PROVIDING A FAST, REMOTE SECURITY SERVICE USING HASHLISTS OF APPROVED WEB OBJECTS

US 20140173729A1
Filed: 09/09/2013
Published: 06/19/2014
Est. Priority Date: 09/07/2012
Status: Active Grant

First Claim

Patent Images

1. A method for reducing user-experienced latencies and server costs encountered when all requested Web objects by a client device must pass through a security server system, the method comprising:

a) generating, by the security server system, a list of at least one {validated Web object identifier, validated Web object hash value} pair;

b) forwarding at least a part of the list to the client device;

c) receiving, by the client device, the at least part of the list;

d) storing, by the client device, the at least part of the list received in a client list of at least one {validated Web object identifier, validated Web object hash value} pair; and

e) responsive to a request for a Web object by an application at the client device,1) determining, by the client device, whether or not the requested Web object is included in the client list, and2) responsive to a determination, by the client device, that the requested Web object is included in the clientlist,A) fetching, by the client device, the requested Web object from an origin server,B) receiving, by the client device, the Web object,C) computing, by the client device, a hash of the received Web object,D) comparing, by the client device, the computed hash with the hash paired with the requested Web object included in the client list, andE) responsive to a determination, by the client device, that the computed hash matches the hash paired with the requested Web object included in the client list,i) passing, by the client device, the requested Web object to the application,otherwise, responsive to a determination, by the client device, that the computed hash does not match the hash paired with the requested Web object included in the client list,i) requesting, by the client device, the requested Web object via the security server system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security system and service, which improves the performance of SECaaS services, is described. A security server system tracks the content that has successfully passed through its security modules and distributes this information to the end user client devices as hashlist information. The remote client devices can then safely bypass the cloud for a significant fraction of Web object requests by using information on a locally stored hashlist to validate Web objects.

Citations

22 Claims

1. A method for reducing user-experienced latencies and server costs encountered when all requested Web objects by a client device must pass through a security server system, the method comprising:
- a) generating, by the security server system, a list of at least one {validated Web object identifier, validated Web object hash value} pair;
  
  b) forwarding at least a part of the list to the client device;
  
  c) receiving, by the client device, the at least part of the list;
  
  d) storing, by the client device, the at least part of the list received in a client list of at least one {validated Web object identifier, validated Web object hash value} pair; and
  
  e) responsive to a request for a Web object by an application at the client device,1) determining, by the client device, whether or not the requested Web object is included in the client list, and2) responsive to a determination, by the client device, that the requested Web object is included in the clientlist,A) fetching, by the client device, the requested Web object from an origin server,B) receiving, by the client device, the Web object,C) computing, by the client device, a hash of the received Web object,D) comparing, by the client device, the computed hash with the hash paired with the requested Web object included in the client list, andE) responsive to a determination, by the client device, that the computed hash matches the hash paired with the requested Web object included in the client list,i) passing, by the client device, the requested Web object to the application,otherwise, responsive to a determination, by the client device, that the computed hash does not match the hash paired with the requested Web object included in the client list,i) requesting, by the client device, the requested Web object via the security server system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 further comprising,responsive to a determination, by the client device, that the requested Web object is not included in the client list,(A) requesting, by the client device, at least one of the requested Web object via the security server system, or a {validated Web object identifier, validated Web object hash value} pair from the security server system.
  - 3. The method of claim 1 wherein the list is forwarded to the client device and other client devices in accordance with a hybrid push-pull hashlist distribution protocol includingmaintaining, by the security server system, botha pull hashlist including hashes for Web objects to be provided to a client device on demand from the client device, anda push hashlist including hashes for Web objects to be provided to a client device regardless of whether or not the client device requested the Web object, andresponsive to a determination, by the security server system, that an expected future period cost value for one or more pulls of a {validated Web object identifier, validated Web object hash value} pair on the pull hashlist exceeds an expected future period cost value for a push of the {Web object, hash value} pair, adding the {validated Web object identifier, validated Web object hash value} pair to the push hashlist.
  - 4. The method of claim 3 wherein the expected future period cost for one or more pulls of a {validated Web object identifier, validated Web object hash value} pair is defined as f×
    - (C_delay+C_bandwidth), where “
      
      f”
      
      is defined as an estimated number of clients that will request the Web object in the future period, “
      
      C_delay”
      
      is defined as a cost of an additional delay encountered when retrieving a hash entry on demand and “
      
      C_bandwidth”
      
      is defined as a cost of network resources used to distribute a hash entry.
  - 5. The method of claim 4 wherein the estimated number “
    - f”
      
      of clients that which request the Web object in the future period is a linear estimator that minimizes a least square error of estimates generated from a log of actual client requests.
  - 6. The method of claim 3 wherein the expected future period cost for one or more pulls of a {validated Web object identifier, validated Web object hash value} pair is defined as f×
    - (C_delay+C_bandwidth), where “
      
      f”
      
      is defined as an estimated number of clients that which request the Web object in the future period, “
      
      C_bandwidth”
      
      is defined as a cost of network resources used to distribute a hash entry, and “
      
      C_delay”
      
      is defined as the product of (1) a tunable parameter α and
      
      (2) a cost of an additional delay encountered when retrieving a hash entry on demand.
  - 7. The method of claim 3 wherein the expected future period cost for the push distribution of a {validated Web object identifier, validated Web object hash value} pair is defined as (n−
    - m)×
      
      (C_bandwidth), where “
      
      n”
      
      is defined as a number of clients served by the security server system, “
      
      m”
      
      is defined as a number of clients that have already requested the Web object, and “
      
      C_bandwidth”
      
      is defined as a cost of network resources used to distribute a hash entry.
  - 8. The method of claim 1 wherein the act of fetching, by the client device, the requested Web object from the origin server is performed directly, thereby bypassing the security server system.
  - 9. The method of claim 1 wherein the validated Web object identifier is a URL of a validated Webpage.
  - 10. The method of claim 1 wherein the validated Web object identifier is a hashed URL of a validated Webpage.

11. A method for reducing user-experienced latencies and server costs encountered when all requested Web objects by a client device must pass through a security server system, the method comprising:
- a) receiving, by the client device, the at least part of a list, generated by the security server system, of at least one {validated Web object identifier, validated Web object hash value} pair;
  
  b) storing, by the client device, the at least part of the list received in a client list of at least one {validated Web object identifier, validated Web object hash value} pair; and
  
  c) responsive to a request for a Web object by an application at the client device,1) determining, by the client device, whether or not the requested Web object is included in the client list, and2) responsive to a determination, by the client device, that the requested Web object is included in the clientlist,A) fetching, by the client device, the requested Web object from an origin server,B) receiving, by the client device, the Web object,C) computing, by the client device, a hash of the received Web object,D) comparing, by the client device, the computed hash with the hash paired with the requested Web object included in the client list, andE) responsive to a determination, by the client device, that the computed hash matches the hash paired with the requested Web object included in the client list,i) passing, by the client device, the requested Web object to the application,otherwise, responsive to a determination, by the client device, that the computed hash does not match the hash paired with the requested Web object included in the client list,i) requesting, by the client device, the requested Web object via the security server system.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11 further comprising,responsive to a determination, by the client device, that the requested Web object is not included in the client list,(A) requesting, by the client device, at least one of the requested Web object via the security server system, or a {validated Web object identifier, validated Web object hash value} pair from the security server system.
  - 13. The method of claim 11 wherein the act of fetching, by the client device, the requested Web object from the origin server is performed directly, thereby bypassing the security server system.
  - 14. The method of claim 11 wherein the validated Web object identifier is a URL of a validated Webpage.
  - 15. The method of claim 11 wherein the validated Web object identifier is a hashed URL of a validated Webpage.

