System and method for optimizing name-resolution overhead in a caching network intermediary device

US 8,671,157 B2
Filed: 08/25/2011
Issued: 03/11/2014
Est. Priority Date: 08/25/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for a network intermediary device communicatively coupled to a client and a server, the method comprising:

receiving by the network intermediary device a request for an object, the object request associated with a network protocol;

querying an object storage to determine whether the object, as identified by an object name determined from the object request, is stored in the object storage;

responsive to the object being stored in the object storage, examining one or more trust properties of the object to determine whether the object was obtained from a supplier trusted by the network intermediary device; and

responsive to the object being obtained from a supplier not trusted by the network intermediary device, comparing an identity of the supplier with an implied client-resolved supplier address to determine whether the supplier identity matches the implied client-resolved supplier address.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention describes a system, method, and article of manufacture for resolving names received in network protocol requests by a network intermediary device coupled between a client network and a server network. A deferred trust model caching engine in the network intermediary device includes a transactor module configured to efficiently process a protocol request with a sequence of determinant criteria, although the sequence can occur in different orders. The deferred trust model caching engine includes a cacheability evaluator component configured to determine whether the protocol request is for a resource that the protocol permits to be cached by the network intermediate device, and a supplier trust evaluator component configured to compare information about the client'"'"'s network protocol request and a cached object representation to determine if the object is trustworthy or not. The cached object representation associates an object with a supplier identity and a supplier trust property.

4 Citations

29 Claims

1. A computer-implemented method for a network intermediary device communicatively coupled to a client and a server, the method comprising:
- receiving by the network intermediary device a request for an object, the object request associated with a network protocol;
  
  querying an object storage to determine whether the object, as identified by an object name determined from the object request, is stored in the object storage;
  
  responsive to the object being stored in the object storage, examining one or more trust properties of the object to determine whether the object was obtained from a supplier trusted by the network intermediary device; and
  
  responsive to the object being obtained from a supplier not trusted by the network intermediary device, comparing an identity of the supplier with an implied client-resolved supplier address to determine whether the supplier identity matches the implied client-resolved supplier address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 2. The computer-implemented method as recited in claim 1, further comprising, determining, prior to the querying step, whether the object is cacheable, the object being cacheable if the associated network protocol permits the object to be cached by the network intermediary device.
  - 3. The computer-implemented method as recited in claim 1, further comprising, if the supplier identity of the object does not match the implied client-resolved supplier address, determining, after the comparing step, an authoritative list of supplier identities.
  - 4. The computer-implemented method as recited in claim 1, wherein the receiving step comprises intercepting the object request by the network intermediary device.
  - 5. The computer-implemented method as recited in claim 1, wherein the receiving step comprises auditing the object request while the object request flows through the network intermediary device en route to the server.
  - 6. The computer-implemented method as recited in claim 1, wherein the network intermediary device acts as a remote agent disposed between the client and the server.
  - 7. The computer-implemented method as recited in claim 2, wherein the object is determined to be cacheable if the associated network protocol is a standardized protocol.
  - 8. The computer-implemented method as recited in claim 2, wherein the object is determined to be non-cacheable if the associated network protocol has an observed property that is not permitted by a network protocol module in the network intermediate device.
  - 9. The computer-implemented method as recited in claim 2, wherein determining whether the object is cacheable comprises using a cacheability heuristic or statistical means.
  - 10. The computer-implemented method as recited in claim 2, wherein determining whether the object is cacheable comprises a combination of determining whether the associated network protocol is a standardized protocol, determining whether the associated network protocol has an observed property that is not permitted by a network protocol module in the network intermediate device, and using a cacheability heuristic or statistical means.
  - 11. The computer-implemented method as recited in claim 2, further comprising, if the object is determined to be non-cacheable, employing the implied client-resolved supplier address on the object request.
  - 12. The computer-implemented method as recited in claim 1, further comprising, if the object is stored in the object storage, certifying the object is usable for a direct communication between the client and the server.
  - 13. The computer-implemented method as recited in claim 1, further comprising, if the object is stored in the object storage, certifying the object partially satisfies a policy logic as set forth in a network protocol module in the network intermediary device.
  - 14. The computer-implemented method as recited in claim 1, further comprising, if the object is stored in the object storage, retrieving the one or more trust properties and the supplier identity associated with the object from the object storage.
  - 15. The computer-implemented method as recited in claim 1, further comprising, if the object is not stored in the object storage, employing the implied client-resolved supplier address to obtain the object from the untrusted supplier.
  - 16. The computer-implemented method as recited in claim 15, further comprising marking the object stored in the object storage with the supplier identifier and the one or more trust properties.
  - 17. The computer-implemented method as recited in claim 1, further comprising, if the supplier identity of the object matches the implied client-resolved supplier address, retrieving, after the comparing step, the object from the object storage to fulfill the object request.
  - 18. The computer-implemented method as recited in claim 3, further comprising, if the supplier identity of the object does not match any supplier identities from the authoritative list of supplier identities, discarding the object from the object storage.
  - 19. The computer-implemented method as recited in claim 3, further comprising, if the supplier identity of the object matches any supplier identities from the authoritative list of supplier identities, escalating the object to a trusted status.
  - 20. The computer-implemented method as recited in claim 19, further comprising, if the supplier identity of the object matches any supplier identities from the authoritative list of supplier identities, marking the object as associated with a trusted supplier.
  - 21. The computer-implemented method as recited in claim 1, wherein the object is embodied in an electronic message.
  - 22. The computer-implemented method as recited in claim 1, wherein the object comprises a HyperText Transfer Protocol (HTTP) message.
  - 23. The computer-implemented method as recited in claim 1, wherein the object comprises a HyperText Transfer Protocol (HTTP) response message, and wherein the object name comprises a Uniform Resource Identifier (URI).
  - 24. The computer-implemented method as recited in claim 1, wherein the object comprises a HyperText Transfer Protocol (HTTP) response message, and wherein the object name comprises a Uniform Resource Identifier (URI) and additional representation information.
  - 25. The computer-implemented method as recited in claim 1, wherein the object comprises a portion of a HyperText Transfer Protocol (HTTP) response message, and wherein the object name comprises a Uniform Resource Identifier (URI).
  - 26. The computer-implemented method as recited in claim 1, wherein the object comprises a portion of a HyperText Transfer Protocol (HTTP) response message, and wherein the object name comprises a Uniform Resource Identifier (URI) and additional representation information.
  - 27. The computer-implemented method as recited in claim 1, wherein the network intermediary device comprises a HyperText Transfer Protocol (HTTP) caching proxy device.

