Security actuator for a dynamically programmable computer network

US 9,571,523 B2
Filed: 07/02/2014
Issued: 02/14/2017
Est. Priority Date: 05/22/2012
Status: Active Grant

First Claim

Patent Images

1. A security service for a dynamically-programmable computer network, the security service embodied in one or more non-transitory computer readable storage media of a computing system and comprising a plurality of instructions that, when executed, cause the computing system to:

monitor the dynamically programmable network for receipt of a flow policy directive from a flow policy directive source, the flow policy directive including a command and a set of parameters, wherein the command and the set of parameters describe a flow policy objective for the dynamically programmable computer network;

in response to the monitoring, convert the flow policy directive to one or more packet disposition directives, the one or more packet disposition directives to cause one or more network switches of the dynamically programmable computer network to implement the flow policy directive to control flow of communications across the dynamically programmable computer network;

compare the one or more packet disposition directives to a set of currently active flow rules of the dynamically programmable computer network; and

in response to the comparison of the one or more packet disposition directives to the set of currently active flow rules, add the one or more packet disposition directives to the set of currently active flow rules,wherein conversion of the flow policy directive comprises parsing the flow policy directive to identify at least one valid command,wherein receipt of the flow policy directive comprises receiving a flow policy directive to quarantine communications associated with a network service identifier to a notifier internet address, the network service identifier including one or more of a network address or a network port, andwherein conversion of the flow policy directive further comprises creation of a first quarantine flow policy trigger rule to cause the one or more network switches to forward to a computing device a first quarantine trigger packet addressed from the network service identifier, creation of a second quarantine flow policy trigger rule to cause the one or more network switches to forward to the computing device a second quarantine trigger packet addressed to the network service identifier, creation, in response to receipt of the first or second quarantine trigger packet associated with a predefined network service, a first flow modification rule to (i) forward to the notifier internet address data communications addressed from the network service identifier and (ii) modify the data communications to identify the notifier internet address, and creation, in response to the receipt of the first or second trigger packet a second flow modification rule to (i) forward to the network service identifier data communications addressed from the notifier internet address and (ii) modify the data communications to identify the second network service identifier, andwherein the first flow modification rule and the second flow modification rule have a higher priority than the first quarantine flow policy trigger rule and the second quarantine flow policy trigger rule.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with packet disposition directives. A security actuator receives flow policy directives from a number of network applications. The flow policy directives express higher-level network security policy goals, including blocking and/or redirecting network traffic. The security actuator converts a flow policy directive into one or more packet disposition directives. The packet disposition directives may include trigger rules to cause network communications to be monitored for matching trigger packets. An automated mechanism initiated by the security actuator may cause trigger packets to be forwarded to the security actuator for analysis. The security actuator may generate packet disposition directives in response to receiving the trigger packets.

119 Citations

View as Search Results

28 Claims

1. A security service for a dynamically-programmable computer network, the security service embodied in one or more non-transitory computer readable storage media of a computing system and comprising a plurality of instructions that, when executed, cause the computing system to:
- monitor the dynamically programmable network for receipt of a flow policy directive from a flow policy directive source, the flow policy directive including a command and a set of parameters, wherein the command and the set of parameters describe a flow policy objective for the dynamically programmable computer network;
  
  in response to the monitoring, convert the flow policy directive to one or more packet disposition directives, the one or more packet disposition directives to cause one or more network switches of the dynamically programmable computer network to implement the flow policy directive to control flow of communications across the dynamically programmable computer network;
  
  compare the one or more packet disposition directives to a set of currently active flow rules of the dynamically programmable computer network; and
  
  in response to the comparison of the one or more packet disposition directives to the set of currently active flow rules, add the one or more packet disposition directives to the set of currently active flow rules,wherein conversion of the flow policy directive comprises parsing the flow policy directive to identify at least one valid command,wherein receipt of the flow policy directive comprises receiving a flow policy directive to quarantine communications associated with a network service identifier to a notifier internet address, the network service identifier including one or more of a network address or a network port, andwherein conversion of the flow policy directive further comprises creation of a first quarantine flow policy trigger rule to cause the one or more network switches to forward to a computing device a first quarantine trigger packet addressed from the network service identifier, creation of a second quarantine flow policy trigger rule to cause the one or more network switches to forward to the computing device a second quarantine trigger packet addressed to the network service identifier, creation, in response to receipt of the first or second quarantine trigger packet associated with a predefined network service, a first flow modification rule to (i) forward to the notifier internet address data communications addressed from the network service identifier and (ii) modify the data communications to identify the notifier internet address, and creation, in response to the receipt of the first or second trigger packet a second flow modification rule to (i) forward to the network service identifier data communications addressed from the notifier internet address and (ii) modify the data communications to identify the second network service identifier, andwherein the first flow modification rule and the second flow modification rule have a higher priority than the first quarantine flow policy trigger rule and the second quarantine flow policy trigger rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The security service of claim 1, wherein, conversion of the flow policy directive further comprises to:
    - create a forwarding trigger rule to cause the one or more network switches to forward a forwarding trigger packet to a computing device; and
      
