Systems and methods for improved network based content inspection

US 7,630,379 B2
Filed: 01/05/2007
Issued: 12/08/2009
Est. Priority Date: 01/05/2006
Status: Active Grant

First Claim

Patent Images

1. A system for enhancing network based content inspection of a plurality of concurrently received data payloads entering a computer network comprising:

at least one computer, such that at least one computer carries out the steps of;

a) subjecting each newly arriving data payload to content recognition to determine if the newly arriving data payload content has been previously inspected, has not been inspected or is currently under inspection;

b) allowing a newly arriving data payload recognized as previously inspected to be delivered without content inspection;

c) subjecting a newly arriving data payload recognized as not been inspected to content inspection to produce a new payload inspection result whereby the newly arriving data payload becomes a newly inspected data payload;

d) storing a message digest for the newly inspected data payload with the new payload inspection result in a content history lookup tablewherein content recognition includes the steps of;

i) subjecting each newly arriving data payload to a one way hash function to calculate a message digest of the newly arriving data payload;

ii) comparing the message digest of the newly arriving data payload to previously stored message digests in the content history lookup table wherein each previously stored message digest has an associated inspection result;

and whereiniii) if the message digest of the newly arriving data payload from step ii) is identical to a previously stored message digest determining;

a. if the previously stored message digest is flagged as inspected theni. determining a policy action based on the inspection result;

orb. if the previously stored message digest is flagged as under-inspection theni. waiting a pre-determined time period before repeating step ii).

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to network based content inspection (NBCI). More specifically, the invention provides systems and methods for improved NBCI in complex networks that are typical for enterprises and service providers. These networks are shared by large numbers of concurrent users who send and retrieve application content of various sizes via a variety of communication protocols. This invention improves the efficiency of the NBCI of an individual communication session by learning from the processing results of other communication sessions which may be carried via different network protocols. In addition, the invention provides methods that do not weaken the overall security for the network and that improve the stability of NBCI systems by minimizing the risk of system resource exhaustion if subjected to a burst of large payloads. The invention also improves perceived network stability by preventing the system resources from being “live-locked” by a few large content inspection tasks. Further still, the invention improves the cost-effectiveness of NBCI by allowing the optimization knowledge gained by one NBCI node be shared with other nodes.

45 Citations

View as Search Results

19 Claims

1. A system for enhancing network based content inspection of a plurality of concurrently received data payloads entering a computer network comprising:
- at least one computer, such that at least one computer carries out the steps of;
  
  a) subjecting each newly arriving data payload to content recognition to determine if the newly arriving data payload content has been previously inspected, has not been inspected or is currently under inspection;
  
  b) allowing a newly arriving data payload recognized as previously inspected to be delivered without content inspection;
  
  c) subjecting a newly arriving data payload recognized as not been inspected to content inspection to produce a new payload inspection result whereby the newly arriving data payload becomes a newly inspected data payload;
  
  d) storing a message digest for the newly inspected data payload with the new payload inspection result in a content history lookup tablewherein content recognition includes the steps of;
  
  i) subjecting each newly arriving data payload to a one way hash function to calculate a message digest of the newly arriving data payload;
  
  ii) comparing the message digest of the newly arriving data payload to previously stored message digests in the content history lookup table wherein each previously stored message digest has an associated inspection result;
  
  and whereiniii) if the message digest of the newly arriving data payload from step ii) is identical to a previously stored message digest determining;
  
  a. if the previously stored message digest is flagged as inspected theni. determining a policy action based on the inspection result;
  
