US2020162428A1PendingUtilityA1
Methods for Internet Communication Security
Est. expiryOct 6, 2037(~11.2 yrs left)· nominal 20-yr term from priority
G06F 21/566H04L 63/0428H04L 63/145H04L 63/16H04L 63/067H04L 63/0414G06F 21/554H04L 63/0236G06F 2221/2129H04L 63/166G06F 21/606G06F 21/44
58
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
The present disclosure relates to network security software cooperatively configured on plural nodes to authenticate and authorize devices, applications, users, and data protocol in network communications by exchanging nonpublic identification codes, application identifiers, and data type identifiers via pre-established communication pathways and comparing against pre-established values to provide authorized communication and prevent compromised nodes from spreading malware to other nodes.
Claims
exact text as granted — not AI-modified1 - 30 . (canceled)
31 . A method for performing communication management operations to secure communications of a plurality of networked computing devices, the method comprising:
i) sending a nonpublic first identification code for the a computing device to a software port on a second computing device via a pre-established communication pathway; ii) receiving, in response to the sending the nonpublic first identification code, a nonpublic second identification code for the second computing device; iii) comparing the nonpublic second identification code with a pre-established value for the second computing device; iv) further sending a first application identifier for a first user-application to the second computing device via the pre-established communication pathway; v) further receiving, in response to the sending the first application identifier, a second application identifier for a second user-application; vi) comparing the second application identifier with a pre-established value for the second user-application; vii) confirming application data received from the second user-application conforms to a data model assigned to a predetermined port number, a data range assigned to the predetermined port number, and a command type assigned to the predetermined port number, the predetermined port number assigned to the first user-application and/or the second user-application; followed by viii) passing the confirmed application data to the first user-application.
32 . The method of claim 31 , wherein the nonpublic second identification code is obtained from a network packet.
33 . The method of claim 32 , wherein the nonpublic second identification code is obtained from a portion of the network packet that is higher-than-OSI layer three and lower-than-OSI layer seven.
34 . The method of claim 33 , wherein the comparing is initiated in a kernel space of the first computing device.
35 . The method of claim 31 , wherein the pre-established value is preprovisioned on nonvolatile storage media of the first computing device.
36 . The method of claim 35 , further comprising decrypting the nonpublic second identification code with a single-use cryptographic key.
37 . The method of claim 31 , wherein the nonpublic first identification code and the nonpublic second identification code are shared secrets between the first computing device and the second computing device.
38 . The method of claim 31 , further comprising translating, prior to the passing, the application data from a first pre-established format to a second pre-established format.
39 . The method of claim 38 , further comprising determining the first pre-established format and the second pre-established format from (a) a data model identification code assigned to the data model and/or (b) the predetermined port number.
40 . The method of claim 31 , further comprising sending the first application identifier and a data model identifier assigned to the data model to the second computing device in a single network packet.
41 . The method of claim 31 , wherein the comparing the nonpublic second identification code and the comparing the second application identifier are performed prior to any communication of application data between the first user-application and the second user-application.
42 . The method of claim 41 , further comprising:
i) receiving a data packet from a first port assigned to the first user-application, the first port hosted on the first computing device, the data packet comprising a payload and a second port number; and ii) assembling a packet segment for the received data packet, the packet segment comprising the payload, the first application identifier, and a data model identifier assigned to the data model.
43 . The method of claim 42 , wherein the pre-established communication pathway has a one-to-one correspondence to an n-tuple comprising the first application identifier, the second application identifier, the second port number, and the data model identifier.
44 . The method of claim 43 , wherein each of a series of network packet communications of user-application data between the first port and the second port comprise: transmission of a network packet to a third port, the third port assigned to network security software resident on the second computing device, the third port having a one-to-one correspondence with the second port number, the second port number assigned to the second port, the second port assigned to the second user-application, the network packet comprising the first application identifier and the data model identifier.
45 . The method of claim 44 , wherein the first application identifier and the data model identifier in the each of the series of network packet communications are encrypted by one of a series of single-use encryption keys.
46 . The method of claim 44 , wherein all communications of user-application data between the first port and the second port comprise the series of network packet communications.
47 . The method of claim 31 , further comprising
i) intercepting a network connection request from a first port assigned to the first user-application, the first port hosted by the first computing device, the request comprising a second port number; and ii) verifying that the first user-application is specifically authorized to communicate with a second port, the second port number assigned to the second port.
48 . The method of claim 47 , wherein the verifying is performed prior to forming the pre-established communication pathway.
49 . The method of claim 31 , further comprising:
i) confirming that further application data received from the first user-application conforms to a further data model assigned to a further predetermined port number, a further data range assigned to the further predetermined port number, and a further command type assigned to the further predetermined port number, the further predetermined port number assigned to the first user-application and/or the second user-application; ii) passing the confirmed further application data to the second user-application.
50 . The method of claim 31 , wherein a portion of the communication management operations are executed in a kernel space of the first computing device, and a further portion of the communication management operations are executed in an application space of the first computing device.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.