US20140223558A1 - Method and device for integrating multiple threat security services - Google Patents

Method and device for integrating multiple threat security services Download PDF

Info

Publication number
US20140223558A1
US20140223558A1 US14/249,349 US201414249349A US2014223558A1 US 20140223558 A1 US20140223558 A1 US 20140223558A1 US 201414249349 A US201414249349 A US 201414249349A US 2014223558 A1 US2014223558 A1 US 2014223558A1
Authority
US
United States
Prior art keywords
layer
security services
multiple threat
packet data
patterns
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US14/249,349
Inventor
Bai Ling Wang
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lenovo Enterprise Solutions Singapore Pte Ltd
Original Assignee
International Business Machines Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by International Business Machines Corp filed Critical International Business Machines Corp
Priority to US14/249,349 priority Critical patent/US20140223558A1/en
Assigned to INTERNATIONAL BUSINESS MACHINES CORPORATION reassignment INTERNATIONAL BUSINESS MACHINES CORPORATION ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: WANG, BAI LING
Publication of US20140223558A1 publication Critical patent/US20140223558A1/en
Assigned to LENOVO ENTERPRISE SOLUTIONS (SINGAPORE) PTE. LTD. reassignment LENOVO ENTERPRISE SOLUTIONS (SINGAPORE) PTE. LTD. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: INTERNATIONAL BUSINESS MACHINES CORPORATION
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0245Filtering by information in the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/145Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22Parsing or analysis of headers

