Scalable network security with fast response protocol

US 9,167,001 B1
Filed: 04/10/2015
Issued: 10/20/2015
Est. Priority Date: 02/01/2012
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising instructions stored on non-transitory computer readable storage, the instructions when executed to cause at least one computer of a first network to:

receive a query from a query source from outside the first network, the query specifying an identifier of a possible network security threat;

determine whether the query is of a first type or a second type; and

according to the determined type of queryif the query is of a first type, perform a localized search of at least one database for network security data responsive to the query, the localized search not including results solely obtainable from outside of the first network, generate a response to the query, even if there is no information responsive to the query found within the first network, and irrespective if additional information is available from one or more remote information sources obtainable via a wide area network external to the first network, and transmit the response to the query source,if the query is of a second type, responsively interrogate the one or more remote information sources via a wide area network for network security data responsive to the query, update at least one local information repository corresponding to the at least one database responsive to the interrogation of the one or more remote information sources, generate the response to the query to include information responsive to the query found within the first network as updated responsive to the interrogation of the one or more remote information sources, and transmit the response including information as updated to the query source;

wherein the instructions when executed are further to cause the at least one computer to;

if the query is of the first type, transmit the response to query to the query source within an enforced response time, responsively interrogate the one or more remote information sources via a wide area network for network security data responsive to the query, and responsively update one or more local information repositories within the first network, and if the query is of the second type, transmit the response to the query source irrespective passage of the enforced response time and only once the one or more remote information sources have responded to the interrogation.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure provides a network security architecture that permits installation of different software security products as virtual machines (VMs). By relying on a standardized data format and communication structure, a general architecture can be created and used to dynamically build and reconfigure interaction between both similar and dissimilar security products. Use of an integration scheme having defined message types and specified query response framework provides for real-time response and easy adaptation for cross-vendor communication. Examples are provided where an intrusion detection system (IDS) can be used to detect network threats based on distributed threat analytics, passing detected threats to other security products (e.g., products with different capabilities from different vendors) to trigger automatic, dynamically configured communication and reaction. A network security provider using this infrastructure can provide hosted or managed boundary security to a diverse set of clients, each on a customized basis.

28 Citations

View as Search Results

16 Claims

1. An apparatus comprising instructions stored on non-transitory computer readable storage, the instructions when executed to cause at least one computer of a first network to:
- receive a query from a query source from outside the first network, the query specifying an identifier of a possible network security threat;
  
  determine whether the query is of a first type or a second type; and
  
  according to the determined type of queryif the query is of a first type, perform a localized search of at least one database for network security data responsive to the query, the localized search not including results solely obtainable from outside of the first network, generate a response to the query, even if there is no information responsive to the query found within the first network, and irrespective if additional information is available from one or more remote information sources obtainable via a wide area network external to the first network, and transmit the response to the query source,if the query is of a second type, responsively interrogate the one or more remote information sources via a wide area network for network security data responsive to the query, update at least one local information repository corresponding to the at least one database responsive to the interrogation of the one or more remote information sources, generate the response to the query to include information responsive to the query found within the first network as updated responsive to the interrogation of the one or more remote information sources, and transmit the response including information as updated to the query source;
  
  wherein the instructions when executed are further to cause the at least one computer to;
  
  if the query is of the first type, transmit the response to query to the query source within an enforced response time, responsively interrogate the one or more remote information sources via a wide area network for network security data responsive to the query, and responsively update one or more local information repositories within the first network, and if the query is of the second type, transmit the response to the query source irrespective passage of the enforced response time and only once the one or more remote information sources have responded to the interrogation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The apparatus of claim 1, wherein the query is to be received by the at least one computer via a wide area network connection external to the first network using a transmission control protocol and wherein the instructions when executed are further to cause the at least one computer to transmit the response to the query to the query source also via the wide area network connection external to the first network also using a transmission control protocol.
  - 3. The apparatus of claim 1, wherein the instructions when executed are further to cause the at least one computer to transmit the response to the query to multiple predetermined destinations associated with respective networks using a broadcast transmission format, the multiple destinations encompassing the query source.
  - 4. The apparatus of claim 1, wherein if the query is of the first type:
    - the response transmitted to the query source is a first response; and
      
