Distributed security provisioning

US 7,899,849 B2
Filed: 05/28/2008
Issued: 03/01/2011
Est. Priority Date: 05/28/2008
Status: Active Grant

First Claim

Patent Images

1. A network security system, comprising:

a plurality of processing nodes external to network edges of a plurality of external systems, each processing node including one or more computers and comprising;

a processing node data store storing security policy data defining security policies for each of the external systems;

a plurality of data inspection engines, each data inspection engine configured to perform a threat detection process to classify content items according to a threat classification for a corresponding threat; and

a processing node manager in data communication with the data inspection engines and configured to access the security policy data stored in the processing node data store and manage the classified content item in accordance with the security policy data so that security policies for a plurality of external systems in data communication with the processing node are implemented external to the network edges for each of the external systems; and

an authority node in data communication with the processing nodes, the authority node including one or more computers and comprising an authority node data store storing security policy data for each of the plurality of external systems, and including an authority node manager configured to provide the security policy data to each of the processing nodes;

wherein the data store in each processing node includes threat data classifying content items by threat classifications and a detection process filter indicating whether content items have been processed by one or more of the data inspection engines, and the processing node manager in each process node is configured to;

determine whether a content item is classified by the threat data by accessing the detection processing filter to determine whether the content item has been processed;

if the content item is determined to have not been processed and thus not classified by the threat data, then;

cause the data inspection engines to perform the threat detection processes to classify the content item according to a threat classification;

generate a threat data update that includes data indicating the threat classification for the content item from the threat detection process; and

transmit the threat data update to the authority node;

if the content item is determined to have been processed and thus classified by the threat data, then manage the content item in accordance with the security policy data and the classification of the content item;

wherein the authority node manager is further configured to;

update threat data stored in the authority node data store according to the threat data update received from the processing node, and transmit the updated threat data to the processing nodes; and

update a detection process filter stored in the authority node data store according to the threat data update and transmit the updated detection process filter to the processing nodes.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods and apparatus for a distributed security that provides security processing external to a network edge. The system can include many distributed processing nodes and one or more authority nodes that provide security policy data, threat data, and other security data to the processing nodes. The processing nodes detect and stop the distribution of malware, spyware and other undesirable content before such content reaches the destination network and computing systems.

33 Citations

View as Search Results

21 Claims

1. A network security system, comprising:
- a plurality of processing nodes external to network edges of a plurality of external systems, each processing node including one or more computers and comprising;
  
  a processing node data store storing security policy data defining security policies for each of the external systems;
  
  a plurality of data inspection engines, each data inspection engine configured to perform a threat detection process to classify content items according to a threat classification for a corresponding threat; and
  
  a processing node manager in data communication with the data inspection engines and configured to access the security policy data stored in the processing node data store and manage the classified content item in accordance with the security policy data so that security policies for a plurality of external systems in data communication with the processing node are implemented external to the network edges for each of the external systems; and
  
  an authority node in data communication with the processing nodes, the authority node including one or more computers and comprising an authority node data store storing security policy data for each of the plurality of external systems, and including an authority node manager configured to provide the security policy data to each of the processing nodes;
  
  wherein the data store in each processing node includes threat data classifying content items by threat classifications and a detection process filter indicating whether content items have been processed by one or more of the data inspection engines, and the processing node manager in each process node is configured to;
  
  determine whether a content item is classified by the threat data by accessing the detection processing filter to determine whether the content item has been processed;
  
  if the content item is determined to have not been processed and thus not classified by the threat data, then;
  
  cause the data inspection engines to perform the threat detection processes to classify the content item according to a threat classification;
  
  generate a threat data update that includes data indicating the threat classification for the content item from the threat detection process; and
  
  transmit the threat data update to the authority node;
  
  if the content item is determined to have been processed and thus classified by the threat data, then manage the content item in accordance with the security policy data and the classification of the content item;
  
