Content filtering of remote file-system access protocols

US 9,825,988 B2
Filed: 08/13/2015
Issued: 11/21/2017
Est. Priority Date: 11/22/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

monitoring, by a proxy implemented within a network gateway device of a private network, remote file-system access protocol sessions involving one or more of a plurality of client computer systems and a server computer system associated with the private network; and

for each file of a plurality of files on a share of the server computer system being accessed by one or more of the plurality of client computer systems;

creating, by the proxy, a shared holding buffer corresponding to the file within a shared memory of the network gateway device that is accessible to a plurality of processes running within the network gateway device;

buffering, by the proxy, into the shared holding buffer data being read from or written to the file by the monitored remote file-system access protocol sessions; and

responsive to a predetermined event, determining, by the proxy, whether malicious, dangerous or unauthorized content is contained within the shared holding buffer by performing content filtering on the shared holding buffer.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for content filtering of remote file-system access protocols are provided. According to one embodiment, a proxy, implemented within a network gateway device of a private network, monitors remote file-system access protocol sessions involving client computer systems and a server computer system associated with the private network. For each file on a share of the server computer system being accessed by one or more of the client computer systems: (i) a shared holding buffer corresponding to the file is created within a shared memory of the network gateway device; (ii) data being read from or written to the file by the monitored remote file-system access protocol sessions is buffered into the shared holding buffer; and (iii) responsive to a predetermined event, content filtering is performed on the shared holding buffer to determine whether malicious, dangerous or unauthorized content is contained within the shared holding buffer.

38 Citations

View as Search Results

14 Claims

1. A method comprising:
- monitoring, by a proxy implemented within a network gateway device of a private network, remote file-system access protocol sessions involving one or more of a plurality of client computer systems and a server computer system associated with the private network; and
  
  for each file of a plurality of files on a share of the server computer system being accessed by one or more of the plurality of client computer systems;
  
  creating, by the proxy, a shared holding buffer corresponding to the file within a shared memory of the network gateway device that is accessible to a plurality of processes running within the network gateway device;
  
  buffering, by the proxy, into the shared holding buffer data being read from or written to the file by the monitored remote file-system access protocol sessions; and
  
  responsive to a predetermined event, determining, by the proxy, whether malicious, dangerous or unauthorized content is contained within the shared holding buffer by performing content filtering on the shared holding buffer.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the remote file-system access protocol comprises Server Message Block (SMB)/Common Internet File System (CIFS).
  - 3. The method of claim 1, further comprising tracking, by the proxy, usage and modification of each of the shared holding buffers with a corresponding usage table.
  - 4. The method of claim 3, wherein the usage tables contain information indicative of free and filled portions of respective shared holding buffers.
  - 5. The method of claim 4, wherein the predetermined event comprises the shared holding buffer reaching a predetermined or configurable fullness threshold.
  - 6. The method of claim 1, further comprising when a result of said determining is affirmative, restoring, by the proxy device, the file on the server computer system from a clean copy of the file maintained in a shadow buffer within the memory of the network gateway device.
  - 7. The method of claim 1, further comprising tracking a number of file identifiers currently referencing the file by:
    - when a remote file-system access protocol command observed by the proxy represents a command to open the file, then incrementing, by the proxy, a reference count of the shared holding buffer; and
      
      when the remote file-system access protocol command represents a request to close the file, then decrementing, by the proxy, the reference count.

8. A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a network gateway device, logically interposed between a plurality of client computer systems associated with a private network and a server computer system associated with the private network, cause a proxy implemented within the network gateway device to perform a method comprising:
- monitoring remote file-system access protocol sessions involving one or more of the plurality of client computer systems and the server computer system; and
  
  for each file of a plurality of files on a share of the server computer system being accessed by one or more of the plurality of client computer systems;
  
  creating a shared holding buffer corresponding to the file within a shared memory of the network gateway device that is accessible to a plurality of processes running within the network gateway device;
  
  buffering into the shared holding buffer data being read from or written to the file by the monitored remote file-system access protocol sessions; and
  
  responsive to a predetermined event, determining whether malicious, dangerous or unauthorized content is contained within the shared holding buffer by performing content filtering on the shared holding buffer.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable storage medium of claim 8, wherein the remote file-system access protocol comprises Server Message Block (SMB)/Common Internet File System (CIFS).
  - 10. The non-transitory computer-readable storage medium of claim 8, wherein the method further comprises tracking usage and modification of each of the shared holding buffers with a corresponding usage table.
  - 11. The non-transitory computer-readable storage medium of claim 10, wherein the usage tables contain information indicative of free and filled portions of respective shared holding buffers.
  - 12. The non-transitory computer-readable storage medium of claim 11, wherein the predetermined event comprises the shared holding buffer reaching a predetermined or configurable fullness threshold.
  - 13. The non-transitory computer-readable storage medium of claim 8, wherein the method further comprises when a result of said determining is affirmative, restoring the file on the server computer system from a clean copy of the file maintained in a shadow buffer within the memory of the network gateway device.
  - 14. The non-transitory computer-readable storage medium of claim 8, wherein the method further comprises tracking a number of file identifiers currently referencing the file by:
    - when a remote file-system access protocol command observed by the proxy represents a command to open the file, then incrementing a reference count of the shared holding buffer; and
      
      when the remote file-system access protocol command represents a request to close the file, then decrementing the reference count.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Crawford, William Jeffrey
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Ambaye, Samuel

Application Number

US14/825,990
Publication Number

US 20150350162A1
Time in Patent Office

831 Days
Field of Search

726 24, 726 12
US Class Current
CPC Class Codes

G06F 11/00   Error detection; Error corr...

G06F 16/00   Information retrieval; Data...

G06F 21/00   Security arrangements for p...

G06F 21/56   Computer malware detection ...

G06F 21/6218   to a system of files or obj...

H04L 49/90   Buffering arrangements

H04L 63/0245   Filtering by information in...

H04L 63/0281   Proxies

H04L 63/145   the attack involving the pr...

H04L 65/102   Gateways arrangements for c...

H04L 67/06   specially adapted for file ...

H04L 67/289   Intermediate processing fun...

H04L 67/56   Provisioning of proxy servi...

H04L 9/40   Network security protocols

Content filtering of remote file-system access protocols

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

38 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

Content filtering of remote file-system access protocols

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others