KR20160044524A - Evaluating A Questionable Network Communication - Google Patents

Abstract

It is possible to identify a questionable network address from the network communication. In one embodiment, the network device receives incoming or outgoing connection requests, web pages, email, or other network communications. The evaluation module evaluates the network communication for the corresponding network address, which may be the source or destination of the network communication. The network address generally includes an IP address. The assessment module determines one or more characteristics of the network communication, such as time of day, content type, directionality, and so on. The evaluation module then determines whether these properties match or are allowed based on the characteristics specified in the whitelist associated with the IP address.

Description

{Evaluating A Questionable Network Communication}

The invention disclosed herein relates to network security and, more particularly, to a method and apparatus for network security that may be received from a hacker, an illegal intruder, a phishing source, a virus, an email sender, and / Identification and prohibition.

Today, illegal intruders, hackers, unauthorized users, and programs that attempt to penetrate other electronic devices connected to the network through other computers, servers, firewalls, routers, PDAs, cell phones, game consoles, Devices exist. For example, a web site server, other devices, and users can send viruses, worms, adware, spyware, or other files to other electronic devices on the network. Such files may allow other devices to operate some malware that may initiate network connections to other resources such as a web server, spread viruses, acquire other viruses, ≪ / RTI > and / or take other undesirable actions. It is desirable to detect and prevent such actions.

Files are often carried by email, such as web-based email systems. While email messages typically include the sender's identifier in the "sender" field, it can be difficult to ensure that the sender identifier is valid. For example, the sender field of the phishing e-mail may include an e-mail address with the sender's domain name appearing to represent the e-mail server of a legitimate financial institution. The user may find it difficult to determine if the sender identifier is authentic. In other cases, the network device may request access to the client device to carry web pages, pop-up advertisements, or other data. The domain name of the requesting network device may indicate a server of a legitimate financial institution. Some security software provides a message with address information for the user. The user can choose whether to accept the request. However, many users may find it difficult to determine whether the address information of the caller is genuine.

Another undesirable activity is called phishing. The term phishing typically relates to attempts to obtain private and / or confidential information for illegal or unauthorized use. Typically, a deceit or deceptive organization sends one or more e-mails that contain a hyperlink to a phishing web site that allows a user to enter private and / or confidential information. Internet phishing Web sites make people believe that they are actually entering the official website of a company or other organization. These phishing websites typically achieve this by making their website look like an official website. Typical users then post private / confidential information without realizing that they have submitted information to phishing websites, and the operators can use this information for illegal or unauthorized use. Phishing Web sites typically use a uniform resource locator (URL) with a domain name that is very similar to the actual official website. Domain names are often also referred to as domain name addresses (DNA). For example, phishing Web sites use DNA, such as www.paypal.billing.com, to make people think that this address is the official Web site of Paypal, Inc. The Internet Protocol (IP) address under the domain name, which appears to be the official address, typically directs the user to a phishing web site that is not the official web site of the real company. Alternatively, the phishing website can use the official company domain name for the hyperlink, but the phishing website IP address can be used for the hyperlink. When a user clicks on a hyperlink in an email or on a web page, the user goes to the phishing website instead of the official website.

Resources on the Internet or other networks have their own unique IP address. Organizations, including corporations, private organizations, government agencies, etc., are assigned their own unique IP addresses or a range of IP addresses. This applies equally to phishing Web sites. A phishing web site, or other network node, can not forge its IP address to be someone else's official IP address due to the Internet IP network routing mechanism. In order for people to reach a phishing website, the phishing website must also have its own IP address.

Figure 1 shows a functional block diagram illustrating one embodiment of an environment for practicing the invention,
Figure 2 illustrates one embodiment of a client and / or server device that may be included in a system embodying the invention,
3 shows a structure and a communication sequence for an embodiment of the present invention,
Figure 4 shows a screen shot of an embodiment of the present invention,
Figure 5 shows the structure and communication sequence for a further embodiment of the invention,
6 is a flow diagram in which a network communication is representative of a valuation process;

The present invention may take the form of hardware embodiments only, software embodiments only, or embodiments combining software and hardware forms. The following detailed description is, therefore, not to be taken in a limiting sense.

The word "or" includes the meaning of "and / or ". The singular expressions "day" and "one" include the meaning of "plural".

As used herein, the term "client" refers to the general role of the computing module as the final processor of data or service, and the term " server " refers to the role of the computing module as data or service provider for one or more clients. Generally, a computing module acts as a client in one transaction, can request data or services, act as a server in another transaction, and can provide data or services, Can be reversed.

The term "web" is used herein to refer to one or more protocols, formats, etc., intended for use with a computing device, such as a personal computer, laptop computer, workstation, server, minicomputer, mainframe, cellular phone, personal digital assistant Data, and / or other resources that are accessible over the network in accordance with a variety of protocols, syntax, and / or other protocols. The Web protocol includes, but is not limited to, Hypertext Transfer Protocol (HTTP). These conventions include, but are not limited to, Hypertext Markup Language (HTML) and Extensible Markup Language (XML). The terms "web page" and "web data" generally refer to documents, files, applications, services, and / or services that conform to web protocols that are generally accessible using a computing device running an application, such as a general- And other data. Examples of general purpose browsers include Internet Explorer.TM. From Microsoft Corporation, Netscape.TM. From Netscape Communications Corp., and Firefox.TM. From the Mozilla Foundation. A web page is typically indexed by a search engine that has access to the web page. An example search engine is Google, Inc., of Google, Inc.

The term "URL " generally refers to a uniform resource locator, but may also include uniform resource identifiers and / or other address information. URLs typically include a protocol such as a hypertext transfer protocol (e.g., "http: //"), a host name (e.g., "news.google.com") or a domain name (e.g., "google.com" (E.g., "/ intl / en / options") and a particular file (e.g., "pack_installer.html") or query string (e.g., "? Hl = en" The term "URI" generally refers to the name or string of characters used to identify the web resource. Combined with the URL, it represents web resources over the network.

In short, embodiments of the invention evaluate a predetermined network address for a list of trusted addresses known for communication validation. A plurality of security steps are provided. In one embodiment, the top step is the IP address, the second step is the port number, and the third step is a characteristic of the communication payload. Other steps may be associated with other forms of communication. One or more steps may optionally be implemented. Each step may be associated with a user-related level required for communication approval.

Illustrative operating environment

Figure 1 illustrates one embodiment of an environment in which the present invention may operate. However, not all of these elements may be required for the practice of the invention, and variations on the arrangement and type of elements may be realized without departing from the spirit or scope of the invention.

As shown in the figure, the system 10 includes a client device 12-14, a network 15, an online service 16, and a questionable network node 17 that is not directly associated with an online service. The network 15 communicates with and enables communication between each of the client devices 12-14, the online service 16, and the questionable network node 17. The online service 16 may include one or more servers for legitimate web sites, email services, file storage services, domain name assignment services, network address identification services, and the like. The questionable network node 17 may be a client device of a dishonest user, a computer virus source, one or more servers for a web site impersonating another web site, a valid network node being threatened by a hacker, Lt; RTI ID = 0.0 > network node. ≪ / RTI > Each network node has a network address, such as an IP address unique to each network node. The network address generally also includes a port number for identifying a particular communication session, a specific resource within the network node, or other remedy for the network address for proper communication between the nodes. A true network address is required for communication with the network node. Address masking, domain name translation, and other techniques can hide the network address at various points along the communication path. However, a true network address may be derived at some point, or no communication will be made between the intended nodes.

