US2015096030A1PendingUtilityA1

System, method, and computer program product for preventing communication of unwanted network traffic by holding only a last portion of the network traffic

57
Assignee: MCAFEE INCPriority: Oct 5, 2009Filed: Dec 9, 2014Published: Apr 2, 2015
Est. expiryOct 5, 2029(~3.2 yrs left)· nominal 20-yr term from priority
Inventors:Ge ZhuZheng Bu
H04L 63/145H04L 63/1416H04L 63/0245
57
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A system, method, and computer program product are provided for preventing communication of unwanted network traffic by holding only a last portion of the network traffic. In use, network traffic associated with a file transfer is received. Additionally, only a last portion of the network traffic associated with the file transfer is held for determining whether the file is unwanted. Further, the last portion of the network traffic associated with the file transfer is conditionally forwarded to a destination device, based on the determination.

Claims

exact text as granted — not AI-modified
We claim: 
     
         1 . An intrusion protection system, comprising:
 a server, comprising:
 a processor; 
 a network interface, coupled to the processor; and 
 a memory coupled to the processor, on which are stored instructions, comprising instructions that when executed cause the processor to:
 receive via the network interface an initial portion of a file being transferred to a destination; 
 forward the initial portion of the file to the destination; 
 receive via the network interface a final portion of the file; 
 determine identifying information regarding the file; 
 query a file reputation database for a determination of whether the file is wanted or unwanted using the identifying information; and 
 refuse to forward the final portion of the file to the destination responsive to a determination that the file is unwanted. 
 
   
     
     
         2 . The intrusion protection system of  claim 1 , wherein the final portion of the file comprises a predetermined number of final packets. 
     
     
         3 . The intrusion protection system of  claim 1 , wherein the instructions further comprise instructions that when executed cause the processor to:
 identify the final portion of the file by comparing a size of the file to a size of all received portions of the file.   
     
     
         4 . The intrusion protection system of  claim 1 , wherein the identifying information includes a hash of the file. 
     
     
         5 . The intrusion protection system of  claim 1 , wherein the instructions further comprise instructions that when executed cause the server to receive a response from the file reputation database indicating the file is unwanted. 
     
     
         6 . The intrusion protection system of  claim 1 , wherein the instructions further comprise instructions that when executed cause the server to read a network header associated with the file. 
     
     
         7 . The intrusion protection system of  claim 1 , wherein the server further comprises:
 a second network interface,   wherein the instructions that when executed cause the processor to forward the initial portion of the file to the destination comprise instructions that cause the processor to forward the initial portion of the file via the second network interface.   
     
     
         8 . A machine readable medium, on which are stored instructions that when executed cause a server to:
 receive via a network interface an first portion of a file being transferred to a destination through the server;   forward the first portion of the file to the destination;   receive via the network interface a last portion of the file;   determine identifying information regarding the file;   determine whether the file is wanted or unwanted using the identifying information; and   prevent forwarding of the last portion of the file to the destination responsive to a determination that the file is unwanted.   
     
     
         9 . The machine readable medium of  claim 8 , wherein the last portion of the file is a plurality of final packets. 
     
     
         10 . The machine readable medium of  claim 8 , wherein the instructions further comprise instructions that when executed cause the server to identify the last portion of the file by comparing a size of the file to a size of all received portions of the file. 
     
     
         11 . The machine readable medium of  claim 8 , wherein the information regarding the file comprises a hash of the file. 
     
     
         12 . The machine readable medium of  claim 8 , wherein the instructions that when executed cause the server to determine whether the file is wanted or unwanted comprise instructions that when executed cause the server to query a file reputation database. 
     
     
         13 . The machine readable medium of  claim 12 , wherein the instructions that cause the server to query the file reputation database comprise instructions that when executed cause the server to send the identifying information to a file reputation database server. 
     
     
         14 . A method of preventing delivery of malware, comprising:
 receiving by a server via a network interface an first portion of a file;   forwarding by the server the first portion of the file to a destination for the file;   receiving by the server via the network interface a second portion of the file;   obtaining file identification information;   determining whether the file contains malware using the file identification information; and   preventing forwarding by the server of the second portion of the file to the destination responsive to a determination that the file contains malware.   
     
     
         15 . The method of  claim 14 , wherein the second portion of the file comprises one or more packets. 
     
     
         16 . The method of  claim 14  further comprising identifying the second portion of the file by comparing a size of the file to a size of all received portions of the file. 
     
     
         17 . The method of  claim 14 , wherein the file identification information comprises a hash of the file. 
     
     
         18 . The method of  claim 14 , wherein determining whether the file contains malware comprises querying a file reputation database. 
     
     
         19 . The method of  claim 18 , wherein determining whether the file contains malware further comprises obtaining a result from the file reputation database, the result responsive to a comparison of the file identification information with data regarding known malware. 
     
     
         20 . The method of  claim 14 , further comprising reading a network header associated with the file.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.