Hardware-based detection devices for detecting unsafe network traffic content and methods of using the same

US 10,645,097 B2
Filed: 06/20/2016
Issued: 05/05/2020
Est. Priority Date: 07/19/2002
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, in a firewall device, for detecting network traffic content on a data communication network, the method comprising:

compiling signatures associated with content considered unsafe and translating the compiled signatures into a byte stream executable by a processor of the firewall device to control the processor when determining whether network traffic content matches the compiled signatures, the signatures created using at least one predicates, wherein each of the at least one predicates is represented in a signature by one or more of a letter, a word, a sentence, a number, a logical operator, and a mathematical operator, and the signatures received via a first input port of the firewall device communicatively coupled to the data communication network;

receiving, by a network device via a second input port of the firewall device communicatively coupled to the data communication network, network traffic content;

examining headers of network traffic content and the executing byte stream to determine the content type of the network traffic content;

in response to a determination that the content type is considered safe, the network traffic content is passed to a packet processing module wherein the packet processing module passes the network traffic content to a network output port communicatively coupled to the data communication network, wherein the network output port is configured to communicatively couple the firewall device to a computer system of an intended recipient of the network traffic content; and

in response to a determination that the content type is considered unsafe, the network traffic content is sent to a stack module, wherein the stack module converts the traffic network content into a content stream to be processed by a processor,wherein the processor translates at least one signature codified with the at least one predicate representative of at least one function to be performed to detect network traffic content to be detected into a byte stream executable by the processor to determine whether network traffic content matches content to be detected, the at least one signature is received via a first input port of the network device, andblocking network traffic content matching content to be detected.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device for detecting network traffic content is provided. The device includes a first input port configured to receive one or more signatures, each of the one or more signatures associated with content desired to be detected, a second input port configured to receive data associated with network traffic content. The device also includes a processor configured to process the one or more signatures and the data to determine whether the network traffic content matches the content desired to be detected, and an output port configured to couple the device to a computer system of an intended recipient of the network traffic content. The output port passes the network traffic content to the computer system when it is determined that the network traffic content does not match the content desired to be detected.

87 Citations

17 Claims

1. A computer-implemented method, in a firewall device, for detecting network traffic content on a data communication network, the method comprising:
- compiling signatures associated with content considered unsafe and translating the compiled signatures into a byte stream executable by a processor of the firewall device to control the processor when determining whether network traffic content matches the compiled signatures, the signatures created using at least one predicates, wherein each of the at least one predicates is represented in a signature by one or more of a letter, a word, a sentence, a number, a logical operator, and a mathematical operator, and the signatures received via a first input port of the firewall device communicatively coupled to the data communication network;
  
  receiving, by a network device via a second input port of the firewall device communicatively coupled to the data communication network, network traffic content;
  
  examining headers of network traffic content and the executing byte stream to determine the content type of the network traffic content;
  
  in response to a determination that the content type is considered safe, the network traffic content is passed to a packet processing module wherein the packet processing module passes the network traffic content to a network output port communicatively coupled to the data communication network, wherein the network output port is configured to communicatively couple the firewall device to a computer system of an intended recipient of the network traffic content; and
  
  in response to a determination that the content type is considered unsafe, the network traffic content is sent to a stack module, wherein the stack module converts the traffic network content into a content stream to be processed by a processor,wherein the processor translates at least one signature codified with the at least one predicate representative of at least one function to be performed to detect network traffic content to be detected into a byte stream executable by the processor to determine whether network traffic content matches content to be detected, the at least one signature is received via a first input port of the network device, andblocking network traffic content matching content to be detected.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the packet processing module is further configured to perform network gateway functionality.
  - 3. The method of claim 1, wherein port association based on headers are based on pre-assignment rules.
  - 4. The method of claim 3, wherein the pre-assignment rules may be configurable by a user.
  - 5. The method of claim 1, further comprising sending a message to a user when the network traffic content matches the content to be detected.
  - 6. The method of claim 1, wherein each of the first and the second input ports are externally accessible.
  - 7. The method of claim 1, further comprising categorizing each of the at least one signatures according to the one or more functions prescribed by each of the at least one predicates.
  - 8. The method of claim 1, further comprising storing the at least one signature.
  - 9. The method of claim 1, wherein the network device operates to manage a flow of the network traffic content.

10. A non-transitory computer product includes a computer-readable medium in a firewall device, for detecting network traffic content on a data communication network, the computer-readable medium having a set of stored instructions, an execution of which causes a process to be performed, the process comprising:
- compiling signatures associated with content considered unsafe and translating the compiled signatures into a byte stream executable by a processor of the firewall device to control the processor when determining whether network traffic content matches the compiled signatures, the signatures created using at least one predicates, wherein each of the at least one predicates is represented in a signature by one or more of a letter, a word, a sentence, a number, a logical operator, and a mathematical operator, and the signatures received via a first input port of the firewall device communicatively coupled to the data communication network;
  
  receiving, by a network device via a second input port of the firewall device communicatively coupled to the data communication network, network traffic content;
  
  examining headers of network traffic content and the executing byte stream to determine the content type of the network traffic content;
  
  in response to a determination that the content type is considered safe, the network traffic content is passed to a packet processing module wherein the packet processing module passes the network traffic content to a network output port communicatively coupled to the data communication network, wherein the network output port is configured to communicatively couple the firewall device to a computer system of an intended recipient of the network traffic content; and
  
  in response to a determination that the content type is considered unsafe, the network traffic content is sent to a stack module, wherein the stack module converts the traffic network content into a content stream to be processed by a processor,wherein the processor translates at least one signature codified with the at least one predicate representative of at least one function to be performed to detect network traffic content to be detected into a byte stream executable by the processor to determine whether network traffic content matches content to be detected, the at least one signature is received via a first input port of the network device, andblocking network traffic content matching content to be detected.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The non-transitory computer product of claim 10, wherein the packet processing module is further configured to perform network gateway functionality.
  - 12. The non-transitory computer product of claim 10, wherein port association based on headers are based on pre-assignment rules.
  - 13. The non-transitory computer product of claim 12, wherein the pre-assignment rules may be configurable by a user.
  - 14. The non-transitory computer product of claim 10, further comprising sending a message to a user when the network traffic content matches the content to be detected.
  - 15. The non-transitory computer product of claim 10, wherein each of the first and the second input ports are externally accessible.
  - 16. The non-transitory computer product of claim 10, further comprising categorizing each of the at least one signatures according to the one or more functions prescribed by each of the at least one predicates.
  - 17. The non-transitory computer product of claim 10, further comprising storing the at least one signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Xie, Michael
Primary Examiner(s)
Poltorak, Piotr

Application Number

US15/187,560
Publication Number

US 20160381045A1
Time in Patent Office

1,415 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 43/04   Processing captured monitor...

H04L 43/10   Active monitoring, e.g. hea...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Hardware-based detection devices for detecting unsafe network traffic content and methods of using the same

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

87 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Hardware-based detection devices for detecting unsafe network traffic content and methods of using the same

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

87 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links