Method for providing authoritative application-based routing and an improved application firewall

US 9,369,435 B2
Filed: 09/30/2013
Issued: 06/14/2016
Est. Priority Date: 09/30/2013
Status: Active Grant

First Claim

Patent Images

1. A method for providing an improved application firewall, the method comprising the steps of:

receiving, at one or more first computing devices, from a second computing device, a hash of an application requesting network access, along with associated information associated with the second computing device executing the application;

determining, at the one or more first computing devices, an application identifier for the application using the received hash and the received associated information;

communicating, at the one or more first computing devices, the application identifier to the second computing device and a third computing device executing the firewall to increase efficiency in validation and lookup processes of the firewall by correlating multiple disparate flows originating from the second computing device to an associated single application executing thereon identified by a given application identifier tagged to a given packet, wherein, for each packet having a given application identifier received at the firewall, the third computing device executing the firewall;

references a network information database with the received application identifier to limit a comparison, by a policy engine associated with the firewall, of the received packet to a reduced set of application network behavior information of a plurality of application network behavior information stored on the network information database, wherein a set of application network behavior information, collectively defines a normal or abnormal traffic associated with a given application; and

signals termination of the received packet or further inspection of the received packet if the referenced one or more behavior information associated with the received application identifier match one or more abnormal flow patterns.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for providing authoritative application-based routing and an improved application firewall, as well as a method for application classification, is described. The first embodiment, which provides a method for authoritative application-based routing, comprises tagging packets with an application identifier, and pushing the tagged packets to the network to enable the application identifier to be used in routing and priority decisions. In the second embodiment, a method for improving application firewall comprises using the application identifier to minimize the amount of processing required by the firewall when analyzing packet information.

97 Citations

View as Search Results

15 Claims

1. A method for providing an improved application firewall, the method comprising the steps of:
- receiving, at one or more first computing devices, from a second computing device, a hash of an application requesting network access, along with associated information associated with the second computing device executing the application;
  
  determining, at the one or more first computing devices, an application identifier for the application using the received hash and the received associated information;
  
  communicating, at the one or more first computing devices, the application identifier to the second computing device and a third computing device executing the firewall to increase efficiency in validation and lookup processes of the firewall by correlating multiple disparate flows originating from the second computing device to an associated single application executing thereon identified by a given application identifier tagged to a given packet, wherein, for each packet having a given application identifier received at the firewall, the third computing device executing the firewall;
  
  references a network information database with the received application identifier to limit a comparison, by a policy engine associated with the firewall, of the received packet to a reduced set of application network behavior information of a plurality of application network behavior information stored on the network information database, wherein a set of application network behavior information, collectively defines a normal or abnormal traffic associated with a given application; and
  
  signals termination of the received packet or further inspection of the received packet if the referenced one or more behavior information associated with the received application identifier match one or more abnormal flow patterns.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the determining step further comprises receiving application information from a cloud service.
  - 3. The method of claim 1, wherein the associated information comprises one selected from the group consisting of an application name, size, path, run time information, code sections, source IP address, destination IP address, ports, and protocols associated with a given application.
  - 4. The method of claim 2, wherein the received application information comprises one selected from the group consisting of the name, version, or producing company of the application.
  - 5. The method of claim 1, wherein the third computing device executing the firewall comprises the policy engine.
  - 6. The method of claim 5, wherein the policy engine executes on a stand-alone fourth computer device.
  - 7. The method of claim 1, wherein the third computing device executing the firewall comprises a device selected from the group consisting of a network switch and router.
  - 8. The method of claim 1, wherein the third computing device executing the firewall signals the termination of the received packet upon the referenced one or more behavior information associated with the received application identifier matching one or more abnormal flow patterns.
  - 9. The method of claim 1, wherein the third computing device executing the firewall signals deep packet inspection of the received packet upon the referenced one or more behavior information associated with the received application identifier matching one or more abnormal flow patterns.

10. An apparatus comprising:
- a network interface;
  
  a processor operatively coupled to the network interface; and
  
  a memory having instructions stored thereon, wherein the instructions, when executed by the processor, cause the processor to;
  
  reference, with a tag embedded within a packet received at the network interface, a network information database and limit a comparison, by a policy engine associated with the apparatus, of the received packet to a reduced set of application network behavior information of a plurality of application network behavior information stored on the network information database, wherein a set of application network behavior information, collectively defines a normal or abnormal traffic associated with a given application; and
  
  signal termination of the received packet or further inspection of the received packet if the referenced one or more behavior information associated with the received tag match one or more abnormal flow patterns;
  
  wherein, the received tag embedded within the packet is referenced to a plurality of tags, each of the plurality of tags being associated with an application executing on a given computing device having originated the packet, the application having been determined by a correlation of multiple disparate flows originating from the computing device using i) a hash of the application and ii) associated information associated with the computing device.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The apparatus of claim 10, wherein the instructions, when executed by the processor, cause the processor to signal the termination of the received packet upon the referenced one or more behavior information associated with the received tag matching one or more abnormal flow patterns.
  - 12. The apparatus of claim 10, wherein the instructions, when executed by the processor, cause the processor to signal deep packet inspection of the received packet upon the referenced one or more behavior information associated with the received tag matching one or more abnormal flow patterns.
  - 13. The apparatus of claim 10, wherein the instructions, when executed by the processor, cause the processor to receive and store i) an identifying tag corresponding to an application identifier associated with a given application and ii) a set of associated application network behavior information, collectively, defining a normal or abnormal traffic behavior associated with the given application.
  - 14. The apparatus of claim 10, wherein the instructions, when executed by the processor, cause the processor to execute the policy engine.
  - 15. The apparatus of claim 10, wherein the instructions, when executed by the processor, cause the processor to receive, via the network interface, comparison output from the policy engine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Short, Todd, Zawadowskiy, Andrew, Martin, Antonio, Parla, Vincent E.
Primary Examiner(s)
Nalven, Andrew
Assistant Examiner(s)
Li, Mary

Application Number

US14/041,107
Publication Number

US 20150096008A1
Time in Patent Office

988 Days
Field of Search

726/13
US Class Current

1/1
CPC Class Codes

H04L 45/306   Route determination based o...

H04L 45/566   Routing instructions carrie...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0245   Filtering by information in...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 67/02   based on web technology, e....

Method for providing authoritative application-based routing and an improved application firewall

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

97 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method for providing authoritative application-based routing and an improved application firewall

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

97 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links