Systems and methods for message threat management
First Claim
1. A data traffic management system, the system comprising:
a communication interface adapted to allow communication between the management system and a network;
a system data store comprising one or more data storage elements, wherein the system data store is capable of storing:
one or more sets of data traffic management goals; and
classification information;
a system processor in communication with the communication interface and the system data store, wherein the system processor comprises one or more processing elements and the one or more processing elements are programmed or adapted to:
receive a data packet directed to or from a recipient system;
apply one or more tests to the received data packet, wherein each of the one or more tests evaluates the received data packet based upon the classification information;
identify a classification associated with the received data packet based upon the applied one or more tests and the classification information, the classification identifying one or more types of traffic comprised by the received data packet identified by the one or more tests; and
throttle traffic associated with the data packet, the throttling based upon the classifications identified for the data packet and based upon the one or more sets of data traffic management goals, and wherein the throttling of traffic throttles excessive numbers of incoming connections per second to levels manageable by internal application servers, and wherein the traffic management goals are derived from goal-based testing comprising:
receiving threat information from one or more sources;
reducing the threat information into a canonical form;
extracting features from the reduced threat information;
producing rules based on the features and the traffic management goals;
testing the rules against sets of test data and comparing the outcome of the testing to the traffic management goals;
refining the rules if one or more tests fail until the tests succeed within an acceptable margin of error; and
propagating the rules to one or more application layer security systems, wherein the application layer security systems, implementing the rules, achieve the traffic management goals.
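The goal-based testing loop and the classification-driven connection throttle recited in claim 1 (and repeated in claims 12 and 22) are shown below as an added worked example. This is illustrative code written for this page, not the patent's implementation or any product's code. The two report formats, the IP addresses, the feature definitions, the goal values, the labelled test data, the step size and margin, and every function name are constructed assumptions; propagation to application-layer security systems is represented only by returning the refined rule.

```python
"""Illustration of the claimed pipeline: canonicalize threat reports, extract
features, derive a rule, refine it against goals on test data, then classify
and throttle connections per second.  Everything here is constructed."""
from collections import defaultdict, deque

# Constructed threat reports in two hypothetical source formats: a dict export
# from an external database and an "ip verdict count" text line from an SMTP gateway.
RAW_REPORTS = [
    {"src": "extdb", "ip": "203.0.113.7", "cat": "SPAM-SOURCE", "seen": 12},
    {"src": "extdb", "ip": "198.51.100.9", "cat": "Scanner", "seen": 40},
    ("smtp-gw", "203.0.113.7 spam 30"),
    ("smtp-gw", "192.0.2.44 clean 5"),
]

# Constructed labelled test data: (hostile sightings for a sender, truly hostile?).
TEST_DATA = [(42, True), (35, True), (50, True), (28, True), (60, True), (33, True),
             (45, True), (8, True), (0, False), (2, False), (5, False), (1, False),
             (10, False), (3, False), (0, False), (20, False)]

# Constructed traffic management goals: accuracy targets for the rule and the
# connections-per-second budget the internal application servers can absorb per class.
GOALS = {"max_fpr": 0.10, "min_recall": 0.85, "cps": {"hostile": 2, "unknown": 50}}


def canonicalize(report):
    """Reduce a source-specific report to one canonical record."""
    if isinstance(report, dict):
        cat = report["cat"].lower().replace("-source", "")
        return {"src": report["src"], "ip": report["ip"], "category": cat, "count": report["seen"]}
    src, line = report
    ip, cat, n = line.split()
    return {"src": src, "ip": ip, "category": cat.lower(), "count": int(n)}


def extract_features(records):
    """Per-IP features: total hostile sightings and the set of sources reporting them."""
    feats = defaultdict(lambda: {"hostile": 0, "sources": set()})
    for r in records:
        f = feats[r["ip"]]            # creates an all-clean entry for benign-only senders
        if r["category"] != "clean":
            f["hostile"] += r["count"]
            f["sources"].add(r["src"])
    return feats


def evaluate(rule, test_data):
    """Return (false-positive rate, recall) of a threshold rule on labelled test data."""
    fp = tp = benign = hostile = 0
    for count, is_hostile in test_data:
        flagged = count >= rule["min_hostile"]
        if is_hostile:
            hostile += 1
            tp += flagged
        else:
            benign += 1
            fp += flagged
    return fp / benign, tp / hostile


def refine_rule(goals, test_data, margin=0.03, step=5, max_rounds=50):
    """Goal-based testing: adjust the threshold until FPR and recall meet the goals within margin."""
    rule = {"min_hostile": 1}
    for _ in range(max_rounds):
        fpr, recall = evaluate(rule, test_data)
        if fpr <= goals["max_fpr"] + margin and recall >= goals["min_recall"] - margin:
            return rule                                   # ready to propagate
        if fpr > goals["max_fpr"] + margin:
            rule["min_hostile"] += step                   # throttling too many benign senders: tighten
        else:
            rule["min_hostile"] = max(1, rule["min_hostile"] - step)  # missing hostile senders: loosen
    raise RuntimeError("rule did not converge to the goals")


def classify(ip, feats, rule):
    """Classify a connection by its source IP against the refined rule."""
    f = feats.get(ip)
    return "hostile" if f and f["hostile"] >= rule["min_hostile"] else "unknown"


class ConnectionThrottle:
    """Per-class sliding one-second window limiting new connections per second."""
    def __init__(self, cps_limits):
        self.limits = cps_limits
        self.windows = defaultdict(deque)

    def admit(self, cls, now):
        q = self.windows[cls]
        while q and now - q[0] >= 1.0:   # drop timestamps older than one second
            q.popleft()
        if len(q) >= self.limits[cls]:
            return False                  # over budget for this class: throttle
        q.append(now)
        return True


def run_pipeline():
    records = [canonicalize(r) for r in RAW_REPORTS]
    feats = extract_features(records)
    rule = refine_rule(GOALS, TEST_DATA)
    throttle = ConnectionThrottle(GOALS["cps"])
    # Constructed burst: four connections from the hostile sender within the same second.
    admitted = [throttle.admit(classify("203.0.113.7", feats, rule), t) for t in (0.0, 0.1, 0.2, 0.3)]
    return {"rule": rule, "classes": {ip: classify(ip, feats, rule) for ip in feats}, "admitted": admitted}


if __name__ == "__main__":
    print(run_pipeline())
```

With the constructed data the loop tightens the threshold twice (1, 6, 11) before both the false-positive and recall goals hold within the margin; the resulting rule flags the two senders reported as spam or scanning, leaves the clean-only sender unclassified, and the throttle admits only the first two hostile connections in any one-second window.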
Abstract
The present invention is directed to systems and methods for detecting unsolicited and threatening communications and communicating threat information related thereto. Threat information is received from one or more sources; such sources can include external security databases and threat information data from one or more application and/or network layer security systems. The received threat information is reduced into a canonical form. Features are extracted from the reduced threat information; these features in conjunction with configuration data such as goals are used to produce rules. In some embodiments, these rules are tested against one or more sets of test data and compared against the same or different goals; if one or more tests fail, the rules are refined until the tests succeed within an acceptable margin of error. The rules are then propagated to one or more application layer security systems.
24 Claims
1. A data traffic management system (independent claim; text as given above under First Claim).
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. A computer-implemented method comprising:
receiving a traffic stream through a communication interface, the traffic stream comprising a plurality of data packets;
storing the packets in computer memory;
applying a plurality of tests to at least one of the plurality of data packets, each of the plurality of tests being operable to identify a characteristic associated with said at least one of the plurality of data packets;
determining a classification associated with the traffic stream based upon results associated with each of the application of the plurality of tests to said at least one of the plurality of data packets; and
throttling, using one or more processors, the traffic stream based upon the determined classification associated with the traffic stream and based upon the one or more sets of data traffic management goals, wherein the throttling of the traffic stream throttles excessive numbers of incoming connections per second to levels manageable by internal application servers, and wherein the traffic management goals are derived from goal-based testing comprising:
receiving threat information from one or more sources;
reducing the threat information into a canonical form;
extracting features from the reduced threat information;
producing rules based on the features and the traffic management goals;
testing the rules against sets of test data and comparing the outcome of the testing to the traffic management goals;
refining the rules if one or more tests fail until the tests succeed within an acceptable margin of error; and
propagating the rules to one or more application layer security systems, wherein the application layer security systems, implementing the rules, achieve the traffic management goals.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21.
22. Non-transitory computer readable media storing instructions that upon execution are operable to cause one or more processors to perform operations comprising:
receiving a traffic stream comprising a plurality of data packets;
applying a plurality of tests to at least one of the plurality of data packets, each of the plurality of tests being operable to identify a characteristic associated with the traffic stream, the characteristics comprising points of comparison between the traffic stream and known classifications of traffic streams;
determining a classification associated with the traffic stream based upon results associated with each of the application of the plurality of tests to said at least one of the plurality of data packets;
throttling the traffic stream based upon the determined classification associated with the traffic stream and based upon the one or more sets of data traffic management goals, and wherein the throttling of the traffic stream throttles excessive numbers of incoming connections per second to levels manageable by internal application servers, and wherein the traffic management goals are derived from goal-based testing comprising:
receiving threat information from one or more sources;
reducing the threat information into a canonical form;
extracting features from the reduced threat information;
producing rules based on the features and the traffic management goals;
testing the rules against sets of test data and comparing the outcome of the testing to the traffic management goals;
refining the rules if one or more tests fail until the tests succeed within an acceptable margin of error; and
propagating the rules to one or more application layer security systems, wherein the application layer security systems, implementing the rules, achieve the traffic management goals.
Dependent claims: 23, 24.