Signature driven cache extension for stream based scanning

US 7,130,981 B1
Filed: 04/06/2004
Issued: 10/31/2006
Est. Priority Date: 04/06/2004
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for dynamically resizing a flow scanning cache used to scan a flow for presence of malicious code signatures, the method comprising the steps of:

a scanning manager reading a directive contained within a known malicious code signature, said directive instructing the scanning manager to resize the flow scanning cache;

the scanning manager dynamically resizing the flow scanning cache responsive to the directive;

and the scanning manager scanning for presence of a known malicious code signature within the resized flow scanning cache.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A scanning manager (101) dynamically resizes (205) a flow scanning cache (109) based on signature (105) content in order to scan a flow (103) for signatures (105). The scanning manager (101) reads a directive (107) in a signature (105) to resize (205) the cache (109) in order to scan the flow (103) for the signature (105). The scanning manager (101) dynamically resizes (205) the cache (109) responsive to the directive (107), and scans for the signature (105) within the resized cache (109).

Citations

43 Claims

1. A computer implemented method for dynamically resizing a flow scanning cache used to scan a flow for presence of malicious code signatures, the method comprising the steps of:
- a scanning manager reading a directive contained within a known malicious code signature, said directive instructing the scanning manager to resize the flow scanning cache;
  
  the scanning manager dynamically resizing the flow scanning cache responsive to the directive;
  
  and the scanning manager scanning for presence of a known malicious code signature within the resized flow scanning cache.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 41, 42)
- - 2. The method of claim 1 wherein the step of the scanning manager dynamically resizing the flow scanning cache comprises:
    - the scanning manager dynamically expanding the flow scanning cache to a specific size, in response to the directive contained within the known malicious code signature.
  - 3. The method of claim 2 further comprising the steps of:
    - the scanning manager comparing the specific size specified by the directive to a maximum flow scanning cache size;
      
      and responsive to determining that the specified size is greater than the maximum flow scanning cache size, the scanning manager performing a step from a group of steps consisting of;
      
      the scanning manager dynamically expanding the flow scanning cache to a default expanded size;
      
      and the scanning manager classifying the result of the determination as an error condition.
  - 4. The method of claim 1 wherein the step of the scanning manager dynamically resizing the flow scanning cache comprises:
    - the scanning manager dynamically resizing the flow scanning cache to a default expanded cache size, in response to the directive contained within the known malicious code signature not specifying a specific number of bytes.
  - 5. The method of claim 1 wherein the step of the scanning manager dynamically resizing the flow scanning cache comprises:
    - the scanning manager dynamically contracting the flow scanning cache to a specific size, in response to the directive contained within the known malicious code signature.
  - 6. The method of claim 1 further comprising the steps of:
    - the scanning manager reading the directive;
      
      the scanning manager determining that the flow scanning cache is already sized sufficiently as per the directive;
      
      and the scanning manager ignoring the directive.
  - 7. The method of claim 1 further comprising the step of:
    - the scanning manager dynamically resizing the flow scanning cache, after scanning for the known malicious code signature within the resized flow scanning cache.
  - 8. The method of claim 7 wherein the step of the scanning manager dynamically resizing the flow scanning cache comprises:
    - the scanning manager dynamically contracting the flow scanning cache to a default size.
  - 9. The method of claim 1 wherein the steps are performed by a scanning manager which is incorporated into at least one of the following:
    - a firewall;
      
      a network card embedded client firewall;
      
      an intrusion prevention system;
      
      an intrusion detection system;
      
      an intrusion detection system application proxy;
      
      a router;
      
      a switch;
      
      a standalone proxy;
      
      a server;
      
      a gateway;
      
      a client.
  - 41. The method of claim 1 further comprising the steps of:
    - the scanning manager reading a directive contained within a known malicious code signature, said signature instructing the scanning manager to dynamically resize the flow scanning cache;
      
      the scanning manager determining that the flow scanning cache is already sized as per the directive; and
      
      the scanning manager ignoring the directive.
  - 42. The method of claim 1 wherein the step of the scanning manager dynamically resizing the flow scanning cache comprises:
    - the scanning manager dynamically resizing the flow scanning cache to a relative size, in response to the directive.

