Dynamic network security apparatus and methods for network processors

US 20040083385A1
Filed: 10/25/2002
Published: 04/29/2004
Est. Priority Date: 10/25/2002
Status: Active Grant

First Claim

Patent Images

1. A method of loading a security algorithm in a fast path of a network processor, comprising:

generating a statistic associated with a plurality of communication packets received by the network processor;

determining a security attack on the network processor is in progress based at least in part on the statistic; and

loading the security algorithm in the fast path of the network processor.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for loading a security algorithm in a fast path of a network processor are disclosed. In an example method, a network processor generates a statistic associated with a plurality of communication packets received by the network processor, determines a security attack on the network processor is in progress based on the statistic and loads the security algorithm in the fast path of the network processor.

92 Citations

View as Search Results

50 Claims

1. A method of loading a security algorithm in a fast path of a network processor, comprising:
- generating a statistic associated with a plurality of communication packets received by the network processor;
  
  determining a security attack on the network processor is in progress based at least in part on the statistic; and
  
  loading the security algorithm in the fast path of the network processor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further including calculating a function that balances adaptation time and communication throughput and comparing a result of the function to a threshold value prior to loading the security algorithm in the fast path of the network processor.
  - 3. The method of claim 1, wherein loading the security algorithm in the fast path of the network processor includes loading the security algorithm in the fast path of the network processor based on a comparison of a value function result and a threshold value.
  - 4. The method of claim 3, wherein comparing the value function result to the threshold value includes comparing a load time of the security algorithm to an elapsed time from a previous download to the network processor.
  - 5. The method of claim 1, further including determining the security algorithm is available for downloading from a database associated with the network processor.
  - 6. The method of claim 1, wherein generating the statistic associated with the plurality of communication packets received by the network processor includes generating one or more of a SYN rate statistic, a connection queue statistic, and a resource allocation statistic.
  - 7. The method of claim 1, wherein determining the security attack on the network processor is in progress based at least in part on the statistic includes comparing the statistic to a threshold value associated with the security attack.
  - 8. The method of claim 7, wherein comparing the statistic to the threshold value associated with the security attack includes comparing the statistic to a value associated with one or more of a TCP SYN attack, an IP source address spoofing attack, a UDP flooding attack, an ICMP echo reply attack, an ICMP flooding attack, and a sequence number attack.

9. A system for dynamically responding to a network security attack, comprising:
- a memory containing a plurality of security algorithms; and
  
  a processor coupled to the memory and programmed to;
  
  generate a statistic associated with a plurality of communication packets received by the processor;
  
  determine the security attack on the processor is in progress based at least in part on the statistic; and
  
  load one of the plurality of security algorithms in the processor.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The system of claim 9, wherein the processor is further programmed to calculate a value function result and compare the value function result to a threshold value prior to loading the one of the plurality of security algorithms in the processor.
  - 11. The system of claim 10, wherein the processor is further programmed to load the security algorithm in the processor based at least in part on the comparison of the value function result and the threshold value.
  - 12. The system of claim 10, wherein the processor compares the value function result to the threshold value by comparing a load time of the one of the plurality of security algorithms to an elapsed time from a previous download to the processor.
  - 13. The system of claim 9, wherein the processor generates the statistic associated with the plurality of communication packets received by the processor by generating one or more of a SYN rate statistic, a connection queue statistic, and a resource allocation statistic.
  - 14. The system of claim 9, wherein the processor determines the security attack on the processor is in progress based on the statistic by comparing the statistic to a threshold value associated with the security attack.

