Distributed filtering and monitoring system for a computer internetwork

US 6,658,565 B1
Filed: 06/01/1998
Issued: 12/02/2003
Est. Priority Date: 06/01/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method for efficiently distributing processing-intensive loads among a plurality of intermediate stations in a computer internetwork, the method comprising the steps of:

configuring at least one intermediate station with a monitoring and filtering agent process to execute the loads on packet traversing paths of the computer internetwork; and

at the configured intermediate station, independently processing a random selection of packets according to a fractional spot-checking function to thereby share the loads among the intermediate stations, to process verification operations on digital signatures appended to the packets.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system efficiently distributes processing-intensive loads among a plurality of intermediate stations in a computer internetwork. The intermediate stations include routers, bridges, switches and/or firewalls configured with monitoring and filtering agents that communicate via a defined protocol to implement the system. Those stations configured with agents and having available resources cooperate to execute the loads which generally comprise verification operations on digital signatures appended to frame and/or packet traffic traversing paths of the computer internetwork. Techniques associated with the system are directed to efficiently detecting and filtering unauthorized traffic over portions of the internetwork protected as trust domains as well as unprotected portions of the internetwork.

91 Citations

View as Search Results

26 Claims

1. A method for efficiently distributing processing-intensive loads among a plurality of intermediate stations in a computer internetwork, the method comprising the steps of:
- configuring at least one intermediate station with a monitoring and filtering agent process to execute the loads on packet traversing paths of the computer internetwork; and
  
  at the configured intermediate station, independently processing a random selection of packets according to a fractional spot-checking function to thereby share the loads among the intermediate stations, to process verification operations on digital signatures appended to the packets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1 wherein the selection of packets processed by the configured intermediate station is selected by said intermediate station according to a hash function.
  - 3. The method of claim 2 further comprising the step of invoking the hash function to distinguish the packets based on contents of a field of each packet.
  - 4. The method of claim 3 further comprising the steps of, wherein the contents comprise a destination address:
5. The method of claim 3 further comprising the steps of, wherein the contents comprise a sequence number:
- apportioning the packets according to even and odd sequence numbers; and
  
  selecting packets having even sequence numbers by one intermediate station and selecting packets having odd sequence numbers by another intermediate station.
6. The method of claim 3 further comprising the steps of, wherein the contents comprise an address:
- decoding predetermined address bits into distinct values;
  
  apportioning the packets according to the distinct values;
  
  selecting packets by the intermediate stations based on the distinct values; and
  
  reassigning, by communicating between the intermediate stations, to reassign corresponding packets to others of the intermediate stations to thereby balance the load among the stations.
7. The method of claim 1 further comprising the steps of, wherein processing of the loads comprises verification operations on digital signatures appended to the packets:
- in response to identifying an unauthorized packet by a particular intermediate station, filtering the unauthorized packets; and
  
  altering the random fractional spot-checking of packets by said particular intermediate station on a per flow bases, wherein a flow comprises source and destination addresses, source and destination ports and a flow label of a packet.
8. The method of claim 7 wherein the step of altering comprises the step of spot-checking an increased fraction of the packets.
9. The method of claim 7 wherein the step of altering comprises the step of manually configuring the particular intermediate station to spot-check an increased fraction of the packets based on the flow.
10. The method of claim 1 further comprising the step of, wherein the data traffic comprises packets:
- in response to identifying a change in traffic pattern, altering the random fractional spot-checking of packets by each intermediate station on a per flow basis, wherein a flow comprises source and destination addresses, source and destination ports and a flow label of a packet.
11. The method of claim 1 further comprising the step of, wherein a portion of the internetwork is protected as a trusted domain having trusted switches:
- employing a flag within a header of a packet to indicate whether the packet has been verified by a trusted switch configured with the monitoring and filtering agent.
12. The method of claim 11 wherein the flag may be contained within one of an unused field of the header and a mini-header appended to the packet.
13. The method of claim 12 further comprising the step of, if a state of the flag indicates that the packet has not been verified by an upstream trusted switch along a path of the computer internetwork:
- enabling a downstream trusted switch to process the unverified packet depending upon its available capacity.
14. The method of claim 1, further comprising the steps of:
- calculating an optimal path for the packets over the computer internetwork;
  
  determining whether intermediate stations located along the optimal path are configured with the monitoring and filtering agents; and
  
  changing the optimal path of the packets to a non-optimal path that includes additional intermediate stations configured with the monitoring and filtering agents to execute the verification operations on the packets.
15. The method of claim 1 wherein the intermediate station comprises at least one of a switch, a router, a bridge and a firewall.
16. The method of claim 2 wherein the intermediate station comprises at least one of a switch, a router, a bridge, and a firewall.

