US2016269421A1PendingUtilityA1

Method for network security using statistical object identification

49
Assignee: HAYES JOHN WPriority: Nov 18, 2011Filed: Mar 11, 2015Published: Sep 15, 2016
Est. expiryNov 18, 2031(~5.4 yrs left)· nominal 20-yr term from priority
Inventors:John Hayes
H04L 63/08H04L 63/126G06F 21/64G06F 2221/2151H04L 9/3236H04L 9/3263H04L 63/0823H04L 63/06
49
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Methods to enforce network policy based on identity authentication at a network endpoint device by offloading the authentication to a network attached authentication devices are disclosed. The authentication device may use Statistical Object Identification to perform the authentication. The present invention greatly reduces the resources needed by the network endpoint device to perform the authentication and eliminates the topological restrictions found in traditional network appliance based approaches.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method comprising the steps of:
 providing a network endpoint device ( 10 ), a remote network device ( 11 ), an authentication device ( 18 ) and a network ( 20 );   providing at least one network interface ( 49 ) at said network endpoint device ( 10 );   receiving an IP packet ( 12 ) from said remote network device ( 11 ) by said network endpoint device ( 10 ) using said network interface ( 49 );   said IP packet ( 12 ) including a TCP header ( 14 );   said TCP header ( 14 ) including a TCP SYN bit ( 16 );   conveying said IP packet ( 12 ) to said authentication device ( 18 ) via said network ( 20 );   determining the identity ( 22 ) of said IP packet ( 12 ) at said authentication device ( 18 );   selecting a policy rule ( 26 );   matching said identity ( 22 ) from a first table of policy rules ( 27 );   applying said policy rule ( 26 ) to said IP packet ( 12 ).   
     
     
         2 . A method as recited in  claim 1 , in which
 conveying context information to said authentication device ( 18 ) along with said IP packet ( 12 ).   
     
     
         3 . A method as recited in  claim 1 , in which
 conveying said network interface ( 49 ) information to said authentication device ( 18 ) along with said IP packet ( 12 ).   
     
     
         4 . A method as recited in  claim 1 , in which
 said authentication device ( 18 ) can be used by a plurality of said network endpoint devices ( 10 ) concurrently.   
     
     
         5 . A method as recited in  claim 1 , in which
 said network endpoint device ( 10 ) does not save context information regarding said IP packet ( 12 );   
     
     
         6 . A method as recited in  claim 1 , further comprising the steps of
 providing an authenticated session table ( 30 ) and a TCP/IP protocol stack ( 32 ) at said network endpoint device ( 10 );   conveying said IP packet ( 12 ) from said authentication device ( 18 ) to said network endpoint device ( 10 ) via said network ( 20 );   creating a session descriptor ( 28 ) in said authenticated session table ( 30 ); and   conveying said IP packet ( 12 ) to said TCP/IP protocol stack ( 32 ).   
     
     
         7 . A method as recited in  claim 6 , further comprising the steps of:
 conveying context information and said network interface ( 49 ) information to said network endpoint device ( 10 ) by said authentication device ( 18 ) with said IP packet ( 12 ); and   storing said context information and said network interface information ( 49 ) in said session descriptor ( 28 ).   
     
     
         8 . A method as recited in  claim 6 , further comprising the steps of:
 conveying authentication processing information to said network endpoint device ( 10 ) with said IP packet ( 12 ); and   storing said authentication processing information in said session descriptor ( 28 ).   
     
     
         9 . A method as recited in  claim 1 , further comprising the steps of
 conveying a policy rule ( 26 ) to said network endpoint device ( 10 ) from said authentication device ( 18 ) via said network ( 20 ); and   adding said policy rule ( 26 ) to a second table of policy rules ( 36 ) by said network endpoint device ( 10 ).   
     
     
         10 . A method as recited in  claim 9 , in which
 expiring said policy rule ( 26 ) after a period of time.   
     
     
         11 . A method as recited in  claim 9 , in which
 said step of adding said policy rule ( 26 ) to said second table of policy rules ( 36 ) is performed by a peer authentication management application ( 44 ).   
     
     
         12 . A method as recited in  claim 1 , in which
 said authentication device ( 18 ) uses transport access control to perform authentication.   
     
     
         13 . A method as recited in  claim 1 , in which
 said authentication device ( 18 ) uses statistical object identification to perform authentication.   
     
     
         14 . A method as recited in  claim 1 , in which
 said authentication device ( 18 ) does not share with said network endpoint device ( 10 ) cryptographic keys necessary to perform said authentication.   
     
     
         15 . A method as recited in  claim 1 , in which said step of receiving of said IP packet ( 12 ) by said network endpoint device ( 10 ) further includes the steps of:
 selecting a matching policy rule ( 26 ) that matches some portion of said IP packet ( 12 ) from a second table of policy rules ( 36 ); and   applying said policy rule ( 26 ) to said IP packet ( 12 ).   
     
