US20200007501A1 - High-performance computer security gateway for cloud computing platform - Google Patents
- Publication number: US20200007501A1 (application US16/019,539)
- Authority: United States
- Legal status: Granted
Classifications (CPC, all under H04L—Transmission of digital information)
- H04L63/0227—Filtering policies (network security for separating internal from external traffic, e.g. firewalls)
- H04L63/0245—Filtering by information in the payload
- H04L63/0281—Proxies
- H04L63/0471—Confidential data exchange wherein the data content is protected, applying encryption by an intermediary, e.g. receiving clear information at the intermediary and encrypting the received information at the intermediary before forwarding
- H04L63/1408—Detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/168—Implementing security features at a particular protocol layer above the transport layer
- H04L63/20—Managing network security; network security policies in general
- H04L65/102—Gateways (architectures or entities supporting real-time applications in data packet communication)
- H04L65/1033—Signalling gateways
- H04L65/401—Support for services or applications wherein the services involve a main real-time session and one or more additional parallel real-time or time sensitive sessions, e.g. white board sharing or spawning of a subconference
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- H04L67/10—Protocols in which an application is distributed across nodes in the network
Definitions
- the present disclosure relates to the technical area of computer network security.
- the present disclosure specifically relates to high-performance computer network firewalls with deep content inspection.
- FIG. 1 illustrates an example computing environment with which various embodiments may be practiced.
- FIG. 2A illustrates an example configuration of a security gateway system for a cloud computing platform with a corresponding data path where select complex processing, including parallel processing, is offloaded from a lower-performance portion to higher-performance portion.
- FIG. 2B illustrates an example configuration of a security gateway system for a cloud computing platform with a corresponding data path where compute-intensive part of higher-level processing is mainly performed by a higher-performance portion instead of a lower-performance portion.
- FIG. 2C illustrates another example configuration of a security gateway system for a cloud computing platform with a corresponding data path where higher-level processing, including complex threat detection, is mainly performed by a higher-performance portion instead of a lower-performance portion.
- FIG. 3 illustrates an example process performed by the security gateway system of implementing a computer security gateway via deep content inspection.
- FIG. 4 is a block diagram that illustrates a computer system upon which an embodiment of the invention may be implemented.
- the security gateway system is programmed to provide a network firewall for a cloud computing platform.
- a cloud computing platform is implemented with hardware components that are more advanced than general-purpose processors, such as an FPGA
- the security gateway system can comprise a higher-performance hardware portion that utilizes such hardware components.
- the security gateway system can also comprise a lower-performance hardware portion, such as one or more x86 processors, to handle lower-level data processing.
- the security gateway system is programmed to enable secure communication between any computer device outside the cloud computing platform and any computer system within the cloud computing platform.
- the security gateway system can also be programmed to enable secure communication between two computer devices within the cloud computing platform, to provide finer segmentation across various application traffic. Such enablement can involve many computation-intensive operations, including advanced detection of incoming security threats or critical data exfiltration through deep content inspection, and the security gateway system is configured to perform as much of the computation via the higher-performance hardware portion as possible to achieve an optimal performance.
- the lower-performance hardware portion of the security gateway system upon receiving a packet from a source computer system ultimately destined for a destination computer system, is programmed to handle lower-level data processing.
- the lower-level processing of a packet can include processing up to the transport layer.
- the processing result is then transmitted to the higher-performance hardware portion of the security gateway system through a communication bus.
- the higher-performance hardware portion is programmed to then handle higher-level data processing.
- the higher-level processing can include processing up to the application level. More specifically, the higher-level processing may include data decryption based on symmetric cryptography, data decompression, session management, other application-level processing under a transfer protocol, such as the HTTP/2 protocol, or detection of incoming security threats or critical data exfiltration.
- the higher-performance hardware portion is programmed to separate the payload from the metadata in the original packet or the data processed so far and evaluate various attributes of the payload and the metadata.
- the evaluation can include determining whether the payload includes a user authorization to share confidential data (e.g., the source computer system may have obtained a user's authorization to bill a specific charge to a credit card) or whether the payload matches specific keywords or patterns (e.g., filenames or file content of known viruses).
- the evaluation can also include determining whether the size of the payload falls in a specific range (e.g., too large or in a range associated with known threats) or whether the packet was sent during a specific period of time (e.g., certain times of the day).
- the higher-performance hardware portion can also be programmed to keep track of a global or at least a broader communication state for careful evaluation of related packets or connections through which multiple packets are transmitted over time.
