CN117203942A - Method and execution unit for supervising connections in a computer network - Google Patents

Publication number: CN117203942A
Authority: CN (China)
Application number: CN202180097210.5A
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Prior art keywords: unit, execution unit, client, computer, address
Inventors: 奥马尔·安森, 艾琳娜·贝列佐夫斯基, 帝玛·库兹涅佐夫, 纳坦·布罗什坦
Current and original assignee: Huawei Cloud Computing Technologies Co Ltd (assignee list as given by Google Patents; not legally verified)

Classifications

    • H04L 63/0236: Network security; firewalls; filtering policies; filtering by address, protocol, port number or service, e.g. IP address or URL
    • H04L 63/0263: Network security; firewalls; filtering policies; rule management
    • H04L 63/101: Network security; controlling access to devices or network resources; access control lists [ACL]
    • H04L 61/4511: Addressing or naming; network directories, name-to-address mapping; using standardised directories or directory access protocols; using the domain name system [DNS]

Abstract

A method for supervising connections in a computer network (100, 200) is provided. The computer network (100, 200) comprises one or more client units (202A-N), one or more host units (108A-N, 206A-N) and an execution unit (106, 306) that monitors connections in the computer network and allows or denies them according to a dynamic rule set. The method comprises detecting a message from an address resolution unit (403) and obtaining an IP address from the message; checking that the message was sent in response to a request, carrying a hostname, from a first client unit of the one or more client units; and adding to the dynamic rule set a new rule that allows a connection between the first client unit and the IP address only if the message is found to be a response to that request and the IP address corresponds to the hostname.

Description

Method and execution unit for supervising connections in a computer network
Technical Field
The present invention relates generally to a method of supervising connections in a computer network comprising one or more client units, one or more host units and an execution unit, and more particularly to an execution unit for use in a computer network in which a client computer may connect to a plurality of host computers.
Background
Every online operation exchanges data between one or more devices, each with its own IP address, and a host server. To conserve and remap IP addresses, network address translation (NAT) is used: all devices behind the NAT share one external public IP address. When a packet arrives from a device, the NAT records which device sent it and replaces the device's address with the public address before forwarding the packet; response packets arriving at the public address are mapped back to the device on the provider's internal network. NAT does not by itself allow connections from the Internet to a device, because from the outside only the public address is visible and the internal destination is unknown; packets sent from a device to an external server may also be lost. Legitimate connections on the Internet are based on hostnames: the client learns the IP address of the desired host from a response received from a name server.
A predefined (hard-coded) IP address allows anyone, including cyber criminals, to connect directly from the Internet to a device, and lets requests flow to the device without restriction, including spam and attempts to take control of it. Connections to predefined IP addresses typically stem from errors in the implementation or design of the software that uses them, from malware, or from darknet activity: malware attempts to connect to a known remote server, and botnets of remotely controlled devices can launch threats that antivirus controls do not contain. For such connections security is unclear, the connection is neither supervised nor enforced, and functions that rely on hard-coded IP addresses are not needed and should be blocked. Within an organization, traffic to predefined IP addresses cannot be enforced on the basis of a hostname.
Accordingly, there is a need to address the above-described technical deficiencies in existing systems or techniques when performing connections in a computer network.
Disclosure of Invention
It is an object of the present invention to provide a method of supervising connections in a computer network comprising one or more client units, one or more host units and an execution unit for use in the computer network, wherein a client computer may be connected to a plurality of host computers while avoiding one or more of the disadvantages of the prior art methods.
This object is achieved by the features of the independent claims. Other implementations are apparent in the dependent claims, the description and the drawings.
The present invention provides a method of supervising connections in a computer network comprising one or more client units, one or more host units and an execution unit for use in the computer network, wherein a client computer may be connected to a plurality of host computers.
According to a first aspect, there is provided a method of supervising connections in a computer network comprising one or more client units, one or more host units and an execution unit that monitors connections in the computer network and allows or denies them according to a dynamic rule set. The method includes detecting a message from an address resolution unit, the message including an IP address, and obtaining the IP address from the message. The method includes checking that the message was sent in response to a request from a first client unit of the one or more client units and that the IP address corresponds to the hostname specified in that request. The method includes adding to the dynamic rule set a new rule that allows a connection between the first client unit and the IP address only if the message is found to be a response to the request and the IP address corresponds to the hostname.
The method thus binds the IP address used for a connection to the hostname in the client's request. A connection cannot be made to a hard-coded IP address, whether it stems from an error, a darknet address or an unregistered malware server address, which improves security. Security can be improved further by adding hostname-based blacklists and whitelists and DNS server blacklists and whitelists, which supports malware protection.
Optionally, the checking includes verifying that the execution unit received the request before the message.
The new rule may include a time frame defining the period in which the rule is valid; the method optionally includes disabling the new rule after that period.
The new rule may include a maximum number of data packets; the method optionally includes disabling the new rule after that number of data packets has been received for the connection.
Optionally, the method includes disabling the new rule once the firewall unit has received an outbound data packet from the client computer to the host.
The execution unit is optionally located in a firewall unit that monitors connections between the one or more client units and the one or more host units. Alternatively it may be located in the first client unit and implement the new rule as a hook in the computer function that initiates a connection with a host, or in a local server in the local network that comprises the one or more client units.
According to a second aspect, a computer program product is provided for use in a monitoring unit in a network, wherein a client device is connectable to one or more host devices. The arranged monitoring unit allows or denies the connection according to the dynamic rule set. The computer program product comprises computer readable code which, when run in a processor, will cause the monitoring unit to perform the method.
The computer program product does not require any manual intervention, as the computer program product comprises an automatic mechanism in the computer network for allowing or rejecting connections according to a dynamic rule set.
Optionally, the computer program product comprises a non-transitory memory storing the computer readable code.
According to a third aspect, there is provided an execution unit for use in a network in which a client device is connectable to one or more host devices. The execution unit is arranged to allow or deny connections according to the dynamic rule set and comprises a control unit for executing the method.
Optionally, the execution unit is included in a firewall unit and monitors connections between the client computer and the one or more host units; the control unit may be adapted to monitor those connections.
Optionally, the execution unit is included in the first client computer; the control unit may be adapted to implement the new rule as a hook in the computer function that initiates a connection with the host.
Optionally, the execution unit is included in a local server unit in the local network that comprises the client computer; the control unit may then be located in that local server.
The execution unit enforces that the IP address of a connection is the one returned for the requested hostname, which improves the security of the client computer. To do so, the execution unit tracks the requests and responses in the computer network.
According to a fourth aspect, there is provided a computer network comprising one or more client computers, one or more host computers and a firewall unit for monitoring traffic between the one or more client computers and the one or more host computers and blocking unwanted traffic. The network comprises an execution unit for executing the above method.
This solves the technical problem of the prior art that Internet connections based on predefined IP addresses pose security risks to organizations.
Thus, with the method and the execution unit provided by the present invention, a connection in a network can be supervised and enforced to be bound to a hostname, which improves security.
These and other aspects of the invention will be apparent from the implementations described below.
Drawings
An implementation of the invention will now be described, by way of example only, with reference to the accompanying drawings.
FIG. 1 is a block diagram of an execution unit for use in a computer network according to an implementation of the present invention.
Fig. 2 is a block diagram of a computer network including one or more client computers, one or more host computers, and a firewall unit according to an implementation of the invention.
Fig. 3A is an exemplary diagram of information flow in a computer network when an execution unit is located in a client computer, according to an implementation of the invention.
FIG. 3B is an exemplary diagram of a response flow from an execution unit according to an implementation of the invention.
FIG. 4 is an interaction diagram of event streams received from client computers in a computer network in accordance with an implementation of the present invention.
FIG. 5 is a flow chart of a method of supervising connections in a computer network according to an implementation of the invention.
FIG. 6 is an illustration of an exemplary computing device in which the various architectures and functions of the various previous implementations may be implemented.
Detailed Description
An implementation of the present invention provides a method of supervising connections in a computer network comprising one or more client units, one or more host units and an execution unit in the computer network for supervising connections in the computer network.
In order that those skilled in the art will more readily understand the solution of the present invention, the following implementation of the invention is described in conjunction with the accompanying drawings.
Terms such as "first," "second," "third," and "fourth" (if any) in the summary, claims, and drawings of the invention are used to distinguish between similar objects and not necessarily to describe a particular order or sequence. It is to be understood that the terms so used are interchangeable under appropriate circumstances such that the implementations of the disclosure described herein are, for example, capable of operation in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprise" and "have," and any variations thereof, are intended to encompass non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to the particular steps or elements recited, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
FIG. 1 is a block diagram of an execution unit 106 for use in a computer network 100 according to an implementation of the invention. Computer network 100 includes a client computer 102, a communication network 104 and one or more host computers/units 108A-N, and is communicatively connected to the execution unit 106. Execution unit 106 lets client computer 102 connect to the host computers 108A-N and allows or denies each connection according to the dynamic rule set. The execution unit 106 comprises a control unit 107 arranged to detect a message from the address resolution unit; the message includes an IP address, which the control unit 107 obtains from the message. The control unit 107 checks that the message was sent in response to a request from a first client computer (e.g. client computer 102) of the one or more client computers/units and that the IP address corresponds to the hostname specified in the request. The control unit 107 then adds a new rule to the dynamic rule set. The new rule allows a connection between the first client computer and the IP address only if the message is found to be a response to the request and the IP address corresponds to the hostname.
The execution unit 106 binds each connection to the IP address returned for the requested hostname and thereby improves security: only that IP address is allowed as the connection target, so the connection cannot use a hard-coded IP address stemming from errors, darknet activity or unregistered malware server addresses. The execution unit 106 further improves security with hostname-based blacklists and whitelists and DNS server blacklists and whitelists; this mechanism supports malware protection. The execution unit 106 processes and monitors connections automatically and can allow or deny connections between the client computer 102 and the one or more host units 108A-N.
The address resolution unit may be a name server or a local file (such as a hosts file). A message may also arrive without the client computer 102 having initiated any request, for example when it is sent maliciously; such a message does not match any request and therefore creates no rule. The hostname may belong to any one of the one or more host computers 108A-N.
The control unit 107 optionally checks that the execution unit 106 received the request before the message. The request may be a domain name system (DNS) request for the requested hostname, and the response a DNS response seen by the execution unit 106. The requested hostname may belong to any one of the hosts 108A-N. The execution unit 106 tracks the DNS requests and DNS responses leaving or entering the computer network 100.
The dynamic rule set is dynamic and temporary, being derived from the data in DNS responses, and each new rule may likewise be dynamic and temporary. A new rule may include a time frame defining the period for which it is valid, and the control unit 107 may deactivate it after that period. A new rule may include a maximum number of data packets, and the control unit 107 may deactivate it once that number of data packets has been received for the connection. The control unit 107 may also deactivate the new rule when the firewall unit receives an outbound data packet from client computer 102 to the host. In this way the computer network 100 opens pinholes only for IP addresses that are known to belong to a hostname, and enforces that the client device connects to the hostname.
The execution unit 106 may be located in a firewall unit and monitor the connections between client computer 102 and the one or more host computers 108A-N; client computer 102 then connects to the host computers 108A-N through execution unit 106, which allows or denies each connection according to the dynamic rule set. The execution unit 106 comprises a control unit that supervises the connections, may use an enforcement mechanism to monitor them, and decides on the basis of the responses observed in the computer network 100.
The computer network 100 may include a mechanism that records a requested hostname by sniffing hostname lookups, records the response IP addresses detected in messages, verifies that each response matches a request, and updates the execution unit 106 to allow or deny the connection. This mechanism binds a connection to an IP address to the hostname or domain of the corresponding host computer 108A-N.
The execution unit 106 sniffs hostname lookups from the local client; the local client may be a local DNS server. The lookup may be observed by a hook in a firewall, in getaddrinfo, or in a local DNS server. A firewall hook may use iptables, eBPF or netfilter. The execution unit 106 may provide different granularity and resolution: process-based and session-based enforcement of hostname-based connections, or global, system-wide enforcement. Execution unit 106 may thus provide fine-grained control across all processes.
When a DNS response is received from the local client, the execution unit 106 associates the response IP address with the message and updates itself. The update may be applied through a firewall or through a hook attached to the connect system call. Execution unit 106 may be located in client computer 102 and implement the new rule as a hook in the computer function that initiates the connection to the host. Optionally, the execution unit 106 is included in the first client computer and the control unit 107 executes the mechanism.
A new rule may be bound to a specific process, carry a timeout, or carry a matching constraint. The timeout may be a default value or the time to live (TTL) provided by the DNS server. The matching constraint may limit an IP address to a determined number of uses or to a determined number of sessions. Matching constraints apply to several protocols, including transmission control protocol (TCP) sessions and user datagram protocol (UDP) sessions; a UDP session is detected by its five-tuple.
Optionally, the execution unit 106 in the computer network 100 (where the client computers 102 may be connected to one or more host computers 108A-N) includes a control unit for executing the mechanisms.
Optionally, the computer network 100 includes one or more client computers, one or more host computers 108A-N, and a firewall unit for monitoring traffic between the one or more client computers and the one or more host computers 108A-N and blocking unwanted traffic.
FIG. 2 is a block diagram of a computer network 200 according to an implementation of the invention. The computer network 200 includes one or more client computers/units 202A-N, a communication network 204, one or more host computers 206A-N and a firewall unit 208. The firewall unit 208 monitors the traffic between the client computers 202A-N and the host computers 206A-N and blocks unwanted traffic. The computer network 200 also includes an execution unit.
Fig. 3A is an exemplary diagram of the information flow when an execution unit 306 is located in a client computer 302, according to an implementation of the invention. The diagram includes the client computer 302 (with a client application 304 and the execution unit 306), a firewall unit 308, a local DNS server 310 in an internal network 314, and a DNS server 312 in an external network 316. The client computer 302, or any of several clients, sends a request to the computer network using client application 304; the request may be information or a message including an IP address. The internal network 314 receives the request from the client application 304 and is communicatively connected to the local DNS server 310 and the firewall unit 308. Local DNS server 310 may forward the request to external network 316 through firewall unit 308, which is the gateway between internal network 314 and external network 316. External network 316 is communicatively coupled to DNS server 312: it passes the request to DNS server 312, which returns a response. Local DNS server 310 then sends the response received from DNS server 312 to client computer 302. Execution unit 306 in client computer 302 sniffs the requests and responses in order to monitor connections and to allow or deny them according to the dynamic rule set.
Fig. 3B is an exemplary diagram of the response flow at execution unit 306 according to an implementation of the invention. Client computer 302 looks up a host. The host may be "server. The execution unit 306 observes the lookup, e.g. a DNS lookup of the host. Local DNS server 310 returns an IP address in response to the lookup from client computer 302. Execution unit 306 creates a local rule for the IP address in the dynamic rule set and sets triggers according to its configuration. If a rule already exists, execution unit 306 updates it in the dynamic rule set; the new rule overwrites the existing one.
Client computer 302 then sends a request to the IP address using client application 304. DNS server 312 receives the request and sends a response to client computer 302; execution unit 306 receives the response and passes it to client application 304. If the trigger condition of a local rule occurs, execution unit 306 deletes the rule, and once the rule is deleted execution unit 306 discards further data packets from client application 304 that matched it.
Fig. 4 is an interaction diagram of the event flow from a client computer 401 in a computer network in accordance with an implementation of the present invention. In step 402, client computer 401 looks up a host, such as "server. In step 404, the lookup is performed at address resolution unit 403, using either a DNS server or a hosts file. In step 406, client computer 401 is connected to execution unit 405; address resolution unit 403 may hand the resulting IP address to execution unit 405. The page's example address is 179.285.71.74, an illustrative placeholder rather than a routable address, since the octet 285 is outside the IPv4 range. In step 408, client computer 401 connects to the host at that IP address through execution unit 405. In step 410, execution unit 405 adds the new rule to the dynamic rule set, for example: Process "Client device" > 179.285.71.74: ACCEPT.
In step 412, if the lookup result carries a TTL, execution unit 405 sets timeout 407 to that TTL. In step 414, if the DNS record carries no TTL, execution unit 405 sets timeout 407 to a predefined interval. In step 416, client computer 401 requests the connection to the IP address through execution unit 405, and in step 418 execution unit 405 establishes the connection to the IP address. In step 420, if there was no TTL, execution unit 405 deletes the rule, so that the IP address can be used only once:
Delete rule: Process "Client device" > 179.285.71.74: ACCEPT
In step 422, execution unit 405 forwards the request for the IP address to server 409. In step 424, server 409 returns the response to execution unit 405. In step 426, the connection is established and execution unit 405 forwards the response received from server 409 to client computer 401. In step 428, when timeout 407 is reached, the rule is deleted. In step 430, client computer 401 sends additional data packets to the IP address, and execution unit 405 discards them.
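The event flow of FIG. 4 (steps 402 to 430), written out as an added example in Python; this is not code from the patent or from the applicant. It models the execution unit as a firewall-side dynamic rule set: sniffed lookups are recorded, a response installs a pinhole only if it matches an outstanding request for the same hostname from the same client, and a rule is deleted on TTL expiry, after a single use when the record has no TTL (the predefined-interval case of steps 414 and 420), or after an optional packet budget. Client names, transaction identifiers, the TEST-NET addresses and the timestamps are constructed test data, and the 60-second default timeout is an assumption taken from the "about 60 seconds" mentioned later in the description.

```python
"""Added example (not the patent's own code): the execution unit of FIG. 4
modelled as a firewall-side dynamic rule set keyed by (client, ip)."""
from dataclasses import dataclass
from typing import Optional

DEFAULT_TIMEOUT = 60.0  # assumed default lifetime when the DNS record has no TTL


@dataclass
class Rule:
    client: str
    ip: str
    hostname: str
    expires_at: float
    one_time: bool            # True when the response carried no TTL
    max_packets: Optional[int]
    packets: int = 0


class ExecutionUnit:
    def __init__(self, hostname_blacklist=()):
        self.pending = {}      # (client, txid) -> requested hostname
        self.rules = {}        # (client, ip) -> Rule
        self.hostname_blacklist = {h.lower().rstrip(".") for h in hostname_blacklist}

    @staticmethod
    def _norm(name):
        return name.lower().rstrip(".")

    def on_dns_request(self, client, txid, qname):
        """Sniffed lookup from a client: remember what it asked for (step 402/404)."""
        self.pending[(client, txid)] = self._norm(qname)

    def on_dns_response(self, client, txid, qname, answers, now, max_packets=None):
        """Sniffed answer for a client.  answers: list of (ip, ttl or None).
        Returns the rules added; an unsolicited or mismatching response adds none."""
        expected = self.pending.pop((client, txid), None)
        qname = self._norm(qname)
        if expected is None or expected != qname or qname in self.hostname_blacklist:
            return []
        added = []
        for ip, ttl in answers:
            rule = Rule(client, ip, qname,
                        expires_at=now + (DEFAULT_TIMEOUT if ttl is None else ttl),
                        one_time=ttl is None, max_packets=max_packets)
            self.rules[(client, ip)] = rule      # an existing rule is overwritten (step 410)
            added.append(rule)
        return added

    def allow_packet(self, client, ip, now):
        """Gate an outbound packet from client to ip against the dynamic rule set."""
        rule = self.rules.get((client, ip))
        if rule is None:
            return False                         # no lookup preceded this destination
        if now >= rule.expires_at:
            del self.rules[(client, ip)]         # timeout 407 reached: rule deleted (step 428)
            return False
        rule.packets += 1
        if rule.one_time or (rule.max_packets is not None and rule.packets >= rule.max_packets):
            del self.rules[(client, ip)]         # trigger condition: delete the rule (step 420)
        return True
```

The unsolicited-response branch is the check of the method's step 506: a response whose transaction identifier or hostname does not match a recorded request, which is how a spoofed or injected answer looks to the sniffer, creates no rule, and a packet to an address that no lookup returned (a hard-coded IP) is dropped. In a real firewall the (client, ip) key would be the pinhole's 5-tuple and the packet budget would be enforced by connection tracking rather than by counting in user space.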
FIG. 5 is a flow chart of a method of supervising connections in a computer network according to an implementation of the invention. The computer network includes one or more client units, one or more host units, and an execution unit that monitors connections in the computer network and allows or denies them according to a dynamic rule set. In step 502, a message from an address resolution unit is detected; the message includes an IP address. In step 504, the IP address is obtained from the message. In step 506, it is checked that the message was sent in response to a request from a first client unit of the one or more client units and that the IP address corresponds to the hostname specified in that request. In step 508, a new rule is added to the dynamic rule set. The new rule allows a connection between the first client unit and the IP address only if the message is found to be a response to the request and the IP address corresponds to the hostname.
The method thus binds the IP address used for a connection to the hostname in the request. A connection cannot be made to a hard-coded IP address stemming from an error, a darknet address or an unregistered malware server address, which improves security. Security can be improved further by adding hostname-based blacklists and whitelists and DNS server blacklists and whitelists, which supports malware protection.
The method tracks the requests and responses in the network and requires no manual intervention, since it is an automatic mechanism in the computer network that allows or denies connections according to the dynamic rule set.
Optionally, the checking includes verifying that the execution unit received the request before the message.
The new rule may include a time frame defining the period in which it is valid, and the method optionally includes disabling the new rule after that period. The new rule may include a maximum number of data packets, and the method optionally includes disabling the new rule once that number of data packets has been received for the connection.
Optionally, the method includes disabling the new rule once the firewall unit has received an outbound data packet from the client device to the host. The execution unit may be located in a firewall unit that monitors the connections between the one or more clients and the one or more hosts.
Optionally, during initialization, the computer network adds the external DNS server (a remote host) to the rules that allow outgoing traffic. The following rule allows the local DNS server to reach an external DNS server over UDP port 53:
iptables -A OUTPUT -d <DNS SERVER> -p udp --dport 53 -j ACCEPT
The local DNS server forwards each DNS request to the external DNS server and receives the response. It then updates the local firewall with a rule specific to the outgoing traffic that the response permits, as follows:
iptables -A OUTPUT -d <IP address from response> -m owner --pid-owner <PID> -j ACCEPT
Note that --pid-owner belongs to the old ipt_owner module; the xt_owner match of current Linux kernels offers only --uid-owner, --gid-owner and --socket-exists, so on a modern kernel a per-process rule has to be scoped another way, for example with the cgroup match or with the system call hooks described later in this description.
The owner PID may be found by scanning /proc/<PID>/net for the connection (e.g. the UDP connection) to the local DNS server. The local DNS server creates a timer for the TTL field, or falls back to a default timeout. The default timeout is the time a UDP connection remains open in the local DNS server and in the computer network; typically it is about 60 seconds.
After receiving the response from the external DNS server, the local DNS server forwards it to the client computer. When the client computer connects to the remote host, the connection matches the newly added pinhole rule. When the client computer sends further data packets in the same session, the existing connection matches the dynamic rule set and the computer network allows them. The local DNS server may include a netfilter queue handler that supports matching constraints: it examines the events in the netfilter queue and deletes the relevant rule from the dynamic rule set once a matching data packet has been seen.
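The parsing that the local DNS server performs on the response, together with the rule and the timer it derives from it, as an added example in Python (not the patent's or any project's code). It decodes a DNS response on the wire, including compression pointers and a CNAME chain, keeps only IN A records that belong to the queried name or to a CNAME target seen in the same answer section, and renders the OUTPUT rule in the form the description writes it. The --pid-owner match is kept as the description gives it even though the xt_owner match of current Linux kernels no longer provides it (only --uid-owner, --gid-owner and --socket-exists), so on a modern kernel the rule would need another process-scoping mechanism. The DNS message, the names, the TEST-NET addresses and the PID 4242 are constructed test data; the 60-second default is the typical value the description mentions.

```python
"""Added example (not the patent's own code): decode a DNS response, extract
the A records with their TTLs, and derive the pinhole rule and its timer."""
import ipaddress
import struct

DEFAULT_TIMEOUT = 60          # assumed default when the record has no usable TTL


def _read_name(msg, off):
    """Decode a (possibly compressed) domain name; return (name, next offset)."""
    labels, end, seen = [], None, set()
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2                          # name ends after the pointer
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if ptr in seen:
                raise ValueError("compression loop")
            seen.add(ptr)
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)


def parse_response(msg):
    """Return (txid, queried name, [(ipv4, ttl), ...]) for a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    qname = None
    for _ in range(qdcount):
        name, off = _read_name(msg, off)
        off += 4                                       # QTYPE, QCLASS
        qname = qname or name
    owners = {qname}                                   # names an A record may belong to
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata_off, off = off, off + rdlen
        if rclass != 1 or name not in owners:
            continue                                   # not IN, or unrelated to the query
        if rtype == 5:                                 # CNAME: its target may carry the A record
            owners.add(_read_name(msg, rdata_off)[0])
        elif rtype == 1 and rdlen == 4:
            answers.append((str(ipaddress.IPv4Address(msg[rdata_off:off])), ttl))
    return txid, qname, answers


def pinhole_rules(ip, pid):
    """The OUTPUT rule of the description (add command and matching delete command)."""
    match = "-d %s -m owner --pid-owner %d -j ACCEPT" % (ip, pid)
    return ("iptables -A OUTPUT " + match, "iptables -D OUTPUT " + match)


def rule_timeout(ttl):
    """Seconds until the local DNS server deletes the rule."""
    return ttl if ttl else DEFAULT_TIMEOUT


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_response(txid, qname, records):
    """Constructed test data: a response whose answer owners equal to the
    question name use a compression pointer (0xC00C) back to offset 12.
    records: (rtype, owner, ttl, value) with value a name for CNAME, an IPv4 for A."""
    msg = struct.pack("!6H", txid, 0x8180, 1, len(records), 0, 0)
    msg += _encode_name(qname) + struct.pack("!HH", 1, 1)
    for rtype, owner, ttl, value in records:
        owner_bytes = b"\xc0\x0c" if owner == qname else _encode_name(owner)
        rdata = _encode_name(value) if rtype == 5 else ipaddress.IPv4Address(value).packed
        msg += owner_bytes + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg
```

Restricting accepted A records to the queried name and its CNAME targets is what "the IP address corresponds to the hostname" means at the wire level: an answer section that smuggles in an A record for an unrelated name must not open a pinhole for it.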
The execution unit may alternatively be implemented using library function hooks. A library function hook processes the intercepted function calls, events or messages to allow or deny connections from the client computer. Hooks can be installed on getaddrinfo, connect and sendto. The connect, sendto and sendmsg hooks may use seccomp-eBPF. The connect and sendto hooks may need to store the IP address, the PID and a timeout timestamp in an eBPF map. If the rule already exists in the dynamic rule set, the computer network overwrites it with the same rule, which refreshes it. In getaddrinfo, the IP address for the given hostname is looked up. When no TTL is given, the IP address can be marked for one-time use. getaddrinfo then returns the IP address to the client computer.
The client computer then connects to the remote host through the computer network, passing through the hooks. The hooks may be placed on system calls such as connect, sendto or sendmsg, or on operating system services. The computer network looks up the destination IP address and PID in the eBPF map. If the timeout timestamp has elapsed, the computer network may delete the rule from the dynamic rule set; the lookup then fails to match and the connection is refused. If the rule matches the dynamic rule set, the computer network lets the system call proceed and allows the connection. If the IP address is marked as one-time use, the computer network deletes it from the eBPF map after the match. If a one-time IP address cannot be deleted from the eBPF map, the computer network is configured to reject the system call. A hook on the exit system call may be added in the client computer to delete all rules belonging to the exiting PID.
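The decision logic shared by the two variants above (the local DNS server that installs iptables rules, and the seccomp-eBPF hooks with an eBPF map) can be modelled in one place. The Python below is an added example written for this page, not code from the patent or from the applicant. It constructs a minimal DNS answer in wire format, accepts it only if it answers a request the same client actually sent (transaction ID and hostname must both match), opens a pinhole keyed on client and destination IP whose lifetime is the answer's TTL (or an assumed 60-second default), optionally with a packet budget, marks TTL-less answers for one-time use, and removes rules on expiry, on an exhausted budget, or when the owning process exits. The class and function names, the 60-second default and the constructed addresses (RFC 5737 documentation ranges) are assumptions of the example.

```python
import struct
import time
from dataclasses import dataclass
from typing import Optional

DEFAULT_TIMEOUT = 60.0  # assumed default lifetime in seconds when the answer carries no TTL

def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg: bytes, off: int):
    """Decode the DNS name at `off`, following compression pointers; returns (name, next offset)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length

def build_response(txid: int, name: str, ip: str, ttl: int) -> bytes:
    """Constructed wire-format response with one A record; the answer name points at the question."""
    hdr = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN
    return hdr + question + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + bytes(map(int, ip.split(".")))

def parse_response(msg: bytes):
    """Return (txid, question names, [(ip, ttl), ...]) for the A records in a response."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    off, qnames, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qnames.append(name)
        off += 4  # skip QTYPE and QCLASS
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((".".join(str(b) for b in rdata), ttl))
    return txid, qnames, answers

@dataclass
class Rule:
    pid: int
    expires: float                     # claim 3: the rule is disabled once this time passes
    max_packets: Optional[int] = None  # claim 4: packet budget; 1 means one-time use
    packets: int = 0

class ExecutionUnit:
    """Dynamic rule set keyed on (client, destination IP). The clock is injectable for testing."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.pending = {}  # (client, txid) -> (hostname, pid) of requests not yet answered
        self.rules = {}    # (client, ip) -> Rule

    def on_query(self, client: str, pid: int, txid: int, hostname: str) -> None:
        self.pending[(client, txid)] = (hostname.rstrip("."), pid)

    def on_response(self, client: str, msg: bytes, max_packets: Optional[int] = None) -> list:
        """Open pinholes only for an answer to a request this client actually sent (claims 1-2)."""
        txid, qnames, answers = parse_response(msg)
        pending = self.pending.pop((client, txid), None)
        if pending is None or pending[0] not in qnames:
            return []  # unsolicited or mismatched answer: nothing is opened
        _, pid = pending
        added = []
        for ip, ttl in answers:
            limit = 1 if ttl == 0 else max_packets  # no TTL: mark one-time use, as in the hook variant
            expires = self.clock() + (ttl if ttl else DEFAULT_TIMEOUT)
            self.rules[(client, ip)] = Rule(pid, expires, limit)
            added.append(ip)
        return added

    def allow(self, client: str, pid: int, dst_ip: str) -> bool:
        """Decision for one outbound packet, or connect()/sendto(), from (client, pid) to dst_ip."""
        rule = self.rules.get((client, dst_ip))
        if rule is None:
            return False
        if self.clock() > rule.expires:
            del self.rules[(client, dst_ip)]  # timer elapsed: the rule is disabled
            return False
        if rule.pid != pid:
            return False  # the pinhole belongs to the process that resolved the name
        rule.packets += 1
        if rule.max_packets is not None and rule.packets >= rule.max_packets:
            del self.rules[(client, dst_ip)]  # budget spent, e.g. one-time use
        return True

    def on_exit(self, client: str, pid: int) -> None:
        """Exit hook: remove every rule installed for a process that has terminated."""
        self.rules = {k: r for k, r in self.rules.items() if not (k[0] == client and r.pid == pid)}
```

In a deployment the allow() decision would be taken from an NFQUEUE verdict callback or a seccomp notification rather than called directly, and on_query/on_response would be fed by the local resolver. The model keeps the per-PID check because that is the part the iptables owner match can no longer express on current kernels; it is exactly what the eBPF map keyed on IP and PID provides in the hook variant.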
A computer program product for use in a monitoring unit in a computer network is provided, wherein a client computer can be connected to one or more host devices and the monitoring unit arranged in the computer network allows or denies connections according to a dynamic rule set. The computer program product comprises computer readable code which, when run in a processor, causes the monitoring unit to perform the method described above.
The computer program product optionally includes a non-transitory memory storing computer readable code.
Fig. 6 is an illustration of an exemplary computing device 600 in which the various architectures and functions of the various previous implementations may be implemented. As shown, computing device 600 includes at least one processor 604 connected to bus 602, wherein computing device 600 may be implemented using any suitable protocol, such as peripheral component interconnect (peripheral component interconnect, PCI), PCI-Express, accelerated graphics port (accelerated graphics port, AGP), hyperTransport, or any other bus or point-to-point communication protocol. Computing device 600 also includes memory 606.
Control logic (software) and data are stored in memory 606, which may take the form of random-access memory (RAM). In this description, a single semiconductor platform may refer to a sole unitary semiconductor-based integrated circuit or chip. It should be noted that the term "single semiconductor platform" may also refer to multi-chip modules with increased connectivity that simulate on-chip operation and make substantial improvements over implementations using a conventional central processing unit (CPU) and bus. Of course, the various modules may also be placed separately or in various combinations of semiconductor platforms, depending on the needs of the user.
Computing device 600 may also include secondary memory 610. For example, secondary memory 610 includes mechanical hard disks and removable storage drives, including floppy disk drives, tape drives, compact disk drives, digital versatile disk (DVD) drives, recording devices and universal serial bus (USB) flash memory. The removable storage drive reads from and/or writes to a removable storage unit in a well known manner.
A computer program or computer control logic algorithm may be stored in at least one of memory 606 and secondary memory 610. These computer programs, when executed, enable the computing device 600 to perform the various functions as described above. Memory 606, secondary memory 610, and any other memory are possible examples of computer-readable media.
In one implementation, the architecture and functionality described in the preceding figures may be implemented in the context of processor 604, a graphics processor coupled to communications interface 612, an integrated circuit (not shown) having at least a portion of the capabilities of processor 604 and the graphics processor, or a chipset (i.e., a set of integrated circuits designed to work and be sold as a unit to perform related functions).
Furthermore, the architecture and functionality described in the various previous figures may be implemented in the context of a general computer system, a circuit board system, a game console system dedicated for entertainment purposes, an application specific system. For example, computing device 600 may take the form of a desktop computer, a laptop computer, a server, a workstation, a gaming machine, an embedded system.
In addition, computing device 600 may take the form of various other devices including, but not limited to, personal digital assistant (personal digital assistant, PDA) devices, mobile telephone devices, smartphones, televisions, and the like. Additionally, although not shown, computing device 600 may be coupled to a network (e.g., a telecommunications network, a local area network (local area network, LAN), a wireless network, a wide area network (wide area network, WAN), such as the internet, a point-to-point network, a cable network, etc.) for communication purposes via I/O interface 608.
It should be understood that the arrangement of components shown in the described figures is exemplary and that other arrangements are possible. It should also be understood that the various system components (and parts) defined by the claims, described below, and shown in the various block diagrams represent components in some systems configured in accordance with the subject matter disclosed herein. For example, one or more of these system components (and parts) may be implemented in whole or in part by at least some of the components in the arrangements shown in the described figures.
Furthermore, while at least one of these components is at least partially implemented as an electronic hardware component, and thus constitutes a machine, other components may be implemented in software, which when included in an execution environment constitutes a machine, hardware, or a combination of software and hardware.
Although the present invention and its advantages have been described in detail, it should be understood that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (15)

1. A method of supervising connections in a computer network (100, 200), characterized in that the computer network (100, 200) comprises one or more client units (202A-N), one or more host units (108A-N, 206A-N) and an execution unit (106, 306, 405), the execution unit (106, 306, 405) being for monitoring connections in the computer network (100, 200) and allowing or rejecting connections based on a dynamic rule set, the method comprising the steps of:
detecting a message from an address resolution unit (403), the message comprising an IP address;
acquiring the IP address from the message;
checking the message for transmission in response to a request from a first client unit of the one or more client units (202A-N), the IP address corresponding to a hostname specified in the request;
adding a new rule in the dynamic rule set, the new rule allowing a connection between the first client unit and the IP address only if the message is found to be responsive to the request and the IP address corresponds to the hostname.
2. The method according to claim 1, wherein the checking comprises checking that the request has been received in the execution unit (106, 306, 405) before the message.
3. A method according to claim 1 or 2, wherein the new rule comprises a time frame defining a time period during which the new rule is valid, the method comprising the step of disabling the new rule after the time period.
4. A method according to any of the preceding claims, wherein the new rule comprises a maximum number of data packets, the method comprising the step of disabling the new rule after receiving the maximum number of data packets for the connection.
5. The method according to any of the preceding claims, comprising the step of disabling said new rule upon receipt of an outbound data packet from said client computer (102, 302, 401) to said host in a firewall unit (208, 308).
6. The method according to any of the preceding claims, wherein the execution unit (106, 306, 405) is located in the firewall unit (208, 308) for monitoring the connection between the one or more client units (202A-N) and the one or more host units (108A-N, 206A-N).
7. The method according to any of the claims 1 to 5, characterized in that the execution unit (106, 306, 405) is located in the first client unit and is adapted to implement the new rule as a hook in a computer function initiating a connection with a host.
8. The method according to any one of claims 1 to 5, wherein the execution unit (106, 306, 405) is located in a local server in a local network comprising the one or more client units (202A-N).
9. A computer program product for use in a monitoring unit in a computer network (100, 200), characterized in that a client computer (102, 302, 401) is connectable to a plurality of host computers (108A-N), the monitoring unit being adapted to allow or reject connections according to a dynamic rule set, the computer program product comprising computer readable code means which, when run in a processor, will cause the monitoring unit to perform the method according to any of the preceding claims.
10. The computer program product of claim 9, comprising non-transitory storage means having computer readable code means stored therein.
11. An execution unit (106, 306, 405) for use in a computer network (100, 200), characterized in that a client computer (102, 302, 401) is connectable to a plurality of host computers (108A-N), the execution unit (106, 306, 405) being adapted to allow or deny connections according to a dynamic rule set, the execution unit (106, 306, 405) comprising a control unit (107) for performing the method according to any one of claims 1 to 8.
12. The execution unit (106, 306, 405) of claim 11, for inclusion in a firewall unit (208, 308), the firewall unit (208, 308) being configured to monitor connections between the client computer (102, 302, 401) and the one or more host units (108A-N, 206A-N), the control unit (107) being configured to perform the method of claim 6.
13. The execution unit (106, 306, 405) according to claim 11, wherein the execution unit (106, 306, 405) is for inclusion in the first client computer, the control unit (107) being for performing the method according to claim 7.
14. The execution unit (106, 306, 405) according to claim 11, wherein the execution unit (106, 306, 405) is for inclusion in a local server unit in a local network comprising the client computer, the control unit (107) being for performing the method according to claim 8.
15. A computer network (100, 200) comprising one or more client computers (202A-N), one or more host computers (108A-N, 206A-N), and a firewall unit (208, 308) for monitoring traffic between the one or more client computers (202A-N) and the one or more host computers (108A-N, 206A-N) and blocking unwanted traffic, and further comprising an execution unit (106, 306, 405) according to any of claims 11 to 14.
CN202180097210.5A 2021-04-26 2021-04-26 Method and execution unit for supervising connections in a computer network Pending CN117203942A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2021/060818 WO2022228647A1 (en) 2021-04-26 2021-04-26 Method and enforcement unit for supervising connections in a computer network

Publications (1)

Publication Number Publication Date
CN117203942A true CN117203942A (en) 2023-12-08

Family

ID=75674848

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202180097210.5A Pending CN117203942A (en) 2021-04-26 2021-04-26 Method and execution unit for supervising connections in a computer network

Country Status (2)

Country Link
CN (1) CN117203942A (en)
WO (1) WO2022228647A1 (en)

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10686753B2 (en) * 2016-07-13 2020-06-16 DNSthingy Inc. Method and router to permit or block internet protocol (IP) connectivity based on originating domain name server (DNS) requests
CA2983988A1 (en) * 2016-10-31 2018-04-30 Guest Tek Interactive Entertainment Ltd. Walled garden system with cleared ips list automatically generated from dns queries
US10951582B2 (en) * 2018-02-09 2021-03-16 Comcast Cable Communications, Llc Dynamic firewall configuration
EP3654606B1 (en) * 2018-11-15 2022-01-05 Ovh Method and data packet cleaning system for screening data packets received at a service infrastructure
US11310242B2 (en) * 2019-01-15 2022-04-19 Raytheon Bbn Technologies Corp. System and method for protecting network-facing services
US11159488B2 (en) * 2019-03-29 2021-10-26 Jpmorgan Chase Bank, N.A. Dynamic application firewalling in cloud systems

Also Published As

Publication number Publication date
WO2022228647A1 (en) 2022-11-03


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination