Packet classification in a network security device

US 9,001,661 B2
Filed: 09/04/2013
Issued: 04/07/2015
Est. Priority Date: 06/26/2006
Status: Active Grant

First Claim

Patent Images

1. A method for a network security device comprising:

receiving, by a processor of the network security device, a data packet having a header and content;

determining whether the data packet is associated with a flow that is known based on both the header information and the content;

in the event that the data packet is not associated with a flow that is known;

associating a new session identifier with the data packet;

determining whether the data packet should be allowed based on the new session identifier; and

in the event that the data packet should be allowed, generating a new flow record associated with the data packet, the new flow record including information for the new session identifier associated with the data packet;

initially classifying a flow associated with the packet using information included in the header and content; and

updating the initial classification of the flow based on a processing of one or more packets of the flow, wherein the processing includes one or more of content based protocol decoding, content based object extraction, or content based pattern matching.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatuses are described for inspecting data packets in a computer network. One or more data packets through the network have associated header data and content. One method includes receiving a data packet, examining the data packet to classify the data packet including classifying the data packet using information included in the header and content, determining flow instructions for processing the packet based on both the header information and the content and processing of the packet using the flow instructions.

Citations

20 Claims

1. A method for a network security device comprising:
- receiving, by a processor of the network security device, a data packet having a header and content;
  
  determining whether the data packet is associated with a flow that is known based on both the header information and the content;
  
  in the event that the data packet is not associated with a flow that is known;
  
  associating a new session identifier with the data packet;
  
  determining whether the data packet should be allowed based on the new session identifier; and
  
  in the event that the data packet should be allowed, generating a new flow record associated with the data packet, the new flow record including information for the new session identifier associated with the data packet;
  
  initially classifying a flow associated with the packet using information included in the header and content; and
  
  updating the initial classification of the flow based on a processing of one or more packets of the flow, wherein the processing includes one or more of content based protocol decoding, content based object extraction, or content based pattern matching.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein the updating the initial classification of the flow includes detecting an attempted network security intrusion.
  - 3. The method of claim 1 wherein the processing includes classifying the flow based on protocol decoding.
  - 4. The method of claim 1 wherein the processing includes classifying the flow based on content based object extraction.
  - 5. The method of claim 1 wherein the processing includes classifying the flow based on content based pattern matching.
  - 6. The method of claim 1 further comprising determining flow instructions for processing of the one or more packets of the flow based on both the header information and the content.
  - 7. The method of claim 1 further comprising:
    - determining flow instructions for processing of the one or more packets of the flow based on both the header information and the content; and
      
      processing the flow using the flow instructions.
  - 8. The method of claim 1 further comprising:
    - determining flow instructions for processing of the one or more packets of the flow based on both the header information and the content; and
      
      processing the flow using the flow instructions, wherein the processing the flow includes two or more of logging, storing, allowing the packets associated with the flow, setting an alarm, blocking the packets associated with the flow, or dropping the packets associated with the flow.
  - 9. The method of claim 1 further comprising:
    - determining flow instructions for processing of the one or more packets of the flow based on both the header information and the content; and
      
      processing the flow using the flow instructions, wherein the processing the flow includes one or more of allowing the packets associated with the flow to pass, blocking the packets associated with the flow, or dropping the packets associated with the flow.
  - 10. The method of claim 1 further comprising:
    - determining flow instructions for processing of the one or more packets of the flow based on both the header information and the content; and
      
      processing the flow using the flow instructions, wherein the processing the flow is selected from the group consisting of logging, storing, allowing the packets associated with the flow to pass, setting an alarm, blocking the packets associated with the flow, or dropping the packets associated with the flow.

11. A system for a network security device comprising:
- a processor of the network security device, wherein the processor is configured to;
  
  receive a data packet having a header and content;
  
  determine whether the data packet is associated with a flow that is known based on both the header information and the content;
  
  in the event that the data packet is not associated with a flow that is known;
  
  associate a new session identifier with the data packet;
  
  determine whether the data packet should be allowed based on the new session identifier; and
  
  in the event that the data packet should be allowed, generate a new flow record associated with the data packet, the new flow record including information for the new session identifier associated with the data packet;
  
  initially classify a flow associated with the packet using information included in the header and content; and
  
  update the initial classification of the flow based on a processing of one or more packets of the flow, wherein the processing includes one or more of content based protocol decoding, content based object extraction, or content based pattern matching; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system of claim 11 wherein the initial classification is performed using a multi-mode classification engine, and wherein the updating the initial classification of the flow includes detecting an attempted network security intrusion.
  - 13. The system of claim 11 wherein the processor is further configured to determine flow instructions for processing of the one or more packets of the flow based on both the header information and the content.
  - 14. The system of claim 11 wherein the processor is further configured to:
    - determine flow instructions for processing of the one or more packets of the flow based on both the header information and the content; and
      
      process the flow using the flow instructions.
  - 15. The system of claim 11 wherein the processor is further configured to:
    - determine flow instructions for processing of the one or more packets of the flow based on both the header information and the content; and
      
      process the flow using the flow instructions, wherein the process the flow includes two or more of logging, storing, allowing the packets associated with the flow, setting an alarm, blocking the packets associated with the flow, or dropping the packets associated with the flow.

16. A computer program product for a network security device, the computer program product being embodied in a tangible non-transitory computer readable storage medium and comprising computer instructions for:
- receiving a data packet having a header and content;
  
  determining whether the data packet is associated with a flow that is known based on both the header information and the content;
  
  in the event that the data packet is not associated with a flow that is known;
  
  associating a new session identifier with the data packet;
  
  determining whether the data packet should be allowed based on the new session identifier; and
  
  in the event that the data packet should be allowed, generating a new flow record associated with the data packet, the new flow record including information for the new session identifier associated with the data packet;
  
  initially classifying a flow associated with the packet using information included in the header and content; and
  
  updating the initial classification of the flow based on a processing of one or more packets of the flow, wherein the processing includes one or more of content based protocol decoding, content based object extraction, or content based pattern matching.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer program product recited in claim 16 wherein the initial classification is performed using a multi-mode classification engine, and wherein the updating the initial classification of the flow includes detecting an attempted network security intrusion.
  - 18. The computer program product recited in claim 16 further comprising computer instructions for determining flow instructions for processing of the one or more packets of the flow based on both the header information and the content.
  - 19. The computer program product recited in claim 16 further comprising computer instructions for:
    - determining flow instructions for processing of the one or more packets of the flow based on both the header information and the content; and
      
      processing the flow using the flow instructions.
  - 20. The computer program product recited in claim 16 further comprising computer instructions for:
    - determining flow instructions for processing of the one or more packets of the flow based on both the header information and the content; and
      
      processing the flow using the flow instructions, wherein the processing the flow includes two or more of logging, storing, allowing the packets associated with the flow, setting an alarm, blocking the packets associated with the flow, or dropping the packets associated with the flow.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Zuk, Nir, Wang, Song, Leung, Siu-Wang, Gong, Fengmin
Primary Examiner(s)
Yao, Kwang B
Assistant Examiner(s)
Bokhari, Syed M

Application Number

US14/018,357
Publication Number

US 20140075539A1
Time in Patent Office

580 Days
Field of Search

370230-232, 370/235, 370/315, 370/351, 370/389, 726/22, 713/201, 709/206, 709/230
US Class Current

370/235
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/1416 Event detection, e.g. attac...

Packet classification in a network security device

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Packet classification in a network security device

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links