DISTRIBUTED SECURITY PROVISIONING

US 20090300045A1
Filed: 05/28/2008
Published: 12/03/2009
Est. Priority Date: 05/28/2008
Status: Active Grant

First Claim

Patent Images

1. A network security system, comprising:

a plurality of processing nodes external to network edges of a plurality of external systems, each processing node comprising;

a processing node data store storing security policy data defining security policies for each of the external systems;

a plurality of data inspection engines, each data inspection engine configured to perform a threat detection process to classify content items according to a threat classification for a corresponding threat; and

a processing node manager in data communication with the data inspection engines and configured to access the security policy data stored in the processing node data store and manage the classified content item in accordance with the security policy data so that security policies for a plurality of external systems in data communication with the processing node are implemented external to the network edges for each of the external systems; and

an authority node in data communication with the processing nodes, the authority node including a authority node data store storing security policy data for each of the plurality of external systems, and including an authority node manager configured to provide the security policy data to each of the processing nodes.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods and apparatus for a distributed security that provides security processing external to a network edge. The system can include many distributed processing nodes and one or more authority nodes that provide security policy data, threat data, and other security data to the processing nodes. The processing nodes detect and stop the distribution of malware, spyware and other undesirable content before such content reaches the destination network and computing systems.

88 Citations

View as Search Results

29 Claims

1. A network security system, comprising:
- a plurality of processing nodes external to network edges of a plurality of external systems, each processing node comprising;
  
  a processing node data store storing security policy data defining security policies for each of the external systems;
  
  a plurality of data inspection engines, each data inspection engine configured to perform a threat detection process to classify content items according to a threat classification for a corresponding threat; and
  
  a processing node manager in data communication with the data inspection engines and configured to access the security policy data stored in the processing node data store and manage the classified content item in accordance with the security policy data so that security policies for a plurality of external systems in data communication with the processing node are implemented external to the network edges for each of the external systems; and
  
  an authority node in data communication with the processing nodes, the authority node including a authority node data store storing security policy data for each of the plurality of external systems, and including an authority node manager configured to provide the security policy data to each of the processing nodes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The security system of claim 1, wherein the data store in each processing node includes threat data classifying content items by threat classifications, and the processing node manager in each process node is configured to:
    - determine whether a content item is classified by the threat data;
      
      if the content item is determined to not be classified by the threat data, then;
      
      cause the data inspection engines to perform the threat detection processes to classify the content item according to a threat classification;
      
      generate a threat data update that includes data indicating the threat classification for the content item from the threat detection process; and
      
      transmit the threat data update to the authority node;
      
      if the content item is determined to be classified by the threat data, then manage the content item in accordance with the security policy data and the classification of the content item.
  - 3. The system of claim 2, wherein:
    - the authority node manager is further configured to update threat data stored in the authority node data store according to the threat data update received from the processing node, and to transmit the updated threat data to other processing nodes; and
      
      each processing node manager is further configured to store the updated threat data received from the authority node in its processing node data store.
  - 4. The system of claim 3, wherein one of the data inspection engines comprises a virus scanning engine and the threat classifications include infected and clean.
  - 5. The system of claim 3, wherein one of the data inspection engines comprises a uniform resource locator filter and the threat classifications include allowed and restricted.
  - 6. The security system of claim 1, wherein the processing node data store in each processing node includes threat data classifying content items by threat classifications, and the processing node manager in each process node is configured to:
    - determine whether a content item is classified by the threat data;
      
      if the content item is determined to not be classified by the threat data, then request responsive threat data for the content item from the authority node;
      
      determine whether a reply from the authority node in response to the request includes the responsive threat data classifying the content item;
      
      if the did not include the responsive threat data classifying the content item, then;
      
      cause the data inspection engines to perform the threat detection processes to classify the content item according to a threat classification;
      
      generate a threat data update that includes data indicating the threat classification for the content item from the threat detection process; and
      
      transmit the threat data update to the authority node; and
      
      if the reply did include responsive data classifying the content item, then manage the content item in accordance with the security policy data and the classification of the content item.
  - 7. The system of claim 6, wherein:
    - the authority node manager is further configured to receive the responsive threat data request from the processing node, and determine if the responsive threat data is stored in the authority node data store;
      
      if responsive threat data is stored in the authority node data store, then provide a reply that includes the responsive threat data to the processing node in response to the threat data request; and
      
      if the responsive threat data is not stored in the authority node data store, then;
      
