DYNAMIC RE-ORDERING OF SCANNING MODULES IN SECURITY DEVICES
First Claim
1. A data processing method comprising:
using a security gateway, filtering application level data units by routing network traffic through a plurality of scanning modules in a module scanning sequence;
using a scanner history tracker, computing a block rate for each module by tracking, over a period, which units are received by each module in a set of scanning modules and not forwarded toward a destination specified in those units;
using a scanner driver, automatically re-ordering the module scanning sequence based on the block rate to preserve bandwidth of the security gateway by dynamically placing a module with a highest ratio of block rate to run-time cost before other modules in the set of scanning modules such that a most effective scanning module blocks data units before scanning is wasted on those data units by other modules;
wherein the data processing method is performed by one or more computing devices.
Abstract
A method and apparatus are provided for preserving bandwidth of a security gateway by dynamically placing the module with the highest ratio of block rate to run-time cost before the other modules in a set of scanning modules, so that the most effective scanning module blocks data units before scanning is wasted on those data units by other modules. By tracking a plurality of application data units that are sent through a set of scanning modules, a scanner history tracker records the rate at which each module blocks application data units from being forwarded to their intended destination. When the next period of application data units is received, a scanner driver re-orders the sequence of modules from highest block rate to lowest block rate, so that some scanning modules are less likely to scan units that are likely to be blocked by other scanning modules.
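The abstract and the independent claims describe the two components, a scanner history tracker and a scanner driver, only in prose. The Python below is an added illustration of that scheme and is not code from the patent or its assignee; the three module names, their relative run-time costs, the denylist and the ten-unit traffic pattern are all constructed for the example. It shows the block rate being computed only over the units a module actually received (units blocked upstream never reach it), the ratio of block rate to run-time cost deciding the order at the end of each period, and the check a practitioner wants before deploying such a driver: the set of forwarded units is the same under any ordering, because a unit is forwarded only when no module blocks it, so re-ordering changes the scanning cost spent, not the verdict.

```python
"""Dynamic re-ordering of scanning modules by block rate / run-time cost.

Added illustration of the scheme described in the abstract; not the patent's
own code. Module names, run-time costs, the denylist and the traffic are
constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Unit = dict  # an application-level data unit: {"host": ..., "payload": ...}


@dataclass
class ScanningModule:
    name: str
    run_time_cost: float            # relative cost of scanning one unit (assumed)
    blocks: Callable[[Unit], bool]  # True => the module discards the unit


@dataclass
class ScannerHistoryTracker:
    """Per module: units received in the current period and units not forwarded."""
    received: Dict[str, int] = field(default_factory=dict)
    blocked: Dict[str, int] = field(default_factory=dict)

    def record(self, module: str, was_blocked: bool) -> None:
        self.received[module] = self.received.get(module, 0) + 1
        if was_blocked:
            self.blocked[module] = self.blocked.get(module, 0) + 1

    def block_rate(self, module: str) -> float:
        # Rate over units this module actually received; a module that saw
        # nothing this period (all traffic blocked upstream) scores 0.0.
        seen = self.received.get(module, 0)
        return self.blocked.get(module, 0) / seen if seen else 0.0

    def reset(self) -> None:
        self.received.clear()
        self.blocked.clear()


class ScannerDriver:
    """Routes units through the module sequence and re-orders it every `period` units."""

    def __init__(self, modules: List[ScanningModule], period: int, dynamic: bool = True):
        self.sequence = list(modules)
        self.period = period
        self.dynamic = dynamic          # False => keep the initial static order
        self.tracker = ScannerHistoryTracker()
        self.units_this_period = 0
        self.cost_spent = 0.0           # sum of run-time cost of every scan performed

    def filter(self, unit: Unit) -> bool:
        """Return True if the unit is forwarded (no module in the sequence blocked it)."""
        forwarded = True
        for module in self.sequence:
            self.cost_spent += module.run_time_cost
            blocked = module.blocks(unit)
            self.tracker.record(module.name, blocked)
            if blocked:
                forwarded = False
                break  # later modules never see this unit: that scanning is saved
        self.units_this_period += 1
        if self.units_this_period >= self.period:
            self.end_of_period()
        return forwarded

    def end_of_period(self) -> None:
        if self.dynamic:
            # Highest block rate per unit of run-time cost goes first.
            # list.sort() is stable, so modules with equal ratios keep their order.
            self.sequence.sort(
                key=lambda m: self.tracker.block_rate(m.name) / m.run_time_cost,
                reverse=True,
            )
        self.tracker.reset()
        self.units_this_period = 0

    def order(self) -> List[str]:
        return [m.name for m in self.sequence]


# --- constructed modules and traffic (not from the patent) -----------------
DENYLIST = {"bad.example"}


def build_modules() -> List[ScanningModule]:
    # Deliberately start with the cheapest, most effective module last.
    return [
        ScanningModule("av", 5.0, lambda u: "EICAR" in u["payload"]),
        ScanningModule("dlp", 3.0, lambda u: "SSN:" in u["payload"]),
        ScanningModule("url_filter", 1.0, lambda u: u["host"] in DENYLIST),
    ]


def one_period_of_traffic() -> List[Unit]:
    """Ten constructed units: 4 to a denylisted host, 1 malware, 1 data leak, 4 clean."""
    return (
        [{"host": "bad.example", "payload": "GET /"}] * 4
        + [{"host": "good.example", "payload": "EICAR-TEST-FILE"}]
        + [{"host": "good.example", "payload": "SSN: 123-45-6789"}]
        + [{"host": "good.example", "payload": "hello"}] * 4
    )


def run(periods: int, dynamic: bool) -> dict:
    """Push `periods` x 10 units through the gateway; report order, cost and forwarded count."""
    driver = ScannerDriver(build_modules(), period=10, dynamic=dynamic)
    forwarded = 0
    for _ in range(periods):
        for unit in one_period_of_traffic():
            if driver.filter(unit):
                forwarded += 1
    return {"order": driver.order(), "cost": driver.cost_spent, "forwarded": forwarded}


if __name__ == "__main__":
    print("static :", run(2, dynamic=False))
    print("dynamic:", run(2, dynamic=True))
```

With two periods of the constructed traffic, the static order av, dlp, url_filter spends a scanning cost of 170, while the dynamic driver moves url_filter to the front after the first period and spends 138; both forward the same eight units. One caveat visible in the tracker: a module late in the sequence is measured only on the units that reach it, so its block rate is relative to whatever traffic the modules ahead of it let through, not to all traffic; that is what the claims mean by computing the rate over units "received by each module".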
20 Claims
1. A data processing method comprising: (independent claim; text reproduced in full under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A method comprising:
using an application level firewall, receiving a first unit of data associated with a set of scanning modules based on a sender and receiver of the first unit of data;
wherein the first unit of data is routed through the set of scanning modules in a first sequence;
using a scanner history tracker, in response to a scanning module of the application level firewall discarding the first unit, storing in a record which module in the first sequence discarded the first unit;
using the application level firewall, receiving a second unit of data associated with the set of scanning modules based on a sender and receiver of the second unit of data;
wherein the second unit of data is routed through the set of scanning modules in the first sequence;
using the scanner history tracker, in response to a scanning module of the application level firewall discarding the second unit, storing in the record which module in the first sequence discarded the second unit;
based on the record, re-ordering the first sequence of modules to preserve bandwidth of the application level firewall by dynamically placing a module with a highest ratio of block rate to run-time cost before other modules in the set of scanning modules such that a most effective scanning module blocks data units before scanning is wasted on those data units by other modules;
wherein the method is performed by one or more computing devices.
Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17, 18
19. A data processing apparatus comprising:
a security gateway computer that filters traffic of application level data units by routing network traffic through a plurality of scanning modules before forwarding the units to a destination specified by the units;
wherein at least some units are received by at least one module in a set of scanning modules over a data communication network and not forwarded toward the destination specified in those units;
the security gateway further comprising:
a scanner history tracker for computing a block rate for each module by tracking, over a period, which units are received by each module in the set and not forwarded toward the destination specified in those units;
a scanner driver for dynamically ordering a module scanning sequence based on the block rate to preserve bandwidth of the security gateway by dynamically placing a module with a highest ratio of block rate to run-time cost before other modules in the set of scanning modules such that a most effective scanning module blocks data units before scanning is wasted on those data units by other modules.
Dependent claims: 20
Specification