Computerized system and method for advanced network content processing

US 8,468,589 B2
Filed: 01/13/2006
Issued: 06/18/2013
Est. Priority Date: 01/13/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving a plurality of packets at a first interface of a multi-purpose network protection firewall device including one or more processors and a memory;

identifying a transmission protocol according to which network content distributed among a subset of packets of the plurality of packets is formatted as an instant messaging (IM) protocol;

using information regarding the identified transmission protocol to redirect the subset of packets to a proxy module integrated within the multi-purpose protection firewall device;

extracting the network content from the subset of packets and buffering at least a portion of the network content by the proxy module;

processing, by the proxy module, the buffered portion of the network content in accordance with at least one content processing rule selected from a plurality of content processing rules based on the identified transmission protocol;

identifying a second transmission protocol according to which network content distributed among a second subset of packets of the plurality of packets is formatted;

using information regarding the identified second transmission protocol to redirect the second subset of packets to a second proxy module integrated within the multi-purpose protection firewall device;

wherein the second transmission protocol is distinct from the transmission protocol;

wherein the processing comprises filtering the buffered portion of the network content;

wherein the plurality of content processing rules includes one or more content filtering rules; and

wherein the proxy module is implemented at least in part by the one or more processors and the memory, the memory having instructions tangibly embodied therein representing at least a portion of the proxy module that are executable by the one or more processors.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized system and method for processing network content in accordance with at least one content processing rule. In accordance with the inventive method, the network content is received at a first interface. The inventive system identifies a transmission protocol information of the received network content and uses the identified transmission protocol information to intercept at least a portion of the received network content formatted in accordance with a transmission protocol. The intercepted portion of the network content is redirected to a proxy, which buffers the redirected portion of network content. The buffered network content is scanned in accordance with a scanning criterion and processed in accordance with the at least one content processing rule based on the result of the scanning. The processed portion of network content may be forwarded using the second interface.

32 Citations

View as Search Results

76 Claims

1. A computer-implemented method comprising:
- receiving a plurality of packets at a first interface of a multi-purpose network protection firewall device including one or more processors and a memory;
  
  identifying a transmission protocol according to which network content distributed among a subset of packets of the plurality of packets is formatted as an instant messaging (IM) protocol;
  
  using information regarding the identified transmission protocol to redirect the subset of packets to a proxy module integrated within the multi-purpose protection firewall device;
  
  extracting the network content from the subset of packets and buffering at least a portion of the network content by the proxy module;
  
  processing, by the proxy module, the buffered portion of the network content in accordance with at least one content processing rule selected from a plurality of content processing rules based on the identified transmission protocol;
  
  identifying a second transmission protocol according to which network content distributed among a second subset of packets of the plurality of packets is formatted;
  
  using information regarding the identified second transmission protocol to redirect the second subset of packets to a second proxy module integrated within the multi-purpose protection firewall device;
  
  wherein the second transmission protocol is distinct from the transmission protocol;
  
  wherein the processing comprises filtering the buffered portion of the network content;
  
  wherein the plurality of content processing rules includes one or more content filtering rules; and
  
  wherein the proxy module is implemented at least in part by the one or more processors and the memory, the memory having instructions tangibly embodied therein representing at least a portion of the proxy module that are executable by the one or more processors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 2. The computer-implemented method of claim 1, wherein an additional content processing rule is selected from the plurality of content processing rules based on traffic selectors associated with the network content.
  - 3. The computer-implemented method of claim 1, further comprising forwarding the processed portion of the network content to a destination using a second interface.
  - 4. The computer-implemented method of claim 3, wherein at least one of the first and second interfaces are networking interfaces selected from a group consisting of a Virtual Local Area Network (VLAN) interface, a Point-to-Point Protocol over Ethernet (PPPoE) interface and an Internet Protocol Security (IPsec) tunnel interface.
  - 5. The computer-implemented method of claim 1, further comprising:
    - identifying a second transmission protocol according to which network content distributed among a second subset of packets of the plurality of packets is formatted;
      
      using information regarding the identified second transmission protocol to redirect the second subset of packets to a second proxy module integrated within the multi-purpose network protection firewall device; and
      
