Channel data encapsulation system and method for use with client-server data channels

US 10,581,884 B2
Filed: 10/18/2018
Issued: 03/03/2020
Est. Priority Date: 07/29/2016
Status: Active Grant

First Claim

Patent Images

1. A method performed by a security service comprising:

receiving, by a first security microservice, a first channel data encapsulation packet encapsulating a first encapsulation context and one or more data packets;

performing a security service on the one or more data packets using the first encapsulation context;

transmitting, by the first security microservice, a second channel data encapsulation packet comprising a request for security services to a second security microservice;

receiving, by the first security microservice, a response from the second security microservice comprising a second security microservice context, a second security microservice timestamp, and a second security microservice load;

generating, by the first security microservice, a timestamp and a load value representing, in either relative or absolute terms, the loading of the first and second microservices processing the encapsulated channel data; and

transmitting, by the first security microservice, a response to the first channel data encapsulation packet, the response including the timestamp and the load value,wherein the first and second security microservices are implemented with computer-readable instructions stored in memory on a network security server, the memory coupled to one or more hardware processors executing the first and second security microservices.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are disclosed that relate to network security to monitor and report threats in network traffic of a datacenter. For example, one embodiment discloses a method of receiving, by a first security microservice, a first channel data encapsulation packet encapsulating a first encapsulation context and a first encapsulated data, performing a security service on the first encapsulated data using the first encapsulation context, transmitting by the first security microservice a second channel data encapsulation packet to a second security microservice, wherein the second channel encapsulation packet comprises a request for security services, receiving by the first security microservice a response from the second security microservice comprising a second security microservice context, a second security microservice timestamp, and a second security microservice load. The first security microservice further generates a timestamp and a load included in a response to the first channel data encapsulation packet.

18 Citations

20 Claims

1. A method performed by a security service comprising:
- receiving, by a first security microservice, a first channel data encapsulation packet encapsulating a first encapsulation context and one or more data packets;
  
  performing a security service on the one or more data packets using the first encapsulation context;
  
  transmitting, by the first security microservice, a second channel data encapsulation packet comprising a request for security services to a second security microservice;
  
  receiving, by the first security microservice, a response from the second security microservice comprising a second security microservice context, a second security microservice timestamp, and a second security microservice load;
  
  generating, by the first security microservice, a timestamp and a load value representing, in either relative or absolute terms, the loading of the first and second microservices processing the encapsulated channel data; and
  
  transmitting, by the first security microservice, a response to the first channel data encapsulation packet, the response including the timestamp and the load value,wherein the first and second security microservices are implemented with computer-readable instructions stored in memory on a network security server, the memory coupled to one or more hardware processors executing the first and second security microservices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the first channel data encapsulation packet to contain an encapsulation identifier to distinguish a data channel associated with the first data channel encapsulation packet within a network environment and an encapsulation header to define a location within the first channel data encapsulation packet of the first encapsulation context and a first encapsulation service load.
  - 3. The method of claim 2, wherein the encapsulation header further to define a timestamp, and wherein the first security microservice to record the second security microservice timestamp and the second security microservice load.
  - 4. The method of claim 3, wherein the first channel data encapsulation packet further to include an encapsulation checksum calculated using the encapsulation identifier and the encapsulation header.
  - 5. The method of claim 1, further comprising increasing a number of the one or more data packets in subsequent channel data encapsulation packets, to thereby reduce a number but increase a size of subsequently transmitted channel data encapsulation packets.
  - 6. The method of claim 5, wherein the reducing the number but increasing the size of subsequently transmitted channel data encapsulation packets reduces a number of subsequent routing decisions made by the security service.
  - 7. The method of claim 5, wherein the reducing the number but increasing the size of subsequently transmitted channel data encapsulation packets reduces a number of load balancing decisions made by the security service.
  - 8. The method of claim 5, wherein the reducing the number but increasing the size of subsequently transmitted channel data encapsulation packets reduces contention for a backplane of the security service.