- the communication state can be maintained at the HTTP session level for monitoring inter-session communications, where the sessions may be correlated to computer applications.
- the higher-performance hardware portion can be programmed to determine whether the frequency of communications (packets, a corresponding higher-level item, etc.) transmitted by the source computer system exceeds a certain threshold, whether the present communication is preceded by one or more communications that involve extensive querying of the APIs provided by the destination computer system, or whether the present communication is followed by one or more communications involving the transfer of generally confidential data to specific data repositories.
- the present communication can be an HTTP request associated with one session that is succeeded by another HTTP request associated with another session for transferring data to a certain data repository.
- the security gateway system produces many technical benefits.
- the security gateway system can be deployed on public or other generic cloud computing platforms without requiring customized hardware often utilized in on-premise data centers.
- the security gateway system can readily provide native, scaled-up firewall capabilities to such cloud computing platforms.
- the security gateway system is configured to perform most of the higher-level data processing in a higher-performance hardware portion.
- Such a processing pipeline substantially increases the overall processing speed from not only the inherent parallelism and other high-performance features of the higher-performance hardware portion but also the reduced data transfer (and the associated overhead) between the lower-performance hardware portion and the higher-performance hardware portion.
- the security gateway system offers advanced, hardware-enabled detection of incoming security threats or critical data exfiltration.
- digital signatures that typically characterize static, single-dimensional data attributes, such as filenames and other keywords
- the security gateway system is programmed to characterize various aspects of all the data being communicated through the security gateway system over an extended period of time.
- the security gateway system is programmed to evaluate a series of communications between a pair of source and destination computer systems (and a corresponding pair of computer applications) in terms of the nature of and the amount of time required to process the communications as well as the relationships among the communications.
- Such advanced security attack detection results in stronger protection of the cloud computing platform.
- the security gateway is able to manage distributed implementation of some of the rich detection mechanisms via different hardware portions, such as multiple FPGAs and/or other microcode-executing processors. Such scale-out provides elasticity to the security solution.
- FIG. 1 illustrates an example computing environment with which various embodiments may be practiced.
- FIG. 1 is shown in simplified, schematic format for purposes of illustrating a clear example and other embodiments may include more, fewer, or different elements.
- the computing environment includes a cloud computing platform 130, which includes one or more cloud-based service computers 122 and a network security gateway computer 102 (security gateway system), and one or more service consumer computers 112, which are communicatively coupled directly or indirectly via one or more networks 118.
- the cloud computing platform 130 comprises a pool of configurable system resources, each of which may include one or more of a general-purpose processor, a special-purpose processor, or programmable hardware.
- public cloud computing platforms may include x86 processors, FPGAs, or GPUs.
- the cloud computing platform 130 is typically programmed to provide fundamental computing services and enable rapid deployment of independent, higher-level computing services by one or more enterprises with minimum infrastructure management efforts.
- the components implementing these higher-level computing services then correspond to the one or more cloud-based service computers 122. These components can run as virtual instances or bare metal (physical) instances.
- a cloud-based service 122 may be a Web server computer managing a Web service of handling account authentication.
- the security gateway system 102 generally includes computers, virtual computing instances or virtual appliances, and/or instances of a server-based application.
- the security gateway system 102 is configured to generally host or execute functions including but not limited to network firewall capabilities for the cloud computing platform 130. More specifically, the security gateway system 102 is configured to maintain data security not only within the cloud computing platform where the one or more cloud-based service computers 122 operate, but also between the cloud computing platform 130 and the external environment where the one or more service consumer computers 112 operate. Therefore, the security gateway system 102 is programmed to establish a secure communication channel with a cloud-based service 122 or a service consumer 112.
- the security gateway system 102 can be configured to conform to certain transport-level security protocols and further perform application-level data encryption or decryption for any communication with any other computer system. Furthermore, the security gateway system 102 is programmed to monitor metadata in transmitted packets, payloads in the transmitted packets, and metadata in user session states for security attacks.
- a service consumer computer 112 is programmed to communicate with one or more cloud-based service computers 122 regarding the provided services through the security gateway system 102. More specifically, the service consumer computer 112 may be configured to transmit input data to a provided service or receive output data from the provided service.
- the service consumer computer 112 may comprise computing facility with sufficient computing power in data processing, data storage, and network communication for the above-described functions.
- the service consumer computer 112 can comprise a desktop computer, laptop computer, tablet computer, smartphone, wearable device, etc.
- the network 118 may be implemented by any medium or mechanism that provides for the exchange of data between the various elements of FIG. 1.
