Systems and methods for processing data flows

US 8,402,540 B2
Filed: 10/24/2007
Issued: 03/19/2013
Est. Priority Date: 09/25/2000
Status: Expired due to Term

- Alert
- Pin

First Claim

Patent Images

1. A method of securing a plurality of virtual networks with a virtualized network security system (VNSS), comprising:

providing a plurality of flow processors, each configured as elements of the VNSS for processing a data flow, said data flow being transferred between a first port and a second port of the VNSS, the data flow comprising subscriber profile data;

establishing a first security policy for a first virtual network based at least in part on the subscriber profile data included in the data flow;

establishing a second security policy for a second virtual network based at least in part on the subscriber profile data included in the data flow;

processing the data flow received at said first port for the first and second virtual networks through at least one of the plurality of flow processors, wherein portions of the data flow that are associated with the first virtual network are processed according to the first security policy, and wherein portions of the data flow that are associated with the second virtual network are processed according to the second security policy, said processing further comprising;

making a first determination, in accordance with one of the first security policy and the second security policy, of abnormalities that are associated with the data flow, the first determination based at least in part on the subscriber identified by the subscriber profile data; and

making a second determination, in accordance with one of the first security policy and the second security policy, based at least in part on the subscriber identified by the subscriber profile data, andtransferring said data flow to said second port.

View all claims

13 Assignments

Timeline View

Assignment View

Litigations

1 Petition

Accused Products

Abstract

A flow processing facility, which uses a set of artificial neurons for pattern recognition, such as a self-organizing map, in order to provide security and protection to a computer or computer system supports unified threat management based at least in part on patterns relevant to a variety of types of threats that relate to computer systems, including computer networks. Flow processing for switching, security, and other network applications, including a facility that processes a data flow to address patterns relevant to a variety of conditions are directed at internal network security, virtualization, and web connection security. A flow processing facility for inspecting payloads of network traffic packets detects security threats and intrusions across accessible layers of the IP-stack by applying content matching and behavioral anomaly detection techniques based on regular expression matching and self-organizing maps. Exposing threats and intrusions within packet payload at or near real-time rates enhances network security from both external and internal sources while ensuring security policy is rigorously applied to data and system resources. Intrusion Detection and Protection (IDP) is provided by a flow processing facility that processes a data flow to address patterns relevant to a variety of types of network and data integrity threats that relate to computer systems, including computer networks.

Citations

18 Claims

1. A method of securing a plurality of virtual networks with a virtualized network security system (VNSS), comprising:
- providing a plurality of flow processors, each configured as elements of the VNSS for processing a data flow, said data flow being transferred between a first port and a second port of the VNSS, the data flow comprising subscriber profile data;
  
  establishing a first security policy for a first virtual network based at least in part on the subscriber profile data included in the data flow;
  
  establishing a second security policy for a second virtual network based at least in part on the subscriber profile data included in the data flow;
  
  processing the data flow received at said first port for the first and second virtual networks through at least one of the plurality of flow processors, wherein portions of the data flow that are associated with the first virtual network are processed according to the first security policy, and wherein portions of the data flow that are associated with the second virtual network are processed according to the second security policy, said processing further comprising;
  
  making a first determination, in accordance with one of the first security policy and the second security policy, of abnormalities that are associated with the data flow, the first determination based at least in part on the subscriber identified by the subscriber profile data; and
  
  making a second determination, in accordance with one of the first security policy and the second security policy, based at least in part on the subscriber identified by the subscriber profile data, andtransferring said data flow to said second port.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the data flow is comprised of data packets.
  - 3. The method of claim 2, wherein the portions of the data flow associated with the first virtual network comprise the data packets associated with the first virtual network, and wherein the portions of the data flow associated with the second virtual network comprise the data packets associated with the second virtual network.
  - 4. The method of claim 1, wherein each virtual network supports one or more of an enterprise, individual user, home user, home office user, service provider, security provider, central office, remote office, data provider, university, social club, public facility, library, town offices, state offices, federal offices, and virtual private network.
  - 5. The method of claim 1, wherein each security policy supports one or more of unified threat management, intrusion detection, intrusion prevention, intrusion detection and prevention, internet firewall, URL filtering, anti-virus, anti-spam, anti-spyware, http scanning, application firewall, xml firewall, and vulnerability scanning.

