Antivirus intelligent flow framework

US 8,533,834 B1
Filed: 04/22/2011
Issued: 09/10/2013
Est. Priority Date: 04/22/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a network device, a packet from a device in a network;

identifying, by the network device, a plurality of data transactions associated with the packet;

assessing, by the network device, a risk level associated with a particular data transaction of the plurality of data transactions;

performing, by the network device, a content type check for the particular data transaction;

performing, by the network device, an infected content check for the particular data transaction;

classifying, by the network device, the particular data transaction for a fast path virus scanning process based on the risk level, the content type check, and the infected content check;

sending, by the network device and after classifying the particular data transaction for the fast path virus scanning process, a first portion of data, associated with the particular data transaction, to a destination device before scanning the data for a virus;

detecting, by the network device and after classifying the particular data transaction for the fast path virus scanning process, the virus in a second portion of the data; and

terminating, by the network device and based on the particular data transaction being classified for the fast path virus scanning process, a connection for the particular data transaction after sending the first portion of the data and after detecting the virus in the second portion of the data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device receives a data transaction associated with packet, determines a risk level associated with the data transaction, and performs a content type check for the data transaction. The device also performs an infected content check for the data transaction, and classifies, based on the determined risk and the performed checks, the data transaction for one of a slow path virus scanning process or a fast path virus scanning process. The device further performs, based on the classification, one of the slow path virus scanning process or the fast path virus scanning process on the data transaction.

23 Citations

View as Search Results

21 Claims

1. A method comprising:
- receiving, by a network device, a packet from a device in a network;
  
  identifying, by the network device, a plurality of data transactions associated with the packet;
  
  assessing, by the network device, a risk level associated with a particular data transaction of the plurality of data transactions;
  
  performing, by the network device, a content type check for the particular data transaction;
  
  performing, by the network device, an infected content check for the particular data transaction;
  
  classifying, by the network device, the particular data transaction for a fast path virus scanning process based on the risk level, the content type check, and the infected content check;
  
  sending, by the network device and after classifying the particular data transaction for the fast path virus scanning process, a first portion of data, associated with the particular data transaction, to a destination device before scanning the data for a virus;
  
  detecting, by the network device and after classifying the particular data transaction for the fast path virus scanning process, the virus in a second portion of the data; and
  
  terminating, by the network device and based on the particular data transaction being classified for the fast path virus scanning process, a connection for the particular data transaction after sending the first portion of the data and after detecting the virus in the second portion of the data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 20)
- - 2. The method of claim 1, further comprising:
    - classifying another data transaction, of the plurality of data transactions, for a slow path virus scanning process;
      
      storing, after classifying the other data transaction for the slow path virus scanning process, all data associated with the other data transaction in a buffer of the network device;
      
      performing a scanning of the all data associated with the other data transaction;
      
      sending a content replacement message for the other data transaction when the virus or a different virus is detected during the scanning; and
      
      sending, to a destination device, the all data associated with the particular data transaction when no viruses are detected during the scanning.
  - 3. The method of claim 1, where detecting the virus in the second portion comprises:
    - storing, in a buffer of the network device, the second portion of the data; and
      
      scanning the second portion of the data to detect the virus after storing the second portion of the data in the buffer.
  - 4. The method of claim 1, further comprising:
    - storing information associated with the virus in a virus data structure of the network device.
  - 5. The method of claim 1, where assessing the risk level associated with the particular data transaction comprises:
    - determining a low risk rating for the risk level based on protocol layer information associated with the particular data transaction.
  - 6. The method of claim 1, where performing the content type check for the particular data transaction comprises:
    - identifying a file type associated with the particular data transaction, anddetermining that the file type is associated with a low virus risk category.
  - 7. The method of claim 1, where performing the infected content check for the particular data transaction comprises:
    - determining that some data of the particular data transaction does not resemble infected content identified in a virus data structure that includes information regarding previously found infected content.
  - 20. The method of claim 1, where classifying the particular data transaction includes:
    - determining a risk that the particular data transaction contains the virus based on the risk level, the content type check, and the infected content check, andclassifying the particular data transaction for the fast path virus scanning process based on the risk being less than a particular threshold.

