System and method for automatic provisioning of multi-stage rule-based traffic filtering

US 9,497,167 B2
Filed: 07/29/2013
Issued: 11/15/2016
Est. Priority Date: 07/29/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, by an interface, one or more filtering rules, for filtering communication packets by a multi-stage filtering system that includes multiple filtering units, including at least a front-end filtering unit that performs a first filtering operation on the communication packets based on layer-2 to layer-4 attributes of the communication packets at a request-response transaction level and one or more back-end filtering units that perform a second filtering operation on the communication packets that passed through the first filtering operation, the second filtering operation being based on content extracted from payloads of the filtered communication packets at a level of entire reconstructed packet flows;

automatically translating, by a processor, the filtering rules into a set of filtering directives, by at least converting a first filtering rule into both a first filtering directive and a second filtering directive, wherein the first filtering directive instructs the front-end filtering unit to perform the first filtering operation and to communicate the communication packets that passed through the first filtering operation to at least one of the back-end filtering units, wherein the second filtering directive instructs the at least one of the back-end filtering units to perform the second filtering operation on the communication packets that passed through the first filtering operation, and wherein translating the filtering rules further comprises instructing a given filtering unit to mark the communication packets that passed through a given filtering operation of a given filtering directive with respective identifiers of one or more filtering rules from which the given filtering directive was derived; and

configuring, by the processor, the multi-stage filtering system to filter the communication packets in accordance with the filtering rules, by configuring the filtering units with the filtering directives.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for filtering communication packets using a multi-stage filtering system that receives a large volume of communication packets from a communication network that filters the packets in two or more successive stages. The system comprises at least one front-end filtering unit and multiple back-end filtering units. Typically although not necessarily, the front-end filtering unit filters the packets based on layer-2 to layer-4 attributes of the packets. The back-end filtering units, on the other hand, filter the packets based on content extracted from the packet payloads. The back-end filtering units may perform filtering, for example, based on keyword spotting, application classification, malware detection and other content-related criteria. The front-end filtering unit typically performs filtering at the individual packet level and/or at the level of request-response transactions. The back-end filtering units, on the other hand, typically perform filtering at the level of entire reconstructed packet flows.

16 Citations

View as Search Results

10 Claims

1. A method, comprising:
- receiving, by an interface, one or more filtering rules, for filtering communication packets by a multi-stage filtering system that includes multiple filtering units, including at least a front-end filtering unit that performs a first filtering operation on the communication packets based on layer-2 to layer-4 attributes of the communication packets at a request-response transaction level and one or more back-end filtering units that perform a second filtering operation on the communication packets that passed through the first filtering operation, the second filtering operation being based on content extracted from payloads of the filtered communication packets at a level of entire reconstructed packet flows;
  
  automatically translating, by a processor, the filtering rules into a set of filtering directives, by at least converting a first filtering rule into both a first filtering directive and a second filtering directive, wherein the first filtering directive instructs the front-end filtering unit to perform the first filtering operation and to communicate the communication packets that passed through the first filtering operation to at least one of the back-end filtering units, wherein the second filtering directive instructs the at least one of the back-end filtering units to perform the second filtering operation on the communication packets that passed through the first filtering operation, and wherein translating the filtering rules further comprises instructing a given filtering unit to mark the communication packets that passed through a given filtering operation of a given filtering directive with respective identifiers of one or more filtering rules from which the given filtering directive was derived; and
  
  configuring, by the processor, the multi-stage filtering system to filter the communication packets in accordance with the filtering rules, by configuring the filtering units with the filtering directives.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method according to claim 1, wherein translating the filtering rules further comprises producing a filtering directive that is derived from two or more filtering rules, which instructs the given filtering unit to both perform a given filtering operation only once for the two or more filtering rules and to mark the communication packets that passed through the single filtering operation with the identifiers of the two or more filtering rules.
  - 3. The method according to claim 1, wherein translating the filtering rules further comprises producing a filtering directive that instructs one of the back-end filtering units to identify one or more subsequent packet flows that relate to a given filtering rule, to mark the identified subsequent packet flows with an identifier of the given filtering rule, and to notify the front-end filtering unit with the identified subsequent packet flows.
  - 4. The method according to claim 1, wherein translating the filtering rules further comprises converting a given filtering rule into at least a filtering directive that instructs a given filtering unit to output results of the respective filtering operation to a user.
  - 5. The method according to claim 1, wherein translating the filtering rules further comprises specifying in a given filtering directive one or more of the filtering rules from which the given filtering directive is derived.

6. Apparatus, comprising:
- an interface, which is configured to receive one or more filtering rules for filtering communication packets by a multi-stage filtering system that includes multiple filtering units, including at least a front-end filtering unit that performs a first filtering operation on the communication packets based on layer-2 to layer-4 attributes of the communication packets at a request-response transaction level and one or more back-end filtering units that perform a second filtering operation on the communication packets that passed through the first filtering operation, the second filtering operation being based on content extracted from payloads of the filtered communication packets at a level of entire reconstructed packet flows; and
  
  a processor, which is configured to automatically translate the filtering rules into a set of filtering directives by at least converting a first filtering rule into both a first filtering directive and a second filtering directive, wherein the first filtering directive instructs the front-end filtering unit to perform the first filtering operation and to communicate to at least one of the back-end filtering units the communication packets that passed through the first filtering operation, and wherein the second filtering directive instructs at least one of the back-end filtering units to perform the second filtering operation on the communication packets that passed through the first filtering operation, and to configure the multi-stage filtering system to filter the communication packets in accordance with the filtering rules, by configuring the filtering units with the filtering directives;
  
  wherein the processor is further configured to instruct a given filtering unit to mark the communication packets that passed through a given filtering operation of a given filtering directive with respective identifiers of one or more filtering rules from which the given filtering directive was derived.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The apparatus according to claim 6, wherein the processor is further configured to produce a filtering directive that is derived from two or more filtering rules, which instructs the given filtering unit to both perform a given filtering operation only once for the two or more filtering rules and to mark the results of the single filtering operation with the identifiers of the two or more filtering rules.
  - 8. The apparatus according to claim 6, wherein the processor is further configured to produce a filtering directive that instructs one of the back-end filtering units to identify one or more subsequent packet flows that relate to a given filtering rule, to mark the identified subsequent packet flows with an identifier of the given filtering rule, and to notify the front-end filtering unit with the identified subsequent packet flows.
  - 9. The apparatus according to claim 6, wherein the processor is further configured to convert a given filtering rule into at least a filtering directive that instructs a given filtering unit to output results of the respective filtering operation to a user.
  - 10. The apparatus according to claim 6, wherein the processor is further configured to specify in a given filtering directive one or more of the filtering rules from which the given filtering directive is derived.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cognyte Technologies Israel Ltd. (Cognyte Software Ltd.)
Original Assignee
Verint Systems Limited (Verint Systems Incorporated)
Inventors
Weintraub, Dana, Frid, Naomi
Primary Examiner(s)
Shaifer Harriman, Dant

Application Number

US13/953,141
Publication Number

US 20140096228A1
Time in Patent Office

1,205 Days
Field of Search

726/13
US Class Current

1/1
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0263   Rule management

System and method for automatic provisioning of multi-stage rule-based traffic filtering

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

10 Claims

Specification

Use Cases

Quick Links

Others

System and method for automatic provisioning of multi-stage rule-based traffic filtering

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

10 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others