Multi-level packet screening with dynamically selected filtering criteria

US 6,983,323 B2
Filed: 08/12/2002
Issued: 01/03/2006
Est. Priority Date: 08/12/2002
Status: Expired due to Term

First Claim

Patent Images

1. A packet filtering device, comprising:

a first filter applying a first filtering criteria against packet traffic to generate a first pass traffic portion and a fail traffic portion; and

a second filter, by-passed by the first pass traffic portion, applying a second filtering criteria against the fail traffic portion to generate a second pass traffic portion and a reject traffic portion;

wherein the first and second filtering criteria are dynamically selected during first and second filter operation to filter packet traffic.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A packet filtering operation implements a hierarchical technique. Received packet traffic is first filtered with a first filtering criteria. This first filtering action generates a first pass traffic portion and a fail traffic portion from the received packet traffic. The fail traffic portion is then second filtered with a second filtering criteria. This second filtering action generates a second pass traffic portion and a reject traffic portion. The first filtering criteria provide for higher throughput, lower accuracy processing while the second filtering criteria provide for lower throughput, higher accuracy processing. Dynamic adjustments may be made to the first and second filtering criteria to achieve better overall packet filtering performance. For example, load is measured and the filtering criteria adjusted to better balance load between the hierarchical filtering actions.

Citations

75 Claims

1. A packet filtering device, comprising:
- a first filter applying a first filtering criteria against packet traffic to generate a first pass traffic portion and a fail traffic portion; and
  
  a second filter, by-passed by the first pass traffic portion, applying a second filtering criteria against the fail traffic portion to generate a second pass traffic portion and a reject traffic portion;
  
  wherein the first and second filtering criteria are dynamically selected during first and second filter operation to filter packet traffic.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The device as in claim 1 wherein the first and second pass traffic portions combined comprise a pass filtered packet traffic output for destination delivery and the reject traffic portion comprises a reject filtered packet traffic output that is not destination delivered.
  - 3. The device as in claim 1 wherein the first filtering criteria are designed to detect suspicious packet traffic for output as the fail traffic portion and the second filtering criteria are designed to detect threatening packet traffic within the suspicious packet traffic for output as the reject traffic portion.
  - 4. The device as in claim 1 wherein the first filtering criteria are designed to trigger a suspicion of dangerous packets within the packet traffic and produce suspicious packets as the fail traffic portion and the second filtering criteria are designed to confirm the presence of dangerous packet traffic within the fail traffic portion and produce dangerous packets as the reject traffic portion.
  - 5. The device as in claim 1 wherein the first and second filtering criteria are user selected.

6. A packet filtering device, comprising:
- a first filter applying a first filtering criteria against packet traffic to generate a first pass traffic portion, a fail traffic portion and a first reject traffic portion; and
  
  a second filter, by-passed by the first pass traffic portion and the first reject traffic portion, applying a second filtering criteria against the fail traffic portion to generate a second pass traffic portion and a second reject traffic portion.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The device as in claim 6 wherein the first and second pass traffic portions combined comprise a pass filtered packet traffic output for destination delivery and the first and second reject traffic portions combined comprise a reject filtered packet traffic output that is not destination delivered.
  - 8. The device as in claim 7 wherein the first filtering criteria are designed to detect suspicious packet traffic for output as the fail traffic portion and dangerous packet traffic for output as the first reject portion, and wherein the second filtering criteria are designed to detect threatening packet traffic within the suspicious packet traffic for output as the second reject traffic portion.
  - 9. The device as in claim 7 wherein the first filtering criteria are designed to trigger a suspicion of dangerous packets within the packet traffic and produce suspicious packets as the fail traffic portion and the second filtering criteria are designed to confirm the presence of dangerous packet traffic within the fail traffic portion and produce dangerous packets as the second reject traffic portion.
  - 10. The device as in claim 9 wherein the first filtering criteria are further designed to trigger detection of dangerous packets within the packet traffic and produce dangerous packets as the first reject traffic portion.
  - 11. The device as in claim 6 wherein the first and second filtering criteria are user selected.
  - 12. The device as in claim 6 wherein the first and second filtering criteria are dynamically selected during first and second filter operation to filter packet traffic.