- Examples of the network 118 include, without limitation, one or more of a cellular network, communicatively coupled with a data connection to the computing devices over a cellular antenna, a near-field communication (NFC) network, a Local Area Network (LAN), a Wide Area Network (WAN), the Internet, a terrestrial or satellite link, etc.
- a service consumer computer 112 is programmed to send a request for a service, such as an HTTP message, to a cloud-based service computer 122.
- multiple service consumer computers 112 can be programmed to send a request to a cloud-based service computer 122, or a service consumer computer 112 can be programmed to send multiple requests to multiple cloud-based service computers 122.
- the security gateway system 102 is programmed to initially receive the request. The security gateway system 102 is programmed to then disassemble the request in order to detect security attacks, such as a distributed denial of service (DDoS). The detection of a security attack includes complex processing that could depend on data related to other communications with the service consumer computer 112.
- the security gateway system 102 may comprise a lower-performance hardware portion and a higher-performance hardware portion, as further discussed below, and the processing of the request may flow between the two portions to optimize overall performance of the security gateway system 102.
- the security gateway system 102 is programmed to take remedial actions.
- the security gateway system 102 is programmed to then send the original request or the processing result to the cloud-based service computer 122.
- the cloud-based service computer 122 is programmed to perform the requested service and send the outcome of the service to the service consumer computer 112.
- the security gateway system 102 is programmed to initially receive the outcome of the service.
- the security gateway system 102 is programmed to then disassemble the outcome for detection of any data exfiltration, as discussed above.
- the security gateway system 102 is programmed to then send the original outcome or the corresponding processing result to the service consumer computer 112.
- the data may undergo various types of processing, which can be classified according to certain conceptual models.
- One such conceptual model is the OSI model, which includes seven layers of increasing abstraction from the physical layer to the application layer. Some of the various types of processing tend to require more computing resources, such as encryption or decryption, compression or decompression, or pattern recognition.
- the highest-level processing corresponding to the highest layers of the conceptual models include processing under the HTTP protocol.
- the security gateway system 102 comprises a lower-performance portion, such as an x86 processor or another general-purpose processor designed for sequential processing, and a higher-performance portion, such as an FPGA, application-specific integrated circuits (ASICs), or other programmable hardware inherently suitable for parallel or other high-performance processing, including high-speed or high-throughput processing.
- the lower-performance portion is generally used for performing lower-level tasks that do not necessarily benefit from implementation in the high-performance portion.
- FIG. 2A illustrates an example configuration of a security gateway system for a cloud computing platform with a corresponding data path where select complex processing, including parallel processing, is offloaded from a lower-performance portion to higher-performance portion.
- the lower-performance portion 202 is programmed to manage the main data processing pipeline.
- the data processing pipeline may include a first component 206 that supports lowest-level processing, such as the processing performed by the first layer of the OSI model.
- the first component 206 can be implemented with the Data Plane Development Kit (DPDK).
- the first component 206 can be governed by the protocols corresponding to the OSI physical layer, such as the IEEE 802.3 (Ethernet) standard.
- the data processing pipeline may include a second component 208 configured to support lower-level processing, such as the processing performed by the next three layers of the OSI model.
- the second component 208 can be implemented with the Linux Kernel Library (LKL).
- the second component 208 can be governed by various protocols corresponding to the OSI data link layer, including the Media Access Control (MAC) layer or the Logical Link Control (LLC) sublayer, protocols corresponding to the OSI network layer, such as the Internet Protocol (IP), or protocols corresponding to the OSI transport layer, such as the Transport Layer Protocol (TCP).
- the data processing pipeline may also include a third component 210 configured to support higher-level processing, such as the processing performed by the sixth layer of the OSI model.
- the third component 210 can be implemented using the OPENSSL library or be governed by other protocols corresponding to the OSI presentation layer.
- the data processing pipeline may further include a fourth component 212, a fifth component 214, and a sixth component 216 configured to support highest-level processing, such as the processing performed by the seventh layer of the OSI model.
- the fourth component 212 can be governed by the HTTP/1 or HTTP/2 protocol
- the fifth component 214 can implement security attack detection
- the sixth component 216 can implement application proxies.
- the security attack detection may be based on existing rules, URL filters, or run time solutions of data loss prevention (DLP).
- another component can implement a Web application firewall (WAF) to filter HTTP traffic to and from web applications in addition to the fifth component 214 operating in a streaming mode.
- the higher-performance portion 204 is programmed to take over some of the processing from the lower-performance portion 202.