  wherein the authority node manager is further configured to;
  
  update threat data stored in the authority node data store according to the threat data update received from the processing node, and transmit the updated threat data to the processing nodes; and
  
  update a detection process filter stored in the authority node data store according to the threat data update and transmit the updated detection process filter to the processing nodes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The system of claim 1, wherein:
    - the authority node manager is further configured to update threat data stored in the authority node data store according to the threat data update received from the processing node, and to transmit the updated threat data to other processing nodes; and
      
      each processing node manager is further configured to store the updated threat data received from the authority node in its processing node data store.
  - 3. The system of claim 2, wherein one of the data inspection engines comprises a virus scanning engine and the threat classifications include infected and clean.
  - 4. The system of claim 2, wherein one of the data inspection engines comprises a uniform resource locator filter and the threat classifications include allowed and restricted.
  - 5. The security system of claim 1, wherein the processing node manager in each process node is configured to:
    - request responsive threat data for the content item from the authority node if the content item is determined to not be classified by the threat data;
      
      determine whether a reply from the authority node in response to the request includes the responsive threat data classifying the content item;
      
      if the reply did not include the responsive threat data classifying the content item, then;
      
      cause the data inspection engines to perform the threat detection processes to classify the content item according to a threat classification;
      
      generate a threat data update that includes data indicating the threat classification for the content item from the threat detection process; and
      
      transmit the threat data update to the authority node; and
      
      if the reply did include responsive data classifying the content item, then manage the content item in accordance with the security policy data and the classification of the content item.
  - 6. The system of claim 5, wherein:
    - the authority node manager is further configured to receive the responsive threat data request from the processing node, and determine if the responsive threat data is stored in the authority node data store;
      
      if responsive threat data is stored in the authority node data store, then provide a reply that includes the responsive threat data to the processing node in response to the threat data request; and
      
      if the responsive threat data is not stored in the authority node data store, then;
      
      provide a reply to the processing node that does not include the responsive threat data; and
      
      update threat data stored in the authority node data store according to the threat data update received from the processing node.
  - 7. The system of claim 1, wherein the detection process filter comprises a bloom filter including a hash index and a plurality of binary data indicating whether a content item resolved to a hash index has been processed by a detection engine.
  - 8. The system of claim 1, further comprising a logging node in data communication with the plurality of processing nodes and including a logging data store and a logger configured to store security transaction data each of the plurality of external systems.
  - 9. The system of claim 8, wherein the security transaction data comprises content item logs indicating content item requests from the external systems and corresponding threat classifications of the requested content items.
  - 10. The system of claim 1, wherein the content items include one or more of e-mail messages, web pages, and files.
  - 11. The system of claim 1, wherein the data inspection engines in each processing node comprise a user layer inspection engine configured to perform authentication processes.
  - 12. The system of claim 1, wherein the data inspection engines in each processing node comprise a network layer engine configured to perform network layer processes.
  - 13. The system of claim 12, wherein the network layer processes include identifying internet protocol addresses associated with a content item and allowing or disallowing the content item based on the identified internet protocol address.
  - 14. The system of claim 1, wherein the data inspection engines in each processing node comprise an object layer engine configured to perform object layer processes.
  - 15. The system of claim 14, wherein the object layer processes include identifying an hypertext transfer protocol header associated with a content item and allowing or disallowing the content item based on the identified hypertext transfer protocol header.
  - 16. The system of claim 1, wherein the data inspection engines in each processing node comprise a content layer engine configured to perform content layer processes.
  - 17. The system of claim 16, wherein the content layer processes include virus scanning a content item and allowing or disallowing the content item based on the virus scanning.

