Apparatus for monitoring network traffic

US 7,849,502 B1
Filed: 04/30/2007
Issued: 12/07/2010
Est. Priority Date: 04/29/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A data processing apparatus, comprising:

at least one processor;

a first network interface coupled to the processor and configured to be coupled to a protected network;

a second network interface coupled to the processor and configured to be coupled to an external network;

a traffic monitor comprising a database of addresses and domain names, a firewall rules manager, and a DNS snooper, wherein the traffic monitor is coupled to a blacklist and a whitelist, wherein the traffic monitor comprises logic which when executed causes the processor to perform;

receiving, from a client computer in the protected network, a request to access a resource in the external network;

blocking sending the request to the resource when a user agent of the client is identified in the blacklist as malicious software or when a file extension of a file in a response to the request is in the blacklist;

requesting, from an external web reputation service, and receiving a reputation score value indicating a reputation of the resource;

blocking sending the request to the resource when the reputation score is below a specified threshold;

determining that the reputation score value is between a first specified threshold for allowing requests and a second specified threshold for blocking requests;

in response to the determining, blocking sending the request to the resource when the request fails to pass a test indicating that malicious software is probably associated with the request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data processing apparatus can perform HTTP traffic monitoring and filtering of HTTP requests from clients and responses from servers. Example apparatus comprises a processor, a first network interface to a protected network, a second network interface to an external network, and a traffic monitor having an address-domain name database, a firewall rules manager, and a DNS snooper. The traffic monitor accesses a blacklist and can perform receiving, from a client computer, a request to access a resource in the external network; blocking the request to the resource when a user agent of the client is in the blacklist as malicious software or when a file extension in a response to the request is in the blacklist; requesting, from a web reputation service, and receiving a reputation score indicating a reputation of the resource; blocking sending the request to the resource when the reputation is below a specified threshold.

456 Citations

18 Claims

1. A data processing apparatus, comprising:
- at least one processor;
  
  a first network interface coupled to the processor and configured to be coupled to a protected network;
  
  a second network interface coupled to the processor and configured to be coupled to an external network;
  
  a traffic monitor comprising a database of addresses and domain names, a firewall rules manager, and a DNS snooper, wherein the traffic monitor is coupled to a blacklist and a whitelist, wherein the traffic monitor comprises logic which when executed causes the processor to perform;
  
  receiving, from a client computer in the protected network, a request to access a resource in the external network;
  
  blocking sending the request to the resource when a user agent of the client is identified in the blacklist as malicious software or when a file extension of a file in a response to the request is in the blacklist;
  
  requesting, from an external web reputation service, and receiving a reputation score value indicating a reputation of the resource;
  
  blocking sending the request to the resource when the reputation score is below a specified threshold;
  
  determining that the reputation score value is between a first specified threshold for allowing requests and a second specified threshold for blocking requests;
  
  in response to the determining, blocking sending the request to the resource when the request fails to pass a test indicating that malicious software is probably associated with the request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The apparatus of claim 1, wherein the logic further comprises instructions which when executed cause the processor to perform:
    - fetching a response from the resource;
      
      blocking sending the response to the client computer when a content-type of the response is in the blacklist, or when the content-type identifies a size that exceeds a specified maximum side, or when the response fails to pass a check of malicious software in the response.
  - 3. The apparatus of claim 1, wherein the logic further comprises instructions which when executed cause the processor to perform:
    - fetching a response from the resource;
      
      blocking sending the response to the client computer when a content-type of the response is in the blacklist, or when the content-type identifies a size that exceeds a specified maximum side, or when the response fails to pass a check of malicious software in the response.
  - 4. The apparatus of claim 1, wherein the logic further comprises instructions which when executed cause the processor to perform blocking sending the response to the client computer when a first address of the client computer is in the blacklist, or when a second address of the resource is in the blacklist, or when a domain or uniform resource locator (URL) of the resource is in the blacklist.
  - 5. The apparatus of claim 1, wherein the first network interface is coupled to the protected network and the second network interface is coupled to the external network, and wherein the apparatus is logically interposed between the protected network and the external network.
  - 6. The apparatus of claim 1, wherein the first network interface is coupled to the protected network and the second network interface is coupled to the external network, and wherein the apparatus is logically configured to tap a link between the protected network and the external network.
  - 7. The apparatus of claim 1, wherein the DNS snooper comprises logic which when executed causes detecting that the client computer is performing a DNS lookup in the external network or in the protected network, obtaining a result of the DNS lookup, and storing the result in the database.
  - 8. The apparatus of claim 1, wherein the blocking comprises the firewall rules manager creating and providing, to a firewall of the protected network, one or more rules that implement the blocking at the firewall.

