Communications system with security checking functions for file transfer operation

US 7,725,931 B2
Filed: 03/02/2006
Issued: 05/25/2010
Est. Priority Date: 09/28/2005
Status: Active Grant

First Claim

Patent Images

1. A communications system for transferring packets, comprising:

a router comprising;

a security condition definition unit receiving a set of security conditions,a security condition database storing the received security conditions,a packet parser that identifies and parses a packet produced by a file transfer application protocol, extracts from the packet a destination address and a security condition ID that a sending user has specified for a file contained in the packet, determines whether the extracted destination address satisfies the security condition corresponding to the user-specified security condition ID and, if not, discards the packet to prevent information leakage, anda domain data collector that makes access to a server managing network domains to collect domain data corresponding to a specified destination address; and

a user terminal comprising;

a security condition user interface that requests the router to provide information about the security conditions and gives the security condition ID to the file to indicate which security condition the sending user has specified,(a) wherein;

when network segments do not vary,the security conditions each comprise a security condition ID and a permissible segment corresponding thereto, the permissible segment being defined as a collection of eligible destination addresses; and

the packet parser determines whether the destination address of the file is included in the permissible segment corresponding to the security condition ID, so as to prevent information leakage on an individual segment basis,(b) wherein;

when the network segments vary dynamically,the security conditions each comprise a security condition ID and a permissible domain corresponding thereto, the permissible domain being defined as a collection of eligible destination domain names; and

the packet parser determines whether the destination address of the file is included in the permissible domain corresponding to the specified security condition ID and, if not, notifies the domain data collector of the destination address, and determines again whether the destination address is included in the permissible domain that the domain data collector has obtained, thereby preventing information leakage on an individual domain basis.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure data communications system with an enhanced function of preventing information leakage. The system includes a user terminal and a router. The router has a security condition definition unit and a storage unit to receive and store a set of security conditions. A packet parser identifies and parses a packet produced by a file transfer application protocol and extracts from that packet a destination address and a security condition ID that the sending user has specified for a file in the packet. The packet parser discards the packet to prevent information leakage if the extracted destination address does not satisfy the security condition corresponding to the user-specified security condition ID. The user terminal has a security condition user interface that requests the router to provide information about security conditions and gives a security condition ID to each file to indicate which security condition the sending user has specified.

10 Citations

11 Claims

1. A communications system for transferring packets, comprising:
- a router comprising;
  
  a security condition definition unit receiving a set of security conditions,a security condition database storing the received security conditions,a packet parser that identifies and parses a packet produced by a file transfer application protocol, extracts from the packet a destination address and a security condition ID that a sending user has specified for a file contained in the packet, determines whether the extracted destination address satisfies the security condition corresponding to the user-specified security condition ID and, if not, discards the packet to prevent information leakage, anda domain data collector that makes access to a server managing network domains to collect domain data corresponding to a specified destination address; and
  
  a user terminal comprising;
  
  a security condition user interface that requests the router to provide information about the security conditions and gives the security condition ID to the file to indicate which security condition the sending user has specified,(a) wherein;
  
  when network segments do not vary,the security conditions each comprise a security condition ID and a permissible segment corresponding thereto, the permissible segment being defined as a collection of eligible destination addresses; and
  
  the packet parser determines whether the destination address of the file is included in the permissible segment corresponding to the security condition ID, so as to prevent information leakage on an individual segment basis,(b) wherein;
  
  when the network segments vary dynamically,the security conditions each comprise a security condition ID and a permissible domain corresponding thereto, the permissible domain being defined as a collection of eligible destination domain names; and
  
  the packet parser determines whether the destination address of the file is included in the permissible domain corresponding to the specified security condition ID and, if not, notifies the domain data collector of the destination address, and determines again whether the destination address is included in the permissible domain that the domain data collector has obtained, thereby preventing information leakage on an individual domain basis.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The communications system according to claim 1, wherein:
    - the security conditions each comprise a security condition ID and a permissible segment group corresponding thereto, the permissible segment group being defined as a collection of eligible destination addresses; and
      
      the packet parser determines whether the destination address of the file is included in the permissible segment group corresponding to the given security condition ID, so as to prevent information leakage on an individual group basis.
  - 3. The communications system according to claim 1, wherein:
    - the security condition user interface adds a security condition ID to a compressed file;
      
      the router device further comprises a packet decoder that decompresses the compressed file attached to an email message before extracting and sending the security condition ID to the packet parser;
      
      the security conditions each comprise a security condition ID and permissible email addresses eligible for being specified as a file destination; and
      
      the packet parser determines whether the destination address of the file is included in the permissible email addresses corresponding to the extracted security condition ID, so as to prevent information leakage on an individual email address basis.
  - 4. The communications system according to claim 1, wherein:
    - the security condition user interface gives the security condition ID to a user-definable X-field as part of an email header;
      
      the security conditions each comprise a security condition ID and permissible email addresses eligible for being specified as a file destination; and
      
      the packet parser determines whether the destination address of the file is included in the email addresses corresponding to the given security condition ID, so as to prevent information leakage on an individual email address basis.
  - 5. The communications system according to claim 1, wherein the router further comprises a security condition distributor that provides other routers on the same network with a new security condition defined additionally in the router.

