Apparatus for Filtering Server Responses

US 20110078309A1
Filed: 12/03/2010
Published: 03/31/2011
Est. Priority Date: 04/29/2006
Status: Active Grant

First Claim

Patent Images

1. A data processing apparatus, comprising:

at least one processor;

a traffic monitor comprising logic which, when executed by the at least one processor, causes the at least one processor to perform;

creating, using forward Domain Name System (DNS) lookups, a mapping of domain names to Internet Protocol (IP) addresses;

determining whether a particular domain in the mapping requires handling data traffic to or from the particular domain by performing a particular action;

based on the mapping, determining one or more IP addresses that are associated with the particular domain;

generating policy for a firewall that instructs the firewall to perform the particular action upon receiving a particular request;

wherein the particular request specifies a particular IP address that is within the particular domain.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data processing apparatus, comprising at least one processor and a traffic monitor comprising logic which, when executed by the processor, causes the processor to perform: creating, using forward Domain Name System (DNS) lookups, a mapping of domain names to Internet Protocol (IP) addresses; determining whether a particular domain in the mapping requires handling data traffic to or from the particular domain by performing a particular action; based on the mapping, determining one or more IP addresses that are associated with the particular domain; generating policy for a firewall that instructs the firewall to perform the particular action upon receiving a particular request; wherein the particular request specifies a particular IP address that is within the particular domain.

114 Citations

View as Search Results

18 Claims

1. A data processing apparatus, comprising:
- at least one processor;
  
  a traffic monitor comprising logic which, when executed by the at least one processor, causes the at least one processor to perform;
  
  creating, using forward Domain Name System (DNS) lookups, a mapping of domain names to Internet Protocol (IP) addresses;
  
  determining whether a particular domain in the mapping requires handling data traffic to or from the particular domain by performing a particular action;
  
  based on the mapping, determining one or more IP addresses that are associated with the particular domain;
  
  generating policy for a firewall that instructs the firewall to perform the particular action upon receiving a particular request;
  
  wherein the particular request specifies a particular IP address that is within the particular domain.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The apparatus of claim 1, wherein the traffic monitor further comprises logic which, when executed by the processor, causes the processor to perform:
    - using a DNS discovery process and a DNS traffic monitoring process to create the internal mapping list;
      
      observing the forward DNS lookups from an internal network and inspecting DNS transactions that take place in the internal network.
  - 3. The apparatus of claim 1, wherein the traffic monitor further comprises logic which, when executed by the processor, causes the processor to perform sending instructions to the firewall for determining whether the particular request is to access any of the one or more IP addresses that are associated with the particular domain.
  - 4. The apparatus of claim 1, wherein the particular action includes any of:
    - precluding traffic to the particular domain, precluding traffic from the particular domain, diverting traffic to the particular domain, diverting traffic from the particular domain, maintaining a log of activities at the particular domain, logging traffic information related to the particular domain, blocking or reporting on DNS hosts that belong to the particular domain, blocking or reporting on host-port combinations, blocking or reporting on domain-port combinations;
      
      wherein the mapping further comprises state information and other information specific to the domain names.
  - 5. The apparatus of claim 1, wherein the traffic monitor further comprises logic which, when executed by the processor, causes the processor to perform:
    - retrieving, from a web reputation service, reputation scores for the particular domain and reputation scores for subdomains that belong to the particular domain;
      
      querying whitelists and blacklists.
  - 6. The apparatus of claim 1, wherein the policy is further defined for an individual user or for groups of individual users.