Definitions

  • the various embodiments described herein generally relate to network threat security services and, more particularly, to a method and device for integrating multiple threat security services.
  • IPS Intrusion Detection/Protection System
  • CF content filter
  • WF worm filter
  • a single threat security service in a single device is not an effective solution because of the uncontrolled expenses of on-site administration and troubleshooting.
  • Many platforms offer a multitude of security services in one Unified Threat Management (UTM) device, which is a combination of the above security services with a firewall and which is used by enterprises and service providers to increase their security while reducing total operating costs.
  • UTM Unified Threat Management
  • a common characteristic among the aforementioned security threat security services is that they all need to scan the entire packet data to obtain corresponding application data. That is to say, each threat security service has its own protocol stack, and each always parses the packet data to obtain corresponding application data. Illustration will be provided in the context of an example according to the prior art, as shown in FIG. 2 .
  • an IP packet enters a gateway, it first enters a firewall threat security service, which performs parsing to determine whether to apply a corresponding threat security service to the packet.
  • the packet enters an Intrusion Detection/Protection threat security service, at which parsing processing is again performed on the packet in order to obtain application data required by the Intrusion Detection/Protection threat security service so that it may be determined whether the Intrusion Detection/Protection threat security service should be applied to this incoming packet. Similar steps are performed until for the rest of the preset multiple threat security services (e.g., the Content Filter, Worm Filter, and Anti Virus Anti Spam threat security services as shown in FIG. 2 ).
  • protocol parsing has been one of the most computation-intensive operations. This situation is a significant obstacle against UTM's popularity.
  • the various embodiments described herein provide a method for integrating multiple threat security services that can filter incoming data packets with respect to multiple threat security services.
  • a method for integrating multiple threat security services.
  • the method may parse an incoming packet at a current layer and may analyze the packet with respect to multiple threat security services so that one or more threat security services needed by the packet may be determined.
  • a device for integrating multiple threat security services.
  • the device may comprise a plurality of parsers, wherein each parser of the plurality of parsers is configured for parsing an incoming packet at a current layer.
  • the device may comprise an analyzer configured for analyzing the packet with respect to the multiple threat security services so that one or more threat security services needed by the packet may be determined.
  • integrated multiple threat security services may filter application data and parse network packet data via a single integrated entity.
  • the method and device may involve a protocol stack constructed based on multiple threat security services. Accordingly, the efficiency of filtering application data may be improved, and computation overhead may be reduced.
  • FIG. 1 provides an arrangement of multiple threat security services in a network according to the prior art.
  • FIG. 2 provides a procedure of processing multiple threat security services according to the prior art.
  • FIG. 3 provides a schematic view of a network security service environment in which an exemplary embodiment may be implemented.
  • FIG. 4 is a simplified schematic view illustrating the principles of an exemplary embodiment.
  • FIG. 5 provides a flowchart showing an operation of integrating multiple threat security services according to an exemplary embodiment.
  • FIG. 6 provides an architectural view of an integrated security service stack according to an exemplary embodiment.
  • FIG. 7 is a schematic view illustrating an operation performed by an event analyzer according to an exemplary embodiment.
  • FIG. 8 provides a flowchart of an operating procedure of an event analyzer management module according to an exemplary embodiment.
  • FIG. 9 provides an illustration of an operating procedure of an event analyzer scheduling module according to an exemplary embodiment.
  • FIG. 3 provides a typical network security service environment 30 in which an exemplary embodiment may be implemented.
  • an integrated threat security service device 31 on which multiple threat security services may be integrated may be connected on a link between a local area network 32 and the Internet 33 in a serial pattern or in a routing pattern. That is to say, all incoming/outgoing local area network data (e.g., SMTP, POP3, HTTP, etc.) may pass through the device 31 .
  • SMTP Short SMTP
  • POP3 HyperText Transfer Protocol
  • HTTP HyperText Transfer Protocol
  • the device 31 may connect the two networks at the data link layer and may forward data frames according to a network card physical address.
  • a network bridge including the device 31 may form a transparent pathway between the local area network 32 and the Internet 33 and may enable the device 31 to monitor and filter the communication between a client and a server without changing the network configuration or informing the client.
  • the device 31 If the device 31 is connected among networks in a routing pattern, then it may be regarded as a node in the network configuration and may be passed through by appropriately configuring a route. Data messages passing through the device 31 may be monitored and filtered.
  • the device 31 needs to secure the pathways to the Internet 33 .
  • the device 31 may support the connection between the local area network 32 and the Internet 33 , thereby guaranteeing the network service.
  • the device 31 may be interconnected with a database 34 and a control node 35 via a network (can be via a link or by multiplexing).
  • the database 34 may have multiple functions. One function may be to store information of a system on which multiple threat security services are integrated, such as configuration and matching patterns, in order to provide the information to be used by the device 31 during initialization and running. Another function may be to store illegal behavior patterns found by the device 31 during operation thereof.
  • the control node 35 may add keywords to the database 34 , may control integration information of the integrated multiple threat security services, and/or may view detection results.
  • FIG. 4 is a simplified schematic view illustrating the principles of an exemplary embodiment.
  • multiple threat security services in the form of a histogram are shown in conjunction with a protocol hierarchical structure and various corresponding parsers (described in further detail herein), each shown by a dotted line.
  • the firewall security service may use an Internet Protocol (IP) parser
  • the content/worm filter security service may use an IP parser, a Transmission Control Protocol (TCP) parser, or an application layer protocol parser.
  • IP Internet Protocol
  • TCP Transmission Control Protocol
  • the right portion of FIG. 4 shows an integrated security service stack 401 according to an exemplary embodiment.
  • Each parser in the integrated security service stack 401 may send parsed packet data to an event analyzer 400 after the completion of corresponding parsing, and the event analyzer 400 may process the data with respect to multiple threat security services, thereby determining the one or more threat security services to be executed.
  • FIG. 5 is a flowchart showing the operation of integrating multiple threat security services according to an exemplary embodiment.
  • a packet entering a network may be parsed at each layer in accordance with the hierarchical structure of the integrated security service stack 401 .
  • the packet being parsed at a current layer may be analyzed with respect to multiple threat security services.
  • the one or more threat security services required by the packet may be determined via matching algorithms. With reference to FIGS. 6-9 , a detailed description will be provided for the steps shown in FIG. 5 .
  • FIG. 6 provides an architecture view of the integrated security service stack according to an exemplary embodiment.
  • parsers are distributed according to the layers in the histogram of FIG. 4 .
  • the parsers illustrated in FIG. 6 include a TCP/IP parser 610 , an application layer protocol parser 611 , and a file parser 612 .
  • the device 31 after receiving a data message, the device 31 first may send the data message to the TCP/IP parser 610 .
  • the TCP/IP parser 610 may restore data packets entering the transport layer by invoking corresponding plug-ins based on different classifications of protocols.
  • the TCP/IP parser 610 upon capturing a TCP message, the TCP/IP parser 610 first may establish information on a connection and may submit the established information on the connection to the corresponding TCP protocol processing plug-in. Then, in step 602 the corresponding TCP protocol processing plug-in may send the restored information (e.g., an IP source address, source port number, destination address, destination port number, message length, etc.) to the event analyzer 400 for further analysis and filtering (a detailed description will be provided herein regarding the operation of the event analyzer 400 ).
  • the restored information e.g., an IP source address, source port number, destination address, destination port number, message length, etc.
  • the TCP/IP parser 610 may send generated packets from the transport layer to the appropriate application layer protocol parser 611 (e.g., HTTP protocol parser, SMTP protocol parser, POP3 protocol parser, FTP protocol parser, or Telnet protocol parser).
  • This step may entail identifying the appropriate application layer protocol type.
  • a general method of identifying a protocol type is to determine the type of a protocol using the protocol default port specified by the Request for Comments (RFC). However, the accuracy of such method is not high.
  • RRC Request for Comments
  • a few protocols e.g., the DNS and SMTP protocols
  • all protocols can change a connected port.
