Abstract: Disclosed are various embodiments of a method and system for network access control. The method may involve traffic monitoring and vulnerability detection using process information. The system may treat a vulnerability as a malfunctioning process, so that preventive action focuses on blocking the process rather than blocking the host, which can improve the performance and productivity of a network. Techniques may use process related information, connection information, and network packet information for network control. The information may be matched against a plurality of signatures to identify and detect a known vulnerability in network activities. On the basis of a match, a verification report may be established. Techniques may further check whether a verification report is applicable to a process associated with a network packet and allow or block the process running on the host based on the report.
FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
AND
THE PATENTS RULES, 2003
COMPLETE SPECIFICATION
(See Section 10; rule 13)
T I T L E
“A METHOD AND SYSTEM FOR NETWORK ACCESS CONTROL BASED ON TRAFFIC MONITORING AND VULNERABILITY DETECTION USING PROCESS RELATED INFORMATION”
APPLICANT
Sophos Limited
of The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire OX14 3YP, United Kingdom
The following specification particularly describes the invention and the manner in which it is to be performed
FIELD OF THE INVENTION:
The invention relates to the field of wireless communication. More particularly, it relates to network access control without compromising performance and efficiency. Even more specifically, it pertains to a mechanism for network access control based on traffic monitoring and vulnerability detection using process related information.
PRIOR ART:
The phenomenal growth of networks places a major emphasis on the security of crucial network resources. It is also an accepted fact that it is impossible to prevent all attacks and secure all resources. The major means of providing this security is Network Admission Control (NAC).
Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication and network security enforcement. Network Access Control (NAC) is a computer networking solution that uses a set of protocols to define and implement a policy that describes how to secure access to network nodes by devices when they initially attempt to access the network. NAC might integrate the automatic remediation process (fixing non-compliant nodes before allowing access) into the network systems, allowing the network infrastructure such as routers, switches and firewalls to work together with back office servers and end user computing equipment to ensure the information system is operating securely before interoperability is allowed.
Network Access Control aims to do exactly what the name implies—control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do.
NAC is a set of technologies and defined processes whose aim is to control access to the network, allowing only authorized and compliant hosts to access and operate on the network. NAC uses endpoint assessment capabilities to determine the security posture of connecting devices. NAC is also responsible for controlling the devices remotely for security operations. This process is dynamic in the sense that it does not only happen during the initial attachment of the node to the network; it checks periodically to make sure the status of the host is what it should be (as decided by the administrator). The controlling mechanism includes quarantining or even removing the misbehaving process on the remote-controlled host.
NAC is a static policy implementation, which is achieved using host assessment as well as validation and enforcement of restrictions. Host assessment is a fundamental part of determining the state of a host and the kind of access it should receive. The state of a host includes the current version of the operating system, anti-virus signatures, status of the firewall, and installed software or patches. NAC can operate in two modes: the first utilizes basic facilities provided by the operating system of the host to report back, while the second uses special processes known as agents to shoulder the responsibility of reporting. This information is relayed to a centralized controller using an agent-based or agent-less NAC technique, depending on the mode chosen by the administrator. Agent-based NAC depends on specially designed, operating system independent agents to retrieve host information. Agent-less NAC utilizes the operating system's management interface to query the operating system and receive a snapshot for that checkpoint. From this information and the information received at past checkpoints, the controller categorizes a host as healthy or unhealthy. Unhealthy hosts need restriction. VLAN steering switches are instructed to divert traffic to and from such unhealthy hosts, or from processes residing on such hosts, in another direction for better control. It is possible to manage these switches remotely, and usually the entire network can be monitored and controlled from a central place. The remote controlling of this switch can be done by a few methods. One is to use SNMP commands when an SNMP client is running on the host under consideration. The other option is to use remote login methods like SSH or Telnet to send commands to the target host.
Several other mechanisms are also available in the market for the purpose of network access control. Some of them are discussed hereinafter for reference.
European patent publication no. EP2164228 A1 claims "Hierarchical application of security services with a computer network". In general, techniques are described for hierarchical application of security services with a network device. In particular, the network device receives security classification information that maps a security class to one or more computing devices. The security class identifies the security capabilities of the computing devices. The network device also receives network traffic associated with the computing device and applies a set of patterns defined by a policy associated with the security class to the network traffic to detect a set of network attacks. Based on the application of the set of patterns, the network device forwards the network traffic. As a result of receiving security classification information, the network device may become aware of the security capabilities of the computing device and only apply those patterns required to augment these detected security capabilities, thereby preventing application of overlapping security services through application of these services in a hierarchical manner. However, it scans the network and collects a network security snapshot which associates each host with its installed patches, applications, etc. When that particular host sends or receives network data, tailor-made pattern matching is applied for that host: if it is known that only certain applications are installed on that host, then only attacks related to those applications are scanned for and matched. Thus, it requires scanning of the entire network. Moreover, it applies pattern matching for the whole set of applications installed on that host instead of being specific to the identified vulnerable application. Thus, this approach is more time consuming and costly.
US patent publication no. US6816973B1 claims a method and system for adaptive network security using intelligent packet analysis. The method comprises monitoring network data traffic. The network data traffic is analyzed to assess network information. A plurality of analysis tasks are prioritized based upon the network information. The analysis tasks are to be performed on the monitored network data traffic in order to identify attacks upon the network. However, this invention creates a network map which comprises information regarding the different devices, OSes and services installed in the network, and then uses that information to analyze the network packets. Thus, this invention is fully dependent on a prior network map, making it stringent.
The existing NAC systems suffer from at least one of the following deficiencies:
i. A periodic scan for host assessment cannot run at high frequency for efficiency reasons, so there is a high chance that a host starts violating policy between two scans. That is, after the host is recognized as healthy it may change its status to unhealthy without the monitor noticing, and it may then change its state back to healthy to avoid detection.
ii. Existing NAC solutions tend to remove the entire host from the network once it is found unhealthy. Thus, because of a single vulnerable process, all network traffic of the host is blocked, which has a practical impact on overall productivity. Moreover, this behaviour can be abused to mount a denial of service attack on that host.
iii. They depend on a prior network map, which makes them stringent.
iv. They apply pattern matching for the whole set of applications installed on the host instead of being specific to the identified vulnerable application, which makes them more time consuming and costly.
Hence, a need exists to develop a new technique to deal with network access control in the most efficient, controlled and secure manner.
OBJECTIVES OF THE INVENTION:
The main objective of the present invention is to provide a mechanism for network access control based on traffic monitoring and vulnerability detection using process information which ensures security of network resources against malicious intent.
Further objective of the present invention is to provide the mechanism for network access control based on traffic monitoring and vulnerability detection using process information which monitors each host under consideration and identifying vulnerable processes if so running on monitored hosts and blocking those particular vulnerable processes instead of blocking the entire host from acquiring network resources.
Further objective of the invention is to provide the mechanism for network access control based on traffic monitoring and vulnerability detection using process information which enables optimum and efficient way of controlling network access.
Further objective of the invention is to provide the mechanism for network access control based on traffic monitoring and vulnerability detection using process information which focuses on real runtime alert information retrieval and remediation.
STATEMENT OF THE INVENTION:
Accordingly in order to achieve the aforementioned objectives, the present invention provides system for network access control based on traffic monitoring and vulnerability detection using process related information, the system comprising:
a plurality of workstations for receiving at least one connection request from a process running on a host, each of the workstations comprising a process intercepting unit configured for extracting the process related information and forwarding at least one of the following to a pattern matching unit: a. process related information, b. connection information and c. network packet information;
the pattern matching unit being configured for receiving the at least one of the information from the process intercepting unit and forwarding the at least one of the information to an intrusion prevention unit;
the intrusion prevention unit comprising a processing unit and a database, the database consisting of a plurality of signatures defining a set of rules to detect attacks or intrusive activities on the network which can occur through the process, the signatures being prepared based on information relating to the process, the intrusion prevention unit being configured for receiving at least one of the said information from the pattern matching unit, verifying at least one of the said information against the signatures stored in the database to identify and detect a known vulnerability in the network activities, establishing a verification report based on the identification and detection, and sending the verification report to the pattern matching unit;
the pattern matching unit being further configured for receiving the verification report from the intrusion prevention unit, verifying whether the verification report is applicable to the process associated with the network packet, and sending an authorization decision to the process intercepting unit regarding allowing, continuing or blocking the initiated connection request from the process running on the host.
According to one of the embodiments, the process intercepting unit is further configured for disallowing only the process, and not the host, from communication if the authorization decision indicates a match between the signature identification code mentioned in the verification report and the code stored in the application process information database.
The present invention also provides a method for network access control based on traffic monitoring and vulnerability detection using process related information, the method comprising:
receiving, by a plurality of workstations, at least one connection request from a process running on a host;
extracting, by a process intercepting unit of the workstation, the process related information;
forwarding, by the process intercepting unit to a pattern matching unit, at least one of the following: a. process related information, b. connection information and c. network packet information (every outgoing and incoming packet);
receiving, by the pattern matching unit, the at least one of the information from the process intercepting unit and forwarding at least one of the information to an intrusion prevention unit;
receiving, by the intrusion prevention unit, at least one of the said information from the pattern matching unit;
verifying, by the intrusion prevention unit, at least one of the said information against a plurality of signatures stored in a database of the intrusion prevention unit to identify and detect a known vulnerability in the network activities;
establishing, by the intrusion prevention unit, a verification report based on verification step;
sending, by the intrusion prevention unit, the verification report to the pattern matching unit;
receiving, by the pattern matching unit, the verification report from the intrusion prevention unit;
verifying, by the pattern matching unit, whether the verification report is applicable to the process associated with network packet; and
sending, by the pattern matching unit, authorization decision to the process intercepting unit regarding continuing or blocking of the initiated connection request from the process running on the host.
According to one of the embodiments of the invention, the method further comprises disallowing, by the process intercepting unit, only the process and not the host from communication, if the authorization decision indicates a match between the signature identification code mentioned in the verification report and the code stored in the application process information database.
BRIEF DESCRIPTION OF DRAWINGS:
Fig. 1 Shows one of the embodiments of a network environment including the system for network access control based on traffic monitoring and vulnerability detection using process related information in accordance with the present invention.
Fig. 2 Shows another embodiment of a network environment including the system for network access control based on traffic monitoring and vulnerability detection using process related information in accordance with the present invention.
Fig. 3 Shows an embodiment of the process intercepting unit of the system of figures 1 and 2.
Figs. 4 & 5 Show different embodiments of the pattern matching unit of the system of figures 1 and 2.
Figs. 6 & 7 Show different embodiments of the global process store of the pattern matching unit of figures 4 and 5.
Fig. 8 Shows details of the application process information database of the pattern matching unit of figures 4 and 5.
Fig. 9 Shows details of the alert store database of the pattern matching unit of figures 4 and 5.
Fig. 10 Shows a flow diagram illustrating the method for network access control based on traffic monitoring and vulnerability detection using process related information in accordance with the present invention.
DETAILED DESCRIPTION OF THE INVENTION:
Further objective and particular features of the invention are exemplified in the embodiment shown in accompanying drawings and described below.
The present invention advocates a hybrid system, where information about a malicious attempt is derived locally and preventive decision making is done centrally. The hybrid nature of the invention overcomes two major flaws: implementing the major assessment functionalities at host level is time and resource consuming and leads to productivity issues, so overall host performance suffers; and network level sensors miss crucial information about an alert, which increases the possibility of an attack. The present invention takes the advantages of both approaches, and this leads to maximum productivity in the network. An agent to intercept process related information is deployed on each workstation in the local network. This agent relays the process information to a centralized engine. The engine tries to find out whether a vulnerability is present in the process. If a vulnerability is detected, the process is blocked and the information about the vulnerable process is stored in an alert store database. The network administrator uses this database for preventive actions.
A connection in the present invention is described as an attempt by a process running on a host machine to communicate with another process on another host. The intent of a connection can be either healthy communication or malicious. The present invention tries to detect the malicious intent of a process.
Referring to figure 1, one of the embodiments of a network environment including the system for network access control based on traffic monitoring and vulnerability detection using process related information in accordance with the present invention is illustrated. The network environment comprises a plurality of workstations and a server, which are protected by a firewall. The local network interacts with the external world via a router. It is assumed that the router sends and receives network packets between the local network and the internet. A router is a device, well recognized in the networking arena, that is capable of making connections between multiple networks at the transport layer of the OSI model. It examines the protocol information present in the packet, after which it makes the decision of forwarding the same. The router described in fig. 1 forwards network packets from the inside network to the internet and vice versa after inspecting them.
The system for network access control based on traffic monitoring and vulnerability detection using process related information of the present invention mainly includes a process intercepting unit, a pattern matching unit and an intrusion prevention unit.
Each of the workstations receives at least one connection request from a process running on a host. Each of the workstations comprises the process intercepting unit. The process intercepting unit extracts the process related information and forwards at least one of the following to the pattern matching unit: a. process related information, b. connection information and c. network packet information. The process related information includes the process name and process version. The process intercepting unit takes advantage of its host-based position and retrieves granular information which is not available in a network-based scenario. The process intercepting unit hooks at two places: the first hook is implemented at socket level and intercepts socket functions like open, close, sendto and recvfrom. The second hook intercepts incoming and outgoing packets at the network layer in order to send those network packets to the pattern matching unit, if required.
The pattern matching unit receives the at least one of the information from the process intercepting unit and forwards the at least one of the information to the intrusion prevention unit.
The intrusion prevention unit inspects network packet header and payload information for detection of known vulnerabilities. A vulnerability in network security is an amalgamation of three situations: a system or resource susceptible to a flaw, an attacker gaining access to that flaw, and the capability of the attacker to exploit that flaw by launching an attack on the system or resource. The intrusion prevention unit comprises a processing unit and a signature database. The database consists of a plurality of signatures defining a set of rules to detect attacks or intrusive activities on the network which can occur through the process. The signatures are prepared based on information relating to the process. Each of the signatures includes a unique signature identification code. The signatures in the signature database contain possible alert information. The packet information is matched against the signatures, and a positive match is termed a threat or an attack. An example of a signature used by the popular open source IDS Suricata is:
alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt DELETE FROM"; flow:established,to_server; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006443; sid:2006443; rev:10;)
This signature identifies an attempted SQL injection attack present in a web URL.
The intrusion prevention unit receives at least one of the said information from the pattern matching unit and verifies at least one of the said information against the signatures stored in the database. On the basis of this verification, the intrusion prevention unit detects a known vulnerability in the network activities and establishes a verification report based on the identification and detection. The verification report is then sent to the pattern matching unit. The verification report includes the unique signature identification code.
The pattern matching unit further includes an application process information database containing the unique signature identification code, signature name, applicable process name and applicable process version. The pattern matching unit receives the verification report from the intrusion prevention unit. It verifies whether the verification report is applicable to the process associated with the network packet. In this verification the pattern matching unit matches the signature identification code mentioned in the verification report with the code stored in the application process information database. On the basis of the verification, the pattern matching unit sends an authorization decision to the process intercepting unit regarding continuing or blocking the initiated connection request from the process running on the host.
The above mentioned verification is done with the help of one of the embodiments shown in Figs. 6 & 7, called the Global Process store. This is implemented as a two level linked list. In the first level linked list, each node stores a hash value identifying a unique host, together with the host name. Each node of the first linked list points to a set of nodes of a second level linked list, where each node stores connection and process information about each connection initiated from that host. The pattern matching unit performs a lookup on this store. It matches the applicable process information retrieved from the applicable process information database with the associated process information in the linked list. If a match is found, the pattern matching unit sends an authorization decision to the process intercepting unit to block the connection initiated by the associated process.
On receiving the disallowance decision from the pattern matching unit, the process intercepting unit blocks the connection. The pattern matching unit also adds the vulnerable process information to the alert store database shown in fig. 9. The alert store database stores information about vulnerable or malfunctioning processes. The network administrator uses this alert store database for preventive actions. In one embodiment, the alert store database can be a part of the pattern matching unit.
Applicable process information database fulfils the purpose of identifying which signature is applicable to which process with a specific version. It contains fields defined as signature id, signature name, applicable process name, applicable process version. The invention describes a method where a network administrator defines applicability of attack signatures to different processes. A parser program reads signature file of IPS engine and displays a table of signatures to the administrator. The administrator specifies the corresponding process name and version for each signature. The signature and corresponding process name and version are stored into this database.
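The parser program described above, as an added example that is not Sophos' or the page's own code: it reads Suricata-style rule lines, builds the signature table shown to the administrator, and emits the four-field record written to the applicable process information database once the administrator assigns a process. The first sample rule is the page's own; the second is constructed to show a semicolon inside a quoted msg.

```python
"""Added example: minimal Suricata rule parser feeding the administrator's
signature table and the applicable process information database."""
import re
from dataclasses import dataclass

# Rule header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


def split_options(opts: str) -> list[str]:
    """Split the option section on ';' but never inside a quoted value, so a
    ';' in a msg or pcre string does not break the rule apart."""
    items, buf, in_quote, prev = [], [], False, ""
    for ch in opts:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            item = "".join(buf).strip()
            if item:
                items.append(item)
            buf = []
        else:
            buf.append(ch)
        prev = ch
    tail = "".join(buf).strip()
    if tail:
        items.append(tail)
    return items


@dataclass
class Signature:
    sid: int
    msg: str
    classtype: str
    references: list[str]
    flags: list[str]  # options without a value, e.g. nocase


def parse_rule(rule: str) -> Signature:
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a rule line")
    sid = msg = classtype = None
    refs, flags = [], []
    for item in split_options(m.group("opts")):
        key, sep, value = item.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if not sep:
            flags.append(key)
        elif key == "sid":
            sid = int(value)
        elif key == "msg":
            msg = value
        elif key == "classtype":
            classtype = value
        elif key == "reference":
            refs.append(value)
    if sid is None or msg is None:
        raise ValueError("rule lacks sid or msg")
    return Signature(sid, msg, classtype or "", refs, flags)


def signature_table(rule_file: str) -> list[Signature]:
    """Table displayed to the administrator: one row per non-comment rule."""
    return [parse_rule(line) for line in rule_file.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def applicable_process_record(sig: Signature, process_name: str,
                              process_version: str) -> dict:
    """Row for the applicable process information database (the four fields
    the page lists) once the administrator assigns a process to a signature."""
    return {"signature_id": sig.sid, "signature_name": sig.msg,
            "process_name": process_name, "process_version": process_version}


# Constructed rule file: the page's ET rule plus a made-up rule whose msg
# contains a ';' to exercise the quote-aware splitter.
SAMPLE_RULES = """\
# comment lines are skipped
alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt DELETE FROM"; flow:established,to_server; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006443; sid:2006443; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED example; semicolon in msg"; flow:to_server; classtype:attempted-recon; sid:9000001; rev:1;)
"""

if __name__ == "__main__":
    for sig in signature_table(SAMPLE_RULES):
        print(sig.sid, sig.classtype, sig.msg)
```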
The pattern matching unit is deployed either in inline mode (fig. 1) or in out of band mode (fig. 2). Inline deployment means that all incoming and outgoing network traffic always passes through the pattern matching unit; thus, the pattern matching unit sits in the flow of all network traffic. In contrast, when the pattern matching unit is deployed in out of band mode, it analyzes only some of the live data streams. When the pattern matching unit is deployed in inline mode, the second, network level hook of the process intercepting unit is not required. When the process intercepting unit intercepts an open socket call, it generates a UDP packet containing the information specified below:
System Identifier: a unique identifier of the system, such as the MAC address or IP address.
Source IP, Destination IP: the source and destination IP addresses of the connection, respectively.
Protocol Name: the transport layer protocol.
Process Information: process name and version.
In case of pattern matching unit deployment in inline mode, network level hooking is not required since both process intercepting unit and pattern matching unit are inline. Therefore, packets transferred from system will be passing through the pattern matching unit. In that case, pattern matching unit will have network layer hooking.
In case of out of band deployment, the process intercepting unit copies the intercepted packets and sends them to the pattern matching unit (PME) over a dedicated channel. The dedicated channel could be a TCP connection or any standard tunneling protocol.
When the pattern matching unit is deployed in out of band mode, it starts a TCP server listening on a dedicated port. The process intercepting unit running on each system initiates a dedicated TCP connection to it. All the packets transferred on that system are sent to the pattern matching unit using this dedicated TCP connection, so the TCP listener has multiple incoming packet streams. Each packet stream is uniquely identified and differentiated by its system identifier. The pattern matching unit puts a wrapper (a hash value of the combination of MAC ID and source IP address) on every packet to associate it with the respective system. It also accumulates all these packets in a common packet queue.
Another process running under the TCP listener keeps a watch on this queue. As soon as a packet arrives, it sends that packet to the intrusion prevention unit using the standard interface and API provided by the intrusion prevention unit. The intrusion prevention unit inspects the packet for known vulnerabilities using standard signature rule files. If any vulnerability is found, it responds to the calling process with the signature rule id. From the packet wrapper, the pattern matching unit retrieves the system identifier and looks up the second level linked list representing that particular system's processes and their associated connection information.
From the packet, it fetches the five tuple {Source IP, Destination IP, Source Port, Destination Port, Protocol} and looks it up in the retrieved second-level linked list. This lookup provides the associated process information. The pattern matching unit now matches the associated process information against the applicable process information. If the associated process belongs to the applicable list, it concludes that the process is either compromised or under attack. In that case, the pattern matching unit stores this information in the alert store database. If it does not match, the alert is considered a false alarm. The administrator takes a decision on every entry in the alert database and can mark it as a quarantine decision.
When pattern matching unit receives UDP packet containing the above stated information, it will respond back with authorization decision of connection initiated by a process. Once process intercepting unit receives the decision, it either allows or blocks the connection, as per the decision given by pattern matching unit.
The process intercepting unit disallows only the process, and not the host, from communication if the authorization decision indicates a match between the signature identification code mentioned in the verification report and the code stored in the application process information database. The advantage of the present invention is precise access control and protection of network resources against malicious attempts. This is done without compromising the performance of the network. The invention strongly supports the view that it is the process which is unhealthy and not the host; therefore, instead of blocking the host, the vulnerable or malfunctioning process is blocked. Another advantage of the present invention is that, since details of the vulnerable process are stored in the alert store database, the unhealthy processes can be remediated by applying patches or hot fixes. Yet another advantage of the present invention is a considerable reduction in the false positive rate.
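The out-of-band decision path described above (socket-open notification, global process store, 5-tuple lookup against the IPS verdict, alert store or false alarm), as an added example modelled on the description and not Sophos' code: the hash function, the key=value message format, the port fields and the handling of an unregistered 5-tuple are assumptions, and the hosts, processes and the assignment of sid 2006443 to httpd 2.2 are constructed.

```python
"""Added example: model of the pattern matching unit's decision path."""
import hashlib
from dataclasses import dataclass

BLOCK_PROCESS = "block_process"      # disallow only this process, not the host
FALSE_ALARM = "false_alarm"          # signature does not apply to this process
UNKNOWN_CONNECTION = "unknown"       # assumption: 5-tuple was never registered


@dataclass(frozen=True)
class ProcessInfo:
    name: str
    version: str


def system_identifier(mac: str, src_ip: str) -> str:
    """Packet wrapper value: hash of MAC ID and source IP address. The page
    names no hash function; truncated SHA-256 is an assumption."""
    return hashlib.sha256(f"{mac}|{src_ip}".encode()).hexdigest()[:16]


def build_socket_open_message(host: str, conn: tuple, proc: ProcessInfo) -> str:
    """UDP notification sent on an open-socket call. 'key=value' lines are a
    constructed wire format; ports are included because the 5-tuple lookup
    later needs them."""
    src_ip, dst_ip, sport, dport, proto = conn
    return "\n".join([f"system_id={host}", f"src_ip={src_ip}", f"dst_ip={dst_ip}",
                      f"src_port={sport}", f"dst_port={dport}", f"protocol={proto}",
                      f"process_name={proc.name}", f"process_version={proc.version}"])


def parse_socket_open_message(text: str) -> tuple[str, tuple, ProcessInfo]:
    f = dict(line.split("=", 1) for line in text.strip().splitlines())
    conn = (f["src_ip"], f["dst_ip"], int(f["src_port"]), int(f["dst_port"]), f["protocol"])
    return f["system_id"], conn, ProcessInfo(f["process_name"], f["process_version"])


class PatternMatchingUnit:
    def __init__(self, applicable_db: dict[int, set[tuple[str, str]]]):
        # applicable process information database: sid -> {(name, version)}
        self.applicable_db = applicable_db
        # global process store: system id -> {5-tuple -> ProcessInfo}
        # (the page describes a two-level linked list; nested dicts here)
        self.store: dict[str, dict[tuple, ProcessInfo]] = {}
        self.alert_store: list[dict] = []

    def on_socket_open(self, message: str) -> None:
        host, conn, proc = parse_socket_open_message(message)
        self.store.setdefault(host, {})[conn] = proc

    def on_ips_verdict(self, host: str, conn: tuple, sid: int) -> str:
        """Check whether the signature that fired applies to the process that
        owns this connection on this host; record an alert only on a match."""
        proc = self.store.get(host, {}).get(conn)
        if proc is None:
            return UNKNOWN_CONNECTION
        if (proc.name, proc.version) in self.applicable_db.get(sid, set()):
            self.alert_store.append({"system_id": host, "connection": conn,
                                     "sid": sid, "process": proc})
            return BLOCK_PROCESS
        return FALSE_ALARM


# Constructed sample: the administrator assigned the page's sid 2006443 to
# httpd 2.2; sshd is not covered by that signature, so a hit on its flow
# is a false alarm rather than a block.
APPLICABLE_DB = {2006443: {("httpd", "2.2")}}
HOST_A = system_identifier("00:11:22:33:44:55", "10.0.0.5")
WEB_CONN = ("10.0.0.5", "203.0.113.7", 80, 51000, "tcp")
SSH_CONN = ("10.0.0.5", "203.0.113.7", 22, 51001, "tcp")


def demo() -> tuple[str, str, str, int]:
    pmu = PatternMatchingUnit(APPLICABLE_DB)
    pmu.on_socket_open(build_socket_open_message(HOST_A, WEB_CONN, ProcessInfo("httpd", "2.2")))
    pmu.on_socket_open(build_socket_open_message(HOST_A, SSH_CONN, ProcessInfo("sshd", "7.4")))
    web = pmu.on_ips_verdict(HOST_A, WEB_CONN, 2006443)      # block_process
    ssh = pmu.on_ips_verdict(HOST_A, SSH_CONN, 2006443)      # false_alarm
    other = pmu.on_ips_verdict("nohost", WEB_CONN, 2006443)  # unknown
    return web, ssh, other, len(pmu.alert_store)


if __name__ == "__main__":
    print(demo())
```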
WORKING OF THE PRESENT INVENTION
Working of the present invention is illustrated in figure 10. This figure illustrates the method for network access control based on traffic monitoring and vulnerability detection using process related information. The method comprises the following steps:
a. receiving, by a plurality of workstations, at least one connection request from a process running on a host;
b. extracting, by a process intercepting unit of the workstation, the process related information;
c. forwarding, by the process intercepting unit to a pattern matching unit, at least one of the following: (i) process related information, (ii) connection information and (iii) network packet information;
d. receiving, by the pattern matching unit, the at least one of the information from the process intercepting unit and forwarding it to an intrusion prevention unit;
e. receiving, by the intrusion prevention unit, the at least one of the said information from the pattern matching unit;
f. verifying, by the intrusion prevention unit, the at least one of the said information against a plurality of signatures stored in a database of the intrusion prevention unit to identify and detect a known vulnerability in the network activities;
g. establishing, by the intrusion prevention unit, a verification report based on the verification step;
h. sending, by the intrusion prevention unit, the verification report to the pattern matching unit;
i. receiving, by the pattern matching unit, the verification report from the intrusion prevention unit;
j. verifying, by the pattern matching unit, whether the verification report is applicable to the process associated with the network packet;
k. matching, by the pattern matching unit, the signature identification code mentioned in the verification report with the code stored in the application process information database;
l. sending, by the pattern matching unit, an authorization decision to the process intercepting unit regarding allowing, continuing or blocking the initiated connection request from the process running on the host; and
m. disallowing, by the process intercepting unit, only the process and not the host from communicating, if the authorization decision indicates that the signature identification code mentioned in the verification report matches the code stored in the application process information database.
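The steps above, as an added example that is not part of the patent and not Sophos's implementation: a Python simulation of three connection requests passing through the process intercepting unit (PIU), the pattern matching unit (PME) and the intrusion prevention unit (IPS). The signature identification codes, payload regexes, process names and versions, host names and packets are all constructed for illustration; the specification does not describe a signature format or database schema beyond the fields listed in claim 6 (signature id, signature name, applicable process name, applicable process version).

```python
# Added example (not from the patent): minimal simulation of the
# process-level NAC pipeline in steps a-m. All signatures, process
# names/versions, hosts and packets below are constructed.
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ProcessInfo:
    """Process related information extracted by the PIU (claim 3: name, version)."""
    host: str
    name: str
    version: str


@dataclass
class ConnectionRequest:
    """Process, connection and packet information forwarded PIU -> PME -> IPS."""
    process: ProcessInfo
    dst: str
    dst_port: int
    payload: bytes


@dataclass
class VerificationReport:
    """Established by the IPS (step g); sig_id is None when nothing matched."""
    sig_id: Optional[str]
    sig_name: Optional[str]
    process: ProcessInfo


# IPS signature database: (signature id, signature name, hypothetical payload regex).
IPS_SIGNATURES = [
    ("SIG-0001", "long-uri-overflow", re.compile(rb"^GET /[^ ]{200,}")),
    ("SIG-0002", "shell-in-body", re.compile(rb"/bin/sh")),
]

# Application process information database (claim 6): for each signature id,
# the signature name and the process name/version the vulnerability applies to.
APP_PROCESS_DB = {
    "SIG-0001": ("long-uri-overflow", "exampleclient.exe", "1.0"),
    "SIG-0002": ("shell-in-body", "filesync.exe", "2.3"),
}


def ips_verify(req: ConnectionRequest) -> VerificationReport:
    """Steps f/g: match packet information against the signature database."""
    for sig_id, name, pattern in IPS_SIGNATURES:
        if pattern.search(req.payload):
            return VerificationReport(sig_id, name, req.process)
    return VerificationReport(None, None, req.process)


def pme_decide(report: VerificationReport) -> str:
    """Steps j/k/l: block only if the report's signature id is recorded for this
    exact process name and version; any other IPS alert is treated as a false positive."""
    if report.sig_id is None:
        return "allow"
    entry = APP_PROCESS_DB.get(report.sig_id)
    if entry is None:
        return "allow"  # signature id unknown to the PME: not applicable to any process
    _, app_name, app_version = entry
    if (app_name, app_version) == (report.process.name, report.process.version):
        return "block"
    return "allow"


@dataclass
class ProcessInterceptingUnit:
    """Step m: enforcement state is keyed by (host, process), never by host alone."""
    blocked: set = field(default_factory=set)

    def enforce(self, req: ConnectionRequest, decision: str) -> None:
        if decision == "block":
            self.blocked.add((req.process.host, req.process.name))

    def is_blocked(self, host: str, process_name: str) -> bool:
        return (host, process_name) in self.blocked


def nac_pipeline(req: ConnectionRequest, piu: ProcessInterceptingUnit, alert_store: list) -> str:
    """Run one connection request through PIU -> PME -> IPS -> PME -> PIU."""
    if piu.is_blocked(req.process.host, req.process.name):
        return "block"
    report = ips_verify(req)
    decision = pme_decide(report)
    if decision == "block":
        # Alert store keeps the process name and version for later patching (advantage iv).
        alert_store.append((report.sig_id, req.process.host, req.process.name, req.process.version))
    piu.enforce(req, decision)
    return decision


def demo():
    """Three constructed requests from the same host ws1."""
    piu, alerts = ProcessInterceptingUnit(), []
    long_get = b"GET /" + b"A" * 300 + b" HTTP/1.1\r\n"
    vuln = ConnectionRequest(ProcessInfo("ws1", "exampleclient.exe", "1.0"), "10.0.0.5", 80, long_get)
    other = ConnectionRequest(ProcessInfo("ws1", "otherbrowser.exe", "5.2"), "10.0.0.5", 80, long_get)
    benign = ConnectionRequest(ProcessInfo("ws1", "filesync.exe", "2.3"), "10.0.0.9", 445, b"hello")
    results = [nac_pipeline(r, piu, alerts) for r in (vuln, other, benign)]
    return results, piu, alerts


if __name__ == "__main__":
    print(demo())
```

The second request carries the same payload as the first and raises the same IPS alert, but the application process information database records SIG-0001 as applicable only to exampleclient.exe 1.0, so the PME treats that alert as a false positive and lets otherbrowser.exe continue; the third request shows that blocking exampleclient.exe leaves other processes on ws1 untouched. Two caveats a deployment would need to add: the PIU's process name and version are self-reported by the endpoint, so a compromised host can misreport them, and alerts whose signature id is absent from the application process database are silently allowed here rather than logged for review.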
ADVANTAGES OF THE PRESENT INVENTION
i. The invention advocates hybrid deployment and assessment, wherein details of a process are retrieved locally on each workstation and sent to a central engine for assessment. This distributed arrangement spreads the load and leads to better productivity in the network; network performance is not compromised.
ii. The invention defines an alert as a process malfunctioning rather than a host malfunctioning. It therefore quarantines a vulnerable process rather than a host.
iii. The invention does not rely on any pre-defined pattern matching policy, nor does it define a static list of applications installed on a host. Rather, whenever a process initiates a connection from a host, the process information is extracted at run-time. This dynamic retrieval provides precise details of an attack and of the attacker.
iv. The alerts stored in the alert store database record the vulnerability of a process together with the process name and version. This information is crucial for a network administrator when taking preventive measures and makes prevention more effective.
v. The applicability check in the pattern matching unit discards a considerable number of the alerts sent by the IPS engine to the PME, namely those whose signature does not apply to the process that initiated the connection, giving a considerable reduction in the false positive rate.
vi. Since details of the vulnerable process are stored in the alert store database, the unhealthy process can be remediated by applying patches or hot fixes.
vii. It improves network performance and minimizes the effort required of a network administrator.
While various embodiments of the present invention have been described above, it should be understood that they have been presented by way of example only, and not limitation. It will be understood by those skilled in the relevant art that various changes in form and details may be made therein without departing from the spirit and scope of the invention.
We claim:
1. A method for network access control based on traffic monitoring and vulnerability detection using process related information, the method comprising:
receiving information from a host based upon a connection request from a process running on the host, the information including process related information for the process, connection information for the connection request, and network packet information for a packet associated with the connection request;
establishing a verification report for the connection request based on a verification of the information against a plurality of signatures of known vulnerabilities stored in a database;
providing a verification that the verification report is applicable to the process by matching a first signature identification code in the verification report with a second signature identification code stored in an application process information database; and
in response to the verification, sending an authorization decision to the host to continue or block the connection request from the process running on the host.
2. The method of claim 1, further comprising, in response to the authorization decision to block the connection request, blocking the connection request from the process running on the host.
3. The method of claim 1, wherein the process related information includes a process name and a process version.
4. The method of claim 1, wherein each signature of the plurality of signatures includes a unique signature identification code.
5. The method of claim 1, wherein the first signature identification code in the verification report includes a unique signature identification code.
6. The method of claim 1, wherein the application process information database stores a unique signature identification code, a signature name, an applicable process name, and an applicable process version for each of a plurality of application processes.
7. The method of claim 1, wherein establishing the verification report includes receiving information from the host at an intrusion prevention unit and establishing the verification report at the intrusion prevention unit.
8. The method of claim 1, wherein providing the verification includes receiving the verification report at a pattern matching unit and verifying the verification report at the pattern matching unit.
9. The method of claim 8, wherein the pattern matching unit is deployed in an inline mode.
10. The method of claim 8, wherein the pattern matching unit is deployed in an out of band mode.
11. The method of claim 1, wherein sending the authorization decision to the host includes sending the authorization decision from a pattern matching unit.
12. A computer program product comprising a non-transitory computer readable medium having stored thereon computer executable code that, when executing on one or more processors, performs operations comprising:
receiving information from a host based upon a connection request from a process running on the host, the information including process related information for the process, connection information for the connection request, or network packet information for a packet associated with the connection request;
establishing a verification report for the connection request based on a verification of the information against a plurality of signatures of known vulnerabilities stored in a database;
providing a verification that the verification report is applicable to the process by matching a first signature identification code in the verification report with a second signature identification code stored in an application process information database; and
in response to the verification, sending an authorization decision to the host to continue or block the connection request from the process running on the host.
13. The computer program product of claim 12, wherein the process related information includes a process name and a process version.
14. The computer program product of claim 12, wherein each signature of the plurality of signatures includes a unique signature identification code.
15. The computer program product of claim 12, wherein the first signature identification code in the verification report includes a unique signature identification code.
16. The computer program product of claim 12, wherein the application process information database stores a unique signature identification code, a signature name, an applicable process name, and an applicable process version for each of a plurality of application processes.
17. The computer program product of claim 12, wherein establishing the verification report includes receiving information from the host at an intrusion prevention unit and establishing the verification report at the intrusion prevention unit.
18. The computer program product of claim 12, wherein providing the verification includes receiving the verification report at a pattern matching unit and verifying the verification report at the pattern matching unit.
19. The computer program product of claim 12, wherein sending the authorization decision to the host includes sending the authorization decision from a pattern matching unit.
20. A system for network access control based on traffic monitoring and
vulnerability detection using process related information, the system comprising:
a computer program product comprising a non-transitory computer readable medium having stored thereon computer executable code that, when executing on one or more processors, provide a plurality of process intercepting units, a pattern matching unit, and an intrusion prevention unit;
a plurality of devices for receiving at least one connection request from a process running on a host, each of the plurality of devices comprising a process intercepting unit of the plurality of process intercepting units configured for extracting the process related information for the process, connection information for the connection request, and network packet information for a packet associated with the connection request;
the pattern matching unit configured for receiving the information from the process intercepting unit and forwarding the information; and
the intrusion prevention unit configured for receiving the information from the pattern matching unit, the intrusion prevention unit including a processing unit and a database, the database including a plurality of signatures of known vulnerabilities, the intrusion prevention unit further configured to verify the information from the pattern matching unit against the plurality of signatures stored in the database to identify and detect a known vulnerability in network activities, establish a verification report for the connection request based on a verification of the information against the plurality of signatures of known vulnerabilities, and send the verification report to the pattern matching unit,
wherein the pattern matching unit is further configured to receive the verification report from the intrusion prevention unit, verify whether the verification report is applicable to the process by matching a first signature identification code in the verification report with a second signature identification code stored in an application process information database, and send an authorization decision to the host to continue or block the connection request from the process running on the host.
| # | Name | Date |
|---|---|---|
| 1 | 202022002860-STATEMENT OF UNDERTAKING (FORM 3) [22-01-2020(online)].pdf | 2020-01-22 |
| 2 | 202022002860-REQUEST FOR EXAMINATION (FORM-18) [22-01-2020(online)].pdf | 2020-01-22 |
| 3 | 202022002860-FORM 18 [22-01-2020(online)].pdf | 2020-01-22 |
| 4 | 202022002860-FORM 1 [22-01-2020(online)].pdf | 2020-01-22 |
| 5 | 202022002860-DRAWINGS [22-01-2020(online)].pdf | 2020-01-22 |
| 6 | 202022002860-DECLARATION OF INVENTORSHIP (FORM 5) [22-01-2020(online)].pdf | 2020-01-22 |
| 7 | 202022002860-COMPLETE SPECIFICATION [22-01-2020(online)].pdf | 2020-01-22 |
| 8 | Abstract1.jpg | 2020-02-17 |
| 9 | 202022002860-FORM-26 [28-03-2020(online)].pdf | 2020-03-28 |
| 10 | 202022002860-FORM 3 [22-07-2020(online)].pdf | 2020-07-22 |
| 11 | 202022002860-Proof of Right [07-08-2020(online)].pdf | 2020-08-07 |
| 12 | 202022002860-FORM 3 [15-02-2021(online)].pdf | 2021-02-15 |
| 13 | 202022002860-Information under section 8(2) [17-02-2021(online)].pdf | 2021-02-17 |
| 14 | 202022002860-FORM 3 [17-02-2021(online)].pdf | 2021-02-17 |
| 15 | 202022002860-FER.pdf | 2021-10-19 |
| 16 | 202022002860-PETITION UNDER RULE 137 [22-02-2022(online)].pdf | 2022-02-22 |
| 17 | 202022002860-OTHERS [22-02-2022(online)].pdf | 2022-02-22 |
| 18 | 202022002860-Information under section 8(2) [22-02-2022(online)].pdf | 2022-02-22 |
| 19 | 202022002860-FORM 3 [22-02-2022(online)].pdf | 2022-02-22 |
| 20 | 202022002860-FER_SER_REPLY [22-02-2022(online)].pdf | 2022-02-22 |
| 21 | 202022002860-DRAWING [22-02-2022(online)].pdf | 2022-02-22 |
| 22 | 202022002860-CLAIMS [22-02-2022(online)].pdf | 2022-02-22 |
| 23 | 202022002860-FORM-26 [23-03-2022(online)].pdf | 2022-03-23 |
| 24 | 202022002860-PatentCertificate29-11-2023.pdf | 2023-11-29 |
| 25 | 202022002860-IntimationOfGrant29-11-2023.pdf | 2023-11-29 |
| 1 | 202022002860searchstdE_10-08-2021.pdf | |