Methods, systems, and computer readable media for advertising network security capabilities

US 10,581,802 B2
Filed: 05/02/2017
Issued: 03/03/2020
Est. Priority Date: 03/16/2017
Status: Active Grant

First Claim

Patent Images

1. A method for advertising network security capabilities, the method comprising:

at a network node, wherein the network node directs packets to downstream network nodes according to one or more of a plurality of routes, wherein at least one of the plurality of routes involves traversing a downstream network security system;

receiving an extended request for comments (RFC) 5575 based first route advertisement message that includes network security capabilities information indicating threat assessment capabilities of the network security system along a route, wherein the first route advertisement message uses a network route advertisement protocol extension for indicating the network security capabilities information, wherein the network security capabilities information indicates that the network security system is capable of performing spam traffic filtering, virus traffic filtering, malware traffic filtering, ransomware traffic filtering, or bot traffic filtering;

receiving a packet associated with a first packet flow;

determining that the packet requires threat assessment;

directing, based on the network security capabilities information in the first route advertisement message, the packet associated with the first packet flow to a downstream network node associated with the route such that the packet is processed by the network security system, and wherein the downstream network node is upstream from the network security system, wherein packets associated with a second packet flow are directed along a second path that bypasses the network security system; and

receiving, from the downstream network node, a second route advertisement message, wherein the second route advertisement message includes information that instructs the network node to block or discard subsequent packets associated with the first packet flow, wherein the second route advertisement message is generated by the downstream network node after receiving a threat analysis message associated with the packet from the network security system.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and computer readable media for advertising network security capabilities are disclosed. According to one method, the method occurs at a network node. The method includes receiving a first route advertisement message that includes network security capabilities information indicating capabilities of a network security system associated with a route. The method also includes receiving a packet associated with a packet flow. The method further includes directing the packet associated with the packet flow to a downstream network node associated with the network security system.

Citations

13 Claims

1. A method for advertising network security capabilities, the method comprising:
- at a network node, wherein the network node directs packets to downstream network nodes according to one or more of a plurality of routes, wherein at least one of the plurality of routes involves traversing a downstream network security system;
  
  receiving an extended request for comments (RFC) 5575 based first route advertisement message that includes network security capabilities information indicating threat assessment capabilities of the network security system along a route, wherein the first route advertisement message uses a network route advertisement protocol extension for indicating the network security capabilities information, wherein the network security capabilities information indicates that the network security system is capable of performing spam traffic filtering, virus traffic filtering, malware traffic filtering, ransomware traffic filtering, or bot traffic filtering;
  
  receiving a packet associated with a first packet flow;
  
  determining that the packet requires threat assessment;
  
  directing, based on the network security capabilities information in the first route advertisement message, the packet associated with the first packet flow to a downstream network node associated with the route such that the packet is processed by the network security system, and wherein the downstream network node is upstream from the network security system, wherein packets associated with a second packet flow are directed along a second path that bypasses the network security system; and
  
  receiving, from the downstream network node, a second route advertisement message, wherein the second route advertisement message includes information that instructs the network node to block or discard subsequent packets associated with the first packet flow, wherein the second route advertisement message is generated by the downstream network node after receiving a threat analysis message associated with the packet from the network security system.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein the first route advertisement message includes traffic filter information usable for determining whether the first packet flow is to use or not use the route.
  - 3. The method of claim 1 wherein directing, based on the network security capabilities information in the first route advertisement message, the packet associated with the first packet flow to the downstream network node includes analyzing the packet, determining that the packet matches traffic filter information associated with the route, and determining that a network security capability of the network security system associated with the route is relevant to the packet.
  - 4. The method of claim 1 wherein the first route advertisement message is sent by a downstream network node.
  - 5. The method of claim 1 comprising:
    - at the network security system;
      
      receiving the packet associated with the first packet flow; and
      
      performing a threat analysis action involving the packet.