- the higher-performance portion 204 can include certain components configured to handle party authentication and secure data transmission, which often could have been included in the third component 210 discussed above.
- These components include a seventh component 220 configured to perform operations related to asymmetric cryptography, such as RSA exponential multiplication, ECDHE-ECDSA point multiplication, SHA1, or DRBG.
- the seventh component 220 may be configured to create the Master Secret in a TLS handshake.
- These components also include an eighth component 222 configured to perform operations related to symmetric cryptography, such as AES-GCM, AES-CBC, or ChaCha (Poly).
- the eighth component 222 can be configured to enable subsequent use of session keys to decrypt actual data.
- the higher-performance portion 204 can also include certain components configured to handle efficient data inspection, which often could have been included in the fourth component 212 discussed above.
- These components include a ninth component 224 configured to decompress the application data, such as the payload of an HTTP request compressed by gzip or other compression schemes.
- the higher-performance portion 204 can include certain components configured to find matches of specific digital signatures of malware for detection of incoming security threats or critical data exfiltration, which also could have been included in the fifth component 214 discussed above as part of the HTTP traffic inspection.
- These components include a tenth component 226 configured to find matches of predetermined regular expressions in the data, which may characterize a file name, a uniform resource locator (URL), or a string within the payload from one or more packets within a session, for example.
- any of the seventh through the tenth components 220 , 222 , 224 , and 226 can be implemented using techniques known to someone skilled in the art.
- the security gateway system 102 is programmed to receive data from another device, which can reside on the same cloud computing platform or outside the cloud computing platform.
- the data is initially received by the lower-performance portion 202 .
- Data processing flows through the first component 206 , the second component 208 , and the third component 210 .
- the processing result is then transmitted to the higher-performance portion 204 .
- the third component 210 can be configured to recognize whether the processing result corresponds to data for establishing a secure communication channel instead of data to be transmitted and processed within the secure communication channel.
- data processing occurs in the seventh component 220 .
- the processing result is then transmitted back to the lower-performance portion 202 .
- data processing does not need to reach the fourth element 212 or succeeding components in the data processing pipeline.
- the processing result corresponds to data to be transmitted and processed within the secure communication channel
- data processing occurs in the eighth component 222 .
- the processing result is then transmitted back to the lower-performance portion 202 .
- Data processing then flows through the third component 210 and the fourth component 212 .
- the processing result is then transmitted to the higher-performance portion 204 , where data processing occurs in the ninth component 224 .
- the processing result is then transmitted back to the lower-performance portion 202 .
- the processing then flows through the fourth component 212 and the fifth component 214 .
- the processing result is then transmitted to the higher-performance portion 204 , where data processing occurs in the tenth component 226 .
- the processing result is then transmitted back to the lower-performance portion 202 .
- the fifth component 214 may be programmed not to continue data processing through the fourth component 212 and the sixth component 216 and optionally start return data processing immediately from the fourth component 212 . Alternatively, data processing can continue along the original path to further handle the security attack.
- data processing then flows through the fifth component 214 , the fourth component 212 , and the sixth component 216 .
- When return data processing is necessary because new data (instead of the original packet) needs to be transmitted to the destination, return data processing begins with the fourth component 212 and flows through at least some of the elements in the lower-performance portion 202 .
- the interface between different components in the lower-performance portion 202 can be based on direct memory access (DMA) commands or responses related to memories implemented within the lower-performance portion 202 .
- the interface between the lower-performance portion 202 and the higher-performance portion 204 can rely on a peripheral component interconnect express (PCIe) or other types of computer bus.
- the example configuration discussed in this section can be optimized by at least reducing such traversal.
- FIG. 2B illustrates an example configuration of a security gateway system for a cloud computing platform with a corresponding data path where compute-intensive part of higher-level processing is mainly performed by a higher-performance portion instead of a lower-performance portion.
- the lower-performance portion 202 is programmed to handle mainly the lower-level data processing, such as most processing for the first four layers of the OSI, while the higher-performance portion 204 is programmed to handle the higher-level processing, such as the processing for the application layer of the OSI and additional compute-intensive operations that could benefit from parallelism.
- the lower-performance portion 202 can include similar components as illustrated in FIG. 2A .
- the higher-performance portion 204 can also include similar components as illustrated in FIG. 2A .
- the higher-performance portion 204 can include additional components to enable more advanced higher-level processing.
- the additional components can include an eleventh component 228 configured to handle data packaging corresponding to the transport layer of the OSI.
- the eleventh component 228 can be configured to de-frame TLS messages and accumulate TLS records.
