Packet classification in a network security device
Abstract
Methods and apparatuses are described for inspecting data packets in a computer network. One or more data packets passing through the network have associated header data and content. One method includes receiving a data packet; examining the data packet to classify it, including classifying the data packet using information included in the header and content; determining flow instructions for processing the packet based on both the header information and the content; and processing the packet using the flow instructions.
20 Claims
1. A method for a network security device comprising:
- receiving, by a processor of the network security device, a data packet having a header and content;
- determining whether the data packet is associated with a flow that is known based on both the header information and the content;
- in the event that the data packet is not associated with a flow that is known:
  - associating a new session identifier with the data packet;
  - determining whether the data packet should be allowed based on the new session identifier; and
  - in the event that the data packet should be allowed, generating a new flow record associated with the data packet, the new flow record including information for the new session identifier associated with the data packet;
- initially classifying a flow associated with the packet using information included in the header and content; and
- updating the initial classification of the flow based on a processing of one or more packets of the flow, wherein the processing includes one or more of content based protocol decoding, content based object extraction, or content based pattern matching.

11. A system for a network security device comprising:
- a processor of the network security device, wherein the processor is configured to:
  - receive a data packet having a header and content;
  - determine whether the data packet is associated with a flow that is known based on both the header information and the content;
  - in the event that the data packet is not associated with a flow that is known:
    - associate a new session identifier with the data packet;
    - determine whether the data packet should be allowed based on the new session identifier; and
    - in the event that the data packet should be allowed, generate a new flow record associated with the data packet, the new flow record including information for the new session identifier associated with the data packet;
  - initially classify a flow associated with the packet using information included in the header and content; and
  - update the initial classification of the flow based on a processing of one or more packets of the flow, wherein the processing includes one or more of content based protocol decoding, content based object extraction, or content based pattern matching; and
- a memory coupled to the processor and configured to provide the processor with instructions.

16. A computer program product for a network security device, the computer program product being embodied in a tangible non-transitory computer readable storage medium and comprising computer instructions for:
- receiving a data packet having a header and content;
- determining whether the data packet is associated with a flow that is known based on both the header information and the content;
- in the event that the data packet is not associated with a flow that is known:
  - associating a new session identifier with the data packet;
  - determining whether the data packet should be allowed based on the new session identifier; and
  - in the event that the data packet should be allowed, generating a new flow record associated with the data packet, the new flow record including information for the new session identifier associated with the data packet;
- initially classifying a flow associated with the packet using information included in the header and content; and
- updating the initial classification of the flow based on a processing of one or more packets of the flow, wherein the processing includes one or more of content based protocol decoding, content based object extraction, or content based pattern matching.
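
An added illustration (not code from the patent or from any product) of the sequence recited in claims 1, 11 and 16: unknown flow, new session identifier, allow decision, flow record, initial classification, then reclassification as later payload is inspected. The 5-tuple lookup key, the signatures, the port hints and the blocked-port policy are assumptions; for brevity the lookup keys on the header alone, whereas the claims use both header and content for that step.

```python
import itertools
import re
from dataclasses import dataclass

# Constructed signatures, port hints and policy (assumptions for illustration).
SIGNATURES = [("ssh", re.compile(rb"^SSH-2\.0-")),
              ("http", re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")),
              ("tls", re.compile(rb"^\x16\x03[\x00-\x04]"))]
PORT_HINTS = {22: "ssh", 80: "http", 443: "tls"}
BLOCKED_DST_PORTS = {23}

@dataclass
class FlowRecord:
    session_id: int
    app: str
    packets: int = 0

class Classifier:
    def __init__(self):
        self.flows = {}     # header 5-tuple -> FlowRecord
        self.sessions = {}  # session id -> header 5-tuple
        self._ids = itertools.count(1)

    def _match(self, content):
        # Content-based pattern matching on the payload bytes.
        return next((app for app, rx in SIGNATURES if rx.search(content)), None)

    def policy_allows(self, sid):
        return self.sessions[sid][3] not in BLOCKED_DST_PORTS

    def handle(self, header, content):
        """header = (src, sport, dst, dport, proto); returns (verdict, app)."""
        flow = self.flows.get(header)
        if flow is None:                      # not a known flow
            sid = next(self._ids)             # new session identifier
            self.sessions[sid] = header
            if not self.policy_allows(sid):   # allow decision via the session
                del self.sessions[sid]
                return "drop", None
            # Initial classification: payload signature, else port hint.
            app = self._match(content) or PORT_HINTS.get(header[3], "unknown")
            flow = self.flows[header] = FlowRecord(sid, app)
        else:
            seen = self._match(content)       # later packets refine the label
            if seen and seen != flow.app:
                flow.app = seen
        flow.packets += 1
        return "allow", flow.app
```

Fed a constructed flow to port 443 whose first packet is empty and whose second carries an SSH banner, `handle` labels the flow `tls` from the port hint and then updates the record to `ssh`, which is the case a header-only classifier misses.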
Specification