6. A system for advertising network security capabilities, the system comprising:
- at least one processor; and
  
  a network node implemented using the at least one processor, wherein the network node directs packets to downstream network nodes according to one or more of a plurality of routes, wherein at least one of the plurality of routes involves traversing a downstream network security system;
  
  the network node configured for;
  
  receiving an extended request for comments (RFC) 5575 based first route advertisement message that includes network security capabilities information indicating threat assessment capabilities of the network security system along a route, wherein the first route advertisement message uses a network route advertisement protocol extension for indicating the network security capabilities information, wherein the network security capabilities information indicates that the network security system is capable of performing spam traffic filtering, virus traffic filtering, malware traffic filtering, ransomware traffic filtering, or bot traffic filtering;
  
  receiving a packet associated with a first packet flow;
  
  determining that the packet requires threat assessment;
  
  directing, based on the network security capabilities information in the first route advertisement message, the packet associated with the first packet flow to a downstream network node associated with the route such that the packet is processed by the network security system, and wherein the downstream network node is upstream from the network security system, wherein packets associated with a second packet flow are directed along a second path that bypasses the network security system; and
  
  receiving, from the downstream network node, a second route advertisement message, wherein the second route advertisement message includes information that instructs the network node to block or discard subsequent packets associated with the first packet flow, wherein the second route advertisement message is generated by the downstream network node after receiving a threat analysis message associated with the packet from the network security system.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6 wherein the first route advertisement message includes traffic filter information usable for determining whether the first packet flow is to use or not use the route.
  - 8. The system of claim 6 wherein the network node is configured for directing, based on the network security capabilities information in the first route advertisement message, the packet associated with the first packet flow to the network security system by analyzing the packet, determining that the packet matches traffic filter information associated with the route, and determining that a network security capability of the network security system associated with the route is relevant to the packet.
  - 9. The system of claim 6 wherein the first route advertisement message is sent by a downstream network node.
  - 10. The system of claim 6 wherein the network security system is configured for:
    - receiving the packet associated with the first packet flow; and
      
      performing a threat analysis action involving the packet.

11. A non-transitory computer readable medium comprising computer executable instructions that when executed by at least one processor of a computer cause the computer to perform steps comprising:
- at a network node, wherein the network node directs packets to downstream network nodes according to one or more of a plurality of routes, wherein at least one of the plurality of routes involves traversing a downstream network security system;
  
  receiving an extended request for comments (RFC) 5575 based first route advertisement message that includes network security capabilities information indicating threat assessment capabilities of the network security system along a route, wherein the first route advertisement message uses a network route advertisement protocol extension for indicating the network security capabilities information, wherein the network security capabilities information indicates that the network security system is capable of performing spam traffic filtering, virus traffic filtering, malware traffic filtering, ransomware traffic filtering, or bot traffic filtering;
  
  receiving a packet associated with a first packet flow;
  
  determining that the packet requires threat assessment;
  
  directing, based on the network security capabilities information in the first route advertisement message, the packet associated with the first packet flow to a downstream network node associated with the route such that the packet is processed by the network security system, and wherein the downstream network node is upstream from the network security system, wherein packets associated with a second packet flow are directed along a second path that bypasses the network security system; and
  
  receiving, from the downstream network node, a second route advertisement message, wherein the second route advertisement message includes information that instructs the network node to block or discard subsequent packets associated with the first packet flow, wherein the second route advertisement message is generated by the downstream network node after receiving a threat analysis message associated with the packet from the network security system.
- View Dependent Claims (12, 13)
- - 12. The non-transitory computer readable medium of claim 11 wherein the first route advertisement message includes traffic filter information usable for determining whether the first packet flow is to use or not use the route.
  - 13. The non-transitory computer readable medium of claim 11 wherein directing, based on the network security capabilities information in the first route advertisement message, the packet associated with the first packet flow to the network security system includes analyzing the packet, determining that the packet matches traffic filter information associated with the route, and determining that a network security capability of the network security system associated with the route is relevant to the packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Keysight Technologies Singapore Sales Pte Ltd (Keysight Technologies, Inc.)
Original Assignee
Keysight Technologies Singapore Sales Pte Ltd (Keysight Technologies, Inc.)
Inventors
Banerjee, Joydeep, Chakraborty, Joy
Primary Examiner(s)
Celani, Nicholas P

Application Number

US15/585,116
Publication Number

US 20180270199A1
Time in Patent Office

1,036 Days
Field of Search
US Class Current
CPC Class Codes

H04L 45/02   Topology update or discovery

H04L 45/037   Routes obligatorily travers...

H04L 63/0245   Filtering by information in...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

H04L 67/1012   based on compliance of requ...

Methods, systems, and computer readable media for advertising network security capabilities

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, systems, and computer readable media for advertising network security capabilities

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links