Protecting against denial of service attacks using guard tables
First Claim
1. A computer implemented method comprising:
receiving a login request at a first processing node, the login request is for network resources located on a server external from the first processing node, the first processing node comprises an intermediate device between a user associated with the login request and the network resources that is part of a distributed network security system from the user and the external network resources, wherein the login request comprises addressing information for the external network resources, wherein the first processing node is external from the user associated with the login request and is configured to perform login processing ensuring proper user credentials, virus scanning and traffic monitoring;
deriving a login key from the login request;
hashing the login key with a hash function, wherein the output of the hash function is a candidate bit position;
determining a value at the candidate bit position in a guard table in a first stage of an information look up procedure by the first processing node;
in a second stage of the information look up procedure, querying user credential data to authenticate the login request for the network resources only if the value at the candidate bit position in the guard table indicates that the login request corresponds to information included in the user credential data thereby reducing failure queries to the network resources, wherein the second stage is performed by the server with the network resources;
receiving new user credential information for a new user by the first processing node;
deriving a new credential key from the new user credential information by the first processing node;
hashing the new credential key with the hashing function by the first processing node, wherein the output of the hashing function is a new credential bit position;
setting a bit at the new credential bit position in the guard table to generate an updated guard table by the first processing node;
sending the updated guard table to a central authority server by the first processing node;
receiving the updated guard table by the central authority server;
sending the updated guard table to a second processing node by the central authority server; and
storing the updated guard table by the second processing node.
Abstract
Guard tables including absence information are used in a security system to protect a network service from a denial of service attack. A login key corresponding to a login request is hashed and the output of the hash is a bit position in a guard table. The bit value at the bit position in the guard table can be checked to determine if login information corresponding to the key is present. Further processing of the login request can be based on the indicated presence or absence of the information.
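The following Python model is an added illustration, not part of the patent text: a single hash maps a login key to one bit position in a guard table, a cleared bit short-circuits the request at the processing node before any credential query (the first stage), a set bit forwards it to the credential store (the second stage), and an enrollment at one node produces an updated table that a central authority pushes to a second node. The class names, SHA-256 as the hash, the 1024-bit table size and the user records are all assumptions constructed for the example.

```python
import copy
import hashlib

class GuardTable:
    """Bit array: a cleared bit proves the key is absent; a set bit only means 'maybe present'."""
    def __init__(self, size_bits=1024):
        self.size, self.bits = size_bits, bytearray((size_bits + 7) // 8)
    def position(self, key):  # the claim's hash step: digest as integer, reduced to a bit position
        return int.from_bytes(hashlib.sha256(key.encode()).digest(), "big") % self.size
    def set_bit(self, key):
        pos = self.position(key)
        self.bits[pos // 8] |= 1 << (pos % 8)
    def is_set(self, key):
        pos = self.position(key)
        return bool(self.bits[pos // 8] & (1 << (pos % 8)))

class CredentialStore:  # second stage on the resource server; counts every query that reaches it
    def __init__(self, users):
        self.users, self.queries = dict(users), 0
    def authenticate(self, username, password):
        self.queries += 1
        return self.users.get(username) == password

class ProcessingNode:
    def __init__(self, table, store):
        self.table, self.store = table, store
    def login(self, username, password):
        if not self.table.is_set(username):     # stage one: key is definitely unknown,
            return False                        # so reject without touching the store
        return self.store.authenticate(username, password)  # stage two
    def enroll(self, username, password):
        self.store.users[username] = password
        self.table.set_bit(username)            # updated table is handed to the central authority

def central_authority_distribute(table, nodes):
    for node in nodes:                          # each receiving node stores its own copy
        node.table = copy.deepcopy(table)

def demo(flood=1000):
    store = CredentialStore({"alice": "pw-a", "bob": "pw-b"})  # constructed sample users
    node1, node2 = ProcessingNode(GuardTable(), store), ProcessingNode(GuardTable(), store)
    for user in store.users:
        node1.table.set_bit(user)
    central_authority_distribute(node1.table, [node2])
    for i in range(flood):                      # flood of bogus names: only single-hash
        node1.login(f"ghost{i}", "x")           # false positives ever reach the store
    flood_queries = store.queries
    node1.enroll("carol", "pw-c")
    central_authority_distribute(node1.table, [node2])
    return flood_queries, node2.login("carol", "pw-c"), node1.login("alice", "wrong")
```

The table can never produce a false negative (an enrolled user's bit is always set), but unrelated keys that hash to an occupied position still reach the store, so the guard table reduces rather than eliminates backend load.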
29 Claims
16. A system comprising:
a central authority server configured to communicate at least one security policy to a plurality of processing nodes; and
a plurality of processing nodes comprising server computer devices and configured to:
receive a login request for network resources located on a server external from the plurality of processing nodes, the plurality of processing nodes comprise intermediate devices between a user associated with the login request and the network resources that are part of a distributed network security system external from the user and the network resources, wherein the login request comprises addressing information for the network resources, wherein the first processing node is external from the user associated with the login request and is configured to perform login processing ensuring proper user credentials, virus scanning and traffic monitoring;
derive a login key from the login request;
hash the login key with a hash function, wherein the output of the hash function is a candidate bit position;
determine a value at the candidate bit position in a guard table in a first stage of an information look up procedure; and
in a second stage of the information look up procedure, send the login request to the network resources only if the value at the candidate bit position in the guard table indicates that the login request corresponds to information included in the user credential data thereby reducing failure queries to the external network resources, wherein the server with the network resources is configured to query user credential data to authorize the login request;
wherein the first processing node is further configured to:
receive new user credential information for a new user;
derive a new credential key from the new user credential information;
hash the new credential key with the hashing function, wherein the output of the hashing function is a new credential bit position; and
set a bit at the new credential bit position in the guard table to generate an updated guard table;
wherein the first processing node is further configured to send the updated guard table to a central authority server, and wherein the central authority server is configured to:
receive the updated guard table; and
send the updated guard table to a second processing node of the plurality of processing nodes; and
wherein the second processing node is configured to store the updated guard table.