6. A method of configuring virtual network security in a virtualized network security system (VNSS), comprising:
- configuring two or more of a plurality of flow processing facilities into a VNSS, said data flow being transferred between a first port and a second port of the VNSS, the data flow comprising subscriber profile data;
  
  connecting a network management facility with the plurality of flow processing facilities through the VNSS;
  
  establishing a first security policy for a first virtual network based at least in part on the subscriber profile data included in the data flow;
  
  establishing a second security policy for a second virtual network based at least in part on the subscriber profile data included in the data flow; and
  
  managing the first and second security policies, wherein the two or more flow processing facilities in the VNSS receive and execute the first and second security policies while receiving said data flow on said plurality of first ports and transferring said data flow to said plurality of second ports, said managing further comprising;
  
  making a first determination, in accordance with one of the first security policy and the second security policy, of abnormalities that are associated with the data flow, the first determination based at least in part on the subscriber identified by the subscriber profile data; and
  
  making a second determination, in accordance with one of the first security policy and the second security policy, based at least in part on the subscriber identified by the subscriber profile data.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The method of claim 6, wherein managing comprises updating the two or more flow processing facilities simultaneously.
  - 8. The method of claim 6, wherein each of the two or more flow processing facilities are connected to different virtual network segments.
  - 9. The method of claim 6, wherein at least one of the two or more flow processing facilities is located remotely from the others of the two or more flow processing facilities.
  - 10. The method of claim 9, wherein at least one of the two or more flow processing facilities connects to the others of the two or more flow processing facilities through the internet.
  - 11. The method of claim 6, wherein at least one of the first security policy and the second security policy of is managed by the network management facility.
  - 12. The method of claim 6, further comprising:
    - routing different portions of the data flow through a switch fabric to each of the two or more flow processing facilities.

13. A virtualized network security system (VNSS) comprising:
- a plurality of flow processing facilities configured as elements of the VNSS for processing a data flow, said data flow being transferred between a first port and a second port of the VNSS, the data flow comprising subscriber profile data;
  
  a network management facility that is networked with the plurality of flow processing facilities; and
  
  a first security policy for a first virtual network, based at least in part on the subscriber profile data included in the data flow;
  
  a second security policy for a second virtual network, based at least in part on the subscriber profile data included in the data flow, wherein the two or more flow processing facilities receive at least one of the first security policy and the second security policy while receiving said data flow on said plurality of first ports and transferring said data flow to said plurality of second ports,wherein the plurality of flow processing facilities make a first determination, in accordance with one of the first security policy and the second security policy, of abnormalities that are associated with the data flow, the first determination based at least in part on the subscriber identified by the subscriber profile data; and
  
  wherein the plurality of flow processing facilities make a second determination, in accordance with one of the first security policy and the second security policy, based at least in part on the subscriber identified by the subscriber profile data.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, wherein the network management facility updates updating the two or more flow processing facilities simultaneously.
  - 15. The system of claim 13, wherein each of the two or more flow processing facilities are connected to different virtual network segments.
  - 16. The system of claim 13, wherein at least one of the two or more flow processing facilities is located remotely from the others of the two or more flow processing facilities.
  - 17. The system of claim 16, wherein at least one of the two or more flow processing facilities connects to the others of the two or more flow processing facilities through the internet.
  - 18. The system of claim 13, further comprising:
    - a switch fabric for routing different portions of the data flow to each of the two or more flow processing facilities.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Crossbeam Systems Incorporated (Gen Digital Inc.)
Inventors
Kapoor, Harsh, Akerman, Moisey, Justus, Stephen D., Ferguson, JC, Korsunsky, Yevgeny, Gallo, Paul S., Lee, Charles Ching, Martin, Timothy M., Fu, Chunsheng, Xu, Weidong
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
Anderson, Michael D

Application Number

US11/877,819
Publication Number

US 20080162390A1
Time in Patent Office

1,973 Days
Field of Search

709/224, 726/22
US Class Current

726/23
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/577   Assessing vulnerabilities a...

G06F 9/505   considering the load

G06N 3/047   Probabilistic or stochastic...

H04L 2463/141   Denial of service attacks a...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/1483   service impersonation, e.g....

H04L 63/164   at the network layer

H04L 63/166   at the transport layer

H04L 67/10   in which an application is ...

H04L 67/306   User profiles

H04L 67/34   involving the movement of s...

H04L 67/62   Establishing a time schedul...

H04L 67/63   Routing a service request d...

H04L 69/329   in the application layer [O...

H04L 9/40 : Network security protocols

View All

Systems and methods for processing data flows

First Claim

13 Assignments

Litigations

1 Petition

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for processing data flows

First Claim

13 Assignments

Subscription Required

Subscription Required

Litigations

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links