NETWORK INTRUSION DETECTION APPARATUS

US 20110238839A1
Filed: 12/29/2010
Published: 09/29/2011
Est. Priority Date: 09/25/2000
Status: Active Grant

First Claim

Patent Images

1. A system of intrusion detection in a network comprising:

a flow processing facility that is configured to detect and process intrusions in network data flowing through the facility, the facility comprising at least one network processor module having at least one processor, a plurality of network ports for connecting network devices for communicating network data, and instructions to cause the at least one processor to recognize one or more data packets in the network data that contain data, including profile information, for processing by an application executing on the flow processing facility by applying a policy to the data, and directing a portion of the network data to at least one flow processor module for executing the application based on the profile information and the policy;

the at least one flow processor module having at least one processor and at least one memory for storing the application for execution by the at least one flow processor module processor, the at least one flow processor module including instructions to receive the portion of the network data from the at least one network processor module, to process the data in the one or more data packets for detecting intrusions, thereby providing one or more data packets with processed data, and to return the one or more data packets with processed data to the at least one network processor module for facilitating prevention of a detected intrusion from being propagated to the network; and

at least one control processor module in communication with the at least one flow processor module and the at least one network processor module, and having at least one control processor module processor, and instructions for causing the at least one control processor module processor to manage the applications in the flow processor module memories.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for distributing flows between a multiple processors. The flows can be received from an external source such as a network, by a front-end processor that recognizes the flow and the associated request, and identifies at least one internal applications processor to process the request/flow. The front-end processor utilizes a flow scheduling vector related to the identified applications processor(s), and the flow scheduling vector can be based on intrinsic data from the applications processor(s) that can include CPU utilization, memory utilization, packet loss, and queue length or buffer occupation. In some embodiments, applications processors can be understood to belong to a group, wherein applications processors within a group can be configured identically. A flow schedule vector can be computed for the different applications processor groups.

62 Citations

View as Search Results

17 Claims

1. A system of intrusion detection in a network comprising:
- a flow processing facility that is configured to detect and process intrusions in network data flowing through the facility, the facility comprising at least one network processor module having at least one processor, a plurality of network ports for connecting network devices for communicating network data, and instructions to cause the at least one processor to recognize one or more data packets in the network data that contain data, including profile information, for processing by an application executing on the flow processing facility by applying a policy to the data, and directing a portion of the network data to at least one flow processor module for executing the application based on the profile information and the policy;
  
  the at least one flow processor module having at least one processor and at least one memory for storing the application for execution by the at least one flow processor module processor, the at least one flow processor module including instructions to receive the portion of the network data from the at least one network processor module, to process the data in the one or more data packets for detecting intrusions, thereby providing one or more data packets with processed data, and to return the one or more data packets with processed data to the at least one network processor module for facilitating prevention of a detected intrusion from being propagated to the network; and
  
  at least one control processor module in communication with the at least one flow processor module and the at least one network processor module, and having at least one control processor module processor, and instructions for causing the at least one control processor module processor to manage the applications in the flow processor module memories.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the control processor module instructions for causing the at least one control processor module processor to manage the applications in the flow processor module memories further comprise instructions to cause the at least one control processor module to perform a step from the group consisting of, downloading applications to the flow processor module memories, and deleting applications from the flow processor module memories.
  - 3. The system of claim 1, further comprising a management server module in communication with the at least one control processor module and having at least one management server module processor.
  - 4. The system of claim 3, wherein the management server module further comprises instructions for causing the at least one management server module processor to cause the at least one control processor module to perform a step from the group consisting of, downloading applications from the management server module to the flow processor module memories, and deleting applications from the flow processor module memories.
  - 5. The system of claim 1, further comprising a local memory device coupled to the at least one of control processor module.
  - 6. The system of claim 1, further comprising a remote memory device coupled to the at least one of control processor module.
  - 7. The system of claim 1, wherein the at least one control processor module further comprises instructions to cause the at least one control processor module processor to transfer data between a management server module and the at least one flow processor module.
  - 8. The system of claim 1, further comprising at least one storage device coupled to the at least one of flow processor module.
  - 9. The system of claim 1, further comprising at least one storage device coupled to the at least one of network processor module.

10. A method of intrusion detection in a network, comprising:
- providing a flow processing facility in-line in a network;
  
  configuring the flow processing facility to detect intrusions received by the flow processing facility by recognizing with a network processor module of the flow processing facility one or more data packets in a data flow that contain data, including profile information, for processing by an application executing on the flow processing facility by applying a policy to the data;
  
  directing the one or more data packets associated with a data flow that includes detected intrusions from the network processor module to at least one application processor module, based on the profile information and the policy, to process the data thereby providing one or more data packets with processed data; and
  
  executing the application on the at least one application processor module, thereby taking an action on the one or more data packets with processed data such that the data flow of the detected intrusion is not propagated to the network.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10, further including managing the application executing on the at least one application processor with a control processor module that is in communication with the network processor module and the at least one application processor module.
  - 12. The method of claim 10, wherein executing the application on the at least one application processor module further comprises selecting the at least one application based on the subscriber profile information.
  - 13. The method of claim 12, further comprising configuring the at least one application processor module for the at least one selected application.
  - 14. The method of claim 12, further comprising selecting at least one application processor module based on the at least one identified application.
  - 15. The method of claim 10, further comprising selecting at least one application processor module based on application processor module loading.
  - 16. The method of claim 10, further comprising selecting at least one application processor module based on applying the policy to the data.
  - 17. The method of claim 10, wherein directing the one or more data packets further comprises identifying a source of the stream of data packets and retrieving an application subscriber profile based on the data source.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Blue Coat Systems Incorporated (Gen Digital Inc.)
Inventors
Akerman, Moisey, Korsunsky, Yevgeny

Granted Patent

US 9,244,739 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/226
CPC Class Codes

G06F 9/5027   the resource being a machin...

G06F 9/5033   considering data affinity

G06F 9/505   considering the load

G06F 9/5055   considering software capabi...

H04L 63/10   for controlling access to d...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

H04L 67/306   User profiles

H04L 67/34   involving the movement of s...

H04L 67/62   Establishing a time schedul...

H04L 67/63   Routing a service request d...

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

NETWORK INTRUSION DETECTION APPARATUS

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

62 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

NETWORK INTRUSION DETECTION APPARATUS

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links