Computerized system and method for advanced network content processing

US 10,009,386 B2
Filed: 06/30/2017
Issued: 06/26/2018
Est. Priority Date: 01/13/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving, by a network security device protecting a private network, network traffic carrying content associated with a plurality of application layer protocols, including one or more of an instant messaging (IM) protocol, a peer-to-peer (P2P) protocol, an electronic mail (email) protocol, a web browsing protocol and a file sharing protocol;

identifying, by the network security device, a first application layer protocol of the plurality of application layer protocols associated with a first subset of packets of the network traffic;

performing, by the network security device, real-time application-level content processing of a first set of original application layer content carried by the first subset of packets by;

based on the identified first application layer protocol, redirecting the first subset of packets to a first proxy module executing on the network security device;

extracting, reconstructing and buffering, by the first proxy module, the first set of original application layer content from the first subset of packets; and

based on a first set of network traffic selectors associated with the first subset of packets, causing, by the first proxy module, a first subset of a plurality of scanning engines to process the first set of original application layer content in accordance with a first set of a plurality of content processing rules selected from a rule definition store;

identifying, by the network security device, a second application layer protocol of the plurality of application layer protocols, distinct from the first application layer protocol, associated with a second subset of packets of the network traffic; and

performing, by the network security device, real-time application-level content processing of a second set of original application layer content carried by the second subset of packets by;

based on the identified second application layer protocol, redirecting the first subset of packets to a second proxy module executing on the network security device;

extracting, reconstructing and buffering, by the second proxy module, the second set of original application layer content from the second subset of packets; and

based on a second set of network traffic selectors associated with the second subset of packets, causing, by the second proxy module, a second subset of a plurality of scanning engines to process the second set of original application layer content in accordance with a second set of a plurality of content processing rules selected from the rule definition store.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized system and method for processing network content in accordance with at least one content processing rule is provided. According to one embodiment, the network content is received at a first interface. A transmission protocol according to which the received network content is formatted is identified and used to intercept at least a portion of the received network content. The intercepted portion of the network content is redirected to a proxy, which buffers the redirected portion of network content. The buffered network content is scanned in accordance with a scanning criterion and processed in accordance with the at least one content processing rule based on the result of the scanning. The processed portion of network content may be forwarded using a second interface.

39 Citations

20 Claims

1. A computer-implemented method comprising:
- receiving, by a network security device protecting a private network, network traffic carrying content associated with a plurality of application layer protocols, including one or more of an instant messaging (IM) protocol, a peer-to-peer (P2P) protocol, an electronic mail (email) protocol, a web browsing protocol and a file sharing protocol;
  
  identifying, by the network security device, a first application layer protocol of the plurality of application layer protocols associated with a first subset of packets of the network traffic;
  
  performing, by the network security device, real-time application-level content processing of a first set of original application layer content carried by the first subset of packets by;
  
  based on the identified first application layer protocol, redirecting the first subset of packets to a first proxy module executing on the network security device;
  
  extracting, reconstructing and buffering, by the first proxy module, the first set of original application layer content from the first subset of packets; and
  
  based on a first set of network traffic selectors associated with the first subset of packets, causing, by the first proxy module, a first subset of a plurality of scanning engines to process the first set of original application layer content in accordance with a first set of a plurality of content processing rules selected from a rule definition store;
  
  identifying, by the network security device, a second application layer protocol of the plurality of application layer protocols, distinct from the first application layer protocol, associated with a second subset of packets of the network traffic; and
  
  performing, by the network security device, real-time application-level content processing of a second set of original application layer content carried by the second subset of packets by;
  
  based on the identified second application layer protocol, redirecting the first subset of packets to a second proxy module executing on the network security device;
  
  extracting, reconstructing and buffering, by the second proxy module, the second set of original application layer content from the second subset of packets; and
  
