Systems and methods for improved network based content inspection
First Claim
1. A system for enhancing network based content inspection of a plurality of concurrently received data payloads entering a computer network comprising:
- at least one computer, such that at least one computer carries out the steps of:
  a) subjecting each newly arriving data payload to content recognition to determine if the newly arriving data payload content has been previously inspected, has not been inspected or is currently under inspection;
  b) allowing a newly arriving data payload recognized as previously inspected to be delivered without content inspection;
  c) subjecting a newly arriving data payload recognized as not been inspected to content inspection to produce a new payload inspection result whereby the newly arriving data payload becomes a newly inspected data payload;
  d) storing a message digest for the newly inspected data payload with the new payload inspection result in a content history lookup table, wherein content recognition includes the steps of:
     i) subjecting each newly arriving data payload to a one way hash function to calculate a message digest of the newly arriving data payload;
     ii) comparing the message digest of the newly arriving data payload to previously stored message digests in the content history lookup table, wherein each previously stored message digest has an associated inspection result;
     and wherein iii) if the message digest of the newly arriving data payload from step ii) is identical to a previously stored message digest, determining:
        a. if the previously stored message digest is flagged as inspected, then i. determining a policy action based on the inspection result;
        or b. if the previously stored message digest is flagged as under-inspection, then i. waiting a pre-determined time period before repeating step ii).
Abstract
The invention relates to network based content inspection (NBCI). More specifically, the invention provides systems and methods for improved NBCI in complex networks that are typical for enterprises and service providers. These networks are shared by large numbers of concurrent users who send and retrieve application content of various sizes via a variety of communication protocols. This invention improves the efficiency of the NBCI of an individual communication session by learning from the processing results of other communication sessions, which may be carried via different network protocols. In addition, the invention provides methods that do not weaken the overall security of the network and that improve the stability of NBCI systems by minimizing the risk of system resource exhaustion when subjected to a burst of large payloads. The invention also improves perceived network stability by preventing the system resources from being “live-locked” by a few large content inspection tasks. Further still, the invention improves the cost-effectiveness of NBCI by allowing the optimization knowledge gained by one NBCI node to be shared with other nodes.
Claims
15. A system for enhancing network based content inspection of a plurality of concurrently received data payloads comprising:
- at least one computer, the at least one computer having a content recognition module for recognizing if each newly arriving data payload has been previously inspected for content, has not been inspected or is currently under inspection, wherein the content recognition module:
  allows a newly arriving data payload recognized as previously inspected to be delivered without content inspection;
  subjecting a newly arriving data payload recognized as not been inspected to content inspection to produce a new payload inspection result, and whereby the newly arriving data payload becomes a newly inspected data payload;
  storing the message digest for the newly inspected data payload with the new payload inspection result in a content history lookup table, wherein content recognition includes the steps of:
     i) subjecting each newly arriving data payload to a one way hash function to calculate a message digest of the newly arriving data payload;
     ii) comparing the message digest of the newly arriving data payload to previously stored message digests in the content history lookup table, wherein each previously stored message digest has an associated inspection result;
     and wherein iii) if the message digest of the newly arriving data payload from step ii) is identical to a previously stored message digest, determining:
        c. if the previously stored message digest is flagged as inspected, then i. determining a policy action based on the inspection result;
        or d. if the previously stored message digest is flagged as under-inspection, then i. waiting a pre-determined time period before repeating step ii).