Method and device for synchronizing network data flow detection status

US 9,729,560 B2
Filed: 09/10/2014
Issued: 08/08/2017
Est. Priority Date: 10/12/2012
Status: Active Grant

First Claim

Patent Images

1. A method implemented by a status synchronizing server for synchronizing network data flow detection status, wherein the status synchronization server is communicatively coupled to at least two security device nodes, the method comprising:

receiving a first request sent by a first security device node, wherein the first request carries a first flow entry, wherein the first flow entry uniquely identifies a first data flow that is currently detected by the first security device node;

determining first network data flow detection status corresponding to the first flow entry, wherein the first network data flow detection status comprises a first sequence of network events that have previously occurred in the first data flow and that are detected by another security device node, and wherein the other security device node is different than the first security device node; and

sending a first response to the first security device node, wherein the first response carries the first network data flow detection status, wherein the first network data flow detection status carried in the first response is used by the first security device node to generate second network data flow detection status stored locally, wherein the second network data flow detection status comprises a second sequence of network events, wherein the second sequence of network events is generated by connecting the first sequence of network events with a third sequence of network events that occurred in the first data flow and detected by the first security device node, and wherein the second sequence of network events is used by the first security device to determine whether an attack occurs.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and a device for synchronizing network data flow detection status are provided. The method includes: a status synchronizing server receives a first request sent by a first security device node, where the first request carries a first flow entry of a first data flow that is currently detected by the first security device node; determines first network data flow detection status corresponding to the first flow entry; sends a first response to the first security device node, where the first response carries the first network data flow detection status. A security device node requests previous network data flow detection status of a data flow from a status synchronizing server so as to synchronize network data flow detection status, thereby allowing the security device node to detect a network attack in a more accurate way and improving network system security.

5 Citations

View as Search Results

19 Claims

1. A method implemented by a status synchronizing server for synchronizing network data flow detection status, wherein the status synchronization server is communicatively coupled to at least two security device nodes, the method comprising:
- receiving a first request sent by a first security device node, wherein the first request carries a first flow entry, wherein the first flow entry uniquely identifies a first data flow that is currently detected by the first security device node;
  
  determining first network data flow detection status corresponding to the first flow entry, wherein the first network data flow detection status comprises a first sequence of network events that have previously occurred in the first data flow and that are detected by another security device node, and wherein the other security device node is different than the first security device node; and
  
  sending a first response to the first security device node, wherein the first response carries the first network data flow detection status, wherein the first network data flow detection status carried in the first response is used by the first security device node to generate second network data flow detection status stored locally, wherein the second network data flow detection status comprises a second sequence of network events, wherein the second sequence of network events is generated by connecting the first sequence of network events with a third sequence of network events that occurred in the first data flow and detected by the first security device node, and wherein the second sequence of network events is used by the first security device to determine whether an attack occurs.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, wherein determining the first network data flow detection status corresponding to the first flow entry comprises:
    - querying at least one locally stored registration record for a registration record that comprises the first flow entry, wherein each one of the at least one locally stored registration record comprises a flow entry as well as a security device node and network data flow detection status that correspond to the flow entry; and
      
      determining, according to a result of the query, the first network data flow detection status corresponding to the first flow entry.
  - 3. The method according to claim 2, wherein no registration record that comprises the first flow entry is found, and wherein determining, according to the result of the query, the first network data flow detection status corresponding to the first flow entry comprises locally adding a registration record that comprises the first flow entry, setting network data flow detection status in the added registration record to NULL, and determining that the first network data flow detection status is NULL.
  - 4. The method according to claim 2, wherein the registration record that comprises the first flow entry is found, and wherein determining, according to the result of the query, the first network data flow detection status corresponding to the first flow entry comprises determining, according to information about a security device node corresponding to the first flow entry in the found registration record, the first network data flow detection status corresponding to the first flow entry.
  - 5. The method according to claim 4, wherein determining, according to the information about the security device node corresponding to the first flow entry in the found registration record, the first network data flow detection status corresponding to the first flow entry comprises determining network data flow detection status corresponding to the first flow entry in the found registration record as the first network data flow detection status when the security device node corresponding to the first flow entry in the found registration record is NULL.
  - 6. The method according to claim 4, wherein determining, according to the information about the security device node corresponding to the first flow entry in the registration record, the first network data flow detection status corresponding to the first flow entry comprises:
    - sending a second request to a second security device node when the security device node corresponding to the first flow entry in the found registration record is the second security device node, wherein the second request carries the first flow entry to request the second security device node to send third network data flow detection status, wherein the third network data flow detection status is a sequence of network events that have occurred in the first data flow and that are detected by the second security device node;
      
