Distributed filtering and monitoring system for a computer internetwork
Abstract
A system efficiently distributes processing-intensive loads among a plurality of intermediate stations in a computer internetwork. The intermediate stations include routers, bridges, switches and/or firewalls configured with monitoring and filtering agents that communicate via a defined protocol to implement the system. Those stations configured with agents and having available resources cooperate to execute the loads which generally comprise verification operations on digital signatures appended to frame and/or packet traffic traversing paths of the computer internetwork. Techniques associated with the system are directed to efficiently detecting and filtering unauthorized traffic over portions of the internetwork protected as trust domains as well as unprotected portions of the internetwork.
91 Citations
26 Claims
1. A method for efficiently distributing processing-intensive loads among a plurality of intermediate stations in a computer internetwork, the method comprising the steps of:
configuring at least one intermediate station with a monitoring and filtering agent process to execute the loads on packet traversing paths of the computer internetwork; and
at the configured intermediate station, independently processing a random selection of packets according to a fractional spot-checking function to thereby share the loads among the intermediate stations, to process verification operations on digital signatures appended to the packets. (Dependent claims: 2-16.)
apportioning the packets according to even and odd destination addresses; and
selecting packets having even destination addresses by one intermediate station and selecting packets having odd destination addresses by another intermediate station.
5. The method of claim 3 further comprising the steps of, wherein the contents comprise a sequence number:
apportioning the packets according to even and odd sequence numbers; and
selecting packets having even sequence numbers by one intermediate station and selecting packets having odd sequence numbers by another intermediate station.
6. The method of claim 3 further comprising the steps of, wherein the contents comprise an address:
decoding predetermined address bits into distinct values;
apportioning the packets according to the distinct values;
selecting packets by the intermediate stations based on the distinct values; and
reassigning, by communicating between the intermediate stations, corresponding packets to others of the intermediate stations to thereby balance the load among the stations.
7. The method of claim 1 further comprising the steps of, wherein processing of the loads comprises verification operations on digital signatures appended to the packets:
in response to identifying an unauthorized packet by a particular intermediate station, filtering the unauthorized packets; and
altering the random fractional spot-checking of packets by said particular intermediate station on a per flow basis, wherein a flow comprises source and destination addresses, source and destination ports and a flow label of a packet.
8. The method of claim 7 wherein the step of altering comprises the step of spot-checking an increased fraction of the packets.
9. The method of claim 7 wherein the step of altering comprises the step of manually configuring the particular intermediate station to spot-check an increased fraction of the packets based on the flow.
10. The method of claim 1 further comprising the step of, wherein the data traffic comprises packets:
in response to identifying a change in traffic pattern, altering the random fractional spot-checking of packets by each intermediate station on a per flow basis, wherein a flow comprises source and destination addresses, source and destination ports and a flow label of a packet.
11. The method of claim 1 further comprising the step of, wherein a portion of the internetwork is protected as a trusted domain having trusted switches:
employing a flag within a header of a packet to indicate whether the packet has been verified by a trusted switch configured with the monitoring and filtering agent.
12. The method of claim 11 wherein the flag may be contained within one of an unused field of the header and a mini-header appended to the packet.
13. The method of claim 12 further comprising the step of, if a state of the flag indicates that the packet has not been verified by an upstream trusted switch along a path of the computer internetwork:
enabling a downstream trusted switch to process the unverified packet depending upon its available capacity.
14. The method of claim 1, further comprising the steps of:
calculating an optimal path for the packets over the computer internetwork;
determining whether intermediate stations located along the optimal path are configured with the monitoring and filtering agents; and
changing the optimal path of the packets to a non-optimal path that includes additional intermediate stations configured with the monitoring and filtering agents to execute the verification operations on the packets.
15. The method of claim 1 wherein the intermediate station comprises at least one of a switch, a router, a bridge and a firewall.
16. The method of claim 2 wherein the intermediate station comprises at least one of a switch, a router, a bridge, and a firewall.
17. A computer readable medium containing executable program instructions for efficiently distributing processing-intensive loads directed to verification operations on digital signatures appended to packets transferred among a plurality of intermediate stations in a computer internetwork, the executable program instructions comprising program instructions for:
configuring at least one intermediate station with a monitoring and filtering agent process to execute the loads on the packets traversing paths of the computer internetwork; and
at the configured intermediate station, independently processing a selection of the packets assigned to the station according to a hash function that enables checking of the digital signatures to identify one of authorized and unauthorized packets, thereby enabling sharing of the loads among the intermediate stations. (Dependent claims: 18-19.)
decoding predetermined address bits into distinct values;
apportioning the packets according to the distinct values;
assigning packets to the intermediate stations based on the distinct values; and
reassigning certain of the previously-assigned packets to certain of the intermediate stations to thereby balance the load among the stations.
20. A computer data signal embodied in a carrier wave and representing sequences of instructions for efficiently distributing processing-intensive loads directed to verification operations on digital signatures appended to packets transferred among a plurality of intermediate stations in a computer internetwork, the instructions comprising instructions for:
configuring at least one intermediate station with a monitoring and filtering agent process to execute the loads on the packets traversing paths of the computer internetwork; and
at the configured intermediate station, independently processing a selection of the packets assigned to the station according to a hash function that enables checking of the digital signatures to identify one of authorized and unauthorized packets, thereby enabling sharing of the loads among the intermediate stations. (Dependent claims: 21-23.)
in response to identifying an unauthorized packet by a particular intermediate station, filtering the unauthorized packet; and
altering the random fractional spot-checking of packets by the particular intermediate station on a per flow basis.
23. The computer data signal of claim 22 wherein the instructions for altering further comprise instructions for spot-checking an increased fraction of the packets.
24. A system for efficiently distributing processing-intensive loads among a plurality of intermediate stations in a computer internetwork, the system comprising:
a plurality of memory devices containing software programs organized as monitoring and filtering agents to execute the loads on packets traversing paths of the computer internetwork, a portion of the internetwork protected as a trust domain having trusted switches;
a plurality of processing elements coupled to respective ones of the memory devices, each processing element configured to execute a respective agent to independently verify digital signatures appended to a selection of packets to thereby share the loads among the intermediate stations; and
a flag structure contained within a header of a packet to indicate whether the packet has been verified by a trusted switch configured with the monitoring and filtering agent. (Dependent claims: 25-26.)
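The claims above describe one scheme from several angles: apportioning packets among stations by predetermined address bits (claims 4, 6, 17), checking only a random fraction of the assigned packets, filtering a packet whose signature fails and raising the spot-check fraction for that flow (claims 7, 8, 10), and marking verified packets with a header flag so a downstream trusted switch does not repeat the work (claims 11-13). The following Python simulation is an added illustration of how those pieces fit together; it is not code from the patent or its assignee. It assumes an HMAC-SHA256 tag as a stand-in for the digital signature, the low byte of a dotted-quad destination address as the "predetermined address bits", and hypothetical names (`Station`, `run_path`, `simulate`) throughout. The sample traffic is constructed inline.

```python
import hashlib
import hmac
import random
from dataclasses import dataclass

# Assumption: a shared verification key; an HMAC-SHA256 tag stands in for the
# digital signature the claims refer to so the example runs with the stdlib.
KEY = b"constructed-demo-verification-key"


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flow_label: int
    seq: int
    payload: bytes
    sig: bytes = b""
    verified: bool = False   # claims 11-13: "already verified" flag in the header

    def flow(self):
        # Claims 7 and 10: a flow is the addresses, ports and flow label
        return (self.src, self.dst, self.sport, self.dport, self.flow_label)

    def signed_bytes(self):
        hdr = f"{self.src}|{self.dst}|{self.sport}|{self.dport}|{self.flow_label}|{self.seq}|"
        return hdr.encode() + self.payload


def sign(pkt, key=KEY):
    pkt.sig = hmac.new(key, pkt.signed_bytes(), hashlib.sha256).digest()
    return pkt


def signature_valid(pkt, key=KEY):
    expected = hmac.new(key, pkt.signed_bytes(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt.sig)


def address_bucket(dst, n_stations):
    """Claims 4, 6, 17: decode predetermined address bits into a distinct value.
    Assumption: the low byte of the destination address is used; with two
    stations this is exactly the even/odd split of claim 4."""
    return int(dst.rsplit(".", 1)[-1]) % n_stations


class Station:
    """An intermediate station running the monitoring and filtering agent (hypothetical)."""

    def __init__(self, station_id, n_stations, base_fraction, rng):
        self.id = station_id
        self.n = n_stations
        self.base_fraction = base_fraction   # fractional spot-check rate (claim 1)
        self.flow_fraction = {}              # per-flow overrides (claims 7-10)
        self.rng = rng
        self.checked = self.dropped = 0

    def assigned(self, pkt):
        return address_bucket(pkt.dst, self.n) == self.id

    def fraction_for(self, flow):
        return self.flow_fraction.get(flow, self.base_fraction)

    def handle(self, pkt):
        """Return True if the packet is forwarded, False if it is filtered."""
        # Claim 13: a packet already flagged by an upstream trusted switch is not re-checked
        if pkt.verified or not self.assigned(pkt):
            return True
        if self.rng.random() >= self.fraction_for(pkt.flow()):
            return True                      # not selected for spot-checking
        self.checked += 1
        if signature_valid(pkt):
            pkt.verified = True              # claim 11: set the verified flag
            return True
        # Claims 7 and 8: filter the packet and spot-check every packet of this flow from now on
        self.dropped += 1
        self.flow_fraction[pkt.flow()] = 1.0
        return False


def run_path(packets, stations):
    """Push each packet through the stations in path order; return the forwarded packets."""
    return [pkt for pkt in packets if all(st.handle(pkt) for st in stations)]


def make_traffic(n_good, n_forged, rng):
    """Constructed sample traffic: genuine packets plus forgeries signed with a wrong key."""
    pkts = [sign(Packet("10.1.1.1", f"10.0.0.{rng.randrange(2, 250)}", 40000, 443, 7, i, b"data"))
            for i in range(n_good)]
    # All forgeries share one flow (dst 10.0.0.20 -> bucket 0), so escalation kicks in after the first catch
    pkts += [sign(Packet("192.0.2.9", "10.0.0.20", 5555, 443, 99, i, b"bogus"), key=b"attacker-key")
             for i in range(n_forged)]
    rng.shuffle(pkts)
    return pkts


def simulate(seed=1, n_stations=2, base_fraction=0.25):
    rng = random.Random(seed)
    stations = [Station(i, n_stations, base_fraction, rng) for i in range(n_stations)]
    forwarded = run_path(make_traffic(200, 40, rng), stations)
    return {"checked": [st.checked for st in stations],
            "dropped": [st.dropped for st in stations],
            "forwarded_forged": sum(1 for p in forwarded if not signature_valid(p))}


if __name__ == "__main__":
    print(simulate())
```

Running `simulate()` shows the trade-off the claims make explicit: with a 25% base fraction only a quarter of each station's assigned share is verified, so a few forgeries in a flow may pass before the first one is caught, but once a station catches one it checks that flow in full, and every later forgery in the flow is filtered. Raising `base_fraction` to 1.0 gives full verification at full cost; lowering it to 0.0 disables checking entirely.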