Packet classification in a network security device

US 8,009,566 B2
Filed: 06/26/2006
Issued: 08/30/2011
Est. Priority Date: 06/26/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a processor, a data packet;

examining the data packet to initially classify the data packet including initially classifying the data packet using information included in an header and content;

determining flow instructions for processing the data packet based on both the header and the content including determining, using at least one of the header or the content, whether the data packet is associated with a data flow that has previously been classified;

if the data flow has previously been classified, performing at least one of content based protocol decoding, content based object extraction, or content based pattern matching;

if the data flow has not previously been classified, processing the data packet based on whether the data flow is a known data flow;

updating the initial classification based on a processing result of one or more of the content based protocol decoding, content based object extraction, or content based pattern matching; and

using the updated classification to determine whether a next data flow has previously been classified.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatuses are described for inspecting data packets in a computer network. One or more data packets through the network have associated header data and content. One method includes receiving a data packet, examining the data packet to classify the data packet including classifying the data packet using information included in the header and content, determining flow instructions for processing the packet based on both the header information and the content and processing of the packet using the flow instructions.

109 Citations

View as Search Results

17 Claims

1. A method comprising:
- receiving, by a processor, a data packet;
  
  examining the data packet to initially classify the data packet including initially classifying the data packet using information included in an header and content;
  
  determining flow instructions for processing the data packet based on both the header and the content including determining, using at least one of the header or the content, whether the data packet is associated with a data flow that has previously been classified;
  
  if the data flow has previously been classified, performing at least one of content based protocol decoding, content based object extraction, or content based pattern matching;
  
  if the data flow has not previously been classified, processing the data packet based on whether the data flow is a known data flow;
  
  updating the initial classification based on a processing result of one or more of the content based protocol decoding, content based object extraction, or content based pattern matching; and
  
  using the updated classification to determine whether a next data flow has previously been classified.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 where examining the data packet includes classifying the data packet based on the content.
  - 3. The method of claim 1 where performing includes performing at least two of the content based protocol decoding, content based object extraction, and content based pattern matching.
  - 4. The method of claim 1 where performing includes performing content based protocol decoding, content based object extraction, and content based pattern matching.
  - 5. The method of claim 1 further comprising performing, based on a result of the content based protocol decoding, content based object extraction or content based pattern matching, an action selected from a group comprising logging, storing, allowing the packet to pass, setting an alarm, blocking, or dropping the packet.
  - 6. The method of claim 1, where processing the data packet based on whether the data flow is a known data flow includes:
    - determining the data flow is known but has not previously been classified;
      
      retrieving one or more previously received data packets associated with the data flow;
      
      processing the data packet and the one or more previously received data packets associated with the data flow including performing at least one of the content based protocol decoding, the content based object extraction or the content based pattern matching on the data packet and the one or more previously received data packets.
  - 7. The method of claim 1, where processing the data packet based on whether the data flow is a known data flow includes:
    - determining the data flow is unknown and has not previously been classified;
      
      associating a new session with the data packet;
      
      generating a new flow record associated with the data packet, the new flow record including information for the new session associated with the data packet; and
      
      processing the data packet based on the new flow record including performing at least one of the content based protocol decoding, the content based object extraction or the content based pattern matching on the data packet.

8. A method comprising:
- receiving, by a processor, a data packet;
  
  examining the data packet to initially classify the data packet including initially classifying the data packet using information included in a header portion of the data packet and separately initially classifying the data packet based on a content portion of the data packet where initially separately classifying the data packet based on the content includes determining an application associated with the packet;
  
  determining flow instructions for processing the data packet based on the information in the header portion;
  
  determining special processing instructions for processing the data packet based on the content portion and the application;
  
  determining selected instructions from among the flow and special processing instructions for processing the data packet including determining, using the selected instructions, whether the data packet is associated with a data flow that has previously been classified;
  
  if the data flow has previously been classified, performing at least one of content based protocol decoding, content based object extraction, or content based pattern matching; and
  
  if the data flow has not previously been classified, processing the data packet based on whether the data flow is a known data flow;
  
  where the special processing instructions include instructions to update the initial classification based on a processing result of one or more of the content based protocol decoding, content based object extraction, or content based pattern matching, and additional instructions to use the updated classification to determine whether the data flow has previously been classified.
- View Dependent Claims (9, 10, 11)
- - 9. The method of claim 8 where the special processing instructions include instructions to perform at least two of the content based object extraction, content based pattern matching, or content based protocol decoding based on the application.
  - 10. The method of claim 8 where the special processing instructions include instructions to perform content based protocol decoding, content based object extraction, and content based pattern matching based on the application.
  - 11. The method of claim 8 further comprising performing, based on a result of the content based protocol decoding, content based object extraction or content based pattern matching, an action selected from a group comprising logging, storing, allowing the packet to pass, setting an alarm, blocking, or dropping the data packet.

12. A device comprising:
- a multi-mode classification engine for classifying received data packets, the multi-mode classification engine including;
  
  a header classification engine for classifying data packets in accordance with header data associated with the data packets, the header classification engine generating first classification data; and
  
  a content classification engine for initially classifying data packets in accordance with content of the data packets, the content classification engine generating second classification data including data about which application is associated with the data packets, the content classification engine is further configured to;
  
  determine, using at least one of the header data or the content, whether the received data packets are associated with a data flow that has previously been classified; and
  
  a security block for evaluating the data packets including evaluating the data packets using both of the first and the second classification data including the application data, the security block is further configured to;
  
  perform content based pattern matching on the received data packets if the data flow has previously been classified; and
  
  process the received data packets based on whether the data flow is a known data flow if the data flow has not previously been classified;
  
  where the content classification engine is further operable to update the second classification data based on a processing result of one or more of content based protocol decoding, content based object extraction or content based pattern matching; and
  
  where the security block is operable to evaluate the received data packets based on the updated second classification data.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The device of claim 12 further comprisinga protocol block operable to receive the second classification data from the multi-mode classification engine and provide content based protocol decoding of received data packets based on the application.
  - 14. The device of claim 12 further comprising an object extraction block operable to receive the second classification data from the multi-mode classification engine and provide content based object extraction of received data packets based on the application.
  - 15. The device of claim 12 where the multi-mode classification engine further comprises a session manager for determining session data associated with the data packets.
  - 16. The device of claim 12 where the multi-mode classification engine further comprises rules indexed by the second classification data and based on the application.
  - 17. The device of claim 12 where the content classification engine includes a signature matching engine and a signature database for use by the signature matching engine that includes one or more patterns.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Zuk, Nir, Wang, Song, Leung, Siu-Wang, Gong, Fengmin
Primary Examiner(s)
Yao; Kwang B
Assistant Examiner(s)
Bokhari; Syed M

Application Number

US11/475,393
Publication Number

US 20070297333A1
Time in Patent Office

1,891 Days
Field of Search

370/351, 370/229, 370/389, 370/315, 709/219, 709/206, 711/122, 726/23, 726/22, 713/201, 395/500
US Class Current

370/235
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/1416 Event detection, e.g. attac...

Packet classification in a network security device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

109 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Packet classification in a network security device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links