7. A non-transitory computer-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, cause the one or more processors to perform:
- creating, using forward Domain Name System (DNS) lookups, a mapping of domain names to Internet Protocol (IP) addresses;
  
  determining whether a particular domain in the mapping requires handling data traffic to or from the particular domain by performing a particular action;
  
  based on the mapping, determining one or more IP addresses that are associated with the particular domain;
  
  generating policy for a firewall that instructs the firewall to perform the particular action upon receiving a particular request;
  
  wherein the particular request specifies a particular IP address that is within the particular domain.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The non-transitory computer-readable storage medium of claim 7, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to perform:
    - using a DNS discovery process and a DNS traffic monitoring process to create the internal mapping list;
      
      observing the forward DNS lookups from an internal network and inspecting DNS transactions that take place in the internal network.
  - 9. The non-transitory computer-readable storage medium of claim 7, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to perform sending instructions to the firewall for determining whether the particular request is to access any of the one or more IP addresses that are associated with the particular domain.
  - 10. The non-transitory computer-readable storage medium of claim 7, wherein the particular action includes any of:
    - precluding traffic to the particular domain, precluding traffic from the particular domain, diverting traffic to the particular domain, diverting traffic from the particular domain, maintaining a log of activities at the particular domain, logging traffic information related to the particular domain, blocking or reporting on DNS hosts that belong to the particular domain, blocking or reporting on host-port combinations, blocking or reporting on domain-port combinations;
      
      wherein the internal mapping list further comprises state information and other information specific to the domain names.
  - 11. The non-transitory computer-readable storage medium of claim 7, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to perform:
    - retrieving, from a web reputation service, reputation scores for the particular domain and reputation scores for subdomains that belong to the particular domain;
      
      querying whitelists and blacklists.
  - 12. The non-transitory computer-readable storage medium of claim 7, wherein the policy is further defined for an individual user or for groups of individual users.

13. A method, comprising:
- creating, using forward Domain Name System (DNS) lookups, a mapping of domain names to Internet Protocol (IP) addresses;
  
  determining whether a particular domain, listed on the internal mapping list, requires handling data traffic to or from the particular domain by performing a particular action;
  
  based on the internal mapping list, determining one or more IP addresses that are associated with the particular domain;
  
  generating policy for a firewall that instructs the firewall to perform the particular action upon receiving a particular request;
  
  wherein the particular request specifies a particular IP address that is within the particular domain;
  
  wherein the method is performed by one or more processors.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The method of claim 13, further comprising:
    - using a DNS discovery process and a DNS traffic monitoring process to create the internal mapping list;
      
      observing the forward DNS lookups from an internal network and inspecting DNS transactions that take place in the internal network.
  - 15. The method of claim 13, further comprising sending instructions to the firewall for determining whether the particular request is to access any of the one or more IP addresses that are associated with the particular domain.
  - 16. The method of claim 13, wherein the particular action includes any of:
    - precluding traffic to the particular domain, precluding traffic from the particular domain, diverting traffic to the particular domain, diverting traffic from the particular domain, maintaining a log of activities at the particular domain, logging traffic information related to the particular domain, blocking or reporting on DNS hosts that belong to the particular domain, blocking or reporting on host-port combinations, blocking or reporting on domain-port combinations;
      
      wherein the internal mapping list further comprises state information and other information specific to the domain names.
  - 17. The method of claim 13, further comprising:
    - retrieving, from a web reputation service, reputation scores for the particular domain and reputation scores for subdomains that belong to the particular domain;
      
      querying whitelists and blacklists.
  - 18. The method of claim 13, wherein the policy is further defined for an individual user or for groups of individual users.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Brandon L. Golm, Bruce Thompson, Doug Moore, Elischer Jr, Eric Bloch, Mark Krentel, Rajendraprasad R. Pagaku, Shalabh Mohan
Original Assignee
Brandon L. Golm, Bruce Thompson, Doug Moore, Elischer Jr, Eric Bloch, Mark Krentel, Rajendraprasad R. Pagaku, Shalabh Mohan
Inventors
Moore, Doug, Thompson, Bruce, Mohan, Shalabh, Bloch, Eric, Golm, Brandon L., Pagaku, Rajendraprasad R., Elischer, J.R., Krentel, Mark

Granted Patent

US 8,087,082 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 43/00   Arrangements for monitoring...

H04L 43/16   Threshold monitoring

H04L 61/4511   using domain name system [DNS]

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/105   Multiple levels of security

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

H04L 63/168   above the transport layer

Apparatus for Filtering Server Responses

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

114 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus for Filtering Server Responses

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

114 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links