Differential threat detection processing

US 7,937,761 B1
Filed: 12/17/2004
Issued: 05/03/2011
Est. Priority Date: 12/17/2004
Status: Active Grant

First Claim

Patent Images

1. A method of detecting a network security threat, comprising:

classifying network traffic with a security risk related classification, the classification being determined at least in part by applying a threat detection heuristic to at least a portion of the network traffic;

tagging the network traffic with classification data that indicates the security risk related classification into which the network traffic has been classified;

sending the tagged network traffic, including the classification data, down each of a plurality of parallel paths, each path having associated with it one or more inline security measures configured to apply to the tagged network traffic one or more types of network security threat detection processing to an extent determined based at least in part on the classification data, wherein the same tagged network traffic is sent down each of the plurality of parallel paths;

processing the tagged network traffic sent down each of the plurality of parallel paths according to the respective one or more inline security measures based at least in part on the classification data, wherein processing the tagged network traffic sent down each of the plurality of parallel paths comprises dropping the tagged network traffic if the tagged network traffic fails a security check and forwarding the tagged network traffic if the tagged network traffic passes the security check;

determining whether the forwarded network traffic was received from a minimum number of the plurality of parallel paths; and

transmitting the forwarded network traffic based on the determination that the forwarded network traffic was received from at least the minimum number of the plurality of parallel paths.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Detecting a network security threat is disclosed. Network traffic is classified with a security risk related classification, the classification being determined at least in part by applying a threat detection heuristic to at least a portion of the network traffic. Classification data that indicates the security risk related classification into which the network traffic has been classified is added to the network traffic. The network traffic is subjected to a level of network security threat detection processing that corresponds to the security risk related classification into which the network traffic has been classified as determined based at least in part on the classification data.

Citations

9 Claims

1. A method of detecting a network security threat, comprising:
- classifying network traffic with a security risk related classification, the classification being determined at least in part by applying a threat detection heuristic to at least a portion of the network traffic;
  
  tagging the network traffic with classification data that indicates the security risk related classification into which the network traffic has been classified;
  
  sending the tagged network traffic, including the classification data, down each of a plurality of parallel paths, each path having associated with it one or more inline security measures configured to apply to the tagged network traffic one or more types of network security threat detection processing to an extent determined based at least in part on the classification data, wherein the same tagged network traffic is sent down each of the plurality of parallel paths;
  
  processing the tagged network traffic sent down each of the plurality of parallel paths according to the respective one or more inline security measures based at least in part on the classification data, wherein processing the tagged network traffic sent down each of the plurality of parallel paths comprises dropping the tagged network traffic if the tagged network traffic fails a security check and forwarding the tagged network traffic if the tagged network traffic passes the security check;
  
  determining whether the forwarded network traffic was received from a minimum number of the plurality of parallel paths; and
  
  transmitting the forwarded network traffic based on the determination that the forwarded network traffic was received from at least the minimum number of the plurality of parallel paths.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as recited in claim 1, wherein the classification data comprises a virtual local area network (VLAN) tag.
  - 3. The method as recited in claim 1, wherein the classification data comprises a multiprotocol label switching (MPLS) label.
  - 4. The method as recited in claim 1, further comprising:
    - forwarding the tagged network traffic down each of the plurality of parallel paths if no threat is detected in the tagged network traffic as a result of the respective network security threat detection processing.
  - 5. The method as recited in claim 4, further comprising:
    - receiving the tagged network traffic at a common end node of the parallel paths; and
      
      forwarding the tagged network traffic if tagged the network traffic is received at the common node from a prescribed number of the parallel paths.
  - 6. The method as recited in claim 5, wherein the prescribed number of parallel paths includes all of the parallel paths along which the network traffic was sent.
  - 7. The method as recited in claim 5, wherein the prescribed number of parallel paths includes only a portion of the parallel paths along which the tagged network traffic was sent.

8. A system for detecting a network security threat, comprising:
- a communication interface configured to receive network traffic; and
  
  a processor configured to;
  
  classify the received network traffic with a security risk related classification, the classification being determined at least in part by applying a threat detection heuristic to at least a portion of the network traffic;
  
  tag the network traffic with classification data that indicates the security risk related classification into which the network traffic has been classified;
  
  send the tagged network traffic, including the classification data, down each of a plurality of parallel paths, each path having associated with it one or more inline security measures configured to apply to the tagged network traffic one or more types of network security threat detection processing to an extent determined based at least in part on the classification data, wherein the same tagged network traffic is sent down each of the plurality of parallel paths;
  
  process the tagged network traffic sent down each of the plurality of parallel paths according to the respective one or more inline security measures based at least in part on the classification data, wherein processing the tagged network traffic sent down each of the plurality of parallel paths comprises dropping the tagged network traffic if the tagged network traffic fails a security check and forwarding the tagged network traffic if the tagged network traffic passes the security check;
  
  determining whether the forwarded network traffic was received from a minimum number of the plurality of parallel paths; and
  
  transmitting the forwarded network traffic based on the determination that the forwarded network traffic was received from at least the minimum number of the plurality of parallel paths.

9. A non-transitory computer readable storage medium having embodied thereon computer instructions which when executed by a computer cause the computer to perform a method comprising the steps of:
- classifying network traffic with a security risk related classification, the classification being determined at least in part by applying a threat detection heuristic to at least a portion of the network traffic;
  
  tagging the network traffic with classification data that indicates the security risk related classification into which the network traffic has been classified;
  
  sending the tagged network traffic, including the classification data, down each of a plurality of parallel paths, each path having associated with it one or more inline security measures configured to apply to the tagged network traffic one or more types of network security threat detection processing to an extent determined based at least in part on the classification data, wherein the same tagged network traffic is sent down each of the plurality of parallel paths;
  
  processing the tagged network traffic sent down each of the plurality of parallel paths according to the respective one or more inline security measures based at least in part on the classification data, wherein processing the tagged network traffic sent down each of the plurality of parallel paths comprises dropping the tagged network traffic if the tagged network traffic fails a security check and forwarding the tagged network traffic if the tagged network traffic passes the security check;
  
  determining whether the forwarded network traffic was received from a minimum number of the plurality of parallel paths; and
  
  transmitting the forwarded network traffic based on the determination that the forwarded network traffic was received from at least the minimum number of the plurality of parallel paths.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Bennett, Jeremy
Primary Examiner(s)
Song; Hosuk
Assistant Examiner(s)
Schwartz; Darren B

Application Number

US11/016,535
Time in Patent Office

2,328 Days
Field of Search

370/234, 370/464, 709/224, 713153-154, 726 11- 13, 726 22- 25
US Class Current

726/23
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1433 Vulnerability analysis

Differential threat detection processing

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Differential threat detection processing

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links