Client devices 12-14 may include virtually any computing device capable of receiving and transmitting messages from one computing device to another, such as on-line service 16, over a network, such as network 15, from one computing device to another. A set of such devices is generally referred to as a more general purpose device and is typically connected by a wired communication medium such as a personal computer, a multiprocessor system, a microprocessor-based or programmable consumer electronics device, a network PC, Device. A set of such devices is generally referred to as a more dedicated device and is typically a cell phone, a smartphone, a pager, a walkie-talkie, a radio frequency (RF) device, an infrared (IR) device, a CB, A mobile terminal that is connected using a wireless communication medium, such as one or more combined devices, or virtually any mobile device, or the like. Likewise, the client devices 12-14 may be a personal digital assistant (PDA), a POCKET PC, a wearable computer, and any other device equipped to communicate via a wired and / Lt; RTI ID = 0.0 > a < / RTI >

Each client device in the client device 12-14 includes a user interface that allows the user to manipulate the settings and instructs the client device to perform the operation. Each client device may also include a browser application configured to receive and transmit web pages, web-based messages, and so on. The browser application can be a general application program such as SGML (Standard Generalized Markup Language), HyperText Markup Language (HTML), Extensible Markup Language (XML), Wireless Application Protocol (WAP), Handheld Device Markup Language (HDML) Text, multimedia, etc., using virtually any web-based language, including, but not limited to, HTML, JavaScript, The client device 12-14 may allow the client device to send an email message, Instant Messaging (IM), Short Message Service (SMS) messaging, Multimedia Message Service (MMS) messaging, Internet Relay Chat (IRC), Mardam- such as, but not limited to, mIRC, Jabber, and the like, as well as other communication devices that use the same or different communication modes.

The network 15 is configured to connect one computing device to another computing device for communication. The network 15 is activated to use any form of media for transferring information from one electronic device to another. The network 15 may also be connected to a local area network (LAN), a wide area network (WAN), such as a direct connection via a universal serial bus (USB) port, other forms of computer- In addition to the interface, it may include a wireless interface, such as a cellular network interface, and / or a wired interface, such as an Internet interface. On interconnected LAN sets, including those based on different structures and protocols, routers act as links between LANs, allowing messages to be transmitted from each other. Further, the communication link within the LAN typically includes a twisted wire pair or coaxial cable, and the communication link between the networks may be a cellular telephone signal over air, an analog telephone line, a full or fractional dedicated digital signal line, (DS3), Optical Carrier 3 (OC3), OC12, OC48, Asynchronous Transfer Mode (ATM), Integrated Services Digital Networks (ISDNs), Digital Subscriber Lines (DSLs), T1, T2, T3, , Satellite links, or other communication links known and / or equivalent to those of skill in the art. Moreover, the remote computer and other associated electronic devices may be remotely connected to the LAN or WAN via a modem and a temporary telephone link. In essence, the network 15 includes any communication method capable of moving information between the client device 12-14, the online service 16, and / or the questionable network node 17. The network 15 may be any of a variety of communication protocols, including Transmission Control Protocol / Internet Protocol (TCP / IP), User Datagram Protocol (UDP), WAP, Code Division Multiple Access (CDMA), Global System for Mobile Communications As shown in FIG.

The medium used to transmit information over the communication link described above generally includes any medium that can be accessed by a computing device. Computer readable media can include computer storage media, wired and wireless communication media, or a combination thereof. Additionally, computer readable media typically store and / or carry computer readable instructions, data structures, program modules, or other data that may be provided to a processor. The computer readable medium can include a transmission medium for transmitting a modulated data signal, a data signal, or other transmission mechanism, such as a carrier wave, and includes any information carrier medium. The terms "modulated data signal" and "carrier signal" include signals having one or more of the characteristics set or changed in this manner to encode information, instructions, data, By way of example, and not limitation, communication media includes wireless media such as acoustic waves, RF, infrared, and other wireless media, and wired media such as twisted pairs, coaxial cables, optical fibers, waveguides, and other wired media.

One embodiment of an electronic device is described in more detail below with reference to FIG. For purposes of discussion, a general purpose client computing device is described as an example. However, server devices, dedicated devices (e.g., cell phones), and / or other electronic devices may be used in embodiments of the invention. In this example, the client device 20 is capable of connecting to the network 15 so that the user can communicate with other network resources, such as the client device, the portal server 16, and / or the questionable network node 17 And may include any computing device. The client device 20 may include many more components than shown. However, the components shown are sufficient to disclose exemplary embodiments for the practice of the invention. Many of the components of the client device 20 may also be replicated at the server of the on-line service 16, the server of the questionable network node 17, and / or other electronic devices.

As shown in the figure, the client device 20 includes a processing unit 22 that communicates with the mass memory 24 via a bus 23. The mass memory 24 typically includes a RAM 26, a ROM 28, and other storage means. The mass memory 24 illustrates some type of computer readable medium, i.e., a computer storage medium. Computer storage media (also referred to as "computer readable media") are volatile and nonvolatile, removable and / or removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, Removable media. Other example computer storage media include, but are not limited to, EEPROM, flash memory, or other semiconductor memory technology, CD-ROM, digital versatile disk (DVD), or other optical storage, magnetic cassette, magnetic tape, magnetic disk storage, And any other medium that can be used to store the desired information and which can be accessed by the computing device.

The mass memory 24 stores a basic input / output system ("BIOS") 30 for controlling the low-level operation of the client device 20. The mass memory also stores an operating system 31 for controlling the operation of the client device 20. These components may include general purpose operating systems such as certain versions of Windows.TM., UNIX, LINUX.TM., And the like. The operating system may also include or be interfaced with a virtual machine module capable of controlling hardware components and / or operating system operations via an application program.

The mass memory 24 further includes, among other things, one or more data storage units 32 that can be used by the client device 20 to store programs 34 and / or other data. The program 34 may include computer executable instructions that may be executed by the client device 20 to implement an HTTP handler application for sending, receiving, and otherwise processing HTTP communications. Similarly, program 34 may include an HTTPS handler application for handling secure connections, such as initiating communications with external applications in a stable manner. Other examples of applications include schedulers, calendars, web services, transcoders, database programs, word processing programs, spreadsheet programs, and the like. Thus, the program 34 can process web pages, audio, and video, and can communicate with other users of other electronic devices.

Additionally, the mass memory 24 stores one or more programs for messaging and / or other applications. The messaging client module 36 may include computer executable instructions that may be run under the control of the operating system 31 to enable email, instant messaging, SMS, and / or other messaging services. Likewise, a server device that is configured to be very similar to the client device 20 may include a messaging server module 37 that provides routing, access control, and / or other server-side messaging services. The client device 20 may further include an evaluation module 38 that generally evaluates communications for valid callers, requests, and / or other data. In one embodiment, the assessment module 38 may include an appearance-prevention module that interacts with the phishing website to allow the client device 20 to identify the network address of the phishing web site, To determine if it is associated with a site. Other example embodiments include an authorization module that can check email messages, file downloads, redirects, and / or other communications. The evaluation module 38 may be implemented separately from other applications (such as a browser), and may be implemented as a plug-in to other applications (such as an email application) and may be implemented as a server application and / .

The client device 20 may be coupled to an input / output device such as a keyboard, mouse, wheel, joystick, rocker switches, keypad, printer, scanner, and / or other input device not specifically shown in FIG. And an input / output interface 40 for communication. A user of the client device 20 may utilize the input / output device to interact with a user interface that may be separate or integrated with the operating system 31 and / or programs 34-38. Interaction with the user interface includes visual interaction through the display, and the video display adapter 42.

In the case of some client devices, such as personal computers, the client device 20 may include a removable media drive 44 and / or a permanent media drive 46 for a computer-readable storage medium. Removable media drive 44 may include one or more of an optical disk drive, a floppy disk drive, and / or a tape drive. A permanent or removable storage medium may include volatile, nonvolatile, removable, and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, . Examples of computer storage media include CD-ROM 45, a digital versatile disk (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, RAM, ROM, EEPROM, Technology, or any other medium that can be used for storing the desired information and which can be accessed by a computing device.