  • the HTTP protocol uses the port 80 in a default situation under the RFC
  • a large amount of HTTP services use other ports, such as 1080, 8080, etc., in practical applications.
  • the protocol type may be identified intelligently by intensifying analysis of the content of a data message.
  • the application layer protocol parser 611 may restore the uploaded content and may send the restored information to the event analyzer 400 for analysis and filtering.
  • the application layer protocol parser 611 may send the data to the file parser 612 in step 605 .
  • the file parser 612 may parse the received file, may restore the data, and may send it to the event analyzer 400 for filtering.
  • parsers of the various embodiments described herein are not limited to the described TCP/IP parser 610 , application layer protocol parser 611 , and file parser 612 . Accordingly, other types of parsers may be constructed for hierarchical structures of various security service protocol stacks without departing from the spirit and scope of the disclosure.
  • FIG. 7 provides the event analyzer 400 and pattern databases (i.e., pattern DBs) DB1 through DBn.
  • Pattern database DB1 may be a virus pattern database
  • pattern database DB2 may be an IPS pattern database
  • pattern database DB3 may be a WF pattern database
  • pattern database DBn may be a CF pattern database.
  • the event analyzer 400 may comprise a management module 701 , a string matching algorithm pool 704 comprising string matching algorithms 702 , and a scheduling module 703 .
  • the pattern databases DB1 through DBn may store patterns corresponding to all threat security services.
  • the pattern database of each threat security service may comprise patterns for the various layers in the integrated security service stack 401 .
  • the management module 701 of the event analyzer 400 may be responsible for initializing all of the string matching algorithms 702 , which comprise the core of the event analyzer 400 .
  • the event analyzer 400 may carry out a matching procedure that may be divided primarily into three phases: a pattern input phase, a compiling phase, and a string matching phase.
  • the management module 701 may extract patterns from the pattern databases DB1 through DBn and may arrange them into a pattern set.
  • the patterns may be tagged so that the threat security service corresponding to each pattern may be identified.
  • tag 1 may be assigned to patterns from the pattern database DB1
  • tag 2 may be assigned to patterns from the pattern database DB2, and so forth. Such tagging will be further described herein with reference to FIG. 8 .
  • the second phase (compiling phase) may be executed after all patterns have been prepared; in this phase, string matching algorithms 702 may be compiled using the patterns.
  • This phase may be fulfilled by the management module 701 , as is further described herein with reference to FIG. 8 .
  • the third phase (string matching phase) may occur when the system service is running. After data from a parser in the integrated security service stack 401 (i.e., the TCP/IP parser 610 , the application layer protocol parser 611 , or the file parser 612 as described herein and shown in FIG. 6 ) is sent to the event analyzer 400 , the scheduling module 703 may select a corresponding string matching algorithm 702 based on the type of inputted data (i.e., based on the stack layer at which the data is sent).
  • a parser in the integrated security service stack 401 i.e., the TCP/IP parser 610 , the application layer protocol parser 611 , or the file parser 612 as described herein and shown in FIG. 6
  • the scheduling module 703 may select a corresponding string matching algorithm 702 based on the type of inputted data
  • FIG. 8 provides a flowchart of the operating procedure of the management module 701 of the event analyzer 400 according to an exemplary embodiment.
  • the management module 701 may read patterns for multiple threat security services at a respective layer from various pattern databases.
  • the management module 701 may read patterns from pattern databases DB1 through DBn for all security services at the TCP/IP layer (e.g., pattern 1.1.1.1, pattern 10.10.10.10:80, etc.).
  • the multiple security service patterns as read may be tagged in order to identify the threat security service that corresponds to each pattern. As shown in FIG.
  • tag 1 may be assigned to each of multiple patterns from the virus pattern database DB1
  • tag 2 may be assigned to each of multiple patterns from the IPS pattern database DB2
  • tag 3 may be assigned to each of multiple patterns from the WF pattern database DB3
  • tag n may be assigned to each of multiple patterns from the CF pattern database DBn.
  • the management module 701 may generate (i.e., compile) a string matching algorithm 702 for the respective layer by using the tagged patterns, wherein all patterns focusing on the layer in the integrated security service stack 401 may be merged into a pattern set used for initializing such string matching algorithm 702 . This procedure may be followed for multiple threat security services at all layers in the integrated security service stack 401 .
  • a TCP/IP string matching algorithm, an application layer string matching algorithm, and the like may be generated via the operation procedure of the management module 701 .
  • the string matching algorithms 702 for the various layers may be placed into the string matching algorithm pool 704 , as indicated by the grouping of spring matching algorithms 702 in FIG. 7 .
  • one or more state machines may be generated so that a lookup for a certain section of inputted text can be performed via such state machines. Such procedure is named “string search”.
  • Highly efficient string matching algorithms 702 may improve the performance of a program.
  • a finite state machine algorithm is that each of all possible inputs for a matching character string has a state value in each step, and if this state value is equal to the length of the matching character string, a successful match is proven.
  • matching algorithms may be divided into software pattern matching, TCAM pattern matching, and ASCI pattern matching.
  • an algorithm matching one character string is called a single-pattern matching algorithm, and an algorithm for simultaneously matching multiple character strings is called a multi-pattern matching algorithm.
  • TCAM pattern matching involves a dedicated chip used for table lookup operations and is characterized by scoring a hit only once (i.e., an inspection is made all at one time). Moreover, the lookup speed is irrelevant to the size of a table.
  • TCAM pattern matching requires the location of a matching character string to be relatively fixed.
  • ASCI pattern matching requires a character string that is to be detected to be first complied with a regular expression and then loaded to a chip. Afterwards, matching is performed.
  • the string matching algorithms described herein are merely illustrative. Accordingly, any suitable string matching algorithm may be selected to implement the various embodiments by those skilled in the art without departing from the spirit and scope of the disclosure.
  • FIG. 9 shows the operating procedure of the scheduling module 703 of the event analyzer 400 according to an exemplary embodiment.
  • the scheduling module 703 may select a corresponding string matching algorithm 702 from the string matching algorithm pool 704 to filter (i.e., match) the data and then may return one or more results with tag i (with i being one of tag 1, tag 2 . . . tag n). Due to the tag i, a receiver of the filtering result (not shown) may know to which one of multiple pattern databases the pattern identified by tag i belongs, and accordingly the receiver may determine threat security services corresponding to the incoming packet based on such knowledge.
  • the threat security services may detect whether the packet contains one or more threats and may perform appropriate response processing such as alarming, blocking, and the like (e.g., via event responders) in order to address any such threats.
  • the procedure for integrating multiple threat security services will be provided in the context of an exemplary incoming message.
  • the IP address of a user is 1.1.1.1 and that the user accesses the port 80 of a remote Web server 10.10.10.10 through the local port 25467 (i.e., sends a HTTP request).
  • the content of the first message ‘P’ sent by the user generally includes a request command and request content, such as “GET http://news.zzz.com/20071205/12345.shtml”.
  • the event analyzer 400 may perform the following operations.
  • the scheduling module 703 of the event analyzer 400 invokes the string matching algorithm 702 for the TCP/IP layer.
  • the scheduling module 703 filters the sent information and finds that the information matches the pattern 1.1.1.1 assigned with tag 3 and corresponding to the WF threat security service and that the information also matches the pattern 10.10.10.10:80 assigned with tag 2 and corresponding to the IPS threat security service.
  • the scheduling module 703 may provide tags 3 and 2 indicating corresponding threat security services WF and IPS (respectively) to a receiver, and the receiver may determine from the tags 3 and 2 that the threat security services WF and IPS (respectively) need to be provided. Once provided, if one or both of the WF and IPS threat security services detect that the message contains one or more threats, then one or both may drive one or more corresponding event responders in order to perform appropriate processing such as alarming, blocking, and the like.
  • the scheduling module 703 invokes the string matching algorithm 702 for the application layer. As a result, the scheduling module 703 filters the sent information and finds that the information matches the pattern news.zzz.com assigned with tag 2 and corresponding to the IPS threat security service. Accordingly, the scheduling module 703 may provide tag 2 indicating corresponding threat security service IPS to a receiver, and the receiver may determine from the tag 2 that the threat security service IPS needs to be provided. Once provided, if the IPS threat security service detects that the message contains one or more threats, then it may drive one or more corresponding event responders in order to perform appropriate processing such as alarming, blocking, and the like.