      the instructions are further to cause the at least one computer to, if the one or more remote information sources have provided information responsive to the interrogation, generate a second response to the query to include information found within the first network as updated responsive to the interrogation of the one or more remote information sources, and transmit the second response to the query source.
  - 5. The apparatus of claim 4, wherein the first response is to be synchronously transmitted to the query source in response to the query and the second response is to be asynchronously transmitted to the query source in response to the query.
  - 6. The apparatus of claim 1, wherein if the query is of the first type and the one or more remote information sources have provided information responsive to the interrogation, the instructions when executed are further to cause the at least one computer to withhold reporting of updated data responsive to the interrogation of the one or more remote information sources to the query source.
  - 7. The apparatus of claim 1, wherein the first network comprises one or more network security machines to perform distributed threat analytics and wherein the at least one database is to store the network security data in response to performance of the distributed threat analytics.
  - 8. The apparatus of claim 1, wherein the at least one database is to store one or more public fields and one or more private fields associated with the network security data, and wherein the instructions when executed are to cause the at least one computer to generate the response so as to not include information from the private fields.

9. A method of operating at least one computer of a first network,the method comprising:
- receiving, using a hardware processor, a query from a query source from outside the first network, the query specifying an identifier of a possible network security threat;
  
  determining whether the query is of a first type or a second type; and
  
  according to the determined type of queryif the query is of a first type, performing a localized search of at least one database for network security data responsive to the query, the localized search not including results solely obtainable from outside of the first network, generating a response to the query, even if there is no information responsive to the query found within the first network, and irrespective if additional information is available from one or more remote information sources obtainable via a wide area network external to the first network, and transmitting the response to the query source,if the query is of a second type, responsively interrogating the one or more remote information sources via a wide area network for network security data responsive to the query, updating at least one local information repository corresponding to the at least one database responsive to the interrogation of the one or more remote information sources, generating the response to the query to include information responsive to the query found within the first network as updated responsive to the interrogation of the one or more remote information sources, and transmitting the response including information as updated to the query source;
  
  wherein the method further comprisesif the query is of the first type, transmitting the response to query to the query source within an enforced response time, responsively interrogating the one or more remote information sources via a wide area network for network security data responsive to the query, and responsively updating one or more local information repositories within the first network, and if the query is of the second type, transmitting the response to the query source irrespective passage of the enforced response time and only once the one or more remote information sources have responded to the interrogation.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, wherein the query is to be received by the at least one computer via a wide area network connection external to the first network using a transmission control protocol and wherein the method further comprises causing the at least one computer to transmit the response to the query to the query source also via the wide area network connection external to the first network also using a transmission control protocol.
  - 11. The method of claim 9, further comprising transmitting the response to the query to multiple predetermined destinations associated with respective networks using a broadcast transmission format, the multiple destinations encompassing the query source.
  - 12. The method of claim 9, wherein if the query is of the first type:
    - the response transmitted to the query source is a first response; and
      
      the method further comprises, if the one or more remote information sources have provided information responsive to the interrogation, generating a second response to the query to include information found within the first network as updated responsive to the interrogation of the one or more remote information sources, and transmitting the second response to the query source.
  - 13. The method of claim 12, further comprising synchronously transmitting the first response to the query source in response to the query and the asynchronously transmitting the second response to the query source in response to the query.
  - 14. The method of claim 9, wherein the method further comprises, if the query is of the first type and the one or more remote information sources have provided information responsive to the interrogation, withholding reporting of updated data responsive to the interrogation of the one or more remote information sources to the query source.
  - 15. The method of claim 9, wherein the first network comprises one or more network security machines to perform distributed threat analytics and wherein the at least one database is to store the network security data in response to performance of the distributed threat analytics.
  - 16. The method of claim 9, wherein the at least one database is to store one or more public fields and one or more private fields associated with the network security data, and wherein the method further comprises generating the response so as to not include information from the private fields.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
BrightPoint Security, Inc. (ServiceNow Incorporated)
Inventors
Haugsnes, Andreas Seip, Hahn, Markus
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
BEHESHTI SHIRAZI, SAYED ARESH

Application Number

US14/683,986
Time in Patent Office

193 Days
Field of Search

726/23, 707/769, 715/786, 710/316, 710/309, 710/311, 382/305
US Class Current

1/1
CPC Class Codes

G06F 16/23   Updating

G06F 16/245   Query processing

G06F 16/951   Indexing; Web crawling tech...

G06F 2009/45587   Isolation or security of vi...

G06F 21/552   involving long-term monitor...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/02   for separating internal fro...

H04L 63/0281   Proxies

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/205   involving negotiation or de...

H04L 67/1097   for distributed storage of ...

H04W 12/12   Detection or prevention of ...

Scalable network security with fast response protocol

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Scalable network security with fast response protocol

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links