Through the network communication interface unit 48, the client device 20 can communicate with the network 15, such as a wire area network, such as the Internet, a local area network, a wired telephone network, a cellular telephone network or other communication network, can do. Network communication interface unit 48 is often known as a transceiver, transceiver, network interface card (NIC), and the like.

Illustrative Example

To facilitate the user to remember the network address, a domain name such as www.cnn.com is associated with the numeric IP address. Domain names are often also referred to as domain name addresses (DNA). Such as a path, to specify a uniform resource identifier (URI) that is typically associated with a numeric uniform resource locator (URL) that specifies the network location of a resource, such as a markup document, image, As shown in FIG. A central database is typically used to maintain the association between the IP address and the corresponding domain name. Typically, a Domain Name Server (DNS), Internet Service Provider (ISP), or other database maintains this association. In an exemplary embodiment associated with the Internet, an organization, such as the Internet Assigned Numbers Authority (IANA) or other assigned organization maintains the association between the domain name and the IP address. , And / or other information is also associated with each IP address.

Many embodiments are possible to identify questionable network nodes. For example, an embodiment of the invention may identify a phishing web site. Two examples, though not limited to the following, are described below.

1. Phishing Web site IP address - If the phishing Web site provides the IP address directly to the client, the IP address is checked using a local database or an assigning authority. The website owner is identified by querying the IP address of the website in the local assignment database or ICANN, IANA, or other assigned organization.

2. Phishing Website Domain Name - In general, IP addresses are typically not provided directly. Instead, a domain name such as www.cnn.com is typically provided. By querying the DNS for a domain name, a corresponding IP address can be found. If this IP address is queried to a local assignment database or a database of ICANN, IANA, or other assigned organization, the website owner is identified. The skilled artisan will understand that these two steps may be accomplished by a single service.

Multiple embodiments are also possible for different applications. Three examples are described below, although not limited to the following.

A) Embedded function - The application contains an embedded function that evaluates the link in the document. For example, an email program, an IM program, or a word processing program includes a menu option or button for activating an embedded function to evaluate a link in a message or document. The user can activate the function, or the function can be automatically activated upon link detection in the document. The function accesses the address associated with the link to retrieve the IP address and port number. The function queries the local or remote assignment database to obtain the owner name and country. The function may display the owner name and country, for example, when the user places the mouse pointer over a link or at a specified screen location. The function additionally or alternatively compares the owner name and address to a database of known owners associated with the domain name. A warning is displayed at the specified screen position or on the mouse.

B) Browser Display - Similarly, the browser can provide one or more new fields that have been modified directly or with a plug-in, provided the web page rendered by the browser or the IP address owner name associated with the current URL, and the country Show. Additionally, the browser may generate visual, audible, or other alerts if the owner of the current domain name does not match the known owner name and country for that domain.

C) Online Services - A user may submit a URL or domain name to the online inquiry service via the web page field, and may receive the domain name owner real name and country. Online services risk accessing the URL to obtain an IP address. The online service may return the IP address to the submitting user's client for further evaluation. Alternatively, the online service may determine the owner name and country and may compare this information to a database of known owner names and countries corresponding to the submitted domain names. The online service then sends the owner name and country to the submitting user's client. If the domain name is not associated with the domain name owner real name and country, the online service or client web page will alert the user.

Additional details for owner and country decisions are now provided. (For example, for IP V4 or V6) IP addresses are generally assigned in a delegated manner. The user can be assigned an IP address by the ISP. An ISP generally obtains an assignment of an IP address from a local Internet registry (LIR), from a national Internet registry (NIR), or from one or more appropriate local Internet registries (RIRs).

African Network Information Center (AfriNIC) - Africa (http://www.afrinic.net/)

Asia Pacific Network Information Center (APNIC) - Asia / Pacific (http://www.apnic.net/)

American Registry for Internet Numbers (ARIN) - North America (http://www.arin.net/)

Regional Latin-American and Caribbean IP Address Registry (LACNIC) - Latin America and some Caribbean Islands (http://lacnic.net/en/index.html)

RIPE NCC (Reseaux IP Europeens) - Europe, Middle East, and Central Asia (http://www.ripe.net/)

Registry organizations typically operate a server that maintains an association between a domain name and an IP address. These servers are often referred to as "whois" (Whois) servers. By querying one or more of the above website servers, the IP address owner name and country can be found. The query can be performed by the browser sending an HTTP request to the appropriate server to get a response. Alternatively, a client browser database or other local or cache database can easily and quickly make queries, including one or all of the databases of the "whois" server. Once the owner and / or country is identified, the user or automation process can determine whether the website is a real or phishing web site.

Similar to the DNS database, the public whois database may not be fully trusted. The owner of a phishing Web site can register in the whois registry to use the registry for himself. To prepare for this potential problem, a local database can be used to supplement or replace information from public "whois" servers to improve the discretion of the owner's name. For example, a legitimate company name may not be clearly recognized from the "whois" server. The supplemental database can provide more precise information about the company, such as unique code, along with the IP address. In another example, a legitimate financial institution, company, or government organization can be individually verified and authenticated before being added to this supplemental database.

In some situations, the IP address identifies a proxy server, a network address translation (NAT) server, a firewall, and / or other network intermediaries. To identify the true IP address of a suspicious phishing website (or other illegal resource), the network intermediary device, its owner, or other authorized entity checks one or more intermediate mapping tables, log files, and / or other mapping data do. From this meson mapping data, the authorized entity maps the time stamp and / or the TCP port number to the internal IP address information. The internal IP address may be checked with an internally assigned name to determine the name, location, and / or other internal information. Such internal information acquisition generally involves collaboration from an Internet service provider, from a network intermediary owner, and / or from another source. This additional internal information may be provided to the client or to the trust assessment service to determine whether the website is valid or a phishing web site.

In one embodiment, the log file or mapping data may have the following information for a reverse lookup:

1. Time stamp

2. Internal / local data, such as internal IP addresses for potential phishing websites, potential hacker accounts, internal files, and / or other internal resources

Source and / or destination IP address, source and / or TCP / UDP port number, and / or other data identifying the mapping information for the potential phishing website, potential hacker account, and / External network data such as. For example, the intermediary gateway log file may include a source IP address and source TCP port number when a spammer sent an email with a link to a phishing web site. The log file may also include a destination IP address and a destination port number when the email message was transmitted. Likewise, the log file may include an intermediate gateway log file, which may include the source IP address and source TCP port number when the hacker attempts to access the destination IP address and destination port number. Often, port number 80 or 443 is used. If such a port number does not come back, the link may be associated with a phishing web site. Conversely, if the effective web site intentionally uses a port number other than 80 or 443, and the returned port number is 80 or 443, then the corresponding link may be associated with the phishing web site.

3 illustrates a structure, communication sequence, and method for an embodiment of the present invention. All of the modules shown are not required to be embodiments of the invention, or additional modules may be included for other embodiments. In various embodiments, some modules may be combined, and other modules may be divided into a plurality of modules.

In this example embodiment, this structure includes a client 20a that communicates over the public Internet 15a to an IP address web server 17a corresponding to a phishing web site. The client 20a includes an operating system 31 that communicates with the Internet 15a and communicates with the TCP / IP stack 33. [ The TCP / IP stack 33 communicates with the web browser 34a in communication with the look-around module 38a. The anti-phishing module may include a network address database 50, which may be a local database of the client 20a, or may be a remote network database, such as a network address registry database available over the local network or the Internet 15a Communication. The network address database 50 typically stores the IP address and the relationship between the domain name and its owners.

