Creating and managing a network security tag

US 9,231,976 B2
Filed: 03/15/2013
Issued: 01/05/2016
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory computer readable storage medium that includes code for execution for managing network data, and when executed by at least one processor is operable to:

perform a number of actions on the network data to identify network information about the network data, wherein the network data is to be forwarded to a next network device en route to a destination device after the number of actions are performed;

determine whether the next network device is one of a group of network devices operable to perform at least a number of other actions on the network data; and

responsive to a determination that the next network device is one of the group of network devices;

generate a metadata tag with a number of fields to include data indicating the network information, wherein at least one of the fields is included in the metadata tag based on a type of information used by the next network device;

generate an identifier for the network data;

encrypt the metadata tag using an encryption key and the identifier for the network data;

associate the metadata tag with the network data; and

transmit the network data with the metadata tag to the next network device.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus, computer readable medium, and method are provided in one example embodiment and include a network device, an analysis module, and a tag module. The analysis module may be configured to perform a number of actions on the network data to identify network information about the network data. The tag module may be configured to determine whether a destination for the network data is within a set of destinations; and responsive to a determination that the destination for the network data is within the set of destinations: generate a metadata tag based on the network information, associate the metadata tag with the network data, and transmit the network information and the metadata tag.

20 Citations

View as Search Results

24 Claims

1. At least one non-transitory computer readable storage medium that includes code for execution for managing network data, and when executed by at least one processor is operable to:
- perform a number of actions on the network data to identify network information about the network data, wherein the network data is to be forwarded to a next network device en route to a destination device after the number of actions are performed;
  
  determine whether the next network device is one of a group of network devices operable to perform at least a number of other actions on the network data; and
  
  responsive to a determination that the next network device is one of the group of network devices;
  
  generate a metadata tag with a number of fields to include data indicating the network information, wherein at least one of the fields is included in the metadata tag based on a type of information used by the next network device;
  
  generate an identifier for the network data;
  
  encrypt the metadata tag using an encryption key and the identifier for the network data;
  
  associate the metadata tag with the network data; and
  
  transmit the network data with the metadata tag to the next network device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 22, 23)
- - 2. The at least one non-transitory computer readable storage medium of claim 1, wherein the code when executed by the at least one processor is operable to;
    - receive the network data with an initial metadata tag; and
      
      identify initial network information from the initial metadata tag.
  - 3. The at least one non-transitory computer readable storage medium of claim 2, wherein the code when executed by the at least one processor is operable to:
    - perform the number of actions on the network data based on the initial network information to identify the network information.
  - 4. The at least one non-transitory computer readable rage medium of claim 2, wherein the code when executed by the at least one processor is operable to:
    - responsive to a determination that the next network device for the network data is not within the group of network devices, remove the initial metadata tag; and
      
      transmit the network data without the metadata tag.
  - 5. The at least one non-transitory computer readable storage medium of claim 2, wherein the code when executed by the at least one processor is operable to:
    - determine whether the initial metadata tag is encrypted;
      
      responsive to a determination that the initial metadata tag encrypted decrypt the initial metadata tag; and
      
      encrypt the metadata tag prior to transmitting the network data and the metadata tag.
  - 6. The at least one non-transitory computer readable storage medium of claim 1, wherein the number of actions is selected from a group consisting of:
    - a) a virus scan;
      
      b) a protocol flow analysis;
      
      c) a host identification;
      
      d) sharing private data; and
      
      e) an intrusion protection scan.
  - 7. The at least one non-transitory computer readable storage medium of claim 1, wherein the network information is selected from a group consisting of:
    - a) protocol flow information;
      
      b) a security risk analysis;
      
      c) an identification of a blocked source address;
      
      d) an antivirus scan result; and
      
      e) an intrusion protection scan result.
  - 22. The at least one non-transitory computer readable storage medium of claim 1, wherein at least one of the group of network devices is implemented as a virtual machine in a virtual environment.
  - 23. The at least one non-transitory computer readable storage medium of claim 1, wherein the data in the metadata tag is to be used by the next network device to identify one or more actions not to be performed on the transmitted network data.

8. An apparatus for managing network data, comprising:
- a first network device including at least one hardware processor;
  
  an analysis module coupled to the first network device, wherein the analysis module, when running on the at least one hardware processor, is to perform a number of actions on the network data to identify network information about the network data, wherein the network data is to be forwarded to a second network device en route to a destination device after the number of actions are performed; and
  
  a tag module coupled to the network device and the analysis module, wherein the tag module, when running on the at least one hardware processor, is to determine whether the second network device is one of a group of network devices operable to perform at least a number of other actions on the network data; and
  
  responsive to a determination that the second network device is one of the group of network devices;
  
  generate a metadata tag with a number of fields to include data indicating the network information, wherein at least one of the fields is included in the metadata tag based on a type of information used by the next network device;
  
  generate an identifier for the network data;
  
  encrypt the metadata tag using an encryption key and the identifier for the network data;
  
  associate the metadata tag with the network data; and
  
  transmit the network data with the metadata tag to the second network device.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 24)
- - 9. The apparatus of claim 8, wherein the network device is further configured to:
    - receive the network data with an initial metadata tag; and
      
