Scalable network security with fast response protocol

US 9,756,082 B1
Filed: 09/15/2015
Issued: 09/05/2017
Est. Priority Date: 02/01/2012
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising instructions stored on non-transitory, tangible, computer-readable storage, the instructions when executed to cause at least one computer of a first network to:

receive a query from a query source, the query specifying an indicator of a possible network security threat;

access a local database and process content of the local database to identify whether the local database contains data corresponding to the possible network security threat;

determine a threat level associated with the possible network security threat;

if threat level is not greater than a threshold, update the local database by transmitting a query from the at least one computer of the first network to at least one other computer via a wide area network (WAN), obtaining results from the at least one other computer, updating the threat level associated with the possible network security threat dependent on the results, and storing the updated threat level in the local database in association with the possible network security threat;

if the threat level is greater than the threshold, transmit a response to the query source responsive to data in the local database corresponding to the possible network security threat without regard to whether at least one other computer possesses additional data regarding the at least one network security threat; and

transmit, dependent on at least one of the threat level determined by the at least one computer of the first network or the updated threat level, a remedial measure to the query source to counteract the possible network security threat in a manner to cause a machine of the query source to automatically instantiate a policy to counteract the possible network security threat.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure provides a network security architecture that permits installation of different software security products as virtual machines (VMs). By relying on a standardized data format and communication structure, a general architecture can be created and used to dynamically build and reconfigure interaction between both similar and dissimilar security products. Use of an integration scheme having defined message types and specified query response framework provides for real-time response and easy adaptation for cross-vendor communication. Examples are provided where an intrusion detection system (IDS) can be used to detect network threats based on distributed threat analytics, passing detected threats to other security products (e.g., products with different capabilities from different vendors) to trigger automatic, dynamically configured communication and reaction. A network security provider using this infrastructure can provide hosted or managed boundary security to a diverse set of clients, each on a customized basis.

53 Citations

View as Search Results

20 Claims

1. An apparatus comprising instructions stored on non-transitory, tangible, computer-readable storage, the instructions when executed to cause at least one computer of a first network to:
- receive a query from a query source, the query specifying an indicator of a possible network security threat;
  
  access a local database and process content of the local database to identify whether the local database contains data corresponding to the possible network security threat;
  
  determine a threat level associated with the possible network security threat;
  
  if threat level is not greater than a threshold, update the local database by transmitting a query from the at least one computer of the first network to at least one other computer via a wide area network (WAN), obtaining results from the at least one other computer, updating the threat level associated with the possible network security threat dependent on the results, and storing the updated threat level in the local database in association with the possible network security threat;
  
  if the threat level is greater than the threshold, transmit a response to the query source responsive to data in the local database corresponding to the possible network security threat without regard to whether at least one other computer possesses additional data regarding the at least one network security threat; and
  
  transmit, dependent on at least one of the threat level determined by the at least one computer of the first network or the updated threat level, a remedial measure to the query source to counteract the possible network security threat in a manner to cause a machine of the query source to automatically instantiate a policy to counteract the possible network security threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The apparatus of claim 1, wherein the local database comprises security event data associated with the networks of respective clients, and wherein the instructions are, when executed, to cause the at least one computer of the first network to update the local database in dependence on the security event data associated with the networks of the respective clients and to update the threat level for the possible network security threat in dependence thereon.
  - 3. The apparatus of claim 1, wherein the instructions, when executed, are to cause the at least one computer of the first network to determine the threat level in dependence on the query from the query source.
  - 4. The apparatus of claim 1, wherein the instructions, when executed, are to cause the at least one computer of the first network to determine the threat level by:
    - matching the possible network security threat to content of the local database;
      
      retrieving an existent threat level value stored in the local database in association with the possible network security threat; and
      
      determining the threat level based on the existent threat level value.
  - 5. The apparatus of claim 1, wherein the instructions, when executed, are to cause the at least one computer of the first network to update the local database by obtaining results from multiple data sources and by updating the threat level based on the results as well as preexisting content of the local database, to obtain the updated threat level.
  - 6. The apparatus of claim 5, wherein the instructions, when executed, are to cause the at least one computer of the first network to obtain the updated threat level from the results from the multiple data sources and the preexisting content according to a voting process.
  - 7. The apparatus of claim 1, wherein the instructions, when executed, are to cause the at least one computer of the first network to:
    - if the threat level is greater than the threshold, transmit the response to the query source within a response time; and
      
      if the threat level is not greater than the threshold, not transmit any response to the query source within the response time.
  - 8. The apparatus of claim 1, wherein the instructions, when executed, are to cause the at least one computer of the first network to:
    - if the threat level is greater than the threshold, transmit the response to the query source within a response time; and
      
