Escalated inspection of traffic via SDN

US 10,296,744 B1
Filed: 09/24/2015
Issued: 05/21/2019
Est. Priority Date: 09/24/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

monitoring an indicator indicative of a presence of malware in a selected flow in a local area network;

when the indicator suggests the presence of malware in the selected flow, requesting a network device to redirect the selected flow, or to copy the selected flow and send a resulting copy of the selected flow, to a security appliance, wherein the requesting comprises sending a message to a software defined network controller that is configured to control the network device; and

causing the security appliance to be reconfigured in response to the indicator when the indicator suggests the presence of malware in the selected flow, by supplying an indication of an inspection profile to the security appliance by using a virtual local area network (VLAN) associated with a desired inspection profile,wherein the selected flow would otherwise go uninspected.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and related apparatus for performing inspection of flows within a software defined network includes monitoring an indicator indicative of a presence of malware in a selected flow in an electronic communications network, when the indicator suggests the presence of malware in the selected flow, requesting a network device to redirect the selected flow, or to copy the selected flow and send a resulting copy of the selected flow, to a security appliance, and causing the security appliance to be reconfigured in response to the indicator that suggest the presence of malware in the selected flow.

16 Citations

View as Search Results

20 Claims

1. A method comprising:
- monitoring an indicator indicative of a presence of malware in a selected flow in a local area network;
  
  when the indicator suggests the presence of malware in the selected flow, requesting a network device to redirect the selected flow, or to copy the selected flow and send a resulting copy of the selected flow, to a security appliance, wherein the requesting comprises sending a message to a software defined network controller that is configured to control the network device; and
  
  causing the security appliance to be reconfigured in response to the indicator when the indicator suggests the presence of malware in the selected flow, by supplying an indication of an inspection profile to the security appliance by using a virtual local area network (VLAN) associated with a desired inspection profile,wherein the selected flow would otherwise go uninspected.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the indicator includes at least one of a SQL injection attempt, server logs, a current event, a human resource event, an industry compliance factor or a user request.
  - 3. The method of claim 1, further comprising receiving a message from the network device indicating that a request to copy or to redirect the selected flow cannot be fulfilled.
  - 4. The method of claim 1, further comprising receiving a message from the network device indicating that the network device can no longer copy or redirect the selected flow.
  - 5. The method of claim 1, further comprising selecting, from among a plurality of security appliances, the security appliance to which the resulting copy of the selected flow is to be sent or the selected flow is to be redirected based on a capacity of the security appliance.
  - 6. The method of claim 1, further comprising, in response to results of analysis of the selected flow, causing the security appliance to be further reconfigured.
  - 7. The method of claim 1, further comprising, in response to results of analysis of the selected flow, requesting the network device to redirect another selected flow, or to copy another selected flow and to send a copy the another selected flow, to the security appliance or another security appliance.
  - 8. The method of claim 1, wherein monitoring comprises monitoring a domain name system (DNS) server.
  - 9. The method of claim 1, wherein the method is performed, at least in part, by an Application Policy Infrastructure Controller Enterprise Module (APIC-EM).

10. An apparatus comprising:
- a network interface unit configured to enable communications via a local area network;
  
  a memory configured to store logic instructions; and
  
  at least one processor, when executing the logic instructions, is configured to;
  
  monitor an indicator indicative of a presence of malware in a selected flow in the local area network;
  
  when the indicator suggests the presence of malware in the selected flow, request a network device to redirect the selected flow, or to copy the selected flow and send a resulting copy of the selected flow, to a security appliance, wherein the request is performed by sending a message to a software defined network controller that is configured to control the network device; and
  
  cause the security appliance to be reconfigured in response to the indicator when the indicator suggests the presence of malware in the selected flow, by supplying an indication of an inspection profile to the security appliance by using a virtual local area network (VLAN) associated with a desired inspection profile,wherein the selected flow would otherwise go uninspected.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The apparatus of claim 10, wherein the indicator includes at least one of a SQL injection attempt, server logs, a current event, a human resource event, an industry compliance factor or a user request.
  - 12. The apparatus of claim 10, wherein the processor, when executing the logic instructions, is further configured to receive a message from the network device indicating that a request to redirect or to copy the selected flow cannot be fulfilled.
  - 13. The apparatus of claim 10, wherein the processor, when executing the logic instructions, is further configured to receive a message from the network device indicating that the network device can no longer redirect or copy the selected flow.
  - 14. The apparatus of claim 10, wherein the processor, when executing the logic instructions, is further configured to select, from among a plurality of security appliances, the security appliance to which the redirected flow or resulting copy of the selected flow is to be sent based on a capacity of the security appliance.
  - 15. The apparatus of claim 10, wherein the processor, when executing the logic instructions, is further configured to, in response to results of analysis of the selected flow, cause the security appliance to be further reconfigured.
  - 16. The apparatus of claim 10, wherein the processor, when executing the logic instructions, is further configured to, in response to results of analysis of the selected flow, request the network device to redirect another selected flow, or to copy another selected flow and to send a copy the another selected flow, to the security appliance or another security appliance.

17. A non-transitory tangible computer readable storage media encoded with instructions that, when executed by at least one processor, is configured to cause the processor to:
- monitor an indicator indicative of a presence of malware in a selected flow in a local area network;
  
  when the indicator suggests the presence of malware in the selected flow, request a network device to redirect the selected flow, or to copy the selected flow and send a resulting copy of the selected flow, to a security appliance, wherein the request is performed by sending a message to a software defined network controller that is configured to control the network device; and
  
  cause the security appliance to be reconfigured in response to the indicator when the indicator suggests the presence of malware in the selected flow, by supplying an indication of an inspection profile to the security appliance by using a virtual local area network (VLAN) associated with a desired inspection profile,wherein the selected flow would otherwise go uninspected.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory tangible computer readable storage media of claim 17, wherein, when the instructions are executed, the at least one processor is configured to receive a message from the network device indicating that a request to redirect the selected flow or to copy the selected flow cannot be fulfilled.
  - 19. The non-transitory tangible computer readable storage media of claim 17, wherein, when the instructions are executed, the at least one processor is configured to receive a message from the network device indicating that the network device can no longer redirect the selected flow or to copy the selected flow.
  - 20. The non-transitory tangible computer readable storage media of claim 17, wherein, when the instructions are executed, the at least one processor is configured to, in response to results of analysis of the selected flow, cause the security appliance to be further reconfigured.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
McGrew, David, Beck, Kenneth S., Verma, Jyoti, Brvenik, Jason R.
Primary Examiner(s)
Gee, Jason K
Assistant Examiner(s)
Cattungal, Dereena T

Application Number

US14/864,116
Time in Patent Office

1,335 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/554 involving event detection a...

G06F 21/566 Dynamic detection, i.e. det...

Escalated inspection of traffic via SDN

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Escalated inspection of traffic via SDN

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links