Scalable network security with fast response protocol

US 8,914,406 B1
Filed: 07/24/2012
Issued: 12/16/2014
Est. Priority Date: 02/01/2012
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising instructions stored on non-transitory computer readable storage, the apparatus adapted to receive a query having at least one field having an identifier of a possible network security threat, the instructions when executed operable to cause a computer having fast access memory:

to determine whether the query is of a first type, that requires response within a predetermined period of time, or a second type, that does not require response within the predetermined period of time;

if the query is determined to be of the first type, to determine whether data responsive to the query is stored in the fast access memory by attempting to match the identifier with at least one data record stored in the fast access memory, andif the data is stored in the fast access memory, to automatically transmit the data to a source of the query via packet-based wide area network transmission within the period of time;

if the data is not stored in the fast access memory, totransmit an indication to the source of the query that the data is not stored in the fast access memory, via packet-based wide area transmission, within the period of time, andgenerate a first request, transmit the first request to at least one other network data source to retrieve data responsive to the query, receive one or more responses to the first request, and asynchronously update the fast access memory to reflect data responsive to the first request; and

if the query is determined to be of the second type, to generate a second request, transmit the second request to at least one other network data source to retrieve data responsive to the query, to receive one or more responses to second request, and to automatically transmit data responsive to the second request to a source of the query via packet-based wide area network transmission in a manner not constrained to be within the predetermined period of time relative to the query.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure provides a network security architecture that permits installation of different software security products as virtual machines (VMs). By relying on a standardized data format and communication structure, a general architecture can be created and used to dynamically build and reconfigure interaction between both similar and dissimilar security products. Use of an integration scheme having defined message types and specified query response framework provides for real-time response and easy adaptation for cross-vendor communication. Examples are provided where an intrusion detection system (IDS) can be used to detect network threats based on distributed threat analytics, passing detected threats to other security products (e.g., products with different capabilities from different vendors) to trigger automatic, dynamically configured communication and reaction. A network security provider using this infrastructure can provide hosted or managed boundary security to a diverse set of clients, each on a customized basis.

188 Citations

20 Claims

1. An apparatus comprising instructions stored on non-transitory computer readable storage, the apparatus adapted to receive a query having at least one field having an identifier of a possible network security threat, the instructions when executed operable to cause a computer having fast access memory:
- to determine whether the query is of a first type, that requires response within a predetermined period of time, or a second type, that does not require response within the predetermined period of time;
  
  if the query is determined to be of the first type, to determine whether data responsive to the query is stored in the fast access memory by attempting to match the identifier with at least one data record stored in the fast access memory, andif the data is stored in the fast access memory, to automatically transmit the data to a source of the query via packet-based wide area network transmission within the period of time;
  
  if the data is not stored in the fast access memory, totransmit an indication to the source of the query that the data is not stored in the fast access memory, via packet-based wide area transmission, within the period of time, andgenerate a first request, transmit the first request to at least one other network data source to retrieve data responsive to the query, receive one or more responses to the first request, and asynchronously update the fast access memory to reflect data responsive to the first request; and
  
  if the query is determined to be of the second type, to generate a second request, transmit the second request to at least one other network data source to retrieve data responsive to the query, to receive one or more responses to second request, and to automatically transmit data responsive to the second request to a source of the query via packet-based wide area network transmission in a manner not constrained to be within the predetermined period of time relative to the query.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The apparatus of claim 1, wherein the instructions when executed are further operable to cause the computer to, if the query is determined to be of the second type:
    - determine whether the data responsive to the query and corresponding to the identifier is stored in the fast access memory;
      
      if the data is stored in the fast access memory, to automatically transmit the data to the source of the query via packet-based wide area network transmission as a first response; and
      
