Scalable network security with fast response protocol
First Claim
1. An apparatus comprising instructions stored on computer readable storage, the apparatus adapted to receive a query related to a possible network security threat, the instructions when executed operable to cause at least one computer to:
    receive an indication indicating whether the query is required to be returned within a predetermined time limit;
    in response to the indication indicating that the query is not required to be returned within the predetermined time limit, synchronously retrieve a result to the query, provide the result in a response, and update a local cached storage;
    in response to the indication indicating that the query is required to be returned within the predetermined time limit, determine whether the query is of a first type, that can be answered by the local cached storage, or of a second type, that cannot be answered by the local cached storage;
    if the query is of the first type, service the query with information from the local cached storage by providing a response to the query within the predetermined time limit; and
    if the query is of the second type:
        do not respond to the query or respond with a null response, indicating that the query cannot be answered by the local cached storage;
        forward the query to at least one other information source for response data;
        receive the response data from the at least one other information source; and
        asynchronously update the local cached storage to contain the response data, such that subsequent queries associated with the query are able to be satisfied by the local cached storage.
Abstract
This disclosure provides a network security architecture that permits installation of different software security products as virtual machines (VMs). By relying on a standardized data format and communication structure, a general architecture can be created and used to dynamically build and reconfigure interaction between both similar and dissimilar security products. Use of an integration scheme having defined message types and specified query response framework provides for real-time response and easy adaptation for cross-vendor communication. Examples are provided where an intrusion detection system (IDS) can be used to detect network threats based on distributed threat analytics, passing detected threats to other security products (e.g., products with different capabilities from different vendors) to trigger automatic, dynamically configured communication and reaction. A network security provider using this infrastructure can provide hosted or managed boundary security to a diverse set of clients, each on a customized basis.
21 Citations
19 Claims
1. (Independent claim; its full text is given under First Claim above.) Dependent claims: 2 to 12.
13. A computer-implemented method, comprising:
    receiving a query that specifies an identifier of a possible network security threat;
    receiving an indication indicating whether the query is required to be returned within a predetermined time limit;
    in response to the indication indicating that the query is not required to be returned within the predetermined time limit, synchronously retrieving a result to the query, providing the result in a response, and updating a local cached storage;
    in response to the indication indicating that the query is required to be returned within the predetermined time limit, determining whether the query is of a first type, that can be answered by the local cached storage, or of a second type, that cannot be answered by the local cached storage;
    if the query is of the first type, servicing the query with information from the local cached storage by providing a response to the query within the predetermined time limit; and
    if the query is of the second type:
        not responding to the query or responding with a null response, indicating that the query cannot be answered by the local cached storage;
        forwarding the query to at least one other information source for response data;
        receiving the response data from the at least one other information source; and
        asynchronously updating the local cached storage to contain the response data, such that subsequent queries associated with the query are able to be satisfied by the local cached storage.
    Dependent claims: 14 to 16.
17. A tangible, non-transitory, machine-readable medium, comprising machine-readable instructions that, when executed by one or more processors, cause the one or more processors to:
    receive a query that specifies an identifier of a possible network security threat;
    receive an indication indicating whether the query is required to be returned within a predetermined time limit;
    in response to the indication indicating that the query is not required to be returned within the predetermined time limit, synchronously retrieve a result to the query, provide the result in a response, and update a local cached storage;
    in response to the indication indicating that the query is required to be returned within the predetermined time limit, determine whether the query is of a first type, that can be answered by the local cached storage, or of a second type, that cannot be answered by the local cached storage;
    if the query is of the first type, service the query with information from the local cached storage by providing a response to the query within the predetermined time limit; and
    if the query is of the second type:
        do not respond to the query or respond with a null response, indicating that the query cannot be answered by the local cached storage;
        forward the query to at least one other information source for response data;
        receive the response data from the at least one other information source; and
        asynchronously update the local cached storage to contain the response data, such that subsequent queries associated with the query are able to be satisfied by the local cached storage.
    Dependent claims: 18 and 19.
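The query-servicing protocol that claims 1, 13 and 17 describe, as an added Python example that is not code from the patent or its assignee: a cache front-end that answers time-limited queries from local storage, returns a null response on a miss while forwarding the identifier to the upstream source for asynchronous backfill, and takes the synchronous retrieve-respond-update path when no time limit applies. The reputation table, the identifiers and the verdict strings are constructed sample data, and the class, method and function names are my own assumptions; the claims name none of them.

```python
"""Fast-response threat lookup: local cache with asynchronous backfill.

Added example illustrating the query protocol of claims 1, 13 and 17.
Names, data and structure are assumptions, not the patent's own code.
"""
import threading
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, Optional, Set


@dataclass(frozen=True)
class Response:
    """answered=False is the null response: the cache could not answer in time."""
    answered: bool
    verdict: Optional[str] = None


# Constructed stand-in for the "other information source" of the claims: a
# reputation table keyed by threat identifier. Every entry is made up; the IPs
# are RFC 5737 documentation addresses and the hash is a hypothetical value.
REMOTE_REPUTATION: Dict[str, str] = {
    "203.0.113.7": "malicious",
    "198.51.100.22": "suspicious",
    "44d88612fea8a8f36de82e1278abb02f": "malicious",
}


def remote_lookup(identifier: str) -> str:
    """Stand-in for the slow upstream query. Unknown identifiers yield 'unknown'
    so that every completed lookup is cacheable and later queries hit locally."""
    return REMOTE_REPUTATION.get(identifier, "unknown")


class FastResponseCache:
    def __init__(self, source: Callable[[str], str]) -> None:
        self._source = source
        self._cache: Dict[str, str] = {}
        self._pending: Deque[str] = deque()   # forwarded queries awaiting backfill
        self._in_flight: Set[str] = set()     # forward each identifier only once
        self._lock = threading.Lock()
        self._work = threading.Condition(self._lock)

    def query(self, identifier: str, time_limited: bool) -> Response:
        if not time_limited:
            # No deadline: synchronously retrieve, respond, and update the cache.
            verdict = self._source(identifier)
            with self._lock:
                self._cache[identifier] = verdict
            return Response(True, verdict)
        with self._lock:
            verdict = self._cache.get(identifier)
            if verdict is not None:
                return Response(True, verdict)      # first type: answered locally
            if identifier not in self._in_flight:   # second type: forward upstream
                self._in_flight.add(identifier)
                self._pending.append(identifier)
                self._work.notify()
        return Response(False)                      # null response, within the limit

    def pending_count(self) -> int:
        with self._lock:
            return len(self._pending)

    def backfill(self) -> int:
        """Resolve every forwarded query and store the result in the cache.
        Returns the number of entries added. Called by run_worker in a deployment,
        or directly when a deterministic drain is wanted."""
        filled = 0
        while True:
            with self._lock:
                if not self._pending:
                    return filled
                identifier = self._pending.popleft()
            verdict = self._source(identifier)    # upstream call made outside the lock
            with self._lock:
                self._cache[identifier] = verdict
                self._in_flight.discard(identifier)
            filled += 1

    def run_worker(self, stop: threading.Event) -> None:
        """Background loop: wake when a query has been forwarded, then backfill."""
        while not stop.is_set():
            with self._work:
                self._work.wait(timeout=0.1)
            self.backfill()


if __name__ == "__main__":
    cache = FastResponseCache(remote_lookup)
    print(cache.query("203.0.113.7", time_limited=True))    # null response, forwarded
    cache.backfill()                                          # asynchronous update done
    print(cache.query("203.0.113.7", time_limited=True))    # now answered from cache
    print(cache.query("198.51.100.22", time_limited=False)) # synchronous path
```

Two details the claims leave open are settled here so the protocol behaves sensibly under load: an identifier that misses repeatedly before the backfill completes is forwarded only once (the `_in_flight` set), and an upstream answer of "unknown" is cached like any other verdict, so the second and later time-limited queries for the same identifier are satisfied locally rather than forwarded again.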
Specification