NETWORK SECURITY APPLIANCE

US 20100071054A1
Filed: 04/28/2009
Published: 03/18/2010
Est. Priority Date: 04/30/2008
Status: Abandoned Application

First Claim

Patent Images

1. A network security appliance interposed between a computer system and a public network, the network security appliance being configured to:

receive, via a secure connection over the public network, digitally signed and encrypted threat information for identifying malicious content and activities;

validate the signature of the security related information;

decrypt the security related information;

update a secured memory of the network security appliance with the threat information; and

analyze data traffic between the computer system and the public network to identify malicious content using the threat information.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for combating and thwarting attacks by cybercriminals are provided. Network security appliances interposed between computer systems and public networks, such as the Internet, are configured to perform defensive and/or offensive actions against botnets and/or other cyber threats. According to some embodiments, network security appliances may be configured to perform coordinated defensive and/or offensive actions with other network security appliances.

52 Citations

View as Search Results

27 Claims

1. A network security appliance interposed between a computer system and a public network, the network security appliance being configured to:
- receive, via a secure connection over the public network, digitally signed and encrypted threat information for identifying malicious content and activities;
  
  validate the signature of the security related information;
  
  decrypt the security related information;
  
  update a secured memory of the network security appliance with the threat information; and
  
  analyze data traffic between the computer system and the public network to identify malicious content using the threat information.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The network security appliance of claim 1 wherein if malicious content is identified, blocking data traffic between the computer system and the public network.
  - 3. The network security appliance of claim 1, wherein the threat information is received from another network security appliance via a secure peer to peer connection over the public network.
  - 4. The network security appliance of claim 3, wherein the threat information is received from a management server, the management server being configured to provide threat information for identifying malicious content and activities to a plurality of network security appliance.
  - 5. The network security appliance of claim 1, wherein the network security appliance is configured to transmit, via a secure connection over the public network, security related information to at least one other network security appliance and a management server.
  - 6. The network security appliance of claim 1, wherein the network security appliance includes a trusted component, the trusted component comprising:
    - a processor; and
      
      a memory for storing commands to be executed by the processor and threat information for identifying malicious content and activities, wherein the trusted component is configured to prevent unauthorized access to the processor and the memory.
  - 7. The network security appliance of claim 6, wherein the trusted component is configured to prevent physical tampering.

8. A method of operating a network security appliance, the network security appliance being interposed between a computer system and a public network, the method comprising:
- receiving, via a secure connection over the public network, digitally signed and encrypted threat information for identifying malicious content and activities;
  
  validating the signature of the security related information;
  
  decrypting the security related information;
  
  updating a secured memory of the network security appliance with the threat information; and
  
  analyzing data traffic between the computer system and the public network to identify malicious content using the threat information.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 9. The method of claim 8 further comprising:
    - performing one or more remedial measures if malicious content is detected.
  - 10. The method of claim 9 wherein performing the one or more remedial measures further comprises:
    - notifying a management system of a potential threat via a secure connection over the public network, the management system being configured to provide threat information to a plurality of network security appliances.
  - 11. The method of claim 9 wherein performing the one or more remedial measures further comprises:
    - executing one or more defensive actions.
  - 12. The method of claim 11 wherein executing one or more defensive actions further comprises:
    - blocking all data packets from a source of the malicious content.
  - 13. The method of claim 11 wherein executing one or more defensive actions further comprises:
    - blocking all data packets of a particular type associated with the malicious content.
  - 14. The method of claim 11 wherein executing one or more defensive actions further comprises:
    - performing pattern recognition functions in cooperation with a plurality of other network security devices to identify a source of a threat.
  - 15. The method of claim 9 wherein performing the one or more remedial measures further comprises:
    - executing one or more offensive actions.
  - 16. The method of claim 15 wherein executing one or more offensive actions further comprises:
    - participating in a denial of service attack against the source of the malicious content with a plurality of other network security appliances.
  - 17. The method of claim 15 wherein executing one or more offensive actions further comprises:
    - propagating friendly malicious content to the source of the malicious content, the friendly malicious content being configured to damage or disable the source of the malicious content.
  - 18. The method of claim 8 wherein analyzing the data packet for malicious content further comprises:
    - accumulating multiple packets of data at the network security application before analyzing the data packets using the network security appliance to determine whether a threat exists; and
      
      blocking the multiple packets of data if malicious content is identified; and
      
      transmitting the multiple packets of data to a target destination if no malicious content is identified.

19. A method of operating a network security appliance, the network security appliance being interposed between a computer system and a public network, the method comprising:
- receiving a control message from a management server, the management server being configured to provide security related information identifying specific threats to a plurality of network security appliances;
  
  performing one or more security-related actions in response to the control message received from the management server.
- View Dependent Claims (20, 21)
- - 20. The method of claim 19 wherein a performing one or more security-related actions in response to the control message received from the management server further comprises:
    - configuring the network security appliance to transmit packets to a botnet server;
      
      receiving command packets from the botnet server; and
      
      routing the command packets to the management server for analysis.
  - 21. The method of claim 20 wherein in response to routing the command packets to the management server for analysis:
    - receiving from the management server one or more data packets comprising decoy information to be provided by the botnet server; and
      
      transmitting the data packets comprising decoy information to the botnet server.

22. A computer network comprising:
- a management system coupled to a public network;
  
  a plurality of network security appliances, each network security appliance being interposed between a computer system and the public network;
  
  wherein the management server is configured transmit threat information and control commands to the plurality of network security appliances, andwherein the management server is further configured to receive threat information and network data from the plurality of network security appliances.
- View Dependent Claims (23, 24, 25, 26, 27)
- - 23. The computer network of claim 22 wherein the management server is configured to receive threat information from a partner management system and to transmit threat to the partner management system.
  - 24. The computer network of claim 22 wherein the management system is configured to transmit a control command to one or more network security device instructing one or more network security device to execute a defensive action against a cyber threat.
  - 25. The computer network of claim 22 wherein the management system is configured to transmit a control command to one or more network security device instructing the one or more network security device to execute an offensive action against a cyber threat.
  - 26. The computer network of claim 22 wherein the management system is configured to transmit a control command to one or more network security device instructing the one or more network security device to configure the one or more network security device to pose as a zombie computer under the control of a botnet server.
  - 27. The computer network of claim 26 where in response to receiving the command from the management server to pose as a zombie computer under the control of a botnet server, the one or more network security device is configured to:
    - transmit data packets to the botnet server identifying the at least one of the plurality of network security devices as a zombie computer under control of the botnet server;
      
      receiving command packets from the botnet server; and
      
      routing the command packets to the management server for analysis.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ViaSat Incorporated
Original Assignee
ViaSat Incorporated
Inventors
Hart, Steve R.

Application Number

US12/431,190
Publication Number

US 20100071054A1
Time in Patent Office

Days
Field of Search
US Class Current

726/13
CPC Class Codes

H04L 2209/60   Digital content management,...

H04L 2463/144   Detection or countermeasure...

H04L 63/126   the source of the received ...

H04L 63/1416   Event detection, e.g. attac...

H04L 9/3247   involving digital signatures

NETWORK SECURITY APPLIANCE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

NETWORK SECURITY APPLIANCE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links