Application-based network traffic redirection for cloud security service

US 9,282,111 B1
Filed: 09/04/2014
Issued: 03/08/2016
Est. Priority Date: 06/28/2012
Status: Active Grant

First Claim

Patent Images

1. A cloud-based computer security system comprising:

a computer that receives a first network traffic, identifies a first originating application program as an originator of the first network traffic, determines a characteristic of the first originating application program, compares the characteristic of the first originating application program with a redirection policy, and redirects the first network traffic to a cloud computing system based on a result of the comparison of the characteristic of the originating application program with the redirection policy,wherein the computer further receives a second network traffic, identifies a second originating application program that is different from the first originating application program as an originator of the second network traffic, determines a characteristic of the second originating application program, compares the characteristic of the second originating application program with the redirection policy, and does not redirect the second network traffic to the cloud computing system based on a result of the comparison of the characteristic of the second originating application program with the redirection policy; and

the cloud computing system, the cloud computing system receives the first network traffic and scans the first network traffic to perform a computer security service.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cloud security service is made available to endpoint computers. Network traffic from originating application programs running on endpoint computers are redirected to the cloud security service based on characteristics of the originating application programs. Network traffic from an originating application program may be redirected to the cloud security service by way of a virtual private network (VPN) tunnel or generic routing encapsulation (GRE) tunnel between an endpoint computer and a cloud computing system hosting the cloud security service, for example. Network traffic from an originating application program may also be routed from an endpoint computer to a gateway system, and then redirected from the gateway system to the cloud computing system. The cloud security service may drop or forward network packets of the network traffic depending on a result of scanning the network packets.

7 Citations

View as Search Results

20 Claims

1. A cloud-based computer security system comprising:
- a computer that receives a first network traffic, identifies a first originating application program as an originator of the first network traffic, determines a characteristic of the first originating application program, compares the characteristic of the first originating application program with a redirection policy, and redirects the first network traffic to a cloud computing system based on a result of the comparison of the characteristic of the originating application program with the redirection policy,wherein the computer further receives a second network traffic, identifies a second originating application program that is different from the first originating application program as an originator of the second network traffic, determines a characteristic of the second originating application program, compares the characteristic of the second originating application program with the redirection policy, and does not redirect the second network traffic to the cloud computing system based on a result of the comparison of the characteristic of the second originating application program with the redirection policy; and
  
  the cloud computing system, the cloud computing system receives the first network traffic and scans the first network traffic to perform a computer security service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein, the cloud computing system scans the first network traffic for intrusion detection.
  - 3. The system of claim 1, wherein the cloud computing system scans the first network traffic to perform content filtering.
  - 4. The system of claim 1, wherein the cloud computing system either drops or forwards to a destination computer packets of the first network traffic based on a result of the scanning.
  - 5. The system of claim 1, wherein the cloud computing system receives the first network traffic and the second network traffic through a tunnel between the cloud computing system and the computer.
  - 6. The system of claim 5, wherein the computer forwards the second network traffic to its intended destination over a network connection that is not through the tunnel.
  - 7. The system of claim 1, wherein the computer receives the first and second network traffic from another computer.
  - 8. The system of claim 7, wherein the computer comprises a gateway system.
  - 9. The system of claim 1, wherein the computer comprises an endpoint computer that runs the first originating application program and the second originating application program.

10. A cloud-based computer security system comprising:
- an endpoint computer running a first originating application program and a second originating application program, the endpoint computer receives a first network traffic and a second network traffic, identifies the first originating application program as an originator of the first network traffic, identifies the second originating application program as an originator of the second network traffic, and provides to a gateway system the first network traffic, an identity of the first originating application program as the originator of the first network traffic, the second network traffic, and an identity of the second originating application program as the originator of the second network traffic;
  
  the gateway system in a same private computer network as the endpoint computer, the gateway system receives the first network traffic, the second network traffic, the identity of the first originating application program, and the identity of the second originating application program, compares a characteristic of the first originating application program with a redirection policy, and redirects the first network traffic to a cloud computing system based on a result of the comparison of the characteristic of the first originating application program with the redirection policy,wherein the gateway system further compares a characteristic of the second originating application program with the redirection policy and does not redirect the second network traffic to the cloud computing system based on a result of the comparison of the characteristic of the second originating application program with the redirection policy; and
  
  the cloud computing system, the cloud computing system receives the first network traffic and scans the first network traffic to perform a computer security service.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, wherein the cloud computing system scans the first network traffic for intrusion detection.
  - 12. The system of claim 10, wherein the cloud computing system either drops or forwards to a destination computer packets of the first network traffic based on a result of the scanning.
  - 13. The system of claim 10, wherein the cloud computing system receives the first network traffic through a virtual private network (VPN) tunnel between the gateway system and the cloud computing system.
  - 14. The system of claim 10, wherein the gateway system receives the first network traffic and the second network traffic through a tunnel between the gateway system and the endpoint computer.
  - 15. The system of claim 14, wherein the gateway system forwards the second network traffic to its destination over a network connection that is not through the tunnel.

16. A cloud-based computer security system comprising:
- a first computer that receives a first network traffic that is originated by a first originating application program, determines a characteristic of the first originating application program, compares the characteristic of the first originating application program with a redirection policy to generate a first result, and redirects the first network traffic to a cloud computing system through a tunnel between the first computer and the cloud computing system based on the first result,wherein the first computer further receives a second network traffic that is originated by a second originating application program that is different from the first originating application program, compares a characteristic of the second originating application program with the redirection policy to generate a second result, and forwards the second network traffic to its destination over a network connection that does not go through the tunnel to bypass the cloud computing system based on the second result; and
  
  the cloud computing system, the cloud computing system receives the first network traffic and scans the first network traffic to perform a computer security service.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, wherein, the first computer further receives a third network traffic that is originated by the first originating application program and redirects the third network traffic to the cloud computing system based on the first result.
  - 18. The system of claim 16, wherein the first computer receives the first network traffic and the second network traffic from a second computer.
  - 19. The system of claim 16, wherein the first computer runs the first originating application program and the second originating application program.
  - 20. The system of claim 16, wherein the first computer comprises a gateway system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Wei, Shaohong Peter, Jensen, Wayne
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
Asefa, Debebe

Application Number

US14/477,424
Time in Patent Office

551 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

H04L 67/563   Data redirection of data ne...

Application-based network traffic redirection for cloud security service

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

7 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Application-based network traffic redirection for cloud security service

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

7 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links