Method and Device for Synchronizing Network Data Flow Detection Status

US 20140380415A1
Filed: 09/10/2014
Published: 12/25/2014
Est. Priority Date: 10/12/2012
Status: Active Grant

First Claim

Patent Images

1. A method for synchronizing network data flow detection status, comprising:

receiving a first request sent by a first security device node, wherein the first request carries a first flow entry of a first data flow that is currently detected by the first security device node, and wherein a flow entry is used to uniquely identify a data flow;

determining first network data flow detection status corresponding to the first flow entry; and

sending a first response to the first security device node, wherein the first response carries the first network data flow detection status such that the first security device node maintains, according to the first response, second network data flow detection status that corresponds to the first flow entry and is stored on the first security device node.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and a device for synchronizing network data flow detection status are provided. The method includes: a status synchronizing server receives a first request sent by a first security device node, where the first request carries a first flow entry of a first data flow that is currently detected by the first security device node; determines first network data flow detection status corresponding to the first flow entry; sends a first response to the first security device node, where the first response carries the first network data flow detection status. A security device node requests previous network data flow detection status of a data flow from a status synchronizing server so as to synchronize network data flow detection status, thereby allowing the security device node to detect a network attack in a more accurate way and improving network system security.

Citations

19 Claims

1. A method for synchronizing network data flow detection status, comprising:
- receiving a first request sent by a first security device node, wherein the first request carries a first flow entry of a first data flow that is currently detected by the first security device node, and wherein a flow entry is used to uniquely identify a data flow;
  
  determining first network data flow detection status corresponding to the first flow entry; and
  
  sending a first response to the first security device node, wherein the first response carries the first network data flow detection status such that the first security device node maintains, according to the first response, second network data flow detection status that corresponds to the first flow entry and is stored on the first security device node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, wherein determining the first network data flow detection status corresponding to the first flow entry comprises:
    - querying a locally stored registration record of the first flow entry; and
      
      determining, according to a result of the query, the first network data flow detection status corresponding to the first flow entry, wherein a registration record of a flow entry comprises the flow entry as well as a security device node and network data flow detection status that correspond to the flow entry.
  - 3. The method according to claim 2, wherein no registration record of the first flow entry is found, and wherein determining, according to the result of the query, the first network data flow detection status corresponding to the first flow entry comprises locally adding a registration record of the first flow entry, setting network data flow detection status corresponding to the first flow entry in the registration record to NULL, and determining that the first network data flow detection status is NULL.
  - 4. The method according to claim 2, wherein the registration record of the first flow entry is found, and wherein determining, according to the result of the query, the first network data flow detection status corresponding to the first flow entry comprises determining, according to information about a security device node corresponding to the first flow entry in the registration record, the first network data flow detection status corresponding to the first flow entry.
  - 5. The method according to claim 4, wherein determining, according to the information about the security device node corresponding to the first flow entry in the registration record, the first network data flow detection status corresponding to the first flow entry comprises determining network data flow detection status corresponding to the first flow entry in the registration record as the first network data flow detection status when the security device node corresponding to the first flow entry in the registration record is NULL.
  - 6. The method according to claim 4, wherein determining, according to the information about the security device node corresponding to the first flow entry in the registration record, the first network data flow detection status corresponding to the first flow entry comprises:
    - sending a second request to a second security device node when the security device node corresponding to the first flow entry in the registration record is the second security device node, wherein the second request carries the first flow entry to request the second security device node to send third network data flow detection status that corresponds to the first flow entry and is recorded on the second security device node;
      
      determining the network data flow detection status corresponding to the first flow entry in the registration record as the first network data flow detection status when no response to the second request is received from the second security device node; and
      
      updating the network data flow detection status that corresponds to the first flow entry and is in the local registration record of the first flow entry to the third network data flow detection status, and determining the third network data flow detection status as the first network data flow detection status when the third network data flow detection status sent by the second security device node is received.
  - 7. The method according to claim 1, wherein before receiving the first request sent by the first security device node, the method further comprises:
    - receiving a connection request sent by the first security device node; and
      
      authenticating an identity of the first security device node according to the connection request to configure a request permission of the first security device node.
  - 8. The method according to claim 1, further comprising:
    - receiving a status update request that is sent by a third security device node according to a preset triggering event or periodically, wherein the status update request carries a second flow entry of a second data flow that is currently detected by the third security device node and corresponding network data flow detection status; and
      
      maintaining, according to the status update request, locally stored registration record of flow entries.
  - 9. The method according to claim 8, wherein maintaining, according to the status update request, the locally stored registration record of flow entries comprises:
    - adding a registration record of the second flow entry when no registration record of the second flow entry is locally stored;
      
      updating, by using network data flow detection status that corresponds to the second flow entry and is carried in the status update request, network data flow detection status that is locally recorded and corresponds to the second flow entry when the registration record of the second flow entry is locally stored and a security device node corresponding to the second flow entry is the third security device node; and
      
      ignoring the status update request when the registration record of the second flow entry is locally stored and the security device node corresponding to the second flow entry in the registration record is not the third security device node.
  - 10. The method according to claim 9, wherein the status update request further carries an event type, wherein the event type is used to indicate whether the status update request is sent according to a preset triggering event or periodically, and wherein maintaining, according to the status update request, the locally stored registration record of flow entries further comprises:
    - setting the security device node corresponding to the second flow entry in the registration record of the second flow entry to NULL when the event type indicates that the status update request is sent according to the preset triggering event; and
      
      setting the security device node corresponding to the second flow entry in the registration record of the second flow entry to the third security device node when the event type indicates that the status update request is sent periodically.

