Scalable network security with fast response protocol

US 10,432,674 B1
Filed: 09/01/2017
Issued: 10/01/2019
Est. Priority Date: 02/01/2012
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising instructions stored on computer readable storage, the apparatus adapted to receive a query related to a possible network security threat, the instructions when executed operable to cause at least one computer to:

receive an indication indicating whether the query is required to be returned within a predetermined time limit;

in response to the indication indicating that the query is not required to be returned within the predetermined time limit, synchronously retrieve a result to the query, provide the result in a response, and update a local cached storage;

in response to the indication indicating that the query is required to be returned within the predetermined time limit, determine whether the query is of a first type, that can be answered by the local cached storage, or of a second type, that cannot be answered by the local cached storage;

if the query is of the first type, service the query with information from the local cached storage by providing a response to the query within the predetermined time limit; and

if the query is of the second type;

do not respond to the query or respond with a null response, indicating that the query cannot be answered by the local cached storage;

forward the query to at least one other information source for response data;

receive the response data from the at least one other information source; and

asynchronously update the local cached storage to contain the response data, such that subsequent queries associated with the query are able to be satisfied by the local cached storage.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure provides a network security architecture that permits installation of different software security products as virtual machines (VMs). By relying on a standardized data format and communication structure, a general architecture can be created and used to dynamically build and reconfigure interaction between both similar and dissimilar security products. Use of an integration scheme having defined message types and specified query response framework provides for real-time response and easy adaptation for cross-vendor communication. Examples are provided where an intrusion detection system (IDS) can be used to detect network threats based on distributed threat analytics, passing detected threats to other security products (e.g., products with different capabilities from different vendors) to trigger automatic, dynamically configured communication and reaction. A network security provider using this infrastructure can provide hosted or managed boundary security to a diverse set of clients, each on a customized basis.

21 Citations

View as Search Results

19 Claims

1. An apparatus comprising instructions stored on computer readable storage, the apparatus adapted to receive a query related to a possible network security threat, the instructions when executed operable to cause at least one computer to:
- receive an indication indicating whether the query is required to be returned within a predetermined time limit;
  
  in response to the indication indicating that the query is not required to be returned within the predetermined time limit, synchronously retrieve a result to the query, provide the result in a response, and update a local cached storage;
  
  in response to the indication indicating that the query is required to be returned within the predetermined time limit, determine whether the query is of a first type, that can be answered by the local cached storage, or of a second type, that cannot be answered by the local cached storage;
  
  if the query is of the first type, service the query with information from the local cached storage by providing a response to the query within the predetermined time limit; and
  
  if the query is of the second type;
  
  do not respond to the query or respond with a null response, indicating that the query cannot be answered by the local cached storage;
  
  forward the query to at least one other information source for response data;
  
  receive the response data from the at least one other information source; and
  
  asynchronously update the local cached storage to contain the response data, such that subsequent queries associated with the query are able to be satisfied by the local cached storage.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The apparatus of claim 1, wherein the query specifies an identifier of the possible network security threat.
  - 3. The apparatus of claim 2, wherein the response data is to be received by the at least one computer via a wide area network connection using a transmission control protocol, and wherein the instructions when executed are further to cause the at least one computer to respond to the query specifying the identifier also via the wide area network connection also using a transmission control protocol.
  - 4. The apparatus of claim 1, wherein the instructions to forward the query to the at least one other information source comprise instructions to transmit the query to multiple destinations using a broadcast transmission format.
  - 5. The apparatus of claim 2, wherein the instructions cause the at least one computer to respond to the query specifying the identifier in a manner which includes a network address representing a threat source associated with the possible network security threat.
  - 6. The apparatus of claim 2, wherein the instructions when executed are further to cause the at least one computer to respond to the query specifying the identifier in a manner which identifies a domain representing a threat source associated with the possible network security threat.
  - 7. The apparatus of claim 2, wherein the instructions when executed are further to cause the at least one computer to:
    - compare at least one of the information on hand, if available, with a threshold or a response from a source of the one or more other information sources with the threshold; and
      
      respond to the query by specifying the identifier based at least in part on a result of the comparison.
  - 8. The apparatus of claim 2, wherein the instructions, when executed, are further to cause the at least one computer to respond to the query specifying the identifier in such a way as to convey a link to a network resource that possesses more detailed information regarding the possible network security threat.
  - 9. The apparatus of claim 1, wherein the query comprises an intrusion detection system (IDS) query.
  - 10. The apparatus of claim 1, wherein the local cached storage comprises a cache implemented in random access memory.
  - 11. The apparatus of claim 1, wherein the local cached storage comprises multiple partitions.
  - 12. The apparatus of claim 11, wherein the multiple partitions comprise a level one (L1) cache and a level two (L2) cache, and wherein the update to the local cached storage is stored in the L2 cache.

