Delivering security functions to distributed networks

US 10,084,753 B2
Filed: 11/03/2016
Issued: 09/25/2018
Est. Priority Date: 04/02/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

getting a security policy for a data network, the security policy allowing and/or prohibiting communications between a plurality of network assets and indicating groupings of the plurality of network assets using a common security characteristic corresponding to the respective grouping;

initiating compilation of the security policy to produce a rule set, the rule set blocking communication between specific ones of the plurality of network assets using at least one of a source address, source port, destination address, destination port, and an application protocol associated with the communication;

providing the rule set to at least one enforcement point;

receiving analytics corresponding to change in data traffic in the data network, the analytics produced by a logging module;

calculating a risk score corresponding to the analytics of the data network, the risk score being a measurement of relative security corresponding to the plurality of network assets;

initiating a re-compiling of the security policy to produce an updated rule set using the calculated risk score; and

disseminating the updated rule set to the at least one enforcement point.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for delivering security functions to a distributed network are described herein. An exemplary method may include: processing a data packet received from a switch, the data packet directed to the at least one network asset; selectively forwarding the data packet using the processing and a rule set; inspecting the forwarded packet; directing the enforcement point to at least one of forward the data packet to the at least one network asset and drop the data packet, using the inspection and the rule set; accumulating data associated with at least one of the data packet, the processing, and the inspection; analyzing the at least one of the data packet, the processing, and the inspection; and initiating compilation of a high-level security policy by the compiler using the analysis to produce an updated rule set.

119 Citations

19 Claims

1. A method comprising:
- getting a security policy for a data network, the security policy allowing and/or prohibiting communications between a plurality of network assets and indicating groupings of the plurality of network assets using a common security characteristic corresponding to the respective grouping;
  
  initiating compilation of the security policy to produce a rule set, the rule set blocking communication between specific ones of the plurality of network assets using at least one of a source address, source port, destination address, destination port, and an application protocol associated with the communication;
  
  providing the rule set to at least one enforcement point;
  
  receiving analytics corresponding to change in data traffic in the data network, the analytics produced by a logging module;
  
  calculating a risk score corresponding to the analytics of the data network, the risk score being a measurement of relative security corresponding to the plurality of network assets;
  
  initiating a re-compiling of the security policy to produce an updated rule set using the calculated risk score; and
  
  disseminating the updated rule set to the at least one enforcement point.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - analyzing the communications based on at least one of predetermined signatures and predefined state machines defining expected protocol behavior.
  - 3. The method of claim 2, in which the predetermined signatures include at least one of contents of a packet, a behavior of a party, and a historical pattern.
  - 4. The method of claim 2, further comprising:
    - triggering the analysis based on predetermined trigger conditions.
  - 5. The method of claim 4, further comprising:
    - redirecting the communications by the at least one enforcement point.
  - 6. The method of claim 1, further comprising:
    - processing, by the enforcement point and using the rule set, a data packet directed to at least one of the plurality of network assets.
  - 7. The method of claim 6, further comprising:
    - determining the data packet is malicious; and
      
      instantiating a plurality of data paths to enable treatment of communications corresponding to the at least one of the plurality of network assets, the treatment including redirecting malicious communications to a synthetic server.
  - 8. The method of claim 7, further comprising:
    - analyzing, by the synthetic server, the malicious communications to ascertain intent and future actions of an originator of the malicious communications.
  - 9. The method of claim 6, further comprising:
    - approving the data packet and the communications; and
      
      forwarding the communications to an intended destination for a remainder of a connection.

10. A system comprising:
- a plurality of hardware network assets;
  
  at least one enforcement point;
  
  a policy engine communicatively coupled to the at least one enforcement point, the policy engine generating a security policy for a data network that allows and/or prohibits communications between the plurality of hardware network assets and indicating groupings of the plurality of hardware network assets using a common security characteristic corresponding to the respective grouping;
  
  a compiler communicatively coupled to the policy engine, the compiler producing a rule set, the rule set blocking communication between specific ones of the plurality of hardware network assets;
  
  a distributed security processor communicatively coupled to the policy engine, the compiler, and the at least one enforcement point, the distributed security processor providing the rule set to the at least one enforcement point;
  
  a logging module communicatively coupled to at least one of a switch, the at least one enforcement point, and the distributed security processor, the logging module generating analytics corresponding to change in data traffic in the data network; and
  
  an analytics module communicatively coupled to the logging module and the compiler, the analytics module calculating a risk score associated with the analytics of the data network, the risk score being a measurement of relative security corresponding to the plurality of hardware network assets, the compiler producing an updated rule set using the risk score and the distributed security processor disseminating the updated rule set to the at least one enforcement point.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, in which the enforcement point processes, using the rule set, a data packet directed to at least one of the plurality of hardware network assets.
  - 12. The system of claim 10, further comprising a plurality of distributed security processors, the distributed security processor being one of the plurality of distributed security processors, wherein each of the plurality of distributed security processors provides individualized protection for at least one of the plurality of hardware network assets.
  - 13. The system of claim 10, in which the policy engine includes at least one of a user interface to receive user input, an application program interface, and at least one predetermined policy.
  - 14. The system of claim 10, in which the at least one enforcement point and the plurality of hardware network assets are virtual machines.
  - 15. The system of claim 10, further comprising:
    - a synthetic server communicatively coupled to the enforcement point, the synthetic server receiving a malicious data packet from the enforcement point and performing a security function, wherein the enforcement point processes the malicious data packet and forwards the malicious data packet to the synthetic server.
  - 16. The system of claim 15, in which the synthetic server emulates operation of the plurality of hardware network assets and studies the malicious data packet to ascertain intent and future actions of an originator of the malicious data packet.
  - 17. The system of claim 15, in which the synthetic server is at least one of a honeypot, a tarpit, and an intrusion protection system.
  - 18. The system of claim 10, in which the distributed security processor, once the communications with the plurality of hardware network assets are approved, forwards communications to an intended destination for a remainder of a connection.

19. A method comprising:
- generating, by a policy engine, a security policy for a data network, the security policy allowing and/or prohibiting communications between a plurality of network assets and indicating groupings of the plurality of network assets using a common security characteristic corresponding to the respective grouping;
  
  initiating, by a compiler, compilation of the security policy to produce a rule set, the rule set blocking communication between specific ones of the plurality of network assets using at least one of a source address, source port, destination address, destination port, and an application protocol associated with the communication;
  
  providing, by a distributed security processor, the rule set to at least one enforcement point;
  
  producing, by a logging module, analytics corresponding to change in data traffic in the data network;
  
  calculating, by an analytics module, a risk score corresponding to the analytics of the data network, the risk score being a measurement of relative security corresponding to the plurality of network asset;
  
  initiating, by the analytics module, a re-compiling of the security policy by the compiler to produce an updated rule set using the calculated risk score; and
  
  disseminating, by the distributed security processor, the updated rule set to the at least one enforcement point.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
vArmour Networks Inc
Original Assignee
vArmour Networks Inc
Inventors
Woolward, Marc, Shieh, Choung-Yaw, Lian, Jia-Jyi
Primary Examiner(s)
Turchen, James R

Application Number

US15/342,982
Publication Number

US 20170078247A1
Time in Patent Office

691 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 21/57   Certifying or maintaining t...

H04L 2463/141   Denial of service attacks a...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

H04L 63/20   for managing network securi...

Delivering security functions to distributed networks

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

119 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Delivering security functions to distributed networks

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others