  based on a second set of network traffic selectors associated with the second subset of packets, causing, by the second proxy module, a second subset of a plurality of scanning engines to process the second set of original application layer content in accordance with a second set of a plurality of content processing rules selected from the rule definition store.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented method of claim 1, wherein the first application layer protocol carries content in a form of a text stream.
  - 3. The computer-implemented method of claim 2, wherein the first set of network traffic selectors include one or more of a source Internet Protocol (IP) address, a destination IP address, a port number, a time of day and a username.
  - 4. The computer-implemented method of claim 3, further comprising scanning the first set of original application layer content for existence of one or more of unsolicited advertising (spam), phishing attempts and patterns or phrases possibly relating to terrorism or criminal activity.
  - 5. The computer-implemented method of claim 1, wherein the second application layer protocol is capable of transferring a file.
  - 6. The computer-implemented method of claim 5, further comprising scanning the second set of original application layer content for existence of one or more malware, viruses, worms, Trojans and spyware.
  - 7. The computer-implemented method of claim 1, wherein said identifying, by the network security device, a first application layer protocol is performed within a kernel of an operating system of the network security device.
  - 8. The computer-implemented method of claim 1, wherein the first proxy module executes within a user space of an operating system of the network security device.
  - 9. The computer-implemented method of claim 1, wherein said identifying, by the network security device, a second application layer protocol is performed within a kernel of an operating system of the network security device.
  - 10. The computer-implemented method of claim 1, wherein the second proxy module executes within a user space of an operating system of the network security device.

11. A non-transitory computer-readable storage medium embodying one or more sequences of instructions, which when executed by one or more processors of a network security device, cause the one or more processors to perform a method comprising:
- receiving network traffic carrying content associated with a plurality of application layer protocols, including one or more of an instant messaging (IM) protocol, a peer-to-peer (P2P) protocol, an electronic mail (email) protocol, a web browsing protocol and a file sharing protocol;
  
  identifying a first application layer protocol of the plurality of application layer protocols associated with a first subset of packets of the network traffic;
  
  performing real-time application-level content processing of a first set of original application layer content carried by the first subset of packets by;
  
  based on the identified first application layer protocol, redirecting the first subset of packets to a first proxy module executing on the network security device;
  
  extracting, reconstructing and buffering, by the first proxy module, the first set of original application layer content from the first subset of packets; and
  
  based on a first set of network traffic selectors associated with the first subset of packets, causing, by the first proxy module, a first subset of a plurality of scanning engines to process the first set of original application layer content in accordance with a first set of a plurality of content processing rules selected from a rule definition store;
  
  identifying a second application layer protocol of the plurality of application layer protocols, distinct from the first application layer protocol, associated with a second subset of packets of the network traffic; and
  
  performing real-time application-level content processing of a second set of original application layer content carried by the second subset of packets by;
  
  based on the identified second application layer protocol, redirecting the first subset of packets to a second proxy module executing on the network security device;
  
  extracting, reconstructing and buffering, by the second proxy module, the second set of original application layer content from the second subset of packets; and
  
  based on a second set of network traffic selectors associated with the second subset of packets, causing, by the second proxy module, a second subset of a plurality of scanning engines to process the second set of original application layer content in accordance with a second set of a plurality of content processing rules selected from the rule definition store.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The non-transitory computer-readable storage medium of claim 11, wherein the first application layer protocol carries content in a form of a text stream.
  - 13. The non-transitory computer-readable storage medium of claim 12, wherein the first set of network traffic selectors include one or more of a source Internet Protocol (IP) address, a destination IP address, a port number, a time of day and a username.
  - 14. The non-transitory computer-readable storage medium of claim 13, wherein the method further comprises scanning the first set of original application layer content for existence of one or more of unsolicited advertising (spam), phishing attempts and patterns or phrases possibly relating to terrorism or criminal activity.
  - 15. The non-transitory computer-readable storage medium of claim 11, wherein the second application layer protocol is capable of transferring a file.
  - 16. The non-transitory computer-readable storage medium of claim 15, wherein the method further comprises scanning the second set of original application layer content for existence of one or more malware, viruses, worms, Trojans and spyware.
  - 17. The non-transitory computer-readable storage medium of claim 11, wherein said identifying a first application layer protocol is performed within a kernel of an operating system of the network security device.
  - 18. The non-transitory computer-readable storage medium of claim 11, wherein the first proxy module executes within a user space of an operating system of the network security device.
  - 19. The non-transitory computer-readable storage medium of claim 11, wherein said identifying a second application layer protocol is performed within a kernel of an operating system of the network security device.
  - 20. The non-transitory computer-readable storage medium of claim 11, wherein the second proxy module executes within a user space of an operating system of the network security device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Krywaniuk, Andrew
Primary Examiner(s)
Mehedi, Morshed

Application Number

US15/639,075
Publication Number

US 20170302705A1
Time in Patent Office

361 Days
Field of Search
US Class Current
CPC Class Codes

H04L 51/00   User-to-user messaging in p...

H04L 63/02   for separating internal fro...

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Computerized system and method for advanced network content processing

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

39 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Computerized system and method for advanced network content processing

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links