      if the data is not stored in the fast access memory, to transmit the second request in order to load the fast access memory with the data responsive to the query and, once the data responsive to the query is loaded, to automatically transmit the data to the source of the query via packet-based wide area network transmission as a second response.
  - 3. The apparatus of claim 1, wherein the instructions further comprise application software and emulation software adapted to run the application software as a virtual machine.
  - 4. The apparatus of claim 3, wherein the application software comprises at least one of intrusion detection software, firewall software, intrusion prevention software, security event manager software, antivirus software or vulnerability assessment software.
  - 5. The apparatus of claim 3, wherein the application software comprises intrusion detection software.
  - 6. The apparatus of claim 3, wherein the query conveys a template having plural fields including a field for the identifier, and wherein the instructions when executed are operable to cause the computer to determine whether the data responsive to the query is stored in the fast access memory by attempting to match at least two fields of the template to a record stored in the fast access memory, the at least two fields including the field for the identifier.
  - 7. The apparatus of claim 6, wherein each of the template and the record includes the at least two fields, and the at least two fields further include a threat level field representing whether a corresponding item has been determined to present a network threat having a specified threat level, the corresponding item being one of a machine, a network destination, a file or an application.
  - 8. The apparatus of claim 1, wherein the instructions when executed are operable to cause the computer to generate the request to asynchronously load the fast access memory with the data responsive to the query by transmitting a packet-based message requesting the data in a manner adapted for transmission to a remote network destination via a wide area network.
  - 9. The apparatus of claim 8, wherein the remote network destination corresponds to a virtual machine security product and wherein the instructions when executed are operable to transmit the packet-based message using a transmission control protocol to the virtual machine security product.
  - 10. The apparatus of claim 1, wherein the instructions are further operable to generate the response to the query in a manner that includes a locator for non-cached data responsive to the query.
  - 11. The apparatus of claim 10, wherein the locator is a uniform resource identifier corresponding to a computer.
  - 12. The apparatus of claim 1, wherein the fast access memory comprises random access memory.
  - 13. The apparatus of claim 1, wherein the instructions when executed are adapted to cause the computer to maintain at least three databases in the fast access memory includingan index representing locators associated with respective security services;
    - a first database indicating whether the fast access memory possesses cached data responsive to the query; and
      
      a second database representing whether the fast access memory possesses a locator for non-cached data responsive to the query.
  - 14. The apparatus of claim 1, wherein the instructions when executed are adapted to cause the computer to, if the data is stored in the fast access memory, generate the response to the query within the period of time, and further, to generate a request to an external network destination to asynchronously update the data fast access memory.

15. An apparatus comprising at least one hardware processor, embodied in at least one network-attachable device, said apparatus further comprising:
- means for determining whether a query received via a wide area network is of a first type, that requires response within a predetermined period of time, or of a second type, that does not require response within the predetermined period of time, wherein the query has at least one field having an identifier of a possible network security threat;
  
  means for, if the query is determined to be of the first type, further determining whether data responsive to the query and corresponding to the identifier is stored in the fast access memory by attempting to match the identifier with at least one data record stored in the fast access memory;
  
  means for, if the query is determined to be of the first type and if the data is stored in the fast access memory, transmitting a response to the query within the period of time via packet-based wide area network transmission to a source of the query;
  
  means for, if the query is determined to be of the first type and if the data is not stored in the fast access memory,transmitting an indication within the period of time that the data is not stored in the fast access memory to the source of the query, andgenerating a first request, transmitting the first request to at least one other network data source to retrieve asynchronously load the fast access memory with the data responsive to the query, and asynchronously updating the fast access memory to reflect data from the at least one other network data source retrieved responsive to the query; and
  
  means for, if the query is determined to be of the second type, generating a second request, transmitting the second request to at least one other network data source to retrieve data responsive to the query, receiving one or more responses to second request, and automatically transmitting data responsive to the second request to a source of the query via packet-based wide area network transmission.

