Systems and methods for processing data flows

US 8,135,657 B2
Filed: 08/24/2011
Issued: 03/13/2012
Est. Priority Date: 09/25/2000
Status: Active Grant

First Claim

Patent Images

1. A method in a flow processing facility for securing a computer resource, comprising:

providing a data flow processing facility comprising a plurality of network addressable data processing modules;

receiving a data flow;

identifying data packets associated with a subscriber profile in the data flow;

employing a policy to make a determination, the determination indicating which of a plurality of network addresses of the plurality of the network addressable data processing modules to select for first processing of the identified data packets based on at least one of the subscriber profile in the data flow and the policy;

accessing a configuration, the configuration associating two or more processing actions with the policy;

delivering the identified data packets to a first network addressable data processing module for executing one of the actions that are associated with the policy, the first network addressable data processing module being accessible at the network address that the determination indicates, the one of the actions modifying the data flow;

determining a second network address of a network addressable data processing module for second processing of the identified data packets based on the configuration and at least one of the subscriber profile and the policy; and

delivering the identified data packets from the first network address to the second network address to secure a computer resource.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A flow processing facility, which uses a set of artificial neurons for pattern recognition, such as a self-organizing map, in order to provide security and protection to a computer or computer system supports unified threat management based at least in part on patterns relevant to a variety of types of threats that relate to computer systems, including computer networks. Flow processing for switching, security, and other network applications, including a facility that processes a data flow to address patterns relevant to a variety of conditions are directed at internal network security, virtualization, and web connection security. A flow processing facility for inspecting payloads of network traffic packets detects security threats and intrusions across accessible layers of the IP-stack by applying content matching and behavioral anomaly detection techniques based on regular expression matching and self-organizing maps. Exposing threats and intrusions within packet payload at or near real-time rates enhances network security from both external and internal sources while ensuring security policy is rigorously applied to data and system resources. Intrusion Detection and Protection (IDP) is provided by a flow processing facility that processes a data flow to address patterns relevant to a variety of types of network and data integrity threats that relate to computer systems, including computer networks.

466 Citations

19 Claims

1. A method in a flow processing facility for securing a computer resource, comprising:
- providing a data flow processing facility comprising a plurality of network addressable data processing modules;
  
  receiving a data flow;
  
  identifying data packets associated with a subscriber profile in the data flow;
  
  employing a policy to make a determination, the determination indicating which of a plurality of network addresses of the plurality of the network addressable data processing modules to select for first processing of the identified data packets based on at least one of the subscriber profile in the data flow and the policy;
  
  accessing a configuration, the configuration associating two or more processing actions with the policy;
  
  delivering the identified data packets to a first network addressable data processing module for executing one of the actions that are associated with the policy, the first network addressable data processing module being accessible at the network address that the determination indicates, the one of the actions modifying the data flow;
  
  determining a second network address of a network addressable data processing module for second processing of the identified data packets based on the configuration and at least one of the subscriber profile and the policy; and
  
  delivering the identified data packets from the first network address to the second network address to secure a computer resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein determining a second network address is performed by the network addressable data processing module for first processing of the identified data packets.
  - 3. The method of claim 2, wherein determining a second network address is based on a result of first processing.
  - 4. The method of claim 1, wherein delivering the identified data packets to at least one of the first network address and the second network address includes delivering the identified data packets through a network switch fabric.
  - 5. The method of claim 1, further including processing the data packets with a first application in the network addressable data processing module identified by the first network address.
  - 6. The method of claim 5, wherein the first application is based on the policy.
  - 7. The method of claim 5, further including processing the data packets with a second application in the network addressable data processing module identified by the second network address.
  - 8. The method of claim 7, wherein the second application is based on the policy.
  - 9. The method of claim 7, wherein the second application is based in part on a result of first processing.
  - 10. The method of claim 1, wherein identifying data packets associated with a subscriber profile is performed by a network processor module of the data flow processing facility.

11. A serial data flow processing facility to secure a computer resource, comprising:
- a plurality of network addressable data processing modules;
  
  a policy for applying to data packets;
  
  a network processor module for identifying data packets associated with a subscriber profile in a stream of data packets, determining a first network address of a network addressable data processing module of the plurality of network addressable data processing modules for first processing of the identified data packets based on at least one of the subscriber profile and the policy, and delivering the identified data packets to the first network address; and
  
  the network addressable data processing module at the first network address for first processing the identified data packets, determining a second network address of a network addressable data processing module of the plurality of network addressable data processing modules for second processing of the identified data packets based on at least one of the subscriber profile and the policy, and delivering data packets from the first network address to the second network address to secure a computer resource.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The serial data flow processing facility of claim 11, wherein determining a second network address is performed by the network addressable data processing module for first processing of the identified data packets.
  - 13. The serial data flow processing facility of claim 12, wherein the second network address is determined based on a result of first processing.
  - 14. The serial data flow processing facility of claim 11, further including a network switch fabric for delivering the identified data packets to at least one of the first network address and the second network address.
  - 15. The serial data flow processing facility of claim 11, wherein the network addressable data flow processor module at the first network address includes a processor and a first application for executing by the processor for first processing the data packets.
  - 16. The serial data flow processing facility of claim 15, wherein the first application is based on the policy.
  - 17. The serial data flow processing facility of claim 15, wherein the network addressable data flow processor module at the second network address includes a processor and a second application for executing by the processor for second processing the data packets.
  - 18. The serial data flow processing facility of claim 17, wherein the second application is based on the policy.
  - 19. The serial data flow processing facility of claim 17, wherein the second application is based in part on a result of first processing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Crossbeam Systems Incorporated (Gen Digital Inc.)
Inventors
Fu, Chunsheng, Xu, Weidong, Kapoor, Harsh, Akerman, Moisey, Justus, Stephen D., Ferguson, John C., Korsunsky, Yevgeny, Gallo, Paul S., Lee, Charles Ching, Martin, Timothy M.
Primary Examiner(s)
Gaffin, Jeffrey A
Assistant Examiner(s)
Kim, David H

Application Number

US13/216,739
Publication Number

US 20120017262A1
Time in Patent Office

202 Days
Field of Search

706/45
US Class Current

706/45
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/577   Assessing vulnerabilities a...

G06F 9/505   considering the load

G06N 3/047   Probabilistic or stochastic...

H04L 2463/141   Denial of service attacks a...

H04L 43/026   using flow identification

H04L 63/0227   Filtering policies mail mes...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/1483   service impersonation, e.g....

H04L 63/1491   using deception as counterm...

H04L 63/164   at the network layer

H04L 63/166   at the transport layer

H04L 67/10   in which an application is ...

H04L 67/306   User profiles

H04L 67/34   involving the movement of s...

H04L 67/62 : Establishing a time schedul...

H04L 67/63 : Routing a service request d...

H04L 69/329 : in the application layer [O...

H04L 9/40 : Network security protocols

View All

Systems and methods for processing data flows

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

466 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for processing data flows

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

466 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links