Locked down network interface

US 10,212,135 B2
Filed: 08/08/2016
Issued: 02/19/2019
Est. Priority Date: 04/08/2013
Status: Active Grant

First Claim

Patent Images

1. An apparatus for intercepting a data flow from a network source to a network destination, the apparatus comprising:

a data store holding a set of compliance rules and corresponding actions;

a packet inspector configured to inspect the intercepted data flow and search the data store for a compliance rule associated with the inspected data flow; and

processing circuitry configured to carry out an action with respect to data packets meeting a criteria of a temporary compliance rule whilst the temporary compliance rule is valid, wherein said temporary compliance rule is used where there is no other compliance rule associated with the inspected data flow in the data store,wherein the temporary compliance rule is valid until the processing circuitry determines that at least one criterion is met, wherein the at least one criterion comprises either or both of expiration of a predefined time period or arrival from the network source of a predefined number of data packets meeting the criteria of the temporary compliance rule.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A logic device and method are provided for intercepting a data flow from a network source to a network destination. A data store holds a set of compliance rules and corresponding actions wherein at least one of the set of compliance rules is a temporary compliance rule valid for a predetermined period. A packet inspector is configured to inspect the intercepted data flow and identify from the data store a temporary compliance rule associated with the inspected data flow. A packet filter is configured to when the data flow is identified as being associated with the temporary compliance rule, carry out an action with respect to the data flow corresponding to the temporary compliance rule while the temporary compliance rule is valid.

Citations

22 Claims

1. An apparatus for intercepting a data flow from a network source to a network destination, the apparatus comprising:
- a data store holding a set of compliance rules and corresponding actions;
  
  a packet inspector configured to inspect the intercepted data flow and search the data store for a compliance rule associated with the inspected data flow; and
  
  processing circuitry configured to carry out an action with respect to data packets meeting a criteria of a temporary compliance rule whilst the temporary compliance rule is valid, wherein said temporary compliance rule is used where there is no other compliance rule associated with the inspected data flow in the data store,wherein the temporary compliance rule is valid until the processing circuitry determines that at least one criterion is met, wherein the at least one criterion comprises either or both of expiration of a predefined time period or arrival from the network source of a predefined number of data packets meeting the criteria of the temporary compliance rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 21)
- - 2. The apparatus of claim 1 wherein the data store is further configured to receive a new compliance rule in replacement of the temporary compliance rule.
  - 3. The apparatus of claim 2 wherein the processing circuitry is further configured to, in response to the packet inspector identifying the new compliance rule as being associated with the inspected data flow, carry out an action corresponding to the new compliance rule.
  - 4. The apparatus of claim 1 further configured to inform a compliance rule controller of the activation of the temporary compliance rule.
  - 5. The apparatus of claim 1 wherein the compliance rules are configured to ensure compliance of at least one of said network source and network destination with allowed behaviour.
  - 6. The apparatus of claim 1, wherein the packet inspector is further configured to identify the compliance rule associated with the data flow by parsing the received data flow to determine a characteristic of that data flow.
  - 7. The apparatus of claim 1, wherein the temporary compliance rule identifies a characteristic within the data flow for which there is an associated action.
  - 8. The apparatus of claim 7, wherein the characteristic identifies a network destination for which there is an associated action.
  - 9. The apparatus of claim 8, wherein the associated action is blocking a data flow directed to the network destination.
  - 10. The apparatus of claim 8, wherein the associated action is allowing a data flow directed to the network destination to continue to be transmitted to the network destination.
  - 21. The apparatus of claim 1, wherein the processing circuitry comprises one or more of a field-programmable gate array (FPGA), a network processing unit, or a network interface card.

11. An apparatus for intercepting a data flow from a network source to a network destination, the apparatus comprising:
- a data store holding a set of compliance rules and corresponding actions; and
  
  a packet inspector configured to inspect the intercepted data flow and to search the data store for a compliance rule associated with the inspected data flow,processing circuitry configured to determine that there is no compliance rule associated with the inspected data flow in the data store, and in response to said determination, activate a temporary compliance rule to perform an action associated with data packets meeting a criteria of the temporary compliance rule while the temporary compliance rule is valid,wherein the temporary compliance rule is valid until the processing circuitry determines that at least one criterion is met, wherein the at least one criterion comprises either or both of expiration of a predefined time period or arrival from the network source of a predefined number of data packets meeting the criteria of the temporary compliance rule.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 22)
- - 12. The apparatus of claim 11 wherein the data store is further configured to receive a new compliance rule in replacement of the temporary compliance rule.
  - 13. The apparatus of claim 12 wherein the processing circuitry is further configured to in response to the packet inspector identifying the new compliance rule as being associated with the inspected data flow, carry out an action corresponding to the new compliance rule.
  - 14. The apparatus of claim 11 further configured to inform a compliance rule controller of the activation of the temporary compliance rule.
  - 15. The apparatus of claim 11 wherein the compliance rules are configured to ensure compliance of at least one of said network source and network destination with allowed behaviour.
  - 16. The apparatus of claim 11, wherein the packet inspector is further configured to identify a compliance rule associated with a data flow by parsing the intercepted data flow to determine a characteristic of said intercepted data flow.
  - 17. The apparatus of claim 11 wherein the temporary compliance rule identifies a characteristic within the data flow for which there is an associated action.
  - 18. The apparatus of claim 11 wherein the associated action is blocking a data flow directed to the network destination.
  - 22. The apparatus of claim 11, wherein the processing circuitry comprises one or Inure of a field-programmable gate array (FPGA), a network processing unit, or a network interface card.

19. A method comprising:
- intercepting a data flow from a network source to a network destination;
  
  storing a set of compliance rules and corresponding actions;
  
  inspecting the intercepted data flow and searching a data store for a compliance rule associated with the inspected data flow; and
  
  carrying out an action with respect to data packets meeting a criteria of a temporary compliance rule whilst the temporary compliance rule is valid, wherein said temporary compliance rule is used where there is no other compliance rule associated with the inspected data flow in the data store,wherein the temporary compliance rule is valid until it is determined that at least one criterion is met, wherein the at least one criterion comprises either or both of expiration of a predefined time period or arrival from the network source of a predefined number of data packets meeting the criteria of the temporary compliance rule.

20. A method comprising:
- intercepting a data flow from a network source to a network destination;
  
  storing a set of compliance rules and corresponding actions;
  
  inspecting the intercepted data flow and searching a data store for a compliance rule associated with the inspected data flow; and
  
  determining that there is no compliance rule associated with the inspected data flow in the data store, and in response to said determination activating a temporary compliance rule to perform an action associated with data packets meeting a criteria of the temporary compliance rule whilst the temporary compliance rule is valid,wherein the temporary compliance rule is valid until the processing circuitry determines that at least one criterion is met, wherein the at least one criterion comprises either or both of expiration of a predefined time period or arrival from the network source of a predefined number of data packets meeting the criteria of the temporary compliance rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Xilinx, Inc. (Advanced Micro Devices, Inc.)
Original Assignee
SolarFlare Communications Incorporated (Advanced Micro Devices, Inc.)
Inventors
Pope, Steve L., Roberts, Derek, Riddoch, David J.
Primary Examiner(s)
Jeudy, Josnel

Application Number

US15/231,564
Publication Number

US 20160352687A1
Time in Patent Office

925 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0236 Filtering by address, proto...

H04L 63/0263 Rule management

Locked down network interface

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Locked down network interface

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links