Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1999-02-02
2001-02-20
Iqbal, Nadeem (Department: 2785)
C380S044000
active
06192477
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to computer networks, and, more specifically, to providing data security for computers communicating across an unsecured computer network communications link. The present invention has applications in the areas of computer science and computer network security.
2. The Related Art
Computer network traffic has grown exponentially over the past two decades. Disconnected desktop computers have been transferred to large networks of networked computers due, in part, to advances in networking technology such as modem and Ethernet connections that have made the formation of computer networks financially practical. Over the past decade, the reach of computer communications has become global due to the expansion of users on the Internet. This worldwide computer network has provided millions of computer users with access to information and commerce opportunities unparalleled in history.
Access to these resources and opportunities has not come without a price. The rise of computer networks has also spawned new risks for users in the form of information theft and/or sabotage. Such theft and sabotage can be wrought by “hackers”: individuals who attempt to gain access to data stored on another's computer system, often for the sheer sport of the activity. Some hackers are more malicious, using software to install computer “viruses” on client computers to alter or destroy data or steal trade secrets. However, even organizations such as governments and businesses also “lift” and/or modify user data when the user connects to apparently “innocuous” servers over the World-Wide Web. For example, a business or government agency could establish an engine to scan surreptitiously the contents of a client computer's drive(s) when that computer logs in to a Web server. The data obtained from the drive could be used for marketing or espionage purposes.
To counter these threats, many local area networks (“LANs”) use firewalls to protect computers connected to the local network from the above-described threats. However, firewalls suffer from drawbacks. First, firewall protection is generally designed for computer networks; thus, protection for individual users is not readily available. Second, firewall protection is expensive. Thorough firewall protection often requires the purchase and maintenance of one or more specialized computer systems. Third, firewalls can only protect against known threats. Thus, the firewall software must be reconfigured repeatedly as new threats appear.
For individual users, some protection is available using various software packages that monitor certain actions taken by software running on the computer and/or scan files for known anomalies, such as code patterns that are consistent with a computer virus. As with firewalls, these software packages must be constantly updated to scan for the latest virus code patterns. Also, these packages offer limited protection for more dynamic forms of intrusion, such as snooping and/or copying performed by malicious Web sites.
Thus, there is a need for cheaper, simpler software and methods to protect the integrity of data stored on computers used to communicate over computer networks, especially unregulated networks such as the Internet. More particularly, such software and methods will protect against attacks by viruses as well as attempts to copy or alter information on the user's computer by server computers in communication with the user's computer across a computer network. The present invention meets these and other needs.
SUMMARY OF THE INVENTION
The present invention provides relatively simple methods, software, and systems for maintaining data security on a first computer in communication with another computer (e.g., a server) across an unsecure computer network such as the Internet. The methods, software, and systems described herein can be implemented on individual computers, computers coupled with local- or wide-area networks, and client computers in a client-server environment (e.g., thin clients).
In a first aspect, the present invention provides a method for performing secure communication between a first user's computer and a second remote computer over a computer network. According to one embodiment of this aspect of the invention, the data space of the first computer (i.e., the memory associated with data and instructions stored on the first computer at the time communication between the first and second computer is initiated) is partitioned into a first secure portion and a second network interface portion. Communication is established between the first and second computer, and redirection and filter mechanisms are initialized. An instruction is received by the first computer. The instruction is analyzed by the redirection mechanism, and passed to the filter if the instruction is a protected instruction. The protected instruction is verified by the filter and processed if the verification is successful.
In another embodiment, data and instructions necessary for performing communications over the network are copied from the secure portion to the network interface portion. In a more specific embodiment, the method of the invention includes disconnecting the first and second computers from network communication and comparing the files stored in the secure and network interface portions. In a still more specific embodiment, files that were changed during the communications session between the first and second computers are restored to their original state.
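The copy, compare and restore sequence of this embodiment can be illustrated with the following added example, which is not part of the patent text. It assumes the two portions are ordinary directories; the names `manifest`, `open_session` and `close_session`, the sample files, and the removal of files created during the session are assumptions made for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def manifest(root: Path) -> dict:
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def open_session(secure: Path, work: Path) -> None:
    """Copy the session's files from the secure portion to the network interface portion."""
    shutil.copytree(secure, work, dirs_exist_ok=True)

def close_session(secure: Path, work: Path) -> dict:
    """After disconnecting: compare the two portions and restore changed files."""
    before, after = manifest(secure), manifest(work)
    report = {"modified": [], "deleted": [], "added": []}
    for rel, want in before.items():
        if after.get(rel) == want:
            continue                                  # unchanged during the session
        report["deleted" if rel not in after else "modified"].append(rel)
        (work / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(secure / rel, work / rel)        # restore the original state
    for rel in sorted(after.keys() - before.keys()):
        report["added"].append(rel)
        (work / rel).unlink()                         # assumption: drop session-created files
    return report

def demo() -> dict:
    """Constructed sample data: three files, then simulated tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        secure, work = Path(tmp, "secure"), Path(tmp, "netif")
        (secure / "conf").mkdir(parents=True)
        (secure / "hosts").write_text("127.0.0.1 localhost\n")
        (secure / "conf" / "browser.ini").write_text("home=about:blank\n")
        (secure / "notes.txt").write_text("private\n")
        open_session(secure, work)
        (work / "hosts").write_text("203.0.113.9 bank.example\n")   # altered
        (work / "notes.txt").unlink()                                # removed
        (work / "dropped.bin").write_bytes(b"\x00\x01")              # created
        report = close_session(secure, work)
        report["clean"] = manifest(work) == manifest(secure)
        return report

if __name__ == "__main__":
    print(demo())
```

The report returned by `close_session` doubles as an audit record of what the remote computer changed during the session.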
In yet another embodiment, the method of the invention includes passing non-protected instructions to the operating system of the first computer, and notifying the user of the first computer that a received instruction is a protected instruction. The user can then determine whether to execute the instruction. Instructions not verified can be disallowed. In still other embodiments, instructions and/or files stored on the first computer are marked and/or tagged. In an alternative embodiment, instructions and/or files received by the first computer are marked and/or tagged.
In a second aspect, the present invention provides systems for performing secure communication between a first computer containing secure data in a data space and a second remote computer across a computer network. The system of the invention includes, in one embodiment, a first data space partition configured to store data such that the data cannot be modified during the communication between said first and second computers. A second data space partition is configured to store data to enable communication between said first and second computers over the network. A redirection mechanism configured to receive data and instructions from the second computer over said computer network is also provided. The redirection mechanism is configured to determine whether the received data and instructions include instructions to perform protected operations. The redirection mechanism is coupled with a filter mechanism that is configured to receive instructions to perform protected operations from the redirection mechanism and verify those instructions.
In one embodiment of the second aspect of the present invention, the second data space partition includes images of files stored in the first data space partition. In a more specific embodiment, these images include operating system files to enable function of the images of the executable files stored in the second data space partition. In another embodiment, the filter is coupled with, and forwards to, the image files verified instructions. In still another embodiment, the operating system of the first computer is stored in the first data portion and non-protected instructions are forwarded to the operating system directly. In yet another embodiment, the filter is configured to abort instructions that are not verified. In still another embodiment, the user can override the filter. In still another embodiment, a comparator is provided to compare files stored in the first da
Dagg LLC
Iqbal Nadeem
Lentini David P.