13. A computer-implemented method, comprising:
- receiving a query that specifies an identifier of a possible network security threat;
  
  receiving an indication indicating whether the query is required to be returned within a predetermined time limit;
  
  in response to the indication indicating that the query is not required to be returned within the predetermined time limit, synchronously retrieving a result to the query, providing the result in a response, and updating a local cached storage;
  
  in response to the indication indicating that the query is required to be returned within the predetermined time limit, determining whether the query is of a first type, that can be answered by the local cached storage, or of a second type, that cannot be answered by the local cached storage;
  
  if the query is of the first type, servicing the query with information from the local cached storage by providing a response to the query within the predetermined time limit; and
  
  if the query is of the second type;
  
  not responding to the query or responding with a null response, indicating that the query cannot be answered by the local cached storage;
  
  forwarding the query to at least one other information source for response data;
  
  receiving the response data from the at least one other information source; and
  
  asynchronously updating the local cached storage to contain the response data, such that subsequent queries associated with the query are able to be satisfied by the local cached storage.
- View Dependent Claims (14, 15, 16)
- - 14. The computer-implemented method of claim 13, comprising:
    - forwarding the query to the at least one other information source comprising instructions to transmit the query to multiple destinations using a broadcast transmission format.
  - 15. The computer-implemented method of claim 13, comprising:
    - responding to the query by specifying the identifier in a manner which includes a network address representing a threat source associated with the possible network security threat.
  - 16. The computer-implemented method of claim 13, comprising:
    - responding to the query by specifying the identifier in a manner which identifies a domain representing a threat source associated with the possible network security threat.

17. A tangible, non-transitory, machine-readable medium, comprising machine-readable instructions that, when executed by one or more processors, cause the one or more processors to:
- receive a query that specifies an identifier of a possible network security threat;
  
  receive an indication indicating whether the query is required to be returned within a predetermined time limit;
  
  in response to the indication indicating that the query is not required to be returned within the predetermined time limit, synchronously retrieve a result to the query, provide the result in a response, and update a local cached storage;
  
  in response to the indication indicating that the query is required to be returned within the predetermined time limit, determine whether the query is of a first type, that can be answered by the local cached storage, or of a second type, that cannot be answered by the local cached storage;
  
  if the query is of the first type, servicing the query with information from the local cached storage by providing a response to the query within the predetermined time limit; and
  
  if the query is of the second type;
  
  do not respond to the query or respond with a null response, indicating that the query cannot be answered by the local cached storage;
  
  forward the query to at least one other information source for response data;
  
  receive the response data from the at least one other information source; and
  
  asynchronously update the local cached storage to contain the response data, such that subsequent queries associated with the query are able to be satisfied by the local cached storage.
- View Dependent Claims (18, 19)
- - 18. The machine-readable medium of claim 17, comprising machine-readable instructions that, when executed by the one or more processors, cause the one or more processors to:
    - forward the query to the at least one other information source comprising instructions to transmit the query to multiple destinations using a broadcast transmission format.
  - 19. The machine-readable medium of claim 17, comprising machine-readable instructions that, when executed by the one or more processors, cause the one or more processors to:
    - respond to the query by specifying the identifier in a manner which includes a network address, a domain, or both, representing a threat source associated with the possible network security threat.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
ServiceNow Incorporated
Inventors
Haugsnes, Andreas Seip, Hahn, Markus
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Shirazi, Sayed Aresh Beheshti

Application Number

US15/694,166
Time in Patent Office

760 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/23   Updating

G06F 16/245   Query processing

G06F 16/951   Indexing; Web crawling tech...

G06F 2009/45587   Isolation or security of vi...

G06F 21/552   involving long-term monitor...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/02   for separating internal fro...

H04L 63/0281   Proxies

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/205   involving negotiation or de...

H04L 67/1097   for distributed storage of ...

H04W 12/12   Detection or prevention of ...

Scalable network security with fast response protocol

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Scalable network security with fast response protocol

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others