      wherein the second transmission protocol is the (IM) protocol, another (IM) protocol type, a peer-to-peer protocol type, an e-mail protocol type, a web browsing protocol type, a file sharing protocol type or a network news protocol type.
  - 6. The computer-implemented method of claim 1, further comprising:
    - identifying a second transmission protocol according to which network content distributed among a second subset of packets of the plurality of packets is formatted;
      
      using information regarding the identified second transmission protocol to redirect the second subset of packets to a second proxy module integrated within the multi-purpose protection firewall device; and
      
      wherein the second transmission protocol is Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP), Internet Message Access Protocol (IMAP), Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP) or telnet protocol.
  - 7. The computer-implemented method of claim 5, further comprising anti-malware scanning of network content distributed among the second subset of packets.
  - 8. The computer-implemented method of claim 5, further comprising scanning network content distributed among the second subset of packets for unsolicited advertising in accordance with at least one scanning criterion.
  - 9. The computer-implemented method of claim 5, further comprising scanning network content distributed among the second subset of packets for phishing attempts in accordance with at least one scanning criterion.
  - 10. The computer-implemented method of claim 5, further comprising scanning network content distributed among the second subset of packets for patterns relating to terrorism or criminal activities in accordance with at least one scanning criterion.
  - 11. The computer-implemented method of claim 5, further comprising detecting at least one nonsensical message within network content distributed among the second subset of packets.
  - 12. The computer-implemented method of claim 1, wherein the processing comprises scanning the buffered portion of the network content for at least one predetermined word.
  - 13. The computer-implemented method of claim 1, wherein the processing comprises scanning the buffered portion of the network content in accordance with at least one scanning criterion.
  - 14. The computer-implemented method of claim 13, wherein the processing further comprises blocking content that has been identified during the scanning operation.
  - 15. The computer-implemented method of claim 13, wherein the processing further comprises inserting an administrative message into content that has been identified during the scanning operation.
  - 16. The computer-implemented method of claim 13, wherein the processing further comprises logging content that has been identified during the scanning operation.
  - 17. The computer-implemented method of claim 13, wherein the processing further comprises altering content that has been identified during the scanning operation.
  - 18. The computer-implemented method of claim 17, wherein altering comprises masking content that has been identified during the scanning operation.
  - 19. The computer-implemented method of claim 13, wherein the processing further comprises dropping a network connection associated with content that has been identified during the scanning operation.
  - 20. The computer-implemented method of claim 13, wherein the processing further comprises delaying content that has been identified during the scanning operation.
  - 21. The computer-implemented method of claim 13, wherein the processing further comprises archiving content that has been identified during the scanning operation.
  - 22. The computer-implemented method of claim 13, wherein processing comprises generating at least one alert based on content that has been identified during the scanning operation.
  - 23. The computer-implemented method of claim 13, wherein processing comprises performing an authentication operation based on content that has been identified during the scanning operation.
  - 24. The computer-implemented method of claim 13, wherein the at least one scanning criterion is selected from a plurality of scanning criteria based on connection information associated with the network content and wherein the connection information comprises at least one of a group consisting of the identified transmission protocol, a source Internet Protocol (IP) address, a destination IP address, a source port number, a destination port number, a source firewall interface, a destination firewall interface, a size of the network content, a date, a time of day and authentication information.
  - 25. The computer-implemented method of claim 13, wherein at least one scanning criterion is selected from a plurality of scanning criteria based on a data packet information.
  - 26. The computer-implemented method of claim 13, wherein the scanning comprises identifying phrases in the buffered portion of network content.
  - 27. The computer-implemented method of claim 13, wherein the scanning comprises identifying regular expressions in the buffered portion of the network content.
  - 28. The computer-implemented method of claim 13, wherein the scanning comprises identifying patterns in the buffered portion of the network content.
  - 29. The computer-implemented method of claim 13, wherein scanning comprises determining whether the buffered portion of the network content comprises a link to external content, and, if so, verifying the external content.
  - 30. The computer-implemented method of claim 29, wherein verifying comprises checking the link against a white list of links or a black list of links.
  - 31. The computer-implemented method of claim 29, wherein verifying comprises authorizing the external content based on a request sent to an external server.
  - 32. The computer-implemented method of claim 13, wherein scanning comprises determining whether the buffered portion of the network content comprises an attachment, and, if so, buffering and scanning the attachment.
  - 33. The computer-implemented method of claim 1, wherein processing comprises performing statistical analysis on the buffered portion of the network content.
  - 34. The computer-implemented method of claim 1, wherein the processing comprises network usage monitoring in relation to usage by authorized users.
  - 35. The computer-implemented method of claim 1, wherein the processing is initiated prior to the completion of the buffering.