10. A computer implemented method for dynamically resizing a flow scanning cache used to scan at least one flow for presence of malicious code signatures, the method comprising the steps of:
- prior to scanning at least one flow, a scanning manager reading a plurality of known malicious code signatures;
  
  the scanning manager determining from content of at least one known malicious code signature an optimal flow scanning cache size for scanning for that malicious code signature;
  
  and while scanning a flow for the plurality of known malicious code signatures, the scanning manager dynamically resizing the flow scanning cache based on the determined optimal flow scanning cache size for at least one known malicious code signature of the plurality, as the scanning manager is scanning for that known malicious code signature.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 43)
- - 11. The method of claim 10 wherein the step of the scanning manager dynamically resizing the flow scanning cache comprises:
    - the scanning manager dynamically expanding the flow scanning cache to the determined optimal size for a specific known malicious code signature.
  - 12. The method of claim 11 further comprising the steps of:
    - the scanning manager comparing the determined optimal size for a specific known malicious code signature to a maximum flow scanning cache size; and
      
      responsive to determining that the size is greater than the maximum flow scanning cache size, the scanning manager performing a step from a group of steps consisting of;
      
      the scanning manager dynamically expanding the flow scanning cache to a default expanded size; and
      
      the scanning manager classifying the result of the determination as an error condition.
  - 13. The method of claim 10 wherein the step of the scanning manager dynamically resizing the flow scanning cache comprises:
    - the scanning manager dynamically contracting the flow scanning cache to the determined optimal size for a specific known malicious code signature.
  - 14. The method of claim 10 further comprising the steps of:
    - the scanning manager determining that the flow scanning cache is already sufficiently sized as per the determined optimal size for a specific known malicious code signature;
      
      and the scanning manager scanning for that known malicious code signature without resizing the flow scanning cache.
  - 15. The method of claim 10 further comprising the step of:
    - the scanning manager dynamically resizing the flow scanning cache, after scanning for a known malicious code signature within the resized flow scanning cache.
  - 16. The method of claim 15 wherein the step of the scanning manager dynamically resizing the flow scanning cache comprises:
    - the scanning manager dynamically contracting the flow scanning cache to a default size.
  - 17. The method of claim 10 wherein:
    - the step of the scanning manager determining an optimal flow scanning cache size for scanning at least one known malicious code signature further comprises;
      
      the scanning manager determining a first optimal flow scanning cache size for scanning for a first portion of the at least one known malicious code signature; and
      
      the scanning manager determining at least one additional optimal flow scanning cache size for scanning for at least one additional portion of that at least one known malicious code signature;
      
      and wherein the step of the scanning manager dynamically resizing the flow scanning cache based on the determined optimal flow scanning cache size as the scanning manager is scanning for the at least one known malicious code signature further comprises;
      
      the scanning manager dynamically-resizing the flow scanning cache to the first determined optimal size as the scanning manager is scanning for the first portion of the at least one known malicious code signature; and
      
      the scanning manager dynamically resizing the flow scanning cache to at least one additional optimal size as the scanning manager is scanning for at least one additional portion of that at least one known malicious code signature.
  - 18. The method of claim 10 wherein the steps are performed by a scanning manager which is incorporated into at least one of the following:
    - a firewall;
      
      a network card embedded client firewall;
      
      an intrusion prevention system;
      
      an intrusion detection system;
      
      an intrusion detection system application proxy;
      
      a router;
      
      a switch;
      
      a standalone proxy;
      
      a server;
      
      a gateway;
      
      a client.
  - 43. The method of claim 10 further comprising the steps of:
    - the scanning manager determining that the flow scanning cache is already sized as per the determined optimal size for a specific known malicious code signature; and
      
      the scanning manager scanning for that known malicious code signature without resizing the flow scanning cache.

19. A computer readable medium storing a computer program product for dynamically resizing a flow scanning cache used to scan a flow for presence of malicious code signatures, the computer program product comprising:
- program code, acting as a scanning manager, for reading a directive in contained within a known malicious code signature, said directive instructing to resize the flow scanning cache;
  
  program code, acting as a scanning manager, for dynamically resizing the flow scanning cache responsive to the directive;
  
  and program code, acting as a scanning manager, for scanning for the known malicious code signature within the resized flow scanning cache.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The computer program product of claim 19 wherein the program code for dynamically resizing the flow scanning cache comprises:
    - program code for dynamically expanding the flow scanning cache to a specific size, in response to the directive contained within the known malicious code signature.
  - 21. The computer program product of claim 20 further comprising:
    - program code for comparing the specific size specified by the directive to a maximum flow scanning cache size; and
      
