Distributed cloud-based security systems and methods
First Claim
1. A method comprising:
- monitoring, in a processing node in a distributed security system, a content item sent from or requested by an external system, wherein the processing node is external from a network edge of the external system and communications between the processing node and the external system are via a proxy, a tunnel, and redirection such that all the communications from the external system which are destined for or received from the Internet are processed through the processing node;
- determining, responsive to a security policy associated with the external system, a threat classification of the content item utilizing a hash of an information key associated with the content item to generate an index that is compared with a detection processing filter, the information key including an identification of a file name of an executable file associated with the content item and an identification of a file size of the executable file associated with the content item that are represented in the index generated by the hash; and
- performing one of the following in the processing node based on comparison of the index with the detection processing filter:
  - allowing the content item through the processing node if the threat classification is clean;
  - precluding the content item at the processing node if the threat classification is violating; and
  - threat detecting the content item at the processing node if the threat classification is unknown, and one of allowing or precluding the content item based on the threat detecting,
wherein the content item is one of spyware, malware, a virus, spam, and undesirable content which is precluded based on the security policy, and wherein the information key further includes an address of the content item.
Abstract
A distributed security method is implemented in a processing node of a distributed security system comprising one or more processing nodes and one or more authority nodes, wherein the distributed security system is located external to a network edge of an enterprise and external from one of a computer device and a mobile device associated with a user. The distributed security method includes monitoring a content item sent from or requested by an external system which is external from a network edge of the external system; and responsive to a security policy associated with the external system, performing one of allowing the content item through the processing node; precluding the content item at the processing node; and threat detecting the content item at the processing node and one of allowing or precluding the content item based on the threat detecting.
83 Citations
15 Claims
7. A processing node in a distributed security system, comprising:
- one or more processors; and
- memory storing instructions that, when executed, cause the one or more processors to:
  - communicate with an external system, wherein the processing node is external from a network edge of the external system and communications between the processing node and the external system are via a proxy, a tunnel, and redirection such that all the communications from the external system which are destined for or received from the Internet are processed through the processing node;
  - monitor a content item sent from or requested by an external system;
  - determine, responsive to a security policy associated with the external system, a threat classification of the content item utilizing a hash of an information key associated with the content item to generate an index that is compared with a detection processing filter, the information key including an identification of a file name of an executable file associated with the content item and an identification of a file size of the executable file associated with the content item that are represented in the index generated by the hash; and
  - perform one of the following based on comparison of the index with the detection processing filter:
    - allow the content item through the processing node if the threat classification is clean;
    - preclude the content item at the processing node if the threat classification is violating; and
    - threat detect the content item at the processing node if the threat classification is unknown, and one of allow or preclude the content item based on the threat detection,
wherein the content item is one of spyware, malware, a virus, spam, and undesirable content which is precluded based on the security policy, and wherein the information key further includes an address of the content item.
12. An external system comprising one of a computer device and a mobile device, comprising:
- one or more processors; and
- memory storing instructions that, when executed, cause the one or more processors to:
  - communicate on a Wide Area Network (WAN) through a processing node in a distributed security system, wherein the processing node is external from a network edge of the external system and communications between the processing node and the external system are via a proxy, a tunnel, and redirection such that all the communications from the external system which are destined for or received from the Internet are processed through the processing node; and
  - one of send and request a content item over the WAN, wherein, responsive to a security policy associated with the external system, the content item is threat classified by the processing node utilizing a hash of an information key associated with the content item to generate an index that is compared with a detection processing filter, the information key including an identification of a file name of an executable file associated with the content item and an identification of a file size of the executable file associated with the content item that are represented in the index generated by the hash, and, based on comparison of the index with the detection processing filter, the content item is one of:
    - allowed through the processing node if a threat classification is clean;
    - precluded at the processing node if the threat classification is violating; and
    - threat detected at the processing node if the threat classification is unknown, and one of allowed or precluded based on the threat detection,
wherein the content item is one of spyware, malware, a virus, spam, and undesirable content which is precluded based on the security policy, and wherein the information key further includes an address of the content item.
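The classification step is the same in claims 1, 7 and 12: hash an information key (executable file name, file size and address) into an index, compare it with a detection processing filter, and allow, preclude, or fall back to full threat detection. The following is an added example written for this page, not code from the patent or its assignee. Its choices are assumptions: the filter is modelled as two Bloom-style bit arrays (known-clean and known-violating), SHA-256 supplies three indices per key, the `SecurityPolicy`, `ProcessingNode` and `threat_detector` names are invented, and the sample items and detector verdicts are constructed. A hit in both arrays is treated as unknown, so a filter false positive triggers a scan rather than a wrong allow or block.

```python
"""Toy processing node: hash-indexed detection filter in front of a full scan.
Added example with assumed layout and constructed data; not the patent's code."""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Callable, FrozenSet, List, Optional


class Classification(Enum):
    CLEAN = "clean"
    VIOLATING = "violating"
    UNKNOWN = "unknown"


class Decision(Enum):
    ALLOW = "allow"
    PRECLUDE = "preclude"


@dataclass(frozen=True)
class ContentItem:
    file_name: str   # name of the executable associated with the item
    file_size: int   # its size in bytes
    address: str     # address (URL) the item is requested from or sent to


def information_key(item: ContentItem) -> bytes:
    """Serialise the information key from the claims: file name, file size and
    address, joined by a NUL separator so the fields cannot run together."""
    return f"{item.file_name}\x00{item.file_size}\x00{item.address}".encode("utf-8")


class DetectionProcessingFilter:
    """Assumed layout: one Bloom-style bit array per verdict, indexed by hashing
    the information key. Lookups have no false negatives but may have false
    positives, so a hit in both arrays is reported as UNKNOWN, not as a verdict."""

    def __init__(self, num_bits: int = 1 << 16, num_hashes: int = 3) -> None:
        self.num_bits = num_bits
        self.num_hashes = num_hashes
        self._bits = {Classification.CLEAN: bytearray(num_bits // 8),
                      Classification.VIOLATING: bytearray(num_bits // 8)}

    def indices(self, key: bytes) -> List[int]:
        """Derive num_hashes bucket indices from one SHA-256 digest of the key."""
        digest = hashlib.sha256(key).digest()
        return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.num_bits
                for i in range(self.num_hashes)]

    def _test(self, verdict: Classification, idxs: List[int]) -> bool:
        arr = self._bits[verdict]
        return all(arr[i // 8] & (1 << (i % 8)) for i in idxs)

    def record(self, item: ContentItem, verdict: Classification) -> None:
        """Cache a verdict produced by full threat detection."""
        arr = self._bits[verdict]
        for i in self.indices(information_key(item)):
            arr[i // 8] |= 1 << (i % 8)

    def classify(self, item: ContentItem) -> Classification:
        idxs = self.indices(information_key(item))
        clean = self._test(Classification.CLEAN, idxs)
        bad = self._test(Classification.VIOLATING, idxs)
        if clean and not bad:
            return Classification.CLEAN
        if bad and not clean:
            return Classification.VIOLATING
        return Classification.UNKNOWN   # never seen, or ambiguous (collision)


@dataclass(frozen=True)
class SecurityPolicy:
    # Categories the external system's policy precludes (assumed policy shape).
    precluded_categories: FrozenSet[str]


class ProcessingNode:
    def __init__(self, policy: SecurityPolicy,
                 threat_detector: Callable[[ContentItem], Optional[str]]) -> None:
        self.policy = policy
        self.threat_detector = threat_detector   # full scan: returns category or None
        self.filter = DetectionProcessingFilter()
        self.scans = 0                           # how often the expensive path ran

    def process(self, item: ContentItem) -> Decision:
        classification = self.filter.classify(item)
        if classification is Classification.CLEAN:
            return Decision.ALLOW
        if classification is Classification.VIOLATING:
            return Decision.PRECLUDE
        # UNKNOWN: run threat detection, then cache the verdict in the filter.
        self.scans += 1
        category = self.threat_detector(item)
        if category in self.policy.precluded_categories:
            self.filter.record(item, Classification.VIOLATING)
            return Decision.PRECLUDE
        self.filter.record(item, Classification.CLEAN)
        return Decision.ALLOW


def demo():
    """Two constructed items pass the node twice; the second pass is served
    entirely from the filter, so the scan count stays at two."""
    verdicts = {"update.exe": None, "dropper.exe": "malware"}   # constructed detector
    policy = SecurityPolicy(frozenset({"spyware", "malware", "virus", "spam", "undesirable"}))
    node = ProcessingNode(policy, lambda item: verdicts.get(item.file_name))
    good = ContentItem("update.exe", 1048576, "https://example.com/update.exe")
    bad = ContentItem("dropper.exe", 8192, "https://example.net/dropper.exe")
    first = [node.process(good), node.process(bad)]
    second = [node.process(good), node.process(bad)]
    return first, second, node.scans


if __name__ == "__main__":
    print(demo())
```

Because the address is part of the key, the same executable fetched from a different address hashes to a different index and is classified unknown until scanned, which is the behaviour the claims describe; changing the key fields changes what the cache can and cannot share.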
Specification