      provide a reply to the processing node that does not include the responsive threat data; and
      
      update threat data stored in the authority node data store according to the threat data update received from the processing node.
  - 8. The system of claim 1, wherein the data store in each processing node includesthreat data classifying content items by threat classifications;
    - anda detection process filter indicating whether content items have been processed by one or more of the data inspection engines; and
      
      wherein the processing node manager in each processing node is configured to;
      
      access the detection process filter to determine whether the content item has been processed;
      
      in response to determining that the content item has been processed, then manage the content item in accordance with the security policy data and the classification of the content item; and
      
      in response to determining that the content item has not been processed;
      
      cause the data inspection engines to perform the threat detection processes to classify the content item according to a threat classification;
      
      generate a threat data update that includes data indicating the threat classification for the content item from the threat detection process; and
      
      transmit the threat data update to the authority node.
  - 9. The system of claim 8, wherein the authority node manager is further configured to:
    - update threat data stored in the authority node data store according to the threat data update received from the processing node, and transmit the updated threat data to the processing nodes; and
      
      update a detection process filter stored in the authority node data store according to the threat data update and transmit the updated detection process filter to the processing nodes.
  - 10. The system of claim 8, wherein the detection process filter comprises a bloom filter including a hash index and a plurality of binary data indicating whether a content item resolved to a hash index has been processed by a detection engine.
  - 11. The system of claim 1, wherein the data store in each processing node includes a detection process filter indicating whether content items have been processed by one or more of the data inspection engines, and wherein the processing node manager in each processing node is configured to:
    - access the detection process filter to determine whether the content item has been processed;
      
      in response to determining that the content item has not been processed, then request responsive threat data for the content item from the authority node;
      
      determine whether a reply from the authority node in response to the request includes the responsive threat data classifying the content item;
      
      if the reply did not include responsive data classifying the content item, then;
      
      cause the data inspection engines to perform the threat detection processes to classify the content item according to a threat classification;
      
      generate a threat data update that includes data indicating the threat classification for the content item from the threat detection process; and
      
      transmit the threat data update to the authority node; and
      
      if the reply did include the responsive data classifying the content item, then manage the content item in accordance with the security policy data and the classification of the content item.
  - 12. The system of claim 11, wherein:
    - the authority node manager is further configured to receive the threat data request from the processing node, and determine if responsive threat data is stored in the authority node data store;
      
      if responsive threat data is stored in the authority node data store, then provide a reply that includes responsive threat data to the processing node in response to the threat data request; and
      
      if responsive threat data is not stored in the authority node data store, then;
      
      provide a reply to the processing node that does not include the responsive threat data; and
      
      update threat data stored in the authority node data store according to the threat data update received from the processing node.
  - 13. The system of claim 1, further comprising a logging node in data communication with the plurality of processing nodes and including a logging data store and a logger configured to store security transaction data each of the plurality of external systems.
  - 14. The system of claim 13, wherein the security transaction data comprises content item logs indicating content item requests from the external systems and corresponding threat classifications of the requested content items.
  - 15. The system of claim 1, wherein the content items include one or more of e-mail messages, web pages, and files.
  - 16. The system of claim 1, wherein the data inspection engines in each processing node comprise a user layer inspection engine configured to perform authentication processes.
  - 17. The system of claim 1, wherein the data inspection engines in each processing node comprise a network layer engine configured to perform network layer processes.
  - 18. The system of claim 17, wherein the network layer processes include identifying internet protocol addresses associated with a content item and allowing or disallowing the content item based on the identified internet protocol address.
  - 19. The system of claim 1, wherein the data inspection engines in each processing node comprise an object layer engine configured to perform object layer processes.
  - 20. The system of claim 19, wherein the object layer processes include identifying an hypertext transfer protocol header associated with a content item and allowing or disallowing the content item based on the identified hypertext transfer protocol header.
  - 21. The system of claim 1, wherein the data inspection engines in each processing node comprise a content layer engine configured to perform content layer processes.
  - 22. The system of claim 21, wherein the content layer processes include virus scanning a content item and allowing or disallowing the content item based on the virus scanning.

