Access Control Manager

US 20150089625A1
Filed: 09/25/2013
Published: 03/26/2015
Est. Priority Date: 09/25/2013
Status: Active Grant

First Claim

Patent Images

1. A method for domain-based network access management in a computer, comprising:

receiving a session data transfer packet specifying a network address;

determining whether the network address corresponds to a session on a session graylist, the graylist indicating sessions that are associated with an network address that is not permitted access and at least one domain that is permitted access;

determining a domain associated with the session data transfer packet;

determining whether the domain is a permissible domain; and

responsive to determining that the network address corresponds to a session on the session graylist and the domain is a permissible domain, associating the session with a session whitelist and permitting the session data transfer packet access to a network interface.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network access manager controls access to a network interface according to a set of access control instructions specifying permissible and impermissible addresses and domains on a network. The network access manager establishes a graylist of addresses based on a domain request that is associated with a whitelisted domain that is accessed via a blacklisted address. When a request to establish a connection is received directed to a graylisted address, the connection is permitted to establish and the connection is added to a session graylist. When a session data transfer packet is received, if the session corresponds to a session on the session graylist, the session data transfer packet is examined to determine if it matches a whitelisted domain, in which case the session is associated with a session whitelist and permitted access to the network. The access control instructions may be automatically updated from a trusted access control management system.

19 Citations

View as Search Results

14 Claims

1. A method for domain-based network access management in a computer, comprising:
- receiving a session data transfer packet specifying a network address;
  
  determining whether the network address corresponds to a session on a session graylist, the graylist indicating sessions that are associated with an network address that is not permitted access and at least one domain that is permitted access;
  
  determining a domain associated with the session data transfer packet;
  
  determining whether the domain is a permissible domain; and
  
  responsive to determining that the network address corresponds to a session on the session graylist and the domain is a permissible domain, associating the session with a session whitelist and permitting the session data transfer packet access to a network interface.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 13, 14)
- - 2. The method of claim 1, further comprising, responsive to determining that the network address does not correspond to a permissible domain, associating the session with a session blacklist and preventing the session data transfer packet access to the network interface.
  - 3. The method of claim 1, further comprisingreceiving a second session data transfer packet specifying the network address;
    - determining that the second session data transfer packet corresponds to the session on the session whitelist without determining a domain associated with the second data transfer request; and
      
      permitting the second session data transfer packet access to the network interface.
  - 4. The method of claim 1, further comprising:
    - receiving an initiate session packet specifying a session address;
      
      determining whether the session address matches an address in an address graylist, the address graylist indicating a set of addresses that are selectively permitted access to the network interface;
      
      responsive to determining that the session address matches an address in the address graylist, permitting the initiate session packet access to the network interface and adding the session to the session graylist.
  - 5. The method of claim 4, further comprising:
    - receiving, from a requester, a domain resolution request packet specifying a resolution domain and permitting the domain resolution request packet access to the network interface;
      
      receiving a domain resolution response from the network interface specifying a domain network address;
      
      determining whether the resolution domain is a permissible domain and whether the network address is a permissible address;
      
      responsive to determining that the domain is a permissible domain and the network address is not a permissible address, adding the network address to the address graylist.
  - 6. The method of claim 1, wherein the network address is stored in a header of the session data transfer packet.
  - 7. The method of claim 1, wherein the domain is determined from a payload of the session data transfer packet.
  - 13. The method of claim 1, wherein the network address is stored in a header of the session data transfer packet.
  - 14. The method of claim 1, wherein the domain is determined from a payload of the session data transfer packet.

8. A computer system comprising:
- a network interface configured for accessing a network; and
  
  a processor configured toreceive a session data transfer packet specifying a network address;
  
  determine whether the network address corresponds to a session on a session graylist, the graylist indicating sessions that are associated with an network address that is not permitted access and at least one domain that is permitted access;
  
  determine a domain associated with the session data transfer packet;
  
  determine whether the domain is a permissible domain; and
  
  responsive to determining that the network address corresponds to a session on the session graylist and the domain is a permissible domain, associate the session with a session whitelist and permit the session data transfer packet access to the network interface.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The system of claim 8, wherein the processor is further configured to, responsive to determining that the network address does not correspond to a permissible domain, associate the session with a session blacklist and prevent the session data transfer packet access to the network interface.
  - 10. The system of claim 8, wherein the processor is further configured toreceive a second session data transfer packet specifying the network address;
    - determine that the second session data transfer packet corresponds to the session on the session whitelist without determining a domain associated with the second data transfer request; and
      
      permit the second session data transfer packet access to the network interface.
  - 11. The system of claim 8, wherein the processor is further configured to:
    - receive an initiate session packet specifying a session address;
      
      determine whether the session address matches an address in an address graylist, the address graylist indicating a set of addresses that are selectively permitted access to the network interface;
      
      responsive to determining that the session address matches an address in the address graylist, permit the initiate session packet access to the network interface and add the session to the session graylist.
  - 12. The system of claim 11, wherein the processor is further configured to:
    - receive, from a requesting application, a domain resolution request packet specifying a resolution domain and permit the domain resolution request packet access to the network interface;
      
      receive a domain resolution response from the network interface specifying a domain network address;
      
      determine whether the resolution domain is a permissible domain and whether the network address is a permissible address;
      
      responsive to determining that the domain is a permissible domain and the network address is not a permissible address, add the network address to the address graylist.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malwarebytes Corporate Holdco Incorporated
Original Assignee
Malwarebytes Corporation
Inventors
Swanson, Douglas Stuart, Young, Daniel, Moore, John

Granted Patent

US 9,154,459 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/101   Access control lists [ACL]

Access Control Manager

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

19 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Access Control Manager

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links