13. A packet filtering device, comprising:
- a first filter applying a first filtering criteria against packet traffic to generate a first pass traffic portion and a fail traffic portion;
  
  a second filter applying a second filtering criteria against the fail traffic portion to generate a second pass traffic portion and a reject traffic portion; and
  
  a load detector operable to dynamically select the first and second filtering criteria during first and second filter operation on the packet traffic based on measured load.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 74)
- - 14. The device as in claim 13 wherein the load detector includes a traffic monitor operating to measure packet traffic load, the load detector dynamically selecting the first and second filtering criteria based on measured packet traffic load.
  - 15. The device as in claim 14 wherein the measured packet traffic load comprises packet traffic volume.
  - 16. The device as in claim 15 wherein the packet traffic volume comprises a volume of a certain type of packet traffic.
  - 17. The device as in claim 15 wherein the packet traffic volume comprises a volume of packet traffic from a certain origination.
  - 18. The device as in claim 14 further including a load hysteresis evaluated by the load detector and which must be overcome by changes in the measured packet traffic load before a change is made in the first and second filtering criteria.
  - 19. The device as in claim 13 wherein the load detector includes a filter load monitor operating to measure loading of the first and second filters, the load detector dynamically selecting the first and second filtering criteria based on measured load at each of the first and second filters.
  - 20. The device as in claim 19 wherein the measured filter load comprises an identification of dropped packets by one of the first and second filters.
  - 21. The device as in claim 19 wherein the measured filter load comprises an identification of a percentage of filter load capacity for one of the first and second filters.
  - 22. The device as in claim 13 wherein the load detector operates to detect an imbalance in load between the first and second filters, the load detector changing the first and second filtering criteria to better balance load between the first and second filters.
  - 23. The device as in claim 22 wherein the imbalance is indicated by an increased number of false positive packets contained in the fail traffic portion.
  - 24. The device as in claim 13 wherein the application of the first filtering criteria against the packet traffic further generates an additional reject traffic portion such that each of the first pass traffic portion and the additional reject traffic portion by-passes filtering in the second filter.
  - 25. The device as in claim 24 wherein the first and second pass traffic portions combined comprise a pass filtered packet traffic output for destination delivery and the reject traffic portion and additional reject traffic portion combined comprise a reject filtered packet traffic output that is not destination delivered.
  - 26. The device as in claim 13 wherein the first filtering criteria are designed to detect suspicious packet traffic for output as the fail traffic portion, and wherein the second filtering criteria are designed to detect threatening packet traffic within the suspicious packet traffic for output as the reject traffic portion.
  - 27. The device as in claim 13 wherein the first filtering criteria are designed to trigger a suspicion of dangerous packets within the packet traffic and produce suspicious packets as the fail traffic portion and the second filtering criteria are designed to confirm the presence of dangerous packet traffic within the fail traffic portion and produce dangerous packets as the reject traffic portion.
  - 28. The device as in claim 27 wherein the first filtering criteria are further designed to trigger detection of dangerous packets within the packet traffic and produce dangerous packets as an additional reject traffic portion.
  - 29. The device as in claim 13 wherein the dynamic selection of the first and second filtering criteria is made with user input.
  - 74. The device of claim 13 wherein the generated first pass traffic portion by-passes the second filter.

30. A packet filtering device, comprising:
- a first filter applying higher throughput, lower accuracy filtering criteria against packet traffic to generate a first pass traffic portion and a suspicious traffic portion; and
  
  a second filter, by-passed by the first pass traffic portion, applying a lower throughput, higher accuracy filtering criteria against the suspicious traffic portion to generate a second pass traffic portion and a reject traffic portion;
  
  wherein the first and second filtering criteria are dynamically selected during first and second filter operation to filter packet traffic.
- View Dependent Claims (38, 40, 42, 43, 44)
- - 38. The device as in claim 30 further including a functionality operable to adjust a complexity of the filtering criteria applied by the first and second filters to alter the relative throughputs and accuracies.
  - 40. The device as in claim 30 further including a functionality operable to adjust a comprehensiveness of the filtering criteria applied by the first and second filters to alter the relative throughputs and accuracies.
  - 42. The device as in claim 30 wherein the higher throughput, lower accuracy filtering criteria comprises a header field compare and the lower throughput, higher accuracy filtering criteria comprises a protocol decoder.
  - 43. The device as in claim 30 wherein the higher throughput, lower accuracy filtering criteria comprises a trigger content search and the lower throughput, higher accuracy filtering criteria comprises a regular expression matching.
  - 44. The device as in claim 43 wherein the trigger content search comprises a short string compare and the regular expression matching comprises a long string compare.