15. An apparatus for dynamically responding to a network security attack, comprising:
- a machine accessible medium; and
  
  instructions stored on the machine accessible medium and adapted to be executed by a processor to;
  
  generate a statistic associated with a plurality of communication packets received by the processor;
  
  determine a security attack on the processor is in progress based on the statistic; and
  
  load one of a plurality of security algorithms in the processor.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the instructions are adapted to be executed by the processor to calculate a value function result and compare the value function result to a threshold value prior to loading the one of the plurality of security algorithms in the processor.
  - 17. The system of claim 16, wherein the instructions are adapted to load the one of the plurality of security algorithms in the processor based at least in part on the comparison of the value function result and the threshold value.
  - 18. The system of claim 16, wherein the instructions are adapted to be executed by the processor to compare the value function result to the threshold value by comparing a load time of the one of the plurality of security algorithms to an elapsed time from a previous download to the processor.
  - 19. The system of claim 15, wherein the instructions are adapted to be executed by the processor to generate the statistic associated with the plurality of communication packets received by the processor by generating one or more of a SYN rate statistic, a connection queue statistic, and a resource allocation statistic.
  - 20. The system of claim 15, wherein the instructions are adapted to be executed by the processor to determine the security attack on the processor is in progress based at least in part on the statistic by comparing the statistic to a threshold value associated with the security attack.

21. A machine accessible medium having associated data that, when accessed, causes a machine to:
- generate a statistic associated with a plurality of communication packets received by the processor;
  
  determine a security attack on the processor is in progress based on the statistic; and
  
  load one of a plurality of security algorithms in the processor.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The machine accessible medium of claim 21, wherein the data, when accessed, causes the machine to calculate a value function result and compare the value function result to a threshold value prior to loading the one of the plurality of security algorithms in the processor.
  - 23. The machine accessible medium of claim 22, wherein the data, when accessed, causes the machine to load the one of the plurality of security algorithms in the processor based at least in part on the comparison of the value function result and the threshold value.
  - 24. The machine accessible medium of claim 22, wherein the data, when accessed, causes the machine to compare the value function result to the threshold value by comparing a load time of the one of the plurality of security algorithms to an elapsed time from a previous download to the processor.
  - 25. The machine accessible medium of claim 21, wherein the data, when accessed, causes the machine to generate the statistic associated with the plurality of communication packets received by the processor by generating one or more of a SYN rate statistic, a connection queue statistic, and a resource allocation statistic.
  - 26. The machine accessible medium of claim 21, wherein the data, when accessed, causes the machine to determine the security attack on the processor is in progress based at least in part on the statistic by comparing the statistic to a threshold value associated with the security attack.

27. A method of loading a security algorithm in a fast path of a network processor, comprising:
- receiving a request for a connection to the network processor from a network client;
  
  presenting a plurality of available security algorithms to the network client;
  
  determining which one of the plurality of available security algorithms is to be used for communications with the network client; and
  
  downloading the one of the plurality of available security algorithms to be used for communications with the network client to the network processor.
- View Dependent Claims (28, 29, 30, 31, 32)
- - 28. The method of claim 27, further including determining another network client is currently connected to the network processor and presenting the plurality of available security algorithms so that at least one previously downloaded security algorithm and one security algorithm that has not been downloaded from the plurality of available security algorithms are presented to the network client.
  - 29. The method of claim 28, wherein receiving the request for the connection to the network processor from the network client includes receiving a request for a virtual private network connection from the network client.
  - 30. The method of claim 29, wherein receiving the request for the virtual private network connection from the network client includes receiving security key exchange information from the network client.
  - 31. The method of claim 27, wherein presenting the plurality of available security algorithms to the network client includes presenting authentication and encryption algorithms to the network client.
  - 32. The method of claim 27, wherein downloading the one of the plurality of available security algorithms to be used for communications with the network client to the network processor includes loading the one of the plurality of available security algorithms in the fast path of the network processor.

33. A network communication device, comprising, a memory containing a plurality of security algorithms;
- and a processor coupled to the memory and programmed to;
  
  receive a request for a connection to the processor from a network client;
  
  present a set of the plurality of security algorithms to the network client;
  
  determine which one of the plurality of security algorithms is to be used for communications with the network client; and
  
  download the one of the plurality of security algorithms to be used for communications with the network client to the processor.
- View Dependent Claims (34, 35, 36, 37)
- - 34. The network communication device of claim 33, wherein the processor is programmed to determine that another network client is connected to the processor and to present the set of the security algorithms so that at least one previously downloaded security algorithm and one security algorithm that has not been downloaded from the set of the security algorithms are presented to the network client.
  - 35. The network communication device of claim 33, wherein the processor functions as a gateway to a virtual private network.
  - 36. The network communication device of claim 33, wherein the processor is programmed to use security key exchange information received from the network client to generate the set of the security algorithms.
  - 37. The network communication device of claim 33, wherein the plurality of security algorithms include authentication and encryption algorithms.