16. An intrusion detection system comprising at least one computer and instructions stored on non-transitory computer-readable media, each computer having at least one hardware processor, the intrusion detection system further comprising:
- a transmission control protocol module adapted to receive queries as to whether the intrusion detection system is aware of a network security threat associated with at least one identifier specified by each respective query, each identifier identifying a possible network security threat;
  
  logic to determine for each query whether the query is of a first type, that is to be responded to within a predetermined period of time, or of a second type, that does not require response within the predetermined period of time; and
  
  a memory manager adapted to determine for each respective query determined to be of the first type whether a fast access memory has a record associating the network security threat that matches the at least one specified identifier, and if the fast access memory does have such a record, to responsively transmit a response via the transmission control protocol module to a source of the respective query which identifies the network security threat;
  
  wherein the memory manager is adapted to, in the event the fast access memory does not have such a record, transmit an indication to the source of the query that the data is not stored in the fast access memory, via packet-based wide area transmission, within the period of time, and generate a first request, transmit the first request to at least one other network data source to asynchronously load the fast access memory with the data responsive to the query, and asynchronously update the fast access memory to reflect data from the at least one other network data source retrieved responsive to the query in a manner adapted for use in responding to a future, similar query, andwherein the memory manager is adapted to for each respective query determined to be of the second type, generate a second request, transmit the second request to at least one other network data source to retrieve data responsive to the query, receive one or more responses to the second request, and to responsively transmit a response via the transmission control protocol module responsive to the respective query of the second type representing the one or more responses to the second request.
- View Dependent Claims (17, 18, 19)
- - 17. The intrusion detection system of claim 16, wherein the computer comprises the fast access memory, and wherein the fast access memory comprises random access memory.
  - 18. The intrusion detection system of claim 16, wherein the memory manager is adapted to maintain a first cache and a second cache in the fast access memory, and whereinthe first cache is adapted to contain a response to the query if known to the intrusion detection system;
    - andthe second cache is adapted to contain a uniform resource indicator identifying a network address representing data responsive to the query.
  - 19. The intrusion detection system of claim 16, wherein the instructions are adapted for execution on the computer as a virtual machine.

20. A method comprising:
- using at least one computer, each computer comprising at least hardware processor, to determine whether a query received via a wide area network is of a first type that requires response within a predetermined period of time, or of a second type that does not require response within the predetermined period of time, wherein the query has at least one field having an identifier of a possible network security threat;
  
  if the query is determined to be of the first type, using the at least one computer to determine whether data responsive to the query and is stored in a fast access memory by attempting to match the identifier with at least one data record stored in the fast access memory;
  
  if the query is determined to require response within the predetermined period of time and if the data is stored in the fast access memory, using the at least one computer to automatically transmit a response to the query within the period of time to a source of the query;
  
  if the query is determined to be of the first type and if the data is not stored in the fast access memory, using the at least one computer totransmit an indication within the period of time that the data is not stored in the fast access memory to the source of the query, andautomatically generate a first request, transmit the first request to at least one other network data source to retrieve data responsive to the query, and asynchronously update the fast access memory to reflect data from the at least one other network data source retrieved responsive to the query; and
  
  ,if the query is determined to be of the second type, to collect responses from one or more remote data sources and respond to the query only follow receipt of the responses from the one or more remote data sources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
Vorstack, Inc.
Inventors
Haugsnes, Andreas Seip, Hahn, Markus
Primary Examiner(s)
Dada, Beemnet
Assistant Examiner(s)
BEHESHTI SHIRAZI, SAYED ARESH

Application Number

US13/556,553
Time in Patent Office

875 Days
Field of Search

707/769, 715/786, 710/316, 710/309, 710/311, 382/305, 726/23
US Class Current

707/769
CPC Class Codes

G06F 16/23   Updating

G06F 16/245   Query processing

G06F 16/951   Indexing; Web crawling tech...

G06F 2009/45587   Isolation or security of vi...

G06F 21/552   involving long-term monitor...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/02   for separating internal fro...

H04L 63/0281   Proxies

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/205   involving negotiation or de...

H04L 67/1097   for distributed storage of ...

H04W 12/12   Detection or prevention of ...

Scalable network security with fast response protocol

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

188 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Scalable network security with fast response protocol

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

188 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others