31. A packet filtering device, comprising:
- a first filter applying higher throughput, lower accuracy filtering criteria against packet traffic to generate a first pass traffic portion and a suspicious traffic portion; and
  
  a second filter, by-passed by the first pass traffic portion, applying a lower throughput, higher accuracy filtering criteria against the suspicious traffic portion to generate a second pass traffic portion and a reject traffic portion; and
  
  a load balancer operable to adjust the relative throughputs and accuracies of the first and second filtering criteria to balance load therebetween.
- View Dependent Claims (32, 33, 34, 35, 36, 37)
- - 32. The device as in claim 31 wherein the load balancer makes the adjustment dynamically in response to measured load.
  - 33. The device as in claim 32 wherein the measured load is first and second filter processing load.
  - 34. The device as in claim 33 wherein the processing load is evaluated in comparison to first and second filter load capacity.
  - 35. The device as in claim 32 wherein the measured load comprises packet traffic volume.
  - 36. The device as in claim 35 wherein the packet traffic volume comprises a volume of a certain type of packet traffic.
  - 37. The device as in claim 35 wherein the packet traffic volume comprises a volume of packet traffic from a certain origination.

39. A packet filtering device, comprising:
- a first filter applying higher throughput, lower accuracy filtering criteria against packet traffic to generate a first pass traffic portion and a suspicious traffic portion; and
  
  a second filter, by-passed by the first pass traffic portion, applying a lower throughput, higher accuracy filtering criteria against the suspicious traffic portion to generate a second pass traffic portion and a reject traffic portion; and
  
  a functionality operable to adjust a complexity of the filtering criteria applied by the first and second filters to alter the relative throughputs and accuracies so as to better balance load between the first and second filters.

41. A packet filtering device, comprising:
- a first filter applying higher throughput, lower accuracy filtering criteria against packet traffic to generate a first pass traffic portion and a suspicious traffic portion anda second filter, by-passed by the first pass traffic portion, applying a lower throughput, higher accuracy filtering criteria against the suspicious traffic portion to generate a second pass traffic portion and a reject traffic portion; and
  
  a functionality operable to adjust a comprehensiveness of the filtering criteria applied by the first and second filters to alter the relative throughputs and accuracies so to better balance load between the first and second filters.

45. A method for hierarchical filtering of packet traffic, comprising the steps of:
- first filtering the packet traffic with a first filtering criteria to generate a first pass traffic portion and a fail traffic portion;
  
  second filtering the fail traffic portion, but not the first pass traffic portion, with a second filtering criteria to generate a second pass traffic portion and a reject traffic portion; and
  
  dynamically selecting the first and second filtering criteria during first and second filtering to filter packet traffic.
- View Dependent Claims (46, 47, 48, 49, 50, 51, 52, 53, 54, 57, 58, 59, 60, 61, 62, 75)
- - 46. The method as in claim 45 wherein the step of first filtering detects suspicious packet traffic for output as the fail traffic portion and the step of second filtering detects threatening packet traffic within the suspicious packet traffic for output as the reject traffic portion.
  - 47. The method as in claim 45 wherein the step of first filtering triggers a suspicion of dangerous packets within the packet traffic and produces suspicious packets as the fail traffic portion and the step of second filtering criteria confirms the presence of dangerous packet traffic within the fail traffic portion and produces dangerous packets as the reject traffic portion.
  - 48. The method as in claim 45 wherein the step of first filtering includes the step of applying the first filtering criteria against the packet traffic to further generate an additional reject traffic portion that by-passes processing by the step of second filtering.
  - 49. The method as in claim 45 further including the steps of:
    - measuring load; and
      