Abstract

A method and device for integrating multiple threat security services are disclosed. The method may comprise parsing an incoming packet at a current layer and analyzing the packet with respect to multiple threat security services and so that one or more threat security services needed by the packet may be determined. According to an exemplary embodiment, the current layer may be a layer in a protocol stack constructed based on the multiple threat security services. With this method, integrated multiple threat security services may filter application data and parse network packet data via a single integrated entity, and thus the efficacy of filtering application data may be improved while computation overhead may be reduced.

Description

    CROSS-REFERENCE TO RELATED APPLICATIONS
  • The present application is a continuation application of U.S. patent application Ser. No. 12/331,912, filed Dec. 10, 2008. The present application claims priority under 35 U.S.C. §120 to U.S. patent application Ser. No. 12/331,912, which claims priority under 35 U.S.C. §119 to Chinese Patent Application No. 200710199827.X filed Dec. 13, 2007, the contents of which are incorporated herein by reference.
    • BACKGROUND
  • The various embodiments described herein generally relate to network threat security services and, more particularly, to a method and device for integrating multiple threat security services.
  • With the growing application of communication networks, individuals attach increasing importance to security and prevention of threats within communication networks. To this end, a range of security services can be activated on a gateway, such as Intrusion Detection/Protection System (IPS), anti virus, anti spam, content filter (CF) (i.e., firewall), and worm filter (WF), as shown in FIG. 1 according to the prior art. However, a single threat security service in a single device is not an effective solution because of the uncontrolled expenses of on-site administration and troubleshooting. Many platforms offer a multitude of security services in one Unified Threat Management (UTM) device, which is a combination of the above security services with a firewall and which is used by enterprises and service providers to increase their security while reducing total operating costs.
  • A common characteristic among the aforementioned security threat security services is that they all need to scan the entire packet data to obtain corresponding application data. That is to say, each threat security service has its own protocol stack, and each always parses the packet data to obtain corresponding application data. Illustration will be provided in the context of an example according to the prior art, as shown in FIG. 2. When an IP packet enters a gateway, it first enters a firewall threat security service, which performs parsing to determine whether to apply a corresponding threat security service to the packet. If the firewall threat security service does not need to be provided, then the packet enters an Intrusion Detection/Protection threat security service, at which parsing processing is again performed on the packet in order to obtain application data required by the Intrusion Detection/Protection threat security service so that it may be determined whether the Intrusion Detection/Protection threat security service should be applied to this incoming packet. Similar steps are performed until for the rest of the preset multiple threat security services (e.g., the Content Filter, Worm Filter, and Anti Virus Anti Spam threat security services as shown in FIG. 2). Along with an increasing number of integrated threat security services and growth of computation complicacy, protocol parsing has been one of the most computation-intensive operations. This situation is a significant obstacle against UTM's popularity.
  • In view of this situation, current mechanisms focus on hardware acceleration to improve UTM performance, such as Fortinet's FortiGate, which is an ASIC-accelerated multi-threat security system. However, only some security services can be integrated into Fortinet's UTM device.
  • Therefore, there is currently a need for a more complete solution for integrating multiple threat security services that can reduce computation overhead.
    • SUMMARY
  • In order to overcome the deficiencies in the prior art, the various embodiments described herein provide a method for integrating multiple threat security services that can filter incoming data packets with respect to multiple threat security services.
  • According to one aspect of the various embodiments, a method is provided for integrating multiple threat security services. The method may parse an incoming packet at a current layer and may analyze the packet with respect to multiple threat security services so that one or more threat security services needed by the packet may be determined.
  • According to another aspect of the various embodiments, a device is provided for integrating multiple threat security services. The device may comprise a plurality of parsers, wherein each parser of the plurality of parsers is configured for parsing an incoming packet at a current layer. Moreover, the device may comprise an analyzer configured for analyzing the packet with respect to the multiple threat security services so that one or more threat security services needed by the packet may be determined.
  • According to the method and device of an exemplary embodiment, integrated multiple threat security services may filter application data and parse network packet data via a single integrated entity. Specifically, the method and device may involve a protocol stack constructed based on multiple threat security services. Accordingly, the efficiency of filtering application data may be improved, and computation overhead may be reduced.
    • BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS
  • The various embodiments described herein will be described in detail with reference to the following figures.
  • FIG. 1 provides an arrangement of multiple threat security services in a network according to the prior art.
  • FIG. 2 provides a procedure of processing multiple threat security services according to the prior art.
  • FIG. 3 provides a schematic view of a network security service environment in which an exemplary embodiment may be implemented.
  • FIG. 4 is a simplified schematic view illustrating the principles of an exemplary embodiment.
  • FIG. 5 provides a flowchart showing an operation of integrating multiple threat security services according to an exemplary embodiment.
  • FIG. 6 provides an architectural view of an integrated security service stack according to an exemplary embodiment.
  • FIG. 7 is a schematic view illustrating an operation performed by an event analyzer according to an exemplary embodiment.
  • FIG. 8 provides a flowchart of an operating procedure of an event analyzer management module according to an exemplary embodiment.
  • FIG. 9 provides an illustration of an operating procedure of an event analyzer scheduling module according to an exemplary embodiment.
    •  DETAILED DESCRIPTION
  • Description will be provided below with respect to various exemplary embodiments with reference to the accompanying drawings.
  • FIG. 3 provides a typical network security service environment 30 in which an exemplary embodiment may be implemented. In the environment 30, an integrated threat security service device 31 on which multiple threat security services may be integrated may be connected on a link between a local area network 32 and the Internet 33 in a serial pattern or in a routing pattern. That is to say, all incoming/outgoing local area network data (e.g., SMTP, POP3, HTTP, etc.) may pass through the device 31.
  • If the device 31 is connected between networks in a serial pattern, it may connect the two networks at the data link layer and may forward data frames according to a network card physical address. A network bridge including the device 31 may form a transparent pathway between the local area network 32 and the Internet 33 and may enable the device 31 to monitor and filter the communication between a client and a server without changing the network configuration or informing the client.
  • If the device 31 is connected among networks in a routing pattern, then it may be regarded as a node in the network configuration and may be passed through by appropriately configuring a route. Data messages passing through the device 31 may be monitored and filtered.
  • The device 31 needs to secure the pathways to the Internet 33. In the event of a system failure, the device 31 may support the connection between the local area network 32 and the Internet 33, thereby guaranteeing the network service. The device 31 may be interconnected with a database 34 and a control node 35 via a network (can be via a link or by multiplexing).
  • The database 34 may have multiple functions. One function may be to store information of a system on which multiple threat security services are integrated, such as configuration and matching patterns, in order to provide the information to be used by the device 31 during initialization and running. Another function may be to store illegal behavior patterns found by the device 31 during operation thereof. The control node 35 may add keywords to the database 34, may control integration information of the integrated multiple threat security services, and/or may view detection results.
  • FIG. 4 is a simplified schematic view illustrating the principles of an exemplary embodiment. In the left portion of FIG. 4, multiple threat security services in the form of a histogram are shown in conjunction with a protocol hierarchical structure and various corresponding parsers (described in further detail herein), each shown by a dotted line. For example, as indicated by the histogram, the firewall security service may use an Internet Protocol (IP) parser, and the content/worm filter security service may use an IP parser, a Transmission Control Protocol (TCP) parser, or an application layer protocol parser. The right portion of FIG. 4 shows an integrated security service stack 401 according to an exemplary embodiment. Each parser in the integrated security service stack 401 may send parsed packet data to an event analyzer 400 after the completion of corresponding parsing, and the event analyzer 400 may process the data with respect to multiple threat security services, thereby determining the one or more threat security services to be executed.
  • FIG. 5 is a flowchart showing the operation of integrating multiple threat security services according to an exemplary embodiment. In step 501, a packet entering a network may be parsed at each layer in accordance with the hierarchical structure of the integrated security service stack 401. In step 502, the packet being parsed at a current layer may be analyzed with respect to multiple threat security services. In step 503, the one or more threat security services required by the packet may be determined via matching algorithms. With reference to FIGS. 6-9, a detailed description will be provided for the steps shown in FIG. 5.
  • FIG. 6 provides an architecture view of the integrated security service stack according to an exemplary embodiment. In FIG. 6, parsers are distributed according to the layers in the histogram of FIG. 4. The parsers illustrated in FIG. 6 include a TCP/IP parser 610, an application layer protocol parser 611, and a file parser 612. As shown in FIG. 6, after receiving a data message, the device 31 first may send the data message to the TCP/IP parser 610. In step 601, the TCP/IP parser 610 may restore data packets entering the transport layer by invoking corresponding plug-ins based on different classifications of protocols. For example, upon capturing a TCP message, the TCP/IP parser 610 first may establish information on a connection and may submit the established information on the connection to the corresponding TCP protocol processing plug-in. Then, in step 602 the corresponding TCP protocol processing plug-in may send the restored information (e.g., an IP source address, source port number, destination address, destination port number, message length, etc.) to the event analyzer 400 for further analysis and filtering (a detailed description will be provided herein regarding the operation of the event analyzer 400).
  • In step 603, the TCP/IP parser 610 may send generated packets from the transport layer to the appropriate application layer protocol parser 611 (e.g., HTTP protocol parser, SMTP protocol parser, POP3 protocol parser, FTP protocol parser, or Telnet protocol parser). This step may entail identifying the appropriate application layer protocol type. A general method of identifying a protocol type is to determine the type of a protocol using the protocol default port specified by the Request for Comments (RFC). However, the accuracy of such method is not high. At present, while a few protocols (e.g., the DNS and SMTP protocols) can make a determination based on the destination port of a TCP connection, all protocols can change a connected port. For example, while the HTTP protocol uses the port 80 in a default situation under the RFC, a large amount of HTTP services use other ports, such as 1080, 8080, etc., in practical applications. In addition to or in lieu of using a protocol default port specified by the RFC, the protocol type may be identified intelligently by intensifying analysis of the content of a data message.
  • After invoking a corresponding application layer protocol analysis plug-in, in step 604 the application layer protocol parser 611 may restore the uploaded content and may send the restored information to the event analyzer 400 for analysis and filtering.
  • If a file from the application data stream (e.g., a mail attachment) needs to be reverted, the application layer protocol parser 611 may send the data to the file parser 612 in step 605. In step 606, the file parser 612 may parse the received file, may restore the data, and may send it to the event analyzer 400 for filtering.
  • It should be noted that the parsers of the various embodiments described herein are not limited to the described TCP/IP parser 610, application layer protocol parser 611, and file parser 612. Accordingly, other types of parsers may be constructed for hierarchical structures of various security service protocol stacks without departing from the spirit and scope of the disclosure.
  • Referring to FIG. 7, a detailed description will be provided regarding the operation procedure of the event analyzer 400 according to an exemplary embodiment. FIG. 7 provides the event analyzer 400 and pattern databases (i.e., pattern DBs) DB1 through DBn. Pattern database DB1 may be a virus pattern database, pattern database DB2 may be an IPS pattern database, pattern database DB3 may be a WF pattern database, and pattern database DBn may be a CF pattern database. The event analyzer 400 may comprise a management module 701, a string matching algorithm pool 704 comprising string matching algorithms 702, and a scheduling module 703. The pattern databases DB1 through DBn may store patterns corresponding to all threat security services. The pattern database of each threat security service may comprise patterns for the various layers in the integrated security service stack 401. The management module 701 of the event analyzer 400 may be responsible for initializing all of the string matching algorithms 702, which comprise the core of the event analyzer 400.
  • The event analyzer 400 may carry out a matching procedure that may be divided primarily into three phases: a pattern input phase, a compiling phase, and a string matching phase. In the first phase (pattern input phase), the management module 701 may extract patterns from the pattern databases DB1 through DBn and may arrange them into a pattern set. The patterns may be tagged so that the threat security service corresponding to each pattern may be identified. For example, tag 1 may be assigned to patterns from the pattern database DB1, tag 2 may be assigned to patterns from the pattern database DB2, and so forth. Such tagging will be further described herein with reference to FIG. 8. The second phase (compiling phase) may be executed after all patterns have been prepared; in this phase, string matching algorithms 702 may be compiled using the patterns. Different compiling methods may be used based on different matching algorithms. This phase may be fulfilled by the management module 701, as is further described herein with reference to FIG. 8. The third phase (string matching phase) may occur when the system service is running. After data from a parser in the integrated security service stack 401 (i.e., the TCP/IP parser 610, the application layer protocol parser 611, or the file parser 612 as described herein and shown in FIG. 6) is sent to the event analyzer 400, the scheduling module 703 may select a corresponding string matching algorithm 702 based on the type of inputted data (i.e., based on the stack layer at which the data is sent).