8. A network device comprising:
- a memory; and
  
  a processor to;
  
  identify a data transaction,determine a risk level associated with the data transaction,perform a content type check for the data transaction,perform an infected content check for the data transaction,classify the data transaction for a fast path virus scanning process based on the risk level, the content type check, and the infected content check,send, after classifying the data transaction for the fast path virus scanning process, a first portion of data associated with the data transaction to a destination device without scanning the first portion of the data for a virus,detect, after classifying the data transaction for the fast path virus scanning process, the virus in a second portion of the data, andclose a connection for the data transaction after sending the first portion of the data and based on detecting the virus in the second portion of the data.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 21)
- - 9. The network device of claim 8, where the processor is further to:
    - classify a different data transaction for a slow path virus scanning process,store, in the memory, all data associated with the different data transaction,perform a scan, for viruses, of the all data associated with the different data transaction,send a content replacement message for the different data transaction when the virus or a different virus is detected during the scan, andsend, to a destination device, the all data associated with the different data transaction when no viruses are detected during the scan.
  - 10. The network device of claim 8, where, when detecting the virus in the second portion of the data, the processor is further to:
    - store, in the memory, the second portion of the data associated with the data transaction, andscan, for viruses, the second portion of the data to detect the virus after storing the second portion of the data.
  - 11. The network device of claim 8, where the processor is further to:
    - store information associated with the virus in a virus data structure stored in the memory.
  - 12. The network device of claim 8, where, when determining the risk level associated with the data transaction, the processor is further to:
    - determine the risk level based on protocol layer information associated with the data transaction.
  - 13. The network device of claim 8, where, when performing the content type check for the data transaction, the processor is further to:
    - identify a file type associated with the data transaction, anddetermine whether the file type is associated with a low virus risk category.
  - 14. The network device of claim 8, where, when performing the infected content check for the data transaction, the processor is further to:
    - determine whether some data of the data transaction resembles infected content identified in the memory.
  - 21. The network device of claim 8, where, when classifying the data transaction, the processor is to:
    - determine a degree of confidence that the data transaction is safe based on the risk level, the content type check, and the infected content check, andclassify the data transaction for the fast path virus scanning process when the degree of confidence is greater than a particular confidence threshold.

15. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by one or more processors, cause the one or more processors to;
  
  receive a packet associated with a plurality of data transactions;
  
  assess a risk level associated with a particular data transaction of the plurality of data transactions;
  
  perform a content type check for the particular data transaction;
  
  perform an infected content check for the particular data transaction;
  
  classify the particular data transaction for a fast path virus scanning process based on the risk level, the content type check, and the infected content check indicating that a risk of the particular data transaction containing a virus is less than a particular threshold;
  
  send, after classifying the particular data transaction for the fast path virus scanning process, a first portion of data associated with the particular data transaction to a destination device without scanning the first portion of the data for the virus;
  
  detect, after classifying the particular data transaction for the fast path virus scanning process, the virus in a second portion of the data; and
  
  terminate, based on the particular data transaction being classified for the fast path virus scanning process, a connection for the particular data transaction after detecting the virus in the second portion of the data.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The non-transitory computer-readable medium of claim 15, where the instructions further comprise:
    - one or more instructions that, when executed by the one or more processors, cause the one or more processors to;
      
      classify a different data transaction, of the plurality of data transactions, for a slow path virus scanning process;
      
      store, in a buffer, all data associated with the different data transaction after classifying the different data transaction for the slow path virus scanning process;
      
      perform a scan of the all data associated with the different data transaction;
      
      send a content replacement message for the different data transaction when the virus or a different virus is detected during the scan; and
      
      send, to a destination device, the all data associated with the different data transaction when no viruses are detected during the scan.
  - 17. The non-transitory computer-readable medium of claim 15, where the one or more instructions to detect the virus in the second portion of the data comprise:
    - one or more instructions that, when executed by the one or more processors, cause the one or more processors to;
      
      store, in a buffer of the network device, the particular portion of data associated with the particular data transaction; and
      
      scan of the second portion of the data to detect the virus after storing the second portion of the data.
  - 18. The non-transitory computer-readable medium of claim 15, where the one or more instructions to perform the content type check for the particular data transaction comprise:
    - one or more instructions that, when executed by the one or more processors, cause the one or more processors to;
      
      identify a file type associated with the particular data transaction; and
      
      determine whether the file type is associated with a low virus risk category.
  - 19. The non-transitory computer-readable medium of claim 15, where the one or more instructions to perform the infected content check for the particular data transaction comprise:
    - one or more instructions that, when executed by the one or more processors, cause the one or more processors to;
      
      determine whether some data of the different transaction resembles infected content based on a data structure that stores information regarding the infected content that was previously identified.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Li, De Xiong, Cheng, Chunqing, Wong, Peter
Primary Examiner(s)
HERZOG, MADHURI R

Application Number

US13/092,388
Time in Patent Office

872 Days
Field of Search

726 22- 25, 713187-188, 709217-229
US Class Current

726/24
CPC Class Codes

H04L 63/14 for detecting or protecting...

Antivirus intelligent flow framework

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

23 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Antivirus intelligent flow framework

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links