Distributed security provisioning
First Claim
1. A network security system, comprising:
- a plurality of processing nodes external to network edges of a plurality of external systems, each processing node including one or more computers and comprising:
  - a processing node data store storing security policy data defining security policies for each of the external systems;
  - a plurality of data inspection engines, each data inspection engine configured to perform a threat detection process to classify content items according to a threat classification for a corresponding threat; and
  - a processing node manager in data communication with the data inspection engines and configured to access the security policy data stored in the processing node data store and manage the classified content item in accordance with the security policy data so that security policies for a plurality of external systems in data communication with the processing node are implemented external to the network edges for each of the external systems; and
- an authority node in data communication with the processing nodes, the authority node including one or more computers and comprising an authority node data store storing security policy data for each of the plurality of external systems, and including an authority node manager configured to provide the security policy data to each of the processing nodes;
- wherein the data store in each processing node includes threat data classifying content items by threat classifications and a detection process filter indicating whether content items have been processed by one or more of the data inspection engines, and the processing node manager in each processing node is configured to:
  - determine whether a content item is classified by the threat data by accessing the detection processing filter to determine whether the content item has been processed;
  - if the content item is determined to have not been processed and thus not classified by the threat data, then:
    - cause the data inspection engines to perform the threat detection processes to classify the content item according to a threat classification;
    - generate a threat data update that includes data indicating the threat classification for the content item from the threat detection process; and
    - transmit the threat data update to the authority node;
  - if the content item is determined to have been processed and thus classified by the threat data, then manage the content item in accordance with the security policy data and the classification of the content item;
- wherein the authority node manager is further configured to:
  - update threat data stored in the authority node data store according to the threat data update received from the processing node, and transmit the updated threat data to the processing nodes; and
  - update a detection process filter stored in the authority node data store according to the threat data update and transmit the updated detection process filter to the processing nodes.
Abstract
Systems, methods and apparatus for distributed security that provides security processing external to a network edge. The system can include many distributed processing nodes and one or more authority nodes that provide security policy data, threat data, and other security data to the processing nodes. The processing nodes detect and stop the distribution of malware, spyware and other undesirable content before such content reaches the destination network and computing systems.
21 Claims
18. A computer implemented method of security provisioning, comprising:
- providing data communication from a plurality of processing nodes to a plurality of external systems, the processing nodes external to network edges of the plurality of external systems, and in each processing node:
  - storing security policies defining security policies for each of the external systems and received from an authority node;
  - storing threat data classifying content items by threat classifications;
  - monitoring content items requested by or sent from the external systems;
  - determining whether a content item is classified by the threat data by accessing a detection processing filter indicating whether content items have been processed by one or more data inspection engines to determine whether the content item has been processed;
  - if the content item is determined to have not been processed and thus not classified by the threat data, then:
    - threat detecting content items using the one or more data inspection engines to classify the content items according to threat classifications for a corresponding threat;
    - generating a threat data update that includes data indicating the threat classification for the content item from the threat detecting; and
    - transmitting the threat data update to an authority node; and
  - if the content item is determined to have been processed and thus classified by the threat data, then enforcing, external to the network edges of the external systems, the security policies for the plurality of external systems in accordance with the security policies and the classifications of the content items;
- providing data communications between the processing nodes and the authority node, and in the authority node:
  - updating threat data stored in the authority node according to the threat data update received from the processing node, and transmitting the updated threat data to the processing nodes; and
  - updating a detection process filter stored in the authority node according to the threat data update and transmitting the updated detection process filter to the processing nodes.
21. One or more machine readable storage devices storing software comprising instructions executable by a processing node system and an authority node system, and in response to such execution causes the processing node system to perform operations comprising:
- receiving and storing security policy data defining security policies for each of a plurality of external systems, threat classification data defining threat classifications for a plurality of content items, and detection processing filtering data defining whether content items have been threat detection processed;
- identifying a content item requested by or sent from an external system;
- determining whether the content item is classified by the threat classification data by accessing the detection processing filter data;
- if the content item is determined to have not been processed and thus not classified by the threat data, then:
  - threat detecting content items using the one or more data inspection engines to classify the content items according to threat classifications for a corresponding threat;
  - generating a threat data update that includes data indicating the threat classification for the content item from the threat detecting; and
  - transmitting the threat data update to an authority node; and
- if the content item is determined to have been processed and thus classified by the threat data, then enforcing, external to the network edges of the external systems, the security policies for the plurality of external systems in accordance with the security policies and the classifications of the content items;
and upon such execution causes the authority node system to perform operations comprising:
- updating threat data stored in the authority node according to the threat data update received from the processing node system;
- transmitting the updated threat data to the processing node system; and
- updating a detection process filter stored in the authority node according to the threat data update and transmitting the updated detection process filter to the processing node system.
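The provisioning loop common to claims 1, 18 and 21 (consult the detection process filter, inspect only items not yet classified, send a threat data update to the authority node, which then pushes updated threat data and filter to every processing node), as an added simulation that is not the patent's own code. It assumes a Bloom-style filter, a SHA-256 digest as the content item key, a constructed marker string in place of a real signature, and in-process method calls in place of the network transport; the filter's false-positive case (an item reported as processed but absent from the threat data) is treated as unprocessed and inspected locally.

```python
import hashlib

class DetectionProcessFilter:
    """Bloom-style 'has this item been inspected?' filter (assumed implementation)."""
    def __init__(self, size=4096, k=3):
        self.size, self.k, self.bits = size, k, bytearray(size)
    def _slots(self, key):
        for i in range(self.k):
            h = hashlib.sha256(f"{i}:{key}".encode()).digest()
            yield int.from_bytes(h[:4], "big") % self.size
    def add(self, key):
        for s in self._slots(key): self.bits[s] = 1
    def __contains__(self, key):
        return all(self.bits[s] for s in self._slots(key))

class AuthorityNode:
    def __init__(self, policies):  # policies: external system -> {classification: action}
        self.policies, self.threat_data, self.nodes = policies, {}, []
        self.filter = DetectionProcessFilter()
    def receive_update(self, key, classification):
        # Record the classification, mark the item processed, push both to every node.
        self.threat_data[key] = classification
        self.filter.add(key)
        for n in self.nodes:
            n.sync(self.policies, self.threat_data, self.filter)

class ProcessingNode:
    def __init__(self, authority, engines):  # engines: content -> classification or None
        self.authority, self.engines, self.inspections = authority, engines, 0
        authority.nodes.append(self)  # provisioned with policy, threat data and filter
        self.sync(authority.policies, authority.threat_data, authority.filter)
    def sync(self, policies, threat_data, filt):
        self.policies, self.threat_data, self.filter = policies, dict(threat_data), filt
    def process(self, system, content):
        key = hashlib.sha256(content).hexdigest()
        if key in self.filter and key in self.threat_data:
            cls = self.threat_data[key]  # already processed: reuse the stored classification
        else:  # unprocessed (or a filter false positive with no threat data): inspect here
            self.inspections += 1
            cls = next((r for r in (e(content) for e in self.engines) if r), "clean")
            self.authority.receive_update(key, cls)  # the threat data update
        return self.policies.get(system, {}).get(cls, "allow")

def demo():  # two nodes, one authority; a constructed marker stands in for a real signature
    engine = lambda c: "malware" if b"CONSTRUCTED-MALWARE-MARKER" in c else None
    auth = AuthorityNode({"acme": {"malware": "block"}, "beta": {"malware": "quarantine"}})
    a, b = ProcessingNode(auth, [engine]), ProcessingNode(auth, [engine])
    bad = b"payload CONSTRUCTED-MALWARE-MARKER"
    first, second = a.process("acme", bad), b.process("beta", bad)  # b needs no inspection
    return first, second, a.inspections, b.inspections  # ("block", "quarantine", 1, 0)
```

Each external system gets its own action for the same classification, and the second node enforces policy from the synced threat data without re-running the engines.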