9. A system comprising a memory and a processor, performing a security microservice, to:
- receive a first channel data encapsulation packet encapsulating a first encapsulation context and one or more data packets;
  
  perform a security service on the one or more data packets using the first encapsulation context;
  
  transmit a second channel data encapsulation packet to a second security microservice, the second channel data encapsulation packet comprising a request for security services;
  
  receive a response from the second security microservice comprising a second security microservice context, a second security microservice timestamp, and a second security microservice load;
  
  generate a timestamp and a load value representing, in either relative or absolute terms, the loading of the first and second microservices processing the encapsulated channel data, and transmit a response to the first channel data encapsulation packet, the response to include the timestamp and the load value; and
  
  wherein the first and second security microservices are implemented with computer-readable instructions stored in memory on a network security server, the memory coupled to the processors executing the first and second security microservices.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The system of claim 9,wherein the first channel data encapsulation packet to contain an encapsulation identifier to distinguish a data channel associated with the first data channel encapsulation packet within a network environment and an encapsulation header to define a location within the first channel data encapsulation packet of the first encapsulation context and a first encapsulation service load.
  - 11. The system of claim 10, wherein the encapsulation header further to define a timestamp.
  - 12. The system of claim 11, wherein the first channel data encapsulation packet further to include an encapsulation checksum calculated using the encapsulation identifier and the encapsulation header.
  - 13. The system of claim 9, wherein the first security microservice to record the second security microservice timestamp and the second security microservice load.

14. A non-transitory computer-readable medium containing computer-executable instructions to which a security service is to respond by:
- receiving, by a first security microservice, a first channel data encapsulation packet encapsulating a first encapsulation context and one or more data packets;
  
  performing a security service on the one or more data packets using the first encapsulation context;
  
  transmitting by the first security microservice a second channel data encapsulation packet to a second security microservice, wherein the second channel data encapsulation packet comprises a request for security services;
  
  receiving by the first security microservice a response from the second security microservice comprising a second security microservice context, a second security microservice timestamp, and a second security microservice load;
  
  generating, by the first security microservice, a timestamp and a load value representing, in either relative or absolute terms, the loading of the first and second microservices processing the encapsulated channel data; and
  
  transmitting, by the first security microservice, a response to the first channel data encapsulation packet, the response including the timestamp and the load value,wherein the first and second security microservices are implemented with computer-readable instructions stored in memory on a network security server, the memory coupled to one or more hardware processors executing the first and second security microservices.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The non-transitory computer-readable medium of claim 14, wherein the first channel data encapsulation packet to contain an encapsulation identifier to distinguish a data channel associated with the first data channel encapsulation packet within a network environment and an encapsulation header to define a location within the first channel data encapsulation packet of the first encapsulation context and the first encapsulation data.
  - 16. The non-transitory computer-readable medium of claim 15, wherein the encapsulation header further to define a timestamp.
  - 17. The non-transitory computer-readable medium of claim 14, wherein the computer-executable instructions further cause the security service to respond by increasing a number of the one or more data packets in subsequent channel data encapsulation packets, to thereby reduce a number but increase a size of subsequently transmitted channel data encapsulation packets.
  - 18. The non-transitory computer-readable medium of claim 17, wherein the reducing the number but increasing the size of subsequently transmitted channel data encapsulation packets reduces a number of subsequent routing decisions made by the security service.
  - 19. The non-transitory computer-readable medium of claim 17, wherein the reducing the number but increasing the size of subsequently transmitted channel data encapsulation packets reduces a number of load balancing decisions made by the security service.
  - 20. The non-transitory computer-readable medium of claim 17, wherein the reducing the number but increasing the size of subsequently transmitted channel data encapsulation packets reduces contention for a backplane of the security service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
ShieldX Networks, Inc. (Fortinet Inc.)
Inventors
Ahuja, Ratinder Paul Singh, Nedbal, Manuel
Primary Examiner(s)
Gracia, Gary S

Application Number

US16/163,977
Publication Number

US 20190124096A1
Time in Patent Office

502 Days
Field of Search

707600, 707601, 707607, 707613, 709226, 709223, 709224, 709230, 717103, 717125, 726 1, 726 28
US Class Current
CPC Class Codes

G06F 2221/2151   Time stamp

H04L 2212/00   Encapsulation of packets

H04L 45/123   Evaluation of link metrics ...

H04L 45/124   using a combination of metrics

H04L 45/125   based on throughput or band...

H04L 45/30   Routing of multiclass traffic

H04L 63/0428   wherein the data content is...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 67/1001   for accessing one among a p...

Channel data encapsulation system and method for use with client-server data channels

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

18 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Channel data encapsulation system and method for use with client-server data channels

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links