Locked down network interface

US 9,426,124 B2
Filed: 04/08/2014
Issued: 08/23/2016
Est. Priority Date: 04/08/2013
Status: Active Grant

First Claim

Patent Images

1. A logic device for intercepting a data flow from a network source to a network destination, the logic device comprising:

a data store holding a set of compliance rules and corresponding actions wherein at least one of the set of compliance rules is a temporary compliance rule valid for a predetermined period;

a packet inspector configured to inspect the intercepted data flow and identify from the data store a temporary compliance rule associated with the inspected data flow, wherein the temporary compliance rule is generated in response to the inspected data flow being associated with a compliance rule with a corresponding action comprising the generation of said temporary compliance rule; and

a packet filter configured to when the data flow is identified as being associated with the temporary compliance rule, carry out an action with respect to the data flow corresponding to the temporary compliance rule while the temporary compliance rule is valid,wherein said logic device is further configured to when the data flow is identified as being associated with the temporary compliance rule, inform a compliance rule controller of the generation of a temporary compliance rule, the compliance rule controller being configured to audit the data flow and determine whether the temporary compliance rule is to be made permanent.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A logic device and method are provided for intercepting a data flow from a network source to a network destination. A data store holds a set of compliance rules and corresponding actions wherein at least one of the set of compliance rules is a temporary compliance rule valid for a predetermined period. A packet inspector is configured to inspect the intercepted data flow and identify from the data store a temporary compliance rule associated with the inspected data flow. A packet filter is configured to when the data flow is identified as being associated with the temporary compliance rule, carry out an action with respect to the data flow corresponding to the temporary compliance rule while the temporary compliance rule is valid.

193 Citations

20 Claims

1. A logic device for intercepting a data flow from a network source to a network destination, the logic device comprising:
- a data store holding a set of compliance rules and corresponding actions wherein at least one of the set of compliance rules is a temporary compliance rule valid for a predetermined period;
  
  a packet inspector configured to inspect the intercepted data flow and identify from the data store a temporary compliance rule associated with the inspected data flow, wherein the temporary compliance rule is generated in response to the inspected data flow being associated with a compliance rule with a corresponding action comprising the generation of said temporary compliance rule; and
  
  a packet filter configured to when the data flow is identified as being associated with the temporary compliance rule, carry out an action with respect to the data flow corresponding to the temporary compliance rule while the temporary compliance rule is valid,wherein said logic device is further configured to when the data flow is identified as being associated with the temporary compliance rule, inform a compliance rule controller of the generation of a temporary compliance rule, the compliance rule controller being configured to audit the data flow and determine whether the temporary compliance rule is to be made permanent.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 20)
- - 2. The logic device of claim 1 wherein the data store is further configured to receive a new compliance rule in replacement of the temporary compliance rule.
  - 3. The logic device of claim 2 wherein the packet filter is further configured to in response to the packet inspector identifying the new compliance rule as being associated with the inspected data flow, carry out an action corresponding to the new compliance rule.
  - 4. The logic device of claim 1 further configured to generate the temporary compliance rule in response to an inspected data flow not corresponding to a compliance rule.
  - 5. The logic device of claim 1 wherein the data store is further configured to receive a new compliance rule from the compliance rule controller.
  - 6. The logic device of claim 1 wherein the compliance rules are configured to ensure compliance of at one of said network source and network destination with allowed behaviour.
  - 7. The logic device of claim 1, wherein the packet inspector is further configured to identify the compliance rule associated with the data flow by parsing the received data flow to determine a characteristic of that data flow.
  - 8. The logic device of claim 1 wherein a compliance rule identifies a characteristic within the data flow for which there is an associated action.
  - 9. The logic device of claims 8 wherein the characteristic identifies a network destination for which there is an associated action.
  - 10. The logic device of claim 9 wherein the associated action is blocking a data flow directed to the network destination.
  - 11. The logic device of claim 10 wherein the associated action is allowing a data flow directed to the network destination to continue to be transmitted to the network.
  - 20. The logic device of claim 1, further configured to, if it is determined that the temporary compliance rule is not to be made permanent, block the data flow after a predetermined time period or after a predefined number of transactions.

12. A method comprising:
- intercepting a data flow from a network source to a network destination;
  
  storing a set of compliance rules and corresponding actions wherein at least one of the set of compliance rules is a temporary compliance rule valid for a predetermined period;
  
  inspecting the intercepted data flow and identifying a temporary compliance rule associated with the inspected data flow, wherein the temporary compliance rule is generated in response to the inspected data flow being associated with a compliance rule with a corresponding action comprising the generation of said temporary compliance rule;
  
  when the data flow is identified as being associated with the temporary compliance rule, carrying out an action with respect to the data flow corresponding to the temporary compliance rule while the temporary compliance rule is valid;
  
  when the data flow is identified as being associated with the temporary compliance rule, informing a compliance rule controller of the generation of a temporary compliance rule; and
  
  auditing by the compliance rule controller the data flow and determining whether the temporary compliance rule is to be made permanent.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method claim 12 further comprising receiving a new compliance rule in replacement of the temporary compliance rule.
  - 14. The method of claim 13 further comprising in response to identifying the new compliance rule as being associated with the inspected data flow, carrying out an action corresponding to the new compliance rule.
  - 15. The method of claim 12 further comprising generating the temporary compliance rule in response to an inspected data flow not corresponding to a compliance rule.
  - 16. The method of claim 12 further comprising receiving a new compliance rule from the compliance rule controller.
  - 17. The method of claim 12 wherein the compliance rules are configured to ensure compliance of at one of said network source and network destination with allowed behaviour.
  - 18. The method of claim 12, further comprising identifying the compliance rule associated with the data flow by parsing the received data flow to determine a characteristic of that data flow.
  - 19. The method of claim 12 wherein a compliance rule identifies a characteristic within the data flow for which there is an associated action.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Xilinx, Inc. (Advanced Micro Devices, Inc.)
Original Assignee
SolarFlare Communications Incorporated (Advanced Micro Devices, Inc.)
Inventors
Pope, Steve L., Roberts, Derek, Riddoch, David J.
Primary Examiner(s)
Jeudy, Josnel

Application Number

US14/248,082
Publication Number

US 20140304803A1
Time in Patent Office

868 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0236 Filtering by address, proto...

H04L 63/0263 Rule management

Locked down network interface

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

193 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Locked down network interface

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

193 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others