  • FIG. 8 provides a flowchart of the operating procedure of the management module 701 of the event analyzer 400 according to an exemplary embodiment. First, in step 801 the management module 701 may read patterns for multiple threat security services at a respective layer from various pattern databases. For example, the management module 701 may read patterns from pattern databases DB1 through DBn for all security services at the TCP/IP layer (e.g., pattern 1.1.1.1, pattern 10.10.10.10:80, etc.). Next, in step 802 the multiple security service patterns as read may be tagged in order to identify the threat security service that corresponds to each pattern. As shown in FIG. 7, tag 1 may be assigned to each of multiple patterns from the virus pattern database DB1, tag 2 may be assigned to each of multiple patterns from the IPS pattern database DB2, tag 3 may be assigned to each of multiple patterns from the WF pattern database DB3, and tag n may be assigned to each of multiple patterns from the CF pattern database DBn. Subsequently, in step 803 the management module 701 may generate (i.e., compile) a string matching algorithm 702 for the respective layer by using the tagged patterns, wherein all patterns focusing on the layer in the integrated security service stack 401 may be merged into a pattern set used for initializing such string matching algorithm 702. This procedure may be followed for multiple threat security services at all layers in the integrated security service stack 401.
  • According to an exemplary embodiment, a TCP/IP string matching algorithm, an application layer string matching algorithm, and the like may be generated via the operation procedure of the management module 701. The string matching algorithms 702 for the various layers may be placed into the string matching algorithm pool 704, as indicated by the grouping of spring matching algorithms 702 in FIG. 7. According to existing patterns, one or more state machines may be generated so that a lookup for a certain section of inputted text can be performed via such state machines. Such procedure is named “string search”. Highly efficient string matching algorithms 702 may improve the performance of a program.
  • A brief illustration will be provided of a string matching algorithm 702 that may be employed according to an exemplary embodiment. Such string matching algorithm 702 may be used for determining whether a text such as Text=t1 . . . tn contains a method for one or more character strings P=p1 . . . pm. For example, the principle of a finite state machine algorithm is that each of all possible inputs for a matching character string has a state value in each step, and if this state value is equal to the length of the matching character string, a successful match is proven.
  • According to an implementation manner, matching algorithms may be divided into software pattern matching, TCAM pattern matching, and ASCI pattern matching. Among string matching algorithms, an algorithm matching one character string is called a single-pattern matching algorithm, and an algorithm for simultaneously matching multiple character strings is called a multi-pattern matching algorithm. TCAM pattern matching involves a dedicated chip used for table lookup operations and is characterized by scoring a hit only once (i.e., an inspection is made all at one time). Moreover, the lookup speed is irrelevant to the size of a table. TCAM pattern matching requires the location of a matching character string to be relatively fixed. ASCI pattern matching requires a character string that is to be detected to be first complied with a regular expression and then loaded to a chip. Afterwards, matching is performed. It should be noted that the string matching algorithms described herein are merely illustrative. Accordingly, any suitable string matching algorithm may be selected to implement the various embodiments by those skilled in the art without departing from the spirit and scope of the disclosure.
  • FIG. 9 shows the operating procedure of the scheduling module 703 of the event analyzer 400 according to an exemplary embodiment. After data from a parser in the integrated security service stack 401 is sent to the event analyzer 400, the scheduling module 703 may select a corresponding string matching algorithm 702 from the string matching algorithm pool 704 to filter (i.e., match) the data and then may return one or more results with tag i (with i being one of tag 1, tag 2 . . . tag n). Due to the tag i, a receiver of the filtering result (not shown) may know to which one of multiple pattern databases the pattern identified by tag i belongs, and accordingly the receiver may determine threat security services corresponding to the incoming packet based on such knowledge. The threat security services may detect whether the packet contains one or more threats and may perform appropriate response processing such as alarming, blocking, and the like (e.g., via event responders) in order to address any such threats.
  • For illustrative purposes, a detailed description will be provided of the procedure for integrating multiple threat security services according to an exemplary embodiment in the context of an exemplary incoming message. Assume that the IP address of a user is 1.1.1.1 and that the user accesses the port 80 of a remote Web server 10.10.10.10 through the local port 25467 (i.e., sends a HTTP request). In this case, the content of the first message ‘P’ sent by the user generally includes a request command and request content, such as “GET http://news.zzz.com/20071205/12345.shtml”.
  • Suppose that there is a pattern 1.1.1.1 assigned with tag 3 at the TCP/IP layer in the WF pattern database DB3 (FIG. 7), there is a pattern 10.10.10.10:80 assigned with tag 2 at the TCP/IP layer in the IPS pattern database DB2 (FIG. 7), and there is a pattern news.zzz.com assigned with tag 2 at the application layer in the IPS pattern database DB2 (FIG. 7). After the parser at each layer in the integrated security service stack 401 sends the parsed content to the event analyzer 400, the event analyzer 400 may perform the following operations.
  • When the TCP/IP parser 610 sends information (e.g., IP source address 1.1.1.1, source port number 25467, destination address 10.10.10.10, destination port number 80, the length of a message, etc.) to the event analyzer 400, the scheduling module 703 of the event analyzer 400 invokes the string matching algorithm 702 for the TCP/IP layer. As a result, the scheduling module 703 filters the sent information and finds that the information matches the pattern 1.1.1.1 assigned with tag 3 and corresponding to the WF threat security service and that the information also matches the pattern 10.10.10.10:80 assigned with tag 2 and corresponding to the IPS threat security service. Accordingly, the scheduling module 703 may provide tags 3 and 2 indicating corresponding threat security services WF and IPS (respectively) to a receiver, and the receiver may determine from the tags 3 and 2 that the threat security services WF and IPS (respectively) need to be provided. Once provided, if one or both of the WF and IPS threat security services detect that the message contains one or more threats, then one or both may drive one or more corresponding event responders in order to perform appropriate processing such as alarming, blocking, and the like.
  • Similarly, when the application protocol parser 611 sends the information “GET http://news.zzz.com/20071205/12345.shtml” to the event analyzer 400, the scheduling module 703 invokes the string matching algorithm 702 for the application layer. As a result, the scheduling module 703 filters the sent information and finds that the information matches the pattern news.zzz.com assigned with tag 2 and corresponding to the IPS threat security service. Accordingly, the scheduling module 703 may provide tag 2 indicating corresponding threat security service IPS to a receiver, and the receiver may determine from the tag 2 that the threat security service IPS needs to be provided. Once provided, if the IPS threat security service detects that the message contains one or more threats, then it may drive one or more corresponding event responders in order to perform appropriate processing such as alarming, blocking, and the like.
  • It should be noted that in order to facilitate easier understanding of the various embodiments described herein, the foregoing description omits various technical details that are well known to those skilled in the art.
  • The various embodiments have been presented for purposes of illustration and description and are not intended to be exhaustive or limited to the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art. Accordingly, the various embodiments have been chosen and described in order to best explain key principles and to enable others of ordinary skill in the art to understand that all modifications and alterations made without departing from the spirit of disclosure fall within the scope as defined in the appended claims.

