US20200014709A1 - Configuration management for network activity detectors - Google Patents
Publication number: US20200014709A1
Authority: US (United States)
Legal status: Abandoned
Classifications
- H04L63/1416—Event detection, e.g. attack signature detection (under H04L63/1408, monitoring network traffic to detect or protect against malicious traffic)
- H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones (under H04L63/02, separating internal from external traffic, e.g. firewalls)
- H04L63/0227—Filtering policies (under H04L63/02)
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
Network activity detectors, such as firewalls, communicate with one another to form a Unified Threat Management System. A first network activity detector sends a request for configuration settings to a second network activity detector. The second network activity detector sends a set of configuration settings in response to the request. The configuration settings include information for detecting digital security threats and/or for responding to detected digital security threats. In this way, configuration settings are propagated from one network activity detector to another so that network activity detectors within a UTMS system are configured consistently, e.g., have up-to-date information for detecting and/or responding to digital security threats.
Description
- This application is a continuation of U.S. patent application Ser. No. 15/889,069, filed on Feb. 5, 2018, entitled “CONFIGURATION MANAGEMENT FOR NETWORK ACTIVITY DETECTORS”, which is a continuation of U.S. patent application Ser. No. 14/666,815, filed on Mar. 24, 2015, issued as U.S. Pat. No. 9,888,018 on Feb. 6, 2018, and entitled “CONFIGURATION MANAGEMENT FOR NETWORK ACTIVITY DETECTORS”, which is a continuation of U.S. patent application Ser. No. 14/207,382, filed on Mar. 12, 2014, issued as U.S. Pat. No. 9,021,574 on Apr. 28, 2015, and entitled “CONFIGURATION MANAGEMENT FOR NETWORK ACTIVITY DETECTORS”, which claims the benefit of U.S. Provisional Application No. 61/778,305, filed on Mar. 12, 2013. The content of these applications is hereby incorporated by reference.
- The present disclosure relates generally to the field of digital security, and more specifically to the configuration management of network activity detectors, including network activity detectors that detect malicious network activities.
- The proliferation of computing and networking technologies has presented challenges in the field of digital security. For instance, one networked computer (i.e., a network node) may spread malicious computer data to other network nodes, and can inflict substantial system disruption across the network thereby causing economic loss.
- Conventional digital security technologies include computer logic, generally embodied as “anti-virus programs” and/or “firewalls,” that reside at network nodes and that scan computer data for digital security threats such as viruses, malware, worms, Trojan horses, and the like. To remain effective, a conventional digital security solution needs to be configured and managed (e.g., updated) properly. Configuration management of conventional digital security solutions often results in undesirable tradeoffs among efficacy, configurability, and scalability.
- For instance, conventional digital security technologies require updates, such as computer virus signature files, in order to maintain effectiveness against ever-changing digital security threats. The relatively large size of the typical computer virus signature file (i.e., 50 megabytes (“MB”) to 300 MB) reduces the scalability of conventional digital security systems in at least two ways. First, large updates utilize significant network bandwidth, and thus limit the number of installations and/or the frequency of updates that may be supported by a given network infrastructure. Second, large updates require substantial data processing by a computer processor, and thus limit the types of network nodes that can support installations of conventional digital security technologies to those with sufficient processing power. Therefore, scalability is compromised.
- Further, the need to ensure the authenticity of updates also encourages technical implementations in which a few entities (e.g., manufacturers of conventional digital security technology solutions) control the dissemination of updates to many network nodes. The resulting network architecture tends to be flat in that many network nodes download updates from a few authorized servers. Such an architecture makes it difficult for an intermediate entity, such as the network administrator of a company, to provide configurations (i.e., updates) that are unique within the company's local network. Therefore, configurability is compromised.
- In some embodiments, a system of network activity detectors comprises a first network activity detector, a second network activity detector, and a third network activity detector. The first network activity detector is configured to run on a first network node of a network; send, to the second network activity detector, a first User Datagram Protocol (UDP) network packet, where the first UDP network packet comprises a request for configuration information; and receive, from the second network activity detector, a second UDP network packet, where the second UDP network packet comprises a first configuration information, where the first configuration information includes a set of information for detecting digital security threats.
- The second network activity detector is configured to run on a second network node of the network; send, to the third network activity detector, a third UDP network packet, where the third UDP network packet comprises a request for configuration information; receive, from the third network activity detector, a fourth UDP network packet, where the fourth UDP network packet comprises a second configuration information, where the second configuration information includes the set of information for detecting digital security threats; and in response to receiving the first UDP network packet from the first network activity detector, send, to the first network activity detector, the first configuration information, where the first configuration information includes the set of information for detecting digital security threats.
- The third network activity detector is configured to run on a third network node of the network; create the set of information for detecting digital security threats; and in response to receiving the third UDP network packet from the second network activity detector, send, to the second network activity detector, the second configuration information, where the second configuration information includes the set of information for detecting digital security threats.
- In some embodiments, a network activity detector that is running on a network node comprises a network interface configured to couple with a network; and a processor configured to identify a source of configuration information, wherein the source is another network activity detector coupled with the network, wherein the configuration information includes a set of information for detecting digital security threats; send, to the source, a request for the configuration information; receive, from the source, the configuration information; and send, to another network activity detector, the configuration information.
- FIG. 1 depicts an exemplary unified threat management system employing network activity detectors.
- FIG. 2 depicts exemplary configuration settings for network activity detectors.
- FIG. 3 depicts an exemplary unified threat management system employing network activity detectors.
- FIG. 4 depicts an exemplary unified threat management system employing network activity detectors.
- FIG. 5 is a block diagram depicting an exemplary process for managing configuration settings by network activity detectors.
- FIGS. 6A-6B depict an exemplary unified threat management system employing network activity detectors.
- FIG. 7 is a block diagram depicting an exemplary process for managing configuration settings by network activity detectors.
- FIG. 8 depicts an exemplary performance of an encryption process.
- FIG. 9 is a block diagram depicting an exemplary encryption process.
- FIG. 10 depicts an exemplary computing system.
- The following description is presented to enable a person of ordinary skill in the art to make and use the various embodiments. Descriptions of specific devices, techniques, and applications are provided only as examples. Various modifications to the examples described herein will be readily apparent to those of ordinary skill in the art, and the general principles defined herein may be applied to other examples and applications without departing from the spirit and scope of the various embodiments. Thus, the various embodiments are not intended to be limited to the examples described herein and shown, but are to be accorded the scope consistent with the claims.
- The embodiments described herein include devices, techniques, and/or applications for managing the configurations of network activity detectors. A network activity detector resides at a network node and detects network activities of interest, such as digital security threats like computer viruses, malware, worms, Trojan horses, bots, intrusions (e.g., unauthorized access), exploits (e.g., escalation of privileges, violation of confidentiality), timing-based attacks (e.g., Denial of Service), and so forth. An exemplary network activity detector is described in U.S. Non-provisional patent application Ser. No. 13/479,222 filed on May 23, 2012, now U.S. Pat. No. 8,347,391, which is incorporated herein by reference for all purposes.
- As a preliminary matter, it should be noted that although digital security threats are used as an example of what may be detected as an “activity of interest” by a network activity detector, other activities of interest exist and may also be detected using a network activity detector. Examples of other activities of interest may be the transmission of obscene and/or copyrighted materials over a network, among others. Thus, while the examples and embodiments provided below refer to the detection of digital security threats for the sake of clarity and consistency, the devices, techniques, and/or applications that are conveyed via the examples and embodiments provided are not limited to the detection of digital security threats only.
- Network activity detectors may be implemented into a variety of electronic devices, including desktop computers, laptop computers, tablet computers, phones, routers, firewalls, modems, gateways, and any other suitable electronic devices that support network communications. In some embodiments, a network activity detector is a computer program that runs on a network node. In other embodiments, a network activity detector is part of the electronic circuitry (e.g., application-specific integrated circuitry) of a network node.
- The configuration settings of a network activity detector govern the operation of the network activity detector. For instance, the configuration settings of a network activity detector may control the types of digital security threats that are to be detected by the network activity detector. The configuration settings may also control the response of the network activity detector to an intrusion. Given the large number of network activity detectors that may exist in a network, robust mechanisms for managing the configuration settings of multiple network activity detectors are desirable.
- FIG. 1 illustrates multiple network activity detectors that form an exemplary system 100 over network 101. The term “Unified Threat Management System” (UTMS) is used for purposes here to refer to a system of network activity detectors such as system 100. Network 101 may be the internet, a private network, a public network, or a combination thereof. UTMS system 100 includes a systems operator 102, which may be, e.g., a television cable company. UTMS system 100 also includes another systems operator 103, which may be, e.g., an internet service provider. A portion of UTMS system 100 is an enterprise network 104.
- Systems operator 102 provides network access to network nodes 110-112, which may (but need not) be physically adjacent, via an integrated modem router 110. Network node 111 is a laptop computer and computing device 112 is a tablet computer. Systems operator 103 provides network access to network nodes 120-124, which may (but need not) be located at a small business company. Network node 120 is a router and is connected to network 101 and to computing devices 121-124. Enterprise network 104 is an enterprise network infrastructure that provides network access to network nodes 130-136 and 140-144, which may (but need not) be located at geographically separate offices of a large business company 105. Network nodes within enterprise network 104 serve computing devices 131-136 and 141-144.
- One or more of network nodes 110-112, 120-124, 130-136, and 140-144 in UTMS system 100 can each embody a network activity detector. UTMS system 100 thus highlights the need for the robust configuration management of network activity detectors that are spread across a UTMS system. Consider, for instance, that systems operator 102 may wish to manage the configuration of network activity detectors in its downstream network, and large business company 105 may wish to maintain distinct configuration settings for network activity detectors in different parts of its network infrastructure.
- As discussed above, the configuration settings of a network activity detector govern the operation of the network activity detector.
FIG. 2 illustrates exemplary configuration settings 201 of a network activity detector. As shown, configuration settings 201 include settings for, e.g., enabling or disabling virus detection by a network activity detector, specifying whether a network activity detector should cloak (i.e., hide) a network node when a digital security threat is detected, and the like.
- Configuration settings 201 also include information 202 regarding the meta-expressions that are used by the network activity detector to detect specific network activities. As described in U.S. Non-provisional patent application Ser. No. 13/479,222 filed on May 23, 2012, incorporated herein by reference for all purposes, meta-expressions are used by a network activity detector to detect network activities of interest. Put another way, the specific digital security threats that are to be detected by a network activity detector may be governed by the meta-expressions being used by the network activity detector. Also, as described in U.S. Non-provisional patent application Ser. No. 13/479,222, it has been determined that only a handful of meta-expressions are necessary to detect all known digital security threats and their variants (even if the variants are unknown), which total over 2.5 million in number. As shown in FIG. 2, the configuration settings of the exemplary network activity detector include twelve meta-expressions for this purpose.
- In some embodiments, a web-based user interface, such as webpage 200, is presented by the network activity detector so that a user can change the configuration settings of the network activity detector. In some embodiments, it is possible for a network activity detector to receive configuration settings programmatically over a network from other network activity detectors. That is, configuration settings that are received by a network activity detector over a network can be implemented into the network activity detector without requiring user intervention. The received configuration settings can include one or more settings shown on webpage 200 and meta-expressions for detecting digital security threats.
- Exemplary transmissions of configuration settings between network activity detectors are discussed with reference to FIG. 3. In FIG. 3, UTMS system 300 includes systems operator 302, which controls network gateway 303 connected to network 301. Gateway 303 provides network access to network nodes through modem 310. Modem 310, laptop computer 311, and tablet computer 312 each embody a network activity detector. For example, a network activity detector is implemented into the chipset of modem 310 and another is implemented into the operating system kernel of tablet computer 312. Also, a network activity detector is installed as an application program into the operating system of laptop computer 311.
- An exemplary transmission of configuration settings between network activity detectors is now discussed with reference to the network nodes of FIG. 3. During start-up, the network activity detector of laptop computer 311 sends a request for configuration settings to a designated network activity detector. The designated network activity detector can be any other network activity detector, e.g., a network activity detector that is running on a different network node like modem 310. In response to the request from the network activity detector of laptop computer 311, the network activity detector of modem 310 sends a set of configuration settings, via the network, to laptop computer 311. Upon receiving the configuration settings, the network activity detector of laptop computer 311 implements the received configuration settings. In addition, the network activity detector of laptop computer 311 may begin to operate based on the configuration settings.
- Another exemplary transmission of configuration settings between network activity detectors is now discussed with reference to the network nodes of FIG. 3. During start-up, the network activity detector of tablet computer 312 sends a request for configuration settings to a network activity detector that is running on modem 310. In response to the request, the network activity detector of modem 310 sends a set of configuration settings to tablet computer 312, which are then implemented and used by the network activity detector of tablet computer 312.
- Notably, the configuration settings that are sent by the network activity detector of modem 310 to laptop computer 311 and to tablet computer 312 may be similar, identical, or identical in part. By sending configuration settings that are consistent (meaning that the configuration settings are at least identical in part), the network activity detector of modem 310 ensures that its downstream network activity detectors (i.e., those of laptop computer 311 and tablet computer 312) are operating based on consistent configuration settings. In this way, modem 310 may ensure that the network activity detectors of laptop computer 311 and tablet computer 312 are able to detect the same digital security threats and are configured to respond to detected digital security threats in the same manner.
- Yet another exemplary transmission of configuration settings between network activity detectors is now discussed with reference to gateway 303 and modem 310 of FIG. 3. Gateway 303 is operated by systems operator 302, which provides internet networking services, meaning that gateway 303 acts as a conduit of network traffic between network 301 and the customers of systems operator 302. It is thus desirable for systems operator 302 to minimize digital security threats that pass through gateway 303.
- One way in which systems operator 302 can help prevent the transmission of digital security threats via its infrastructure (e.g., gateway 303) is by controlling the configuration settings of network activity detectors that are downstream from its infrastructure. Systems operator 302 may do so by, e.g., sending configuration settings to network activity detectors that run on downstream devices.
- In the present example, the network activity detector of modem 310 is configured to, during start-up, request configuration settings from the network activity detector of gateway 303. In response to the request, the network activity detector of gateway 303 sends a set of configuration settings to modem 310. The received configuration settings are implemented by modem 310. Since, as discussed above, the network activity detector of modem 310 is responsible for sending configuration settings to downstream network nodes, modem 310 can provide configuration settings that are consistent with those received from gateway 303 to those downstream network nodes. In this way, modem 310, laptop computer 311, and tablet computer 312 are able to detect the same digital security threats and are configured to respond to detected digital security threats in a consistent manner.
- It should be noted that, while the network activity detector of gateway 303 is primarily responsible for controlling the configuration settings of other network activity detectors in UTMS system 300, it is possible for other network activity detectors of UTMS system 300 (i.e., those running on network nodes 310-312) to become senders of configuration settings, if necessary. That is, any one (or more) network activity detectors of UTMS system 300 can be configured to provide configuration settings to other network activity detectors.
- The ability of a network activity detector to receive, and to provide, when needed, configuration settings to other network activity detectors significantly increases the scalability of a UTMS system. For example, should tablet computer 312 of UTMS system 300 become configured to act as a mobile wireless access hotspot for cellular phone 313 to access network 301, the network activity detector of tablet computer 312 can provide configuration settings to a network activity detector that is running on cellular phone 313. In this way, UTMS system 300 can scale to accommodate new network activity detectors that come online in a UTMS system.
- Further, a network activity detector can provide configuration settings that are consistent with or different from the configuration settings that are received by the network activity detector. That is to say, the configuration settings that are sent, e.g., by tablet computer 312 to cellular phone 313 can be consistent with or can be different from the configuration settings that are used by tablet computer 312. In this way, subsets of network nodes in a UTMS system can have network activity detectors that operate with different configuration settings, thereby improving the configurability of the UTMS system.
- In some instances, the appropriate configuration settings to be sent to the network activity detector of cellular phone 313 are a set that is consistent with the configuration settings imposed by systems operator 302 by way of gateway 303. In some instances, the appropriate configuration settings to be sent to the network activity detector of cellular phone 313 are a set of more restrictive configuration settings as compared with the configuration settings from gateway 303. The provision of more restrictive configuration settings further reduces the chance of cellular phone 313 becoming compromised by a digital security threat. By the same token, the provision also further reduces the chance of tablet computer 312 becoming compromised by a digital security threat that originates from cellular phone 313. The latter result is especially important for a device such as tablet computer 312 that allows tethering.
- In some embodiments, whether a network activity detector provides configuration settings to other network activity detectors is determined based on the mode of operation of the network activity detector. In a first mode of operation, which may be referred to as a “super” mode, a network activity detector can send configuration settings to other network activity detectors. For purposes of this disclosure, a network activity detector that is operating in “super” mode is referred to as a super network activity detector, and a network node having a super network activity detector is referred to as a “super network node.” A super network activity detector sends configuration settings to a downstream network activity detector when a request for configuration settings is received from the downstream network activity detector.
- In a second mode of operation, which may be referred to as a “standard” mode, a network activity detector is not configured to send configuration settings to other network activity detectors. For purposes of this disclosure, a network activity detector that is operating in “standard” mode is referred to as a standard network activity detector, and a network node having a standard network activity detector that is operating in “standard” mode is referred to as a “standard network node,” or simply a “network node.”
- In some embodiments, the mode of operation is managed via a configuration setting at a network activity detector. The mode of operation of such a network activity detector is thus switched by changing its configuration settings. In some embodiments, the mode of operation switches automatically (e.g., programmatically). For instance, a network activity detector may programmatically switch to super mode when a request for configuration settings is received.
- Regardless of operation mode, a network activity detector may request configuration settings from a super network activity detector. When a network activity detector receives configuration settings from a super network activity detector, the configuration settings are processed and used by the receiving network activity detector. As discussed above, an important aspect of configuration settings is the inclusion of meta-expressions, which can be used by the receiving network activity detector to detect digital security threats. Put another way, a super network activity detector can itself request configuration settings from another super network activity detector.
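As an added illustration (not code from the patent or from any product it describes), the following Python simulation walks through the super/standard modes above and the request/response process that FIG. 5 describes (blocks 510-570): a standard detector ignores requests, a super detector answers them, a super detector in the middle of the chain relays a consistent but more restrictive copy, and a response that follows a dropped request leapfrogs the settings that were missed. The detector names, the JSON datagram layout, the `version` field used to rank responses and the settings values are all constructed for this example.

```python
import json
from dataclasses import dataclass, asdict
from typing import Dict, Optional


@dataclass(frozen=True)
class Settings:
    """A constructed subset of the settings FIG. 2 shows on webpage 200."""
    version: int                 # assumed field: lets a receiver rank responses
    virus_detection: bool
    cloak_on_threat: bool
    meta_expressions: tuple      # stand-ins for the meta-expressions of 13/479,222

    @staticmethod
    def from_dict(d: dict) -> "Settings":
        return Settings(int(d["version"]), bool(d["virus_detection"]),
                        bool(d["cloak_on_threat"]), tuple(d["meta_expressions"]))


class Detector:
    """One network activity detector. `upstream` is the super detector identified
    at block 510 (None: the detector produces its own settings); `super_mode`
    decides whether it answers requests (blocks 540-570)."""

    def __init__(self, name: str, upstream: Optional[str] = None,
                 super_mode: bool = False, settings: Optional[Settings] = None,
                 force_cloak: bool = False):
        self.name = name
        self.upstream = upstream
        self.super_mode = super_mode
        self.settings = settings
        self.force_cloak = force_cloak   # relay a more restrictive copy downstream

    def build_request(self) -> bytes:
        """Block 520: payload of the request datagram (constructed JSON layout)."""
        return json.dumps({"type": "CFG_REQ", "from": self.name}).encode()

    def handle_datagram(self, data: bytes) -> Optional[bytes]:
        """Process one received datagram; return a reply payload or None."""
        msg = json.loads(data)
        if msg.get("type") == "CFG_REQ":
            # Blocks 540-570: only a super detector that has settings replies;
            # a standard detector silently ignores the request.
            if not self.super_mode or self.settings is None:
                return None
            out = self.settings
            if self.force_cloak:   # consistent (same meta-expressions) but stricter
                out = Settings(out.version, out.virus_detection, True,
                               out.meta_expressions)
            return json.dumps({"type": "CFG_RSP", "settings": asdict(out)}).encode()
        if msg.get("type") == "CFG_RSP":
            # Block 530: adopt the settings. A newer version replaces whatever is
            # held, so a response that follows a dropped request leapfrogs any
            # intermediate settings the detector never saw.
            incoming = Settings.from_dict(msg["settings"])
            if self.settings is None or incoming.version > self.settings.version:
                self.settings = incoming
            return None
        return None   # unknown type: UDP keeps no state, so simply drop it


def poll(net: Dict[str, Detector], name: str, drop_request: bool = False):
    """One timed-interval pass of blocks 510-530 for detector `name`.
    `drop_request` simulates the request datagram being lost en route."""
    local = net[name]
    if local.upstream is None or drop_request:
        return local.settings
    reply = net[local.upstream].handle_datagram(local.build_request())
    if reply is not None:
        local.handle_datagram(reply)
    return local.settings


def consistent(a: Optional[Settings], b: Optional[Settings]) -> bool:
    """'Consistent' in the patent's sense: identical at least in part; here the
    meta-expressions match, so both detectors detect the same threats."""
    return a is not None and b is not None and a.meta_expressions == b.meta_expressions


def run_scenario() -> Dict[str, Detector]:
    """Gateway 303 -> modem 310 -> tablet 312 chain of FIG. 3 with constructed data."""
    net = {
        "gateway": Detector("gateway", super_mode=True,
                            settings=Settings(1, True, False, ("ME-1", "ME-2"))),
        "modem": Detector("modem", upstream="gateway", super_mode=True,
                          force_cloak=True),
        "tablet": Detector("tablet", upstream="modem"),
    }
    poll(net, "modem")                                  # modem obtains version 1
    net["gateway"].settings = Settings(2, True, False, ("ME-1", "ME-2", "ME-3"))
    poll(net, "modem", drop_request=True)               # request lost: still v1
    net["gateway"].settings = Settings(3, True, False, ("ME-1", "ME-2", "ME-3", "ME-4"))
    poll(net, "modem")                                  # next request leapfrogs v2
    poll(net, "tablet")                                 # modem relays v3, cloak forced
    return net
```

After `run_scenario()` the modem holds version 3 without ever having seen version 2, and the tablet holds the same meta-expressions with cloaking forced on.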
- An exemplary implementation of network activity detectors is now discussed with respect to FIG. 4. In FIG. 4, network nodes 402-405 are connected directly or indirectly to network 401 and form a UTMS system 400. In some embodiments, network nodes 402-405 correspond to gateway 303, modem 310, laptop computer 311, and tablet computer 312 illustrated in FIG. 3. Each of network nodes 402-405 embodies a network activity detector.
- Super network node 402 embodies a super network activity detector that is configured to provide configuration settings to other network activity detectors, such as those in UTMS system 400. Further, super network node 403 embodies a super network activity detector that receives configuration settings from super network node 402 and that is configured to relay at least portions of the received configuration settings to the network activity detectors of the standard network nodes. In this way, super network node 402 controls the configuration settings of downstream network nodes 403-405.
- FIG. 5 illustrates exemplary process 500, which may be performed by a network activity detector to participate in a UTMS system as described above. In some embodiments, process 500 is performed by one or more of the network activity detectors of network nodes 402-405 (FIG. 4). At block 510, the network activity detector that is carrying out process 500 (referred to as the “local network activity detector”) identifies a super network activity detector to which it is to send a request for configuration settings.
- In some embodiments, the identity of the super network activity detector is managed via a configuration setting at the local network activity detector. The configuration setting may have been previously obtained by the local network activity detector or may have been previously stored into the local network activity detector by way of a suitable mechanism, such as during a computer program installation process. In some embodiments, the identity of the super network activity detector is hardcoded into the computer-executable instructions of the local network activity detector. The identity of the super network activity detector node can be a null value, because it is possible for a network activity detector to not request configuration settings from another network activity detector. Such a network activity detector could produce its own configuration settings based on user input, creation of meta-expressions as described in U.S. Non-provisional patent application Ser. No. 13/479,222 filed on May 23, 2012, or other suitable configuration processes.
- At block 520, the local network activity detector sends a request for configuration settings to the super network activity detector identified at block 510. In some embodiments, requests for configuration settings are sent using User Datagram Protocol (UDP) datagrams. UDP datagrams are used because UDP introduces relatively low overhead as compared to other transport protocols. Also, because UDP is stateless, its use reduces the amount of processor power that is required to track UDP traffic at a network activity detector. The stateless nature of UDP is such that if an initial UDP datagram (representing a request for configuration settings) is dropped en route to its destination network node, the sending of a subsequent UDP datagram makes up for the dropped UDP datagram. Even though it would not be aware of the dropped UDP datagram, when the super network activity detector at the destination network node finally receives the subsequent UDP datagram, it would provide the most up-to-date configuration settings. Those configuration settings would leapfrog any intermediate configuration settings, if any, that were missed due to the dropped UDP datagram. Despite the benefits provided by a stateless transport layer protocol (such as UDP), it should be noted that communication between network activity detectors can, alternatively, utilize a different network transport layer protocol. For example, in some embodiments, requests for configuration settings and/or configuration settings can be sent using Transmission Control Protocol (TCP) datagrams, even though TCP communications are considered stateful.
- In some embodiments, block 520 is performed at timed intervals so that the local network activity detector requests configuration settings from time to time. The duration of the timed interval generally depends on the size of the network packets that are used for updating configuration settings and the processing overhead that is required. In some embodiments, the timed interval is a predetermined interval of between one and five minutes. In some embodiments, the timed interval changes based on processor load on the local network activity detector.
- At
block 530, the local network activity detector receives configuration settings from a super network activity detector and begins to operate based on the received configuration settings. The received configuration settings can include meta-expressions that are used by the local network activity detector to detect digital security threats. Atblock 540, the local network activity detector determines whether it is operating in super mode. If the network activity detector is operating in super mode, processing proceeds to block 550. Otherwise, processing ends. Atblock 550, the local network activity detector receives a request for configuration settings from another network activity detector. Atblock 560, the local network activity detector creates a set of configuration settings. The created configuration settings can include meta-expressions for detecting digital security threats. Atblock 570, the local network activity detector sends the created configuration settings to the requesting network activity detector. - Another exemplary implementation of network activity detectors is now discussed with respect to
FIG. 6A-6B . InFIG. 6 , network nodes 610-614 and 620-626 are connected directly or indirectly to network 601 and form a UTMS system 600. In some embodiments, network nodes 610-614 and 620-626 correspond to the network nodes of large business company 105 (FIG. 1 ). -
Super network node 612 embodies a super network activity detector that provides configuration settings to the other network nodes of UTMS system 600, i.e., network nodes 610-614 and 620-626. Depending on the processing capabilities ofsuper network node 612 and the processing load caused by other running processes,super network node 612 may experience high levels of processor load that comprise its ability to perform as a super network node. For instance, under high processor load, the super network activity detector ofsuper network node 612 may not keep up with incoming requests for configuration settings. When this occurs, it would be desirable for the super network activity detector ofsuper network node 612 to scale back its responsibilities to maintain the integrity of UTMS system 600. - One way in which the super network activity detector of
super network node 612 can scale back its responsibilities is to offload some of its configuration management processes to other network activity detectors within UTMS system 600. In some embodiments, this is done via a “helixing” process. The helixing process increases the number of super network nodes within a UTMS system and spreads out requests for configuration settings to those additional super network nodes. - More specifically, the super network activity detector of
super network node 612 can initiate the helixing process by identifying another target network activity detector within UTMS system 600 that can help respond to requests for configuration settings. The super network activity detector ofsuper network node 612 is aware of the existence of other network activity detectors in UTMS system 600 because, as a super network activity detector, it has previously received requests for configuration settings from other network activity detectors in UTMS system 600. For instance, the super network activity detector ofsuper network node 612 receives requests for configuration settings from the network activity detectors ofnetwork nodes super network node 612 is aware of their existence, and can therefore identify one (or more) of these network activity detectors as a target network activity detector. - A network activity detector need not be operating in super mode in order to be identified as a target, because the targeting super network activity detector can instruct the targeted network activity detector to switch to super mode, if necessary. For instance, the super network activity detector of
super network node 612 can instruct the target network activity detector ofnetwork node 620 to operate in super mode, if the target network activity detector is not operating in standard mode, by sending appropriate configuration settings to the target network activity detector ofnetwork node 620. In response, the network activity detector ofnetwork node 620 begins to operate in super mode.FIG. 6B illustratesnetwork node 620 as a super network node. - The super network activity detector of
super network node 612 continues the helixing process by instructing other network activity detectors in UTMS system 600 to request for configuration settings from the network activity detector ofnetwork node 620, which is now operating in super mode. For instance, when the super network activity detector ofsuper network node 612 receives requests for configuration settings from the network activity detectors of network nodes 621-626, it responds by sending configuration settings that instruct requesting network activity detector(s) to, in the future, request for configuration settings from the super network activity detector ofsuper node 620. In this way,super network node 612 offloads at least a part of its responsibility to provide configuration settings tosuper network node 620, thereby transferring some processing load from itself tosuper network node 620, and ensuring that configuration settings are transmitted as necessary to maintain the integrity of UTMS system 600. - Notably, while network nodes that are visually arranged in
FIG. 6B such thatsuper network nodes network portions standard network node 626 can request configuration settings from the network activity detector ofsuper network node 612, regardless of whether the two network nodes are physically proximate. -
FIG. 7 illustratesexemplary process 700 which may be performed by a network activity detector to perform the above-described helixing process.Process 700 can be performed by one or more network activity detectors of a UTMS system. In some embodiments,process 700 is performed by the network activity detectors ofnetwork nodes 612 and 620 (FIGS. 6A-6B ). - At
block 710, the network activity detector that is carrying out process 700 (referred to as the “local network activity detector”) identifies a super network activity detector to which it is to send a request for configuration settings. Atblock 720, the local network activity detector sends a request to the identified super network activity detector. Atblock 730, the local network activity detector receives configuration settings from the identified super network activity detector and begins to operate based on the received configuration settings. Atblock 740, the local network activity detector determines whether it is operating in “super” mode. If the local network activity detector is operating in “super” mode, processing proceeds to block 750. Otherwise, processing continues to block 745. - At
block 745, the local network activity detector reviews the received configuration settings to determine if they include an instruction for the local network activity detector to operate in “super” mode. If the received configuration settings include such an instruction, processing proceeds to block 750. Otherwise, processing ends. - At
block 750, the local network activity detector receives a request for configuration settings from another network activity detector. Atblock 755, the local network activity detector determines whether it is experiencing high levels of processor load. For instance, a processor load of 85% utilization, on average over a 24-hour period may be considered a high level of processor load. - If the local network activity detector is experiencing high processor load, processing proceeds to block 765. At
block 765, the local network activity detector identifies a target network activity detector based on previously received requests for configuration information. Atblock 766, the local network activity detector creates configuration settings that, among other things, instruct the target network activity detector to operate in super mode. In addition, atblock 767, the local network activity detector creates configuration settings that, among other things, instruct a receiving network activity detector to request configuration settings from the target network activity detector, in the future. - If the local network activity detector is not experiencing high processor load, processing proceeds to block 760. At
block 760, the local network activity creates configuration settings. In contrast to the configuration settings created atblock 766, the configuration settings created atblock 760 do not instruct a receiving network activities detector to switch to “super” mode. Also, in contrast the configuration settings created atblock 767, the configuration settings created atblock 760 do not instruct a receiving network activities detector to request for configuration settings from another super network activity detector in the future. Atblock 770, the configuration setting(s) created atblocks block 770. - Configuration settings can be encrypted to improve the integrity of a UTMS system. Configuration settings can be encrypted during transmission between network nodes. It is desirable for encrypted configuration settings to be difficult to decrypt without valid decryption credentials so that configuration settings cannot be recognized as such during transmission. Configuration settings can also be encrypted while they reside at a network node. An encryption mechanism would be futile if configuration settings are compromised while in decrypted form.
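The request, super-mode and helixing logic of processes 500 and 700 (blocks 510-570 and 710-770), as an added in-memory simulation in Python that is not part of the patent. The UDP transport of block 520 is replaced by direct calls, node ids reuse the FIG. 6A-6B numerals, and the load values and meta-expressions are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The patent's example threshold: 85% average utilisation counts as high load.
HIGH_LOAD_THRESHOLD = 85.0


@dataclass
class ConfigSettings:
    """Constructed stand-in for one configuration-settings message."""
    meta_expressions: List[str]
    become_super: bool = False         # block 766: switch the receiver to super mode
    next_super: Optional[str] = None   # block 767: node to ask in future requests


@dataclass
class Detector:
    """One network activity detector; node ids are the patent's reference numerals."""
    node_id: str
    super_id: Optional[str]             # block 510/710; None means self-configured
    super_mode: bool = False
    cpu_load: float = 0.0               # constructed, not measured
    meta_expressions: List[str] = field(default_factory=list)
    seen_requesters: List[str] = field(default_factory=list)
    helix_target: Optional[str] = None  # chosen once at block 765, then reused

    def handle_request(self, requester: str) -> Optional[ConfigSettings]:
        """Blocks 750-770. A detector not in super mode answers nothing, which a
        UDP requester experiences exactly like a dropped datagram (block 520)."""
        if not self.super_mode:
            return None
        if requester not in self.seen_requesters:
            self.seen_requesters.append(requester)
        if self.cpu_load >= HIGH_LOAD_THRESHOLD:                       # block 755
            if self.helix_target is None:
                # Block 765: the target is picked from earlier requesters; the
                # first one seen is used here (the patent does not fix a rule).
                others = [r for r in self.seen_requesters if r != requester]
                self.helix_target = others[0] if others else None
            if self.helix_target is not None:
                settings = list(self.meta_expressions)
                if requester == self.helix_target:
                    return ConfigSettings(settings, become_super=True)          # block 766
                return ConfigSettings(settings, next_super=self.helix_target)   # block 767
        return ConfigSettings(list(self.meta_expressions))                       # block 760

    def apply(self, cfg: ConfigSettings) -> None:
        """Blocks 730-745: adopt the settings, including mode and redirect hints."""
        self.meta_expressions = list(cfg.meta_expressions)
        if cfg.become_super:
            self.super_mode = True
        if cfg.next_super is not None:
            self.super_id = cfg.next_super


class Utms:
    """In-memory UTMS; the UDP transport of block 520 is replaced by direct calls."""

    def __init__(self, nodes: List[Detector]) -> None:
        self.nodes: Dict[str, Detector] = {n.node_id: n for n in nodes}

    def poll(self, node_id: str) -> bool:
        """One timed request (block 520/720) by node_id to its configured super
        node. Returns False when no settings came back; the node simply retries
        at the next interval, which is the leapfrog behaviour the patent relies on."""
        node = self.nodes[node_id]
        if node.super_id is None:
            return False
        cfg = self.nodes[node.super_id].handle_request(node_id)
        if cfg is None:
            return False
        node.apply(cfg)
        return True


def run_helixing_scenario(rounds: int = 2) -> Dict[str, Detector]:
    """Constructed scenario after FIG. 6A-6B: 612 is overloaded and 620-626 poll it.
    Round 1: 620 is chosen as target and 621-626 are told to ask 620 in future.
    Round 2: 620 receives the super-mode instruction, then serves 621-626."""
    super_node = Detector("612", super_id=None, super_mode=True, cpu_load=90.0,
                          meta_expressions=["meta-expr-1"])   # constructed value
    standard = [Detector(str(n), super_id="612") for n in range(620, 627)]
    utms = Utms([super_node, *standard])
    for _ in range(rounds):
        for n in range(620, 627):
            utms.poll(str(n))
    return utms.nodes
```

With a single round, 621-626 are already redirected to 620 before 620 has been told to enter super mode, so their next poll returns nothing until 620's own next poll brings the instruction; the polling interval absorbs that gap.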
- In some embodiments, configuration settings are encrypted using an encryption mechanism that utilizes local operating parameters of an individual network activity detector that cannot be easily identified outside the operating environments of the network activity detector. Put another way, the encryption mechanism encrypts, at least in part, based on local operating parameters of an operating environment.
- By way of background, various asymmetric key algorithms and symmetric key encryption algorithms generate encryption keys and decryption keys based on a number. In asymmetric key algorithms, the number is used to generate complementary public and private keys. In symmetric key algorithms, the number is used to generate a shared key. In this context, a number of high entropy is preferred because the uncertainty between the digits of the number decreases the possibility of reverse-engineering the number (and thereby obtaining the necessary key for decryption). A number such as “11112222” has low entropy and is not preferred for generating cryptography keys because the digits of “11112222” are somewhat predictable. One of ordinary skill in the art would recognize that a number of high entropy is often referred to as a “random” number in the art because the digits of such a number appear random.
- In some embodiments, configuration settings are encrypted based on a random number that is in turn based on: (1) a unique identifier (“UID”) of a network node, (2) the UID of a processor of the network node, and/or (3) the UID of a process that is running on the processor of the network node. The UID of a network node can be, e.g., the MAC address that is reported by the network node. The UID of a processor can be, e.g., the serial number of a central processing unit (“CPU”) that may be accessed through software instructions such as processor operation code instructions (also referred to as “opcodes”). The UID of a process can be, e.g., an operating environment process identifier (also referred to as a “PID”). UIDs can be combined by way of mathematical or logical operations (e.g., mathematical addition, logical addition) to form a string that is then given as input to a hash function (e.g., Message-Digest Algorithm, Secure Hash Algorithm) to produce a number having high entropy for use in an encryption algorithm.
- The use of UIDs for encrypting configuration settings is further described with reference to FIG. 8, which depicts a standard network node 800 and a super network node 810. Standard network node 800 includes network interface 801 and CPU 802, and operates under an operating environment that provides shell 803. Network interface 801 provides MAC address information. CPU 802 provides serial number information. Shell 803 provides PID information regarding processes that are running on standard network node 800. The foregoing information is provided to a hash function 804, which computes a number having high entropy that is then provided to key generator function 805, which computes a private key 806 and a public key 807 for purposes of encrypting configuration settings that reside at and/or that are sent to standard network node 800. Standard network node 800 makes public key 807 available to other network nodes, e.g., by including public key 807 in requests for configuration settings that are sent to super network activity detectors. Super network node 810 uses encryption function 812 and public key 807 to encrypt configuration settings 813 that are then sent to standard network node 800.
- Configuration settings 813, once received by standard network node 800, can remain encrypted until their contents (e.g., meta-expressions) are needed to carry out processes for detecting digital security threats. When needed, configuration settings 813 are loaded into processor memory and provided to decryption function 808 so that standard network node 800 can operate based on the configuration settings.
- FIG. 9 illustrates exemplary process 900, which may be performed by a network activity detector at a network node to carry out the above-described encryption techniques. At block 910, the network activity detector that is carrying out process 900 (referred to as the “local network activity detector”) obtains one or more UIDs. The obtained UIDs may include a MAC ID, a CPU serial number, and/or a PID. At block 920, the obtained UIDs are combined and a hash function is used to produce a number having high entropy based on the UIDs. At block 930, one or more keys are calculated based on the hash number. The keys may be a private key, a public key, and/or a shared key. At block 940, one of the keys obtained at block 930 is sent to a super network activity detector. At block 950, configuration settings that have been encrypted using the same key are received by the local network activity detector. At block 960, the local network activity detector decrypts the received configuration settings using one of the keys obtained at block 930. At block 970, the decrypted configuration settings are used by the local network activity detector to detect network digital security threats.
- Process 900 is desirable for at least three reasons. First, the number that is obtained based on the above-described UIDs has high entropy (even before the application of a hash function), and is thus a good random number for purposes of encryption. For instance, MAC addresses are intended to be universally unique. Second, the number is difficult to reverse-engineer because it is difficult to identify (e.g., reverse-engineer) a CPU serial number without physical or low-level access to a CPU, and because it is difficult to predict the PID of a running process. Third, the decrypted output of block 960, which is a set of configuration settings that includes meta-expressions for detecting digital security threats, can reside within processor memory. Unlike larger signature files, meta-expressions (which typically total less than 1 kilobyte in size) can reside completely within the internal memory of many modern processors without needing to be stored in external memory locations during operation. As one of ordinary skill in the art would recognize, it would be difficult to obtain the decrypted meta-expressions (and/or other configuration settings) from the internal memory of a CPU without physical or low-level access (e.g., debug mode) to the CPU, both of which would be difficult for a malicious entity to achieve in a typical network-based attack.
- Portions of the above-described processes may be implemented in exemplary computing system 1000 illustrated in FIG. 10. In some embodiments, computing system 1000 is a network device, such as a router, a gateway, a firewall, or the like. In some embodiments, computing system 1000 is a gateway device, such as a modem, or the like. In some embodiments, computing system 1000 is a mobile device, such as a desktop computer, a laptop computer, a cellular phone, a tablet, or the like. In some embodiments, computing system 1000 is a network interface “card.”
- As shown in FIG. 10, computing system 1000 includes a computer motherboard 1002 with bus 1010 that connects I/O section 1004, one or more central processing units (CPU) 1006, and a memory section 1008 together. Memory section 1008 may have memory module 1020 related to it. Memory module 1020 may be, for example, a flash memory and/or a removable memory device. The I/O section 1004 is connected to network interface 1012, which receives and/or transmits network packets. I/O section 1004 may be connected to display 1014, input device 1016, and/or storage unit 1018. Memory section 1008, memory module 1020, and/or storage unit 1022 can store (e.g., tangibly embody) a computer-readable medium that contains computer-executable instructions and/or data for performing any one of the above-described processes using CPU 1006. The computer-executable instructions may be written, for example, in a general-purpose programming language (e.g., LISP, C, JSON) or some specialized application-specific language. Input device 1016 may be a USB port supporting input from USB-compliant devices, such as a keyboard, a mouse, a memory stick, or the like. At least some values based on the results of the above-described processes can be saved into memory such as memory 1008, memory module 1020, and/or disk storage unit 1018 for subsequent use.
- Portions of the above-described processes also may be implemented in a processor by way of specifically arranged integrated circuits (e.g., application-specific integrated circuits). In some embodiments, the integrated circuit can be part of the main processor of a device, such as the main processor of a cellular phone. In some embodiments, the integrated circuit can be part of an auxiliary processor of a device, such as a processor that is connected to the motherboard of a laptop. The integrated circuits can contain computer-executable instructions and/or data for performing any one of the above-described processes. The computer-executable instructions may be written, for example, in a specialized application-specific (e.g., processor-specific) language.
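The UID-based key derivation and encrypted configuration exchange of process 900 (FIG. 9, blocks 910-970), as an added Python example that is not part of the patent. It uses the shared-key variant of block 930; the symmetric cipher the patent leaves unnamed is stood in for by an HMAC-SHA256 keystream with an encrypt-then-MAC tag, the hand-off of the key at block 940 is abstracted to both sides holding the same keys, and the MAC address, CPU serial number and PID values are constructed.

```python
import hashlib
import hmac
import os
from typing import Tuple

NONCE_LEN = 16
TAG_LEN = 32


def uid_number(mac: str, cpu_serial: str, pid: int) -> bytes:
    """Blocks 910-920: combine the three UIDs and hash them into a 256-bit number.
    The UIDs are joined with a separator (an assumption; the patent only says
    'mathematical or logical operations') so fields cannot run into one another.
    SHA-256 fixes the length of the number; any unpredictability comes from the UIDs."""
    material = f"{mac.lower()}|{cpu_serial}|{pid}".encode()
    return hashlib.sha256(material).digest()


def derive_keys(number: bytes) -> Tuple[bytes, bytes]:
    """Block 930, shared-key variant: one subkey for confidentiality and one for
    integrity, both derived from the hashed number with domain separation."""
    enc_key = hmac.new(number, b"utms/enc", hashlib.sha256).digest()
    mac_key = hmac.new(number, b"utms/mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF-based stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_settings(keys: Tuple[bytes, bytes], settings: bytes) -> bytes:
    """Super node side (FIG. 8, encryption function 812): encrypt-then-MAC.
    Output layout: nonce || ciphertext || tag."""
    enc_key, mac_key = keys
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(settings, _keystream(enc_key, nonce, len(settings))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_settings(keys: Tuple[bytes, bytes], blob: bytes) -> bytes:
    """Block 960 (FIG. 8, decryption function 808): reject anything whose tag
    does not verify before touching the ciphertext."""
    enc_key, mac_key = keys
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("configuration settings blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("configuration settings failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def process_900_round_trip(mac: str, cpu_serial: str, pid: int, settings: bytes) -> bytes:
    """Blocks 910-970 end to end for one local detector. The key hand-off to the
    super node (block 940) is abstracted: both sides simply hold `keys`."""
    keys = derive_keys(uid_number(mac, cpu_serial, pid))   # blocks 910-930
    encrypted = encrypt_settings(keys, settings)           # what arrives at block 950
    return decrypt_settings(keys, encrypted)               # block 960 output
```

Because the PID is part of the input, a restarted detector process derives a different key, so settings encrypted for the old process can no longer be decrypted and must be requested again.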
- Although only certain exemplary embodiments have been described in detail above, those skilled in the art will readily appreciate that many modifications are possible in the exemplary embodiments without materially departing from the novel teachings and advantages of this disclosure. For example, aspects of embodiments disclosed above can be combined in other combinations to form additional embodiments. Accordingly, all such modifications are intended to be included within the scope of this technology.
Claims (20)
1. A method of promoting security of a computer network, the method comprising:
sending, by a first network activity detector of a first device coupled with a network, a request for configuration information to a second network activity detector of a second device identified as being a source of configuration information, wherein the second device is coupled with the network, wherein the configuration information includes a set of information for detecting digital security threats, wherein the first device is separate and distinct from the second device;
receiving, by the first network activity detector, the configuration information from the second network activity detector; and
sending, by the first network activity detector, the configuration information to a third network activity detector of a third device, wherein the third device is separate and distinct from the first device and the second device.
2. The method of claim 1, wherein the request is sent using a UDP network packet.
3. The method of claim 1, wherein:
the configuration information sent by the first network activity detector to the third network activity detector is at least partially encrypted; and
the encryption of the configuration information is based on one or more of a MAC address of the third network activity detector, a process identifier of an operating environment running on the third network activity detector, and a serial number of a processor of the third network activity detector.
4. The method of claim 1, further comprising creating another set of configuration information.
5. The method of claim 1, further comprising:
receiving, from the third network activity detector, a request for the configuration information; and
instructing, by the first network activity detector, the third network activity detector to send future requests for configuration information to a fourth network activity detector,
wherein the fourth network activity detector is different from the first network activity detector.
6. The method of claim 5, further comprising:
instructing, by the first network activity detector, the fourth network activity detector to respond to requests for configuration information.
7. A non-transitory computer-readable storage medium having computer-executable instructions, wherein the computer-executable instructions, when executed by one or more computer processors, cause the one or more computer processors to promote security of a computer network, the computer-executable instructions comprising instructions for:
sending, by a first network activity detector of a first device coupled with the network, a request for configuration information to a second network activity detector of a second device identified as being a source of configuration information, wherein the second device is coupled with the network, wherein the configuration information includes a set of information for detecting digital security threats and wherein the first device is separate and distinct from the second device;
receiving, from the second network activity detector, by the first network activity detector, the configuration information; and
sending, by the first network activity detector, the configuration information to a third network activity detector of a third device, wherein the third device is separate and distinct from the first device and the second device.
8. The non-transitory computer-readable storage medium of claim 7, wherein the request is sent using a UDP network packet.
9. The non-transitory computer-readable storage medium of claim 7, wherein:
the configuration information sent by the first network activity detector to the third network activity detector is at least partially encrypted; and
the encryption is based on one or more of a MAC address of the third network activity detector, a process identifier of an operating environment running on the third network activity detector, and a serial number of a processor of the third network activity detector.
10. The non-transitory computer-readable storage medium of claim 7, wherein the computer-executable instructions further comprise instructions for creating another set of configuration information.
11. The non-transitory computer-readable storage medium of claim 7, wherein the computer-executable instructions further comprise instructions for:
receiving, from the third network activity detector, a request for the configuration information; and
instructing, by the first network activity detector, the third network activity detector to send future requests for configuration information to a fourth network activity detector,
wherein the fourth network activity detector is different from the first network activity detector.
12. The non-transitory computer-readable storage medium of claim 11, wherein the computer-executable instructions further comprise instructions for:
instructing, by the first network activity detector, the fourth activity detector to respond to requests for configuration information.
13. The computer-readable storage medium of claim 7, wherein the second network activity detector is in a predefined operating mode.
14. A first network activity detector of a first device, the first network activity detector comprising:
a network interface configured to couple with a network; and
a processor configured to:
send a request for configuration information across the network to a second network activity detector of a second device identified as being a source of configuration information, wherein the configuration information includes a set of information for detecting digital security threats, and wherein the first device is separate and distinct from the second device,
receive the configuration information from the second network activity detector; and
send the configuration information to a third network activity detector of a third device, the third device being separate and distinct from the first and second devices.
15. The first network activity detector of claim 14, wherein the request is sent using a UDP network packet.
16. The first network activity detector of claim 14, wherein the network activity detector is a first network activity detector, and wherein:
the configuration information sent by the first network activity detector to the third network activity detector is at least partially encrypted; and
the encryption is based on one or more of a MAC address of the third network activity detector, a process identifier of an operating environment running on the third network activity detector, and a serial number of a processor of the third network activity detector.
17. The first network activity detector of claim 14, wherein the processor is further configured to create another set of configuration information.
18. The first network activity detector of claim 14, wherein the network activity detector is a first network activity detector and the processor of the first network activity detector is further configured to:
receive, from the third network activity detector, a request for the configuration information; and
instruct, by the first network activity detector, the third network activity detector to send future requests for configuration information to a fourth network activity detector,
wherein the fourth network activity detector is different from the first network activity detector.
19. The first network activity detector of claim 18, wherein the processor is further configured to:
instruct, by the first network activity detector, the fourth activity detector to respond to requests for configuration information.
20. The network activity detector of claim 15, wherein the second network activity detector is in a predefined operating mode.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/573,820 US20200014709A1 (en) | 2013-03-12 | 2019-09-17 | Configuration management for network activity detectors |
Applications Claiming Priority (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201361778305P | 2013-03-12 | 2013-03-12 | |
US14/207,382 US9021574B1 (en) | 2013-03-12 | 2014-03-12 | Configuration management for network activity detectors |
US14/666,815 US9888018B1 (en) | 2013-03-12 | 2015-03-24 | Configuration management for network activity detectors |
US15/889,069 US10440038B2 (en) | 2013-03-12 | 2018-02-05 | Configuration management for network activity detectors |
US16/573,820 US20200014709A1 (en) | 2013-03-12 | 2019-09-17 | Configuration management for network activity detectors |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/889,069 Continuation US10440038B2 (en) | 2013-03-12 | 2018-02-05 | Configuration management for network activity detectors |
Publications (1)
Publication Number | Publication Date |
---|---|
US20200014709A1 true US20200014709A1 (en) | 2020-01-09 |
Family
ID=52987186
Family Applications (4)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/207,382 Active US9021574B1 (en) | 2013-03-12 | 2014-03-12 | Configuration management for network activity detectors |
US14/666,815 Active - Reinstated US9888018B1 (en) | 2013-03-12 | 2015-03-24 | Configuration management for network activity detectors |
US15/889,069 Active US10440038B2 (en) | 2013-03-12 | 2018-02-05 | Configuration management for network activity detectors |
US16/573,820 Abandoned US20200014709A1 (en) | 2013-03-12 | 2019-09-17 | Configuration management for network activity detectors |
Family Applications Before (3)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/207,382 Active US9021574B1 (en) | 2013-03-12 | 2014-03-12 | Configuration management for network activity detectors |
US14/666,815 Active - Reinstated US9888018B1 (en) | 2013-03-12 | 2015-03-24 | Configuration management for network activity detectors |
US15/889,069 Active US10440038B2 (en) | 2013-03-12 | 2018-02-05 | Configuration management for network activity detectors |
Country Status (1)
Country | Link |
---|---|
US (4) | US9021574B1 (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9021574B1 (en) * | 2013-03-12 | 2015-04-28 | TrustPipe LLC | Configuration management for network activity detectors |
US10084825B1 (en) * | 2017-05-08 | 2018-09-25 | Fortinet, Inc. | Reducing redundant operations performed by members of a cooperative security fabric |
US10938819B2 (en) | 2017-09-29 | 2021-03-02 | Fisher-Rosemount Systems, Inc. | Poisoning protection for process control switches |
US20190372973A1 (en) * | 2018-05-30 | 2019-12-05 | Cisco Technology, Inc. | Device onboarding with automatic ipsk provisioning in wireless networks |
US11082451B2 (en) * | 2018-12-31 | 2021-08-03 | Citrix Systems, Inc. | Maintaining continuous network service |
US20150356104A9 (en) * | 2011-10-04 | 2015-12-10 | Electro Industries/Gauge Tech | Systems and methods for collecting, analyzing, billing, and reporting data from intelligent electronic devices |
US9065745B2 (en) | 2011-10-06 | 2015-06-23 | International Business Machines Corporation | Network traffic distribution |
US8856290B2 (en) * | 2011-10-24 | 2014-10-07 | General Instrument Corporation | Method and apparatus for exchanging configuration information in a wireless local area network |
US8832831B2 (en) * | 2012-03-21 | 2014-09-09 | Radware, Ltd. | Method and system for detecting and mitigating attacks performed using cryptographic protocols |
US8347391B1 (en) * | 2012-05-23 | 2013-01-01 | TrustPipe LLC | System and method for detecting network activity of interest |
US8910282B2 (en) * | 2012-09-04 | 2014-12-09 | Jonathan Somers | System and method for protecting devices on dynamically configured network |
US9436623B2 (en) * | 2012-09-20 | 2016-09-06 | Intel Corporation | Run-time fabric reconfiguration |
US9055390B2 (en) * | 2012-10-19 | 2015-06-09 | Hong Kong Applied Science And Technology Research Institute Co., Ltd. | Apparatus, system, and method for peer group formation for mobile devices by proximity sensing |
US9031776B2 (en) * | 2012-11-29 | 2015-05-12 | Nissan North America, Inc. | Vehicle intersection monitoring system and method |
US9620014B2 (en) * | 2012-11-29 | 2017-04-11 | Nissan North America, Inc. | Vehicle intersection monitoring system and method |
US9349291B2 (en) * | 2012-11-29 | 2016-05-24 | Nissan North America, Inc. | Vehicle intersection monitoring system and method |
US8847787B2 (en) * | 2012-11-29 | 2014-09-30 | Nissan North America, Inc. | Vehicle intersection warning system and method |
US8973146B2 (en) * | 2012-12-27 | 2015-03-03 | Mcafee, Inc. | Herd based scan avoidance system in a network environment |
US9020728B2 (en) * | 2013-01-17 | 2015-04-28 | Nissan North America, Inc. | Vehicle turn monitoring system and method |
US9021574B1 (en) * | 2013-03-12 | 2015-04-28 | TrustPipe LLC | Configuration management for network activity detectors |
US9344440B2 (en) * | 2013-06-20 | 2016-05-17 | Arbor Networks, Inc. | Forced alert thresholds for profiled detection |
US10284570B2 (en) * | 2013-07-24 | 2019-05-07 | Wells Fargo Bank, National Association | System and method to detect threats to computer based devices and systems |
US8990001B2 (en) * | 2013-07-26 | 2015-03-24 | Nissan North America, Inc. | Vehicle collision monitoring method |
- 2014
  - 2014-03-12 US US14/207,382 patent/US9021574B1/en active Active
- 2015
  - 2015-03-24 US US14/666,815 patent/US9888018B1/en active Active - Reinstated
- 2018
  - 2018-02-05 US US15/889,069 patent/US10440038B2/en active Active
- 2019
  - 2019-09-17 US US16/573,820 patent/US20200014709A1/en not_active Abandoned
Also Published As
Publication number | Publication date |
---|---|
US10440038B2 (en) | 2019-10-08 |
US9888018B1 (en) | 2018-02-06 |
US20190058716A1 (en) | 2019-02-21 |
US9021574B1 (en) | 2015-04-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11290478B2 (en) | | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
US10440038B2 (en) | | Configuration management for network activity detectors |
US10652210B2 (en) | | System and method for redirected firewall discovery in a network environment |
US8800024B2 (en) | | System and method for host-initiated firewall discovery in a network environment |
US9680795B2 (en) | | Destination domain extraction for secure protocols |
JP6175520B2 (en) | | Computer program, processing method, and network gateway |
US9489193B2 (en) | | Method and system for providing software updates to local machines |
US10903999B1 (en) | | Protecting PII data from man-in-the-middle attacks in a network |
WO2013006296A1 (en) | | Methods and apparatus for secure data sharing |
US20160036795A1 (en) | | Method and system for providing a virtual asset perimeter |
US10021070B2 (en) | | Method and apparatus for federated firewall security |
Kumar | | Possible solutions on security and privacy issues in fog computing |
Pranav et al. | | Security in mobile cloud computing: A review |
Prabhu et al. | | Fog Security and Privacy |
Wang et al. | | Communication Boundary Stealth Technology of Power Internet of Things Terminal Network |
Quibell | | Implementation and evaluation of a low-cost intrusion detection system for community wireless mesh networks |
GB2489936A (en) | | Preventing cyber attack damage by reloading a copy of a master copy of an operating system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | STPP | Information on status: patent application and granting procedure in general | Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
| | AS | Assignment | Owner name: SECURESKY, INC., NEBRASKA; Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:EVENGX, LLC;REEL/FRAME:052593/0623; Effective date: 20181016 |
| | STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
| | STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |