WO2009149516A1 - Computer network security system - Google Patents


Info

Publication number
WO2009149516A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
source
filter
rejected
downloaded
Prior art date
Application number
PCT/AU2009/000747
Other languages
French (fr)
Inventor
Geoff Rhodes
Roger Smith
David Roberts
Original Assignee
Websafe Security Pty Ltd
Priority date
Filing date
Publication date
Priority claimed from AU2008902989A
Application filed by Websafe Security Pty Ltd
Priority to AU2009257197A
Publication of WO2009149516A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/564 Static detection by virus signature recognition
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies

Definitions

  • This invention relates to computer network security systems.
  • Whilst the invention may be adapted for controlling and monitoring any suitable information provided over a distributed communications network, for convenience it shall be described herein in terms of a security system for monitoring and controlling internet access and content being distributed over the internet.
  • The internet is a tool that is used by millions of people every day. Due to differing tastes, needs and interests the information provided by the internet is varied and some of it may be considered inappropriate, distasteful or offensive to some people. As a result many different groups, ranging from parents to the management of a company, may wish to limit access to information on the internet, or even prevent access altogether. To achieve this many groups use an internet filter that restricts access to certain areas on the internet.
  • One method of internet filtering is software that can be installed directly onto a personal computer or computer network. This method provides a computer owner or network administrator with the power to identify any information that may be considered undesirable to the users of the computer or network. This method of filtering can be overcome, since a person who is in direct control of the computer or network has access to the filtering method and can change the settings without notifying another user until it may be too late.
  • ISP: Internet Service Provider
  • The present invention provides a method of monitoring the transfer of data, the method including the steps of: requesting data from a designated source; comparing data downloaded from the designated source against a first filter set of predefined requirements for safe access to reject or accept the downloaded data; determining the reason the rejected data is rejected by the first filter; for rejected data that is non-malicious, comparing the source from which the data is downloaded with the designated source and rejecting the data where the source does not match the designated source; and for data from the designated source, filtering the content according to a second filter set of predefined requirements and enabling access to the data that satisfies the second filter set of predefined requirements.
  • The present invention provides increased security by filtering and comparing downloaded data with predetermined requirements, such as applications contained within the data or embedded files, to reduce the chance that malicious data will be passed from source to source.
  • Malicious data includes, but is not limited to, data which may adversely affect a computer or computer network or which includes undesirable content, for example adult content.
  • The method can further include the steps of: for data that is malicious, comparing the malicious data with a set of known data anomalies and rejecting data which falls within the set of known data anomalies; and for data which is outside the set of known data anomalies, potentially storing the data for further investigation or passing the data to relevant authorities for relevant processing.
  • The further investigation can include determining if the data contains hidden information. For example, undesirable content can be contained within a photograph embedded in a text document.
  • The present invention also provides a system for monitoring communications between a first computer, the first computer being able to be connected to the internet, and a second computer, the system including: a monitoring device, operably interposed between the computers, comprising: means for comparing data downloaded from a source against a first filter set of predefined requirements for safe access to reject or accept the downloaded data; means for determining the reason the rejected data is rejected by the first filter; for rejected data that is non-malicious, means for comparing the source from which the data is downloaded with the designated source and rejecting the data where the source does not match the designated source; and for data from the designated source, means for filtering the content according to a second filter set of predefined requirements and enabling access to the data that satisfies the second filter set of predefined requirements.
  • The monitoring device can further include three filters.
  • A first filter for comparing data downloaded from a source against a first filter set of predefined requirements for safe access to reject or accept the downloaded data; a second filter for determining the reason the rejected data is rejected by the first filter, comparing the source from which the data is downloaded with the designated source and rejecting the data where the source does not match the designated source, and filtering the content according to a second filter set of predefined requirements and enabling access to the data that satisfies the second filter set of predefined requirements; and a third filter for analysing data payloads and determining if the data fits within certain criteria.
  • The criteria can include, but are not limited to, data encapsulated within peer to peer connections, chat or messenger traffic, or traffic that may contain hidden or disguised payloads.
  • The data is also scanned for malicious content against a set of known data anomalies and rejected if it falls within the set of known data anomalies.
  • Data anomalies may include unsigned Active-X files or photographs hidden within document files.
  • The monitoring device can include one or more storage devices for storing the data to be compared, and can also store the rejected data.
  • Each filter is associated with a separate storage device.
  • The monitoring device can also include a proxy storage server for storing data which has been filtered and is allowed to pass through the system.
  • A proxy server advantageously speeds up use of the system, as it can store data which is frequently requested by a computer.
  • The system can further include a key for connection to the client computer and transmitting a code to the monitoring device before data can be transferred between the client and the server.
  • The key can comprise erasable programmable read-only memory (EPROM) and the code can be programmed directly into the EPROM. Further, the key includes a tamper evident seal or built-in circuitry which destroys the information once the key has been opened.
  • The present invention can provide software for use with a computer including a processor and an associated memory device for storing the software, the software including a series of instructions to cause the processor to carry out a method described above.
  • The first computer and second computer can be in a client-server relationship, such as a home or office user connecting to an internet service provider (ISP).
  • ISP: internet service provider
  • The ISP can control, monitor and manage the internet or computer network system.
  • The system of the present invention can be adapted to act as an intermediary between the user and a telecommunications provider which is required to connect to an ISP.
  • The system can be adapted to act as an intermediary between the user and the internet or the like, so that all outgoing and incoming access and document filtering can be monitored to assist in safeguarding the integrity of the user's computer and data.
  • The system can be adapted to manage all traffic, including access to secure and non-secure sites. Further, the system can restrict internet access and mail through firewall rules and port restrictions which will be set and monitored by the ISP.
  • The third filter can be a steganographic filter adapted to determine if the data contains hidden information.
  • The present invention also provides a method of monitoring data communications, the method including the steps of: requesting data from a designated source; comparing data downloaded from a source against a first filter set of predefined requirements for safe access to accept, reject or further investigate the downloaded data; accepting the data if it is received from a previously identified safe source, or terminating the data if it is received from a previously known unsafe source, or further investigating the data if it is received from an unknown source by scanning the data for malicious content, accepting the data where it does not include suspicious content, or rejecting the data where it does include suspicious content; determining the reason the rejected data is rejected by the first filter set; where the rejected data is malicious, terminating the data; where the rejected data is non-malicious, comparing the source from which the data is downloaded with the designated source and terminating the data where the source does not match the designated source; and for data from the designated source, filtering the content according to a second filter set of predefined requirements and accepting the data that satisfies the second filter set of predefined requirements.
  • The present invention allows users to view legitimate websites, or any other data, which may be rejected by a conventional firewall.
  • The method and system are able to provide this flexibility by monitoring content and further investigating content which may initially look suspicious (and therefore would be rejected by a conventional firewall) but is in fact non-threatening to a computer or network of computers.
  • Figure 1 is a diagram of the system according to a preferred embodiment of the present invention.
  • Figure 2 is a detailed diagram of the system shown in Figure 1.
  • Figure 3 is a detailed diagram of the system shown in Figure 1.
  • Figure 4 is a flow chart illustrating an example method of monitoring a computer network system.
  • Figures 5a and 5b form a detailed flow chart illustrating an example method of monitoring a computer network system.
  • The present invention provides a system 100 for monitoring communications between a first server computer 50, which is connected to the internet, and a second client computer 20.
  • The system may also include a monitoring device 40, operably interposed between the client 20 and the server 50, which includes means, in the form of alpha filter 41, for comparing data downloaded from a source against a first filter set of predefined requirements for safe access to reject or accept the downloaded data, and means, in the form of delta filter 42, for determining the reason the rejected data is rejected by the alpha filter 41. If the rejected data is non-malicious, the source from which the data is downloaded is compared at step 150 with the designated source at step 120, and the data is rejected where the source does not match the designated source at step 155.
  • The present invention also provides a method as shown in Figure 4.
  • The method includes requesting data from a designated source at step 500 and comparing data downloaded from a source against a first filter set of predefined requirements at step 501. If the data meets the requirements, it is accepted at step 502, but if not it is initially rejected at step 503.
  • The reason for rejecting the data is determined by testing, at step 505, whether the data was downloaded from the requested source. If the data was not downloaded from the requested source, it is rejected at step 507. If the data is from the requested source, it is further analysed at step 506 to determine if it meets a second set of requirements. If the data meets the second set of requirements, access to it is enabled at step 508; otherwise it is rejected.
  • An internet service provider 50 is adapted to provide a means for controlling, monitoring and managing the internet and computer network security system and providing third party protection for at least one user.
  • The user may preferably be an individual or business user wanting to protect their computer and data.
  • The service provider is adapted to provide protection for the user's computer away from the user, so that the protection in place cannot be seen or circumvented by skilled users.
  • The system 100 acts as an intermediary between the user 20 and a telecommunications provider 25 which is required to connect to an ISP 50.
  • The system can be adapted to act as an intermediary between the user and the internet or the like, so that all outgoing and incoming access and document filtering can be monitored to assist in safeguarding the integrity of the user's computer and data.
  • The system has a proxy storage server 130.
  • The server is adapted to receive and store information from the internet prior to it being directed through to the user's computer.
  • The server is a cache server which is only adapted to contain filtered and clean internet information after it has been passed through a filtering system, to ensure that access to the internet is not unduly slowed. Thus, a clean feed of information is passed from the server to the user's computer.
  • Additional security software may be operated on a separate server to provide real time tracking of events and logs to maintain the integrity of the system.
  • The invention preferably provides a monitoring device 40 which is adapted to monitor and control access to the internet.
  • The monitoring device utilises a DSLAM connection 46 and is adapted to manage all traffic, including access to secure and non-secure sites. It is envisaged that automatic direct access will be provided to secure sites (VPN, RDP) such as Government or education sites. All other internet access and mail will be restricted through firewall rules and port restrictions which will be set and monitored by the service provider. All non-allocated ports will preferably be closed down to prevent unauthorised access or hacking, and all required ports will be redirected.
  • The monitoring device 40 reviews what access is required and permits or denies access with the correct restrictions. Access may include, but is not limited to, the following:
  • VPN Access: full access to the internet through port 1723, GRE and UDP 500 to anywhere on the internet; requires access with username and password.
  • RDP Access: full access to port 3389 with username and password.
  • POP3 Access: incoming mail checked for SPAM and viruses.
  • SMTP Access: outgoing mail checked for viruses and spam; anything over a defined threshold is restricted, ensuring user computers are not zombies or part of a botnet.
  • Other Requested Ports: access to any other port that may need to be accessed, such as FTP, IMAP, game ports, SSH and other approved ports or the like.
  • HTTP/HTTPS: access provided with filtration process.
  • IM/Chat: will be scanned to determine if the conversation is safe, and the connection dropped upon detection of a bad conversation/connection.
  • HTTP Access: any content provided through the generic internet access (HTTP Access) and mail will be required to undergo a filtration process, with the exception of HTTPS, VPN and RDP access, where there is no change in data.
  • An inbound firewall may also be provided which is adapted to only allow designated ports back, as required, and also to only allow these ports to flow back into the network if they are concurrent and connected. The connection must be established from the inside to allow for the return traffic back in. It is envisaged that remote management from the WebSafe portal with a firewall and switch equipment may also be provided to allow connection to elements of the system for provisioning and fault resolution.
  • Figure 2 illustrates the invention having a tiered filtering system.
  • The filtering system is a three-tiered filtering system for all internet traffic accessible using internet browsing programs such as Internet Explorer and Firefox or the like.
  • The filtering system provides a managed connection to the internet through a closed, monitored system that utilises multiple filters.
  • Each filter is provided with a bank of servers which can be scaled to allow potentially hundreds and millions of connections.
  • Each filter is designed to filter items including, but not limited to, inappropriate content, illegal ports, malicious code, phishing scams, SPAM, Active X or the like.
  • Each filter is provided with a deleted storage area 30, which is a designated deletion area for storing the deleted items so that only the filtered content is allowed through. Using the filtering system of the invention, no access will be allowed on unregulated ports. As a result, the system provides a cleaner pipe for access to the internet.
  • A first filter is an alpha filter 41.
  • The alpha filter 41 is designed to check the source to which a user is being directed.
  • The alpha filter 41 preferably has black and white list restrictions to indicate the content which should be allowed or discarded as it passes through each filter.
  • The black list 125 contains a list of sources known to contain malicious data or inappropriate content.
  • The white list contains a list of desirable sources. The white list is able to have sources added or removed.
  • The source will initially be checked against the white list for approval and initial scanning.
  • The black list 125 is further utilised to determine if the source is banned, in which case the connection will be dropped. Where the source is not on the black list, the system will check at step 126 if the source has been downloaded before. If the source has previously been downloaded, the system will check and retrieve the source from the cache server at step 127 and replace the dynamic source with new information.
  • Where the source has not been previously downloaded, it will be downloaded and stored in a 'sandpit' 128.
  • The sandpit is a temporary disc storage area. Content in the 'sandpit' 128 which is not on the white list will be scanned at step 134 for source, Active X and malicious code, and on approval will be passed to the cache 130 for storage if requirements are met, or to the delta filter 42 and/or steg filter 43 if requirements are not met and the data is not clean.
  • A second filter is a delta filter 42.
  • The delta filter 42 is adapted to review content which has not passed the initial predefined requirements, that is, the data contained applications or other undesirable code.
  • The delta filter 42 determines what triggered the alarm 136. Possible alarm triggers may include, but are not limited to, Active X, zombie / botnet or phishing attacks or the like. Where the alarm trigger is malicious code or a poisoned source 137, the content will be passed directly to the steg filter 43. Otherwise, the source will then be checked at step 150 to see if it is the same as the user requested. If the source is as requested and the content is clean, the request will be processed 170. Clean data is passed to the cache 130 server for storage or, alternatively, passed to the steg filter 43 if it is suspicious. If the source is incorrect, because a user has been redirected to a different webpage, or if the content is determined to be undesirable 155, the source will be deemed dangerous and the information will be dropped and not passed on to the user.
  • A third filter is a steganographic filter 43.
  • The steg filter 43 is adapted to provide the highest level of security and management for content which has an anomaly and does not pass predefined requirements after filtering by the alpha 41 and delta 42 filters. If the anomaly is not noteworthy at step 141, the information will be dropped immediately and reported to the client as a dangerous source at step 142. Alternatively, the anomaly will be documented at step 143 prior to the information being dropped. If the anomaly is noteworthy it is scanned and reported to a high tech crime unit if the access is illegal or immoral.
  • At step 178, data that is received by the steganographic filter 43 is analysed to determine if the data is traffic from a peer-to-peer connection.
  • At step 179, the data from that traffic is compared with a database of allowed applications and data streams. If the data is safe it is passed to the cache 130.
  • The user's computer may also be protected by anti-virus and anti-spam software to provide an additional layer of protection for incoming content and to ensure that outgoing content will not be corrupt and refused by, or affect the integrity of, the present system.
  • The steganographic filter 43 may not be employed at all times, only handling information that is presented to it that did not meet the rule sets of the first two layers 41, 42 of filtering. Alternatively, the steganographic filter 43 would be employed for certain situations, such as embedded content within embedded content within a standard application content payload (a JPEG within a JPEG within a Word document).
  • Although the third filter handles information that is passed to it from the second filter, it has a larger role in the filter system: to track and manage peer to peer traffic.
  • This filter is designed to monitor peer to peer traffic, to pass only traffic that does not fit the designated filtering criteria, and to remove traffic that has a destructive payload.
  • The system may be enhanced by including a key.
  • The key is a hardware device provided to the user in the form of a USB connection. It is installed by communicating with the user's internet service. The key has a code built into the device, which is then transmitted to the monitoring device. The monitoring device will only allow internet traffic to be transmitted to the user after the presence of the key has been detected and the code held within the key has been received and accepted.
  • The key is designed to be transportable, hence the user can unplug the key, take it to another internet connection and connect to the monitoring device. This would allow the user to travel and connect to the internet in a secure fashion from different locations.
  • The key includes EPROM technology and the code is programmed into the EPROM.
  • The key is protected from tampering by the use of two methods: the first is the use of tamper evident seals to show if tampering has occurred, and the second is the use of built-in circuitry that would destroy the information held in the EPROM in the event the key is physically opened.
  • The method of the present invention may also be implemented on a cut-down proprietary operating system that is loaded from flash ROM technology within a stand-alone unit.
  • The unit can provide full connectivity to the internet but can reduce some of the normal problems and security issues that are involved in operating a normal PC.
  • The unit is designed to allow people who are not familiar or comfortable using traditional PC equipment to access the internet without the concerns of downloading material they were not intending to, or of having the PC infected by malicious software.
  • The unit is also designed to allow parents who understand PC technology to provide this unit as a controlled and safe appliance for young children to access the internet.
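The port rules listed for monitoring device 40 (VPN on port 1723, GRE and UDP 500 with credentials, RDP on 3389 with credentials, mail scanned with an SMTP threshold, non-allocated ports closed, and inbound traffic admitted only for connections established from the inside) can be expressed as a small stateful policy. The following is an added illustration, not code from the patent or from Websafe Security; the rule table, the `Flow` record, the SMTP threshold and the host addresses are constructed for the example, and the standard ports for POP3, SMTP, HTTP, FTP, IMAP and SSH are assumed where the text names only the service.

```python
"""Stateful port policy modelled on the access rules of monitoring device 40.
Added example; rule table, Flow type and sample addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# (protocol, destination port) -> (service, action, credentials required).
# 1723/GRE/UDP 500 and 3389 are named in the text; the others are the
# standard ports for the services it lists.  GRE has no port, so 0 is used.
RULES = {
    ("tcp", 1723): ("vpn", "allow", True),
    ("gre", 0):    ("vpn", "allow", True),
    ("udp", 500):  ("vpn", "allow", True),
    ("tcp", 3389): ("rdp", "allow", True),
    ("tcp", 110):  ("pop3", "scan", False),    # incoming mail checked for spam/viruses
    ("tcp", 25):   ("smtp", "scan", False),    # outgoing mail, rate threshold applies
    ("tcp", 80):   ("http", "filter", False),  # goes through the filtration process
    ("tcp", 443):  ("https", "allow", False),  # passed with no change in data
    ("tcp", 21):   ("ftp", "allow", False),
    ("tcp", 143):  ("imap", "allow", False),
    ("tcp", 22):   ("ssh", "allow", False),
}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    direction: str            # "out" leaves the user network, "in" arrives from the internet
    authenticated: bool = False


class PortPolicy:
    def __init__(self, smtp_threshold: int = 100):
        # Connections established from inside: (proto, inside host, outside host, outside port)
        self.established: Set[Tuple[str, str, str, int]] = set()
        self.smtp_count: Dict[str, int] = {}
        self.smtp_threshold = smtp_threshold

    def decide(self, f: Flow) -> str:
        if f.direction == "in":
            return self._inbound(f)
        rule = RULES.get((f.proto, 0 if f.proto == "gre" else f.dport))
        if rule is None:
            return "deny: non-allocated port closed"
        service, action, needs_auth = rule
        if needs_auth and not f.authenticated:
            return f"deny: {service} requires username and password"
        if service == "smtp":
            n = self.smtp_count.get(f.src, 0) + 1
            self.smtp_count[f.src] = n
            if n > self.smtp_threshold:
                return "deny: smtp over threshold (possible zombie/bot)"
        self.established.add((f.proto, f.src, f.dst, f.dport))
        return f"{action}: {service}"

    def _inbound(self, f: Flow) -> str:
        # Return traffic only: the outside host must be answering on the port the
        # inside host opened, otherwise the inbound firewall keeps the port closed.
        if (f.proto, f.dst, f.src, f.sport) in self.established:
            return "allow: return traffic for established connection"
        return "deny: no matching connection established from inside"

    def close(self, f: Flow) -> None:
        self.established.discard((f.proto, f.src, f.dst, f.dport))


def demo() -> list:
    """Constructed sequence of flows between an inside host and an outside host."""
    p = PortPolicy(smtp_threshold=2)
    inside, outside = "10.0.0.5", "203.0.113.9"
    return [
        p.decide(Flow("tcp", inside, outside, 51000, 3389, "out")),            # no credentials
        p.decide(Flow("tcp", inside, outside, 51000, 3389, "out", True)),      # RDP allowed
        p.decide(Flow("tcp", outside, inside, 3389, 51000, "in")),             # reply admitted
        p.decide(Flow("tcp", outside, inside, 22, 51001, "in")),               # unsolicited
        p.decide(Flow("tcp", inside, outside, 51002, 6667, "out")),            # closed port
        p.decide(Flow("tcp", inside, outside, 51003, 25, "out")),
        p.decide(Flow("tcp", inside, outside, 51004, 25, "out")),
        p.decide(Flow("tcp", inside, outside, 51005, 25, "out")),              # over threshold
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The state table is keyed by the outside endpoint and port so that an inbound packet is only admitted when it is the reply to a connection the inside host opened; unsolicited inbound traffic on an otherwise allowed port is still refused, which is the "must be established from the inside" rule in the text.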

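The steganographic filter 43 is described as handling embedded content within embedded content (a JPEG within a JPEG within a Word document) and photographs hidden within document files. One concrete check a defender can run is a scan of a payload for file signatures that appear inside another file, together with the nesting depth of JPEG start/end markers. The code below is an added illustration, not the patent's or Websafe Security's; the signature table, the noteworthiness rule and the sample payloads are constructed for the example.

```python
"""Nested file-signature scan for the steganographic filter stage.
Added example; signature table, decision rule and sample payloads are constructed."""
from typing import Dict, List, Tuple

# Well-known magic bytes.  Office .docx/.xlsx files are ZIP containers.
SIGNATURES = [
    ("zip/office", b"PK\x03\x04"),
    ("jpeg", b"\xff\xd8\xff"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("pdf", b"%PDF-"),
]
JPEG_SOI = b"\xff\xd8\xff"   # start of image
JPEG_EOI = b"\xff\xd9"       # end of image
CONTAINERS = {"zip/office", "pdf"}   # formats in which an embedded image is ordinary


def outer_type(payload: bytes) -> str:
    for name, magic in SIGNATURES:
        if payload.startswith(magic):
            return name
    return "unknown"


def find_embedded(payload: bytes) -> List[Tuple[int, str]]:
    """Every signature found after offset 0, i.e. a file carried inside this one."""
    hits = []
    for name, magic in SIGNATURES:
        pos = payload.find(magic, 1)
        while pos != -1:
            hits.append((pos, name))
            pos = payload.find(magic, pos + 1)
    return sorted(hits)


def jpeg_max_depth(payload: bytes) -> int:
    """Walk SOI/EOI markers; depth 2 means a JPEG starts before an earlier one ends.
    Coarse by design: EXIF thumbnails also nest, so depth >= 2 is a reason to
    investigate further, not proof of hidden content."""
    depth = max_depth = i = 0
    while i < len(payload) - 1:
        if payload.startswith(JPEG_SOI, i):
            depth += 1
            max_depth = max(max_depth, depth)
            i += len(JPEG_SOI)
        elif payload.startswith(JPEG_EOI, i):
            depth = max(depth - 1, 0)
            i += len(JPEG_EOI)
        else:
            i += 1
    return max_depth


def assess(payload: bytes) -> Dict[str, object]:
    """Flag a payload as a noteworthy anomaly (the step 143 'document' path) when a
    JPEG is nested inside another JPEG, or when a non-container carries another file."""
    outer = outer_type(payload)
    embedded = find_embedded(payload)
    depth = jpeg_max_depth(payload)
    noteworthy = depth >= 2 or (outer not in CONTAINERS and bool(embedded))
    return {"outer": outer, "embedded": embedded, "jpeg_depth": depth, "noteworthy": noteworthy}


# Constructed payloads: a minimal JPEG, a JPEG that wraps it, and a .docx-like
# ZIP that carries the wrapped image under word/media/.
INNER_JPEG = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF" + b"\x00" * 8 + JPEG_EOI
OUTER_JPEG = b"\xff\xd8\xff\xe1" + b"\x00\x20Exif" + INNER_JPEG + JPEG_EOI
SAMPLE_DOCX = b"PK\x03\x04" + b"word/media/image1.jpg" + OUTER_JPEG + b"PK\x05\x06"
PLAIN_DOCX = b"PK\x03\x04" + b"word/media/image1.jpg" + INNER_JPEG + b"PK\x05\x06"

if __name__ == "__main__":
    for label, data in (("plain docx", PLAIN_DOCX), ("docx with nested jpeg", SAMPLE_DOCX)):
        print(label, assess(data))
```

A single image inside a document is ordinary and is not flagged; the same document carrying a JPEG inside a JPEG, or an image file that itself carries a ZIP or PDF, is routed to the "document the anomaly" path rather than silently dropped, which matches the distinction the text draws between noteworthy and non-noteworthy anomalies.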
Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

A method of monitoring the transfer of data, the method including the steps of: requesting data from a designated source (500); comparing data downloaded from a source against a first filter set of predefined requirements for safe access to reject or accept the downloaded data (501); determining the reason the rejected data is rejected by the first filter (504); for rejected data that is non-malicious, comparing the source from which the data is downloaded with the designated source and rejecting the data where the source does not match the designated source (505); and for data from the designated source, filtering the content according to a further filter set of predefined requirements and enabling access to the data that satisfies the further filter set of predefined requirements (506).

Description

COMPUTER NETWORK SECURITY SYSTEM
Field of the Invention
This invention relates to computer network security systems.
Whilst the invention may be adapted for controlling and monitoring any suitable information provided over a distributed communications network, for convenience it shall be described herein in terms of a security system for monitoring and controlling internet access and content being distributed over the internet.
Background to the Invention
The internet is a tool that is used by millions of people every day. Due to differing tastes, needs and interests the information provided by the internet is varied and some of it may be considered inappropriate, distasteful or offensive to some people. As a result many different groups ranging from parents to the management of a company may wish to limit access to information on the internet, or even prevent access altogether. To achieve this many groups use an internet filter that restricts access to certain areas on the internet.
One method of internet filtering is software that can be installed directly onto a personal computer or computer network. This method provides a computer owner or network administrator with the power to identify any information that may be considered undesirable to the users of the computer or network. This method of filtering can be overcome, since a person who is in direct control of the computer or network has access to the filtering method and can change the settings without notifying another user until it may be too late.
Another method used is internet filtering that is controlled by the user's Internet Service Provider (ISP). Although this method is not software directly loaded onto the computer or network, it is still within the control of a person who is directly in control of the computer or network, hence similar problems can arise relating to the ease with which the filtering can be overcome.
Accordingly, it is an object of the present invention to overcome or ameliorate one or more of the disadvantages of the prior art by providing a computer network security system.
Summary of the Invention
In one embodiment, the present invention provides a method of monitoring the transfer of data, the method including the steps of: requesting data from a designated source; comparing data downloaded from the designated source against a first filter set of predefined requirements for safe access to reject or accept the downloaded data; determining the reason the rejected data is rejected by the first filter; for rejected data that is non-malicious, comparing the source from which the data is downloaded with the designated source and rejecting the data where the source does not match the designated source; and for data from the designated source, filtering the content according to a second filter set of predefined requirements and enabling access to the data that satisfies the second filter set of predefined requirements.
The present invention provides increased security by filtering and comparing downloaded data with predetermined requirements such as applications contained within the data or embedded files to reduce the chance that malicious data will be passed from source to source. Malicious data includes, but is not limited to, data which may adversely affect a computer or computer network or includes undesirable content, for example adult content.
The method can further include the steps of: for data that is malicious, comparing the malicious data with a set of known data anomalies and rejecting data which falls within the set of known data anomalies; and for data which is outside the set of known data anomalies, potentially storing the data for further investigation or passing the data to relevant authorities for relevant processing. The further investigation can include determining if the data contains hidden information. For example, undesirable content can be contained within a photograph embedded in a text document.
The present invention also provides a system for monitoring communications between a first computer, the first computer being able to be connected to the internet, and a second computer, the system including: a monitoring device, operably interposed between the computers, comprising: means for comparing data downloaded from a source against a first filter set of predefined requirements for safe access to reject or accept the downloaded data; means for determining the reason the rejected data is rejected by the first filter; for rejected data that is non-malicious, means for comparing the source from which the data is downloaded with the designated source and rejecting the data where the source does not match the designated source; and for data from the designated source, means for filtering the content according to a second filter set of predefined requirements and enabling access to the data that satisfies the second filter set of predefined requirements.
The monitoring device can further include three filters: a first filter for comparing data downloaded from a source against a first filter set of predefined requirements for safe access to reject or accept the downloaded data; a second filter for determining the reason the rejected data is rejected by the first filter, comparing the source from which the data is downloaded with the designated source and rejecting the data where the source does not match the designated source, and filtering the content according to a second filter set of predefined requirements and enabling access to the data that satisfies the second filter set of predefined requirements; and a third filter for analysing data payloads and determining if the data fits within certain criteria. The criteria can include, but are not limited to, data encapsulated within peer to peer connections, chat or messenger traffic, or traffic that may contain hidden or disguised payloads. The data is also scanned for malicious content against a set of known data anomalies and rejected if it falls within the set of known data anomalies. Data anomalies may include unsigned ActiveX files or photographs hidden within document files.
The monitoring device can include one or more storage devices for storing the data to be compared and can also store the rejected data. Preferably, each filter is associated with a separate storage device.
The monitoring device can also include a proxy storage server for storing data which has been filtered and is allowed to pass through the system. The use of a proxy server advantageously speeds up use of the system, as it can store data which is frequently requested by a computer. The system can further include a key for connection to the client computer and transmitting a code to the monitoring device before data can be transferred between the client and the server. The key can comprise erasable programmable read-only memory (EPROM) and the code can be programmed directly into the EPROM. Further, the key includes a tamper evident seal or built-in circuitry which destroys the information once the key has been opened.
In another embodiment, the present invention can provide software for use with a computer including a processor and an associated memory device for storing the software, the software including a series of instructions to cause the processor to carry out a method described above.
The first computer and second computer can be a client-server relationship, such as a home or office user connecting to an internet service provider (ISP). The ISP can control, monitor and manage the internet or computer network system.
The system of the present invention can be adapted to act as an intermediary between the user and a telecommunications provider which is required to connect to an ISP. Similarly the system can be adapted to act as an intermediary between the user and the internet or the like so that all outgoing and incoming access and document filtering can be monitored to assist in safeguarding the integrity of the user's computer and data.
The system can be adapted to manage all traffic, including access to secure and non-secure sites. Further, the system can restrict internet access and mail through firewall rules and port restrictions which will be set and monitored by the ISP.
The third filter can be a steganographic filter adapted to determine if the data contains hidden information.
The present invention also provides a method of monitoring data communications, the method including the steps of: requesting data from a designated source; comparing data downloaded from a source against a first filter set of predefined requirements for safe access to accept, reject or further investigate the downloaded data; accepting the data if it is received from a previously identified safe source, or terminating the data if it is received from a previously known unsafe source, or further investigating the data if it is received from an unknown source by scanning the data for malicious content; where the data does not include suspicious content, accepting the data, or where the data does include suspicious content, rejecting the data and determining the reason the rejected data is rejected by the first filter set; where the rejected data is malicious, terminating the data; where the rejected data is non-malicious, comparing the source from which the data is downloaded with the designated source and terminating the data where the source does not match the designated source; and for data from the designated source, filtering the content according to a second filter set of predefined requirements and accepting the data that satisfies the second filter set of predefined requirements.
The present invention allows users to view legitimate websites, or any other data, which may be rejected by a conventional firewall. The method and system are able to provide this flexibility by monitoring content and further investigating content which may initially look suspicious (and therefore would be rejected by a conventional firewall) but is in fact non-threatening to a computer or network of computers.
Brief Description of the Drawing Figures
In order that the invention may be more readily understood, we will describe, by way of non-limiting example, a specific embodiment thereof.
Figure 1 is a diagram of the system according to a preferred embodiment of the present invention.
Figure 2 is a detailed diagram of the system shown in Figure 1.
Figure 3 is a detailed diagram of the system shown in Figure 1.
Figure 4 is a flow chart illustrating an example method of monitoring a computer network system.
Figures 5a and 5b form a detailed flow chart illustrating an example method of monitoring a computer network system.
Description of an Embodiment of the Invention
The present invention provides a system 100 for monitoring communications between a first server computer 50, which is connected to the internet, and a second client computer 20. The system may also include a monitoring device 40, operably interposed between the client 20 and the server 50, which includes means, in the form of alpha filter 41, for comparing data downloaded from a source against a first filter set of predefined requirements for safe access to reject or accept the downloaded data, and means, in the form of delta filter 42, for determining the reason the rejected data is rejected by the alpha filter 41. If the rejected data is non-malicious, the source from which the data is downloaded is compared at step 150 with the designated source at step 120, and the data is rejected at step 155 where the source does not match the designated source. If the data is from the designated source 120, the content is filtered at step 160 according to a second filter set of predefined requirements and access is enabled at step 170 to the data that satisfies the second filter set of predefined requirements. It is envisaged that the features and functionality of the security system and/or its components may be varied to suit different information content, network systems and/or other applications.
The present invention also provides a method as shown in Figure 4. The method includes requesting data from a designated source at step 500 and comparing data downloaded from a source against a first filter set of predefined requirements at step 501. If the data meets the requirements, it is accepted at step 502, but if not it is initially rejected at step 503. At step 504, the reason for rejecting the data is determined by testing, at step 505, if the data is downloaded from the requested source. If the data was not downloaded from the requested source, it is rejected at step 507. If the data is from the requested source, it is further analysed at step 506 to determine if it meets a second set of requirements. If the data meets the second set of requirements, access to it is enabled at step 508; otherwise it is rejected.
An internet service provider 50 is adapted to provide a means for controlling, monitoring and managing the internet and computer network security system and providing third party protection for at least one user. The user may preferably be an individual or business user wanting to protect their computer and data. The service provider is adapted to provide protection for the user's computer away from the user, so that it cannot be seen what protection is in place, nor circumvented by skilled users. The system 100 acts as an intermediary between the user 20 and a telecommunications provider 25 which is required to connect to an ISP 50. Similarly, the system can be adapted to act as an intermediary between the user and the internet or the like so that all outgoing and incoming access and document filtering can be monitored to assist in safeguarding the integrity of the user's computer and data.
The system has a proxy storage server 130. The server is adapted to receive and store information from the internet prior to being directed through to the user's computer. The server is a cache server which is only adapted to contain filtered and clean internet information after it has been passed through a filtering system to ensure that access to the internet is not unduly slowed. Thus, a clean feed of information is passed from the server to the user's computer. Additional security software may be operated on a separate server to provide real time tracking of events and logs to maintain the integrity of the system.
The invention preferably provides a monitoring device 40 which is adapted to monitor and control access to the internet. The monitoring device utilises a DSLAM connection 46 and is adapted to manage all traffic, including access to secure and non-secure sites. It is envisaged that automatic direct access will be provided to secure sites (VPN, RDP) such as Government or education sites. All other internet access and mail will be restricted through firewall rules and port restrictions which will be set and monitored by the service provider. All non-allocated ports will preferably be closed down to prevent unauthorised access or hacking, and all required ports will be redirected. The monitoring device 40 reviews what access is required and permits or denies access with the correct restrictions. Access may include, but is not limited to, the following:
- VPN Access - full access to the internet through port 1723, GRE and UDP 500 to anywhere on the internet; requires access with username and password.
- RDP Access - full access to port 3389 with username and password.
- POP3 Access - incoming mail checked for SPAM and viruses.
- SMTP Access - outgoing mail checked for viruses and spam; anything over a defined threshold is restricted, so that user computers are not zombies or part of a botnet.
- Other Requested Ports - access to any other port that may need to be accessed, such as FTP, IMAP, game ports, SSH and other approved ports or the like.
- HTTP/HTTPS - access provided with the filtration process.
- IM/Chat - scanned to determine if the conversation is safe; the connection is dropped upon detection of a bad conversation/connection.
Any content provided through the generic internet access (HTTP Access) and mail will be required to undergo a filtration process, with the exception of HTTPS, VPN and RDP access where there is no change in data. It is envisaged that an inbound firewall may also be provided which is adapted to only allow designated ports back, as required, and also to only allow these ports to flow back into the network if they are concurrent and connected. The connection must be established from the inside to allow for the return traffic back in. It is envisaged that remote management from the WebSafe portal, with firewall and switch equipment, may also be provided to allow connection to elements of the system for provisioning and fault resolution.
Figure 2 illustrates the invention having a tiered filtering system. The filtering system is a three-tiered filtering system for all internet traffic accessible using internet browsing programs such as Internet Explorer and Firefox or the like. The filtering system provides a managed connection to the internet through a closed, monitored system that utilises multiple filters. Each filter is provided with a bank of servers which can be scaled to allow potentially hundreds and millions of connections. Each filter is designed to filter items including, but not limited to, inappropriate content, illegal ports, malicious code, phishing scams, SPAM, ActiveX or the like. Each filter is provided with a deleted storage area 30, which is a designated deletion area for storing the deleted items so that only the filtered content is allowed through. Using the filtering system of the invention, no access will be allowed on unregulated ports. As a result, the system provides a cleaner pipe for access to the internet.
A first filter is an alpha filter 41. The alpha filter 41 is designed to check the source to which a user is being directed. The alpha filter 41 preferably has black and white list restrictions to indicate the content which should be allowed or discarded as it passes through each filter. The black list 125 contains a list of sources known to contain malicious data or inappropriate content. The white list contains a list of desirable sources. The white list is able to have sources added or removed.
The source will initially be checked against the white list for approval and initial scanning. A black list 125 is further utilized to determine if it is banned, in which case the connection will be dropped. Where the source is not on the black list the system will check at step 126 if the source has been downloaded before. If the source has previously been downloaded, the system will check and retrieve the source from the cache server at step 127 and replace the dynamic source with new information.
Where the source has not been previously downloaded, it will be downloaded and stored in a 'sandpit' 128. The sandpit is a temporary disc storage area. Content in the 'sandpit' 128 which is not on the white list will be scanned at step 134 for source, ActiveX and malicious code and, on approval, will be passed to the cache 130 for storage if the requirements are met, or to the delta filter 42 and/or steg filter 43 if the requirements are not met and the data is not clean.
A second filter is a delta filter 42. The delta filter 42 is adapted to review content which has not passed the initial predefined requirements, that is, data that contained applications or other undesirable code. The delta filter 42 determines what triggered the alarm 136. Possible alarm triggers may include, but are not limited to, ActiveX, zombie / bot net or phishing attacks or the like. Where the alarm trigger is malicious code or a poisoned source 137, the content will be passed directly to the steg filter 43. Otherwise, the source will then be checked at step 150 to see if it is the same as the user requested. If the source is as requested and the content is clean, the request will be processed 170. Clean data is passed to the cache 130 server for storage or, alternatively, passed to the steg filter 43 if it is suspicious. If the source is incorrect, because a user has been redirected to a different webpage, or if the content is determined to be undesirable 155, the source will be deemed dangerous and the information will be dropped and not passed on to the user.
A third filter is a steganographic filter 43. The steg filter 43 is adapted to provide the highest level of security and management for content which has an anomaly and does not pass the predefined requirements after filtering by the alpha 41 and delta 42 filters. If the anomaly is not noteworthy at step 141, the information will be dropped immediately and reported to the client as a dangerous source at step 142. Alternatively, the anomaly will be documented at step 143 prior to the information being dropped. If the anomaly is noteworthy, it is scanned and reported to a high tech crime unit if the access is illegal or immoral.
At step 178, data that is received by the steganographic filter 43 is analysed to determine if the data is traffic from a peer-to-peer connection. At step 179, the data from that traffic is compared with a database of allowed applications and data streams. If the data is safe, it is passed to the cache 130.
It is envisaged that the user's computer may also be protected by anti-virus and anti-spam software to provide an additional layer of protection for incoming content and to ensure that outgoing content will not be corrupt and refused by, or affect the integrity of, the present system.
The steganographic filter 43 may not be employed at all times, only handling information that is presented to it that did not meet the rule sets of the first two layers 41, 42 of filtering. Alternatively, the steganographic filter 43 would be employed for certain situations, such as embedded content within embedded content within a standard application content payload (a JPEG within a JPEG within a Word document)...
Although the third filter handles information that is passed to it from the second filter, it has a larger role in the filter system: to track and manage peer to peer traffic. This filter is designed to monitor peer to peer traffic, to pass only traffic that does not fit the designated filtering criteria, and to remove traffic that has a destructive payload.
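The three-tier flow described above (the Figure 4 steps, the alpha filter's list checks and sandpit scan, the delta filter's comparison of the actual source with the requested source, and the steg filter's peer-to-peer and anomaly handling), rendered as an added Python model. This is illustrative code written for this page, not code from the patent or from Websafe Security; the list contents, byte markers, `Download`/`Decision` records and function names are all assumptions.

```python
"""Three-tier download filter modelled on the patent's alpha / delta / steg pipeline. Added
illustration, not the patent's or Websafe Security's code; all names, list entries and markers are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlparse

class Verdict(Enum):
    ACCEPT = "accept"            # passed to the proxy cache and on to the user
    REJECT = "reject"            # dropped into the deletion area
    INVESTIGATE = "investigate"  # handed to the next filter tier
@dataclass
class Download:
    requested_url: str           # designated source the user asked for (step 500)
    actual_url: str              # source the bytes actually came from, after redirects
    content_type: str
    body: bytes
    peer_to_peer: bool = False
    p2p_stream: str = ""         # application / stream name for peer-to-peer traffic
@dataclass
class Decision:
    verdict: Verdict
    stage: str                   # "alpha", "delta" or "steg": tier that made the final call
    reason: str
    triggers: list[str] = field(default_factory=list)

# Constructed list contents and byte markers, standing in for operator-managed lists and real scanners.
BLACK_LIST = {"malware.example"}
WHITE_LIST = {"gov.example", "edu.example"}
MALICIOUS_TRIGGERS = {"phishing"}                 # "poisoned source" alarm triggers
KNOWN_ANOMALIES = {"embedded-image-in-document"}  # anomalies documented by the steg tier
ALLOWED_P2P_STREAMS = {"approved-sync-app"}
ACTIVEX_MARKER = b'<object classid="clsid:'
PHISHING_MARKER = b"verify your account"
JPEG_SOI = b"\xff\xd8\xff"
CACHE: dict[str, bytes] = {}                      # proxy storage server 130
ANOMALY_LOG: list[tuple[str, list[str]]] = []     # anomalies documented at step 143

def host_of(url: str) -> str:
    return urlparse(url).hostname or ""

def scan_for_triggers(d: Download) -> list[str]:
    """Sandpit scan (step 134): every alarm trigger found in the content, empty if clean."""
    triggers = []
    if ACTIVEX_MARKER in d.body:
        triggers.append("active-x")
    if PHISHING_MARKER in d.body.lower():
        triggers.append("phishing")
    if d.content_type.startswith("application/") and JPEG_SOI in d.body:
        triggers.append("embedded-image-in-document")   # image hidden inside a document
    return triggers

def alpha_filter(d: Download) -> Decision:
    """First tier: black / white list check, then a scan of unlisted content."""
    host = host_of(d.actual_url)
    if host in BLACK_LIST:       # banned source: connection dropped, nothing to investigate
        return Decision(Verdict.REJECT, "alpha", "black-listed source")
    if host in WHITE_LIST:       # approved source: not scanned further
        return Decision(Verdict.ACCEPT, "alpha", "white-listed source")
    triggers = scan_for_triggers(d)
    if not triggers:
        return Decision(Verdict.ACCEPT, "alpha", "first filter set satisfied")
    return Decision(Verdict.INVESTIGATE, "alpha", "content triggered alarm", triggers)

def delta_filter(d: Download, triggers: list[str]) -> Decision:
    """Second tier: what triggered the alarm, and did the data come from the designated source?"""
    if set(triggers) & MALICIOUS_TRIGGERS:   # malicious code or poisoned source (137)
        return Decision(Verdict.INVESTIGATE, "delta", "malicious trigger", triggers)
    if host_of(d.actual_url) != host_of(d.requested_url):   # silent redirect (step 155)
        return Decision(Verdict.REJECT, "delta", "source does not match designated source", triggers)
    if set(triggers) & KNOWN_ANOMALIES:      # second filter set (step 160): no hidden payloads
        return Decision(Verdict.INVESTIGATE, "delta", "data anomaly", triggers)
    return Decision(Verdict.ACCEPT, "delta", "designated source, second filter set satisfied", triggers)

def steg_filter(d: Download, triggers: list[str]) -> Decision:
    """Third tier: peer-to-peer allow list (steps 178/179) and documentation of anomalies."""
    if d.peer_to_peer:
        if d.p2p_stream in ALLOWED_P2P_STREAMS:
            return Decision(Verdict.ACCEPT, "steg", "allowed peer-to-peer stream")
        return Decision(Verdict.REJECT, "steg", "peer-to-peer stream not allowed")
    noteworthy = sorted(set(triggers) & (KNOWN_ANOMALIES | MALICIOUS_TRIGGERS))
    if noteworthy:                           # documented (step 143) before the data is dropped
        ANOMALY_LOG.append((d.actual_url, noteworthy))
        return Decision(Verdict.REJECT, "steg", "anomaly documented", noteworthy)
    return Decision(Verdict.REJECT, "steg", "dangerous source reported to client", triggers)

def monitor(d: Download) -> Decision:
    """Run one download through the tiers; accepted data is stored in the proxy cache."""
    if d.peer_to_peer:                       # peer-to-peer traffic is the third tier's job
        dec = steg_filter(d, [])
    else:
        dec = alpha_filter(d)
        if dec.verdict is Verdict.INVESTIGATE:
            dec = delta_filter(d, dec.triggers)
        if dec.verdict is Verdict.INVESTIGATE:
            dec = steg_filter(d, dec.triggers)
    if dec.verdict is Verdict.ACCEPT:
        CACHE[d.requested_url] = d.body
    return dec
```

The redirect case is the one the patent singles out: the same ActiveX content is accepted when it arrives from the host the user asked for and rejected by the delta tier when the bytes came from a different host.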
The system may be enhanced by including a key. The key is a hardware device provided to the user in the form of a USB connection. It is installed by communicating with the user's internet service. The key has a code built into the device, which is then transmitted to the monitoring device. The monitoring device will only allow Internet traffic to be transmitted to the user after the presence of the key and successful reception of the code held within the key has been received and accepted.
The key is designed to be transportable, hence the user can unplug the key and take the key to another Internet connection and connect to the monitoring device. This would allow the user to travel and connect to the Internet in a secure fashion from different locations.
The key includes EPROM technology and the code is programmed into the EPROM. The key is protected from tampering by the use of two methods, the first of which is the use of tamper evident seals to show if tampering has occurred and the second is the use of built in circuitry that would destroy the information held in the EPROM in the event the key is physically opened.
The method of the present invention may also be implemented on a cut-down proprietary operating system that is loaded from flash ROM technology within a stand-alone unit. The unit can provide full connectivity to the internet but can reduce some of the normal problems and security issues that are involved in operating a normal PC. The unit is designed to allow people who are not familiar or comfortable using traditional PC equipment to access the internet without the concern of downloading material they were not intending to, or of having the PC infected by malicious software. The unit is also designed to allow parents who understand PC technology to provide it as a controlled and safe appliance for young children to access the internet.
While we have described herein a particular embodiment of an internet and computer network security system, it is further envisaged that other embodiments of the invention could exhibit any number and combination of any one of the features previously described. However, it is to be understood that any variations and modifications can be made without departing from the spirit and scope thereof.
Claims
1. A method of monitoring the transfer of data, the method including the steps of: requesting data from a designated source; comparing data downloaded from a source against a first filter set of predefined requirements for safe access to reject or accept the downloaded data; determining the reason the rejected data is rejected by the first filter; for rejected data that is non-malicious, comparing the source from which the data is downloaded with the designated source and rejecting the data where the source does not match the designated source; and for data from the designated source, filtering the content according to a further filter set of predefined requirements and enabling access to the data that satisfies the further filter set of predefined requirements.
2. A method according to claim 1 further including the steps of: for data that is malicious, comparing the malicious data with a set of known data anomalies and rejecting data which falls within the set of known data anomalies; and for data which is outside the set of known data anomalies, storing the data for further investigation.
3. A method according to claim 2 wherein the further investigation includes determining if the data contains hidden information.
4. A method according to any one of claims 1 to 3 wherein the source is a universal resource locator for an internet web page.
5. A method according to any one of the preceding claims wherein the data includes any one or more of: data downloaded from a webpage, peer-to-peer traffic, chat traffic or messenger traffic.
6. A method according to any one of the preceding claims wherein the step of determining the reason the rejected data is rejected by the first filter includes packet inspection of the data or inspecting an application associated with the data.
7. A method according to any one of the preceding claims further including the step of filtering the content according to the further filter set of predefined requirements and accepting the data that satisfies the further filter set of predefined requirements, wherein the further filter set of predefined requirements includes a) monitoring for embedded content within embedded content within a standard application content payload, such as a jpeg within a jpeg within a word document, or b) monitoring peer to peer traffic and passing only traffic that fits designated filtering criteria and removing traffic that has a destructive payload.
8. A system for monitoring communications between a first computer, the first computer being able to be connected to the internet, and a second computer, the system including a monitoring device, operably interposed between the first and second computers, comprising: means for comparing data downloaded from a source against a first filter set of predefined requirements for safe access to reject or accept the downloaded data; means for determining the reason the rejected data is rejected by the first filter; for rejected data that is non-malicious, means for comparing the source from which the data is downloaded with the designated source and rejecting the data where the source does not match the designated source; and for data from the designated source, means for filtering the content according to a second filter set of predefined requirements and enabling access to the data that satisfies the second filter set of predefined requirements.
9. A system as claimed in claim 8 wherein the monitoring device includes a proxy storage filter for storing the data to be compared.
10. A system as claimed in claim 8 wherein the proxy storage filter stores the rejected data.
11. A system as claimed in any one of claims 8 to 10 wherein the means for comparing data downloaded from a source against a first filter set of predefined requirements for safe access to reject or accept the downloaded data is a first filter.
12. A system as claimed in any one of claims 8 to 11 wherein the means for determining the reason the rejected data is rejected by the first filter is a second filter.
13. A system as claimed in claim 12 wherein comparing the source from which the data is downloaded with the designated source and rejecting the data where the source does not match the designated source is performed by the second filter.
14. A system as claimed in claim 12 or claim 13 wherein filtering the content according to a second filter set of predefined requirements and enabling access to the data that satisfies the second filter set of predefined requirements is performed by the second filter.
15. A system as claimed in any one of claims 12 to 14 further including a third filter for analysing data to determine if the data falls within a set of criteria.
16. A system as claimed in claim 15 wherein the set of criteria includes data anomalies such as hidden or disguised data.
17. A system as claimed in any one of claims 8 to 16 wherein the system further includes a key for connection to the client computer wherein the key transmits a code to the monitoring device before data can be transferred between the client and the server.
18. A system as claimed in claim 17 wherein the key comprises erasable programmable read-only memory (EPROM) and the code is hard-coded into the EPROM.
19. A system as claimed in claim 17 or claim 18 wherein the key includes a tamper evident seal.
20. A system as claimed in claim 12 or claim 13 wherein the key includes built-in circuitry which destroys the information once the key has been opened.
21. Software for use with a computer including a processor and an associated memory device for storing the software, the software including a series of instructions to cause the processor to carry out a method according to any one of claims 1 to 7.
22. A method of monitoring data communications, the method including the steps of: requesting data from a designated source; comparing data downloaded from a source against a first filter set of predefined requirements for safe access to accept, reject or further investigate the downloaded data; accepting the data if it is received from a previously identified safe source; or terminating the data if it is received from a previously known unsafe source; or further investigating the data if it is received from an unknown source by scanning the data for malicious content; where the data does not include suspicious content, accepting the data; or where the data does include suspicious content, rejecting the data and determining the reason the rejected data is rejected by the first filter set; where the rejected data is malicious, terminating the data; where the rejected data is non-malicious, comparing the source from which the data is downloaded with the designated source and terminating the data where the source does not match the designated source; and for data from the designated source, filtering the content according to a further filter set of predefined requirements and accepting the data that satisfies the further filter set of predefined requirements.
23. A method of monitoring data communications as claimed in claim 22 wherein the further filter set of predefined requirements includes accepting the data that satisfies the further filter set of predefined requirements, wherein the further filter set of predefined requirements includes: a) monitoring for embedded content within embedded content within a standard application content payload, such as a jpeg within a jpeg within a word document; or b) monitoring peer to peer traffic and passing only traffic that fits designated filtering criteria and removing traffic that has a destructive payload.
24. A method of monitoring data communications substantially as hereinbefore described with reference to the drawings.
25. A system for monitoring communications between a first computer, the first computer being able to be connected to the internet, and a second computer, the system substantially as hereinbefore described with reference to the drawings.
PCT/AU2009/000747 (WO2009149516A1), "Computer network security system": priority date 2008-06-13, filing date 2009-06-12, publication date 2009-12-17.

Priority Applications
Application Number   Priority Date   Filing Date   Title
AU2009257197A        2008-06-13      2009-06-12    Computer network security system

Applications Claiming Priority
Application Number   Priority Date   Title
AU2008902989A        2008-06-13      Internet and computer network security system
AU2009900796A        2009-02-24      Internet and Computer Network Security System

Family

ID=41416290

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AU2009/000747 WO2009149516A1 (en) 2008-06-13 2009-06-12 Computer network security system

Country Status (2)

Country Link
AU (1) AU2009257197A1 (en)
WO (1) WO2009149516A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120210431A1 (en) * 2011-02-11 2012-08-16 F-Secure Corporation Detecting a trojan horse
WO2013025126A2 (en) * 2011-08-12 2013-02-21 Rawllin International Inc. News feed by filter
WO2014117843A1 (en) * 2013-01-31 2014-08-07 Telefonaktiebolaget L M Ericsson (Publ) Method and firewall for soliciting incoming packets

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5835726A (en) * 1993-12-15 1998-11-10 Check Point Software Technologies Ltd. System for securing the flow of and selectively modifying packets in a computer network
WO2002057935A1 (en) * 2001-01-16 2002-07-25 Captus Networks Corporation Method and device for monitoring data traffic and preventing unauthorized access to a network
US6922786B1 (en) * 2000-10-31 2005-07-26 Nortel Networks Limited Real-time media communications over firewalls using a control protocol
US7215637B1 (en) * 2000-04-17 2007-05-08 Juniper Networks, Inc. Systems and methods for processing packets

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120210431A1 (en) * 2011-02-11 2012-08-16 F-Secure Corporation Detecting a trojan horse
US8726387B2 (en) * 2011-02-11 2014-05-13 F-Secure Corporation Detecting a trojan horse
GB2501203B (en) * 2011-02-11 2017-03-22 F Secure Corp Detecting a trojan horse
WO2013025126A2 (en) * 2011-08-12 2013-02-21 Rawllin International Inc. News feed by filter
WO2013025126A3 (en) * 2011-08-12 2013-05-02 Rawllin International Inc. News feed by filter
WO2014117843A1 (en) * 2013-01-31 2014-08-07 Telefonaktiebolaget L M Ericsson (Publ) Method and firewall for soliciting incoming packets
US10015136B2 (en) 2013-01-31 2018-07-03 Telefonaktiebolaget Lm Ericsson (Publ) Method and firewall for soliciting incoming packets

Also Published As

Publication number Publication date
AU2009257197A1 (en) 2009-12-17

Similar Documents

Publication Publication Date Title
US9462007B2 (en) Human user verification of high-risk network access
US10542006B2 (en) Network security based on redirection of questionable network access
US7818565B2 (en) Systems and methods for implementing protocol enforcement rules
US20080196099A1 (en) Systems and methods for detecting and blocking malicious content in instant messages
US20060026681A1 (en) System and method of characterizing and managing electronic traffic
US20070261112A1 (en) Network Security Device
US20040111623A1 (en) Systems and methods for detecting user presence
US20090222877A1 (en) Unified network threat management with rule classification
US20040109518A1 (en) Systems and methods for a protocol gateway
GB2422224A (en) An anti-phishing system for enhancing network security
Chopra Security issues of firewall
Razumov et al. Developing of algorithm of HTTP FLOOD DDoS protection
WO2009149516A1 (en) Computer network security system
KR101450961B1 (en) Method and system for blocking sophisticated phishing mail by monitoring inner and outer traffic
CA2587867C (en) Network security device
Kantheti et al. Performance and evaluation of firewalls and security
WO2006062961A2 (en) Systems and methods for implementing protocol enforcement rules
WO2008086224A2 (en) Systems and methods for detecting and blocking malicious content in instant messages
Kaplesh et al. Firewalls: A study on Techniques, Security and Threats
Hussain Use of Firewall and Ids To Detect and Prevent Network Attacks
Straub Information Security Managing Risk with Defense in Depth
Nielson Classical Network Security Technology
Suhag Paradigmatic Approaches for Network Security and Preventing Intrusions: A Secure Computer Shield
Fosić et al. VPN network protection by IDS system implementation
Hackl et al. State of the art in network-related extrusion prevention systems

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 09761181; Country of ref document: EP; Kind code of ref document: A1)
WWE Wipo information: entry into national phase (Ref document number: 2009257197; Country of ref document: AU)
ENP Entry into the national phase (Ref document number: 2009257197; Country of ref document: AU; Date of ref document: 20090612; Kind code of ref document: A)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 09761181; Country of ref document: EP; Kind code of ref document: A1)