Claims (24)

1. A method for integrating multiple threat security services, said method comprising:
generating parsed packet data by parsing an incoming packet at each layer of an integrated security service stack;
analyzing said generated parsed packet data at each layer of the integrated security service stack with respect to one or more patterns, wherein each of said one or more patterns corresponds to one of said multiple threat security services; and
consequent to analyzing said parsed packet data with respect to said one or more patterns, determining one or more of said multiple threat security services needed by said parsed packet data.
2. The method according to claim 1, wherein said integrated security service stack is in a protocol stack constructed based on said multiple threat security services.
3. (canceled)
4. (canceled)
5. The method according to claim 1, wherein each of said one or more patterns corresponds to a layer of said integrated security service stack.
6. The method according to claim 5, wherein determining one or more of said multiple threat security services needed by said parsed packet data comprises forming a matching algorithm for each layer of said integrated security service stack.
7. The method according to claim 6, wherein forming a matching algorithm for said each layer of said integrated security service stack comprises assigning a tag to each of said one or more patterns, wherein each tag identifies one of said multiple threat security services.
8. A device for integrating multiple threat security services, said device comprising:
a plurality of parsers, loaded in a computer, wherein each of said plurality of parsers is configured for generating parsed packet data by parsing an incoming packet at each layer of an integrated security service stack; and
an analyzer, also loaded in said computer, configured for analyzing said generated parsed packet data at each layer of the integrated security service stack with respect to one or more patterns and determining one or more of said multiple threat security services needed by said parsed packet data consequent to analyzing said parsed packet data with respect to said one or more patterns, wherein each of said one or more patterns corresponds to one of said multiple threat security services.
9. The device according to claim 8, wherein said integrated security service stack is in a protocol stack constructed based on said multiple threat security services.
10. (canceled)
11. (canceled)
12. The device according to claim 8, wherein each of said one or more patterns corresponds to a layer of said integrated security service stack.
13. The device according to claim 12, wherein said analyzer is configured for determining one or more of said multiple threat security services needed by said parsed packet data by forming a matching algorithm for each layer of said integrated security service stack.
14. The device according to claim 13, wherein said analyzer is configured for forming a matching algorithm for each layer of said integrated security service stack by assigning a tag to each of tagging said one or more patterns, wherein each tag identifies one of said multiple threat security services.
15. The method according to claim 6, wherein forming said matching algorithm for each layer of said integrated security service stack comprises merging all of said one or more patterns corresponding to the layer into a pattern set.
16. The method according to claim 6, wherein said matching algorithm is a string matching algorithm.
17. The method according to claim 7, wherein determining one or more of said multiple threat security services needed by said parsed packet data further comprises:
for each layer of said integrated security service stack:
filtering parsed packet data at the layer by invoking a matching algorithm for the layer; and
returning one or more tagged results identifying one or more of said multiple threat security services.
18. The device according to claim 13, wherein said analyzer is configured for forming a matching algorithm for each layer of said integrated security service stack by merging all of said one or more patterns corresponding to the layer into a pattern set.
19. The device according to claim 13, wherein said matching algorithm is a string matching algorithm.
20. The device according to claim 14, wherein said analyzer is further configured for determining one or more of said multiple threat security services needed by said parsed packet data by:
for each layer of said integrated security service stack:
filtering parsed packet data at the layer by invoking a matching algorithm for the layer; and
returning one or more tagged results identifying one or more of said multiple threat security services.
21. The method according to claim 1, wherein said multiple threat security services include at least one of an anti virus service, an anti spam service, an intrusion detection/protection system, a firewall, or a worm filter.
22. The method according to claim 1, wherein generating parsed packet data comprises parsing said incoming packet via at least one of an Internet Protocol (IP) parser, a Transmission Control Protocol (TCP) parser, an application layer protocol parser, or a file parser.
23. The device according to claim 8, wherein said multiple threat security services include at least one of an anti virus service, an anti spam service, an intrusion detection/protection system, a firewall, or a worm filter.
24. The device according to claim 8, wherein said plurality of filters include at least one of an Internet Protocol (IP) parser, a Transmission Control Protocol (TCP) parser, an application layer protocol parser, or a file parser.
US14/249,349 2007-12-13 2014-04-09 Method and device for integrating multiple threat security services Abandoned US20140223558A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/249,349 US20140223558A1 (en) 2007-12-13 2014-04-09 Method and device for integrating multiple threat security services

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CNA200710199827XA CN101459660A (en) 2007-12-13 2007-12-13 Method for integrating multi-threat security service
CN200710199827.X 2007-12-13
US12/331,912 US8751787B2 (en) 2007-12-13 2008-12-10 Method and device for integrating multiple threat security services
US14/249,349 US20140223558A1 (en) 2007-12-13 2014-04-09 Method and device for integrating multiple threat security services

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US12/331,912 Continuation US8751787B2 (en) 2007-12-13 2008-12-10 Method and device for integrating multiple threat security services

Publications (1)

Publication Number Publication Date
US20140223558A1 true US20140223558A1 (en) 2014-08-07

Family

ID=40755123

Family Applications (2)

Application Number Title Priority Date Filing Date
US12/331,912 Active 2030-08-21 US8751787B2 (en) 2007-12-13 2008-12-10 Method and device for integrating multiple threat security services
US14/249,349 Abandoned US20140223558A1 (en) 2007-12-13 2014-04-09 Method and device for integrating multiple threat security services

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US12/331,912 Active 2030-08-21 US8751787B2 (en) 2007-12-13 2008-12-10 Method and device for integrating multiple threat security services

Country Status (2)

Country Link
US (2) US8751787B2 (en)
CN (1) CN101459660A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107332784A (en) * 2017-06-19 2017-11-07 上海高顿教育培训有限公司 A kind of security protection system for server interface
CN107579960A (en) * 2017-08-22 2018-01-12 深圳市盛路物联通讯技术有限公司 A kind of data filtering method and device
CN111262812A (en) * 2018-11-30 2020-06-09 比亚迪股份有限公司 Data packet screening method and device