      determining the network data flow detection status corresponding to the first flow entry in the found registration record as the first network data flow detection status when no response to the second request is received from the second security device node; and
      
      updating the network data flow detection status that corresponds to the first flow entry and is in the local found registration record to the third network data flow detection status, and determining the third network data flow detection status as the first network data flow detection status when the third network data flow detection status sent by the second security device node is received.
  - 7. The method according to claim 1, wherein before receiving the first request sent by the first security device node, the method further comprises:
    - receiving a connection request sent by the first security device node; and
      
      authenticating an identity of the first security device node according to the connection request to configure a request permission of the first security device node.
  - 8. The method according to claim 1, further comprising:
    - receiving a status update request that is sent by a third security device node according to a preset triggering event or periodically, wherein the status update request carries a second flow entry and network data flow detection status corresponding to the second flow entry, wherein the second flow entry uniquely identifies a second data flow that is currently detected by the third security device node; and
      
      maintaining, according to the status update request, locally stored registration record of flow entries.
  - 9. The method according to claim 8, wherein maintaining, according to the status update request, the locally stored registration record of flow entries comprises:
    - adding a registration record that comprises the second flow entry when no registration record that comprises the second flow entry is locally stored, wherein network data flow detection status in the added registration record is recorded as the network data flow detection status carried in the status update request, and wherein security device node in the added registration record is recorded as the third security device node or NULL;
      
      updating, by using network data flow detection status carried in the status update request, network data flow detection status that is in a locally stored registration record that comprises the second flow entry when the registration record that comprises the second flow entry is locally stored and a security device node in the locally stored registration record is the third security device node; and
      
      ignoring the status update request when the registration record that comprises the second flow entry is locally stored and the security device node in the locally stored registration record is not the third security device node.
  - 10. The method according to claim 9, wherein the status update request further carries an event type, wherein the event type is used to indicate whether the status update request is sent according to a preset triggering event or periodically, and wherein maintaining, according to the status update request, the locally stored registration record of flow entries further comprises:
    - setting the security device node corresponding to the second flow entry in the registration record that comprises the second flow entry to NULL when the event type indicates that the status update request is sent according to the preset triggering event; and
      
      setting the security device node corresponding to the second flow entry in the registration record that comprises the second flow entry to the third security device node when the event type indicates that the status update request is sent periodically.

11. A method implemented by a first security device node for synchronizing network data flow detection status, comprising:
- sending a first request to a status synchronizing server, wherein the first request carries a first flow entry, wherein the first flow entry uniquely identifies a first data flow that is currently detected by the first security device node;
  
  receiving a first response that is sent by the status synchronizing server according to the first request, wherein the first response carries first network data flow detection status corresponding to the first flow entry, wherein the first network data flow detection status comprises a first sequence of network events that have previously occurred in the first data flow and that are detected by another security device node, and wherein the other security device node is different than the first security device node; and
  
  generating second network data flow detection status stored locally, wherein the second network data flow detection status comprises a second sequence of network events, wherein the second sequence of network events is generated by connecting the first sequence of network events with a third sequence of network events that occurred in the first data flow and detected by the first security device node; and
  
  determining that an attack occurs in the first data flow when the the second sequence of network events matches with a detection rule.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method according to claim 11, further comprising:
    - receiving a second request sent by the status synchronizing server, wherein the second request carries a third flow entry, wherein the third flow entry uniquely identifies a third data flow that is currently detected by a forth security device node;
      
      acquiring third network data flow detection status that corresponds to the third flow entry and is recorded on the first security device node, wherein the third network data flow detection status comprises a sequence of network events that have previously occurred in the third data flow and are detected by the first security device node; and
      
      sending a second response to the status synchronizing server, wherein the second response carries the third network data flow detection status.
  - 13. The method according to claim 11, wherein before sending the first request to the status synchronizing server, the method further comprises:
    - sending a connection request to the status synchronizing server such that the status synchronizing server authenticates an identity of the first security device node according to the connection request; and
      
      receiving information about a request permission of the first security device node, wherein the request permission is configured by the status synchronizing server after the identity authentication succeeds.
  - 14. The method according to claim 11, further comprising sending a status update request to the status synchronizing server according to a preset triggering event or periodically, wherein the status update request carries a second flow entry and network data flow detection status corresponding to the second flow entry, wherein the second flow entry uniquely identifies the second data flow that is currently detected by the first security device node, wherein the network data flow detection status corresponding to the second flow entry comprises a sequence of network events that have previously occurred in the second data flow and are detected by the first security device node, and wherein the status update request is used by the status synchronizing server to maintain a registration record stored on the status synchronizing server.
  - 15. The method according to claim 14, wherein the status update request further carries an event type, and wherein the event type is used to indicate the status update request is sent according to a preset triggering event or periodically.

