Scalable network security detection and prevention platform

US 10,225,288 B2
Filed: 01/21/2016
Issued: 03/05/2019
Est. Priority Date: 02/01/2012
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a proxy site to receive Internet traffic for a client network;

intrusion monitoring circuitry to analyze the Internet traffic received at the proxy site to detect a threat using distributed threats analytics;

circuitry that implements at least one selective additional security service from a plurality of different security services, each security service as a respective virtual machine, wherein each respective virtual machine is a virtual platform that emulates an instruction set and enables scalability of the plurality of different security services;

a translation layer coupling the intrusion monitoring circuitry and each selected additional security service, in a manner where the at least one additional selected security service is automatically responsive to the intrusion monitoring circuitry;

forwarding circuitry to forward at least part of the Internet traffic to the client network, subject to performance of a function of the at least one selected additional security service, the forwarding circuitry comprising a device at each data center of at least two data centers that are geographically separated; and

a hardware platform that implements, as a virtual machine, a service to route at least a portion of the Internet traffic received at the proxy site to a receiving device at a selective one of the at least two data centers;

wherein;

the at least one additional selected security service includes an antivirus service;

the translation layer generates a template responsive to a trigger from the intrusion monitoring circuitry representing a detected threat;

the forwarding circuitry automatically, responsive to the template, forward at least a portion of the Internet traffic received at the proxy site to the virtual machine implementing the antivirus service;

the antivirus service automatically screens the at least a portion of the Internet traffic for viruses to produce screened traffic; and

the forwarding circuitry forwards the screened traffic to the client network.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure provides a network security architecture that permits installation of different software security products as virtual machines (VMs). By relying on a common data format and standardized communication structure (e.g., using pre-established, cross-platform messaging), a general architecture can be created and used to dynamically build and reconfigure interaction between both similar and dissimilar security products. Examples are provided where an intrusion monitoring system (IMS) can be used to detect network threats based on distributed threat analytics, passing detected threats to other security products (e.g., products with different capabilities from different vendors) to trigger automatic, dynamically configured communication and reaction. A network security provider using this infrastructure can provide hosted or managed boundary security to a diverse set of clients, each on a customized basis.

Citations

21 Claims

1. A system, comprising:
- a proxy site to receive Internet traffic for a client network;
  
  intrusion monitoring circuitry to analyze the Internet traffic received at the proxy site to detect a threat using distributed threats analytics;
  
  circuitry that implements at least one selective additional security service from a plurality of different security services, each security service as a respective virtual machine, wherein each respective virtual machine is a virtual platform that emulates an instruction set and enables scalability of the plurality of different security services;
  
  a translation layer coupling the intrusion monitoring circuitry and each selected additional security service, in a manner where the at least one additional selected security service is automatically responsive to the intrusion monitoring circuitry;
  
  forwarding circuitry to forward at least part of the Internet traffic to the client network, subject to performance of a function of the at least one selected additional security service, the forwarding circuitry comprising a device at each data center of at least two data centers that are geographically separated; and
  
  a hardware platform that implements, as a virtual machine, a service to route at least a portion of the Internet traffic received at the proxy site to a receiving device at a selective one of the at least two data centers;
  
  wherein;
  
  the at least one additional selected security service includes an antivirus service;
  
  the translation layer generates a template responsive to a trigger from the intrusion monitoring circuitry representing a detected threat;
  
  the forwarding circuitry automatically, responsive to the template, forward at least a portion of the Internet traffic received at the proxy site to the virtual machine implementing the antivirus service;
  
  the antivirus service automatically screens the at least a portion of the Internet traffic for viruses to produce screened traffic; and
  
  the forwarding circuitry forwards the screened traffic to the client network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1, wherein the first additional security is selected, for use with Internet traffic for the client network, from a plurality of different available security services that are each implemented as a virtual machine.
  - 3. The system of claim 2, comprising:
    - a web interface that permits a client administrator to dynamically select from among the plurality of different available security services.
  - 4. The system of claim 2, wherein the plurality of different available security services includes security software products from different software manufacturers.
  - 5. The system of claim 1, wherein the intrusion monitoring circuitry comprises code to extract metadata from the Internet traffic and a correlation engine to correlate metadata from diverse exchanges represented by the Internet traffic received at the proxy site.
  - 6. The system of claim 1, wherein the translation layer generates a template for each threat detected by the intrusion monitoring circuitry.
  - 7. The system of claim 1, wherein:
    - the at least one additional selected security service includes a vulnerability assessment service;
      
      the translation layer generates a template responsive to a trigger from the intrusion monitoring circuitry representing a detected threat; and
      
      the vulnerability assessment service automatically, responsive to the template, tests the client network for a vulnerability matching the detected threat.
  - 8. The system of claim 1, wherein:
    - the at least one additional selected security service includes a firewall service;
      
      the translation layer automatically generates a policy responsive to a trigger from the intrusion monitoring circuitry representing a detected threat; and
      
      the firewall service controls the forwarding circuitry to implement the policy and consequently block at least some of the Internet traffic from the client network.
  - 9. The system of claim 1, wherein:
    - the first additional security includes an intrusion prevention service;
      
      the translation layer generates a template responsive to a trigger from the intrusion monitoring circuitry representing a detected threat; and
      