      program code for, responsive to determining that the specified size is greater than the maximum flow scanning cache size, performing a step from a group of steps consisting of;
      
      dynamically expanding the flow scanning cache to a default expanded size; and
      
      classifying the result of the determination as an error condition.
  - 22. The computer program product of claim 19 wherein the program code for dynamically resizing the flow scanning cache comprises:
    - program code for dynamically resizing the flow scanning cache to a default expanded cache size, in response to the directive not specifying a specific number of bytes.
  - 23. The computer program product of claim 19 further comprising:
    - program code for dynamically contracting the flow scanning cache to a default size, after scanning for the known malicious code signature within the resized flow scanning cache.

24. A computer readable medium storing a computer program product for dynamically resizing a flow scanning cache used to scan at least one flow for presence of malicious code signatures, the computer program product comprising:
- program code, acting as a scanning manager, for, prior to scanning at least one flow, reading a plurality of known malicious code signatures;
  
  program code, acting as a scanning manager, for determining from content of at least one known malicious code signature an optimal flow scanning cache size for scanning for that known malicious code signature;
  
  and program code, acting as a scanning manager, for, while scanning a flow for the plurality of known malicious code signatures, dynamically resizing the flow scanning cache based on the determined optimal flow scanning cache size for at least one known malicious code signature of the plurality, as the program code is scanning for that known malicious code signature.
- View Dependent Claims (25, 26, 27, 28)
- - 25. The computer program product of claim 24 wherein the program code for dynamically resizing the flow scanning cache comprises:
    - program code for dynamically expanding the flow scanning cache to the determined optimal size for a specific known malicious code signature.
  - 26. The computer program product of claim 25 further comprising:
    - program code for comparing the determined optimal size for a specific known malicious code signature to a maximum flow scanning cache size;
      
      and program code for, responsive to determining that the size is greater than the maximum flow scanning cache size, performing a step from a group of steps consisting of;
      
      dynamically expanding the flow scanning cache to a default expanded size;
      
      and classifying the result of the determination as an error condition.
  - 27. The computer program product of claim 24 further comprising:
    - program code for dynamically contracting the flow scanning cache to a default size, after scanning for a known malicious code signature within the resized flow scanning cache.
  - 28. The computer program product of claim 24 wherein:
    - the program code for determining an optimal flow scanning cache size for scanning for at least one known malicious code signature further comprises;
      
      program code for determining a first optimal flow scanning cache size for scanning for a first portion of the at least one known malicious code signature; and
      
      program code for determining at least one additional optimal flow scanning cache size for scanning for at least one additional portion of that at least one known malicious code signature;
      
      and wherein the program code for dynamically resizing the flow scanning cache based on the determined optimal flow scanning cache size as program code is scanning for the at least one known malicious code signature further comprises;
      
      program code for dynamically resizing the flow scanning cache to the first determined optimal size as program code for is scanning for the first portion of the at least one known malicious code signature; and
      
      program code for dynamically resizing the flow scanning cache to at least one additional optimal size as program code for is scanning for at least one additional portion of that at least one known malicious code signature.

29. A computer system for dynamically resizing a flow scanning cache used to scan a flow for known malicious code signatures, the computer system comprising:
- a software portion, acting as a scanning manager, configured to read a directive in a known malicious code signature to resize the flow scanning a cache in order to scan the flow for the known malicious code signature;
  
  a software portion, acting as a scanning manager, configured to dynamically resize the flow scanning cache responsive to the directive;
  
  and a software portion, acting as a scanning manager, configured to scan for the known malicious code signature within the resized flow scanning cache.
- View Dependent Claims (30, 31, 32, 33, 34)
- - 30. The computer system of claim 29 wherein the software portion configured to dynamically resize the flow scanning cache comprises:
    - a software portion configured to dynamically expand the flow scanning cache to a specific size, in response to the directive in the known malicious code signature.
  - 31. The computer system of claim 30 further comprising:
    - a software portion configured to compare the specific size specified by the directive to a maximum flow scanning cache size;
      
      and a software portion configured to, responsive to determining that the specified size is greater than the maximum flow scanning cache size, perform a step from a group of steps consisting of;
      