     
         16 . A method as recited in  claim 1 , in which said step of receiving of said IP packet ( 12 ) by said network endpoint device ( 10 ) further includes the steps of:
 selecting a policy rule ( 26 ) that matches said network interface ( 49 ) information from a second table of policy rules ( 36 ); and   applying said policy rule ( 26 ) to said IP packet ( 12 ).   
     
     
         17 . A method as recited in  claim 1 , further including the steps of:
 providing a logging device ( 42 );   conveying log information ( 50 ) to said logging device ( 42 ) by said authentication device ( 18 ); and   including TCP/IP session information from said IP packet ( 12 ) and said network interface ( 49 ) said IP packet was received on in said log information ( 50 ).   
     
     
         18 . A method as recited in  claim 1 , further including the steps of:
 providing a logging device ( 42 );   conveying log information ( 50 ) to said logging device ( 42 ) by said authentication device ( 18 ); and   including said identity ( 22 ) from said IP packet ( 12 ) in said log information ( 50 ).   
     
     
         19 . A method as recited in  claim 1 , further comprising the steps of:
 providing a logging device ( 42 );   conveying log information ( 50 ) to said logging device ( 42 ) by said authentication device ( 18 ); and   including said policy rule ( 26 ) identity applied to said IP packet ( 12 ) in said log information ( 50 ).   
     
     
         20 . A method as recited in  claim 1 , in which
 said step of conveying of said IP packet ( 12 ) to said authentication device ( 18 ) is performed by a peer authentication management application ( 44 ).   
     
     
         21 . A method as recited in  claim 15 , in which
 said network endpoint device ( 10 ), upon receiving said IP Packet ( 12 ) from said remote network device ( 11 ), compares said IP packet ( 12 ) against entries in a second table of policy rules ( 36 );   failing to select a matching policy rule ( 26 ); and   continuing with said determination the identity ( 22 ).   
     
     
         22 . A method comprising the steps of:
 providing a TCP/IP protocol stack ( 32 ) and an authenticated session table ( 30 ) at a network endpoint device ( 10 );   receiving an IP packet ( 12 ) by said network endpoint device ( 10 );   said IP packet ( 12 ) including a TCP header ( 14 );   said TCP header ( 14 ) not including a TCP SYN bit ( 16 );   matching said IP packet ( 12 ) to a session descriptor ( 28 ) in said authenticated session table ( 30 ); and   conveying said IP packet ( 12 ) to said TCP/IP protocol stack ( 32 ).   
     
     
         23 . A method as recited in  claim 22 , in which
 information in said session descriptor ( 28 ) in said authenticated session table ( 30 ) was created by an authentication device ( 18 ); and   said authentication device ( 18 ) using transport access control to perform authentication.   
     
     
         24 . A method as recited in  claim 22 , in which
 information in said session descriptor ( 28 ) in said authenticated session table ( 30 ) was created by an authentication device ( 18 ); and   said authentication device ( 18 ) using statistical object identification to perform authentication.   
     
     
         25 . A method as recited in  claim 22 , in which said step of receiving of said IP packet ( 12 ) by said network endpoint device ( 10 ) further includes the steps of:
 selecting a matching policy rule ( 26 ) that matches some portion of said IP packet ( 12 ) from a second table of policy rules ( 36 ); and   applying said policy rule ( 26 ) to said IP packet ( 12 ).   
     
     
         26 . A method as recited in  claim 22 , in which said step of receiving of said IP packet ( 12 ) by said network endpoint device ( 10 ) further includes the steps of:
 selecting a policy rule ( 26 ) that matches said network interface ( 49 ) information from a second table of policy rules ( 36 ); and   applying said policy rule ( 26 ) to said IP packet ( 12 ).   
     
     
         27 . A method comprising the steps of:
 providing a peer authentication driver ( 46 ), a TCP/IP protocol stack ( 32 ), a network device driver ( 48 ), a network interface ( 49 ) and an authenticated session table ( 30 ) at a network endpoint device ( 10 );   said peer authentication driver ( 46 ) receiving an IP packet ( 12 ) from a TCP/IP protocol stack ( 32 );   locating a session descriptor ( 28 ) corresponding to said IP packet ( 12 ) in said authenticated session table ( 30 );   processing said IP packet ( 12 ) in accordance with said session descriptor ( 28 );   sending said IP packet ( 12 ) to said network device driver ( 48 ); and   sending said IP packet ( 12 ) to said network interface ( 49 ).   
     
     
         28 . A method as recited in  claim 27 , in which
 said session descriptor ( 28 ) in said authenticated session table ( 30 ) was created by an authentication device ( 18 ); and   said authentication device ( 18 ) using transport access control to perform authentication.   
     
     
         29 . A method as recited in  claim 27 , in which
 said session descriptor ( 28 ) in said authenticated session table ( 30 ) was created by an authentication device ( 18 ); and   said authentication device ( 18 ) using statistical object identification to perform authentication.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.