US2020162427A1PendingUtilityA1
Methods for Internet Communication Security
Est. expiryOct 6, 2037(~11.2 yrs left)· nominal 20-yr term from priority
H04L 63/0414H04L 63/1408H04L 63/067G06F 21/566H04L 63/205G06F 21/554H04L 63/0428G06F 21/606G06F 2221/2129H04L 63/0236H04L 63/0272G06F 21/44
55
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
The present disclosure relates to network security software cooperatively configured on plural nodes to authenticate and authorize devices, applications, users, and data protocol in network communications by exchanging nonpublic identification codes, application identifiers, and data type identifiers via pre-established communication pathways and comparing against pre-established values to provide authorized communication and prevent compromised nodes from spreading malware to other nodes.
Claims
exact text as granted — not AI-modified1 - 20 . (canceled)
21 . A method for securing communication of information between a user-application and a remote computing device, comprising executing communication management operations in or in conjunction with the user-application, the communication management operations comprising:
i) negotiating an encrypted communication pathway with network security software on the remote computing device, the network security software running in a kernel of the remote computing device; ii) exchanging non-public device identification codes with the network security software via the encrypted communication pathway; iii) comparing an identification code for the remote computing device received during the exchanging with a preconfigured value for the remote computing device, to confirm that the remote computing device is authorized to send the information to the user-application; iv) receiving a message via the encrypted communication pathway, the message comprising: (a) the information; and (b) an encrypted parameter; and v) matching a decrypted form of a first portion of the parameter with a preconfigured identifier for the process, to confirm that the information originates from an authorized process on the remote computing device.
22 . The method of claim 21 , further comprising: matching a decrypted form of a second portion of the parameter with a preconfigured information type identifier.
23 . The method of claim 22 , further comprising: (a) using the preconfigured information type identifier to obtain a data definition for the information; and (b) evaluating the information to determine whether the information complies with the data definition.
24 . The method of claim 23 , further comprising: (a) using the preconfigured information type identifier to obtain an allowed range for the information; and (b) evaluating the information to determine whether the information falls within the allowed range.
25 . The method of claim 23 , further comprising: (a) using the preconfigured information type identifier to obtain a list of allowed commands; and (b) evaluating the information to determine whether the information comprises a command present on the list of allowed commands.
26 . The method of claim 21 , wherein the identification code is obtained from a network packet.
27 . The method of claim 21 , wherein the identification code is obtained from a portion of the network packet that is higher-than-OSI layer three and lower-than-OSI layer six.
28 . The product of claim 21 , wherein the communication management operations further comprise:
i) causing a network stack to send a first application identifier to the remote computing device via the pre-established communication pathway; ii) receiving, after the network stack sends the first application identifier, a second application identifier for a remote application program, the remote application program running on the remote computing device; and iii) comparing the second application identifier with a pre-established value for the second application program.
29 . The product of claim 28 , wherein the communication management operations further comprise:
i) causing the network stack to send a data type identifier to the remote computing device via the pre-established communication pathway; ii) receiving, after the network stack sends the data type identifier, the data type identifier from the remote computing device; and iii) comparing the received data type identifier with a pre-established value for the remote computing.
30 . The product of claim 29 , wherein the communication management operations further comprise:
i) causing a data packet to be transmitted from a first port to the network stack, the data packet comprising a payload and a second port number; and ii) sending a command to assemble a packet segment for the received data packet, the packet segment comprising the payload, the first application identifier, and the data type identifier.
31 . The product of claim 30 , wherein the communication management operations further comprise: translating the payload to a format expected by the second application program.
32 . The product of claim 30 , wherein the communication management operations further comprise: confirming the payload conforms to a data model pre-assigned to the data type.
33 . The product of claim 30 , wherein the communication management operations further comprise: confirming the payload conforms to a data range pre-assigned to the destination port number.
34 . The product of claim 30 , wherein the communication management operations further comprise: confirming the payload conforms to an allowed command type pre-assigned to the destination port number.
35 . The product of claim 34 , wherein the payload is translated to a pre-established format, the pre-established format determined from the data type identifier.
36 . The product of claim 33 , wherein the pre-established communication pathway has a one-to-one correspondence to an n-tuple comprising the first application identifier, the second application identifier, the second port number, and the data type identifier.
37 . The method of claim 21 , wherein the comparing is initiated in a kernel space of the computing device.
38 . A method for securing communication of information between a first application running on a first computing device and a second computing device, comprising executing communication management operations in or in conjunction with the first application and a network security program running on the second computing device, the communication management operations comprising:
i) executing application space commands to cause a network stack of the first computing device to send a nonpublic first identification code from a first computing device of the at least two networked computing devices to a second computing device of the at least two networked computing devices via a communication pathway, the communication pathway pre-established on the network; ii) receiving, after the network stack sends the nonpublic first identification code, a nonpublic second identification code from the second computing device; iii) confirming that the second computing device is an authorized computing device on the network; and iv) configuring a kernel of the second computing device to receive and to process the nonpublic first identification code and to send the nonpublic second identification code from the second computing device to the first computing device.
39 . The method of claim 38 , wherein the communication management operations are configured to obtain the nonpublic second identification code from a network packet.
40 . The method of claim 39 , wherein the nonpublic second identification code is obtained from a portion of the network packet that is higher-than-OSI layer three and lower-than-OSI layer six.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.