28. A network intermediary device disposed between a client network and a server network, the network intermediary device comprising:
- a processor;
  
  a storage device communicatively coupled to the processor; and
  
  a set of instructions on the storage device that, when executed by the processor, cause the processor to;
  
  receive a request for an object, the object request associated with a network protocol;
  
  query an object storage to determine whether the object, as identified by an object name determined from the object request, is stored in the object storage;
  
  responsive to the object being stored in the object storage, examine one or more trust properties of the object to determine whether the object was obtained from a supplier trusted by the network intermediary device; and
  
  responsive to the object being obtained from a supplier not trusted by the network intermediary device, compare an identity of the supplier with an implied client-resolved supplier address to determine whether the supplier identity matches the implied client-resolved supplier address.

29. A computer program product comprising a non-transitory computer readable storage medium structured to store instructions, that when executed by a processor, cause the processor to:
- receive a request for an object, the object request associated with a network protocol;
  
  query an object storage to determine whether the object, as identified by an object name determined from the object request, is stored in the object storage;
  
  responsive to the object being stored in the object storage, examine one or more trust properties of the object to determine whether the object was obtained from a supplier trusted by a network intermediary device; and
  
  responsive to the object being obtained from a supplier not trusted by the network intermediary device, compare an identity of the supplier with an implied client-resolved supplier address to determine whether the supplier identity matches the implied client-resolved supplier address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Blue Coat Systems Incorporated (Gen Digital Inc.)
Inventors
Maki, Eric
Primary Examiner(s)
Patel, Chirag R

Application Number

US13/218,348
Publication Number

US 20130054671A1
Time in Patent Office

929 Days
Field of Search

709225-226, 709217-219, 726/30, 726/26
US Class Current

709/217
CPC Class Codes

H04L 2463/145   Detection or countermeasure...

H04L 61/4511   using domain name system [DNS]

H04L 63/126   the source of the received ...

H04L 63/1466   Active attacks involving in...

System and method for optimizing name-resolution overhead in a caching network intermediary device

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

4 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for optimizing name-resolution overhead in a caching network intermediary device

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

4 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links