Transparent provisioning of network access to an application

US 9,537,824 B2
Filed: 03/08/2013
Issued: 01/03/2017
Est. Priority Date: 06/23/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method of transparently interfacing to a network, the network carrying a plurality of packets, a first subset of the plurality of packets being transmitted, via the network, by a first source to a first intended destination intended by the first source, a second subset of the plurality of packets being transmitted, via the network, by a second source to a second intended destination intended by the second source, each packet of the first subset of packets comprising routing data operative to cause the forwarding of the first packet via the network towards the first intended destination, each packet of the second subset of packets comprising routing data operative to cause the forwarding of the second packet via the network towards the second intended destination, the method comprising:

interfacing with the network so as to be able to intercept any packet of the plurality of packets, wherein interfacing with the network comprises interfacing between the network and a first application network interface of a first application, the first application being provided by a first application service provider and operative to provide a first service via the network, the first application including the first application network interface capable of connecting the first application to the network, the first intended destination and the second intended destination being separate from the first application;

intercepting each of at least a portion of the plurality of packets prior to a forwarding thereof toward the first intended destination or the second intended destination;

analyzing, with a processor, an intercepted packet of the intercepted portion of packets and deleting the intercepted packet based on the analysis of the intercepted packet, wherein the analyzing of the intercepted packet comprises determining that the intercepted packet is one of a plurality of packets directed to the first intended destination or the second intended destination, and determining whether a capacity of the first intended destination or the second intended destination is exceeded by a quantity of packets of the plurality of packets directed to the first intended destination or the second intended destination;

evaluating each of the intercepted packets based on a first specification of a first subset of the plurality of packets with respect to which the first application is to perform the first service; and

forwarding the intercepted packet to the network if the intercepted packet is not one of the specified first subset or deleting the intercepted packet if the intercepted packet is not one of the specified first subset with respect to which the first application is to perform the first service.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and method for enhancing the infrastructure of a network such as the Internet is disclosed. A packet interceptor/processor apparatus is coupled with the network so as to be able to intercept and process packets flowing over the network. Further, the apparatus provides external connectivity to other devices that wish to intercept packets as well. The apparatus applies one or more rules to the intercepted packets which execute one or more functions on a dynamically specified portion of the packet and take one or more actions with the packets. The apparatus is capable of analyzing any portion of the packet including the header and payload. Actions include releasing the packet unmodified, deleting the packet, modifying the packet, logging/storing information about the packet or forwarding the packet to an external device for subsequent processing. Further, the rules may be dynamically modified by the external devices.

143 Citations

45 Claims

1. A method of transparently interfacing to a network, the network carrying a plurality of packets, a first subset of the plurality of packets being transmitted, via the network, by a first source to a first intended destination intended by the first source, a second subset of the plurality of packets being transmitted, via the network, by a second source to a second intended destination intended by the second source, each packet of the first subset of packets comprising routing data operative to cause the forwarding of the first packet via the network towards the first intended destination, each packet of the second subset of packets comprising routing data operative to cause the forwarding of the second packet via the network towards the second intended destination, the method comprising:
- interfacing with the network so as to be able to intercept any packet of the plurality of packets, wherein interfacing with the network comprises interfacing between the network and a first application network interface of a first application, the first application being provided by a first application service provider and operative to provide a first service via the network, the first application including the first application network interface capable of connecting the first application to the network, the first intended destination and the second intended destination being separate from the first application;
  
  intercepting each of at least a portion of the plurality of packets prior to a forwarding thereof toward the first intended destination or the second intended destination;
  
  analyzing, with a processor, an intercepted packet of the intercepted portion of packets and deleting the intercepted packet based on the analysis of the intercepted packet, wherein the analyzing of the intercepted packet comprises determining that the intercepted packet is one of a plurality of packets directed to the first intended destination or the second intended destination, and determining whether a capacity of the first intended destination or the second intended destination is exceeded by a quantity of packets of the plurality of packets directed to the first intended destination or the second intended destination;
  
  evaluating each of the intercepted packets based on a first specification of a first subset of the plurality of packets with respect to which the first application is to perform the first service; and
  
  forwarding the intercepted packet to the network if the intercepted packet is not one of the specified first subset or deleting the intercepted packet if the intercepted packet is not one of the specified first subset with respect to which the first application is to perform the first service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the analyzing comprises applying one or more rules to the intercepted packet to determine if the intercepted packet is malformed, andwherein the deleting comprises deleting the intercepted packet when the intercepted packet is determined to be malformed.
  - 3. The method of claim 1, further comprising:
    - detecting a security attack based on the analysis of the intercepted packet; and
      
      absorbing the detected security attack.
  - 4. The method of claim 1, wherein the network carries the plurality of packets in a first format incompatible with the first application.
  - 5. The method of claim 1, further comprising converting, independent of the first application and the first service provided thereby, the intercepted packet from the first format to a second format compatible with the first application and incompatible with the network, storing information representative thereof and providing the converted intercepted packet to the first application via the first application network interface to facilitate the performance of the first service with respect to the intercepted packet, if the intercepted packet is one of the specified first subset.
  - 6. The method of claim 1, further comprising forwarding the intercepted packet to the network if the intercepted packet is not one of the specified first subset.
  - 7. The method of claim 1, further comprising deleting the intercepted packet if the intercepted packet is not one of the specified first subset with respect to which the first application is to perform the first service.
  - 8. The method of claim 1, wherein the intercepted portion of packets comprises a first intercepted packet and a second intercepted packet, andwherein the method further comprises:
    - storing data related to the first intercepted packet when the first intercepted packet is determined to be malformed; and
      
      deleting the second intercepted packet as a function of the stored data related to the first intercepted packet.
  - 9. The method of claim 8, wherein applying the one or more rules to the second intercepted packet comprises applying one or more rules comprising a function and an action to be taken to the second intercepted packet, the action to be taken comprising deleting the second intercepted packet, andwherein the function takes the stored data related to the first intercepted packet into account.
  - 10. The method of claim 1, wherein the one or more rules comprise a function and an action to be taken, the action to be taken comprising the deleting.
  - 11. The method of claim 10, wherein the function comprises comparing one or more portions of the intercepted packet with one or more predefined values, the determination of whether the intercepted packet is malformed being based on the comparing.

12. A system for transparently interfacing to a network, the network carrying a plurality of packets, a first subset of the plurality of packets being transmitted, via the network, by a first source to a first intended destination intended by the first source, a second subset of the plurality of packets being transmitted, via the network, by a second source to a second intended destination intended by the second source, each packet of the first subset of packets comprising routing data operative to cause the forwarding of the first packet via the network towards the first intended destination, each packet of the second subset of packets comprising routing data operative to cause the forwarding of the second packet via the network towards the second intended destination, the system comprising:
- a system network interface operative to interface with the network, wherein the system network interface is further operative to interface between the network and a first application network interface of a first application, the first application being provided by a first application service provider and operative to provide a first service via the network, the first application including the first application network interface operable to connect the first application to the network, the at least one intended destination being separate from the first application;
  
  a packet interceptor coupled with the system network interface and operative to intercept each of at least a portion of the plurality of packets prior to a forwarding thereof toward the first intended destination or the second intended destination;
  
  a processor coupled with the packet interceptor and operative to detect a security attack based on an intercepted packet of the intercepted portion of packets, and absorb the detected security attack, the detection comprising a determination that the intercepted packet is one of a plurality of packets directed to the first intended destination or the second intended destination, and a determination whether a capacity of the first intended destination or the second intended destination is exceeded by a quantity of packets of the plurality of packets directed to the first intended destination or the second intended destination;
  
  a packet evaluator coupled with the packet interceptor and operative to evaluate each of the intercepted packets based on a first specification of a first subset of the plurality of packets with respect to which the first application is to perform the first service; and
  
  a packet forwarder coupled with the packet evaluator and operative to forward the intercepted packet to the network if the intercepted packet is not one of the specified first subset, a packet remover coupled with the packet evaluator and operative to delete the intercepted packet if the intercepted packet is not one of the specified first subset, or a combination thereof.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12, wherein the processor is further operative to apply one or more rules to the intercepted packet to determine if the intercepted packet is malformed, and delete the intercepted packet when the intercepted packet is determined to be malformed.
  - 14. The system of claim 12, wherein the processor is further operative to absorb the detected security attack by responding to the intercepted packet or deleting the intercepted packet.
  - 15. The system of claim 12, wherein the network carries the plurality of packets in a first format incompatible with the first application.
  - 16. The system of claim 12, further comprising a packet converter coupled with the packet evaluator and operative to convert, independent of the first application and the first service provided thereby, the intercepted packet from the first format to a second format compatible with the first application and incompatible with the network, store information representative thereof and provide the converted intercepted packet to the first application via the first application network interface to facilitate the performance of the first service with respect to the intercepted packet, if the intercepted packet is one of the specified first subset.
  - 17. The system of claim 12, further comprising the packet forwarder coupled with the packet evaluator and operative to forward the intercepted packet to the network if the intercepted packet is not one of the specified first subset.
  - 18. The system of claim 12, further comprising 12, the packet remover coupled with the packet evaluator and operative to delete the intercepted packet if the intercepted packet is not one of the specified first subset.
  - 19. The system of claim 12, wherein the intercepted portion of packets comprises a first intercepted packet and a second intercepted packet, andwherein the processor is further operative to store data related to the first intercepted packet when the first intercepted packet is determined to be malformed, and delete the second intercepted packet as a function of the stored data related to the first intercepted packet when the second intercepted packet is determined to be malformed.
  - 20. The system of claim 19, wherein the processor is further operative to apply the one or more rules to the second intercepted packet, the one or more rules comprising a function and an action to be taken, the action to be taken comprising the deletion of the second intercepted packet, and the function taking the stored data related to the first intercepted packet into account.
  - 21. The system of claim 12, wherein the one or more rules comprise a function and an action to be taken, the action to be taken comprising the deletion.
  - 22. The system of claim 21, wherein the function comprises comparison of one or more portions of the intercepted packet with one or more predefined values, the determination of whether the intercepted packet is malformed being based on the comparison.

23. A method of transparently interfacing to a network, the network carrying a plurality of packets, a first subset of the plurality of packets being transmitted, via the network, by a first source to a first intended destination intended by the first source, a second subset of the plurality of packets being transmitted, via the network, by a second source to a second intended destination intended by the second source, each packet of the first subset of packets comprising routing data operative to cause the forwarding of the first packet via the network towards the first intended destination, each packet of the second subset of packets comprising routing data operative to cause the forwarding of the second packet via the network towards the second intended destination, the method comprising:
- interfacing with the network so as to be able to intercept any packet of the plurality of packets, wherein interfacing with the network comprises interfacing between the network and a first application network interface of a first application, the first application being provided by a first application service provider and operative to provide a first service via the network, the first application including the first application network interface capable of connecting the first application to the network, the at least one intended destination being separate from the first application;
  
  intercepting each of at least a portion of the plurality of packets prior to a forwarding thereof toward the first intended destination or the second intended destination;
  
  analyzing, by a processor, an intercepted packet of the intercepted portion of packets and absorbing the intercepted packet based on the analysis of the intercepted packet, the analyzing of the intercepted packet comprising determining that the intercepted packet is one of a plurality of packets directed to the first intended destination or the second intended destination, and determining whether a capacity of the first intended destination or the second intended destination is exceeded by a quantity of packets of the plurality of packets directed to the first intended destination or the second intended destination;
  
  evaluating each of the intercepted packets based on a first specification of a first subset of the plurality of packets with respect to which the first application is to perform the first service; and
  
