Computer networks provide a communications path between network-attached computers, which exchange data via communications protocols. The communications model for the Internet is based on the Internet Protocol (IP), which facilitates end-to-end communications.
Generally, for computers to communicate over networks, each needs an IP address, a subnet, and a method of getting an IP packet to its destination; that method is provided by routing protocols on the routers between the IP communications endpoints. All devices between two communicating hosts, namely switches, routers and firewalls, pass the IP traffic to enable the communication; in some cases, firewalls will also prohibit that communication.
Firewalls typically perform two main types of functions when permitting end-to-end traffic: the first obfuscates the IP address of a device using network address translation, and the second is a proxy function that terminates a protocol at a layer above the end-to-end IP layer. Existing application and proxy firewalls keep a continuous path and only change IP addresses or TCP ports.
Other security functions exist, such as determining whether IP or higher-level protocol traffic should be denied, or how the denial is imposed; those functions are not pertinent here, other than to state that the traffic is blocked in some manner unless a way around the blocking is discovered, either legitimately or by a nefarious act. It is sufficient to say that firewalls in general, when passing permitted traffic, harmful or not, pass it directly between two IP hosts and make no modifications to the data contained in the end-to-end IP packets, even upon detailed packet inspection, except to modify packet headers without modifying any application-layer data within the packet.
As such, existing firewalls which permit an IP packet to pass from sender to receiver do so without obstruction or modification of the packet's data. If the data within the packet has an adverse effect on the receiving system, it can cause loss of use of the recipient's system, expose the computer's owner to loss of data, intellectual property and personal details, and it may open a channel for additional unwelcome activity. While numerous plans exist to abate this, each has to perform perfectly: systems must be properly patched, the attacker must know of no method, published or unpublished, around the security imposed, and the attacker must be incapable of penetrating the system. This has proven challenging at a minimum and is not solvable with current methods. The many exposures of credit card data and other data theft show just how hard it is for current systems to be effective.
Data, such as a program on the sender's computer, can be reproduced exactly on the user's computer, as occurs in most, if not all, computer security breaches. An alternative approach would be to not permit direct communications between the user's computer, which stores such data and details, and the communications partner.
The current problem, which is difficult to solve, is that volatile data which can alter the state of a recipient computer system can change that state in ways which are unintended and can compromise the security of the system. Existing methods to prevent volatile data transmission between computers include virus scanning, packet inspection, and intrusion protection systems based on heuristic, signature or other approaches, which have had limited success. The current firewall systems which provide security are in the path of the communications and can fail to block volatile communications in all cases, in part because the end-to-end passing of data between two hosts requires a paradigm shift. The solution is to prevent volatile data from interacting with a computer, and prior attempts have not yielded a solution.
For clarification of the shortcomings of existing methods, FIG. 1 shows a typical end-to-end communications path between a communications partner 110 functioning as a client computer and a communications partner 115 functioning as a Web Server, using the TCP/IP protocol suite, consisting of TCP and IP in this case. As part of the communications setup between 110 and 115, a TCP three-way handshake occurs between 110 and 115 and direct communications are established. The end-to-end communication path, in reality, consists of switches, routers, firewalls and other network and security devices. The end-to-end path is used to transport precise data between the two applications, an HTTP server on 115 and a Browser on 110. This is the current method used for a typical client computer to connect to a remote web server, for example, on the Internet. The format and content of the precise data communicated over the direct connection generally does not change, and is at least in part identical, when compared on both communications partners 110 and 115.
This first example, which is the state of the current method used on the Internet, shows a client in the process of requesting and receiving webpage data. The HTTP protocol as defined in RFC 2068 carries the intended data from the 115 server to the 110 client, which is, in this case, a file such as a cookie, or the client-side textual tag with the characters ‘<script>’, or a command embedded in an HTML document. The cookie, or the ‘<script>’ tag used to define a client-side script, is transmitted from the server 115 to the client 110 and is received at the client 110. The ‘<script>’ tag, for example, can be viewed on 110 in the browser's ‘page source’ and it is the identical text ‘<script>’ which was sent from the Web Server 115, which is verifiable with packet capture techniques and analysis of the storage or software on both 115 and 110. The active functionality associated with this ‘<script>’ command can cause an action to occur on 110.
It should be recognized that the data being sent from server to client can originate from storage such as a hard drive or from volatile media like random access memory (RAM). Additionally, the data may be unique to the individual communication and calculated via an algorithm, or uniquely and dynamically constructed for the client, such as in the case of a tracking cookie. In the example shown in FIG. 1, an HTML file on the server is the source of the data, and an analysis of the Server 115 would yield a file with the exact data, or an algorithm to create the data, found on Client 110. Based on the HTML example, the ‘<script>’ tag in ASCII text format on 115 becomes an identical ‘<script>’ tag in ASCII text format on Client 110. An additional concern here is that the tag has the ability to cause an action to occur on 110 by activation of this HTML tag. The transference of this data ‘<script>’ from the server to the client is verifiable using existing packet analysis tools or data carving tools on storage or volatile media on each communications partner 115 and 110, and by performing a cryptographic hash on the data yielding the same results. This reproducibility is the intention of IP end-to-end communications, and other protocols support the reliability of the reproduction.
Similarly, a JPEG file on 115 called ‘malware.jpg’ could be transmitted from the Server 115 to the Browser on Client 110 as unaltered or only slightly modified data, such as with a filename change on the Client 110 storage media. It is possible that a file transmitted to the Client 110 from the Server 115 has the exact same cryptographic hash, statistically ensuring an exact copy. If the hash does not match for the entire file, it can match for significant portions of the corresponding files on each communications partner when isolated from the storage using data carving techniques. Data carving is the technique of using a hex editor to assemble the sections of a file or file fragment into a form suitable for analysis or comparison to a corresponding file on another computer. Cryptographic hashing algorithms typically in use at the writing of this document are MD5, SHA-1 or SHA-256.
This method of end to end communications 195 occurs in countless ways on communications devices 110, 115 of many different kinds and running many different software applications over protocols such as TCP, UDP and IP.
A practical example of a direct connection between two communication partners is the web server and client computer shown in FIG. 2. The firewalls shown may alter the IP addresses of the devices and even modify the protocols, such as by encapsulation, but application data is intentionally passed with little or no modification between devices, as previously described.
In operation, the user types a URL into the browser located on the client computer 210 and activates the instruction to the Browser by depressing the ‘enter key’ on the computer keyboard, which issues a request to the web server 215 for the HTML content of a web page. A TCP three-way handshake then establishes a direct connection between the client computer 210 and the web server 215. The properly formatted request is then sent in packets through firewalls 230, 235 and the Internet 250 to the web server 215 by means of the server's IP address; some change of IP addresses may occur due to network address translation or translation of the TCP port. Next, the web server 215 sends an HTML file and associated files containing text, scripts, links and graphics files back through the firewalls 230, 235 and Internet 250 to the client computer 210 by means of the client's IP address. Some of the content sent by the web server 215 to the client computer 210 will be saved on the hard drive or located in memory on the client computer 210; some of the content sent by the web server 215 to the client computer's browser will be displayed as a web page with graphics, text, sound or video; and some of the content sent by the web server 215 to the client computer 210 will be acted upon, such as commands, active content or the running of HTML scripts. In the exemplary embodiment, the connections 260, 265, 270, 275 between devices 210, 230, 250, 235, 215 represent, throughout the communications, the network hardware which supports the communications, such as links, switches and routers.
In this process, data stored on the web server, and properly referenced in the HTML language, such as text, a graphic (e.g. JPEG) or a video (e.g. MPEG), is presented and directly passed, in original or slightly modified format, to the client computer. For example, a file known as ‘infectme.jpg’ which is on the web server and listed properly in the web page is displayed on the computer screen. That same file can be found on the client computer, perhaps with a different name, but with highly similar content. The corresponding file or data on each computer may have an identical cryptographic hash, or some significant portion of the file or data, when ‘data carved’, may have an identical cryptographic hash, such as one obtained with the MD5 or SHA-1 algorithm.
In some cases firewalls based on proxy methods will terminate the communications process for TCP. In FIG. 3, a proxy 335 is shown which has a communications path 365 with the communications partner 315, which could fill the role of web server. The other communications partner 310 could be filling the role of client computer with a Browser. In this case or type of communications, the communication is still the same regarding the transfer of data between communications partners 315 and 310. It is evident that files can be transferred between the devices and that there is a clear communications path over IP between the two endpoints. An ‘infectme.jpg’ could still travel unabated between the communications partners 315, 310 because of an existing end-to-end communication path 395 with a single protocol set such as TCP/IP across paths 360, 365.
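The verification described for ‘malware.jpg’ and ‘infectme.jpg’ (whole-file hash comparison, and hashing of a data-carved portion when the whole-file hashes differ) can be reproduced with a short script. The following is an added example written for this page; it is not code from the application. The JPEG-shaped byte strings, the client “disk image” and the 50% significance threshold are constructed here for illustration, and the carving uses only the JPEG start-of-image (FF D8 FF) and end-of-image (FF D9) markers rather than a full hex-editor workflow.

```python
import hashlib
from difflib import SequenceMatcher
from typing import List

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker
JPEG_EOI = b"\xff\xd9"       # end-of-image marker

# Constructed stand-in for the file on the web server: JPEG-shaped bytes
# (SOI, a fake APP0 header, 256 bytes of payload, EOI). Not a real picture.
SERVER_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + bytes(range(64)) * 4 + JPEG_EOI

# Constructed raw storage image from the client: unrelated bytes, a cache
# entry under a different file name, the saved copy, then more unrelated data.
CLIENT_DISK_IMAGE = (
    b"\x00" * 37
    + b"cache-entry: pic_0042.jpg\n"
    + SERVER_JPEG
    + b"\xff" * 20
    + b"<html>unrelated</html>"
)

# Constructed "slightly modified" copy: same image data, but a comment segment
# was inserted after the header, so the whole-file hash no longer matches.
CLIENT_MODIFIED = (
    JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\xfe\x00\x07saved!"
    + bytes(range(64)) * 4 + JPEG_EOI
)


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash used to show two byte strings are the same copy."""
    return hashlib.sha256(data).hexdigest()


def carve_jpegs(image: bytes) -> List[bytes]:
    """Scan a raw storage image for JPEG marker pairs and return each candidate file."""
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        found.append(image[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)
    return found


def longest_common_run(a: bytes, b: bytes) -> bytes:
    """Longest contiguous byte run present in both inputs (the 'carved portion')."""
    m = SequenceMatcher(None, a, b, autojunk=False).find_longest_match(
        0, len(a), 0, len(b))
    return a[m.a:m.a + m.size]


def compare_copies(server_file: bytes, client_blob: bytes,
                   min_fraction: float = 0.5) -> dict:
    """Whole-file hash check first; if it fails, hash the largest shared portion
    and report whether it is a 'significant' fraction of the server file."""
    exact = sha256_hex(server_file) == sha256_hex(client_blob)
    common = longest_common_run(server_file, client_blob)
    return {
        "exact_match": exact,
        "server_hash": sha256_hex(server_file),
        "client_hash": sha256_hex(client_blob),
        "common_bytes": len(common),
        "common_hash": sha256_hex(common),
        "significant": len(common) >= min_fraction * len(server_file),
    }


if __name__ == "__main__":
    carved = carve_jpegs(CLIENT_DISK_IMAGE)
    print("carved files:", len(carved))
    print("exact copy:", compare_copies(SERVER_JPEG, carved[0]))
    print("modified copy:", compare_copies(SERVER_JPEG, CLIENT_MODIFIED))
```

Running the script shows the two situations the text describes: the copy carved from the client image hashes identically to the server's file, while the modified copy fails the whole-file comparison but shares a 258-byte run (the image data plus trailer) whose hash matches on both sides.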
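The behaviour attributed to the firewalls of FIG. 2 and the proxy of FIG. 3 (IP addresses, ports or headers may change, TCP may even be terminated and re-established, yet the application data arrives unchanged) can be demonstrated on one machine. The following is an added example written for this page, not code from the application: an origin server thread holds a constructed HTML page containing a ‘<script>’ tag, a proxy thread terminates the client's TCP connection, opens its own connection upstream and rewrites a header in each direction, and the client hashes what it receives. The header names and the page contents are constructed for the demonstration; the sockets are bound to the loopback interface only.

```python
import hashlib
import socket
import threading
from typing import Tuple

# Constructed sample page held by the origin server (role 115 / 315). The
# <script> text stands in for the active content discussed above.
SERVER_FILE = b"<html><body><script>alert('hi')</script></body></html>"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _read_to_eof(conn: socket.socket) -> bytes:
    chunks = []
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            break
        chunks.append(chunk)
    return b"".join(chunks)


def _listener() -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))        # port 0: the OS picks a free port
    s.listen(1)
    return s


def _serve_once(listener: socket.socket, body: bytes) -> None:
    """Origin server: answer one request with an HTTP/1.0 response."""
    conn, _ = listener.accept()
    with conn:
        _read_to_eof(conn)           # request ends at the peer's half-close
        head = (b"HTTP/1.0 200 OK\r\nServer: origin\r\n"
                b"Content-Type: text/html\r\n"
                b"Content-Length: %d\r\n\r\n" % len(body))
        conn.sendall(head + body)
    listener.close()


def _proxy_once(listener: socket.socket, origin_port: int) -> None:
    """Proxy firewall (FIG. 3, 335): terminates the client's TCP connection,
    opens a separate connection to the origin and rewrites headers only."""
    client, _ = listener.accept()
    with client:
        request = _read_to_eof(client)
        # Header change on the way in (constructed Via header), body untouched.
        request = request.replace(b"\r\n\r\n", b"\r\nVia: 1.0 proxy\r\n\r\n", 1)
        with socket.create_connection(("127.0.0.1", origin_port)) as upstream:
            upstream.sendall(request)
            upstream.shutdown(socket.SHUT_WR)
            response = _read_to_eof(upstream)
        head, _, body = response.partition(b"\r\n\r\n")
        # Header change on the way out; the application data is relayed as-is.
        head = head.replace(b"Server: origin", b"Server: proxy-fw")
        client.sendall(head + b"\r\n\r\n" + body)
    listener.close()


def fetch_through_proxy(proxy_port: int) -> Tuple[bytes, bytes]:
    """Client (role 110 / 310): send one request, return (headers, body)."""
    with socket.create_connection(("127.0.0.1", proxy_port)) as s:
        s.sendall(b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n")
        s.shutdown(socket.SHUT_WR)
        response = _read_to_eof(s)
    head, _, body = response.partition(b"\r\n\r\n")
    return head, body


def run_demo() -> dict:
    """Wire origin, proxy and client together on loopback and compare hashes."""
    socket.setdefaulttimeout(5)
    origin_l, proxy_l = _listener(), _listener()
    origin_port = origin_l.getsockname()[1]
    proxy_port = proxy_l.getsockname()[1]
    t_origin = threading.Thread(target=_serve_once, args=(origin_l, SERVER_FILE))
    t_proxy = threading.Thread(target=_proxy_once, args=(proxy_l, origin_port))
    t_origin.start()
    t_proxy.start()
    head, body = fetch_through_proxy(proxy_port)
    t_origin.join()
    t_proxy.join()
    return {
        "server_hash": sha256_hex(SERVER_FILE),
        "client_hash": sha256_hex(body),
        "body_identical": body == SERVER_FILE,
        "headers_rewritten": b"Server: proxy-fw" in head,
        "script_tag_present": b"<script>" in body,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The client never holds a TCP connection to the origin, and the headers it sees differ from what the origin sent, yet the body hashes are equal and the ‘<script>’ tag arrives byte for byte, which is the point the text makes about proxy firewalls.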
What is needed is a way to impede direct transfer between sender and receiver while still communicating the information. However, in view of the art considered as a whole at the time the present invention was made, it was not obvious to those of ordinary skill how the art could be advanced.
While certain aspects of the conventional technologies have been discussed to facilitate disclosure of the invention, Applicants in no way disclaim these technical aspects, and it is contemplated that the claimed invention may encompass one or more of the conventional technical aspects contained herein.
The present invention may address one or more of the problems and deficiencies of the prior art discussed above. However, it is contemplated that the invention may prove useful in addressing other problems and deficiencies in a number of technical areas. Therefore the claimed invention should not be construed as limited to addressing any of the particular problems or deficiencies discussed herein.
In this specification, where a document, act or item of knowledge is referred to or discussed, this reference or discussion is not an admission that the document, act or item of knowledge, or any combination thereof, was at the priority date publicly available, known to the public, part of common general knowledge, or otherwise constitutes prior art under the applicable statutory provisions; or is known to be relevant to an attempt to solve any problem with which this specification is concerned.
Currently, there is no known hardware configuration or software program which deploys a substantial change of protocol or content to eliminate the action of data coming from a server completely or partially.