36. A multi-purpose network protection firewall device comprising:
- a first interface operable to receive a plurality of packets formatted in accordance with a plurality of transmission protocols;
  
  a plurality of proxy module coupled in communication with the first interface;
  
  a networking subsystem, coupled in communication with the proxy module, operable to;
  
  identify a transmission protocol of the plurality of transmission protocols according to which network content distributed among a subset of packets of the plurality of packets is formatted as an instant messaging (IM) protocol, redirect the subset of packets to the proxy module;
  
  identify a second transmission protocol according to which network content distributed among a second subset of packets of the plurality of packets is formatted; and
  
  use information regarding the identified second transmission protocol to redirect the second subset of packets to a second proxy module integrated within the multi-purpose network protection firewall device;
  
  wherein the second transmission protocol is distinct from the transmission protocol;
  
  wherein the proxy is operable to scan the buffered portion of the network content in accordance with at least one scanning criterion;
  
  wherein the proxy module is configured to extract the network content from the subset of packets, buffer at least a portion of the network content, and process the buffered portion of the network content in accordance with the at least one content processing rule selected from a plurality of content processing rules based on the identified transmission protocol; and
  
  wherein the plurality of content processing rules includes one or more content filtering rules.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74)
- - 37. The multi-purpose network protection firewall device of claim 36, wherein the proxy module further comprises:
    - a proxy buffering engine operable to buffer the portion of the network content;
      
      at least one scanning engine operable to process the buffered portion of the network content in accordance with the at least one content processing rule; and
      
      a proxy forwarding engine operable to forward the processed portion of the network content to a second interface.
  - 38. The multi-purpose network protection firewall device of claim 36, further comprising a rule server operable to provide the at least one content processing rule to the proxy module via a network.
  - 39. The multi-purpose network protection firewall device of claim 36, further comprising a log server operable to log the buffered portion of the network content.
  - 40. The multi-purpose network protection firewall device of claim 36, wherein an additional content processing rule is selected from the plurality of content processing rules based on traffic selectors associated with the network content.
  - 41. The multi-purpose network protection firewall device of claim 36, further comprising a second interface operable to forward the processed portion of the network content to a destination.
  - 42. The multi-purpose network protection firewall device of claim 41, wherein at least one of the first and second interfaces are networking interfaces selected from a group consisting of a Virtual Local Area Network (VLAN) interface, a Point-to-Point Protocol over Ethernet (PPPoE) interface and an Internet Protocol Security (IPsec) tunnel interface.
  - 43. The multi-purpose network protection firewall device of claim 36, wherein the networking subsystem is further operable to:
    - identify a second transmission protocol according to which network content distributed among a second subset of packets of the plurality of packets is formatted;
      
      use information regarding the identified second transmission protocol to redirect the second subset of packets to a second proxy module integrated within the multi-purpose network protection firewall device; and
      
      wherein the second transmission protocol is the (IM) protocol, another instant messaging protocol type, a peer-to-peer protocol type, an e-mail protocol type, a web browsing protocol type, or a file sharing protocol type.
  - 44. The multi-purpose network protection firewall device of claim 36, wherein the networking subsystem is further operable to:
    - identify a second transmission protocol according to which network content distributed among a second subset of packets of the plurality of packets is formatted;
      
      use information regarding the identified second transmission protocol to redirect the second subset of packets to a second proxy module integrated within the multi-purpose network protection firewall device; and
      
