Herd based scan avoidance system in a network environment
First Claim
1. At least one non-transitory machine readable storage medium having instructions stored thereon, the instructions when executed by at least one processor cause the at least one processor to:
generate a signature for an object in a first compute node of a first plurality of compute nodes connected to a network;
search a local cache in a memory element of the first compute node for the signature;
scan the object with a scan module to obtain a scan result if the signature is not found in the local cache;
update the local cache with the scan result including the signature of the object;
select a first subset of the first plurality of compute nodes in the network based, at least in part, on a particular attribute of each compute node in the first subset, wherein the particular attribute is associated with a certain traffic pattern;
dynamically select, by the first compute node, a second subset of a second plurality of compute nodes connected to the network based, at least in part, on the particular attribute being associated with each compute node in the second subset, wherein the second plurality of compute nodes is to comprise an additional compute node that establishes a connection to the network subsequent to the selection of the first subset, the second subset to include any compute nodes of the first subset that are included in the second plurality of compute nodes and the additional compute node based on determining that an attribute of the additional compute node corresponds to the particular attribute of the compute nodes in the second subset; and
synchronize the updated local cache with one or more local caches of one or more compute nodes in the second subset, wherein synchronizing is to include:
sending, from the first compute node, the scan result to the one or more compute nodes of the second subset; and
receiving, at the first compute node, one or more scan results of one or more other objects from at least one other compute node in the second subset;
wherein the scan result indicates a threat level of the object, and wherein after the scan result is obtained, the local cache is to be updated with the threat level of the object.
Abstract
A method in one example embodiment includes generating a signature for an object in a compute node in a network, searching a memory element for the signature, and responsive to determining the memory element does not contain the signature, scanning the object. The method also includes updating the memory element with a scan result, and synchronizing the memory element of the compute node with one or more memory elements of one or more other compute nodes in the network. In specific embodiments, the scan result includes the signature of the object and a threat level of the object. In further embodiments, the synchronizing includes sending the scan result to one or more other compute nodes in the network. In more specific embodiments, the scan result is sent with one or more other scan results after a predetermined interval of time from a previous synchronization.
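As an added illustration of the method described in the abstract and claims (this is constructed example code, not the patent's own implementation), the following Python simulation models the signature lookup, the scan on a cache miss, the attribute-based selection of the herd that is re-run so a node joining later is included, and the interval-gated synchronization that both sends and receives results; the scan heuristic, the marker strings, the node attributes and the 60-second interval are all assumptions.

```python
"""Herd scan-avoidance simulation (constructed example, not the patent's own code)."""
import hashlib
from dataclasses import dataclass, field
THREAT_MARKERS = {b"TEST-MALICIOUS-MARKER": 3, b"eval(base64": 2}  # constructed toy indicators
SYNC_INTERVAL = 60.0  # seconds between synchronizations (assumed value)

def scan_module(data: bytes) -> int:
    """Stand-in for a real scanner: threat level 0..3 from markers found in the object."""
    return max((lvl for m, lvl in THREAT_MARKERS.items() if m in data), default=0)

@dataclass
class Node:
    name: str
    attribute: str  # traffic-pattern class used to select the herd
    cache: dict = field(default_factory=dict)  # signature -> threat level
    scans: int = 0  # local scans actually performed
    last_sync: float = -SYNC_INTERVAL
    def check(self, data: bytes) -> int:
        """Generate the signature, consult the local cache, scan only on a miss."""
        sig = hashlib.sha256(data).hexdigest()
        if sig not in self.cache:
            self.cache[sig] = scan_module(data)
            self.scans += 1
        return self.cache[sig]
    def select_herd(self, nodes):
        """Re-select same-attribute peers on every call, so late joiners are picked up."""
        return [n for n in nodes if n is not self and n.attribute == self.attribute]

    def synchronize(self, nodes, now: float):
        """Exchange cache entries with the herd; None if the sync interval has not elapsed."""
        if now - self.last_sync < SYNC_INTERVAL:
            return None
        herd = self.select_herd(nodes)
        for peer in herd:  # send our results, receive theirs; keep the higher level
            merged = {s: max(self.cache.get(s, 0), peer.cache.get(s, 0))
                      for s in self.cache.keys() | peer.cache.keys()}
            self.cache.update(merged)
            peer.cache.update(merged)
        self.last_sync = now
        return [p.name for p in herd]

def simulate():
    sample = b"MZ\x90\x00...eval(base64..."  # constructed suspicious object
    a, b, c = nodes = [Node("A", "web"), Node("B", "web"), Node("C", "db")]
    level = a.check(sample)  # cache miss on A: scanned locally once
    first = a.synchronize(nodes, now=0.0)  # first subset: B (C has another pattern)
    nodes.append(d := Node("D", "web"))  # D connects after the first selection
    skipped = a.synchronize(nodes, now=30.0)  # within the interval: nothing sent
    second = a.synchronize(nodes, now=60.0)  # second subset re-selected: B and D
    return level, first, skipped, second, d.check(sample), d.scans, len(c.cache)
```

Running `simulate()` shows D returning the cached threat level without ever scanning, while C, whose traffic pattern differs, receives nothing.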
20 Claims
1. (Independent claim 1 is reproduced above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. An apparatus, comprising:
a hardware processor;
a scan module configured to be executed by the hardware processor to:
generate a signature for an object in a first compute node of a first plurality of compute nodes connected to a network;
search a local cache in a memory element of the first compute node for the signature;
scan the object to obtain a scan result if the signature is not found in the local cache; and
update the local cache with the scan result including the signature of the object; and
a synchronization module configured to be executed by the hardware processor to:
select a first subset of the first plurality of compute nodes in the network based, at least in part, on a particular attribute of each compute node in the first subset, wherein the particular attribute is associated with a certain traffic pattern;
dynamically select, by the first compute node, a second subset of a second plurality of compute nodes connected to the network based, at least in part, on the particular attribute being associated with each compute node in the second subset, wherein the second plurality of compute nodes is to comprise an additional compute node that establishes a connection to the network subsequent to the selection of the first subset, the second subset to include any compute nodes of the first subset that are included in the second plurality of compute nodes and the additional compute node based on determining that an attribute of the additional compute node corresponds to the particular attribute of the compute nodes in the second subset; and
synchronize the updated local cache with one or more local caches of one or more compute nodes in the second subset, wherein synchronizing is to include:
sending, from the first compute node, the scan result to the one or more compute nodes of the second subset; and
receiving, at the first compute node, one or more scan results of one or more other objects from at least one other compute node in the second subset;
wherein the scan result indicates a threat level of the object, and wherein after the scan result is obtained, the local cache is to be updated with the threat level of the object.
Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17
18. A method comprising:
generating a signature for an object in a first compute node of a first plurality of compute nodes connected to a network;
searching a local cache in a memory element of the first compute node for the signature;
scanning the object with a scan module to obtain a scan result if the signature is not found in the local cache;
updating the local cache with the scan result including the signature of the object;
selecting a first subset of the first plurality of compute nodes in the network based, at least in part, on a particular attribute of each compute node in the first subset, wherein the particular attribute is associated with a certain traffic pattern;
dynamically selecting, by the first compute node, a second subset of a second plurality of compute nodes connected to the network based, at least in part, on the particular attribute being associated with each compute node in the second subset, wherein the second plurality of compute nodes is to comprise an additional compute node that establishes a connection to the network subsequent to the selection of the first subset, the second subset to include any compute nodes of the first subset that are included in the second plurality of compute nodes and the additional compute node based on determining that an attribute of the additional compute node corresponds to the particular attribute of the compute nodes in the second subset; and
synchronizing the updated local cache with one or more local caches of one or more compute nodes in the second subset, wherein the synchronizing includes:
sending, from the first compute node, the scan result to the one or more compute nodes of the second subset; and
receiving, at the first compute node, one or more scan results of one or more other objects from at least one other compute node in the second subset;
wherein the scan result indicates a threat level of the object, and wherein after the scan result is obtained, the local cache is to be updated with the threat level of the object.
Dependent claims: 19, 20
Specification