Scalable network security with fast response protocol
Abstract
This disclosure provides a network security architecture that permits installation of different software security products as virtual machines (VMs). By relying on a standardized data format and communication structure, a general architecture can be created and used to dynamically build and reconfigure interaction between both similar and dissimilar security products. Use of an integration scheme having defined message types and specified query response framework provides for real-time response and easy adaptation for cross-vendor communication. Examples are provided where an intrusion detection system (IDS) can be used to detect network threats based on distributed threat analytics, passing detected threats to other security products (e.g., products with different capabilities from different vendors) to trigger automatic, dynamically configured communication and reaction. A network security provider using this infrastructure can provide hosted or managed boundary security to a diverse set of clients, each on a customized basis.
188 Citations
20 Claims
1. An apparatus comprising instructions stored on non-transitory computer readable storage, the apparatus adapted to receive a query having at least one field having an identifier of a possible network security threat, the instructions when executed operable to cause a computer having fast access memory:

to determine whether the query is of a first type, that requires response within a predetermined period of time, or a second type, that does not require response within the predetermined period of time; if the query is determined to be of the first type, to determine whether data responsive to the query is stored in the fast access memory by attempting to match the identifier with at least one data record stored in the fast access memory, and if the data is stored in the fast access memory, to automatically transmit the data to a source of the query via packet-based wide area network transmission within the period of time; if the data is not stored in the fast access memory, to transmit an indication to the source of the query that the data is not stored in the fast access memory, via packet-based wide area transmission, within the period of time, and generate a first request, transmit the first request to at least one other network data source to retrieve data responsive to the query, receive one or more responses to the first request, and asynchronously update the fast access memory to reflect data responsive to the first request; and if the query is determined to be of the second type, to generate a second request, transmit the second request to at least one other network data source to retrieve data responsive to the query, to receive one or more responses to the second request, and to automatically transmit data responsive to the second request to a source of the query via packet-based wide area network transmission in a manner not constrained to be within the predetermined period of time relative to the query.

Dependent claims: 2 through 14 (not shown).

15. An apparatus comprising at least one hardware processor, embodied in at least one network-attachable device, said apparatus further comprising:

means for determining whether a query received via a wide area network is of a first type, that requires response within a predetermined period of time, or of a second type, that does not require response within the predetermined period of time, wherein the query has at least one field having an identifier of a possible network security threat; means for, if the query is determined to be of the first type, further determining whether data responsive to the query and corresponding to the identifier is stored in the fast access memory by attempting to match the identifier with at least one data record stored in the fast access memory; means for, if the query is determined to be of the first type and if the data is stored in the fast access memory, transmitting a response to the query within the period of time via packet-based wide area network transmission to a source of the query; means for, if the query is determined to be of the first type and if the data is not stored in the fast access memory, transmitting an indication within the period of time that the data is not stored in the fast access memory to the source of the query, and generating a first request, transmitting the first request to at least one other network data source to retrieve asynchronously load the fast access memory with the data responsive to the query, and asynchronously updating the fast access memory to reflect data from the at least one other network data source retrieved responsive to the query; and means for, if the query is determined to be of the second type, generating a second request, transmitting the second request to at least one other network data source to retrieve data responsive to the query, receiving one or more responses to the second request, and automatically transmitting data responsive to the second request to a source of the query via packet-based wide area network transmission.

16. An intrusion detection system comprising at least one computer and instructions stored on non-transitory computer-readable media, each computer having at least one hardware processor, the intrusion detection system further comprising:

a transmission control protocol module adapted to receive queries as to whether the intrusion detection system is aware of a network security threat associated with at least one identifier specified by each respective query, each identifier identifying a possible network security threat; logic to determine for each query whether the query is of a first type, that is to be responded to within a predetermined period of time, or of a second type, that does not require response within the predetermined period of time; and a memory manager adapted to determine for each respective query determined to be of the first type whether a fast access memory has a record associating the network security threat that matches the at least one specified identifier, and if the fast access memory does have such a record, to responsively transmit a response via the transmission control protocol module to a source of the respective query which identifies the network security threat; wherein the memory manager is adapted to, in the event the fast access memory does not have such a record, transmit an indication to the source of the query that the data is not stored in the fast access memory, via packet-based wide area transmission, within the period of time, and generate a first request, transmit the first request to at least one other network data source to asynchronously load the fast access memory with the data responsive to the query, and asynchronously update the fast access memory to reflect data from the at least one other network data source retrieved responsive to the query in a manner adapted for use in responding to a future, similar query, and wherein the memory manager is adapted to, for each respective query determined to be of the second type, generate a second request, transmit the second request to at least one other network data source to retrieve data responsive to the query, receive one or more responses to the second request, and to responsively transmit a response via the transmission control protocol module responsive to the respective query of the second type representing the one or more responses to the second request.

Dependent claims: 17 through 19 (not shown).

20. A method comprising:

using at least one computer, each computer comprising at least one hardware processor, to determine whether a query received via a wide area network is of a first type that requires response within a predetermined period of time, or of a second type that does not require response within the predetermined period of time, wherein the query has at least one field having an identifier of a possible network security threat; if the query is determined to be of the first type, using the at least one computer to determine whether data responsive to the query is stored in a fast access memory by attempting to match the identifier with at least one data record stored in the fast access memory; if the query is determined to require response within the predetermined period of time and if the data is stored in the fast access memory, using the at least one computer to automatically transmit a response to the query within the period of time to a source of the query; if the query is determined to be of the first type and if the data is not stored in the fast access memory, using the at least one computer to transmit an indication within the period of time that the data is not stored in the fast access memory to the source of the query, and automatically generate a first request, transmit the first request to at least one other network data source to retrieve data responsive to the query, and asynchronously update the fast access memory to reflect data from the at least one other network data source retrieved responsive to the query; and if the query is determined to be of the second type, to collect responses from one or more remote data sources and respond to the query only following receipt of the responses from the one or more remote data sources.
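The claims above describe one protocol from two angles: a deadline-bound ("first type") query is answered from fast access memory if it hits, and on a miss the responder immediately says "not cached" while a background request to other data sources refreshes the memory; a "second type" query simply waits for those sources and returns their answer. The following is an added illustration written for this page, not code from the patent or its assignee. The class and field names (ThreatCache, handle_query, FAST, DEFERRED, known_threat), the in-process thread standing in for the asynchronous update, the negative-result record stored on a miss, and the sample feed entries (RFC 5737 documentation addresses) are all assumptions made for the example.

```python
import threading
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

FAST = "fast"          # first type: must be answered within the deadline
DEFERRED = "deferred"  # second type: answered only after the other sources reply

SOURCE_DELAY_S = 0.2   # constructed: how slow a remote data source is


@dataclass
class Query:
    identifier: str   # the claim's "identifier of a possible network security threat"
    kind: str         # FAST or DEFERRED
    source: str       # label for the querying peer (constructed)


@dataclass
class Response:
    identifier: str
    served_from_fast_memory: bool
    data: Optional[dict]        # None on a fast-path miss: "not stored in fast access memory"
    refresh_scheduled: bool     # True when the miss triggered an asynchronous update
    elapsed_s: float


def make_slow_source(records: Dict[str, dict]) -> Callable[[str], Optional[dict]]:
    """Constructed stand-in for 'at least one other network data source'."""
    def lookup(identifier: str) -> Optional[dict]:
        time.sleep(SOURCE_DELAY_S)          # far slower than the fast-path deadline
        return records.get(identifier)
    return lookup


class ThreatCache:
    def __init__(self, sources: List[Callable[[str], Optional[dict]]], deadline_s: float = 0.05):
        self.fast_memory: Dict[str, dict] = {}   # the claims' "fast access memory"
        self.sources = sources
        self.deadline_s = deadline_s
        self._lock = threading.Lock()
        self._pending: List[threading.Thread] = []

    def _query_sources(self, identifier: str) -> dict:
        """Send the request to every other data source and merge the replies."""
        merged: dict = {}
        for src in self.sources:
            hit = src(identifier)
            if hit:
                merged.update(hit)
        # Assumption: a negative answer is cached too, so the next fast query hits.
        return merged or {"known_threat": False}

    def _refresh(self, identifier: str) -> None:
        """Asynchronous update of fast memory after a fast-path miss."""
        data = self._query_sources(identifier)
        with self._lock:
            self.fast_memory[identifier] = data

    def handle_query(self, q: Query) -> Response:
        start = time.monotonic()
        if q.kind == FAST:
            with self._lock:
                cached = self.fast_memory.get(q.identifier)
            if cached is not None:
                return Response(q.identifier, True, cached, False, time.monotonic() - start)
            # Miss: answer "not cached" now, fetch in the background (first request).
            worker = threading.Thread(target=self._refresh, args=(q.identifier,), daemon=True)
            worker.start()
            self._pending.append(worker)
            return Response(q.identifier, False, None, True, time.monotonic() - start)
        if q.kind == DEFERRED:
            # Second request: wait for the sources, then answer; no deadline applies.
            data = self._query_sources(q.identifier)
            return Response(q.identifier, False, data, False, time.monotonic() - start)
        raise ValueError(f"unknown query kind: {q.kind!r}")

    def wait_for_refresh(self) -> None:
        """Block until every scheduled asynchronous update has landed (for demos/tests)."""
        for worker in self._pending:
            worker.join()
        self._pending.clear()


def demo() -> List[Response]:
    # Constructed sample feed using RFC 5737 documentation addresses, not real indicators.
    feed = make_slow_source({"203.0.113.7": {"known_threat": True, "category": "scanner"}})
    cache = ThreatCache([feed])
    q = Query("203.0.113.7", FAST, "sensor-a")
    first = cache.handle_query(q)       # miss: immediate "not cached", refresh in background
    cache.wait_for_refresh()
    second = cache.handle_query(q)      # hit: served from fast memory
    slow = cache.handle_query(Query("198.51.100.9", DEFERRED, "analyst-console"))
    return [first, second, slow]


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The point the example makes concrete is that the fast path never blocks on a remote source: a miss costs a dictionary lookup and a thread start, while the deferred path pays the full source latency. In a deployment the "not cached" indication and the later refresh would travel over the TCP module the claims mention, and the negative-result caching shown here would need an expiry so that a later-discovered threat is not masked by a stale "not known" record.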