      create, in response to receipt of the forwarding trigger packet, a flow modification rule to cause the one or more network switches to control flow of communications across the dynamically programmable computer network.
  - 3. The security service of claim 1, wherein conversion of the flow policy directive further comprises, in response to a flow policy directive to modify communications associated with a network service identifier, to create a plurality of flow modification rules to cause the one or more network switches to modify the communications associated with the network service identifier.
  - 4. The security service of claim 1, further comprising to receive the flow policy directive further comprises to receive a flow policy directive to deny communications associated with a network service identifier comprising one or more of a network address or a network port;
    - andconversion of the flow policy directive further comprises to, in response to the flow policy directive, create a plurality of flow modification rules to drop data communications associated with the network service identifier.
  - 5. The security service of claim 4, further comprising to convert the deny flow policy directive, wherein the conversion of the deny flow policy directive comprises to (i) create a first flow modification rule to drop data communications addressed from the network service identifier and (ii) create a second flow modification rule to drop data communications addressed to the network service identifier.
  - 6. The security service of claim 1, wherein receipt of the flow policy directive further comprises receiving a deny flow policy directive to deny communications associated with a network service identifier comprising one or more of a network address or a network port;
    - andconversion of the flow policy directive comprises to, in response to the deny flow policy directive, create a plurality of deny flow policy trigger rules to cause the one or more network switches to (i) forward to a computing device a trigger packet associated with the network service identifier and (ii) drop data communications associated with the network service identifier.
  - 7. The security service of claim 6, wherein conversion of the deny flow policy directive further comprises to:
    - create a first deny flow policy trigger rule to cause the one or more network switches to forward to the computing device a first deny flow trigger packet addressed from the network service identifier;
      
      create a second deny flow policy trigger rule to cause the one or more network switches to forward to the computing device a second deny flow trigger packet addressed to the network service identifier;
      
      create, in response to receipt of the first or second deny flow trigger packet, a first flow modification rule to drop data communications addressed from a hardware address of the trigger packet associated with the network service identifier; and
      
      create, in response to the receipt of the first or second deny flow trigger packet, a second flow modification rule to drop data communications addressed to the hardware address of the first or second deny flow trigger packet;
      
      wherein the first flow modification rule and the second flow modification rule have a higher priority than the first deny flow policy trigger rule and the second deny flow policy trigger rule.
  - 8. The security service of claim 1, wherein receipt of the flow policy directive further comprises to receive a flow policy directive to deny communications associated with a network service identifier comprising one or more of a network address or a network port;
    - andconversion of the flow policy directive further comprises to;
      
      create a first deny flow policy trigger rule to cause the one or more network switches to forward to a computing device a trigger packet addressed from the network service identifier;
      
      create a second deny flow policy trigger rule to cause the one or more network switches to forward to the computing device a trigger packet addressed to the network service identifier; and
      
      create, in response to receipt of a trigger packet, a first flow modification rule to drop data communications that match the trigger packet;
      
      wherein the first flow modification rule has a higher priority than the first deny flow policy trigger rule and the second deny flow policy trigger rule.
  - 9. The security service of claim 8, wherein to generate the packet-out comprises to generate an ICMP destination unreachable packet or a TCP connection-reset packet.
  - 10. The security service of claim 1, wherein receipt of the flow policy directive further comprises to receive a redirect flow policy directive to redirect communications associated with a network service identifier to a redirect internet address, the network service identifier to include one or more of a network address or a network port, andto convert the redirect flow policy directive comprises to, in response to the redirect flow policy directive, create a plurality of redirect trigger rules to cause the one or more network switches to redirect a trigger packet associated with the network service identifier.
  - 11. The security service of claim 1, wherein receipt of the flow policy directive further comprises to receive a flow policy directive to redirect communications associated with a network service identifier to a redirect internet address, the network service identifier to include one or more of a network address or a network port;
    - andto convert the redirect flow policy directive comprises to;
      
      create a first redirect flow policy trigger rule to cause the one or more network switches to forward to a computing device a trigger packet addressed from the network service identifier;
      
      create a second redirect flow policy trigger rule to cause the one or more network switches to forward to the computing device a trigger packet addressed from the redirect internet address;
      
      create, in response to receipt of the redirect flow policy trigger packet, a first flow modification rule to (i) forward to the redirect internet address data communications addressed from the network service identifier and addressed to a second network service identifier of the trigger packet and (ii) modify the data communications to identify the redirect internet address; and
      