23. A computer implemented method of security provisioning, comprising:
- providing data communication from a plurality of processing nodes to a plurality of external systems, the processing nodes external to network edges of the plurality of external systems, and in each processing node;
  
  storing security policies received from an authority node;
  
  monitoring content items requested by or sent from the external systems;
  
  threat detecting content items to classify the content items according to threat classifications; and
  
  enforcing, external to the network edges of the external systems, the security policies for the plurality of external systems in accordance with the security policies and the classifications of the content items.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The method of claim 23, further comprising:
    - storing in each processing node threat data classifying content items by threat classifications; and
      
      wherein threat detecting content items comprises;
      
      determining in the processing node whether a content item is classified by the threat data;
      
      if the content item is determined to not be classified by the threat data, then;
      
      threat detection processing the content item to classify the content item according to a threat classification;
      
      generating a threat update that indicates the threat classification for the content item from the threat detection processing; and
      
      transmitting the threat update to the authority node.
  - 25. The method of claim 23, further comprising:
    - storing in each processing node threat data classifying content items by threat classifications; and
      
      wherein threat detecting content items comprises;
      
      determining in the processing node whether a content item is classified by the threat data;
      
      if the content item is determined to not be classified by the threat data, then requesting responsive threat data for the content item from an authority node;
      
      determining whether a reply from the authority node in response to the request includes the responsive threat data classifying the content item;
      
      if the reply did not include the responsive threat data classifying the content item, then;
      
      threat detection processing to classify the content item according to a threat classification;
      
      generating a threat data update that includes data indicating the threat classification for the content item from the threat detection processing; and
      
      transmitting the threat data update to the authority node; and
      
      if the reply did include responsive threat data classifying the content item, then managing the content item in accordance with the security policy data and the classification of the content item.
  - 26. The method of claim 23, further comprising:
    - storing in each processing node a detection process filter indicating whether a content item has been processed; and
      
      wherein threat detecting content items comprises;
      
      accessing the detection process filter to determine whether the content item has been processed;
      
      in response to determining that the content item has not been processed, then request responsive threat data for the content item from the authority node;
      
      determining whether a reply from the authority node in response to the request includes the responsive threat data classifying the content item;
      
      if the reply did not include responsive data classifying the content item, then;
      
      threat detection processing to classify the content item according to a threat classification;
      
      generating a threat data update that includes data indicating the threat classification for the content item from the threat detection processing; and
      
      transmitting the threat data update to the authority node; and
      
      if the reply did include the responsive threat data classifying the content item, then managing the content item in accordance with the security policy data and the classification of the content item.
  - 27. The method of claim 23, wherein threat detecting content items comprises:
    - detecting threats at a user layer;
      
      detecting threats at a network layer;
      
      detecting threats at an object layer; and
      
      detecting threats at a content layer.

28. Software stored in a computer readable medium and comprising instructions executable by a processing node system, and in response to such execution causes the processing node system to perform operations comprising:
- receiving and storing security policy data defining security policies for each of a plurality of the external systems, threat classification data defining threat classifications for a plurality of content items, and detection processing filtering data defining whether content items have been threat detection processed;
  
  identifying a content item requested by or sent from a external system;
  
  detection process filtering the content item to determine whether the content item has been threat detection processed;
  
  performing a threat detection exception process to classify content items according to a threat classification for a corresponding threat if the detection processing filtering determines that the content item has not been threat detection processed; and
  
  generating threat update data for updating the threat classification data and the detection processing filter; and
  
  transmitting the threat update data to an authority node for distribution to other processing node systems.

29. Software stored in a computer readable medium and comprising instructions executable by an authority node system, and in response to such execution causes the authority node system to perform operations comprising:
- receiving and storing security policy data defining security policies for each of a plurality of the external systems, threat classification data defining threat classifications for a plurality of content items, and detection processing filtering data defining whether content items have been threat detection processed;
  
  distributing the security policy data, the threat classification data, and the detection processing filtering data to a plurality of processing node systems;
  
  receiving threat update data from a processing node system, the threat update data for updating the threat classification data and the detection processing filter;
  
  updating the threat classification data and the detection processing filtering data based on the threat update data; and
  
  distributing the updated threat classification data and the updated detection processing filtering data to the plurality of processing nodes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zscaler Incorporated
Original Assignee
Safe Channel Incorporated
Inventors
Kailash, Kailash, Devarajan, Srikanth, Paul, Narinder, Schekochikhin, Arcady V., Chaudhry, Jay

Granted Patent

US 7,899,849 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6218   to a system of files or obj...

H04L 63/0218   Distributed architectures, ...

H04L 63/10   for controlling access to d...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

DISTRIBUTED SECURITY PROVISIONING

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

88 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

DISTRIBUTED SECURITY PROVISIONING

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

88 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links