  orb. if the previously stored message digest is flagged as under-inspection theni. waiting a pre-determined time period before repeating step ii).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, wherein the at least one computer further carries out the step of:
    - after content inspection, associating the inspection result and additional information with the message digest.
  - 3. The system of claim 2 wherein the additional information includes any one of or a combination of inspection history information, content classification information and content manipulation instructions.
  - 4. The system of claim 1 wherein a message digest is associated with time of creation information for preventing a collision attack and wherein a message digest is retired if time of creation information exceeds a pre-determined value calculated as less than the time required to achieve a message digest collision.
  - 5. The system of claim 4 wherein a message digest is associated with size information used in conjunction with time of creation information to prevent a message digest collision.
  - 6. The system of claim 5 wherein a content inspection process is aborted when the time spent on the inspection exceeds a predefined threshold to prevent run away inspection processes.
  - 7. The system of claim 1 wherein the data payload is data of an application level network protocol.
  - 8. The system of claim 1 wherein the data payload is decomposed prior to content inspection into logical portions for content inspection.
  - 9. The system of claim 1 wherein, when the computer network is receiving a plurality of data payloads, further comprising the step of assigning a priority to each data payload for content inspection.
  - 10. The system of claim 9 wherein the step of assigning a priority to each data payload is determined on the basis of the time of arrival of individual data payloads and the size of each data payload.
  - 11. The system of claim 10 further comprising the step of allocating computer system resources for content inspection on the basis of the priority assigned to each data payload.
  - 12. The system of claim 9 wherein data payloads are individually registered with a scheduling manager and the scheduling manager assigns priority to each data payload based on the length of time each data payload has been registered with the scheduling manager.
  - 13. The system of claim 1 wherein, when the computer network is receiving a plurality of data payloads, further comprising the step of temporarily preventing content inspection of data payloads determined to be identical to a data payload currently identified as under-inspection.
  - 14. The method of claim 1 wherein a data payload recognized as previously inspected in step b) is delivered to a policy module wherein a policy action is determined by the previous inspection result stored in the content history lookup table.

15. A system for enhancing network based content inspection of a plurality of concurrently received data payloads comprising:
- at least one computer, the at least one computer having a content recognition module for recognizing if each newly arriving data payload has been previously inspected for content, has not been inspected or is currently under inspection wherein the content recognition module;
  
  allows a newly arriving data payload recognized as previously inspected to be delivered without content inspection;
  
  subjecting a newly arriving data payload recognized as not been inspected to content inspection to produce a new payload inspection result and whereby the newly arriving data payload becomes a newly inspected data payload;
  
  storing the message digest for the newly inspected data payload with the new payload inspection result in a content history lookup tablewherein content recognition includes the steps of;
  
  i) subjecting each newly arriving data payload to a one way hash function to calculate a message digest of the newly arriving data payload;
  
  ii) comparing the message digest of the newly arriving data payload to previously stored message digests in the content history lookup table wherein each previously stored message digest has an associated inspection result;
  
  and whereiniii) if the message digest of the newly arriving data payload from step ii) is identical to a previously stored message digest determining;
  
  c. if the previously stored message digest is flagged as inspected theni. determining a policy action based on the inspection result;
  
  ord. if the previously stored message digest is flagged as under-inspection theni. waiting a pre-determined time period before repeating step ii).
- View Dependent Claims (16, 17, 18, 19)
- - 16. The system of claim 15 wherein the content inspection module is a co-processor.
  - 17. The system of claim 15 wherein the content inspection module utilizes CAM (Content-Addressable Memory).
  - 18. The system of claim 15 wherein the system comprises at least two content inspection modules operatively connected to a common look-up table.
  - 19. The system of claim 18 wherein the results of content inspection from at least two content modules is added to the common look-up table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Wedge Networks, Inc.
Original Assignee
Wedge Networks, Inc.
Inventors
Kinawi, Husam, Morishita, Isao, Zhang, Hongwen
Primary Examiner(s)
Yao; Kwang B
Assistant Examiner(s)
LIU, JUNG

Application Number

US11/620,556
Publication Number

US 20070160062A1
Time in Patent Office

1,068 Days
Field of Search

370/395
US Class Current

370/395.31
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0245   Filtering by information in...

H04L 63/1416   Event detection, e.g. attac...

H04L 67/56   Provisioning of proxy servi...

H04L 67/564   Enhancement of application ...

H04L 67/568   Storing data temporarily at...

Systems and methods for improved network based content inspection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

45 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for improved network based content inspection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links