      identify initial network information from the initial metadata tag.
  - 10. The apparatus of claim 9, wherein the analysis module is further configured to:
    - perform the number of actions on the network data based on the initial network information to identify the network information.
  - 11. The apparatus of claim 9, wherein the tag module is further configured to:
    - responsive to a determination that the second network device for the network data is not within the group of network devices, remove the initial metadata tag; and
      
      wherein the first network device is further configured to;
      
      transmit the network data without the metadata tag.
  - 12. The apparatus of claim 9, wherein the tag module is further configured to:
    - determine whether the initial metadata tag is encrypted;
      
      responsive to a determination that the initial metadata tag is encrypted, decrypt the initial metadata tag; and
      
      encrypt the metadata tag prior to transmitting the network data and the metadata tag.
  - 13. The apparatus of claim 8, wherein the number of actions is selected from a group consisting of:
    - a) a virus scan;
      
      b) a protocol flow analysis;
      
      c) a host identification;
      
      d) sharing private data; and
      
      e) an intrusion protection scan.
  - 14. The apparatus of claim 8, wherein the network information is selected from a group consisting of:
    - a) protocol flow information;
      
      b) a security risk analysis;
      
      c) an identification of a blocked source address;
      
      d) an antivirus scan result; and
      
      e) an intrusion protection scan result.
  - 24. The apparatus of claim 8, wherein at least one of the group of network devices is implemented as a virtual machine in a virtual environment.

15. A method for managing network data, comprising:
- receiving the network data at a network device;
  
  performing a number of actions on the network data to identify network information about the network data, wherein the network data is to be forwarded to a next network device en route to a destination device after the number of actions are performed;
  
  determining whether the next network device is one of a group of network devices operable to perform at least a number of other actions on the network data; and
  
  responsive to a determination that the next network device is one of the group of network devices;
  
  generating, by a hardware processor of the network device, a metadata tag with a number of fields to include data indicating the network information, wherein at least one of the fields is included in the metadata tag based on a type of information used by the next network device;
  
  generating an identifier for the network data;
  
  encrypting the metadata tag using an encryption key and the identifier for the network data;
  
  associating the metadata tag with the network data; and
  
  transmitting the network data with the metadata tag to the next network device.
- View Dependent Claims (16, 17, 18)
- - 16. The method of claim 15, wherein receiving the network data comprises:
    - receiving the network data with an initial metadata tag; and
      
      identifying initial network information from the initial metadata tag.
  - 17. The method of claim 16, wherein the performing the number of actions on the network is based on the initial network information to identify the network information.
  - 18. The method of claim 16, further comprising:
    - responsive to a determination that the next network device for the network data is not within the group of network devices, removing the initial metadata tag; and
      
      transmitting the network data without the metadata tag.

19. An apparatus for managing network data, comprising:
- a memory element comprising instructions;
  
  a first network device including at least one hardware processor that, when executing the instructions is to;
  
  receive the network data with an initial metadata tag;
  
  determine whether the initial metadata tag is encrypted;
  
  responsive to a determination that the initial metadata tag is encrypted, decrypt the initial metadata tag to generate a decrypted initial metadata tag; and
  
  identify initial network information from the decrypted initial metadata tag;
  
  an analysis module coupled to the first network device, wherein the analysis module is configured to perform a number of actions on the network data based, at least in part, on the initial network information to identify other network information, wherein the network data is to be forwarded to a second network device after the number of actions are performed; and
  
  a tag module coupled to the first network device and the analysis module, wherein the tag module is configured to;
  
  determine whether the second network device is one of a group of network devices operable to perform at least a number of other actions on the network data; and
  
  responsive to a determination that the second network device is not one of the group of network devices;
  
  remove the initial metadata tag; and
  
  transmit the network data without the initial metadata tag to the second network device.

20. At least one non-transitory computer readable storage medium that includes code for execution for managing network data, and when executed by at least one processor is operable to:
- receive the network data with an initial metadata tag;
  
  determine whether the initial metadata tag is encrypted;
  
  responsive to a determination that the initial metadata tag is encrypted, decrypt the initial metadata tag to generate a decrypted initial metadata tag;
  
  identify initial network information from the decrypted initial metadata tag;
  
  perform a number of actions on the network data based, at least in part, on the initial network information to identify other network information, wherein the network data is to be forwarded to a next network device after the number of actions are performed;
  
  determine whether the next network device is one of a group of network devices operable to perform at least a number of other actions on the network data; and
  
  responsive to a determination that the next network device is not one of the group of network devices;
  
  remove the initial metadata tag; and
  
  transmit the network data without the initial metadata tag to the next network device.
- View Dependent Claims (21)
- - 21. The at least one non-transitory computer readable storage medium of claim 20, wherein at least one of the group of network devices is implemented as a virtual machine in a virtual environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Buruganahalli, Shivakumar, Nedbal, Manuel
Primary Examiner(s)
Truong, Thanhnga B
Assistant Examiner(s)
Naghdali, Khalil

Application Number

US13/976,303
Publication Number

US 20140282843A1
Time in Patent Office

1,026 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/14   for detecting or protecting...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Creating and managing a network security tag

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Creating and managing a network security tag

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links