      if threat level is not greater than the threshold, withhold response to the query source notwithstanding the response time pending return of the results from the at least one other computer from over the WAN.
  - 9. The apparatus of claim 1, wherein the instructions, when executed, are to cause the at least one computer of the first network to:
    - if threat level is not greater than the threshold, transmit a first response to the query source within a response time, dependent on content of the local database; and
      
      transmit, following the response time, the receipt of the results from the at least one other computer and the update of the threat level, a second response to the query source dependent on the results from the at least one other computer, where the second response conveys the updated threat level.
  - 10. The apparatus of claim 1, wherein the instructions, when executed, are to cause the at least one computer of the first network to:
    - transmit the response on a broadcast basis to multiple network destinations, said response conveying the determined threat level which exceeds the threshold.

11. A method of processing security event data, implemented on at least one computer of a first network, the method comprising:
- receiving a query from a query source, the query specifying an indicator of a possible network security threat;
  
  accessing a local database and process content of the local database to identify whether the local database contains data corresponding to the possible network security threat;
  
  determining a threat level associated with the possible network security threat;
  
  if threat level is not greater than a threshold, transmitting a query from the at least one computer of the first network to at least one other computer via a wide area network (WAN), obtaining results from the at least one other computer, updating the threat level associated with the possible network security threat dependent on the results, and storing the updated threat level in the local database in association with the possible network security threat to thereby update the threat level in the local database; and
  
  if the threat level is greater than the threshold, transmitting a response to the query source responsive to data in the local database corresponding to the possible network security threat without regard to whether the whether the at least one other computer possesses additional data regarding the at least one network security threat;
  
  transmitting, dependent on at least one of the threat level determined by the at least one computer of the first network or the updated threat level, a remedial measure to the query source to counteract the possible network security threat;
  
  wherein transmitting the remedial measure is performed in a manner to cause a machine of the query source to automatically instantiate a policy to counteract the possible network security threat.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein the local database comprises security event data associated with the networks of respective clients, and wherein updating further comprises updating the local database in dependence on the security event data associated with the networks of the respective clients and obtaining the updated threat level for the possible network security threat in dependence thereon.
  - 13. The method of claim 11, wherein determining further comprises determining the threat level in dependence on the query from the query source.
  - 14. The method of claim 11, wherein determining further comprises:
    - matching the possible network security threat to content of the local database;
      
      retrieving an existent threat level value stored in the local database in association with the possible network security threat; and
      
      determining the threat level based on the existent threat level value.
  - 15. The method of claim 11, wherein obtaining further comprises obtaining results from multiple data sources and wherein updating further comprises updating the threat level based on the results as well as preexisting content of the local database, to obtain the updated threat level.
  - 16. The method of claim 15, wherein updating further comprises causing the least one computer of the first network to calculate the updated threat level from the results from the multiple data sources and the preexisting content according to a voting process.
  - 17. The method of claim 11, wherein:
    - if the threat level is greater than the threshold, transmitting the response to the query source is performed within a response time; and
      
      if the threat level is not greater than the threshold, no response is transmitted to the query source within the response time.
  - 18. The method of claim 11, wherein:
    - if the threat level is greater than the threshold, transmitting the response to the query source is performed within a response time; and
      
      if threat level is not greater than the threshold, the method further comprises withholding response to the query source notwithstanding the response time, pending return of the results from the at least one other computer from over the WAN.
  - 19. The method of claim 11, wherein:
    - transmitting the response comprises transmitting a first response to the query source within a response time, dependent on content of the local database; and
      
      the method further comprises, if threat level is not greater than the threshold, and notwithstanding the response time, transmitting a second response to the query source dependent on the results from the at least one other computer, where the second response conveys the updated threat level.
  - 20. The method of claim 11, wherein transmitting the response, if the threat level is greater than the threshold, comprises transmitting the response on a broadcast basis to multiple network destinations, in a manner which conveys the determined threat level which exceeds the threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
ServiceNow Incorporated
Inventors
Haugsnes, Andreas Seip, Hahn, Markus
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Shirazi, Sayed Beheshti

Application Number

US14/855,310
Time in Patent Office

721 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 16/23   Updating

G06F 16/245   Query processing

G06F 16/951   Indexing; Web crawling tech...

G06F 2009/45587   Isolation or security of vi...

G06F 21/552   involving long-term monitor...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/02   for separating internal fro...

H04L 63/0281   Proxies

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/205   involving negotiation or de...

H04L 67/1097   for distributed storage of ...

H04W 12/12   Detection or prevention of ...

Scalable network security with fast response protocol

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

53 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Scalable network security with fast response protocol

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links