17. A computer readable medium containing executable program instructions for efficiently distributing processing-intensive loads directed to verification operations on digital signatures appended to packets transferred among a plurality of intermediate stations in a computer internetwork, the executable program instructions comprising program instructions for:
- configuring at least one intermediate station with a monitoring and filtering agent process to execute the loads on the packets traversing paths of the computer internetwork; and
  
  at the configured intermediate station, independently processing a selection of the packets assigned to the station according to a hash function that enables checking of the digital signatures to identify one of authorized and unauthorized packets, thereby enabling sharing of the loads among the intermediate stations.
- View Dependent Claims (18, 19)
- - 18. The computer readable medium of claim 17 wherein said executable program instructions further comprise program instructions for invoking the hash function to distinguish the packets based on contents of a field of each packet.
  - 19. The computer readable medium of claim 18 wherein said executable program instructions further comprise program instructions for, wherein the contents comprise an address:

20. A computer data signal embodied in a carrier wave and representing sequences of instructions for efficiently distributing processing-intensive loads directed to verification operations on digital signatures appended to packets transferred among a plurality of intermediate stations in a computer internetwork, the instructions comprising instructions for:
- configuring at least one intermediate station with a monitoring and filtering agent process to execute the loads on the packets traversing paths of the computer internetwork; and
  
  at the configured intermediate station, independently processing a selection of the packets assigned to the station according to a hash function that enables checking of the digital signatures to identify one of authorized and unauthorized packets, thereby enabling sharing of the loads among the intermediate stations.
- View Dependent Claims (21, 22, 23)
- - 21. The computer data signal of claim 20 wherein the selection of packets processed by each intermediate station is randomly assigned according to a fractional spot-checking function, said fractional spot checking function selecting a predetermined fraction of packets for processing, to enable checking of the digital signatures to identify one of authorized and unauthorized packets.
  - 22. The computer data signal of claim 21 wherein the instructions further comprise instructions for:
23. The computer data signal of claim 22 wherein the instructions for altering further comprise instructions for spot-checking an increased fraction of the packets.

24. A system for efficiently distributing processing-intensive loads among a plurality of intermediate stations in a computer internetwork, the system comprising:
- a plurality of memory devices containing software programs organized as monitoring and filtering agents to execute the loads on packets traversing paths of the computer inter-network, a portion of the internetwork protected as a trust domain having trusted switches;
  
  a plurality of processing elements coupled to respective ones of the memory devices, each processing element configured to execute a respective agent to independently verify digital signatures appended to a selection of packets to thereby share the loads among the intermediate stations; and
  
  a flag structure contained within a header of a packet to indicate whether the packet has been verified by a trusted switch configured with the monitoring and filtering agent.
- View Dependent Claims (25, 26)
- - 25. The system of claim 24 wherein the flag structure may be contained within one of an unused field of the header and a mini-header appended to the packet.
  - 26. The system of claim 25 wherein the intermediate station comprises one of a switch and a router.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Chiu, Dah-Ming, Gupta, Amit, Perlman, Radia Joy
Primary Examiner(s)
Marcelo, Melvin
Assistant Examiner(s)
LEE, CHI HO A

Application Number

US09/088,348
Time in Patent Office

2,010 Days
Field of Search

370/389, 370/392, 370/393, 370/230-235, 370/252, 370/400, 370/351, 370/352, 370/357, 713/153, 713/154, 713/160, 713/176, 713/161, 713/200, 713/168, 713/201, 709/105, 709/223-235, 709/237, 709/238, 709/244
US Class Current

713/153
CPC Class Codes

H04L 41/046   comprising network manageme...

H04L 43/028   by filtering

H04L 63/0218   Distributed architectures, ...

H04L 63/0245   Filtering by information in...

H04L 63/1408   by monitoring network traff...

H04L 67/10   in which an application is ...

H04L 9/40   Network security protocols

Distributed filtering and monitoring system for a computer internetwork

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

91 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

Distributed filtering and monitoring system for a computer internetwork

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

91 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others