System, method and computer program product for monitoring and controlling network connections from a supervisory operating system

US 8,805,994 B2
Filed: 06/22/2007
Issued: 08/12/2014
Est. Priority Date: 08/23/2002
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring and controlling a networked environment, the method comprising:

receiving, by a network device via a network, a first packet;

receiving, by a network device via a network, a second packet; and

invoking an event handler in response to receiving each of the first packet and the second packet, wherein the event handler is a task of a supervisory operating system, and the event handler is interposed between a network device driver executing on the supervisory operating system and a network client application operating under a secondary operating system, and wherein the event handler performs operations comprising;

examining at least one field of the first packet;

determining, based at least in part on content of the at least one field of the first packet, that the first packet is acceptable;

in response to determining that the first packet is acceptable, passing the first packet to the network client application of the secondary operating system;

examining at least one field of the second packet;

determining, based at least in part on content of the at least one field of the second packet, that the second packet is not acceptable; and

in response to determining that the second packet is not acceptable, not passing the second packet to the network client application of the secondary operating system;

wherein each of the determining that the first packet is acceptable and the determining that the second packet is not acceptable comprises one or more of;

determining whether the first packet or the second packet is destined for a port that has been identified as being a critical port;

determining whether the first packet or the second packet contains a predetermined message;

determining whether the first packet or the second packet was transmitted from a processing system that is a member of a predefined group of processing systems; and

determining whether the first packet or the second packet comprises a perceived security threat,wherein the supervisory operating system and the secondary operating system execute concurrently on a machine.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer program product that is designed to support high-availability, rapid fault recovery, out of band condition signaling and/or other quality of service assurances and security in a networked environment. In one aspect, a method of the invention includes the step of providing a processing system with a dual-kernel or multi-kernel software operating system. The operating system includes a supervisory operating system and a secondary operating system that provides network functions to user applications. The method also includes the step of providing a Network Control Software (NCS) in the supervisory operating system. The NCS is configured to transparently monitor and control network operations in the secondary operating system.

57 Citations

34 Claims

1. A method for monitoring and controlling a networked environment, the method comprising:
- receiving, by a network device via a network, a first packet;
  
  receiving, by a network device via a network, a second packet; and
  
  invoking an event handler in response to receiving each of the first packet and the second packet, wherein the event handler is a task of a supervisory operating system, and the event handler is interposed between a network device driver executing on the supervisory operating system and a network client application operating under a secondary operating system, and wherein the event handler performs operations comprising;
  
  examining at least one field of the first packet;
  
  determining, based at least in part on content of the at least one field of the first packet, that the first packet is acceptable;
  
  in response to determining that the first packet is acceptable, passing the first packet to the network client application of the secondary operating system;
  
  examining at least one field of the second packet;
  
  determining, based at least in part on content of the at least one field of the second packet, that the second packet is not acceptable; and
  
  in response to determining that the second packet is not acceptable, not passing the second packet to the network client application of the secondary operating system;
  
  wherein each of the determining that the first packet is acceptable and the determining that the second packet is not acceptable comprises one or more of;
  
  determining whether the first packet or the second packet is destined for a port that has been identified as being a critical port;
  
  determining whether the first packet or the second packet contains a predetermined message;
  
  determining whether the first packet or the second packet was transmitted from a processing system that is a member of a predefined group of processing systems; and
  
  determining whether the first packet or the second packet comprises a perceived security threat,wherein the supervisory operating system and the secondary operating system execute concurrently on a machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 28, 31)
- - 2. The method of claim 1, wherein the determining that the second packet is not acceptable comprises determining that the second packet contains a predetermined message, and wherein the method further comprises sending a second predetermined message to an application that originated the second packet.
  - 3. The method of claim 1, wherein determining that the second packet is not acceptable comprises determining that the second packet is used to initiate a connection, and the method further comprises:
    - in response to determining that the second packet is a packet that is used to initiate a connection, determining that a warning flag is set; and
      
      discarding the second packet, wherein the warning flag indicates that (a) the machine may be experiencing a denial of service attack and/or (b) a number of packets waiting in a queue is equal to or greater than a threshold value.
  - 4. The method of claim 1, wherein determining that the second packet is not acceptable comprises determining that the second packet is used to initiate a connection, and wherein the method further comprises:
    - in response to determining that the second packet is a packet that is used to initiate a connection, determining that no relevant warning flag is set; and
      
      in response to determining that (a) the packet is a packet that is used to initiate a connection and (b) no relevant warning flag is set, setting the warning flag if a value of a counter is greater than or equal to a predetermined value.
  - 5. The method of claim 1, further comprising determining whether the first packet or the second packet is an ACK packet and, in response to a determination that the first packet or the second packet is an ACK packet, decrementing a counter.
  - 6. The method of claim 1, wherein determining that the second packet is not acceptable comprises:
    - determining that the second packet is not destined for a port that has been identified as being a critical port; and
      