A user of the client 20a may receive the email containing the link and view the link of the web page rendered by the browser 34a. The link may be valid, but the user may not be sure of the validity of the link. The user can position the mouse pointer over the link or select a link. In one embodiment, the user can call the anti-phishing module 38a for link checking by positioning the mouse pointer over the link and pressing the right button of the mouse to select a menu option. In another embodiment, the user may simply select a link. The following discussion describes an embodiment in which a user selects a link via the web browser 34a. However, the practitioner will be aware of messaging services such as e-mail, and / or other applications may be used. Similarly, the operator will recognize that a manual check of the link may be performed via the available menu options when the right mouse button is pressed.

In the example embodiment of the present example, the browser 34a detects the user's selection of the link and sends a request for the corresponding web page in the communication step 101. This request is first sent to the TCP / IP stack 33, which parses the link URL into an IP address. URL analysis may require access to a network address registry database, an Internet Service Provider (ISP), or other source that associates a URL with a corresponding IP address. However, if the IP address from such a source is obscured or not, it can be misdirected. It also does not necessarily get the port number by analyzing the URL. To ensure that a true IP address and port number are obtained, the TCP / IP stack 33 sends a request via the operating system 31a in the communication step 102, and in the communication step 103, Establish a TCP connection to the questionable network node 17a.

The questionable network node 17a (e.g., the corresponding server) returns the requested web page in the communication step 104. [ The exact IP address and port number of the phishing website will also be returned. The client operating system 31a receives the web page, the address and the port number and hands this information to the TCP / IP stack 33 in the communication step 105. The TCP / IP stack passes the web page to the browser 34a in the communication step 106. [ In the communication step 107, the browser requests an IP address and a port number from the TCP / IP stack. For example, the browser can call the GetIPAddressByName object or the GetHostByName object. The TCP / IP stack returns the IP address and port number to the browser in the communication step 108.

The browser 34a then passes the IP address, port number, and URL (or domain name or hostname) to the anti-phishing module 38a in the communication step 109. [ The anti-phishing module uses this information in the communication step 110 to request an owner name, country, and / or other identification data (if available) from the database 50. The database 50 sends back the requested information to the anti-phishing module 38a in the communication step 111. [ The anti-phishing module 38a may pass this information directly to the browser 34a for display. However, in one embodiment, the anti-phishing module 38a determines whether the owner name and country match the information known for the domain name of the URL. If a match is found, then the anti-phishing module sends an instruction in communication step 112 for browser 34a to display a warning.

4 illustrates a screen shot of a web page 200 for one embodiment of the present invention. In this example, the phishing website pretends to be the official website of a company such as Paypal, Inc. A uniform resource locator (URL) 202 is shown in the browser address field. URLs were accessed via hyperlinks from unsolicited email. The IP address associated with the domain name of the URL is 68.142.234.59. The associated IP address owner name 204 and country 206 are displayed near the domain name address shown in the browser address field. The user, anti-phishing plug-in, and / or other decision module compares the owner name and country to the domain name to determine if it is genuine. Some comparisons are relatively easy. For example, if the IP owner name is the name of an unknown organization or individual, and the domain name indicates a well-known company, there may be a weighted decision against the IP owner being the real owner of the domain name. Likewise, if the country of the IP owner is a country that has a history of counterfeiting activities or is far from the home country of a known company, there may be additional weightings against which the IP owner is the real owner of the domain name. The IP address may simply be compared to a known IP address or a known company address range. The weighting information can lead to a determination that the IP address is a phishing web site rather than a real web site.

As shown in FIG. 4, the web page 200 looks like a web page of Paypal, Inc. IP owner 202 is displayed as a valid company, Inktomi, Inc. However, the IP address associated with the domain name of www.paypay.com is 216.113.188.67. A large organization may have many IP addresses, and thus it may be unclear whether the IP address is owned by a valid organization. The country 206 associated with the IP address of the URL is also valid as US. Therefore, additional information can be used. In this example, Paypal, Inc. Is owned by Ebay, Inc., a company not associated with Inktomi, Inc. Therefore, the illustrated website is likely to be a phishing web site. An optional alert 208 is displayed in a different browser field, in a pop-up window, and / or otherwise.

Additional Illustrative Embodiment

In an IP network, such as the Internet, a connection or session between two nodes is generally made using an IP address and a TCP / UDP port number. Any node knows its own and the IP address and port number of the other node. A port is typically the endpoint of a network node. The port number represents a concrete communication session, a concrete function, a concrete resource, or another entity within such a network node. Port numbers are generally divided into three ranges: Well Known Ports, Registered Ports, and Dynamic and / or Private Ports. Well-known ports are generally allocated by an allocation service such as IANA. Registered ports can optionally be registered for demanding purposes. A dynamic or private port may be used by a network node, in general, for communication that is frequently changed and / or for private use.

For an outbound connection request to another node, the client uses the IP address and port number of the other node. As with the client, for outbound connections, the requester will identify its IP address and port number. If an intermediate node is used, such as an Internet Service Provider server, the intermediate node will typically know the IP address and port number of each node. For example, the server will typically know the IP address and local port number of both the requesting node and the client node, and thus the intermediate server can relay the communication between the requesting node and the client node.

Likewise, for file downloads initiated by a server or client, an IP address and port number are known. For example, in the case of a download from a web site or other network service, the IP address and port number of the network node providing the file may be determined from the public or local allocation database, as discussed above. In some situations, the IP address and port number may be that of a valid, trusted network node. However, a hacker can access trusted nodes and attempt to distribute viruses or other undesirable files. In this case, an embodiment of the invention evaluates the payload of the communication. In one embodiment, the evaluation module evaluates the payload of the packet to determine and check the payload data for the category identifier indicating the allowable data. In another embodiment, the evaluation module may evaluate the overall file extension, the file creator, the creation date, and / or other properties of the file to be transmitted, to determine whether the file should be blocked and / or an alert should be generated. For example, downloading a new document from a trusted network node may be acceptable, but not downloading executable code. One or more category codes may be associated with the IP address and port number of each trusted node to indicate this type of payload data, download file, or other data allowed.

The IP address, port number, and category code are stored in a file, database, and / or other data source that identifies trusted network nodes and files if valid and / or otherwise. These data sources are often referred to here as whitelists. A white list is generally distinguished from a black list that specifically identifies an address, node, data source, or other information that is to be blocked or otherwise untrusted. For example, the whitelist used in certain embodiments of the invention does not include an IP address for an unauthorized network node or any anonymous proxy server.

The whitelist may be a subset of the IANA WHOIS database. This can identify legitimate financial institutions, reputable websites, reputable download websites, reputable anti-virus company websites, and / or network nodes of other service providers only. Such a service provider may include an ISP. Thus, the whitelist can be modified during installation or otherwise to include IP addresses and other information associated with one or more Internet service providers. The service provider may need to access client devices or other Internet nodes that the client node needs to access or some other network node that authorizes access to certain devices for a particular function. Additionally, the whitelist may include the name, domain name, category code, and other information of the address owner. The whitelist can be stored at the client, at the server providing the file, at the intermediate node of the communication, or at the neutral node, which is not a direct part of the communication between the two end nodes. Multiple white lists may be used in a single or multiple nodes to accommodate obscured network addresses, proxy servers, and the like. For example, multiple whitelists can be distributed across various routers or other nodes to perform an intermediate check as messages, web pages, or other communications travel along the communications path.

Embodiments of the invention may be implemented to provide multi-level security. The first step is the IP address. The second step is the port number. The third step is the category. Other steps may be associated with other types of communication. Depending on the application requirements, one embodiment may apply various levels of evaluation. One embodiment may only perform the first stage evaluation by checking the whitelist for the trusted IP address. For higher security, one embodiment may set the evaluation level in the evaluation module.

