SYSTEM AND METHOD FOR LIMITING DATA LEAKAGE IN AN APPLICATION FIREWALL

US 20160043995A1
Filed: 10/26/2015
Published: 02/11/2016
Est. Priority Date: 06/15/2011
Status: Active Grant

First Claim

Patent Images

1. A system for determining whether to allow a connection between a first computer and a second computer, comprising:

a receiver, operable to receive data into a buffer from one of the first computer or the second computer; and

a connection state engine, operable to;

record connection state information responsive to receipt of an acknowledgement by the second computer of a connection request from the first computer;

read the data from the buffer;

apply a security policy to the data; and

deny use of the connection between the first computer and the second computer without forwarding the data, based on the application of the security policy to the data.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System and methods for connection processing with limited data leakage. The system records state associated with a connection request in a connection state engine, records state associated with a connection acknowledgement in the connection state engine, stores data sent after the connection acknowledgement in a buffer and determines, without a proxy, whether to allow or deny a connection as a function of the data stored in the buffer.

10 Citations

22 Claims

1. A system for determining whether to allow a connection between a first computer and a second computer, comprising:
- a receiver, operable to receive data into a buffer from one of the first computer or the second computer; and
  
  a connection state engine, operable to;
  
  record connection state information responsive to receipt of an acknowledgement by the second computer of a connection request from the first computer;
  
  read the data from the buffer;
  
  apply a security policy to the data; and
  
  deny use of the connection between the first computer and the second computer without forwarding the data, based on the application of the security policy to the data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the connection state engine is further operable to:
    - identify and control access to applications.
  - 3. The system of claim 1, wherein the security policy is based on named sockets.
  - 4. The system of claim 1, wherein the security policy denies use of the connection responsive to the connection request being for a hypertext transport protocol message.
  - 5. The system of claim 1, wherein the security policy comprises a hierarchical set of rules.
  - 6. The system of claim 1, wherein the buffer is sized to receive and buffer data associated with the connection request.
  - 7. The system of claim 1, wherein the connection state engine is further operable to:
    - record initial state information associated with the connection request prior to receiving the acknowledgement from the second computer.
  - 8. The system of claim 7, wherein the connection state engine is further operable to:
    - record option parameters associated with the connection request prior to receiving the acknowledgement from the second computer.

9. A method of determining whether to deny use of a connection between a first computer and a second computer, comprising:
- receiving and storing in a buffer data received from one of the first computer or the second computer;
  
  receiving a connection request acknowledgement from the second computer responsive to a connection request from the first computer;
  
  recording connection state information associated with the connection request acknowledgement; and
  
  determining whether to deny use of the connection responsive to the data stored in the buffer, without forwarding the data stored in the buffer.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, further comprising:
    - sizing the buffer for buffering data associated with the connection request.
  - 11. The method of claim 9, further comprising:
    - recording initial state information associated with the connection request prior to receiving the connection request acknowledgement from the second computer.
  - 12. The method of claim 9, further comprising:
    - recording option parameters associated with the connection request prior to receiving the acknowledgement from the second computer.
  - 13. The method of claim 9, wherein determining whether to deny use of the connection responsive to the data stored in the buffer, without forwarding the data stored in the buffer, comprises:
    - applying a security policy to the data stored in the buffer.
  - 14. The method of claim 13, wherein the security policy comprises a set of hierarchical rules based on a reputation of a sender of the data.
  - 15. The method of claim 9, wherein receiving and storing data in the buffer is performed after receiving the connection request acknowledgement.

16. A machine readable medium, on which are stored instructions for applying a security policy to a connection between a first computer and a second computer, comprising instructions that when executed cause a machine to:
- record connection state information responsive to receipt of an acknowledgement by the second computer of a connection request by the first computer;
  
  read from a buffer data received from one of the first computer or the second computer;
  
  apply the security policy to the data; and
  
  promote a message containing the data to a proxy, responsive to applying the security policy to the data; and
  
  change the connection to a proxy connection via the proxy, responsive to the promoted message.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The machine readable medium of claim 16, wherein the security policy comprises a set of hierarchical rules based on reputation information associated with a sender of the data.
  - 18. The machine readable medium of claim 17, wherein the instruction further comprise instructions that when executed cause the machine to dynamically assign the reputation information to the sender of the data.
  - 19. The machine readable medium of claim 16, wherein the instructions further comprise instructions that when executed cause the machine to:
    - identify and control access to applications.
  - 20. The machine readable medium of claim 16, wherein instructions further comprise instructions that when executed cause the machine to:
    - record initial state information associated with the connection request.
  - 21. The machine readable medium of claim 16, wherein instructions further comprise instructions that when executed cause the machine to:
    - record option parameters associated with the connection request.
  - 22. The machine readable medium of claim 16, wherein the instructions that when executed cause the machine to promote the message containing the data to a proxy, responsive to applying the security policy to the data comprise instructions that when executed cause the machine to:
    - record state associated with the acknowledgement; and
      
      establish socket connections to the first and second computer as a function of the recorded state.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Meyer, Paul, Diehl, David, Minear, Spencer

Granted Patent

US 9,762,539 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/20 for managing network securi...

SYSTEM AND METHOD FOR LIMITING DATA LEAKAGE IN AN APPLICATION FIREWALL

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

10 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

SYSTEM AND METHOD FOR LIMITING DATA LEAKAGE IN AN APPLICATION FIREWALL

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others