Systems and methods for processing data flows

US 7,979,368 B2
Filed: 10/29/2007
Issued: 07/12/2011
Est. Priority Date: 07/01/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method in a flow processing facility for securing a computer resource, comprising:

providing a data flow processing facility comprising a plurality of network addressable data processing modules;

receiving a data flow;

identifying data packets associated with a subscriber profile in the data flow;

employing a policy to make a determination, the determination indicating a first plurality of network addresses of a portion of the plurality of network addressable data processing modules for processing the identified data packets based on at least one of the subscriber profile in the data flow and the policy;

accessing a configuration, the configuration associating one or more processing actions with the policy;

delivering the identified data packets in parallel to each of the first plurality of network addresses that the determination indicates; and

processing the identified data packets with the one or more processing actions in each of the network addressable data processing modules identified by the first plurality of network addresses to secure a computer resource.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A flow processing facility, which uses a set of artificial neurons for pattern recognition, such as a self-organizing map, in order to provide security and protection to a computer or computer system supports unified threat management based at least in part on patterns relevant to a variety of types of threats that relate to computer systems, including computer networks. Flow processing for switching, security, and other network applications, including a facility that processes a data flow to address patterns relevant to a variety of conditions are directed at internal network security, virtualization, and web connection security. A flow processing facility for inspecting payloads of network traffic packets detects security threats and intrusions across accessible layers of the IP-stack by applying content matching and behavioral anomaly detection techniques based on regular expression matching and self-organizing maps. Exposing threats and intrusions within packet payload at or near real-time rates enhances network security from both external and internal sources while ensuring security policy is rigorously applied to data and system resources. Intrusion Detection and Protection (IDP) is provided by a flow processing facility that processes a data flow to address patterns relevant to a variety of types of network and data integrity threats that relate to computer systems, including computer networks.

67 Citations

View as Search Results

18 Claims

1. A method in a flow processing facility for securing a computer resource, comprising:
- providing a data flow processing facility comprising a plurality of network addressable data processing modules;
  
  receiving a data flow;
  
  identifying data packets associated with a subscriber profile in the data flow;
  
  employing a policy to make a determination, the determination indicating a first plurality of network addresses of a portion of the plurality of network addressable data processing modules for processing the identified data packets based on at least one of the subscriber profile in the data flow and the policy;
  
  accessing a configuration, the configuration associating one or more processing actions with the policy;
  
  delivering the identified data packets in parallel to each of the first plurality of network addresses that the determination indicates; and
  
  processing the identified data packets with the one or more processing actions in each of the network addressable data processing modules identified by the first plurality of network addresses to secure a computer resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein processing the data packets is based on the policy.
  - 3. The method of claim 1, wherein processing the data packets in each of the network addressable data processing modules comprises:
    - processing the data packets in a first of the network addressable data processing modules with a first application; and
      
      processing the data packets in a second of the network addressable data processing modules with a second application.
  - 4. The method of claim 3, wherein the first application is based on the policy.
  - 5. The method of claim 3, wherein the first application is based on the subscriber profile.
  - 6. The method of claim 3, wherein the second application is based on the policy.
  - 7. The method of claim 1, wherein delivering the identified data packets in parallel to each of the first plurality of determined network addresses includes delivering the identified data packets through a network switch fabric.
  - 8. The method of claim 1, wherein identifying data packets associated with a subscriber profile is performed by a network processor module of the data flow processing facility.
  - 9. The method of claim 8, further including delivering data packets from at least one of the network addressable data processing modules identified by the first plurality of network addresses to the network processor module based on a network address of the network processor module.
  - 10. The method of claim 1, wherein employing the policy is based on the subscriber profile.

11. A parallel data flow processing facility to secure a computer resource, comprising:
- a plurality of network addressable data processing modules;
  
  a policy for applying to data packets;
  
  a network processor module for identifying data packets associated with a subscriber profile in a stream of data packets, determining a first plurality of network addresses of a portion of the plurality of network addressable data processing modules for processing the identified data packets based on at least one of the subscriber profile and the policy, and delivering the identified data packets in parallel to each of the first plurality of determined network addresses; and
  
  the network addressable data processing modules identified by the first plurality of network addresses for processing the delivered data packets to secure a computer resource.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The parallel data flow processing facility of claim 11, wherein processing the delivered data packets is based on the policy.
  - 13. The parallel data flow processing facility of claim 11, wherein processing the delivered data packets includes:
    - processing the data packets in a first of the network addressable data processing modules identified by the first plurality of network addresses with a first application; and
      
      processing the data packets in a second of the network addressable data processing modules identified by the first plurality of network addresses with a second application.
  - 14. The parallel data flow processing facility of claim 13, wherein the first application is based on the policy.
  - 15. The parallel data flow processing facility of claim 13, wherein the first application is based on the subscriber profile.
  - 16. The parallel data flow processing facility of claim 13, wherein the second application is based on the policy.
  - 17. The parallel data flow processing facility of claim 11, further including a network switch fabric for delivering the identified data packets in parallel to each of the first plurality of determined network addresses.
  - 18. The parallel data flow processing facility of claim 11, wherein the policy is based on the subscriber profile.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Crossbeam Systems Incorporated (Gen Digital Inc.)
Inventors
Kapoor, Harsh, Akerman, Moisey, Justus, Stephen D., Ferguson, John C., Korsunsky, Yevgeny, Gallo, Paul S., Lee, Charles Ching, Martin, Timothy M., Fu, Chunsheng, Xu, Weidong
Primary Examiner(s)
STARKS, WILBERT L

Application Number

US11/926,307
Publication Number

US 20080262991A1
Time in Patent Office

1,352 Days
Field of Search

706/20, 706/45
US Class Current

706/20
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 2463/141   Denial of service attacks a...

H04L 63/14   for detecting or protecting...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Systems and methods for processing data flows

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

67 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for processing data flows

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links