      determining that a congestion warning flag is set;
      
      orwherein determining that the first packet is acceptable comprises;
      
      determining that the first packet is destined for the port that has been identified as being a critical port;
      
      ordetermining that the congestion warning flag is not set.
  - 7. The method of claim 2, wherein determining that the second packet is not acceptable comprises determining that the second packet was transmitted to the machine from a processing system that is a member of a predefined group of processing systems.
  - 8. The method of claim 1, wherein the second packet is discarded.
  - 28. The method of claim 1, wherein the determination that the second packet is unacceptable is further based on a perceived threat.
  - 31. The method of claim 1, wherein the first packet is passed to the secondary operating system via a virtual network driver between the supervisory operating system and the secondary operating system.

9. A network control system for monitoring and controlling a networked environment, the system comprising:
- a network device configured to communicate with a network via a communications medium and configured to receive a first and a second packet, the first packet and the second packet transmitted using the communications medium;
  
  a supervisory operating system;
  
  a secondary operating system, wherein the supervisory operating system and the secondary operating system execute concurrently on a machine;
  
  a network device driver configured to execute on the supervisory operating system;
  
  a network client application configured to run as a task of the secondary operating system; and
  
  a network control software application, interposed between the network device driver and the network client application, and configured to run as a task of the supervisory operating system and configured to;
  
  examine at least one field of the first packet received by the network device;
  
  determine, based at least in part on content of the at least one field of the first packet, that the first packet is acceptable;
  
  in response to determining that the first packet is acceptable, pass the first packet to the network client application of the secondary operating system;
  
  examine at least one field of the second packet received by the network device;
  
  determine, based at least in part on content of the at least one field of the second packet that the second packet is not acceptable; and
  
  in response to determining that the second packet is not acceptable, not pass the second packet to the network client application of the secondary operating system wherein each of the determining that the first packet is acceptable and the determining that the second packet is not acceptable comprises one or more of;
  
  determining whether the first packet or the second packet is destined for a port that has been identified as being a critical port;
  
  determining whether the first packet or the second packet contains a predetermined message;
  
  determining whether the first packet or the second packet was transmitted from a processing system that is a member of a predefined group of processing systems; and
  
  determining whether the first packet or the second packet comprises a perceived security threat.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 29, 32)
- - 10. The system of claim 9, wherein the network control system is configured to determine whether the first packet or the second packet contains a predetermined message.
  - 11. The system of claim 10, wherein the network control system is configured to send a second predetermined message to an application that originated the second packet and discard the second packet in response to determining that the second packet contains the predetermined message.
  - 12. The system of claim 9, wherein the network control system is configured to:
    - determine that the second packet is used to initiate a connection;
      
      in response to determining that the second packet is used to initiate a connection, determine that a warning flag is set; and
      
      discard the second packet, wherein the warning flag indicates that (a) the machine may be experiencing a denial of service attack and/or (b) a number of packets waiting in a queue is equal to or greater than a threshold value.
  - 13. The system of claim 9, wherein the network control system is further configured to set a warning flag if a value of a counter is greater than or equal to a predetermined value and if either the first packet or the second packet is determined to initiate a connection.
  - 14. The system of claim 13, wherein the network control system is configured to determine whether the first packet or the second packet is an ACK packet and decrement the counter in response to determining that the first packet or the second packet is an ACK packet.
  - 15. The system of claim 9, wherein the network control system is configured to determine that the second packet is not acceptable by:
    - determining that the second packet is not destined for a port that has been identified as being a critical port; and
      
      determining that a congestion warning flag is set;
      
      orwherein the network control system is configured to determine that the first packet is acceptable by;
      
      determining that the first packet is destined for a port that has been identified as being a critical port;
      
      ordetermining that the congestion warning flag is not set.
  - 16. The system of claim 9, wherein the network control system is configured to:
    - determine that the second packet is not acceptable based in part on the second packet being transmitted to the network control system from a processing system that is a member of a predefined group of processing systems.
  - 17. The system of claim 9, wherein the network client application is a virtual network driver.
  - 18. The system of claim 9, wherein the second packet is discarded.
  - 29. The system of claim 9, wherein the determination that the second packet is unacceptable is further based on a perceived threat.
  - 32. The system of claim 9, wherein the first packet is passed to the secondary operating system via a virtual network driver between the supervisory operating system and the secondary operating system.