18. A computer implemented method of security provisioning, comprising:
- providing data communication from a plurality of processing nodes to a plurality of external systems, the processing nodes external to network edges of the plurality of external systems, and in each processing node;
  
  storing security policies defining security policies for each of the external systems and received from an authority node;
  
  storing threat data classifying content items by threat classifications;
  
  monitoring content items requested by or sent from the external systems;
  
  determining whether a content item is classified by the threat data by accessing a detection processing filter indicating whether content items have been processed by one or more data inspection engines to determine whether the content item has been processed;
  
  if the content item is determined to have not been processed and thus not classified by the threat data, then;
  
  threat detecting content items using the one or more data inspection engines to classify the content items according to threat classifications for a corresponding threatgenerating a threat data update that includes data indicating the threat classification for the content item from the threat detecting;
  
  transmitting the threat data update to an authority node; and
  
  if the content item is determined to have been processed and thus classified by the threat data, then enforcing, external to the network edges of the external systems, the security policies for the plurality of external systems in accordance with the security policies and the classifications of the content items;
  
  providing data communications between the processing nodes and the authority node, and in the authority node;
  
  update threat data stored in the authority node according to the threat data update received from the processing node, and transmit the updated threat data to the processing nodes; and
  
  update a detection process filter stored in the authority node according to the threat data update and transmit the updated detection process filter to the processing nodes.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, whereinif the content item is determined to not be classified by the threat data, then requesting responsive threat data for the content item from an authority node;
    - determining whether a reply from the authority node in response to the request includes the responsive threat data classifying the content item;
      
      if the reply did not include the responsive threat data classifying the content item, then;
      
      threat detection processing to classify the content item according to a threat classification;
      
      generating a threat data update that includes data indicating the threat classification for the content item from the threat detection processing; and
      
      transmitting the threat data update to the authority node; and
      
      if the reply did include responsive threat data classifying the content item, then managing the content item in accordance with the security policy data and the classification of the content item.
  - 20. The method of claim 18, wherein threat detecting content items comprises:
    - detecting threats at a user layer;
      
      detecting threats at a network layer;
      
      detecting threats at an object layer; and
      
      detecting threats at a content layer.

21. One or more machine readable storage device storing software comprising instructions executable by a processing node system and an authority node system, and in response to such execution causes the processing node system to perform operations comprising:
- receiving and storing security policy data defining security policies for each of a plurality of the external systems, threat classification data defining threat classifications for a plurality of content items, and detection processing filtering data defining whether content items have been threat detection processed;
  
  identifying a content item requested by or sent from a external system;
  
  determining whether the content item is classified by the threat classification data by accessing the detection processing filter data;
  
  if the content item is determined to have not been processed and thus not classified by the threat data, then;
  
  threat detecting content items using the one or more data inspection engines to classify the content items according to threat classifications for a corresponding threat;
  
  generating a threat data update that includes data indicating the threat classification for the content item from the threat detecting;
  
  transmitting the threat data update to an authority node; and
  
  if the content item is determined to have been processed and thus classified by the threat data, then enforcing, external to the network edges of the external systems, the security policies for the plurality of external systems in accordance with the security policies and the classifications of the content items; and
  
  upon such execution cause the authority node system to perform operations comprising;
  
  updating threat data stored in the authority node according to the threat data update received from the processing node system;
  
  transmitting the updated threat data to the processing node system; and
  
  updating a detection process filter stored in the authority node according to the threat data update and transmit the updated detection process filter to the processing node system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zscaler Incorporated
Original Assignee
Zscaler Incorporated
Inventors
Kailash, Kailash, Devarajan, Srikanth, Paul, Narinder, Schekochikhin, Arcady V., Chaudhry, Jay
Primary Examiner(s)
Vital; Pierre M
Assistant Examiner(s)
Vo; Troung V

Application Number

US12/128,371
Publication Number

US 20090300045A1
Time in Patent Office

1,007 Days
Field of Search

707/609, 707/705, 707/821
US Class Current

707/821
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6218   to a system of files or obj...

H04L 63/0218   Distributed architectures, ...

H04L 63/10   for controlling access to d...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

Distributed security provisioning

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed security provisioning

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links