Method and system for prioritizing security operations in a communication network
First Claim
Patent Images
1. A method comprising:
- performing a plurality of different security operations on each of a plurality of data packets at a single network security device, the plurality of security operations including dropping of malicious data packets;
recording a rate of malicious data packets being dropped by each of the plurality of security operations;
associating a priority to each security operation based on a rate of malicious data packets being dropped such that a given security operation having a higher rate of malicious data packets being dropped has a higher priority than a given security operation having a lower rate of malicious data packets being dropped; and
re-ordering the plurality of security operations at the network security device, the re-ordering being based on a decreasing order of priority, wherein the plurality of security operations are re-ordered automatically.
1 Assignment
0 Petitions
Accused Products
Abstract
A method, system and apparatus for filtering data packets through an integrated network security device are provided. Various security operations are performed on the data packets belonging to a network connection while they pass through the integrated network security device in a communication network. A classification engine is applied to the first packet of the connection. The result of this filtering is stored in a per-connection control key, and determines which of the security operations must be applied to each of the data packets of the connection. These security operations may be prioritized and re-ordered, based on the rate at which they detect and drop malicious data packets.
8 Citations
12 Claims
-
1. A method comprising:
-
performing a plurality of different security operations on each of a plurality of data packets at a single network security device, the plurality of security operations including dropping of malicious data packets; recording a rate of malicious data packets being dropped by each of the plurality of security operations; associating a priority to each security operation based on a rate of malicious data packets being dropped such that a given security operation having a higher rate of malicious data packets being dropped has a higher priority than a given security operation having a lower rate of malicious data packets being dropped; and re-ordering the plurality of security operations at the network security device, the re-ordering being based on a decreasing order of priority, wherein the plurality of security operations are re-ordered automatically. - View Dependent Claims (2, 3, 4, 5)
-
-
6. A system comprising:
-
means for performing a plurality of different security operations on each of a plurality of data packets at a single network security device; means for recording a rate of malicious data packets being dropped by each of the plurality of security operations; means for associating a priority to each security operation based on a rate of malicious data packets being dropped such that a given security operation having a higher rate of malicious data packets being dropped has a higher priority than a given security operation having a lower rate of malicious data packets being dropped; and means for re-ordering the plurality of security operations at the single network security device, the re-ordering being based on a decreasing order of priority, wherein the plurality of security operations are re-ordered automatically.
-
-
7. A system comprising:
-
one or more security operations modules, the one or more security operations module performing a plurality of different security operations on each of a plurality of data packets at a single network security device; a recording module for recording a rate of malicious data packets being dropped by each of the plurality of security operations module; and a re-ordering module for automatically re-ordering the plurality of security operations at the single network security device, the re-ordering being based on a decreasing order of priority, wherein each security operation is associated with a rate of malicious data packets being dropped such that a given security operation having a higher rate of malicious data packets being dropped has a higher priority than a given security operation having a lower rate of malicious data packets being dropped. - View Dependent Claims (8, 9, 10)
-
-
11. An apparatus comprising:
-
a processing system including a processor coupled to a display and user input device; a machine-readable medium including instructions executable by the processor comprising; one or more instructions for performing a plurality of different security operations on each of a plurality of data packets at a single network security device, the plurality of security operations including dropping of malicious data packets; one or more instructions for recording a rate of the malicious data packets being dropped by each of the plurality of security operations; one or more instructions for associating a priority to each security operation based on a rate of malicious data packets being dropped such that a given security operation having a higher rate of malicious data packets being dropped has a higher priority than a given security operation having a lower rate of malicious data packets being dropped; and one or more instructions for re-ordering the plurality of security operations at a single network security device, the re-ordering being based on a decreasing order of priority, wherein the plurality of security operations are re-ordered automatically.
-
-
12. A non-transitory machine-readable medium including instructions executable by a processor, the machine-readable medium comprising:
-
one or more instructions for performing a plurality of different security operations on each of a plurality of data packets at a single network security device, the plurality of security operations including dropping of malicious data packets; one or more instructions for recording a rate of the malicious data packets being dropped by each of the plurality of security operations; one or more instructions for associating a priority to each security operation based on a rate of malicious data packets being dropped such that a given security operation having a higher rate of malicious data packets being dropped has a higher priority than a given security operation having a lower rate of malicious data packets being dropped; and one or more instructions for re-ordering the plurality of security operations at a single network security device, the re-ordering being based on a decreasing order of priority, wherein the plurality of security operations are re-ordered automatically.
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeCisco Technology, Inc. (Cisco Systems, Inc.)
-
Original AssigneeCisco Technology, Inc. (Cisco Systems, Inc.)
-
InventorsGuillem, Jordi Juan, Rabadan, Carlos Lopez, Sankar, Swaminathan
-
Primary Examiner(s)Zand; Kambiz
-
Assistant Examiner(s)Wyszynski; Aubrey H
-
Application NumberUS11/123,661Publication NumberTime in Patent Office1,909 DaysField of Search726/13US Class Current726/13CPC Class CodesH04L 63/0227 Filtering policies mail mes...H04L 63/1441 Countermeasures against mal...