      create, in response to the receipt of the redirect flow policy trigger packet, a second flow modification rule to (i) forward to the network service identifier data communications addressed from the redirect internet address and addressed to the network service identifier and (ii) modify the data communications to identify the second network service identifier;
      
      wherein the first flow modification rule and the second flow modification rule have a higher priority than the first redirect flow policy trigger rule and the second redirect flow policy trigger rule.
  - 12. The security service of claim 1, wherein receipt of the flow policy directive further comprises to receive a quarantine flow policy directive to quarantine communications associated with a network service identifier to a notifier internet address, the network service identifier including one or more of a network address or a network port;
    - andto convert the flow policy directive comprises to, in response to the quarantine flow policy directive, create a plurality of quarantine flow policy trigger rules to cause the one or more network switches to forward to a computing device a quarantine flow policy trigger packet associated with the network service identifier.

13. A method for actuating flow policy directives in a dynamically programmable computer network, the method comprising, with at least one computing device:
- monitoring the dynamically programmable computer network for receipt of a flow policy directive from a flow policy directive source;
  
  in response to the monitoring, converting the flow policy directive to one or more packet disposition directives, the one or more packet disposition directives to implement the flow policy directive at one or more network switches of the dynamically programmable computer network; and
  
  transmitting the one or more packet disposition directives to a security mediator of the dynamically programmable computer network, the security mediator mediating conflicts between packet disposition directives and transmitting packet disposition directives to network switches of the dynamically programmable network,wherein receiving the flow policy directive comprises receiving a flow policy directive to quarantine communications associated with a network service identifier to a notifier internet address, the network service identifier comprising one or more of a network address or a network port, andwherein converting the flow policy directive comprises;
  
  creating a first quarantine flow policy trigger rule to cause the one or more network switches to forward to the computing device a first quarantine trigger packet addressed from the network service identifier;
  
  creating a second quarantine flow policy trigger rule to cause the one or more network switches to forward to the computing device a second quarantine trigger packet addressed to the network service identifier;
  
  creating, in response to receiving the first or second trigger packet associated with a predefined network service, a first flow modification rule to (i) forward to the notifier internet address data communications addressed from the network service identifier and (ii) modify the data communications to identify the notifier internet address; and
  
  creating, in response to receiving the first or second trigger packet a second flow modification rule to (i) forward to the network service identifier data communications addressed from the notifier internet address and (ii) modify the data communications to identify the second network service identifier;
  
  wherein the first flow modification rule and the second flow modification rule have a higher priority than the first quarantine trigger rule and the second quarantine trigger rule;
  
  wherein converting the flow policy directive comprises parsing the flow policy directive to identify at least one valid command.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The method of claim 13, wherein:
    - the flow policy directive includes a command and a set of parameters, the command and the set of parameters describing a flow policy objective for a dynamically programmable computer network; and
      
      the one or more packet disposition directives are to be communicated from the security mediator to the one or more network switches to cause the one or more network switches to control flow of communications across the dynamically programmable computer network to implement the flow policy directive.
  - 15. The method of claim 13, wherein converting the flow policy directive comprises creating a forwarding flow policy trigger rule to cause the one or more network switches to forward a forwarding flow policy trigger packet to the computing device.
  - 16. The method of claim 15, wherein converting the flow policy directive further comprises creating, in response to receiving the forwarding flow policy trigger packet, a flow modification rule to cause the one or more network switches to control flow of communications across the dynamically programmable computer network.
  - 17. The method of claim 13, wherein:
    - receiving the flow policy directive comprises receiving a flow policy directive to deny communications associated with a network service identifier comprising one or more of a network address or a network port; and
      
      converting the flow policy directive comprises (i) creating a first flow modification rule to drop data communications addressed from the network service identifier and (ii) creating a second flow modification rule to drop data communications addressed to the network service identifier.
  - 18. The method of claim 13, wherein:
    - receiving the flow policy directive comprises receiving a flow policy directive to redirect communications associated with a network service identifier to a redirect internet address, the network service identifier comprising one or more of a network address or a network port; and
      
      converting the flow policy directive comprises;
      
      creating a first redirect flow policy trigger rule to cause the one or more network switches to forward to the computing device a first redirect flow policy trigger packet addressed from the network service identifier;
      
      creating a second redirect flow policy trigger rule to cause the one or more network switches to forward to the computing device a second redirect flow policy trigger packet addressed from the redirect internet address;
      
      creating, in response to receiving a first or second redirect flow policy trigger packet, a first flow modification rule to (i) forward to the redirect internet address data communications addressed from the network service identifier and addressed to a second network service identifier of the first or second redirect flow policy trigger packet and (ii) modify the data communications to identify the redirect internet address; and
      
      creating, in response to receiving the first or second redirect flow policy trigger packet, a second flow modification rule to (i) forward to the network service identifier data communications addressed from the redirect internet address and addressed to the network service identifier and (ii) modify the data communications to identify the second network service identifier,wherein the first flow modification rule and the second flow modification rule have a higher priority than the first redirect flow policy trigger rule and the second redirect flow policy trigger rule.