      the intrusion prevention service automatically filters the Internet traffic received at the proxy site in dependence on the template.
  - 10. The system of claim 1, wherein:
    - the at least one additional selected security service includes a security event manager service;
      
      the translation layer generates a template responsive to a trigger from the intrusion monitoring circuitry representing a detected threat; and
      
      where the security event manager service automatically, in response to the template, (a) alerts an administrator for the client network and (b) logs the template.
  - 11. The system of claim 1, wherein the intrusion monitoring circuitry is implemented as a virtual machine.
  - 12. The system of claim 1, wherein:
    - the Internet traffic is inbound Internet traffic and includes return traffic responsive to outbound Internet traffic from the client network;
      
      the system is also to receive the outbound Internet traffic from the client network; and
      
      the system further comprises circuitry to specify a return path in the outbound Internet traffic to direct the return traffic to the proxy site.
  - 13. The system of claim 12, comprising:
    - a virtual private network concentrator to concentrate the outbound Internet traffic that is received from multiple client sites into a single path.

14. A tangible, non-transitory, machine-readable medium, comprising machine-readable instructions that, when executed by one or more processors, cause the one or more processors to:
- receive, via a proxy site, Internet traffic of a client network;
  
  analyze, via intrusion monitoring circuitry, the Internet traffic to detect a threat using distributed threat analytics;
  
  implement, via circuitry, at least one selective additional security service from a plurality of different security services, each security service as a respective virtual machine, wherein each respective virtual machine is a virtual platform that emulates an instruction set and enables scalability of the plurality of different security services;
  
  forward, via forwarding circuitry, at least part of the Internet traffic to the client network subject to performance of a function of the at least one selected additional security service, the forwarding circuitry comprising a device at each data center of at least two data centers that are geographic ally separated; and
  
  implement, via a hardware platform, a service as a virtual machine to route at least a portion of the Internet traffic received at the proxy site to a receiving device at a selective one of the at least two data centers;
  
  wherein;
  
  wherein a translation layer is coupled to the intrusion monitoring circuitry and each selected additional security service in a manner where the at least one additional selected security service is automatically responsive to the intrusion monitoring circuitry;
  
  the at least one additional selected security service includes an antivirus service;
  
  the translation layer generates a template responsive to a trigger from the intrusion monitoring circuitry representing a detected threat;
  
  the forwarding circuitry automatically, responsive to the template, forwards at least a portion of the Internet traffic received at the proxy site to the virtual machine implementing the antivirus service;
  
  the antivirus service automatically screens the at least a portion of the Internet traffic for viruses to produce screened traffic; and
  
  the forwarding circuitry forwards the screened traffic to the client network.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The machine-readable medium of claim 14, comprising machine-readable instructions that, when executed by the one or more processors, cause the one or more processors to:
    - extract metadata from the Internet traffic and correlate metadata from diverse exchanges represented by the Internet traffic received at the proxy site.
  - 16. The machine-readable medium of claim 14, comprising machine-readable instructions that, when executed by the one or more processors, cause the one or more processors to:
    - generate a template for each threat detected by the intrusion monitoring circuitry.
  - 17. The machine-readable medium of claim 14, comprising machine-readable instructions that, when executed by the one or more processors, cause the one or more processors to:
    - generate a template responsive to a trigger representing a detected threat; and
      
      automatically, responsive to the template, test the client network for a vulnerability matching the detected threat.
  - 18. The machine-readable medium of claim 14, comprising machine-readable instructions that, when executed by the one or more processors, cause the one or more processors to:
    - automatically generate a policy responsive to a trigger from the intrusion monitoring circuitry representing a detected threat; and
      
      control the forwarding circuitry to implement the policy and consequently block at least some of the Internet traffic from the client network.
  - 19. The machine-readable medium of claim 14, comprising machine-readable instructions that, when executed by the one or more processors, cause the one or more processors to:
    - generate a template responsive to a trigger representing a detected threat; and
      
      automatically filter the Internet traffic received at the proxy site in dependence on the template.
  - 20. The machine-readable medium of claim 14, comprising machine-readable instructions that, when executed by the one or more processors, cause the one or more processors to:
    - generate a template responsive to a trigger representing a detected threat; and
      
      automatically, in response to the template, (a) alert an administrator for the client network and (b) log the template.
  - 21. The machine-readable medium of claim 14, comprising machine-readable instructions that, when executed by the one or more processors, cause the one or more processors to:
    - implement the intrusion monitoring circuitry as a virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
ServiceNow Incorporated
Inventors
Haugsnes, Andreas Seip
Primary Examiner(s)
Ullah, Sharif E

Application Number

US15/002,655
Publication Number

US 20160269427A1
Time in Patent Office

1,139 Days
Field of Search

726 12, 726 2, 726 21, 726 36, 713150, 713163, 713181, 380255, 380264, 380276
US Class Current
CPC Class Codes

G06F 16/23   Updating

G06F 16/245   Query processing

G06F 16/951   Indexing; Web crawling tech...

G06F 2009/45587   Isolation or security of vi...

G06F 21/552   involving long-term monitor...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/02   for separating internal fro...

H04L 63/0281   Proxies

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/205   involving negotiation or de...

H04L 67/1097   for distributed storage of ...

H04W 12/12   Detection or prevention of ...

Scalable network security detection and prevention platform

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Scalable network security detection and prevention platform

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links