  forwarding the intercepted packet to the network or deleting the intercepted packet if the intercepted packet is not one of the specified first subset.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. The method of claim 23, wherein the analyzing further comprises applying one or more rules to the intercepted packet to determine if the intercepted packet is malicious, andwherein the absorbing comprising deleting the intercepted packet when the intercepted packet is determined to be malicious.
  - 25. The method of claim 23, wherein the absorbing comprises responding to the intercepted packet or deleting the intercepted packet.
  - 26. The method of claim 23, wherein the network carries the plurality of packets in a first format incompatible with the first application.
  - 27. The method of claim 23, further comprising converting, independent of the first application and the first service provided thereby, the intercepted packet from the first format to a second format compatible with the first application and incompatible with the network, storing information representative thereof and providing the converted intercepted packet to the first application via the first application network interface to facilitate the performance of the first service with respect to the intercepted packet, if the intercepted packet is one of the specified first subset.
  - 28. The method of claim 23, further comprising forwarding the intercepted packet to the network if the intercepted packet is not one of the specified first subset.
  - 29. The method of claim 23, further comprising deleting the intercepted packet if the intercepted packet is not one of the specified first subset.
  - 30. The method of claim 23, wherein the intercepted portion of packets comprises a first intercepted packet and a second intercepted packet, andwherein the method further comprises:
    - storing data related to the first intercepted packet when the first intercepted packet is determined to be malicious; and
      
      deleting the second intercepted packet as a function of the stored data related to the first intercepted packet.
  - 31. The method of claim 30, wherein applying the one or more rules to the second intercepted packet comprises applying one or more rules comprising a function and an action to be taken to the second intercepted packet, the action to be taken comprising deleting the second intercepted packet, andwherein the function takes the stored data related to the first intercepted packet into account.
  - 32. The method of claim 23, further comprising determining an origin of the intercepted packet, the determining if the intercepted packet is malicious being based on the determined origin of the intercepted packet.
  - 33. The method of claim 23, wherein the one or more rules comprises a function and an action to be taken,wherein the function comprises comparing the intercepted packet to previously identified malicious data, andwherein the method further comprises receiving the previously identified malicious data from the at least one intended destination, a separate server, or the at least one intended destination and the separate server.

34. A system for transparently interfacing to a network, the network carrying a plurality of packets, a first subset of the plurality of packets being transmitted, via the network, by a first source to a first intended destination intended by the first source, a second subset of the plurality of packets being transmitted, via the network, by a second source to a second intended destination intended by the second source, each packet of the first subset of packets comprising routing data operative to cause the forwarding of the first packet via the network towards the first intended destination, each packet of the second subset of packets comprising routing data operative to cause the forwarding of the second packet via the network towards the second intended destination, the system comprising:
- a system network interface operative to interface with the network, wherein the system network interface is further operative to interface between the network and a first application network interface of a first application, the first application being provided by a first application service provider and operative to provide a first service via the network, the first application including the first application network interface operable to connect the first application to the network, the at least one intended destination being separate from the first application;
  
  a packet interceptor coupled with the system network interface and operative to intercept each of at least a portion of the plurality of packets prior to a forwarding thereof toward the first intended destination or the second intended destination;
  
  a processor coupled with the packet interceptor and operative to detect a security attack based on an intercepted packet of the intercepted portion of packets, and absorb the detected security attack, wherein the detection comprises a determination that the intercepted packet is one of a plurality of packets directed to the first intended destination or the second intended destination, and a determination whether a capacity of the first intended destination or the second intended destination or a capacity of an intermediary separate from the processor, located between the processor and the first intended destination and the second intended destination and operative to cause forwarding of the intercepted packet towards the first intended destination or the second intended destination based on a specification of the first intended destination or the second intended destination specified therein, is exceeded by a quantity of packets of the plurality of packets directed to the first intended destination or the second intended destination, the intercepted packet being deleted when the capacity of the first intended destination or the capacity of the intermediary is exceeded and the intercepted packet is directed to the first intended destination, and the intercepted packet not being deleted when the capacity of the first intended destination is exceeded and the capacity of the intermediary and the capacity of the second intended destination are not exceeded;
  