Other information in the whitelist may include a security rating used to indicate whether user interaction is required. For example, in the case of the highest security rating, the evaluation module will automatically perform the evaluation and make all the decisions. In the case of different security classes, user interaction may be required to perform communications, file downloads, or other actions associated with questionable network nodes. In the case of the lowest security class, the evaluation module can automatically block communications, file downloads, or other accesses. Additionally or alternatively, the security level can be identified or individually determined while checking the communication. For example, if the IP address, port number, and category code match the values in the whitelist, the evaluation module may display a high security rating. If the IP address and port number match, but the category code does not match, then the evaluation module can determine the intermediate security rating and request a user indication of how to proceed. If the IP address and port number do not match the values in the whitelist, then the evaluation module can determine the lowest security rating. The evaluation module and / or other applications may take other actions depending on the security level.

There are a plurality of scenarios in which the evaluation module identifies the high-risk network node. Some examples include, but are not limited to:

1. In the case of an outbound connection request, such as a visit to a Web site, FTP (File Transfer Protocol) site or other network node, the IP address and port number of the destination node are checked. If the IP address and port number of the destination node are not in the whitelist, or are otherwise considered high, the evaluation module blocks the connection, warns, requires user approval, requests additional authentication of the destination node , Or perform other specified actions. If the user has to approve the connection, the IP address, port number, and / or other information of the destination node will be added to the whitelist.

2. In the case of an outbound connection request, the IP address of the requesting node and the local device port number are checked against the whitelist. This may cause an intruder, hacker, or other unauthorized user to stop obtaining access to the receiving device. The receiving device (or intermediate node) may deny the connection, issue an alert, request a user acknowledgment, request additional authentication of the requesting node, or perform another specified action. If the user has to approve the connection, the IP address, port number, and / or other information of the requester node will be added to the whitelist.

3. For file transfer, the source node can be checked before downloading the file. Conversely, before the file is sent to the questionable node, the destination node can be checked. As discussed above, the IP address, port number, and file type are checked against the whitelist. Similar to the connection scenario, the evaluation module may block file transfers, require user authorization, require additional authentication of the requesting node, or perform other specified actions. If the user must approve the file transfer, the IP address, port number, and / or other information of the questionable node will be added to the whitelist. The file extension will also be stored in the category with the corresponding IP address, port number, and / or other information.

5 illustrates a structure, communication sequence, and method for a further embodiment of the present invention. Not all of the modules shown for the practice of the invention may be required, or additional modules may be included for other embodiments. In various embodiments, some modules may be combined and the other module may be divided into multiple modules. Exemplary embodiments are discussed in connection with the following structure.

In this example embodiment, the architecture includes a client 20b that communicates over the public Internet 15b to the IP address of a network node 317 that corresponds to a website, FTP site, or other Internet service. Client 20b includes an operating system 31b that communicates with the Internet 15b and communicates with the TCP / IP stack 333. The TCP / IP stack 333 communicates with the Internet network application 34b in communication with the authorization module 38b. The Internet network application 34b may be an email application or other application that may be used to prevent communication that sucks a hacker, virus, or other undesirable entity. The authorization module communicates with the local database 350, which may communicate with the client 20b or may be included in the client 20b. Local database 350 generally includes a whitelist that stores associations between IP address, TCP / IP number, category, security rating, domain name, its owner, and / or other data.

Example Scenario 1: Outbound connection

In the present exemplary embodiment, a user of the client 20b may initiate an Internet connection to, for example, a web site. Internet network application 34b, in communication step 301, detects a user request for a connection. This request is first forwarded to the TCP / IP stack 333 to identify the domain name or URL as an IP address. Domain name discovery may require DNS access. However, the IP address from the DNS may be obscured or otherwise misdirected. The TCP / IP stack 333 sends a request to the operating system 31b in the communication step 302 and the operating system makes a TCP connection to the network node 317 via the Internet in the communication step 303.

The network node 317 (e.g., the corresponding server of the web site) sends back the request in the communication step 304. The exact IP address and port number of the network entity come back together. The client operating system 31b receives the IP address and port number and passes this information to the TCP / IP stack 333 in a communication step 305. [ The TCP / IP stack passes control to the application 34a at the communication step 306. The application program may determine the category code of any file or other data received from the network node 317. [ In communication step 307, the application requests an IP address and port number from the TCP / IP stack. For example, a network application can call the GetIPAddressByName object or the GetHostByName object. The TCP / IP stack sends back the TCP / IP address and port number to the application in a communication step 308.

The network application 34b then passes the IP address, port number, category code, and other information to the authorization module 38b in the communication step 309. [ The authorization module checks the database 350 using this information. The authorization module may send a search request to the database 350 having an IP address, a port number, a category code, and other information in the communication step 310. The database 350 may perform a search to determine whether the IP address and other information is included in the white list of trust information. The database 350 may also determine the owner, country, security code, and / or other information associated with the IP address. The database 350 sends back the requested information to the authorization module 38b in the communication step 311. [ Based on whether the IP address and port number are in the whitelist, the authorization module may send an alert message to close the connection, to reject the received information, to wait for a user decision, and / The command can be sent.

Example Scenario 2: Inbound Connection

The network node 317 may request a connection to the client 20b in the communication step 304. [ The client operating system 31b receives this request including the IP address and port number of the network node 317. [ This request typically also includes the port number of the network application 34b to identify the network application 34b with the resource that the network node intends to contact. The request may further include a file name or other information for the data desired by the network node. The operating system hands this information to the TCP / IP stack 333 in a communication step 305. The TCP / IP stack passes this information to the Internet network application 34b in a communication step 306. [

The network application 34b then passes the IP address, port number, and other information to the authorization module 38b at the communication step 309. [ The authorization module may determine the category code for the information requested by the network node 317. The authorization module can check the database 350 using this information. The authorization module may send a search request to the database 350 having an IP address, a port number, a category code, and other information in the communication step 310. The database 350 may perform a search to determine whether the IP address and other information is included in the white list of trust information. The database 350 may also determine the owner, country, security code, and / or other information associated with the IP address. The database 350 sends back the requested information to the authorization module 38b in the communication step 311. [ The authorization module 38b may pass this information directly to the network application 34b. Based on whether the IP address and port number are in the whitelist, the authorization module may determine in step 312 whether to close the connection, to reject the received information, to send out a warning message, to wait for a user decision, and / Or to take another specified action.

Example scenario 3: Messaging

If the network application 34b is a messaging service, such as, for example, an email client such as Microsoft Outlook.TM., It may check incoming email headers. In the header, there is an "Origination" field with the IP address and port number of the originating email device. The header may include other information such as the IP address of the device associated with the CC recipient, an optional attachment indication of the received email, and / or other data. The network application 34b may determine the category code of any attachment. The network application then passes the IP address, port number, and other information to the authorization module 38b at step 309 of communication. The authorization module may use this information to determine whether the email sender is trusted. Specifically, the authorization module sends to the database 350 the IP address and port number (and category code, if available) in the search request at step 310 of communication. The database checks the IP address and port number in the whitelist. The database may also retrieve domain names, email function codes, security ratings, and / or other data (if available). The database 350 sends back the search results to the authorization module 38b in a communication step 311. [ The authorization module 38b may pass this information directly to the email network application 34b. Based on whether the IP address and port number are in the whitelist, the authorization module may send an email deletion, an email redirection (e.g., to the trash), an alert transmission, a user indication wait, and / Can be transmitted.

In particular, exemplary embodiments of the present invention may include an Internet email system using a Simple Mail Transfer Protocol (SMTP). In the case of Internet email, SMTP is used for mail delivery or retrieval. This is usually done via an intermediate mail server. Upon receipt of the email, the mail server will receive the IP address and TCP / UDP port number of the originating mail client. The mail server will add the sender's IP address in the "From" field of the email header. As described above, the IP address can be verified.