      wherein the second transmission protocol is Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP), Internet Message Access Protocol (IMAP), Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP) or telnet protocol.
  - 45. The multi-purpose network protection firewall device of claim 36, wherein the proxy module is operable to filter the buffered portion of the network content.
  - 46. The multi-purpose network protection firewall device of claim 43, wherein the proxy module comprises at least one scanning engine operable to scan the network content distributed among the second subset of packets for malware.
  - 47. The multi-purpose network protection firewall device of claim 43, wherein the proxy module comprises at least one scanning engine operable to scan network content distributed among the second subset of packets for unsolicited advertising in accordance with at least one scanning criterion.
  - 48. The multi-purpose network protection firewall device of claim 43, wherein the proxy module comprises at least one scanning engine operable to scan network content distributed among the second subset of packets for phishing attempts in accordance with at least one scanning criterion.
  - 49. The multi-purpose network protection firewall device of claim 43, wherein the proxy module comprises at least one scanning engine operable to scan network content distributed among the second subset of packets for patterns relating to terrorism or criminal activities in accordance with at least one scanning criterion.
  - 50. The multi-purpose network protection firewall device of claim 43, wherein the proxy module comprises at least one scanning engine operable to detect at least one nonsensical message within network content distributed among the second subset of packets based on a result of a heuristic test for probable stenographic content.
  - 51. The multi-purpose network protection firewall device of claim 36 wherein the proxy module comprises at least one scanning engine operable to scan the buffered portion of network content for at least one word.
  - 52. The multi-purpose network protection firewall device of claim 36, wherein the proxy module further comprises at least one scanning engine operable to scan the buffered portion of the network content in accordance with at least one scanning criterion.
  - 53. The multi-purpose network protection firewall device of claim 52, wherein the proxy module is operable to block content that has been identified during the scanning operation.
  - 54. The multi-purpose network protection firewall device of claim 52, wherein the proxy module is operable to insert an administrative message into content that has been identified during the scanning operation.
  - 55. The multi-purpose network protection firewall device of claim 52, wherein the proxy module is operable to log content that has been identified during the scanning operation.
  - 56. The multi-purpose network protection firewall device of claim 52, wherein the proxy module is operable to alter content that has been identified during the scanning operation.
  - 57. The multi-purpose network protection firewall device of claim 56, wherein the proxy module is operable to mask content that has been identified during the scanning operation.
  - 58. The multi-purpose network protection firewall device of claim 52, wherein the proxy module is operable to drop a network connection associated with content that has been identified during the scanning operation.
  - 59. The multi-purpose network protection firewall device of claim 52, wherein the proxy module is operable to delay content that has been identified during the scanning operation.
  - 60. The multi-purpose network protection firewall device of claim 52, wherein the proxy module is operable to archive content that has been identified during the scanning operation.
  - 61. The multi-purpose network protection firewall device of claim 52, wherein the proxy module is operable to generate at least one alert based on content that has been identified during the scanning operation.
  - 62. The multi-purpose network protection firewall device of claim 52, wherein the proxy module is operable to perform an authentication operation based on content that has been identified during the scanning operation.
  - 63. The multi-purpose network protection firewall device of claim 52, wherein the at least one scanning criterion is selected from a plurality of scanning criteria based on connection information associated with the network content and wherein the connection information comprises at least one of a group consisting of the identified transmission protocol, a source Internet Protocol (IP) address, a destination IP address, an source port number, a destination port number, a source firewall interface, a destination firewall interface, a size of the network content, a date, a time of day and authentication information.
  - 64. The multi-purpose network protection firewall device of claim 52, wherein the at least one scanning criterion is selected from a plurality of scanning criteria based on a data packet information.
  - 65. The multi-purpose network protection firewall device of claim 52, wherein the proxy module is operable to identify phrases in the buffered portion of the network content.
  - 66. The multi-purpose network protection firewall device of claim 52, wherein the proxy module is operable to identify regular expressions in the buffered portion of the network content.
  - 67. The multi-purpose network protection firewall device of claim 52, wherein the proxy module is operable to identify patterns in the buffered portion of the network content.
  - 68. The multi-purpose network protection firewall device of claim 52, wherein the proxy module is operable to determine whether the buffered portion of the network content comprises a link to external content, and, if so, verify the external content.
  - 69. The multi-purpose network protection firewall device of claim 68, wherein the proxy module is operable to check the link against a white list of links or a black list of links.
  - 70. The multi-purpose network protection firewall device of claim 68, wherein the proxy module is operable to send a request to an external server and to authorize the external content based on the request.
  - 71. The multi-purpose network protection firewall device of claim 52, wherein the proxy module is operable to determine whether the buffered portion of the network content comprises an attachment, and, if so, buffer and scan the attachment.
  - 72. The multi-purpose network protection firewall device of claim 36, wherein the proxy module is configured to perform statistical analysis on the buffered portion of the network content.
  - 73. The multi-purpose network protection firewall device of claim 36, wherein the proxy module is configured to perform network usage monitoring in relation to usage by authorized users.
  - 74. The multi-purpose network protection firewall device of claim 36, wherein the proxy module is operable to initiate the processing prior to the completion of the buffering.

