Delivering security functions to distributed networks

US 9,525,697 B2
Filed: 04/02/2015
Issued: 12/20/2016
Est. Priority Date: 04/02/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a switch;

a plurality of network assets, the network assets including at least one virtual machine;

an enforcement point communicatively coupled to the switch and at least one network asset of the plurality of network assets, the enforcement point processing, using a rule set, a data packet received from the switch, the enforcement point forwarding the processed data packet to a distributed security processor when the processing indicates the data packet is malicious, the enforcement point being another virtual machine, the data packet directed to the at least one network asset;

the distributed security processor communicatively coupled to the enforcement point and not being in the data traffic flow, the distributed security processor inspecting the processed data packet forwarded from the enforcement point, the distributed security processor directing the enforcement point to at least one of forward the processed data packet to the at least one network asset and drop the processed data packet, using the inspection and the rule set;

a logging module communicatively coupled to at least one of the switch, the enforcement point, and the distributed security processor, the logging module accumulating data associated with at least one of the data packet, the processing, and the inspection; and

an analytics module communicatively coupled to the logging module and a compiler, the analytics module analyzing the at least one of the data packet, the processing, and the inspection, the analytics module initiating compilation of a high-level security policy by the compiler using the analysis to produce an updated rule set.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for delivering security functions to a distributed network are described herein. An exemplary method may include: processing a data packet received from a switch, the data packet directed to the at least one network asset; selectively forwarding the data packet using the processing and a rule set; inspecting the forwarded packet; directing the enforcement point to at least one of forward the data packet to the at least one network asset and drop the data packet, using the inspection and the rule set; accumulating data associated with at least one of the data packet, the processing, and the inspection; analyzing the at least one of the data packet, the processing, and the inspection; and initiating compilation of a high-level security policy by the compiler using the analysis to produce an updated rule set.

145 Citations

16 Claims

1. A system comprising:
- a switch;
  
  a plurality of network assets, the network assets including at least one virtual machine;
  
  an enforcement point communicatively coupled to the switch and at least one network asset of the plurality of network assets, the enforcement point processing, using a rule set, a data packet received from the switch, the enforcement point forwarding the processed data packet to a distributed security processor when the processing indicates the data packet is malicious, the enforcement point being another virtual machine, the data packet directed to the at least one network asset;
  
  the distributed security processor communicatively coupled to the enforcement point and not being in the data traffic flow, the distributed security processor inspecting the processed data packet forwarded from the enforcement point, the distributed security processor directing the enforcement point to at least one of forward the processed data packet to the at least one network asset and drop the processed data packet, using the inspection and the rule set;
  
  a logging module communicatively coupled to at least one of the switch, the enforcement point, and the distributed security processor, the logging module accumulating data associated with at least one of the data packet, the processing, and the inspection; and
  
  an analytics module communicatively coupled to the logging module and a compiler, the analytics module analyzing the at least one of the data packet, the processing, and the inspection, the analytics module initiating compilation of a high-level security policy by the compiler using the analysis to produce an updated rule set.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1 further comprising:
    - a synthetic server communicatively coupled to the enforcement point, the synthetic server receiving a malicious data packet from the enforcement point and performing a security function,wherein the enforcement point processes the malicious data packet and forwards the malicious data packet to the synthetic server.
  - 3. The system of claim 2 wherein the synthetic server emulates operation of the at least one network asset and studies the malicious data packet to ascertain intent and future actions of an originator of the malicious data packet.
  - 4. The system of claim 2 wherein the synthetic server is at least one of a honeypot, tarpit, and intrusion protection system.
  - 5. The system of claim 1 wherein the enforcement point includes a high speed data cache for processing the data packet.
  - 6. The system of claim 1 wherein the inspection is a processor-intensive, stateful packet inspection.
  - 7. The system of claim 1 wherein the analytics module calculates a risk score associated with the at least one network asset, the risk score being a security characteristic corresponding to the at least one network asset.
  - 8. The system of claim 1 wherein the enforcement point receives and uses the updated rule set.

9. A method comprising:
- processing, by an enforcement point, using a rule set, a data packet received from a switch, the data packet directed to at least one network asset, the enforcement point being a virtual machine;
  
  forwarding, by the enforcement point, the processed data packet to a distributed security processor when the processing indicates the data packet is malicious;
  
  inspecting, by the distributed security processor, the processed packet forwarded from the enforcement point, the distributed security processor not being in the data traffic flow;
  
  directing, by the distributed security processor, the enforcement point to at least one of forward the processed data packet to the at least one network asset and drop the processed data packet, using the inspection and the rule set, the at least one network asset being at least another virtual machine;
  
  accumulating, by a logging module, data associated with at least one of the data packet, the processing, and the inspection;
  
  analyzing, by an analytics module, the at least one of the data packet, the processing, and the inspection; and
  
  initiating, by an analytics module, compilation of a high-level security policy by the compiler using the analysis to produce an updated rule set.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9 further comprising:
    - receiving, by a synthetic server, a malicious data packet from the enforcement point; and
      
      performing, by a synthetic server, a security function,wherein the enforcement point processes the malicious data packet and forwards the malicious data packet to the synthetic server.
  - 11. The method of claim 10 further comprising:
    - emulating, by the synthetic server, operation of the at least one network asset; and
      
      studying, by a synthetic server, the malicious data packet to ascertain intent and future actions of an originator of the malicious data packet.
  - 12. The method of claim 10 wherein the synthetic server is at least one of a honeypot, tarpit, and intrusion protection system.
  - 13. The method of claim 9 wherein the enforcement point processes the data packet using at least a high speed data cache.
  - 14. The method of claim 9 wherein the inspection includes a processor-intensive, stateful packet inspection.
  - 15. The method of claim 9 further comprising:
    - calculating, by the analytics module, a risk score associated with the at least one network asset, the risk score being a measurement of relative security corresponding to the at least one network asset.
  - 16. The method of claim 9 further comprising:
    - receiving, by the enforcement point, the updated rule set.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
vArmour Networks Inc
Original Assignee
vArmour Networks Inc
Inventors
Woolward, Marc, Shieh, Choung-Yaw, Lian, Jia-Jyi
Primary Examiner(s)
TURCHEN, JAMES R

Application Number

US14/677,755
Publication Number

US 20160294858A1
Time in Patent Office

628 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 21/57   Certifying or maintaining t...

H04L 2463/141   Denial of service attacks a...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

H04L 63/20   for managing network securi...

Delivering security functions to distributed networks

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

145 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Delivering security functions to distributed networks

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

145 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links