Another embodiment of this verification may also include reverse DNS lookup by the mail server to authenticate the email sender's domain name. Some mail servers use domain information to block spam emails. Spam prevention can use domain information to check the mail server domain and / or the client sender domain. However, as discussed above, domain information may be obscured. Using DNS discovery or without DNS discovery, embodiments of the present invention can validate an email sender by checking the actual IP address of the email against the whitelist database. Nevertheless, additional information such as owner and country may be checked from domain information obtained from the IP address information in the email header. Additional reliability can be obtained by using domain search to ensure that the received IP address is associated with the domain indicated in the received email address. For example, the authorization module may use the IP address from the email header to retrieve the whitelist and use the domain assignment service to determine the domain name associated with the IP address. The authorization module can then compare the determined domain name to the domain name specified in the "Origination" field of the email message. If the domain name does not match, the message may be illegal. Despite the fact that the IP address and port number from the message match the values in the whitelist, a different domain name may indicate that the hacker has accessed the trusted network node, and the trust It can be indicated that the network node is being used.

If the email is forwarded / relayed by another SMTP server, the recipient email client will also check that the forwarding / relaying mail server is trusted. If the email header is incomplete or the delivery / relay mail server can not be used for caller identification, the authorization module may delete the email or take other actions as discussed above.

Also, in the case of SMTP email, the sender uses an email domain such as xxxx@msn.com. With these domain names alone, there is no easy way to identify whether this email comes from a member of a major organization in MSN, such as an accounting or administrative department, or from a regular MSN user. The ability to determine these levels of detail is a function that a financial institution or other organization desires.

To solve this problem, outgoing e-mail services can establish multiple IP addresses for a given department. Some IP addresses may be for normal users. The remaining IP addresses may be used for dedicated users and / or other dedicated purposes. In this way, financial institutions or other organizations can send financial information emails to customers. Additionally or alternatively, a TCP / IP port can be used to support this functionality. This is useful when a limited IP address is available for Internet mail services. In another embodiment, the communication may include sub-organizational codes and / or may be added to the whitelist database to identify sub-organizations or other email classifications. Likewise, a functional code may be included in the communication to indicate the communication purpose, and / or a function code may be added to the whitelist database. The client device of the customer can use the embodiment of the present invention to authenticate the sender and check the acceptable organization code and / or function code to distinguish the valid email from the phishing email.

As in the alert display for phishing websites, the email client may provide a display field. The email client may also provide a menu option for ratification control. When the user receives the email, the menu options and / or display fields enable the user to identify the email sender, sub organization, and / or other functions / data. In one embodiment, the recipient email client will automatically compare the sender's IP address, port number, and domain name to a local whitelist database. If the IP address of the sender (e.g., based on the sender or RECEIVED field of the email), port number, and / or domain name is not in the database, or is different from the entry in the database, It can be indicated that it may not come from the sender appearing at the address. Alternatively, the user can activate this menu option to perform this check, display information about the email or sender, and / or perform other operations.

In some embodiments, the whitelist has one or more of the following characteristics in addition to the well-known organization IP address. A key advantage of the whitelist described is that IP addresses used for bi-directional communication (e.g., as part of a TCP / IP session) are difficult or impossible to fake. Although it is possible for the intruder or other to spoof the source IP address in the packet, such spoofing is generally not available in the TCP / IP category which requires bidirectional communication for session establishment. Thus, by utilizing the IP address obtained from the network stack, the described techniques can identify network communications of questionable reliability with a high degree of reliability.

Additionally, if a questionable IP address is added to the blacklist, the whitelist provides an advantage over the blacklist in that an unauthorized user of the above IP address only moves the intrusion to another computing system operating with a different IP address . In a world where crime organizations operate the entire network of compromise machines, it is trivial that these organizations deliver their unauthorized activity (eg, spamming) from one machine to another.

The described techniques may also function in a plurality of discrete levels within a given computing system. For example, the described techniques may utilize information received or obtained from the operating system kernel, the network stack, and the application. For example, the authorization module 38b (FIG. 5) may be configured to communicate with an application level (e.g., an email header field received from an email client), a network level (e.g., an IP address received from a TCP / IP stack) , Permission settings received from the operating system kernel).

The described techniques also provide an infrastructure or framework for implementing security at different levels of the computing system. For example, a whitelist or similar structure may have an operating system kernel, a network stack, and information or properties used in the implementation of security or authorization facilities within one or more applications.

The whitelist may have an IP address associated with geographic information. One type of geographic information is based on a local Internet registry that has assigned a specific IP address. As discussed above, the IP address is assigned by a local Internet registry, such as ARIN, APNIC, LACNIC, AfriNiC, RIPE NCC, Given an IP address, it is possible to determine which local Internet registry has assigned an IP address, and thus to determine the area associated with the IP address (e.g., continent or country). The regional registry may further support queries to provide more detailed geographic information, such as country, state, or city associated with the country or IP address. Other sources of geographic information include commercial or public geographic services and whois databases that are configured to provide fine-detail geographic information, including country, state, city, latitude / longitude, zip code,

By using the geographical information, access to the user of the specified area can be restricted. For example, the government may restrict access to IP addresses located within the government or jurisdiction of that government. As another example, an IP address for certain areas may be flagged as dangerous, based on a high level of computer crime that operates from these areas. As another example, an e-commerce computing system (e.g., a banking system, an online shopping system) may only allow customer access from an IP address associated with the same geographic area in which the customer resides (e.g., city, state, country). For example, if a particular customer resides in Seattle, a particular e-commerce system may only allow access to customer accounts from IP addresses assigned to Washington or the United States. Also, in the case of a highly secure organization, such as a government or military, an organization can only access certain geographic locations and block other locations (e.g., China).

The whitelist takes a different form in different embodiments. A white list may exist on the public Internet and / or private internal network. Whitelists can be created for private internal networks in a manner similar to that used over the public Internet. For example, a bank may have a whitelist that associates a customer's Internet IP address with a particular bank account. On the customer side, the bank account holder may have a whitelist that includes the internal IP address of the bank's computing system. Also, a plurality of lists may reside on a single device. For example, one whitelist for inbound traffic and one for outbound data. Additionally, each network interface card (NIC) may have its own white list. Additionally, the whitelist can be generated statically (e.g., specified) or dynamically. For example, in the case of a web site, a dynamic list may be generated based on the received IP address information. Later accesses can then be compared based on the list, and therefore, questionable communication can be identified, such as when the website URL is differentiated from the IP address stored in the list.

The whitelist may have one or more of the following fields or properties listed in Table 1 below. Each field may be associated with one or more of the following: one or more of the following: an allowed communication direction (e.g. upload, download, transmit or receive), an allowed communication time period (e.g. between 8 AM and 11 PM), an authorized program / process (e.g. Internet Explorer) The above allowable communication characteristics are displayed. In another embodiment, the table may also include an indication of an unacceptable communication characteristic, such as an unacceptable time period (e.g., from noon to 4 am), an unauthorized communication port (e.g., port 80 commonly used for HTTP) Instead, include.

