US2015319137A1PendingUtilityA1
Techniques to monitor connection paths on networked devices
Est. expiryApr 10, 2032(~5.7 yrs left)· nominal 20-yr term from priority
H04L 67/535H04L 61/1511H04L 63/164H04L 63/10H04L 63/0236H04L 43/0811H04L 67/22H04L 9/3263H04L 61/4511
42
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
Techniques for managing network connections are described. An apparatus may comprise a communications component operative to manage a connection for a client, the connection routed over a network and a traffic analysis component operative to determine one or more characteristics of the routing of the connection. Other embodiments are described and claimed.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . An apparatus, comprising:
a processor component of a server included in a cloud computing system configured to provide a service to manage routing of a connection for a client over a network; a traffic analysis component for execution by the processing component to determine one or more characteristics of the routing of the connection, the one or more characteristics including a physical location of routing points of the routing of the connection and determined based on performing an encrypted exchange with a plurality of routing points of the connection, the encrypted exchanges including public-key based verification of identifying information of the plurality of routing points; and a network control component for execution by the processing component to determine whether to block the connection based on the one or more determined characteristics.
2 . The apparatus of claim 1 , the traffic analysis component to determine the one or more characteristics of the routing of the connection further comprises the traffic analysis component to determine the routing points of the connection, determine a domain name server lookup of a source of the connection, or determine a type of data carried by the connection.
3 . The apparatus of claim 1 , the network control component to determine to block the connection based on the one or more determined characteristics indicating that any of the routing points are not securely verified.
4 . The apparatus of claim 1 , comprising:
a communications component for execution by the processing component to specify one or more of a whitelist, a blacklist, and a preference list in a header of a network protocol message, the one or more of the whitelist, the blacklist, and the preference list specifying region-based rules for the routing of the connection.
5 . The apparatus of claim 4 , the blacklist comprising a listing of one or more regions through which the connection should not be routed, a region to include a defined physical area including a country, a state, a city or a cohesive political unit that includes a country, a state, a county, a city, or a municipality.
6 . The apparatus of claim 5 , the network control component to block the connection if the determined characteristics indicate that the connection was routed through one or more regions included in the blacklist, the traffic analysis component to re-check the connection at an interval indicated in the blacklist, the interval including a set interval or responsive to a request from the client.
7 . The apparatus of claim 4 , the whitelist comprising a listing that includes one or more of a country, a region, a server, a network, a server operator, or network operator through which routing of the connection is authorized.
8 . The apparatus of claim 1 , the traffic component to determine the one or more characteristics of the routing of the connection further comprises retrieving a cryptographically secure mapping list, the mapping list comprising a map between network addresses and regions.
9 . The apparatus of claim 1 , comprising:
the network control component to present the client with the determined one or more characteristics and to query the client as to whether to block the connection.
10 . The apparatus of claim 1 , comprising:
the network control component to present the client with the determined one or more characteristics and to query the user as to whether to allow the connection.
11 . A method comprising:
managing, at a server included in a cloud computing system, a connection for a client, the connection routed over a network; determining one or more characteristics of the routing of the connection, the one or more characteristics including a physical location of routing points of the routing of the connection and determined based on performing an encrypted exchange with a plurality of routing points of the connection, the encrypted exchanges including public-key based verification of identifying information of the plurality of routing points; and determining whether to block the connection based on the one or more determined characteristics.
12 . The method of claim 11 , determining the one or more characteristics of the routing of the connection further comprises determining the routing points of the connection, determining a domain name server lookup of a source of the connection, or determining a type of data carried by the connection.
13 . The method of claim 11 , determining to block the connection based on the one or more determined characteristics indicating that any of the routing points are not securely verified.
14 . The method of claim 11 , comprising:
specifying one or more of a whitelist, a blacklist, and a preference list in a header of a network protocol message, the one or more of the whitelist, the blacklist, and the preference list specifying region-based rules for the routing of the connection.
15 . The method of claim 14 , the blacklist comprising a listing of one or more regions through which the connection should not be routed, a region to include a defined physical area including a country, a state, a city or a cohesive political unit that includes a country, a state, a county, a city, or a municipality.
16 . The method of claim 15 , blocking the connection if the determined characteristics indicate that the connection was routed through one or more regions included in the blacklist and re-checking the connection at an interval indicated in the blacklist, the interval including a set interval or responsive to a request from the client.
17 . The method of claim 14 , the whitelist comprising a listing that includes one or more of a country, a region, a server, a network, a server operator, or network operator through which routing of the connection is authorized.
18 . The method of claim 11 , determining the one or more characteristics of the routing of the connection further comprises retrieving a cryptographically secure mapping list, the mapping list comprising a map between network addresses and regions.
19 . The method of claim 11 , comprising:
presenting the client with the determined one or more characteristics; querying the client as to whether to block the connection.
20 . The method of claim 11 , comprising:
presenting the client with the determined one or more characteristics; and querying the user as to whether to allow the connection.
21 . At least one non-transitory computer-readable storage medium comprising a plurality of instructions that in response to being executed on a system at a server of a cloud computing system arranged to provide a service to manage routing of a connection for a client over a network, the instructions to cause the system to:
determine one or more characteristics of the routing of the connection, the one or more characteristics including a physical location of routing points of the routing of the connection and determined based on performing an encrypted exchange with a plurality of routing points of the connection, the encrypted exchanges including public-key based verification of identifying information of the plurality of routing points; and determine whether to block the connection based on the one or more determined characteristics.
22 . The at least one non-transitory computer-readable storage medium of claim 21 , to determine the one or more characteristics of the routing of the connection further comprises the instructions to cause the system to determine the routing points of the connection, determine a domain name server lookup of a source of the connection, or determine a type of data carried by the connection.
23 . The at least one non-transitory computer-readable storage medium of claim 21 , the instructions to cause the system to determine to block the connection based on the one or more determined characteristics indicating that any of the routing points are not securely verified.
24 . The at least one non-transitory computer-readable storage medium of claim 21 , the instructions to further cause the system to:
specify one or more of a whitelist, a blacklist, and a preference list in a header of a network protocol message, the one or more of the whitelist, the blacklist, and the preference list specifying region-based rules for the routing of the connection.
25 . The at least one non-transitory computer-readable storage medium of claim 24 , the blacklist comprising a listing of one or more regions through which the connection should not be routed, a region to include a defined physical area including a country, a state, a city or a cohesive political unit that includes a country, a state, a county, a city, or a municipality.
26 . The at least one non-transitory computer-readable storage medium of claim 25 , the instructions to cause the system to block the connection if the determined characteristics indicate that the connection was routed through one or more regions included in the blacklist and re-checking the connection at an interval indicated in the blacklist, the interval including a set interval or responsive to a request from the client.
27 . The at least one non-transitory computer-readable storage medium of claim 24 , the whitelist comprising a listing that includes one or more of a country, a region, a server, a network, a server operator, or network operator through which routing of the connection is authorized.
28 . The at least one non-transitory computer-readable storage medium of claim 21 , the instructions to cause the system to determine the one or more characteristics of the routing of the connection further comprises the instruction to cause the system to retrieve a cryptographically secure mapping list, the mapping list comprising a map between network addresses and regions.
29 . The at least one non-transitory computer-readable storage medium of claim 21 , the instructions to further cause the system to:
present the client with the determined one or more characteristics; query the client as to whether to block the connection.
30 . The at least one non-transitory computer-readable storage medium of claim 21 , instructions to further cause the system to:
present the client with the determined one or more characteristics; and query the user as to whether to allow the connection.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.