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7606225B2 (en) 2006-02-06 2009-10-20 Fortinet, Inc. Integrated security switch
US9065799B2 (en) 2011-04-15 2015-06-23 Lockheed Martin Corporation Method and apparatus for cyber security
CN102546606B (en) * 2011-12-23 2014-12-31 华为数字技术(成都)有限公司 Telnet command filter method, network safety device and network safety system
CN102594623B (en) 2011-12-31 2015-07-29 华为数字技术(成都)有限公司 The data detection method of fire compartment wall and device
CN102891855B (en) * 2012-10-16 2015-06-03 北京神州绿盟信息安全科技股份有限公司 Method and device for securely processing network data streams
CN103346980B (en) * 2013-07-02 2016-08-10 华为技术有限公司 A kind of business scheduling method, device and the network equipment
CN103607313B (en) * 2013-12-09 2017-04-19 深圳市双赢伟业科技股份有限公司 TCP (transmission control protocol) message matching method on Regular expression
CN103825888A (en) * 2014-02-17 2014-05-28 北京奇虎科技有限公司 Network threat processing method and apparatus
WO2019136282A1 (en) * 2018-01-04 2019-07-11 Opaq Networks, Inc. Control maturity assessment in security operations environments
CN108462707B (en) * 2018-03-13 2020-08-28 中山大学 Mobile application identification method based on deep learning sequence analysis
US10333898B1 (en) 2018-07-09 2019-06-25 Centripetal Networks, Inc. Methods and systems for efficient network protection
US11646995B2 (en) 2019-12-11 2023-05-09 Cisco Technology, Inc. Partitioned intrusion detection
FR3114212B1 (en) * 2020-09-14 2023-02-10 Mbda France Method and firewall configured to control messages transiting between two communication elements.
CN113608741B (en) * 2021-07-07 2023-08-29 中国电子科技集团公司第三十研究所 Network security service integration method and device
US20230224275A1 (en) * 2022-01-12 2023-07-13 Bank Of America Corporation Preemptive threat detection for an information system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030145226A1 (en) * 2002-01-28 2003-07-31 International Business Machines Corporation Integrated intrusion detection services
US20030154399A1 (en) * 2002-02-08 2003-08-14 Nir Zuk Multi-method gateway-based network security systems and methods
US20060123481A1 (en) * 2004-12-07 2006-06-08 Nortel Networks Limited Method and apparatus for network immunization
US20090003317A1 (en) * 2007-06-29 2009-01-01 Kasralikar Rahul S Method and mechanism for port redirects in a network switch
US7891001B1 (en) * 2005-08-26 2011-02-15 Perimeter Internetworking Corporation Methods and apparatus providing security within a network
US8166554B2 (en) * 2004-02-26 2012-04-24 Vmware, Inc. Secure enterprise network

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6625650B2 (en) * 1998-06-27 2003-09-23 Intel Corporation System for multi-layer broadband provisioning in computer networks
US7765313B2 (en) 2001-10-09 2010-07-27 Alcatel Lucent Hierarchical protocol classification engine
EP1563393A4 (en) 2002-10-22 2010-12-22 Unho Choi Integrated emergency response system in information infrastructure and operating method therefor
US20040088425A1 (en) 2002-10-31 2004-05-06 Comverse, Ltd. Application level gateway based on universal parser
CA2442799A1 (en) 2003-09-26 2005-03-26 Ibm Canada Limited - Ibm Canada Limitee Generalized credential and protocol management of infrastructure
US7421737B1 (en) * 2004-05-04 2008-09-02 Symantec Corporation Evasion detection
US7460476B1 (en) * 2004-10-18 2008-12-02 Ubicom, Inc. Automatic adaptive network traffic prioritization and shaping
US8656488B2 (en) * 2005-03-11 2014-02-18 Trend Micro Incorporated Method and apparatus for securing a computer network by multi-layer protocol scanning
CN1905555B (en) * 2005-07-30 2010-07-07 华为技术有限公司 Fire wall controlling system and method based on NGN service

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030145226A1 (en) * 2002-01-28 2003-07-31 International Business Machines Corporation Integrated intrusion detection services
US20030154399A1 (en) * 2002-02-08 2003-08-14 Nir Zuk Multi-method gateway-based network security systems and methods
US8166554B2 (en) * 2004-02-26 2012-04-24 Vmware, Inc. Secure enterprise network
US20060123481A1 (en) * 2004-12-07 2006-06-08 Nortel Networks Limited Method and apparatus for network immunization
US7891001B1 (en) * 2005-08-26 2011-02-15 Perimeter Internetworking Corporation Methods and apparatus providing security within a network
US20090003317A1 (en) * 2007-06-29 2009-01-01 Kasralikar Rahul S Method and mechanism for port redirects in a network switch

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107332784A (en) * 2017-06-19 2017-11-07 上海高顿教育培训有限公司 A kind of security protection system for server interface
CN107579960A (en) * 2017-08-22 2018-01-12 深圳市盛路物联通讯技术有限公司 A kind of data filtering method and device
CN111262812A (en) * 2018-11-30 2020-06-09 比亚迪股份有限公司 Data packet screening method and device

Also Published As

Publication number Publication date
CN101459660A (en) 2009-06-17
US20090158428A1 (en) 2009-06-18
US8751787B2 (en) 2014-06-10

Similar Documents

Publication Publication Date Title
US8751787B2 (en) Method and device for integrating multiple threat security services
US7706378B2 (en) Method and apparatus for processing network packets
EP1873992B1 (en) Packet classification in a network security device
CN101213811B (en) Multi-pattern packet content inspection mechanisms employing tagged values
CA2892471C (en) Systems and methods for detecting and mitigating threats to a structured data storage system
US9769276B2 (en) Real-time network monitoring and security
US7548848B1 (en) Method and apparatus for semantic processing engine
US7954151B1 (en) Partial document content matching using sectional analysis
US8522348B2 (en) Matching with a large vulnerability signature ruleset for high performance network defense
US7302480B2 (en) Monitoring the flow of a data stream
US6609205B1 (en) Network intrusion detection signature analysis using decision graphs
US20030084326A1 (en) Method, node and computer readable medium for identifying data in a network exploit
Li et al. Netshield: massive semantics-based vulnerability signature matching for high-speed networks
CN108701187A (en) Mixed hardware software distribution threat analysis
US20050091537A1 (en) Inferring content sensitivity from partial content matching
KR20070087198A (en) Network interface and firewall device
US20030084330A1 (en) Node, method and computer readable medium for optimizing performance of signature rule matching in a network
Zhuang et al. Applying data fusion in collaborative alerts correlation

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:WANG, BAI LING;REEL/FRAME:032639/0807

Effective date: 20140319

AS Assignment

Owner name: LENOVO ENTERPRISE SOLUTIONS (SINGAPORE) PTE. LTD., SINGAPORE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:INTERNATIONAL BUSINESS MACHINES CORPORATION;REEL/FRAME:034194/0111

Effective date: 20140926

Owner name: LENOVO ENTERPRISE SOLUTIONS (SINGAPORE) PTE. LTD.,

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:INTERNATIONAL BUSINESS MACHINES CORPORATION;REEL/FRAME:034194/0111

Effective date: 20140926

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION