System and method for limiting data leakage

US 9,210,127 B2
Filed: 06/15/2011
Issued: 12/08/2015
Est. Priority Date: 06/15/2011
Status: Active Grant

First Claim

Patent Images

1. A system for applying a security policy to connections between a first computer on a first network and a second computer on a second network, comprising:

a buffer, wherein the buffer is sized to receive and buffer data associated with a connection request;

a receiver coupled to the buffer; and

a connection state engine connected to the buffer;

wherein the connection state engine is configured to receive an indication of the connection request from the first computer for a connection to the second computer and record initial state information and option parameters associated with the connection request;

wherein the connection state engine is configured to record current connection state information associated with the connection request after the connection state engine receives an indication that the second computer has sent an acknowledgement to the first computer;

wherein the receiver is configured to receive data into the buffer from one of the first or second computers after the acknowledgement,wherein the connection state engine is configured to read the received data from the buffer and is configured to deny use of the connection based on a pre-agent check that applies a security policy to the received data without forwarding the received data, responsive to receiving the indication that the second computer has sent an acknowledgement to the first computer, andwherein the security policy is expressed as a hierarchical set of rules, including rules based on reputation information assigned dynamically to a sender of the received data.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System and methods for connection processing with limited data leakage. The system records state associated with a connection request in a connection state engine, records state associated with a connection acknowledgement in the connection state engine, stores data sent after the connection acknowledgement in a buffer and determines, without a proxy, whether to allow or deny a connection as a function of the data stored in the buffer.

9 Citations

11 Claims

1. A system for applying a security policy to connections between a first computer on a first network and a second computer on a second network, comprising:
- a buffer, wherein the buffer is sized to receive and buffer data associated with a connection request;
  
  a receiver coupled to the buffer; and
  
  a connection state engine connected to the buffer;
  
  wherein the connection state engine is configured to receive an indication of the connection request from the first computer for a connection to the second computer and record initial state information and option parameters associated with the connection request;
  
  wherein the connection state engine is configured to record current connection state information associated with the connection request after the connection state engine receives an indication that the second computer has sent an acknowledgement to the first computer;
  
  wherein the receiver is configured to receive data into the buffer from one of the first or second computers after the acknowledgement,wherein the connection state engine is configured to read the received data from the buffer and is configured to deny use of the connection based on a pre-agent check that applies a security policy to the received data without forwarding the received data, responsive to receiving the indication that the second computer has sent an acknowledgement to the first computer, andwherein the security policy is expressed as a hierarchical set of rules, including rules based on reputation information assigned dynamically to a sender of the received data.
- View Dependent Claims (2)
- - 2. The system of claim 1, wherein the connection state engine is capable of identifying and controlling access to applications.

3. A system for applying a security policy to connections between a first computer on a first network and a second computer on a second network, comprising:
- a buffer, wherein the buffer is sized to receive and buffer data associated with a connection request;
  
  a receiver coupled to the buffer;
  
  one or more proxies connected to the buffer; and
  
  a connection state engine connected to the buffer and the proxies;
  
  wherein the connection state engine is configured to receive an indication of the connection request from the first computer for a connection to the second computer and record initial state information and option parameters associated with the connection request;
  
  wherein the connection state engine is configured to receive an indication of a connection acknowledgement being sent from the second computer to the first computer and record state associated with the connection acknowledgement;
  
  wherein the receiver is configured to receive data into the buffer from one of the first or second computers after the connection acknowledgement is received at the first computer; and
  
  wherein the connection state engine is configured to read the received data from the buffer, determine whether the connection should be promoted to one of the proxies based on a pre-agent check that applies a security policy to the received data, and promote the connection to a selected one of the proxies when it determines the connection should be promoted,wherein the selected proxy is configured to read current connection state information associated with the connection request and the connection acknowledgement and establish socket connections to the first and second computers as a function of the recorded state such that the connection changes into a proxy connection, responsive to the determination that the connection should be promoted, andwherein the security policy is expressed as a hierarchical set of rules, including rules based on reputation information assigned dynamically to a sender of the received data.
- View Dependent Claims (4, 5)
- - 4. The system of claim 3, wherein the connections and rules are based on named sockets.
  - 5. The system of claim 3, wherein the connection state engine is capable of identifying and controlling access to applications.

