US2016269421A1PendingUtilityA1
Method for network security using statistical object identification
Est. expiryNov 18, 2031(~5.4 yrs left)· nominal 20-yr term from priority
Inventors:John Hayes
H04L 63/08H04L 63/126G06F 21/64G06F 2221/2151H04L 9/3236H04L 9/3263H04L 63/0823H04L 63/06
49
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
Methods to enforce network policy based on identity authentication at a network endpoint device by offloading the authentication to a network attached authentication devices are disclosed. The authentication device may use Statistical Object Identification to perform the authentication. The present invention greatly reduces the resources needed by the network endpoint device to perform the authentication and eliminates the topological restrictions found in traditional network appliance based approaches.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method comprising the steps of:
providing a network endpoint device ( 10 ), a remote network device ( 11 ), an authentication device ( 18 ) and a network ( 20 ); providing at least one network interface ( 49 ) at said network endpoint device ( 10 ); receiving an IP packet ( 12 ) from said remote network device ( 11 ) by said network endpoint device ( 10 ) using said network interface ( 49 ); said IP packet ( 12 ) including a TCP header ( 14 ); said TCP header ( 14 ) including a TCP SYN bit ( 16 ); conveying said IP packet ( 12 ) to said authentication device ( 18 ) via said network ( 20 ); determining the identity ( 22 ) of said IP packet ( 12 ) at said authentication device ( 18 ); selecting a policy rule ( 26 ); matching said identity ( 22 ) from a first table of policy rules ( 27 ); applying said policy rule ( 26 ) to said IP packet ( 12 ).
2 . A method as recited in claim 1 , in which
conveying context information to said authentication device ( 18 ) along with said IP packet ( 12 ).
3 . A method as recited in claim 1 , in which
conveying said network interface ( 49 ) information to said authentication device ( 18 ) along with said IP packet ( 12 ).
4 . A method as recited in claim 1 , in which
said authentication device ( 18 ) can be used by a plurality of said network endpoint devices ( 10 ) concurrently.
5 . A method as recited in claim 1 , in which
said network endpoint device ( 10 ) does not save context information regarding said IP packet ( 12 );
6 . A method as recited in claim 1 , further comprising the steps of
providing an authenticated session table ( 30 ) and a TCP/IP protocol stack ( 32 ) at said network endpoint device ( 10 ); conveying said IP packet ( 12 ) from said authentication device ( 18 ) to said network endpoint device ( 10 ) via said network ( 20 ); creating a session descriptor ( 28 ) in said authenticated session table ( 30 ); and conveying said IP packet ( 12 ) to said TCP/IP protocol stack ( 32 ).
7 . A method as recited in claim 6 , further comprising the steps of:
conveying context information and said network interface ( 49 ) information to said network endpoint device ( 10 ) by said authentication device ( 18 ) with said IP packet ( 12 ); and storing said context information and said network interface information ( 49 ) in said session descriptor ( 28 ).
8 . A method as recited in claim 6 , further comprising the steps of:
conveying authentication processing information to said network endpoint device ( 10 ) with said IP packet ( 12 ); and storing said authentication processing information in said session descriptor ( 28 ).
9 . A method as recited in claim 1 , further comprising the steps of
conveying a policy rule ( 26 ) to said network endpoint device ( 10 ) from said authentication device ( 18 ) via said network ( 20 ); and adding said policy rule ( 26 ) to a second table of policy rules ( 36 ) by said network endpoint device ( 10 ).
10 . A method as recited in claim 9 , in which
expiring said policy rule ( 26 ) after a period of time.
11 . A method as recited in claim 9 , in which
said step of adding said policy rule ( 26 ) to said second table of policy rules ( 36 ) is performed by a peer authentication management application ( 44 ).
12 . A method as recited in claim 1 , in which
said authentication device ( 18 ) uses transport access control to perform authentication.
13 . A method as recited in claim 1 , in which
said authentication device ( 18 ) uses statistical object identification to perform authentication.
14 . A method as recited in claim 1 , in which
said authentication device ( 18 ) does not share with said network endpoint device ( 10 ) cryptographic keys necessary to perform said authentication.
15 . A method as recited in claim 1 , in which said step of receiving of said IP packet ( 12 ) by said network endpoint device ( 10 ) further includes the steps of:
selecting a matching policy rule ( 26 ) that matches some portion of said IP packet ( 12 ) from a second table of policy rules ( 36 ); and applying said policy rule ( 26 ) to said IP packet ( 12 ).