11. A method for synchronizing network data flow detection status, comprising:
- sending, by a first security device node, a first request to a status synchronizing server, wherein the first request carries a first flow entry of a first data flow that is currently detected by the first security device node, and a flow entry is used to uniquely identify a data flow;
  
  receiving, by the first security device node, a first response that is sent by the status synchronizing server according to the first request, wherein the first response carries first network data flow detection status corresponding to the first flow entry; and
  
  maintaining, by the first security device node, according to the first response, second network data flow detection status that corresponds to the first flow entry and is stored on the first security device node.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method according to claim 11, further comprising:
    - receiving a second request sent by the status synchronizing server, wherein the second request carries a third flow entry of a third data flow that is currently detected by a fourth security device node;
      
      acquiring third network data flow detection status that corresponds to the third flow entry and is recorded on the first security device node; and
      
      sending a second response to the status synchronizing server, wherein the second response carries the third network data flow detection status.
  - 13. The method according to claim 11, wherein before sending the first request to the status synchronizing server, the method further comprises:
    - sending a connection request to the status synchronizing server such that the status synchronizing server authenticates an identity of the first security device node according to the connection request; and
      
      receiving information about a request permission of the first security device node, wherein the request permission is configured by the status synchronizing server after the identity authentication succeeds.
  - 14. The method according to claim 11, further comprising sending a status update request to the status synchronizing server according to a preset triggering event or periodically, wherein the status update request carries a second flow entry of a second data flow that is currently detected by the first security device node and corresponding network data flow detection status such that the status synchronizing server maintains, according to the status update request, locally stored registration record of flow entries, wherein the registration record of the flow entry is stored on the status synchronizing server.
  - 15. The method according to claim 14, wherein the status update request further carries an event type, and wherein the event type is used to indicate whether the status update request is sent according to a preset triggering event or periodically.

16. A status synchronizing server, comprising:
- a receiving circuit;
  
  a sending circuit;
  
  a processor; and
  
  a memory,wherein the receiving circuit is configured to receive a first request sent by a first security device node, wherein the first request carries a first flow entry of a first data flow that is currently detected by the first security device node, and a flow entry is used to uniquely identify a data flow,wherein the memory stores an instruction for the processor to determine first network data flow detection status corresponding to the first flow entry, andwherein the sending circuit is configured to send a first response to the first security device node, wherein the first response carries the first network data flow detection status determined by the processor such that the first security device node maintains, according to the first response, second network data flow detection status that corresponds to the first flow entry and is stored on the first security device node.

17. A security device node, comprising:
- a receiving circuit;
  
  a sending circuit;
  
  a processor; and
  
  a memory,wherein the sending circuit is configured to send a first request to a status synchronizing server, wherein the first request carries a first flow entry of a first data flow that is currently detected by the security device node, and a flow entry is used to uniquely identify a data flow,wherein the receiving circuit is configured to receive a first response that is sent by the status synchronizing server according to the first request, wherein the first response carries first network data flow detection status corresponding to the first flow entry, andwherein the memory is configured to store an instruction for the processor to maintain, according to the first response, second network data flow detection status that corresponds to the first flow entry and is stored on the security device node.

18. A network system, comprising:
- a status synchronizing server configured to;
  
  receive a first request sent by a first security device node, wherein the first request carries a first flow entry of a first data flow that is currently detected by the first security device node, and a flow entry is used to uniquely identify a data flow;
  
  determine first network data flow detection status corresponding to the first flow entry;
  
  send a first response to the first security device node, wherein the first response carries the first network data flow detection status determined by the processor such that the first security device node maintains, according to the first response, second network data flow detection status that corresponds to the first flow entry and is stored on the first security device node; and
  
  at least one host device, each of the at least one host device comprises one or more virtual machines and the security device node, wherein the at least one host device is configured to;
  
  send the first request to a status synchronizing server;
  
  receive a first response that is sent by the status synchronizing server according to the first request, wherein the first response carries first network data flow detection status corresponding to the first flow entry;
  
  store an instruction for the processor to maintain, according to the first response, second network data flow detection status that corresponds to the first flow entry and is stored on the security device node, andwherein a data connection is established between the security device node and the status synchronizing server to exchange network data flow detection status.
- View Dependent Claims (19)
- - 19. The network system according to claim 18, wherein the at least one host device comprises a first host device and a second host device, wherein a first virtual machine on the first host device migrates to the second host device, and wherein a security device node on the second host device acquires, from the status synchronizing server, network data flow detection status of a data flow generated by the first virtual machine before the migration of the first virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Inventors
Wang, Yuchen, Zhang, Dacheng, Meng, Jian

Granted Patent

US 9,729,560 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

H04L 43/026   using flow identification

H04L 43/04   Processing captured monitor...

H04L 63/08   for authentication of entit...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

Method and Device for Synchronizing Network Data Flow Detection Status

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method and Device for Synchronizing Network Data Flow Detection Status

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links