16. A status synchronizing server, comprising:
- a receiving circuit;
  
  a sending circuit;
  
  a processor; and
  
  a memory,wherein the receiving circuit is configured to receive a first request sent by a first security device node,wherein the first request carries a first flow entry,wherein the first flow entry uniquely identifies a first data flow that is currently detected by the first security device node,wherein the memory stores an instruction for the processor to determine first network data flow detection status corresponding to the first flow entry,wherein the first network data flow detection status comprises a first sequence of network events that have previously occurred in the first data flow and are detected by another security device node,wherein the other security device node is different than the first security device node,wherein the sending circuit is configured to send a first response to the first security device node,wherein the first response carries the first network data flow detection status determined by the processor,wherein the first network data flow detection status carried in the first response is used by the first security device node to generate second network data flow detection status stored locally,wherein the second network data flow detection status comprises a second sequence of network events,wherein the second sequence of network events is generated by connecting the first sequence of network events with a third sequence of network events that occurred in the first data flow and detected by the first security device node, andwherein the second sequence of network events is used by the first security device to determine whether an attack occurs.

17. A security device node, comprising:
- a receiving circuit;
  
  a sending circuit;
  
  a processor, anda memory,wherein the sending circuit is configured to send a first request to a status synchronizing server,wherein the first request carries a first flow entry,wherein the first flow entry uniquely identifies a first data flow that is currently detected by the first security node,wherein the receiving circuit is configured to receive a first response that is sent by the status synchronizing server according to the first request,wherein the first response carries first network data flow detection status corresponding to the first flow entry,wherein the first network data flow detection status comprises a first sequence of network events that have previously occurred in the first data flow and are detected by another security device node,wherein the other security device node is different than the first security device node, andwherein the memory is configured to store an instruction for the processor to;
  
  generate second network data flow detection status stored locally, wherein the second network data flow detection status comprises a second sequence of network events, wherein the second sequence of network events is generated by connecting the first sequence of network events with a third sequence of network events that occurred in the first data flow and detected by the first security device node; and
  
  determine an attack occurs in the first data flow when the second sequence of network events matches with a detection rule.

18. A network system, comprising:
- a status synchronizing server configured to;
  
  receive a first request sent by a first security device node, wherein the first request carries a first flow entry, wherein the first flow entry uniquely identifies a first data flow that is currently detected by the first security device node;
  
  determine first network data flow detection status corresponding to the first flow entry, wherein the first network data flow detection status comprises a first sequence of network events that have previously occurred in the first data flow and are detected by another security device node, and wherein the other security device node is different than the first security device node;
  
  send a first response to the first security device node, wherein the first response carries the first network data flow detection status determined; and
  
  at least one host device, a host device of the at least one host device comprises one or more virtual machines and the first security device node, wherein the host device is configured to;
  
  send the first request to a status synchronizing server;
  
  receive the first response that is sent by the status synchronizing server according to the first request;
  
  generate second network data flow detection status stored locally, wherein the second network data flow detection status comprises a second sequence of network events, wherein the second sequence of network events is generated by connecting the first sequence of network events with a third sequence of network events that occurred in the first data flow and detected by the first security device node; and
  
  determine an attack occurs in the first data flow when the second sequence of network events matches with a detection rule, andwherein a data connection is established between the first security device node and the status synchronizing server to exchange network data flow detection status.
- View Dependent Claims (19)
- - 19. The network system according to claim 18, wherein the at least one host device comprises a first host device and a second host device, wherein a first virtual machine on the first host device migrates to the second host device, and wherein a security device node on the second host device acquires, from the status synchronizing server, network data flow detection status of a data flow generated by the first virtual machine before the migration of the first virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Inventors
Zhang, Dacheng, Meng, Jian, Wang, Yuchen
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Debnath, Suman

Application Number

US14/482,210
Publication Number

US 20140380415A1
Time in Patent Office

1,063 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

H04L 43/026   using flow identification

H04L 43/04   Processing captured monitor...

H04L 63/08   for authentication of entit...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

Method and device for synchronizing network data flow detection status

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

5 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method and device for synchronizing network data flow detection status

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

5 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links