16. A non-transitory storage device storing processor-executable code which, when executed by the at least one processor, causes the at least one processor to perform a method for reducing user-experienced latencies and server costs encountered when all requested Web objects by a client device must pass through a security server system, the methodreceiving, by the client device, the at least part of a list, generated by the security server system, of at least one {validated Web object identifier, validated Web object hash value} pair,storing, by the client device, the at least part of the list received in a client list of at least one {validated Web object identifier, validated Web object hash value} pair, andresponsive to a request for a Web object by an application at the client device,A) determining, by the client device, whether or not the requested Web object is included in the client list, andB) responsive to a determination, by the client device, that the requested Web object is included in the clientlist,i) fetching, by the client device, the requested Web object from an origin server,ii) receiving, by the client device, the Web object,iii) computing, by the client device, a hash of the received Web object,iv) comparing, by the client device, the computed hash with the hash paired with the requested Web object included in the client list, andv) responsive to a determination, by the client device, that the computed hash matches the hash paired with the requested Web object included in the client list,passing, by the client device, the requested Web object to the application,otherwise, responsive to a determination, by the client device, that the computed hash does not match the hash paired with the requested Web object included in the client list,requesting, by the client device, the requested Web object via the security server system.

17. A method for reducing user-experienced latencies and server costs encountered when all requested Web objects by a client device must pass through a security server system, the method comprising:
- a) generating, by the security server system, a list of at least one {validated Web object identifier, validated Web object hash value} pair;
  
  b) transmitting, by the security server system, at least a part of the list to the client device, thereby enabling the client device to determine whether or not a desired Web object has been validated by the security server system using a hash comparison.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The method of claim 17 wherein the list is forwarded to the client device and other client devices in accordance with a hybrid push-pull hashlist distribution protocol includingmaintaining, by the security server system, botha pull hashlist including hashes for Web objects to be provided to a client device on demand from the client device, anda push hashlist including hashes for Web objects to be provided to a client device regardless of whether or not the client device requested the Web object, andresponsive to a determination, by the security server system, that an expected future period cost value for one or more pulls of a {validated Web object identifier, validated Web object hash value} pair on the pull hashlist exceeds an expected future period cost value for a push of the {Web object, hash value} pair, adding the {validated Web object identifier, validated Web object hash value} pair to the push hashlist.
  - 19. The method of claim 18 wherein the expected future period cost for one or more pulls of a {validated Web object identifier, validated Web object hash value} pair is defined as f×
    - (C_delay+C_bandwidth), where “
      
      f”
      
      is defined as an estimated number of clients that will request the Web object in the future period, “
      
      C_delay”
      
      is defined as a cost of an additional delay encountered when retrieving a hash entry on demand and “
      
      C_bandwidth”
      
      is defined as a cost of network resources used to distribute a hash entry.
  - 20. The method of claim 19 wherein the estimated number “
    - f”
      
      of clients that which request the Web object in the future period is a linear estimator that minimizes a least square error of estimates generated from a log of actual client requests.
  - 21. The method of claim 18 wherein the expected future period cost for one or more pulls of a {validated Web object identifier, validated Web object hash value} pair is defined as f×
    - (C_delay+C_bandwidth), where “
      
      f”
      
      is defined as an estimated number of clients that which request the Web object in the future period, “
      
      C_bandwidth”
      
      is defined as a cost of network resources used to distribute a hash entry, and “
      
      C_delay”
      
      is defined as the product of (1) a tunable parameter α and
      
      (2) a cost of an additional delay encountered when retrieving a hash entry on demand.
  - 22. The method of claim 18 wherein the expected future period cost for the push distribution of a {validated Web object identifier, validated Web object hash value} pair is defined as (n−
    - m)×
      
      (C_bandwidth), where “
      
      n”
      
      is defined as a number of clients served by the security server system, “
      
      m”
      
      is defined as a number of clients that have already requested the Web object, and “
      
      C_bandwidth”
      
      is defined as a cost of network resources used to distribute a hash entry.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Polytechnic Institute Of New York University (New York University)
Original Assignee
Keith Ross, Nasir Memon
Inventors
MEMON, Nasir, CAPPOS, Justin, PEDDINTI, Sai Teja, ROSS, Keith

Granted Patent

US 9,246,929 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/1408   by monitoring network traff...

H04L 63/168   above the transport layer

PROVIDING A FAST, REMOTE SECURITY SERVICE USING HASHLISTS OF APPROVED WEB OBJECTS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

PROVIDING A FAST, REMOTE SECURITY SERVICE USING HASHLISTS OF APPROVED WEB OBJECTS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links