Field / property Description / Function IP address and mask Identify a permitted IP address or IP address range. For an internal network, the IP address may be an internal (private) IP address. Port number Identify allowed port numbers or ranges, and present acceptable features such as FTP, Telnet, HTTP, and so on Blocking status Allow or deny access from the corresponding address Category Codes / Data Types Display data of allowed types from communication, such as executable code, scripts, macros, audio, video, images, text files, direction Defines allowed communication directions such as upload, download, reception, and transmission. High security devices may, for example, disallow inbound connections. Security rating Elevation - Specifies the security level associated with the IP address, such as security, security, generic, non-secure, high-risk, Sub organization code Specifies a subset of IP addresses in the organization. For example, an organization can divide IP addresses into subgroups, such as one group for the Web and another group for Telnet. URL / URI The organization official URL associated with the IP address. Often, HTTP redirects can redirect to very similar URLs that host phishing websites for fools, for example. As another example, an HTTP link within an email may look like a legitimate URL. The URL that appears in the communication can be compared to the organization URL to determine whether the communication is questionable. Moreover, URI checking can provide additional protection. Domain name Available for domain name matching. An email address has a domain name that can be verified. Geographic location Country code, city, detailed address, zip code, etc. This can be used to limit access to a given geographic location. Network interface number This is for multi-network interface (NIC) devices. Process name or signature Specifies which programs access the network or communicate with a given IP address. The program can be identified by name, location, or signature / hash (eg, MD5, SHA1, etc.). Interactive / batch mode Many malicious programs will be run in batch or non-interactive mode. This can prevent a virus program accessing the email account from sending or receiving data. This mode can be determined in a variety of ways, such as checking whether there is an active console, a UI window, an interactive input device (e.g., a mouse), etc. Access time Specifies the time or period during which network access is allowed. This will prevent malicious code running during unexpected times (e.g., last night). Number of connections Limit the number of connections that can be made to the network. This can be used to prevent denial of service attacks. Access control Specifies the type of operations that can be performed in relation to the corresponding IP address, including read, write, execute, and so on. These access rights are either operating system specific or application specific. Some applications may provide access that is distinct from that of the subsystem. For example, in a messaging application, sending message transmissions may require access that is distinct from reading incoming messages. User / group identifier An identifier (e.g., user name, account number, user number) of the authorized user or user group that will use the corresponding IP address. For authentication purposes, the user identification, password, and IP address and / or port number may be verified. Inbound / Outbound Inbound traffic can have different security requirements than outbound traffic. Each may have separated the white list.

The above fields can be combined in various ways. For example, referring to FIG. 1, when a client 12, 13, 14 initiates an outbound connection, a process name, an access time window, a batch / interactive processing, a destination IP address, a URL / URI, (If appropriate), security rating, upload / download, category code, or payload type. In some embodiments, when either of these items does not match the corresponding entry / field in the whitelist, the connection may be disallowed. In another embodiment, the user may be notified by the user by sending a message (e. G., E-mail) describing the questionable communication, by presenting a pop-up window / dialog,

As another example, when the client 12, 13, or 14 receives an inbound connection, the IP address and port number of the remote device, the program (process name) serving (e.g., listening on the port) Access Time You can check one or more of Windows, batch or interactive processes, URL / URI or domain name (if appropriate), security rating, upload / download, category code, or payload type.

Such a whitelist may also include an entry that identifies a generally secure system or service, such as a well known company with good security practices. In the case of such a system (e.g., identified by an IP address or domain name), it may be safe to allow access, download, or upload of any type of data.

If the device has already been infected by a malicious code such as a virus, the described technique checks the program name (eg, process name), access time window, payload type, batch or interactive mode, Thereby preventing access to the network. This can prevent the virus from spreading to other devices. If the virus tries to open another program, such as a web browser, that already exists on the list of allowable processes for accessing the online email account to export the data, then the access time window and batch mode check may be done, for example, By disallowing the browser program, you can still stop it.

In some embodiments, malicious or questionable email may be detected in the following manner. First, an authorization module associated with an email client may extract a source email address (e.g., source@hostname.net) from the sender field in the email header. In malicious e-mail, the source e-mail address is often forged and may appear to come from a friend or other known person. The authorization module then determines the first IP address based on the source e-mail address, for example, by performing a domain name search using the host name (e.g., hostname.net) extracted from the source e-mail address. Next, the authorization module will extract the second IP address from the RECEIVED field in the email header. The RECEIVED field is typically inserted by the recipient's SMTP server and contains the actual source IP address of the originator's SMTP server. The authorization module then compares the match of the first and second IP addresses. If not, then the email is not real and the sender may be able to forge the source email address and take appropriate action, such as notifying the user, rejecting the email, refusing to render the image, markup language, or code .

FIG. 6 is a flow chart illustrating a network communication is a evaluator process 600. FIG. This process may be performed by the same module as the evaluation module 38 executed by the computing system 20 (FIG. 2).

The process begins at block 602 and accesses a whitelist that specifies acceptable communication characteristics for the trusted network address. The whitelist access may include receiving, querying, retrieving, or otherwise processing the whitelist. In some embodiments, the whitelist includes rows or entries, each containing a trust network address associated with an indication of one or more acceptable network communication characteristics, as described in Table 1 above.

At block 604, the process determines the IP address corresponding to the network communication. The IP address determination may include requesting an IP address from a TCP / IP stack or other communication module in the computing system. The IP address may be a source or a destination IP address. Typically, if the communication is an inbound connection, the source IP address is checked, and if the communication is outbound, the destination IP address is checked. In other scenarios, the IP address can be determined in other ways, for example, by querying the DNS server with the domain name associated with the network communication. The domain name may be determined by reference to, for example, a URL, an email message, an email address,

At block 606, the process determines a first communication characteristic associated with the network communication. The first communication characteristic determination includes a determination of one of the properties described in Table 1. [ For example, a process may determine properties such as time of day, direction of communication, data payload type, and so on. The process may, for example, query the geo-location information service with an IP address and receive the geographical location associated with the network communication by receiving it in response to an indication of the location (e.g., city, state, country, zip code) associated with the IP address You can decide.

At block 608, the process determines a second communication characteristic that is an acceptable communication characteristic associated with the IP address by the white list. The second property determination may include searching for an IP address in the whitelist and retrieving a communication characteristic associated with the first communication characteristic associated with the IP address. For example, if the first communication characteristic is a time of day, the process may search for an acceptable communication period in the whitelist. If the first communication characteristic is a geographic location, the process may search for an acceptable geographic location in the whitelist.

At block 610, the process determines whether the first communication characteristic is included in the second communication characteristic. The determination of whether the first communication characteristic is included in the second communication characteristic may include determining whether the second property encompasses the first property or not. For example, if the second property is an acceptable country (e.g., Washington State), the second property may be the same as the first property if the first property is the same as or within the allowed country (e.g., Washington, Seattle, If the second nature is an allowable time period (e.g., between 6 am and 11 pm), the first property is that the first property (e.g., 10 pm) , It is included in the time period.

In some embodiments, the determination of whether the first property is included in the second property includes determining whether the two properties match. A property match may include performing an equivalence check for equality between two strings, numbers, or other data types. In some cases, coincidence may be a strict uniformity check, while in other cases, as in case-independent string matching, an approximation may be sufficient.

At block 612, the process provides an indication of the acceptability of network communications. Providing an acceptability indication may include notifying the user (e.g., via a dialog box or another pop-up window), sending a message (e.g., email), recording the indication in the log, returning a value to another process or code block, .

Some embodiments may provide additional or alternative functionality. One embodiment performs user authentication as may appear in a web category. Existing authentication method uses user name / password combination. Some embodiments may also utilize one or more of the above-described techniques in conjunction with a username / password combination technique. For example, some embodiments may check the IP address in addition to the username and password. As an IP address is assigned and unique on the network, it can not be easily manipulated by others. Thus, if a hacker stole a user's username and password, the hacker would not be able to get into the account because the hacker would not have the correct IP address. Port numbers and other properties (e.g., time of day, geographic area) may also be included in the authentication scheme. Many, if not all, of these properties can be determined without user involvement, intervention, or interaction. For example, the IP address can be determined directly with reference to the TCP / IP stack.