  a packet evaluator coupled with the packet interceptor and operative to evaluate each of the intercepted packets based on a first specification of a first subset of the plurality of packets with respect to which the first application is to perform the first service; and
  
  a packet forwarder coupled with the packet evaluator and operative to forward the intercepted packet to the network if the intercepted packet is not one of the specified first subset, a packet remover coupled with the packet evaluator and operative to delete the intercepted packet if the intercepted packet is not one of the specified first subset, or a combination thereof.
- View Dependent Claims (35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45)
- - 35. The system of claim 34, wherein the detection comprises an analysis of the intercepted packet to determine whether the packet is malicious, andwherein the absorption comprises deletion of the intercepted packet when the intercepted packet is determined to be malicious.
  - 36. The system of claim 34, wherein the processor is further operative to absorb the detected security attack by responding to the intercepted packet or deleting the intercepted packet.
  - 37. The system of claim 34, wherein the detection comprises application of one or more rules to the intercepted packet to determine if the intercepted packet is malicious, andwherein the absorption comprises deletion of the intercepted packet when the intercepted packet is determined to be malicious.
  - 38. The system of claim 34, wherein the network carries the plurality of packets in a first format incompatible with the first application.
  - 39. The system of claim 34, further comprising a packet converter coupled with the packet evaluator and operative to convert, independent of the first application and the first service provided thereby, the intercepted packet from the first format to a second format compatible with the first application and incompatible with the network, store information representative thereof and provide the converted intercepted packet to the first application via the first application network interface to facilitate the performance of the first service with respect to the intercepted packet, if the intercepted packet is one of the specified first subset.
  - 40. The system of claim 34, further comprising the packet forwarder coupled with the packet evaluator and operative to forward the intercepted packet to the network if the intercepted packet is not one of the specified first subset.
  - 41. The system of claim 34, further comprising a packet remover coupled with the packet evaluator and operative to delete the intercepted packet if the intercepted packet is not one of the specified first subset.
  - 42. The system of claim 34, wherein the intercepted portion of packets comprises a first intercepted packet and a second intercepted packet, andwherein the processor is further operative to store data related to the first intercepted packet when the first intercepted packet is determined to be malicious, and delete the second intercepted packet as a function of the stored data related to the first intercepted packet.
  - 43. The system of claim 42, wherein the processor is further operative to apply the one or more rules to the second intercepted packet, the one or more rules comprising a function and an action to be taken, the action to be taken comprising the deletion of the second intercepted packet, and the function taking the stored data related to the first intercepted packet into account.
  - 44. The system of claim 34, wherein the processor is further operative to determine an origin of the intercepted packet, the determination of whether the intercepted packet is malicious being based on the determined origin of the intercepted packet.
  - 45. The system of claim 34, wherein the one or more rules comprise a function and an action to be taken,wherein the function comprises comparing the intercepted packet to previously identified malicious data, andwherein the processor is further operative to receive the previously identified malicious data from the at least one intended destination, a separate server, or the at least one intended destination and the separate server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lookingglass Cyber Solutions, LLC
Original Assignee
CloudShield Technologies, Inc. (ZeroFox Holdings, Inc.)
Inventors
Jungck, Peder J., Drown, Matthew Donald, Goller, Sean M.
Primary Examiner(s)
Oh, Andrew

Application Number

US13/790,987
Publication Number

US 20130263247A1
Time in Patent Office

1,397 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 12/2836   Protocol conversion between...

H04L 41/0213   Standardised network manage...

H04L 41/5054   Automatic deployment of ser...

H04L 61/4511   using domain name system [DNS]

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/1458   Denial of Service

H04L 65/60   Network streaming of media ...

H04L 67/565   Conversion or adaptation of...

H04L 69/08   Protocols for interworking;...

H04L 69/169   Special adaptations of TCP,...

H04L 69/18   Multiprotocol handlers, e.g...

Transparent provisioning of network access to an application

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

143 Citations

45 Claims

Specification

Use Cases

Quick Links

Others

Transparent provisioning of network access to an application

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

143 Citations

45 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others