16 . A method as recited in claim 1 , in which said step of receiving of said IP packet ( 12 ) by said network endpoint device ( 10 ) further includes the steps of:
selecting a policy rule ( 26 ) that matches said network interface ( 49 ) information from a second table of policy rules ( 36 ); and applying said policy rule ( 26 ) to said IP packet ( 12 ).
17 . A method as recited in claim 1 , further including the steps of:
providing a logging device ( 42 ); conveying log information ( 50 ) to said logging device ( 42 ) by said authentication device ( 18 ); and including TCP/IP session information from said IP packet ( 12 ) and said network interface ( 49 ) said IP packet was received on in said log information ( 50 ).
18 . A method as recited in claim 1 , further including the steps of:
providing a logging device ( 42 ); conveying log information ( 50 ) to said logging device ( 42 ) by said authentication device ( 18 ); and including said identity ( 22 ) from said IP packet ( 12 ) in said log information ( 50 ).
19 . A method as recited in claim 1 , further comprising the steps of:
providing a logging device ( 42 ); conveying log information ( 50 ) to said logging device ( 42 ) by said authentication device ( 18 ); and including said policy rule ( 26 ) identity applied to said IP packet ( 12 ) in said log information ( 50 ).
20 . A method as recited in claim 1 , in which
said step of conveying of said IP packet ( 12 ) to said authentication device ( 18 ) is performed by a peer authentication management application ( 44 ).
21 . A method as recited in claim 15 , in which
said network endpoint device ( 10 ), upon receiving said IP Packet ( 12 ) from said remote network device ( 11 ), compares said IP packet ( 12 ) against entries in a second table of policy rules ( 36 ); failing to select a matching policy rule ( 26 ); and continuing with said determination the identity ( 22 ).
22 . A method comprising the steps of:
providing a TCP/IP protocol stack ( 32 ) and an authenticated session table ( 30 ) at a network endpoint device ( 10 ); receiving an IP packet ( 12 ) by said network endpoint device ( 10 ); said IP packet ( 12 ) including a TCP header ( 14 ); said TCP header ( 14 ) not including a TCP SYN bit ( 16 ); matching said IP packet ( 12 ) to a session descriptor ( 28 ) in said authenticated session table ( 30 ); and conveying said IP packet ( 12 ) to said TCP/IP protocol stack ( 32 ).
23 . A method as recited in claim 22 , in which
information in said session descriptor ( 28 ) in said authenticated session table ( 30 ) was created by an authentication device ( 18 ); and said authentication device ( 18 ) using transport access control to perform authentication.
24 . A method as recited in claim 22 , in which
information in said session descriptor ( 28 ) in said authenticated session table ( 30 ) was created by an authentication device ( 18 ); and said authentication device ( 18 ) using statistical object identification to perform authentication.
25 . A method as recited in claim 22 , in which said step of receiving of said IP packet ( 12 ) by said network endpoint device ( 10 ) further includes the steps of:
selecting a matching policy rule ( 26 ) that matches some portion of said IP packet ( 12 ) from a second table of policy rules ( 36 ); and applying said policy rule ( 26 ) to said IP packet ( 12 ).
26 . A method as recited in claim 22 , in which said step of receiving of said IP packet ( 12 ) by said network endpoint device ( 10 ) further includes the steps of:
selecting a policy rule ( 26 ) that matches said network interface ( 49 ) information from a second table of policy rules ( 36 ); and applying said policy rule ( 26 ) to said IP packet ( 12 ).
27 . A method comprising the steps of:
providing a peer authentication driver ( 46 ), a TCP/IP protocol stack ( 32 ), a network device driver ( 48 ), a network interface ( 49 ) and an authenticated session table ( 30 ) at a network endpoint device ( 10 ); said peer authentication driver ( 46 ) receiving an IP packet ( 12 ) from a TCP/IP protocol stack ( 32 ); locating a session descriptor ( 28 ) corresponding to said IP packet ( 12 ) in said authenticated session table ( 30 ); processing said IP packet ( 12 ) in accordance with said session descriptor ( 28 ); sending said IP packet ( 12 ) to said network device driver ( 48 ); and sending said IP packet ( 12 ) to said network interface ( 49 ).
28 . A method as recited in claim 27 , in which
said session descriptor ( 28 ) in said authenticated session table ( 30 ) was created by an authentication device ( 18 ); and said authentication device ( 18 ) using transport access control to perform authentication.
29 . A method as recited in claim 27 , in which
said session descriptor ( 28 ) in said authenticated session table ( 30 ) was created by an authentication device ( 18 ); and said authentication device ( 18 ) using statistical object identification to perform authentication.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.