38. An apparatus for loading a security algorithm in a fast path of a network processor, comprising:
- a machine accessible medium; and
  
  instructions stored on the machine accessible medium and adapted to be executed by the network processor to;
  
  receive a request for a connection to the network processor from a network client;
  
  present a plurality of available security algorithms to the network client;
  
  determine which one of the plurality of available security algorithms is to be used for communications with the network client; and
  
  download the one of the plurality of available security algorithms to be used for communications with the network client to the network processor.
- View Dependent Claims (39, 40)
- - 39. The apparatus of claim 38, wherein the instructions are adapted to be executed by the network processor to determine that another network client is already connected to the network processor and to present the plurality of available security algorithms to the network client so that at least one previously downloaded security algorithm and one security algorithm that has not been downloaded from the plurality of available security algorithms are presented to the network client.
  - 40. The appartus of claim 38, wherein the instructions are adapted to be executed by the processor to download the one of the plurality of available security algorithms to be used for communications with the network client to the network processor by loading the one of the plurality of available security algorithms in the fast path of the network processor.

41. A machine accessible medium having associated data that, when accessed, causes a machine to:
- receive a request for a connection to the network processor from a network client;
  
  present a plurality of available security algorithms to the network client;
  
  determine which one of the plurality of available security algorithms is to be used for communications with the network client; and
  
  download the one of the plurality of available security algorithms to be used for communications with the network client to the network processor.
- View Dependent Claims (42, 43)
- - 42. The machine accessible medium of claim 41, wherein the data, when accessed, causes the machine to determine that another network client is already connected to the network processor and to present the plurality of available security algorithms to the network client so that at least one previously downloaded security algorithm and one security algorithm that has not been downloaded from the plurality of available security algorithms are presented to the network client.
  - 43. The machine accessible medium of claim 41, wherein the data, when accessed, causes the machine to download the one of the plurality of available security algorithms to be used for communications with the network client to the network processor by loading the one of the plurality of available security algorithms in the fast path of the network processor.

44. A method of responding to a network security attack, comprising:
- monitoring a characteristic of communications on a network;
  
  detecting the network security attack based at least in part on the monitored characteristic; and
  
  loading a security algorithm in a network processor.
- View Dependent Claims (45, 46)
- - 45. The method of claim 44, wherein monitoring the characteristic of the communications on the network includes generating one or more of a communication packet statistic and resource statistic.
  - 46. The method of claim 45, wherein detecting the network security attack based at least in part on the monitored characteristic includes comparing the monitored characteristic to a threshold value associated with the network security attack.

47. A computer system, comprising:
- a memory containing a plurality of security algorithms; and
  
  a network processor coupled to the memory and programmed to;
  
  monitor communications on a network; and
  
  load one of the plurality of security algorithms in the network processor based on the monitored communications.
- View Dependent Claims (48, 49, 50)
- - 48. The computer system of claim 47, wherein the plurality of security algorithms include one or more of an authentication algorithm, an encryption algorithm, and an algorithm responsive to a network security attack.
  - 49. The computer system of claim 47, wherein the network processor is programmed to generate a statistic based on the monitored communications and to load the one of the plurality of security algorithms in the network processor based on the monitored communications by comparing the statistic to a value associated with a network security attack.
  - 50. The computer system of claim 47, wherein the network processor is further programmed to calculate a value function result associated with loading the one of the plurality of algorithms in the network processor and to load the one of the plurality of security algorithms in the network processor based at least in part on the value function result.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Johnson, Erik J., Deval, Manasi, Ahmed, Suhail

Granted Patent

US 7,540,028 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

Dynamic network security apparatus and methods for network processors

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

92 Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic network security apparatus and methods for network processors

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

92 Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links