19. A security actuator for actuating flow policy directives in a dynamically programmable computer network, the security actuator comprising a plurality of instructions embodied in one or more non-transitory machine accessible storage media of a computing device that, when executed, cause the computing device to:
- monitor the dynamically programmable network for receipt of a flow policy directive from a source of flow policy directives, and in response to the monitoring;
  
  initiate an automated mechanism to communicate with one or more network switches of the dynamically programmable computer network, the automated mechanism to;
  
  monitor for packets having one or more criteria matching a trigger rule; and
  
  in response to a packet having a criterion matching the trigger rule, cause the one or more network switches to implement the flow policy directive,receipt of the flow policy directive comprises to receive a flow policy directive to quarantine communications associated with a network service identifier to a notifier internet address, the network service identifier to include one or more of a network address or a network port; and
  
  to implement the flow policy directive comprises to;
  
  create a first quarantine trigger rule to cause the one or more network switches to forward to a computing device a first quarantine trigger packet addressed from the network service identifier;
  
  create a second quarantine trigger rule to cause the one or more network switches to forward to the computing device a second quarantine trigger packet addressed to the network service identifier;
  
  create, in response to receipt of the first or second quarantine trigger packet associated with a predefined network service, a first flow modification rule to (i) forward to the notifier internet address data communications addressed from the network service identifier and (ii) modify the data communications to identify the notifier internet address; and
  
  create, in response to the receipt of the first or second quarantine trigger packet a second flow modification rule to (i) forward to the network service identifier data communications addressed from the notifier internet address and (ii) modify the data communications to identify the second network service identifier,wherein the first flow modification rule and the second flow modification rule have a higher priority than the first quarantine trigger rule and the second quarantine trigger rule;
  
  wherein the security actuator, before actuating, parses the flow policy directives to identify at least one valid command.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 20. The security actuator of claim 19, wherein the automated mechanism is to cause the one or more network switches to forward the matching packet to the security actuator.
  - 21. The security actuator of claim 19, wherein the automated mechanism is to cause the security actuator to, in response to the matching packet, create one or more packet disposition directives based on the flow policy directive.
  - 22. The security actuator of claim 19, wherein the security actuator is to, in response to a determination by the automated mechanism that a packet has a criterion matching the first or second quarantine trigger rule, transmit a packet disposition directive to a security mediator of the dynamically programmable network.
  - 23. The security actuator of claim 19, wherein the security actuator is to create a plurality of packet disposition directives in response to the flow policy directive, and the packet disposition directives comprise:
    - a packet disposition trigger rule to cause the one or more network switches to forward to the security actuator a first packet disposition trigger packet addressed from the network service identifier;
      
      a flow modification rule to one of;
      
      drop, forward, deny and redirect data communications that match the trigger packet addressed from the network service identifier.
  - 24. The security actuator of claim 23, wherein the flow modification rule has a higher priority than the packet disposition trigger rule.
  - 25. The security actuator of claim 23, wherein the security actuator is to generate a packet-out in response to receipt of the first packet disposition trigger packet.
  - 26. The security actuator of claim 23, wherein the packet disposition directives comprise a second packet disposition trigger rule to cause the one or more network switches to forward to the security actuator a second packet disposition trigger packet addressed to the network service identifier and a flow modification rule to one of:
    - drop, forward, deny and redirect data communications that match the first or second packet disposition trigger packet addressed to the network service identifier.
  - 27. The security actuator of claim 24, wherein the security actuator is to create a plurality of packet disposition directives in response to the flow policy directive, and the packet disposition directives comprise:
    - another packet disposition trigger rule to cause the one or more network switches to forward to the security actuator another trigger packet addressed from a network service identifier; and
      
      a flow modification rule to forward to an internet address data communications addressed from the network service identifier.
  - 28. The security actuator of claim 27, wherein the flow modification rule is to modify the data communications to identify the internet address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SRI International, Inc.
Original Assignee
SRI International, Inc.
Inventors
Porras, Phillip A., Skinner, Keith M., Dawson, Steven M.
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Harris, Christopher C

Application Number

US14/322,617
Publication Number

US 20140317684A1
Time in Patent Office

958 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/126   the source of the received ...

H04L 63/20   for managing network securi...

H04L 67/63   Routing a service request d...

Security actuator for a dynamically programmable computer network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

119 Citations

28 Claims

Specification

Use Cases

Quick Links

Others

Security actuator for a dynamically programmable computer network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

28 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others