9. A data processing apparatus, comprising:
- at least one processor;
  
  a first network interface coupled to the processor and configured to be coupled to a protected network;
  
  a second network interface coupled to the processor and configured to be coupled to an external network;
  
  a traffic monitor comprising a database of addresses and domain names, a firewall rules manager, and a DNS snooper, wherein the traffic monitor is coupled to a blacklist and a whitelist, wherein the traffic monitor comprises;
  
  means for receiving, from a client computer in the protected network, a request to access a resource in the external network;
  
  means for blocking sending the request to the resource when a user agent of the client is identified in the blacklist as malicious software or when a file extension of a file in a response to the request is in the blacklist;
  
  means for requesting, from an external web reputation service, and receiving a reputation score value indicating a reputation of the resource;
  
  means for blocking sending the request to the resource when the reputation score is below a specified threshold;
  
  means for determining that the reputation score value is between a first specified threshold for allowing requests and a second specified threshold for blocking requests;
  
  means responsive to the determining means for blocking sending the request to the resource when the request fails to pass a test indicating that malicious software is probably associated with the request.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus of claim 9, further comprising means for fetching a response from the resource;
    - and means for blocking sending the response to the client computer when a content-type of the response is in the blacklist, or when the content-type identifies a size that exceeds a specified maximum side, or when the response fails to pass a check of malicious software in the response.
  - 11. The apparatus of claim 9, further comprising means for fetching a response from the resource;
    - means for blocking sending the response to the client computer when a content-type of the response is in the blacklist, or when the content-type identifies a size that exceeds a specified maximum side, or when the response fails to pass a check of malicious software in the response.
  - 12. The apparatus of claim 9, further comprising means for blocking sending the response to the client computer when a first address of the client computer is in the blacklist, or when a second address of the resource is in the blacklist, or when a domain or uniform resource locator (URL) of the resource is in the blacklist.
  - 13. The apparatus of claim 9, wherein the first network interface is coupled to the protected network and the second network interface is coupled to the external network, and wherein the apparatus is logically interposed between the protected network and the external network.
  - 14. The apparatus of claim 9, wherein the first network interface is coupled to the protected network and the second network interface is coupled to the external network, and wherein the apparatus is logically configured to tap a link between the protected network and the external network.
  - 15. The apparatus of claim 9, wherein the DNS snooper comprises logic which when executed causes detecting that the client computer is performing a DNS lookup in the external network or in the protected network, obtaining a result of the DNS lookup, and storing the result in the database.
  - 16. The apparatus of claim 9, wherein the blocking comprises the firewall rules manager creating and providing, to a firewall of the protected network, one or more rules that implement the blocking at the firewall.

17. A computer-readable volatile or non-volatile storage medium storing encoded thereon one more sequences of instructions which, when executed by at least one processor, cause the processor to perform:
- initiating operation of a traffic monitor comprising a database of addresses and domain names, a firewall rules manager, and a DNS snooper, wherein the traffic monitor is coupled to a blacklist and a whitelist, wherein the traffic monitor is coupled to a first network interface that is coupled to the processor and configured to be coupled to a protected network, wherein the traffic monitor is coupled to a second network interface coupled to the processor and configured to be coupled to an external network;
  
  receiving, from a client computer in the protected network, a request to access a resource in the external network;
  
  blocking sending the request to the resource when a user agent of the client is identified in the blacklist as malicious software or when a file extension of a file in a response to the request is in the blacklist;
  
  requesting, from an external web reputation service, and receiving a reputation score value indicating a reputation of the resource;
  
  blocking sending the request to the resource when the reputation score is below a specified threshold;
  
  determining that the reputation score value is between a first specified threshold for allowing requests and a second specified threshold for blocking requests;
  
  in response to the determining, blocking sending the request to the resource when the request fails to pass a test indicating that malicious software is probably associated with the request.
- View Dependent Claims (18)
- - 18. The computer-readable medium of claim 17, further comprising instructions whichwhen executed cause the processor to perform:
    - fetching a response from the resource;
      
      blocking sending the response to the client computer when a content-type of the response is in the blacklist, or when the content-type identifies a size that exceeds a specified maximum side, or when the response fails to pass a check of malicious software in the response.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ironport Systems (Cisco Systems, Inc.)
Original Assignee
Ironport Systems (Cisco Systems, Inc.)
Inventors
Elischer, Julian R., Moore, Doug, Thompson, Bruce, Mohan, Shalabh, Bloch, Eric, Golm, Brandon L., Pagaku, Rajendraprasad R., Krentel, Mark
Primary Examiner(s)
Song; Hosuk

Application Number

US11/742,015
Time in Patent Office

1,317 Days
Field of Search

726/2, 726 11- 15, 726 22- 25, 713150-155
US Class Current

726/11
CPC Class Codes

H04L 43/00   Arrangements for monitoring...

H04L 43/16   Threshold monitoring

H04L 61/4511   using domain name system [DNS]

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/105   Multiple levels of security

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

H04L 63/168   above the transport layer

Apparatus for monitoring network traffic

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

456 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus for monitoring network traffic

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

456 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links