In addition, current Internet service providers can use network address translation (NAT) or proxy services, allowing many users to share the same IP address. Some embodiments include a NAT / proxy service that assigns a static TCP port number corresponding to an internal IP address managed by the NAT / proxy module, such that each internal IP has the same external IP address but has a unique, (E. G., Provided by a router or gateway). ≪ / RTI >

Some embodiments extend the process of FIG. 6 to perform the following additional operations: receiving a first IP address and port number from the TCP / IP stack of the computing system; and sending a uniform resource locator ) / Uniform resource identifier (URI), and by querying the assignment database that correlates the owner name with the IP address, by querying the first IP address received from the TCP / IP stack, the first name associated with the first IP address Determining a second name associated with the URL / URI by querying the assignment database for correlating the owner name with the domain name, by querying the domain name of the URL / URI associated with the network resource; Whether the number is included in the designated whitelist of the trusted network address and whether the first name is included in the second name On the basis of whether the match, the method comprising: setting an indication information to allow or disallow the communication operation.

Some embodiments provide a communication control system including a communication interface including a TCP / IP stack for communicating with a network resource, a memory for storing instructions, and a processor in communication with the communication interface and the memory, The processor is further configured to receive a specified whitelist of trusted network addresses that does not include addresses for unauthenticated network nodes and includes, for each trusted network address, one or more of the acceptable communication characteristics Determining a first Internet Protocol (IP) address corresponding to the network communication, determining a first communication characteristic associated with the network communication, and determining a first communication characteristic associated with the first IP address in an entry in the whitelist corresponding to the first IP address Lt; RTI ID = 0.0 > communication < / RTI > Evaluating network communication in relation to a whitelist by determining whether the first communication characteristic is included in a second communication characteristic, determining whether the first communication characteristic is included in the second communication characteristic, Establishing an indication that network communication is not allowed in response to determining that the first communication characteristic is included in the second communication characteristic; and setting an indication that network communication is allowed in response to determining that the first communication characteristic is included in the second communication characteristic, .

U.S. Patent Application No. 11 / 712,648 (now U.S. Patent No. 8,621,604), entitled "Evaluating a Questionable Network Communication, " filed on February 28, 2007, U.S. Patent Application No. 11 / 470,581, entitled " Identifying A Network Address Source For Authentication ", U.S. Patent Application No. 60 / 714,889 entitled " Identifying A Network Address Source For Authentication " filed on September 6, 2005, The entire contents of all documents mentioned herein, including, but not limited to, U.S. Patent Application No. 60 / 783,446, entitled " Identifying A Network Address Source For Authentication, "filed March 17, .

The above specification, examples, and data provide a complete description of the manufacture and use of the components of the invention. For example, a digital certificate may be used for authentication, encryption may be used for communication, and other features may be included. However, other embodiments will be apparent to those skilled in the art. Since many embodiments of the invention can be made without departing from the spirit and scope of the invention, the invention resides in the claims hereinafter appended.

Claims (15)

CLAIMS What is claimed is: 1. A method for communication control in a computing system, the method comprising the steps of: evaluating network communication,
The network communication evaluation includes:
Receiving a specified whitelist of trusted network addresses that does not include addresses for unauthenticated network nodes and includes, for each trust network address, one or more of the allowable communication characteristics; Possible communication characteristics include, but are not limited to, indications of allowable geographical locations, indications of allowable programs, indications of allowable access times, indications of allowable users, indications of allowable data types, Includes multiple of the items -
Determining a first Internet Protocol (IP) address corresponding to the network communication;
Determining a first communication characteristic associated with the network communication;
Determining a second communication characteristic that is an acceptable communication characteristic specified by an entry in the whitelist corresponding to the first IP address;
Evaluating the network communication with respect to the white list by determining whether the first communication characteristic is included in the second communication characteristic;
Setting an indication that the network communication is disallowed in response to determining that the first communication characteristic is not included in the second communication characteristic;
In response to determining that the first communication characteristic is included in the second communication characteristic, establishing an indication that network communication is allowed.
Communication control method. The method according to claim 1,
Wherein the allowable communication characteristics in the whitelist include an indication of an acceptable geographic location for each network address in the whitelist,
Determining a geographic location associated with the first IP address by querying the geographic location information provider;
Determining whether a geographic location associated with the first IP address matches or is included in the geographic location indicated as acceptable by the entry in the white list
Communication control method. The method according to claim 1,
Wherein the allowable communication characteristics in the whitelist include, for each network address in the whitelist, an indication of a program allowed to communicate via the network address, wherein the indication of the program includes a program name and a program code And a hash of the hash function,
Determining a communication program running on the computing system and participating in the network communication;
Further comprising the step of determining whether the communication program is consistent with a program indicated as acceptable by an entry in the whitelist
Communication control method. The method according to claim 1,
Wherein the allowable communication characteristic in the whitelist includes an indication of allowable access time for each network address in the whitelist,
Determining a time at which the network communication is being performed;
Determining whether the determined time is equal to or included in the access time indicated as acceptable by the entry in the white list
Communication control method. The method according to claim 1,
Wherein the allowable communication characteristic in the whitelist includes an indication of an allowable user for each network address in the whitelist,
Determining a user associated with the network communication;
Further comprising the step of determining whether the determined user matches or is included in the user indicated by the entry in the white list as acceptable
Communication control method. The method according to claim 1,
Wherein the allowable communication characteristics in the whitelist include an indication of an acceptable data type that is one of executable code, script, macro, audio, video, image, and text for each network address in the whitelist and,
Determining a data type corresponding to data communicated over the network connection;
Further comprising determining whether the determined data type matches a data type indicated to be acceptable by the entry in the white list
Communication control method. The method according to claim 1,
Wherein the allowable communication characteristics in the whitelist include, for each network address in the whitelist, an indication of whether a non-interactive program is allowed to communicate via the network address,
Determining a communication program executing on the computing system and participating in the network communication;
Further comprising determining whether the communication program is operating in an interactive or non-interactive mode
Communication control method. The method according to claim 1,
Further comprising the step of evaluating the authenticity of an e-mail message having a sender header field specifying a source e-mail address to be inserted in the sender system and a RECEIVED header field being inserted by the recipient SMTP server,
Determining the first IP address based on the RECEIVED header field,
Determining a second IP address by performing a domain name search based on the source email address;
Determining whether the first and second addresses match, and if not, setting an indication that the email message has a manipulated source address
Communication control method. The method according to claim 1,
Wherein the network communication is in an internal network, the first IP address is an IP address of the internal network
Communication control method. The method according to claim 1,
The network communication is initiated via a received TCP / IP connection request
Communication control method. The method according to claim 1,
The network communication is initiated through an outgoing TCP / IP connection request
Communication control method. The method according to claim 1,
Wherein the allowable communication property in the whitelist includes an indication of an allowable user and an access control for each network address in the whitelist,
Determining a user associated with the network communication;
Determining user access control associated with the network communication;
Determining at least one of a user IP address and a port number;
Determining whether a determined user, a user access control right, and a user IP address / port number match or are included in the entry in the whitelist
Communication control method. The method according to claim 1,
Wherein the first IP address is an IP address associated with the customer computing device,
Determining whether the first IP address is associated with an identifier corresponding to the customer by the whitelist;
Determining whether a geographic location associated with the first IP address is included in the geographic location associated with the first IP address by the whitelist
Communication control method. 14. A non-transitory computer readable medium comprising executable instructions for causing a computing device to perform the method of any one of claims 1 to 13. A communication interface including a TCP / IP stack for communicating with a network resource,
A memory for storing instructions,
A communication control system including a processor communicating with the communication interface and the memory,
Wherein the processor is configured to evaluate network communication by performing the method of any one of claims 1 to 13,
Communication control system.

Images