6. A method for preventing information from leaking during routing of packets over a network, the method comprising:
- requesting, from a user terminal, a router to provide information about security conditions stored in that router;
  
  adding a security condition ID to a file to indicate a security condition that a sending user has specified;
  
  receiving a set of security conditions at the router;
  
  storing the received security conditions in the router;
  
  identifying and parsing a packet produced by a file transfer application protocol;
  
  extracting from the packet a destination address and a security condition ID that a sending user has specified for a file contained in the packet;
  
  determining whether the extracted destination address satisfies the security condition corresponding to the user-specified security condition ID; and
  
  discarding the packet to prevent information leakage, if the extracted destination address fails to satisfy the security condition;
  
  (a) wherein;
  
  when network segments do not vary,the security conditions each comprise a security condition ID and a permissible segment corresponding thereto, the permissible segment being defined as a collection of eligible destination addresses; and
  
  the determining step determines whether the destination address of the file is included in the permissible segment corresponding to the specified security condition ID, so as to prevent information leakage on an individual segment basis,(b) wherein;
  
  when the network segments vary dynamically,the security conditions each comprise a security condition ID and a permissible domain corresponding thereto, the permissible domain being defined as a collection of eligible destination domain names; and
  
  said determining step comprises;
  
  making access from the router to a server managing network domains to collect domain data corresponding to the extracted destination address if the destination address of the file is not included in the permissible domain corresponding to the specified security condition ID, anddetermining again whether the destination address is included in the collected domain data, so as to prevent information leakage on an individual domain basis.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method according to claim 6, wherein:
    - the security conditions each comprise a security condition ID and a permissible segment group corresponding thereto, the permissible segment group being defined as a collection of eligible destination addresses; and
      
      the determining step determines whether the destination address of the file is included in the permissible segment group corresponding to the extracted security condition ID, so as to prevent information leakage on an individual group basis.
  - 8. The method according to claim 6, wherein:
    - the file has been compressed and attached to an email message at the user terminal;
      
      the adding step adds the security condition ID to the compressed file at the user terminal;
      
      the extracting step comprises decompressing the compressed file attached the email message before extracting the security condition ID;
      
      the security conditions each comprise a security condition ID and permissible email addresses eligible for being specified as a file destination; and
      
      the determining step determines whether the destination address of the file is included in the permissible email addresses corresponding to the extracted security condition ID, so as to prevent information leakage on an individual email address basis.
  - 9. The method according to claim 6, wherein:
    - said adding step adds the security condition ID to a user-definable X-field as part of an email header;
      
      the security conditions each comprise a security condition ID and permissible email addresses eligible for being specified as a file destination; and
      
      said determining step determines whether the destination address of the file is included in the permissible email addresses corresponding to the extracted security condition ID, so as to prevent information leakage on an individual email address basis.
  - 10. The method according to claim 6, wherein the router provides other routers on the same network with an additional security condition newly defined in the router.

11. A router for forwarding packets, comprising:
- a security condition definition unit receiving a set of security conditions,a security condition database storing the received security conditions,a packet parser that identifies and parses a packet produced by a file transfer application protocol, extracts from the packet a destination address and a security condition ID that a sending user has specified for a file contained in the packet, determines whether the extracted destination address satisfies the security condition corresponding to the user-specified security condition ID and, if not, discards the packet to prevent information leakage; and
  
  a domain data collector that makes access to a server managing network domains to collect domain data corresponding to a specified destination address,(a) wherein;
  
  when network segments do not vary,the security conditions each comprise a security condition ID and a permissible segment corresponding thereto, the permissible segment being defined as a collection of eligible destination addresses; and
  
  the packet parser determines whether the destination address of the file is included in the permissible segment corresponding to the security condition ID, so as to prevent information leakage on an individual segment basis,(b) wherein;
  
  when the network segments vary dynamically,the security conditions each comprise a security condition ID and a permissible domain corresponding thereto, the permissible domain being defined as a collection of eligible destination domain names; and
  
  the packet parser determines whether the destination address of the file is included in the permissible domain corresponding to the specified security condition ID and, if not, notifies the domain data collector of the destination address, and determines again whether the destination address is included in the permissible domain that the domain data collector has obtained, thereby preventing information leakage on an individual domain basis.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fujitsu Limited
Original Assignee
Fujitsu Limited
Inventors
Kuranari, Shinichi, Ochiai, Hironori, Ito, Yuji, Oda, Masaya
Primary Examiner(s)
Arani; Taghi T
Assistant Examiner(s)
Darrow; Justin T

Application Number

US11/366,658
Publication Number

US 20070079365A1
Time in Patent Office

1,545 Days
Field of Search

709/230, 709/233, 709/236, 726 11- 13, 713/154
US Class Current

726/11
CPC Class Codes

H04L 63/20 for managing network securi...

H04L 69/22 Parsing or analysis of headers

Communications system with security checking functions for file transfer operation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

10 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Communications system with security checking functions for file transfer operation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links