DYNAMIC RE-ORDERING OF SCANNING MODULES IN SECURITY DEVICES

US 20160182451A1
Filed: 12/19/2014
Published: 06/23/2016
Est. Priority Date: 12/19/2014
Status: Active Grant

First Claim

Patent Images

1. A data processing method comprising:

using a security gateway, filtering application level data units by routing network traffic through a plurality of scanning modules in a module scanning sequence;

using a scanner history tracker, computing a block rate for each module by tracking, over a period, which units are received by each module in a set of scanning modules and not forwarded toward a destination specified in those units;

using a scanner driver, automatically re-ordering the module scanning sequence based on the block rate to preserve bandwidth of the security gateway by dynamically placing a module with a highest ratio of block rate to run-time cost before other modules in the set of scanning modules such that a most effective scanning module blocks data units before scanning is wasted on those data units by other modules;

wherein the data processing method is performed by one or more computing devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus are provided for preserving bandwidth of a security gateway by dynamically placing a module with a highest ratio of block rate to run-time cost before other modules in the set of scanning modules such that a most effective scanning module blocks data units before scanning is wasted on those data units by other modules. By tracking a plurality of application data units that are sent through a set of scanning modules, a scanner history tracker records a rate with which the modules block application data units from forwarding to their intended destination. When the next period of application data units are received, a scanner driver re-orders the sequence of modules from highest block rate to lowest block rate such that some scanning modules are less likely to scan units that are likely to be blocked by other scanning modules.

14 Citations

20 Claims

1. A data processing method comprising:
- using a security gateway, filtering application level data units by routing network traffic through a plurality of scanning modules in a module scanning sequence;
  
  using a scanner history tracker, computing a block rate for each module by tracking, over a period, which units are received by each module in a set of scanning modules and not forwarded toward a destination specified in those units;
  
  using a scanner driver, automatically re-ordering the module scanning sequence based on the block rate to preserve bandwidth of the security gateway by dynamically placing a module with a highest ratio of block rate to run-time cost before other modules in the set of scanning modules such that a most effective scanning module blocks data units before scanning is wasted on those data units by other modules;
  
  wherein the data processing method is performed by one or more computing devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The data processing method of claim 1, wherein the scanning modules are selected from a group consisting of an antivirus module, an anti-spyware module, a file blocking module, an anti-spam module, an anti-phishing module, a URL filtering module, and a content filtering module.
  - 3. The data processing method of claim 1, comprising performing the tracking only periodically for a set period of time.
  - 4. The data processing method of claim 1, comprising performing the tracking only periodically for a set number of units.
  - 5. The data processing method of claim 4, comprising performing the tracking only periodically for a set number of units scanned and not forwarded toward the destination specified in those units.
  - 6. The data processing method of claim 1, wherein the run-time cost for each module further comprises computing a weight value associated with a scanning efficiency for each module, wherein the scanning efficiency comprises a ratio of a number of cycles needed to perform a scan by a module compared to a highest number of cycles needed to perform a scan by one module.
  - 7. The data processing method of claim 6, wherein the re-ordering is based on the block rate for each module, and comprising determining the block rate for a particular module by dividing the units that are received but not forwarded by the particular module by the weight value of that particular module.
  - 8. The data processing method of claim 1, wherein the re-ordering the module scanning sequence comprises the module with the highest block rate placed before a second module with a second highest block rate.

9. A method comprising:
- using an application level firewall, receiving a first unit of data associated with a set of scanning modules based on a sender and receiver of the first unit of data;
  
  wherein the first unit of data is routed through the set of scanning modules in a first sequence;
  
  using a scanner history tracker, in response to a scanning module of the application level firewall discarding the first unit, storing in a record which module in the first sequence discarded the first unit;
  
  using the application level firewall, receiving a second unit of data associated with the set of scanning modules based on a sender and receiver of the second unit of data;
  
  wherein the second unit of data is routed through the set of scanning modules in the first sequence;
  
  using the scanner history tracker, in response to a scanning module of the application level firewall discarding the second unit, storing in the record which module in the first sequence discarded the second unit;
  
  based on the record, re-ordering the first sequence of modules to preserve bandwidth of the application level firewall by dynamically placing a module with a highest ratio of block rate to run-time cost before other modules in the set of scanning modules such that a most effective scanning module blocks data units before scanning is wasted on those data units by other modules;
  
  wherein the method is performed by one or more computing devices.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 10. The method of claim 9, further comprising resetting the record after the re-ordering.
  - 11. The method of claim 9, comprising performing the re-ordering only periodically after receiving a set number of units.
  - 12. The method of claim 9, comprising performing the re-ordering only periodically after a set number of cycles.
  - 13. The method of claim 9, comprising performing the re-ordering only periodically after a set amount of time.
  - 14. The method of claim 9, wherein each module is associated with a number of cycles needed to perform a scanning operation on a constant number of one or more units;
    - wherein the re-ordering the first sequence is based on the record and the number of cycles needed to perform the scanning operation on the constant number of one or more units.
  - 15. The method of claim 9, wherein each module is associated with a specified weight value;
    - wherein re-ordering the first sequence of modules is based on the record and the specified weight value.
  - 16. The method of claim 9, further comprising determining the set of scanning modules among all modules available defined by a security policy;
    - wherein each policy is associated with routing the unit of data through a least number of modules possible to preserve bandwidth through the firewall.
  - 17. The method of claim 16, wherein determining the set of scanning modules comprises determining a reputation value associated with a sender and an address of the sender.
  - 18. The method of claim 17, comprising storing a different record for each set of scanning modules that is defined by the security policy.

19. A data processing apparatus comprising:
- a security gateway computer that filters traffic of application level data units by routing network traffic through a plurality of scanning modules before forwarding the units to a destination specified by the units;
  
  wherein at least some units are received by at least one module in a set of scanning modules over a data communication network and not forwarded toward the destination specified in those units;
  
  the security gateway further comprising;
  
  a scanner history tracker for computing a block rate for each module by tracking, over a period, which units are received by each module in the set and not forwarded toward the destination specified in those units;
  
  a scanner driver for dynamically ordering a module scanning sequence based on the block rate to preserve bandwidth of the security gateway by dynamically placing a module with a highest ratio of block rate to run-time cost before other modules in the set of scanning modules such that a most effective scanning module blocks data units before scanning is wasted on those data units by other modules.
- View Dependent Claims (20)
- - 20. The apparatus of claim 19, wherein the scanning modules are selected from a group consisting of an antivirus module, an anti-spyware module, a file blocking module, an anti-spam module, an anti-phishing module, a URL filtering module, and a content filtering module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Nandagopal, Vijay, Minglani, Himanshu, Selvarajan, Ranjiith, Gorti, Sriram

Granted Patent

US 9,571,454 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0245 Filtering by information in...

H04L 63/1441 Countermeasures against mal...

DYNAMIC RE-ORDERING OF SCANNING MODULES IN SECURITY DEVICES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

14 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DYNAMIC RE-ORDERING OF SCANNING MODULES IN SECURITY DEVICES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links