      dynamically selecting the first and second filtering criteria based on measured load.
  - 50. The method as in claim 49 wherein the step of measuring load comprises the step of monitoring packet traffic load with the dynamic selection based on measured packet traffic load.
  - 51. The method as in claim 49 further including the step of applying a load hysteresis which must be overcome by changes in the measured load before a change is made in the first and second filtering criteria.
  - 52. The method as in claim 49 wherein the step of measuring load comprises the step of monitoring loading due to performance of the first and second filtering steps with the dynamic selection based on measured filtering step load.
  - 53. The method as in claim 49 wherein the step of measuring load comprises the step of detecting an imbalance in load between performance of the first and second filtering steps with the dynamic selection made to better balance filtering step load.
  - 54. The method as in claim 45 wherein:
    - the step of first filtering includes the step of applying higher throughput, lower accuracy filtering criteria against the packet traffic; and
      
      the step of second filtering includes the step of applying lower throughput, higher accuracy filtering criteria against the fail traffic portion.
  - 57. The method as in claim 54 further including the step of adjusting a complexity of the first and second filtering criteria to alter the relative throughputs and accuracies.
  - 58. The method as in claim 54 further including the step of adjusting a comprehensiveness of the first and second filtering criteria to alter the relative throughputs and accuracies.
  - 59. The method as in claim 54 wherein the higher throughput, lower accuracy filtering criteria comprises a header field compare and the lower throughput, higher accuracy filtering criteria comprises a protocol decoder.
  - 60. The method as in claim 54 wherein the higher throughput, lower accuracy filtering criteria comprises a trigger content search and the lower throughput, higher accuracy filtering criteria comprises a regular expression matching.
  - 61. The method as in claim 60 wherein the trigger content search comprises a short string compare and the regular expression matching comprises a long string compare.
  - 62. The method as in claim 45 further including the step of user selecting the first and second filtering criteria.
  - 75. The method as in claim 45 further comprising:
    - combining the first and second pass traffic portions as a pass filtered packet traffic output for destination delivery; and
      
      combining the reject traffic portion and additional reject traffic portion as a reject filtered packet traffic output that is not destination delivered.

55. A method for hierarchical filtering of packet traffic, comprising the steps of:
- first filtering the packet traffic with a first filtering criteria to generate a first pass traffic portion and a fail traffic portion;
  
  second filtering the fail traffic portion, but not the first pass traffic portion, with a second filtering criteria to generate a second pass traffic portion and a reject traffic portionwherein;
  
  the step of first filtering includes the step of applying higher throughput, lower accuracy filtering criteria against the packet traffic andthe step of second filtering includes the step of applying lower throughput, higher accuracy filtering criteria against the fail traffic portion andfurther including the step of balancing load between the first and second filtering steps by adjusting the relative throughputs and accuracies of the first and second filtering criteria.
- View Dependent Claims (56)
- - 56. The method as in claim 55 wherein the step of adjusting to balance load is made dynamically in response to measured load.

63. A packet filtering device, comprising:
- a first filter applying a first filtering criteria against packet traffic to generate a first pass traffic portion and a fail traffic portion;
  
  a second filter applying a second filtering criteria against the fail traffic portion to generate a second pass traffic portion and a reject traffic portion;
  
  a load detector operable to detect an imbalance in load between the first and second filters and dynamically change the first and second filtering criteria during operation of the first and second filters in filtering packet traffic based on measured load to better balance load between the first and second filters.
- View Dependent Claims (64)
- - 64. The device as in claim 63 wherein the imbalance is indicated by an increased number of false positive packets contained in the fail traffic portion.

65. A packet filtering device, comprising:
- a first filter applying higher throughput, lower accuracy filtering criteria against packet traffic to generate a first pass traffic portion and a suspicious traffic portion;
  
  a second filter applying a lower throughput, higher accuracy filtering criteria against the suspicious traffic portion to generate a second pass traffic portion and a reject traffic portion; and
  
  a functionality operable to adjust a complexity of the filtering criteria applied by the first and second filters to alter the relative throughputs and accuracies, wherein the functionality makes the complexity adjustments to better balance load between the first and second filters.

