Dynamic network security apparatus and methods or network processors

US 7,540,028 B2
Filed: 10/25/2002
Issued: 05/26/2009
Est. Priority Date: 10/25/2002
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

generating a statistic associated with a plurality of communication packets received by a processor;

determining a security attack on the processor is in progress based at least in part on the statistic;

determining whether to load a security algorithm based on an amount of download time to download the security algorithm; and

loading the security algorithm in a fast path of the processor based on the determining whether to load the security algorithm.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for loading a security algorithm in a fast path of a network processor are disclosed. In an example method, a network processor generates a statistic associated with a plurality of communication packets received by the network processor, determines a security attack on the network processor is in progress based on the statistic and loads the security algorithm in the fast path of the network processor.

50 Citations

View as Search Results

50 Claims

1. A method comprising:
- generating a statistic associated with a plurality of communication packets received by a processor;
  
  determining a security attack on the processor is in progress based at least in part on the statistic;
  
  determining whether to load a security algorithm based on an amount of download time to download the security algorithm; and
  
  loading the security algorithm in a fast path of the processor based on the determining whether to load the security algorithm.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further including calculating a function that balances adaptation time and communication throughput and comparing a result of the function to a threshold value prior to loading the security algorithm in the fast path of the processor.
  - 3. The method of claim 1, wherein loading the security algorithm in the fast path of the processor includes loading the security algorithm in the fast path of the processor based on a comparison of a value function result and a threshold value.
  - 4. The method of claim 1, wherein loading the security algorithm in the fast path of the processor comprises loading the security algorithm in response to determining that the amount of download time to download the security algorithm is acceptable relative to a second amount of time indicative of an elapsed duration since a previous download of the security algorithm.
  - 5. The method of claim 1, further including determining the security algorithm is available for downloading from a database associated with the processor.
  - 6. The method of claim 1, wherein generating the statistic associated with the plurality of communication packets received by the processor includes generating one or more of a SYN rate statistic, a connection queue statistic, or a resource allocation statistic.
  - 7. The method of claim 1, wherein determining the security attack on the processor is in progress based at least in part on the statistic includes comparing the statistic to a threshold value associated with the security attack.
  - 8. The method of claim 7, wherein comparing the statistic to the threshold value associated with the security attack includes comparing the statistic to a value associated with one or more of a TCP SYN attack, an IP source address spoofing attack, a UDP flooding attack, an ICMP echo reply attack, an ICMP flooding attack, or a sequence number attack.

9. A system comprising:
- a memory containing a plurality of security algorithms; and
  
  a processor coupled to the memory and programmed to;
  
  generate a statistic associated with a plurality of communication packets received by the processor;
  
  determine a security attack on the processor is in progress based at least in part on the statistic;
  
  determine whether to load a security algorithm based on an amount of download time to download the security algorithm; and
  
  load the one of the plurality of security algorithms in the processor based on the determining whether to load the security algorithm.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The system of claim 9, wherein the processor is further programmed to calculate a value function result and compare the value function result to a threshold value prior to loading the one of the plurality of security algorithms in the processor.
  - 11. The system of claim 10, wherein the processor is further programmed to load the security algorithm in the processor based at least in part on the comparison of the value function result and the threshold value.
  - 12. The system of claim 9, wherein the processor is programmed to load the one of the plurality of security algorithms in response to determining that the amount of download time to download the security algorithm is acceptable relative to a second amount of time indicative of an elapsed duration since a previous download of the security algorithm.
  - 13. The system of claim 9, wherein the processor generates the statistic associated with the plurality of communication packets received by the processor by generating one or more of a SYN rate statistic, a connection queue statistic, or a resource allocation statistic.
  - 14. The system of claim 9, wherein the processor determines the security attack on the processor is in progress based on the statistic by comparing the statistic to a threshold value associated with the security attack.

15. An apparatus comprising:
- a machine accessible medium; and
  
  instructions stored on the machine accessible medium and adapted to be executed by a processor to;
  
  generate a statistic associated with a plurality of communication packets received by the processor;
  
  determine a security attack on the processor is in progress based on the statistic;
  
  determine whether to load a security algorithm based on an amount of download time to download the security algorithm; and
  
  load the one of the plurality of security algorithms in the processor based on the determining whether to load the security algorithm.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the instructions are adapted to be executed by the processor to calculate a value function result and compare the value function result to a threshold value prior to loading the one of the plurality of security algorithms in the processor.
  - 17. The system of claim 16, wherein the instructions are adapted to load the one of the plurality of security algorithms in the processor based at least in part on the comparison of the value function result and the threshold value.
  - 18. The system of claim 15, wherein the instructions are adapted to be executed by the processor to load the one of the plurality of security algorithms in response to determining that the amount of download time to download the security algorithm is acceptable relative to a second amount of time indicative of an elapsed duration since a previous download of the security algorithm.
  - 19. The system of claim 15, wherein the instructions are adapted to be executed by the processor to generate the statistic associated with the plurality of communication packets received by the processor by generating one or more of a SYN rate statistic, a connection queue statistic, or a resource allocation statistic.
  - 20. The system of claim 15, wherein the instructions are adapted to be executed by the processor to determine the security attack on the processor is in progress based at least in part on the statistic by comparing the statistic to a threshold value associated with the security attack.

21. A machine accessible medium having associated data that, when accessed, causes a machine to:
- generate a statistic associated with a plurality of communication packets received by the processor;
  
  determine a security attack on the processor is in progress based on the statistic;
  
  determine whether to load a security algorithm based on an amount of download time to download the security algorithm; and
  
  load the one of the plurality of security algorithms in the processor based on the determining whether to load the security algorithm.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The machine accessible medium of claim 21, wherein the data, when accessed, causes the machine to calculate a value function result and compare the value function result to a threshold value prior to loading the one of the plurality of security algorithms in the processor.
  - 23. The machine accessible medium of claim 22, wherein the data, when accessed, causes the machine to load the one of the plurality of security algorithms in the processor based at least in part on the comparison of the value function result and the threshold value.
  - 24. The machine accessible medium of claim 22, wherein the data, when accessed, causes the machine to compare the value function result to the threshold value by comparing a load time of the one of the plurality of security algorithms to an elapsed time from a previous download to the processor.
  - 25. The machine accessible medium of claim 21, wherein the data, when accessed, causes the machine to generate the statistic associated with the plurality of communication packets received by the processor by generating one or more of a SYN rate statistic, a connection queue statistic, or a resource allocation statistic.
  - 26. The machine accessible medium of claim 21, wherein the data, when accessed, causes the machine to determine the security attack on the processor is in progress based at least in part on the statistic by comparing the statistic to a threshold value associated with the security attack.

27. A method comprising:
- receiving a request for a connection to a processor from a first network client;
  
  determining whether a second network client is already connected to the processor;
  
  presenting a first plurality of available security algorithms to the first network client when the second network client is not already connected to the processor and a second plurality of available security algorithms to the first network client when the second network client is already connected to the processor, wherein at least some of the second plurality of available security algorithms are different from the first plurality of available security algorithms;
  
  selecting a security algorithm from one of the first or second plurality of available security algorithms to be used for communications with the first network client; and
  
  downloading the selected security algorithm to be used for communications with the first network client to the processor.
- View Dependent Claims (28, 29, 30, 31, 32)
- - 28. The method of claim 27, further including presenting the second plurality of available security algorithms so that at least one previously downloaded security algorithm and one security algorithm that has not been downloaded from the first or second plurality of available security algorithms are presented to the first network client.
  - 29. The method of claim 28, wherein receiving the request for the connection to the processor from the first network client includes receiving a request for a virtual private network connection from the first network client.
  - 30. The method of claim 29, wherein receiving the request for the virtual private network connection from the first network client includes receiving security key exchange information from the first network client.
  - 31. The method of claim 27, wherein presenting the first or second plurality of available security algorithms to the first network client includes presenting authentication and encryption algorithms to the first network client.
  - 32. The method of claim 27, wherein downloading the selected security algorithm to be used for communications with the first network client to the processor includes loading the selected security algorithm in the fast path of the processor.

33. A network communication device, comprising:
- a memory containing a plurality of security algorithms; and
  
  a processor coupled to the memory and programmed to;
  
  receive a request for a connection to the processor from a first network client;
  
  determine whether a second network client is already connected to the processor;
  
  present a first set of the plurality of security algorithms to the first network client when the second network client is not already connected to the processor and a second set of the plurality of security algorithms to the first network client when the second network client is already connected to the processor, wherein at least some security algorithms in the second set of the plurality of security algorithms are different from security algorithms in the first set of the plurality of security algorithms;
  
  select a security algorithm from one of the first or second sets of the plurality of security algorithms to be used for communications with the first network client; and
  
  download the selected security algorithm to be used for communications with the first network client to the processor.
- View Dependent Claims (34, 35, 36, 37)
- - 34. The network communication device of claim 33, wherein the processor is programmed to present the second set of the security algorithms so that at least one previously downloaded security algorithm and one security algorithm that has not been downloaded from the first or second set of the security algorithms are presented to the first network client.
  - 35. The network communication device of claim 33, wherein the processor functions as a gateway to a virtual private network.
  - 36. The network communication device of claim 33, wherein the processor is programmed to use security key exchange information received from the first network client to generate the first and second sets of the security algorithms.
  - 37. The network communication device of claim 33, wherein the plurality of security algorithms include authentication and encryption algorithms.

38. An apparatus comprising:
- a machine accessible medium; and
  
  instructions stored on the machine accessible medium and adapted to be executed by a processor to;
  
  receive a request for a connection to the processor from a first network client;
  
  determine whether a second network client is already connected to the processor;
  
  present a first plurality of available security algorithms to the first network client when a second network client is not already connected to the processor and a second plurality of available security algorithms to the first network client when the second network client is already connected to the processor, wherein at least some of the second plurality of available security algorithms are different from the first plurality of available security algorithms;
  
  select a security algorithm from one of the first or second plurality of available security algorithms to be used for communications with the first network client; and
  
  download the selected security algorithm to be used for communications with the first network client to the processor.
- View Dependent Claims (39, 40)
- - 39. The apparatus of claim 38, wherein the instructions are adapted to be executed by the processor to present the second plurality of available security algorithms to the first network client so that at least one previously downloaded security algorithm and one security algorithm that has not been downloaded from the first or second plurality of available security algorithms are presented to the first network client.
  - 40. The apparatus of claim 38, wherein the instructions are adapted to be executed by the processor to download the selected security algorithm to be used for communications with the first network client to the processor by loading the selected security algorithm in the fast path of the processor.

41. A machine accessible medium having associated data that, when accessed, causes a machine to:
- receive a request for a connection to the processor from a first network client;
  
  determine whether a second network client is already connected to the processor;
  
  present a first plurality of available security algorithms to the first network client when the second network client is not already connected to the processor and a second set of the plurality of security algorithms to the first network client when the second network client is already connected to the processor, wherein at least some security algorithms in the second set of the plurality of security algorithms are different from security algorithms in the first set of the plurality of security algorithms;
  
  select a security algorithm from one of the first or second plurality of available security algorithms to be used for communications with the first network client; and
  
  download the selected security algorithm to be used for communications with the first network client to the processor.
- View Dependent Claims (42, 43)
- - 42. The machine accessible medium of claim 41, wherein the data, when accessed, causes the machine to present the second plurality of available security algorithms to the first network client so that at least one previously downloaded security algorithm and one security algorithm that has not been downloaded from the first or second plurality of available security algorithms are presented to the first network client.
  - 43. The machine accessible medium of claim 41, wherein the data, when accessed, causes the machine to download the selected security algorithm to be used for communications with the first network client to the processor by loading the selected security algorithm in the fast path of the processor.

44. A method comprising:
- monitoring a characteristic of communications on a network;
  
  detecting a network security attack based at least in part on the monitored characteristic;
  
  determining whether to load a security algorithm based on an amount of download time to download the security algorithm; and
  
  loading the security algorithm in a fast path of a processor based on the determining whether to load the security algorithm.
- View Dependent Claims (45, 46)
- - 45. The method of claim 44, wherein monitoring the characteristic of the communications on the network includes generating one or more of a communication packet statistic or a resource statistic.
  - 46. The method of claim 45, wherein detecting the network security attack based at least in part on the monitored characteristic includes comparing the monitored characteristic to a threshold value associated with the network security attack.

47. A computer system, comprising:
- a memory containing a plurality of security algorithms; and
  
  a processor coupled to the memory and programmed to;
  
  monitor communications on a network;
  
  load the one of the plurality of security algorithms in the processor based on the monitored communications in response to determining that an amount of download time to download the security algorithm is acceptable relative to a second amount of time indicative of an elapsed duration since a previous download of the security algorithm.
- View Dependent Claims (48, 49, 50)
- - 48. The computer system of claim 47, wherein the plurality of security algorithms include one or more of an authentication algorithm, an encryption algorithm, or an algorithm responsive to a network security attack.
  - 49. The computer system of claim 47, wherein the processor is programmed to generate a statistic based on the monitored communications and to load the one of the plurality of security algorithms in the processor based on the monitored communications by comparing the statistic to a value associated with a network security attack.
  - 50. The computer system of claim 47, wherein the processor is further programmed to calculate a value function result associated with loading the one of the plurality of algorithms in the processor and to load the one of the plurality of security algorithms in the processor based at least in part on the value function result.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Ahmed, Suhail, Johnson, Erik J., Deval, Manasi
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Powers; William S

Application Number

US10/280,250
Publication Number

US 20040083385A1
Time in Patent Office

2,405 Days
Field of Search

726 22- 25
US Class Current

726/23
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

Dynamic network security apparatus and methods or network processors

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

50 Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic network security apparatus and methods or network processors

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links