US 12,267,301 B2
Methods and systems for automatically securing endpoint device data communications
David Thomas Bonczar, Squantum, MA (US)
Filed by David Thomas Bonczar, Squantum, MA (US)
Filed on Jun. 9, 2020, as Appl. No. 16/896,341.
Claims priority of provisional application 62/874,069, filed on Jul. 15, 2019.
Prior Publication US 2021/0021572 A1, Jan. 21, 2021
Int. Cl. H04L 29/00 (2006.01); H04L 9/40 (2022.01); H04L 12/46 (2006.01)
CPC H04L 63/0272 (2013.01) [H04L 12/4641 (2013.01); H04L 63/0245 (2013.01); H04L 63/0263 (2013.01); H04L 63/1425 (2013.01); H04L 63/20 (2013.01)] 5 Claims
OG exemplary drawing
 
1. A method for automatically securing endpoint device data communications, the method comprising:
establishing, between a first server and an endpoint device, a persistent virtual private network (VPN) connection, the endpoint device configured to automatically establish the persistent VPN connection upon establishing network connectivity;
providing, by the first server, for the endpoint device, a network address translation (NAT) firewall service;
receiving, by the first server, a first plurality of data packets from a third computing device;
inspecting, by the first server, each of the first received plurality of data packets;
determining, by the first server, whether to block one of the first plurality of data packets or to forward the one of the first plurality of data packets to the endpoint device;
blocking, by the first server, the one of the first plurality of data packets based upon a determination that the one of the first plurality of data packets fails to satisfy a security rule;
generating, by the first server, a profile of the endpoint device based upon the inspection of each of the received first plurality of data packets;
applying, by the first server, the profile during an inspection of a second plurality of data packets received from a fourth computing device and addressed to a second endpoint device;
determining, by the first server, whether to block one of the second plurality of data packets based upon the applying of the profile during the inspection;
generating, by the first server, a log including an identification of a determination to block the one of the plurality of data packets;
transmitting, by the first server, the log to an analysis server for analysis to determine whether the blocked packet is part of a plurality of data packets comprising malicious traffic;
receiving, by the analysis server, from the first server, the log;
receiving, by the analysis server, from each of a plurality of security servers, a log file including an identification of a determination to block the one of the plurality of data packets, the plurality of security servers on a network and including the first server;
analyzing, by the analysis server, an aggregate of the received log files, to determine whether there is a pattern of traffic matching a known malicious traffic pattern;
analyzing, by the analysis server, the aggregate of the received log files to determine whether there is a pattern of traffic across endpoint devices satisfying a threshold level of anomalous traffic and comprising a malicious traffic pattern;
generating, by the analysis server, an update to a security rule set based on determining that there is a malicious traffic pattern in data packets received across the network; and
distributing, by the analysis server, to each of the plurality of security servers, the update to the security rule set.
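The analysis-server half of the claim (aggregating block logs from several security servers, finding a traffic pattern that recurs across endpoints above a threshold, matching known malicious patterns, and distributing a rule-set update to every security server) as a small Python simulation. This is an added illustration, not code from the patent; the log entries, the threshold of three endpoints and the known-malicious list are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BlockEvent:
    """One log line a security server sends after deciding to block a packet."""
    server: str    # security server that made the block decision
    endpoint: str  # protected endpoint the packet was addressed to
    src: str       # source address of the blocked packet
    dport: int     # destination port of the blocked packet
    rule: str      # security rule that caused the block


# Constructed sample logs from three security servers (not real traffic).
LOGS = {
    "sec-1": [BlockEvent("sec-1", "ep-A", "203.0.113.7", 445, "smb-inbound"),
              BlockEvent("sec-1", "ep-B", "203.0.113.7", 445, "smb-inbound"),
              BlockEvent("sec-1", "ep-B", "198.51.100.2", 22, "ssh-inbound")],
    "sec-2": [BlockEvent("sec-2", "ep-C", "203.0.113.7", 445, "smb-inbound"),
              BlockEvent("sec-2", "ep-C", "203.0.113.7", 445, "smb-inbound")],
    "sec-3": [BlockEvent("sec-3", "ep-D", "192.0.2.9", 3389, "rdp-inbound")],
}
# Constructed list of (src, dport) pairs treated as known malicious patterns.
KNOWN_MALICIOUS = {("198.51.100.2", 22)}


def aggregate(logs_by_server):
    """Flatten the per-server log files into one list of events."""
    return [e for events in logs_by_server.values() for e in events]


def cross_endpoint_patterns(events, threshold):
    """Group blocked traffic by (src, dport); keep groups that reached at
    least `threshold` distinct endpoints, i.e. a pattern across endpoints."""
    endpoints = defaultdict(set)
    for e in events:
        endpoints[(e.src, e.dport)].add(e.endpoint)
    return {k: v for k, v in endpoints.items() if len(v) >= threshold}


def known_pattern_matches(events, known):
    """Keep (src, dport) pairs that match a known malicious traffic pattern."""
    return {(e.src, e.dport) for e in events} & set(known)


def rule_update(flagged):
    """Turn each flagged (src, dport) pair into a new block rule."""
    return sorted(f"block src={src} dport={dport}" for src, dport in flagged)


def distribute(update, servers):
    """Hand the same rule-set update to every security server."""
    return {s: list(update) for s in servers}


def run(logs_by_server=LOGS, threshold=3, known=KNOWN_MALICIOUS):
    """Full analysis-server pass: aggregate, analyze, update, distribute."""
    events = aggregate(logs_by_server)
    flagged = set(cross_endpoint_patterns(events, threshold))
    flagged |= known_pattern_matches(events, known)
    return distribute(rule_update(flagged), logs_by_server.keys())
```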