Dynamic filtering for SDN API calls across a security boundary

US 9,258,315 B2
Filed: 01/13/2014
Issued: 02/09/2016
Est. Priority Date: 01/13/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

dynamically loading one or more filters that validate data across an application programming interface (API) boundary in a network element of a software defined network, such that a reboot of the network element is not required to use the one or more filters;

receiving an API call for an API function associated with the software defined network, wherein the API call contains one or more parameter values associated with the API function;

validating the parameters using the one or more filters;

if it is determined that the one or more filters validate the parameters for the API function, executing the API function using the parameter values; and

if it is determined that the one or more filters do not validate the parameters for the API function, aborting execution of the API function.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Presented herein are techniques to reduce the vulnerabilities of network elements to malicious API calls. One or more filters that validate data across an API boundary at a network element are dynamically loaded into the network element such that a reboot of the network element is not required to use the one or more filters. An API call is received for an API function, wherein the API call contains one or more parameter values associated with the API function. The parameters may be validated using the one or more filters. If it is determined that the one or more filters validate the parameters for the API function, the API function may be executed using the parameter values. If it is determined that the one or more filters do not validate the parameters for the API function, the execution of the API function may be aborted.

21 Citations

View as Search Results

20 Claims

1. A method comprising:
- dynamically loading one or more filters that validate data across an application programming interface (API) boundary in a network element of a software defined network, such that a reboot of the network element is not required to use the one or more filters;
  
  receiving an API call for an API function associated with the software defined network, wherein the API call contains one or more parameter values associated with the API function;
  
  validating the parameters using the one or more filters;
  
  if it is determined that the one or more filters validate the parameters for the API function, executing the API function using the parameter values; and
  
  if it is determined that the one or more filters do not validate the parameters for the API function, aborting execution of the API function.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising presenting to a user performance cost data associated with loading the one or more filters;
    - receiving confirmation from the user as to whether to load the one or more filters; and
      
      loading the one or more filters only depending on whether confirmation from the user is received.
  - 3. The method of claim 1, further comprising:
    - in response to receiving the API call, applying one or more filters to identify malformed data in the API call; and
      
      in response to determining that there is no malformed data in the API call, parsing the API call to determine the parameter values.
  - 4. The method of claim 3, further comprising:
    - parsing the API call to determine authorization values; and
      
      applying one or more filters to identify malicious authorization values.
  - 5. The method of claim 1, wherein the loading of the one or more filters is initiated by a software defined networking controller to download the one or more filters to the network element.
  - 6. The method of claim 1, wherein the one or more filters comprise at least one of:
    - a regular expression black list filter and regular expression white list filter.
  - 7. The method of claim 1, further comprising:
    - monitoring a plurality of API calls; and
      
      in response to identifying a sequence of API calls in the plurality of API calls defined in the one or more filters that poses a security risk, dropping one or more API calls from the sequence of API calls.
  - 8. The method of claim 1, wherein validating the API call further comprises:
    - if it is determined that there are one or more filters associated with the API function, determining whether there are one or more filters associated with the one or more parameters; and
      
      if it is determined that there are one or more filters associated with the one or more parameters, validating the API parameters using the associated one or more filters.
  - 9. The method of claim 1, further comprising:
    - receiving a firmware update for the network element to fix a security vulnerability associated with one or more filters that have already been loaded into the network element; and
      
      in response to receiving the firmware update, removing the filters associated with the security vulnerability.

10. An apparatus comprising:
- a plurality of network ports;
  
  a network processor unit coupled to the plurality of network ports;
  
  a processor coupled to the network processor unit, and configured to;
  
  dynamically load one or more filters that validate data across an application programming interface (API) boundary in a software defined network, such that a reboot of a network element is not required to use the one or more filters;
  
  receive an API call for an API function associated with the software defined network, wherein the API call contains one or more parameter values associated with the API function;
  
  validate the parameters using one or more filters that validate data traversing an API boundary of a network element;
  
  if it is determined that the one or more filters validate the parameters for the API function or there are no associated filters, execute the API function using the parameter values; and
  
  if it is determined that the one or more filters do not validate the parameters for the API function, abort execution of the API function.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The apparatus of claim 10, wherein the processor is further configured to:
    - present to a user performance cost data associated with loading the one or more filters;
      
      receive confirmation from the user as to whether to load the one or more filters; and
      
      load the one or more filters only depending on whether confirmation from the user is received.
  - 12. The apparatus of claim 10, wherein the processor is further configured to:
    - in response to receiving the API call, apply one or more filters to identify malformed data in the API call; and
      
      in response to determining that there is no malformed data in the API call, parse the API call to determine the parameter values.
  - 13. The apparatus of claim 10, wherein the processor is further configured to:
    - monitor a plurality of API calls; and
      
      in response to identifying a sequence of API calls in the plurality of API calls defined in the one or more filters that poses a security risk, drop one or more API calls from the sequence of API calls.
  - 14. The apparatus of claim 10, wherein the processor is further configured to:
    - if it is determined that there are one or more filters associated with the API function, determine whether there are one or more filters associated with the one or more parameters; and
      
      if it is determined that there are one or more filters associated with the one or more parameters, validate the parameters using the one or more associated filters.
  - 15. The apparatus of claim 10, wherein the processor is configured to:
    - receive a firmware update for the network element to fix a security vulnerability associated with a filter that has already been loaded into the network element; and
      
      in response to receiving the firmware update, remove the filters associated with the fixed security vulnerabilities.

16. A non-transitory computer-readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:
- dynamically load one or more filters that validate data across an application programming interface (API) boundary in a software defined network, such that a reboot of a network element is not required to use the one or more filters;
  
  receive an API call for an API function associated with the software defined network, wherein the API call contains one or more parameter values associated with the API function;
  
  validate the parameters using one or more filters that validate data traversing an API boundary of a network element;
  
  if it is determined that the one or more filters validate the parameters for the API function or there are no associated filters, execute the API function using the parameter values; and
  
  if it is determined that the one or more filters do not validate the parameters for the API function, abort execution of the API function.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer-readable storage media of claim 16, further comprising instructions operable to:
    - present to a user performance cost data associated with loading the one or more filters;
      
      receive confirmation from the user as to whether to load the one or more filters; and
      
      load the one or more filters only depending on whether confirmation from the user is received.
  - 18. The non-transitory computer-readable storage media of claim 16, further comprising instructions operable to:
    - in response to receiving the API call, apply one or more filters to identify malformed data in the API call; and
      
      in response to determining that there is no malformed data in the API call, parse the API call to determine the parameter values.
  - 19. The non-transitory computer-readable storage media of claim 16, further comprising instructions operable to:
    - if it is determined that there are one or more filters associated with the API function, determine whether there are one or more filters associated with the one or more parameters; and
      
      if it is determined that there are one or more filters associated with the one or more parameters, validate the API call parameters using the one or more filters.
  - 20. The non-transitory computer-readable storage media of claim 16, further comprising instructions operable to:
    - monitor a plurality of API calls; and
      
      in response to identifying a sequence of API calls in the plurality of API calls defined in the one or more filters that poses a security risk, drop one or more API calls from the sequence of API calls.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Martin, Antonio
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
KAPLAN, BENJAMIN A

Application Number

US14/153,742
Publication Number

US 20150200955A1
Time in Patent Office

757 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

G06F 21/562   Static detection

H04L 41/0813   characterised by the condit...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0245   Filtering by information in...

H04L 63/0263   Rule management

H04L 63/08   for authentication of entit...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 63/168   above the transport layer

Dynamic filtering for SDN API calls across a security boundary

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

21 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic filtering for SDN API calls across a security boundary

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links