      dynamically expanding the flow scanning cache to a default expanded size;
      
      and classifying the result of the determination as an error condition.
  - 32. The computer system of claim 29 wherein the software portion configured to dynamically resize the flow scanning cache comprises:
    - a software portion configured to dynamically resize the flow scanning cache to a default expanded cache size, in response to the directive in the known malicious code signature not specifying a specific number of bytes.
  - 33. The computer system of claim 29 further comprising:
    - a software portion configured to dynamically contract the flow scanning cache to a default size, after scanning for the known malicious code signature within the resized flow scanning cache.
  - 34. The computer system of claim 29 wherein the software portions are incorporated into at least one of the following:
    - a firewall;
      
      a network card embedded client firewall;
      
      an intrusion prevention system;
      
      an intrusion detection system;
      
      an intrusion detection system application proxy;
      
      a router;
      
      a switch;
      
      a standalone proxy;
      
      a server;
      
      a gateway;
      
      a client.

35. A computer system for dynamically resizing a flow scanning cache used to scan at least one flow for presence of malicious code signatures, the computer system comprising:
- a software portion, acting as a scanning manager, configured to, prior to scanning at least one flow, read a plurality of known malicious code signatures;
  
  a software portion, acting as a scanning manager, configured to determine from content of at least one known malicious code signature an optimal flow scanning cache size for scanning for that known malicious code signature;
  
  and a software portion, acting as a scanning manager, configured to, while scanning a flow for the plurality of known malicious code signatures, dynamically resize the flow scanning cache based on the determined optimal flow scanning cache size for at least one known malicious code signature of the plurality, as the software portion is scanning for that known malicious code signature.
- View Dependent Claims (36, 37, 38, 39, 40)
- - 36. The computer system of claim 35 wherein the software portion configured to dynamically resize the flow scanning cache comprises:
    - a software portion configured to dynamically expand the flow scanning cache to the determined optimal size for a specific known malicious code signature.
  - 37. The computer system of claim 36 further comprising:
    - a software portion configured to compare the determined optimal size for a specific known malicious code signature to a maximum flow scanning cache size;
      
      and a software portion configured to, responsive to determining that the size is greater than the maximum flow scanning cache size, perform a step from a group of steps consisting of dynamically expanding the flow scanning cache to a default expanded size;
      
      and classifying the result of the determination as an error condition.
  - 38. The computer system of claim 35 further comprising:
    - a software portion configured to dynamically contract the flow scanning cache to a default size, after scanning for a known malicious code signature within the resized flow scanning cache.
  - 39. The computer system of claim 35 wherein:
    - the software portion configured to determine an optimal flow scanning cache size for scanning for at least one known malicious code signature further comprises;
      
      a software portion configured to determine a first optimal flow scanning cache size for scanning for a first portion of the at least one known malicious code signature; and
      
      a software portion configured to determine at least one additional optimal flow scanning cache size for scanning for at least one additional portion of that at least one known malicious code signature;
      
      and wherein the software portion configured to dynamically resize the flow scanning cache based on the determined optimal flow scanning cache size as a software portion is scanning for the at least one known malicious code signature further comprises;
      
      a software portion configured to dynamically resize the flow scanning cache to the first determined optimal size as a software portion is scanning for the first portion of the at least one known malicious code signature; and
      
      a software portion configured to dynamically resize the flow scanning cache to at least one additional optimal size as a software portion is scanning for at least one additional portion of that at least one known malicious code signature.
  - 40. The computer system of claim 35 wherein the software portions are incorporated into at least one of the following:
    - a firewall;
      
      a network card embedded client firewall;
      
      an intrusion prevention system;
      
      an intrusion detection system;
      
      an intrusion detection system application proxy;
      
      a router;
      
      a switch;
      
      a standalone proxy;
      
      a server;
      
      a gateway;
      
      a client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Nachenberg, Carey
Primary Examiner(s)
BATAILLE, PIERRE MICHE
Assistant Examiner(s)
Iwashko, Lev

Application Number

US10/819,494
Time in Patent Office

938 Days
Field of Search

711/170
US Class Current

711/170
CPC Class Codes

G06F 21/564   by virus signature recognition

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Signature driven cache extension for stream based scanning

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

Signature driven cache extension for stream based scanning

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links