75. A non-transitory computer-readable storage medium tangibly embodying one or more sequences of instructions, which when executed by one or more processors of a multi-purpose network protection firewall device, causes the one or more processors to perform a method comprising:
- receiving a plurality of packets formatted in accordance with a plurality of transmission protocols at a first interface of the multi-purpose network protection firewall device;
  
  identifying a transmission protocol according to which network content distributed among a subset of packets of the plurality of packets is formatted as an instant messaging (IM) protocol;
  
  using information regarding the identified transmission protocol to redirect the subset of packets to a proxy module integrated within the multi-purpose protection firewall device;
  
  extracting the network content from the subset of packets and buffering at least a portion of the network content by the proxy module; and
  
  processing, by the proxy module, the buffered portion of the network content in accordance with the at least one content processing rule selected from a plurality of content processing rules based on the identified transmission protocol;
  
  identifying a second transmission protocol according to which network content distributed among a second subset of packets of the plurality of packets is formatted;
  
  using information regarding the identified second transmission protocol to redirect the second subset of packets to a second proxy module integrated within the multi-purpose protection firewall device;
  
  wherein the second transmission protocol is distinct from the transmission protocol;
  
  wherein the processing comprises filtering the buffered portion of the network content; and
  
  wherein the plurality of content processing rules includes one or more content filtering rules.

76. A multi-purpose network protection firewall device comprising:
- a first interface operable to receive a plurality of packets formatted in accordance with a plurality of transmission protocols;
  
  a proxy means coupled in communication with the first interface for extracting the network content from the subset of packets, buffering at least a portion of the network content, and processing the buffered portion of the network content in accordance with the at least one content processing rule selected from a plurality of content processing rules based on the identified transmission protocol;
  
  a networking subsystem, coupled in communication with the proxy module, operable to;
  
  identify a transmission protocol of the plurality of transmission protocols according to which network content distributed among a subset of packets of the plurality of packets is formatted as an instant messaging (IM) protocol, redirect the subset of packets to the proxy module;
  
  identify a second transmission protocol according to which network content distributed among a second subset of packets of the plurality of packets is formatted; and
  
  use information regarding the identified second transmission protocol to redirect the second subset of packets to a second proxy module integrated within the multi-purpose network protection firewall device;
  
  wherein the second transmission protocol is distinct from the transmission protocol;
  
  wherein the proxy is operable to scan the buffered portion of the network content in accordance with at least one scanning criterion; and
  
  wherein the plurality of content processing rules includes one or more content filtering rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Krywaniuk, Andrew
Primary Examiner(s)
Mehedi, Morshed

Application Number

US11/331,030
Publication Number

US 20070169184A1
Time in Patent Office

2,713 Days
Field of Search

726/11, 726/22
US Class Current

726/11
CPC Class Codes

H04L 51/00   User-to-user messaging in p...

H04L 63/02   for separating internal fro...

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Computerized system and method for advanced network content processing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

32 Citations

76 Claims

Specification

Use Cases

Quick Links

Others

Computerized system and method for advanced network content processing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

76 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others