Systems and methods for secure communication in cloud computing environments
Abstract
Disclosed embodiments provide systems, methods, and computer-readable storage media for secure data communication between two devices. A disclosed system responds to a request from an originating communication device in a first network to connect with a communication device in a second network, for communication, by receiving a request from the communication device in the first network, the request including payload data and a destination network address in the second network. The system then transmits the received payload data to the destination address in the second network after analyzing the payload data for network intrusion. When the analysis does not indicate network intrusion, the system determines a route to the destination network address by looking up the destination address in a routing table and forwarding the payload data to the destination network address in the second network. If the analysis indicates network intrusion, the system discards the payload data.
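The pipeline the abstract and claims describe (receive a request carrying destination addresses and payload data, unmarshal it, hand it to a detection device, then either look up routes and forward the re-marshaled data or identify and discard the compromised data) is easiest to follow as code. The following is an added illustration, not code from the patent or its assignee. It assumes a JSON-plus-base64 wire format, a hard-coded routing table for the second network, and a detection device that matches constructed byte signatures; the rule that nothing is forwarded once an intrusion is indicated is also an assumption, since the claims only say the compromised data is discarded.

```python
import base64
import json
from dataclasses import dataclass, field

# Constructed routing table for the second network: destination address -> next hop.
# The addresses and hop names are made up for this example.
ROUTING_TABLE = {
    "10.2.0.10": "gw-b-1",
    "10.2.0.11": "gw-b-1",
    "10.2.0.20": "gw-b-2",
}

# Constructed detection signatures: byte patterns the detection device flags.
# Purely illustrative; a real detection device would use a proper rule set.
SIGNATURES = [b"<script>", b"' OR 1=1", b"../../"]


def unmarshal(request_wire: bytes) -> dict:
    """Decode the assumed wire form (JSON envelope, base64 payloads) into plain objects."""
    env = json.loads(request_wire.decode("utf-8"))
    if not isinstance(env.get("destinations"), list) or not isinstance(env.get("payloads"), list):
        raise ValueError("malformed request envelope")
    return {
        "destinations": [str(d) for d in env["destinations"]],
        "payloads": [base64.b64decode(p) for p in env["payloads"]],
    }


def marshal(destinations: list, payloads: list) -> bytes:
    """Encode destinations and raw payloads back into the wire form for forwarding."""
    env = {
        "destinations": list(destinations),
        "payloads": [base64.b64encode(p).decode("ascii") for p in payloads],
    }
    return json.dumps(env).encode("utf-8")


def detect(payloads: list) -> list:
    """Detection device: return the indices of payloads that match any signature."""
    return [i for i, p in enumerate(payloads) if any(sig in p for sig in SIGNATURES)]


@dataclass
class Decision:
    forwarded: dict = field(default_factory=dict)   # next hop -> marshaled bytes sent to it
    discarded: list = field(default_factory=list)   # indices of payloads identified as compromised
    unroutable: list = field(default_factory=list)  # destinations with no routing-table entry


def process_request(request_wire: bytes) -> Decision:
    """Run one request through unmarshal -> detection -> (route + marshal + forward) or discard."""
    req = unmarshal(request_wire)
    decision = Decision()

    hits = detect(req["payloads"])
    if hits:
        # Intrusion indicated: record the compromised set and forward nothing (assumption).
        decision.discarded = hits
        return decision

    # No intrusion indicated: group destinations by next hop from the routing table.
    routes: dict = {}
    for dst in req["destinations"]:
        hop = ROUTING_TABLE.get(dst)
        if hop is None:
            decision.unroutable.append(dst)
            continue
        routes.setdefault(hop, []).append(dst)

    # Re-marshal the payloads once per next hop; the bytes would be sent to that hop.
    for hop, dsts in routes.items():
        decision.forwarded[hop] = marshal(dsts, req["payloads"])
    return decision


if __name__ == "__main__":
    clean = marshal(["10.2.0.10", "10.2.0.20"], [b"hello", b"GET /index"])
    print(process_request(clean))
    bad = marshal(["10.2.0.10"], [b"ok", b"x' OR 1=1 --"])
    print(process_request(bad))
```

The detection step runs on the unmarshaled bytes, not the encoded envelope, which is the point of unmarshaling before inspection: a signature hidden inside base64 would never match the wire form. Destinations absent from the routing table are reported rather than silently dropped so the gateway's behaviour stays observable.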
17 Claims

1. A system for network intrusion detection comprising:
    one or more memory devices storing instructions;
    a first private network, and a second network, wherein the first and the second networks comprise respective subsets of a plurality of communication devices arranged in a cloud environment of a single vendor; and
    one or more processors, the processors not part of the first or second networks, configured to execute the instructions to perform operations comprising:
        receiving a request from the first network of a plurality of communication devices to communicate with the second network of a plurality of communication devices, the request comprising:
            a set of destination network addresses associated with the plurality of communication devices in the second network; and
            data to be transmitted to the set of destination addresses in the second network;
        unmarshaling the received data to be transmitted;
        routing the unmarshaled data to a detection device;
        analyzing the data, using the detection device, to determine signs of network intrusion; and
        when the analysis does not indicate a network intrusion:
            determining a set of routes to the respective destination network addresses;
            marshaling the received data; and
            forwarding the request, along with the marshaled data, to the destination network addresses in the second network; and
        when the analysis indicates a network intrusion:
            identifying a set of compromised unmarshaled data associated with the intrusion; and
            discarding the compromised data.
    Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A method, performed by one or more processors, for detecting network intrusion, the method comprising:
    receiving a request from a first private network, of a plurality of communication devices, to communicate with a second network of a plurality of communication devices, wherein the first and the second networks comprise respective subsets of a plurality of communication devices arranged in a cloud environment of a single vendor, and the processors are not part of the first and second networks of a plurality of communication devices, the request comprising:
        a set of destination network addresses associated with the plurality of communication devices in the second network; and
        data to be transmitted to the set of destination addresses in the second network;
    unmarshaling the received data to be transmitted;
    routing the unmarshaled data to a detection device;
    analyzing the data, using the detection device, to determine signs of network intrusion; and
    when the analysis does not indicate a network intrusion:
        determining a set of routes to the respective destination network addresses;
        marshaling the received data; and
        forwarding the request, along with the marshaled data, to the destination network addresses in the second network; and
    when the analysis indicates a network intrusion:
        identifying a set of compromised unmarshaled data associated with the intrusion; and
        discarding the compromised data.
    Dependent claims: 12, 13, 14, 15, 16
17. A non-transitory computer-readable storage medium storing instructions that are executable by a network intrusion detection system that includes one or more processors to perform operations for network intrusion detection, the operations comprising:
    receiving a request from a first private network of a plurality of communication devices, to communicate with a second network of a plurality of communication devices, wherein the first and the second networks comprise respective subsets of a plurality of communication devices arranged in a cloud environment of a single vendor, and the processors are not part of the first and second networks of a plurality of communication devices, the request comprising:
        a set of destination network addresses associated with the plurality of communication devices in the second network; and
        data to be transmitted to the set of destination addresses in the second network;
    unmarshaling the received data to be transmitted;
    analyzing the data to determine signs of network intrusion; and
    when the analysis does not indicate a network intrusion:
        determining a set of routes to the respective destination network addresses;
        marshaling the received data; and
        forwarding the request, along with the marshaled data, to the destination network addresses in the second network; and
    when the analysis indicates a network intrusion:
        identifying a set of compromised unmarshaled data associated with the intrusion; and
        discarding the compromised data.