19. A computer-readable device, storing instructions that, when executed by a computing system, cause the computing system to perform operations comprising:
- receiving a first packet and a second packet that each were received by a network device via a network; and
  
  invoking an event handler in response to receiving each of the first packet and the second packet, wherein the event handler is a task of a supervisory operating system, the event handler is interposed between a network device driver executing on the supervisory operating system and a network client application operating under a secondary operating system, and wherein the event handler performs operations comprising;
  
  examining at least one field of the first packet;
  
  determining, based at least in part on content of the at least one field of the first packet, that the first packet is acceptable;
  
  in response to determining that the first packet is acceptable, passing the first packet to the network client application of the secondary operating system;
  
  examining at least one field of the second packet;
  
  determining, based at least in part on content of the at least one field of the second packet, that the second packet is not acceptable; and
  
  in response to determining that the second packet is not acceptable, not passing the second packet to the network client application of the secondary operating system;
  
  wherein each of the determining that the first packet is acceptable and the determining that the second packet is not acceptable comprises one or more of;
  
  determining whether the first packet or the second packet is destined for a port that has been identified as being a critical port;
  
  determining whether the first packet or the second packet contains a predetermined message;
  
  determining whether the first packet or the second packet was transmitted from a processing system that is a member of a predefined group of processing systems; and
  
  determining whether the first packet or the second packet comprises a perceived security threat,wherein the supervisory operating system and the secondary operating system execute concurrently on a machine.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 30, 33, 34)
- - 20. The computer-readable device of claim 19, wherein the event handler is configured to determine whether the first packet or the second packet contains a predetermined message.
  - 21. The computer-readable device of claim 20, wherein the event handler is configured to, in response to determining that the second packet contains the predetermined message, send a second predetermined message to an application that originated the second packet and discard the second packet.
  - 22. The computer-readable device of claim 19, wherein the event handler is configured to:
    - determine that the second packet is a packet that is used to initiate a connection;
      
      determine that a warning flag is set in response to determining that the second packet is a packet that is used to initiate a connection; and
      
      discard the second packet, wherein the warning flag indicates that (a) the machine may be experiencing a denial of service attack and/or (b) a number of packets waiting in a queue is equal to or greater than a threshold value.
  - 23. The computer-readable device of claim 19, wherein the event handler is further configured to set a warning flag if a value of a counter is greater than or equal to a predetermined value and if either the first packet or second packet is determined to be a packet that is used to initiate a connection.
  - 24. The computer-readable device of claim 23, wherein the event handler is configured to determine whether the first packet or the second packet is an ACK packet and decrement the counter in response to determining that either the first packet or second packet is an ACK packet.
  - 25. The computer-readable device of claim 19, wherein the event handler is configured to determine that the second packet is not acceptable by:
    - determining that the second packet is not destined for a port that has been identified as being a critical port; and
      
      determining that a congestion warning flag is set if the packet is not destined for a port that been identified as being a critical port;
      
      orwherein the event handler is configured to determine that the first packet is acceptable by;
      
      determining that the first packet is destined for a port that has been identified as being a critical port;
      
      ordetermining that the congestion warning flag is not set.
  - 26. The computer-readable device of claim 19, wherein the event handler is configured to:
    - determine that the second packet is unacceptable in part by determining that the second packet was transmitted to the machine from a processing system that is a member of a predefined group of processing systems.
  - 27. The computer-readable device of claim 19, wherein the network client application is a virtual network driver.
  - 30. The computer-readable device of claim 19, wherein the determination that the second packet is unacceptable is further based on a perceived threat.
  - 33. The computer-readable device of claim 19, wherein the first packet is passed to the secondary operating system via a virtual network driver between the supervisory operating system and the secondary operating system.
  - 34. The computer-readable device of claim 19, wherein the second packet is discarded.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellectual Ventures II LLC (Intellectual Ventures LLC)
Original Assignee
Intellectual Ventures Funding LLC (Intellectual Ventures LLC)
Inventors
Yodaiken, Victor J.
Primary Examiner(s)
Nawaz, Asad
Assistant Examiner(s)
HARLEY, JASON A

Application Number

US11/812,875
Publication Number

US 20080256236A1
Time in Patent Office

2,608 Days
Field of Search

714/2
US Class Current

709/224
CPC Class Codes

G06F 9/45537   Provision of facilities of ...

H04L 41/0663   Performing the actions pred...

H04L 41/5019   Ensuring fulfilment of SLA

H04L 43/00   Arrangements for monitoring...

H04L 43/10   Active monitoring, e.g. hea...

H04L 43/16   Threshold monitoring

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

H04L 69/12   Protocol engines

H04L 69/16   Implementation or adaptatio...

System, method and computer program product for monitoring and controlling network connections from a supervisory operating system

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

57 Citations

34 Claims

Specification

Use Cases

Quick Links

Others

System, method and computer program product for monitoring and controlling network connections from a supervisory operating system

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

34 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others