6. In a system for applying a security policy to connections between a first computer on a first network and a second computer on a second network, a method of determining whether to deny use of the connections, comprising:
- receiving a connection request from the first computer;
  
  recording initial state information and option parameters associated with the connection request;
  
  receiving a connection request acknowledgement from the second computer;
  
  recording current connection state information associated with the connection request acknowledgement;
  
  storing in a buffer data received from one of the first or second computers after the connection request acknowledgement has been received at the first computer; and
  
  determining, as a function of the received data stored in the buffer, whether to deny use of the connection, responsive to receiving the connection request acknowledgement, based on a pre-agent check that applies the security policy to the received data, the security policy expressed as a hierarchical set of rules, including rules based on reputation information assigned dynamically to a sender of the received data,wherein, when use of the connection is denied, none of the received data is forwarded using the connection associated with the connection request between the first and second computer.
- View Dependent Claims (7)
- - 7. The method of claim 6, wherein determining includes determining to deny the connection if the connection request is for an HTTP message.

8. In a system for applying a security policy to connections between a first computer on a first network and a second computer on a second network, a method of determining whether to deny use of the connections, comprising:
- receiving a connection request from the first computer;
  
  recording initial state information and option parameters associated with the connection request;
  
  receiving a connection request acknowledgement from the second computer;
  
  recording current connection state information associated with the connection request acknowledgement;
  
  storing in a buffer data associated with the connection request, wherein the data is received from one of the first or second computers after the connection request acknowledgement has been received at the first computer;
  
  determining, as a function of the data stored in the buffer, whether to promote a message containing the data to a proxy, responsive to receiving the connection request acknowledgement, based on a pre-agent check that applies the security policy to the received data, wherein the security policy is expressed as a hierarchical set of rules, including rules based on reputation information assigned dynamically to a sender of the received data;
  
  receiving, at the proxy, information corresponding to the message; and
  
  establishing socket connections to the first and second computers as a function of the recorded connection state information such that the connection changes into a proxy connection.
- View Dependent Claims (9)
- - 9. The method of claim 8, wherein determining includes determining to promote the connection if the connection request is for an HTTP message and there is a named socket for HTTP messages.

10. A non-transitory machine-readable medium, on which are stored instructions, comprising instructions that when executed cause a machine to:
- receive a connection request from a first computer on a first network;
  
  record initial state information and option parameters associated with the connection request;
  
  receive a connection request acknowledgement from a second computer on a second network;
  
  record current connection state information associated with the connection request acknowledgement;
  
  store in a buffer data received from one of the first or second computers after the connection request acknowledgement has been received at the first computer; and
  
  determine, as a function of the received data stored in the buffer, whether to deny use of the connection, responsive to receiving the connection request acknowledgement, based on a pre-agent check that applies the security policy to the received data,wherein the security policy expressed as a hierarchical set of rules, including rules based on reputation information assigned dynamically to a sender of the received data, andwherein, when use of the connection is denied, none of the received data is forwarded using the connection associated with the connection request between the first and second computer.
- View Dependent Claims (11)
- - 11. The machine-readable medium of claim 10, wherein the instructions that when executed cause the machine to determine whether to deny use of the connection comprise instructions that when executed cause the machine to determine to promote the connection if the connection request is for an HTTP message and there is a named socket for HTTP messages.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Meyer, Paul, Diehl, David, Minear, Spencer
Primary Examiner(s)
Tolentino, Roderick

Application Number

US13/161,493
Publication Number

US 20120324526A1
Time in Patent Office

1,637 Days
Field of Search

726 28- 30
US Class Current

1/1
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/20 for managing network securi...

System and method for limiting data leakage

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for limiting data leakage

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links