66. A packet filtering device, comprising:
- a first filter applying higher throughput, lower accuracy filtering criteria against packet traffic to generate a first pass traffic portion and a suspicious traffic portion;
  
  a second filter applying a lower throughput, higher accuracy filtering criteria against the suspicious traffic portion to generate a second pass traffic portion and a reject traffic portion; and
  
  a functionality operable to adjust a comprehensiveness of the filtering criteria applied by the first and second filters to alter the relative throughputs and accuracies, wherein the functionality makes the comprehensiveness adjustments to better balance load between the first and second filters.

67. A packet filtering device, comprising:
- a first filter including a first plurality of filter modules, each filter module having associated first filtering criteria;
  
  a second filter including a second plurality of filter modules, each filter module having associated second filtering criteria; and
  
  a generator module operating to select at least one of the first plurality of filter modules and at least one of the second plurality of filter modules;
  
  the associated first filtering criteria of the selected first plurality of filter modules being applied against packet traffic to generate a first pass traffic portion and a fail traffic portion; and
  
  the associated second filtering criteria of the selected second plurality of filter modules being applied against the fail traffic portion to generate a second pass traffic portion and a reject traffic portion; and
  
  wherein the generator module operates to dynamically select the first and second plurality of filtering modules during first and second filter operation in filtering packet traffic based on measured load at each filter so as to balance load between the first and second filters.

68. A packet filtering device, comprising:
- a first filter applying a first filtering criteria against packet traffic to generate a first pass traffic portion and a fail traffic portion; and
  
  a second filter applying a second filtering criteria against the fail traffic portion to generate a second pass traffic portion and a reject traffic portion;
  
  wherein the first and second filtering criteria are dynamically selected during operation of the first and second filters in filtering packet traffic.
- View Dependent Claims (69)
- - 69. The device as in claim 68 wherein the first and second pass traffic portions combined comprise a pass filtered packet traffic output for delivery and the reject traffic portion comprises a reject filtered packet traffic output that is not delivered.

70. A packet filtering device, comprising:
- a first filter applying a first filtering criteria against packet traffic to generate a first pass traffic portion, a fail traffic portion and a first reject traffic portion; and
  
  a second filter applying a second filtering criteria against the fail traffic portion to generate a second pass traffic portion and a second reject traffic portion;
  
  wherein the first and second filtering criteria are dynamically selected during operation of the first and second filters in filtering packet traffic.
- View Dependent Claims (71)
- - 71. The device as in claim 70 wherein the first and second pass traffic portions combined comprise a pass filtered packet traffic output for delivery and the first and second reject traffic portions combined comprise a reject filtered packet traffic output that is not delivered.

72. A method for hierarchical filtering of packet traffic, comprising the steps of:
- first filtering the packet traffic with a first filtering criteria to generate a first pass traffic portion and a fail traffic portion; and
  
  second filtering the fail traffic portion with a second filtering criteria to generate a second pass traffic portion and a reject traffic portion;
  
  wherein the first and second filtering criteria are dynamically selected during implementation of the steps of first and second filtering of the packet traffic.
- View Dependent Claims (73)
- - 73. The method as in claim 72 further comprising:
    - delivering the first and second pass traffic portions as pass filtered packet traffic; and
      
      not delivering the reject traffic portion as reject filtered packet traffic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
TippingPoint Technologies, Inc. (Trend Micro Inc.)
Inventors
Smith, Brian, Willebeek-LeMair, Marc, Cox, Dennis, Cantrell, Craig, Kolbly, Donovan
Primary Examiner(s)
VU, VIET DUY

Application Number

US10/217,862
Publication Number

US 20040030776A1
Time in Patent Office

1,240 Days
Field of Search

709/206, 709/207, 709/217, 709/219, 709/220, 709/223, 709/224, 709/225, 709/238, 709/250, 709/226, 718/105, 713/153, 713/154
US Class Current

709/225
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0263   Rule management

H04L 63/1408   by monitoring network traff...

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/22   Parsing or analysis of headers

H04L 9/40   Network security protocols

Multi-level packet screening with dynamically selected filtering criteria

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

75 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-level packet screening with dynamically selected filtering criteria

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

75 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links