Scalable network security with fast response protocol
First Claim
1. An apparatus comprising instructions stored on non-transitory computer readable storage, the instructions when executed to cause at least one computer of a first network to:
receive a query from a query source from outside the first network, the query specifying an identifier of a possible network security threat;
determine whether the query is of a first type or a second type; and
according to the determined type of query:
if the query is of a first type, perform a localized search of at least one database for network security data responsive to the query, the localized search not including results solely obtainable from outside of the first network, generate a response to the query, even if there is no information responsive to the query found within the first network, and irrespective if additional information is available from one or more remote information sources obtainable via a wide area network external to the first network, and transmit the response to the query source;
if the query is of a second type, responsively interrogate the one or more remote information sources via a wide area network for network security data responsive to the query, update at least one local information repository corresponding to the at least one database responsive to the interrogation of the one or more remote information sources, generate the response to the query to include information responsive to the query found within the first network as updated responsive to the interrogation of the one or more remote information sources, and transmit the response including information as updated to the query source;
wherein the instructions when executed are further to cause the at least one computer to:
if the query is of the first type, transmit the response to the query to the query source within an enforced response time, responsively interrogate the one or more remote information sources via a wide area network for network security data responsive to the query, and responsively update one or more local information repositories within the first network; and
if the query is of the second type, transmit the response to the query source irrespective passage of the enforced response time and only once the one or more remote information sources have responded to the interrogation.
Abstract
This disclosure provides a network security architecture that permits installation of different software security products as virtual machines (VMs). By relying on a standardized data format and communication structure, a general architecture can be created and used to dynamically build and reconfigure interaction between both similar and dissimilar security products. Use of an integration scheme having defined message types and specified query response framework provides for real-time response and easy adaptation for cross-vendor communication. Examples are provided where an intrusion detection system (IDS) can be used to detect network threats based on distributed threat analytics, passing detected threats to other security products (e.g., products with different capabilities from different vendors) to trigger automatic, dynamically configured communication and reaction. A network security provider using this infrastructure can provide hosted or managed boundary security to a diverse set of clients, each on a customized basis.
16 Claims
1. (Apparatus claim; text as reproduced under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A method of operating at least one computer of a first network, the method comprising:
receiving, using a hardware processor, a query from a query source from outside the first network, the query specifying an identifier of a possible network security threat;
determining whether the query is of a first type or a second type; and
according to the determined type of query:
if the query is of a first type, performing a localized search of at least one database for network security data responsive to the query, the localized search not including results solely obtainable from outside of the first network, generating a response to the query, even if there is no information responsive to the query found within the first network, and irrespective if additional information is available from one or more remote information sources obtainable via a wide area network external to the first network, and transmitting the response to the query source;
if the query is of a second type, responsively interrogating the one or more remote information sources via a wide area network for network security data responsive to the query, updating at least one local information repository corresponding to the at least one database responsive to the interrogation of the one or more remote information sources, generating the response to the query to include information responsive to the query found within the first network as updated responsive to the interrogation of the one or more remote information sources, and transmitting the response including information as updated to the query source;
wherein the method further comprises:
if the query is of the first type, transmitting the response to the query to the query source within an enforced response time, responsively interrogating the one or more remote information sources via a wide area network for network security data responsive to the query, and responsively updating one or more local information repositories within the first network; and
if the query is of the second type, transmitting the response to the query source irrespective passage of the enforced response time and only once the one or more remote information sources have responded to the interrogation.
Dependent claims: 10, 11, 12, 13, 14, 15, 16
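The two-type query handling set out in claims 1 and 9 above, as an added Python example that is not code from the patent or its assignee: a first-type query is answered from local data only (even on a miss) and the remote interrogation runs afterwards in the background, while a second-type query blocks until the remote sources have answered and the local repository is updated. The identifiers, the remote feed, its latency and the 50 ms enforced response time are constructed assumptions.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor, wait

REMOTE_LATENCY = 0.2  # constructed: simulated WAN round trip to a remote information source
FAST, WAIT = "first", "second"  # the two query types distinguished in the claims

def constructed_remote_feed(identifier):
    """Stand-in for one remote information source reached over the WAN (constructed data)."""
    time.sleep(REMOTE_LATENCY)
    return {"198.51.100.9": {"feed_verdict": "known-c2"}}.get(identifier)

class SecurityQueryService:
    def __init__(self, local_repo, remote_sources, enforced_response_time=0.05):
        self.local_repo = local_repo          # local database: identifier -> record
        self.remote_sources = remote_sources  # callables: identifier -> record or None
        self.enforced_response_time = enforced_response_time
        self._lock = threading.Lock()
        self._pool, self._pending = ThreadPoolExecutor(max_workers=4), []

    def _interrogate_and_update(self, identifier):
        # Interrogate every remote source and merge what comes back into the local repository.
        for source in self.remote_sources:
            record = source(identifier)
            if record:
                with self._lock:
                    self.local_repo.setdefault(identifier, {}).update(record)

    def _local_response(self, identifier, started):
        # Localized search: consults nothing outside the first network.
        with self._lock:
            data = dict(self.local_repo.get(identifier, {}))
        elapsed = time.monotonic() - started
        return {"identifier": identifier, "found": bool(data), "data": data,
                "within_enforced_time": elapsed <= self.enforced_response_time}

    def handle(self, identifier, query_type):
        started = time.monotonic()
        if query_type == FAST:
            # First type: answer from local data even on a miss, within the enforced time, then
            # interrogate the remote sources in the background to enrich the local repository.
            response = self._local_response(identifier, started)
            self._pending.append(self._pool.submit(self._interrogate_and_update, identifier))
            return response
        # Second type: block on the remote interrogation, update locally, then respond.
        self._interrogate_and_update(identifier)
        return self._local_response(identifier, started)

    def wait_for_background(self):
        wait(self._pending)  # let outstanding background interrogations finish
```

A first-type miss therefore returns quickly with `found: False`, and the same identifier is answered from the enriched local repository once the background interrogation has completed.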
Specification