US2019132315A1PendingUtilityA1

Methods for Internet Communication Security

Assignee: STEALTHPATH INCPriority: Oct 6, 2017Filed: Dec 20, 2018Published: May 2, 2019
Est. expiryOct 6, 2037(~11.2 yrs left)· nominal 20-yr term from priority
H04L 63/0869H04L 63/0428H04L 9/0838H04L 2209/805H04W 4/70G06F 21/6263H04L 63/168H04L 67/12H04L 63/1441H04L 63/0236H04L 9/3228
56
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

The present disclosure relates to network security software cooperatively configured on plural nodes to authenticate and authorize devices, applications, users, and data protocol in network communications by exchanging nonpublic identification codes, application identifiers, and data type identifiers via pre-established communication pathways and comparing against pre-established values to provide authorized communication and prevent compromised nodes from spreading malware to other nodes.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A product for securing network communications, the product comprising a non-transitory computer-readable storage medium having computer-readable program code embodied therein, the computer-readable program code executable by a first computing device to perform communication management operations, the communication management operations comprising:
 i) intercepting a network connection request from a first user-application on the first computing device, the network connection request specifying a destination port number for a destination port on a second computing device;   ii) using the destination port number to identify a pre-assigned port number associated with a network security agent on the second computing device;   iii) negotiating an external network connection with the network security agent, comprising: sending a network connection request to the second computing device, the network connection request specifying the pre-assigned port number;   iv) establishing, in response to the network connection request, an internal communication pathway with the first user-application;   v) assembling network packets for data received via the internal network connection, the network packets comprising the pre-assigned port number, a first application identifier for the first user-application, a data type identifier for the data, and at least portions of the data; and   vi) transmitting the assembled network packets to the second computing device via the external network connection.   
     
     
         2 . The product of  claim 1 , wherein the communication management operations further comprise: verifying that the first user-application is whitelisted to specify the destination port in the network connection request. 
     
     
         3 . The product of  claim 1 , wherein the communication management operations further comprise: translating the at least portions of the data into a pre-established format. 
     
     
         4 . The product of  claim 3 , wherein the pre-established format is determined from the destination port number. 
     
     
         5 . The product of  claim 1 , wherein the communication management operations further comprise: determining the first application identifier and the data type identifier based on the destination port number. 
     
     
         6 . The product of  claim 1 , wherein the communication management operations further comprise: obtaining the first application identifier and the data type identifier from a non-public n-tuple present in a network security configuration file, the network security configuration file pre-installed on nonvolatile storage media of the first computing device, the n-tuple comprising the destination port number. 
     
     
         7 . The product of  claim 1 , wherein the first application identifier occupies a lower-than-OSI layer seven portion of the network packet. 
     
     
         8 . The product of  claim 1 , wherein the data type identifier occupies a lower-than-OSI layer seven portion of the network packet. 
     
     
         9 . The product of  claim 1 , wherein the first application identifier and the data type identifier are encrypted together in the assembled network packets. 
     
     
         10 . The product of  claim 1 , wherein the intercepting is initiated in a kernel space of the first computing device. 
     
     
         11 . The product of  claim 1 , wherein the communication management operations comprise authorizing the external network connection prior to the transmitting the assembled network packets, the authorizing the external network connection comprising:
 i) sending:
 a) a nonpublic first identification code for the first computing device to the network security agent via the external network connection; 
 b) the first application identifier to the second computing device via the external network connection; and 
 c) the data type identifier via the external network connection; 
   ii) receiving:
 a) a nonpublic second identification code for the second computing device; 
 b) a second application identifier for a second user-application; and 
 c) the data type identifier from the second computing device; and 
   iii) comparing:
 a) the nonpublic second identification code with a pre-established value for the second computing device; 
 b) the second application identifier with a pre-established value for the second user-application; and 
 c) the received data type identifier for the data with a pre-established value for the pre-established network communication pathway. 
   
     
     
         12 . The product of  claim 11 , wherein the sending the application identifier for the first user-application occurs in response to the receiving the nonpublic second identification code. 
     
     
         13 . The product of  claim 11 , wherein the sending the data type identifier occurs in response to the receiving the second application identifier. 
     
     
         14 . The product of  claim 11 , wherein the nonpublic second identification code and the second application identifier are received via the external network connection. 
     
     
         15 . The product of  claim 14 , wherein the second application identifier and the received data type identifier are received together in a network packet. 
     
     
         16 . The product of  claim 11 , wherein the communication management operations further comprise: obtaining the pre-established value for the second computing device from a non-public n-tuple present in a network security configuration file, the network security configuration file pre-installed on nonvolatile storage media of the first computing device, the n-tuple comprising the destination port number. 
     
     
         17 . The product of  claim 11 , wherein the communication management operations further comprise: decrypting the nonpublic second identification code with a single-use cryptographic key. 
     
     
         18 . The product of  claim 11 , wherein the nonpublic first identification code and nonpublic second identification code are shared secrets between the first computing device and the second computing device. 
     
     
         19 . The product of  claim 11 , comprising:
 i) receiving a network packet via the external network connection;   ii) parsing the network packet at predetermined locations to obtain at least one parameter;   iii) comparing the at least one parameter with at least one predetermined value, the at least one predetermined value comprising the second application identifier and the data type identifier; and   vi) passing at least a portion of a payload of the network packet to the first user-application.   
     
     
         20 . The product of  claim 19 , wherein the comparing the at least one parameter with at least one predetermined value is performed in a kernel space of the first computing device. 
     
     
         21 . The product of  claim 11 , comprising:
 i) receiving a network packet via the external network connection;   ii) parsing the network packet at predetermined locations to obtain at least one parameter;   iii) determining that the at least one parameter does not match at least one predetermined value, the at least one predetermined value comprising the second application identifier and the data type identifier; and   vi) terminating the external network connection in response to the determining that the at least one parameter does not match at least one predetermined value.   
     
     
         22 . The product of  claim 21 , wherein the determining that the at least one parameter does not match at least one predetermined value is performed in a kernel space of the first computing device. 
     
     
         23 . The product of  claim 1 , wherein a portion of the communication management operations are configured for execution in a kernel space of the first computing device, and a further portion of the communication management operations are configured for execution in an application space of the first computing device. 
     
     
         24 . The product of  claim 1 , wherein:
 i) the communication management operations further comprise: verifying that the first user-application is whitelisted to specify the destination port in the network connection request; and   ii) the intercepting is initiated in a kernel space of the first computing device.   
     
     
         25 . The product of  claim 24 , wherein the using is initiated in the kernel space of the first computing device. 
     
     
         26 . The product of  claim 25 , wherein one or more of the comparing the nonpublic second identification code with a pre-established value for the second computing device, comparing the second application identifier with a pre-established value for the second user-application, and comparing the received data type identifier for the data with a pre-established value for the pre-established network communication pathway is performed in the kernel space of the first computing device. 
     
     
         27 . The product of  claim 1 , wherein the communication management operations are transparent to the first user-application. 
     
     
         28 . The product of  claim 27 , wherein the communication management operations are transparent to the second user-application. 
     
     
         29 . The product of  claim 1 , wherein the product comprises at least one kernel loadable module. 
     
     
         30 . The product of  claim 1 , wherein the internal communication pathway utilizes a loopback interface.

Join the waitlist — get patent alerts

Track US2019132315A1 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.