Method, apparatus, signals, and medium for managing transfer of data in a data network

US 8,856,884 B2
Filed: 09/30/2011
Issued: 10/07/2014
Est. Priority Date: 09/06/2005
Status: Active Grant

First Claim

Patent Images

1. A method for managing a transfer of data between a first node and a second node in a data network, the method comprising:

identifying data associated with a first communication session between the first node and the second node;

identifying, through execution of instructions on a processor, a signature associated with said data associated with said first communication session;

further processing, through execution of instructions on the processor, said first communication session when a portion of said first communication session meets a criterion, the criterion including the identified signature associated with said first communication session, the further processing defined by a policy associated with the identified signature and including at least one action to be performed by the further processing, the at least one action including logging at least a portion of data packets associated with said first communication session, altering of data packets associated with said first communication session prior to transmitting the data packets to at least one of the first node and the second node, the altering of data packets including inserting a message or removing certain data as specified by the policy associated with the identified signature, terminating the first communication session at a third node, and dividing the first communication session between the first node and the third node and a second communication session between the third node and the second node, the third node to act as a proxy node; and

permitting said first communication session to continue when said portion of said first communication session does not meet said criterion or upon completion of the further processing.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for managing a transfer of data in a data network identifies data associated with a communication session between a first node and a second node in the data network. Further processing of the communication session occurs when a portion of the communication session meets a criterion and the communication session is permitted to continue when the portion of the communication session does not meet the criterion.

Citations

16 Claims

1. A method for managing a transfer of data between a first node and a second node in a data network, the method comprising:
- identifying data associated with a first communication session between the first node and the second node;
  
  identifying, through execution of instructions on a processor, a signature associated with said data associated with said first communication session;
  
  further processing, through execution of instructions on the processor, said first communication session when a portion of said first communication session meets a criterion, the criterion including the identified signature associated with said first communication session, the further processing defined by a policy associated with the identified signature and including at least one action to be performed by the further processing, the at least one action including logging at least a portion of data packets associated with said first communication session, altering of data packets associated with said first communication session prior to transmitting the data packets to at least one of the first node and the second node, the altering of data packets including inserting a message or removing certain data as specified by the policy associated with the identified signature, terminating the first communication session at a third node, and dividing the first communication session between the first node and the third node and a second communication session between the third node and the second node, the third node to act as a proxy node; and
  
  permitting said first communication session to continue when said portion of said first communication session does not meet said criterion or upon completion of the further processing.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein identifying said signature comprises identifying a pattern in said data associated with said first communication session.
  - 3. The method of claim 1, wherein identifying said signature comprises performing signature analysis on said data associated with said first communication session.
  - 4. The method of claim 1, wherein identifying said signature comprises determining whether said data associated with said first communication session complies with a data transfer protocol.
  - 5. The method of claim 1, wherein identifying said signature comprises determining whether said data associated with said first communication session is addressed to a particular destination.

6. An apparatus for managing a transfer of data in a data network, the apparatus comprising:
- means for identifying data associated with a first communication session between a first node and a second node in the data network;
  
  means for identifying a signature associated with said data associated with said first communication session;
  
  means for further processing said first communication session when a portion of said first communication session meets a criterion, the criterion including the identified signature associated with said first communication session, the further processing defined by a policy associated with the identified signature and including at least one action to be performed by the further processing, the at least one action including logging at least a portion of data packets associated with said first communication session and altering of data packets associated with said first communication session prior to transmitting the data packets to at least one of the first node and the second node, the altering of data packets including inserting a message or removing certain data as specified by the policy associated with the identified signature, terminating the first communication session at a third node, and dividing the first communication session between the first node and the third node and a second communication session between the third node and the second node, the third node to act as a proxy node; and
  
  means for permitting said first communication session to continue when said portion of said first communication session does not meet said criterion or upon completion of execution by the means of the further processing.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The apparatus of claim 6, wherein said means for identifying said signature comprises means for identifying a pattern in said data associated with said first communication session.
  - 8. The apparatus of claim 6, wherein said means for identifying said signature comprises means for performing signature analysis on said data associated with said first communication session.
  - 9. The apparatus of claim 6, wherein said means for identifying said signature comprises means for determining whether said data associated with said first communication session complies with a specific data transfer protocol.
  - 10. The apparatus of claim 6, wherein said means for identifying said signature comprises means for determining whether said data associated with said first communication session is addressed to a specific destination.

11. An apparatus for managing a transfer of data in a data network, the apparatus comprising:
- a processor device;
  
  a memory;
  
  a session identifier stored in the memory and executable by the processor to identify data associated with a first communication session between a first node and a second node in the data network;
  
  a session controller stored in the memory and executable by the processor and having an input for receiving a control signal indicating whether said first communication session meets a criterion, said session controller responsive to said control signal to produce a signal to indicate whether or not said first communication session should be permitted to continue or should be subjected to further processing before being allowed to continue, the session controller executable to permit said first communication session to continue upon receipt of the control signal indicating the first communication session does not meet said criterion; and
  
  a signature analyzer stored in the memory and executable by the processor to produce said control signal in response to identifying a signature associated with said data associated with said first communication session, the signature associated with a policy defining at last one action to be performed with regard to data packets of said first communication session, the at least one action including altering of data packets associated with said first communication session prior to transmitting the data packets to at least one of the first node and the second node, the altering of data packets including inserting a message or removing certain data as specified by the policy associated with the identified signature, terminating the first communication session at a third node, and dividing the first communication session between the first node and the third node and a second communication session between the third node and the second node, the third node to act as a proxy node.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The apparatus of claim 11, wherein said signature comprises a pattern characteristic of a particular type of data transfer.
  - 13. The apparatus of claim 11, wherein said signature comprises a data protocol identifier.
  - 14. The apparatus of claim 11, wherein said signature comprises an address field.
  - 15. The apparatus of claim 11, wherein said signature analyzer comprises a hardware circuit comprising discrete logic components.
  - 16. The apparatus of claim 11, wherein said signature analyzer comprises an application specific integrated circuit (ASIC).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Bevan, Stephen John, Xie, Michael, Li, Hongwei, Luo, Wenping, Wei, Shaohong
Primary Examiner(s)
Le, Chau
Assistant Examiner(s)
ZHAO, DON GORDON

Application Number

US13/250,285
Publication Number

US 20120023557A1
Time in Patent Office

1,103 Days
Field of Search

726/4, 726/13, 726/22, 726/23
US Class Current

726/4
CPC Class Codes

H04L 12/66   Arrangements for connecting...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 47/10   Flow control; Congestion co...

H04L 47/20   Traffic policing

H04L 47/43   Assembling or disassembling...

H04L 63/0281   Proxies

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

H04L 67/146   Markers for unambiguous ide...

H04L 67/563   Data redirection of data ne...

Method, apparatus, signals, and medium for managing transfer of data in a data network

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method, apparatus, signals, and medium for managing transfer of data in a data network

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links