- the additional components can also include a twelfth component 230 configured to perform advanced operations corresponding to the application layer of the OSI.
- the twelfth component 230 can be configured to implement the HTTP/2 protocol, which includes data decoding in the binary framing layer, header decompression via HPACK, association of data to a stream identifier and corresponding stream priority, breaking down the data into individual frames, pushing additional resources into the frames, and interleaving the frames in further delivery.
- the additional components can include a thirteenth component 232 configured to perform complex detection of incoming security threats or critical data exfiltration at the application level, or another component configured to implement an application-level firewall, such as a WAF.
- the security gateway system 102 is programmed to receive data from another device, which can reside on the same cloud computing platform or outside of the cloud computing platform.
- the data is initially received by the lower-performance portion 202 .
- Data processing flows through the first component 206 and the second component 208 .
- the second component 208 can be configured to recognize whether the processing result corresponds to data for establishing a secure communication channel instead of data to be transmitted and processed within the secure communication channel.
- data processing can continue to flow through the third component 210 , the seventh component 220 , and back to the third component 210 , as illustrated in FIG. 2A .
- the processing result corresponds to data to be transmitted and processed within the secure communication channel
- the processing result is transmitted to the higher-performance portion 204 .
- Data processing then flows through the eleventh component 228 , the eighth component 222 , the twelfth component 230 , the ninth component 224 , the twelfth component 230 , the thirteenth component 232 , the tenth component 226 , and the thirteenth component 232 .
- the processing result is transmitted to the lower-performance portion 202 , and data processing continues from the 5th component 216 , as illustrated in FIG. 2A .
- the interface between different components in the higher-performance portion 204 can be based on operations related to FIFO queues or other memory structures implemented within the higher-performance portion 204 .
- FIG. 2C illustrates another example configuration of a security gateway system for a cloud computing platform with a corresponding data path where higher-level processing, including complex security attack detection, is mainly performed by a higher-performance portion instead of a lower-performance portion.
- the higher-performance portion 204 includes a fourteenth component 240 for complex security attack detection.
- the fourteenth component 240 is configured to work with signatures of malicious hosts that depend on various aspects of the communications between different computer systems (or corresponding computer applications) through the security gateway system.
- Such various aspects may include the states of communication associated with the computer systems, the data being communicated by the computer systems, or statistics, metrics, or patterns related to the states of communication or the communicated data.
- the various aspects may include the states of separate HTTP flows (streams of bidirectional flows of bytes within an established connection) or HTTP sessions in the form of HTTP status codes, the headers or payloads of HTTP messages, application IDs derived from HTTP sessions information, HTTP policy language (reflecting a set of rules required by a cloud-based service, for example), or the numbers of active HTTP flows (indicating how often messages are sent) or incomplete HTTP flows (indicating how long it takes to process the messages) during a specific period of time.
- Some of these various aspects may have been recorded by one or more preceding components in the data pipeline for further analysis by the fourteenth component 240 .
- a security attack may correspond to an operation that is immediately preceded by one or more queries of different APIs of a destination computer system for planning purposes (e.g., how to uncover desired data).
- the APIs provided by Web services that conform to the Representational State Transfer (REST) architecture might be queried via certain HTTP methods in one or more sessions.
- a security attack may correspond to an operation that is immediately followed by one or more transfers of data (e.g.
- the fourteenth component 240 can be specifically configured to consider the various aspects of the communications between different computer systems through the security gateway system 102 that include the geographic origin of a communication by a computer system, the time when a communication was initiated by a computer system, the nature of the operations involved in the immediately preceding or succeeding communications (by the same computer system, any computer system, the same computer program, or any computer program, etc.), the gap between the present communication and the immediately preceding or succeeding communication, or the size, the compression status, or the content of the present communication.
- some of the computer systems may already have security attack detection mechanisms in place, such as additional patterns or other rules embodied in their HTTP policy.
- the fourteenth component 240 can be configured to also incorporate those security attack detection mechanisms, by parsing the language of the HTTP policy, for example.
- the fourteenth component 240 can be configured to flag an anomaly when the following detection conditions are all satisfied:
- the fourteenth component 240 is configured to analyze all communication data, including communications that comprise security attacks, and further identify specific patterns or signatures of such security attacks using machine learning techniques known to someone skilled in the art, such as neural networks, regression methods, or decision forests.
- At least part of such application of machine learning techniques can be implemented by an FPGA, other specific hardware, or specific instruction sets especially suitable for implementing such operation of machine learning techniques.
- specific processors can be used to execute microcode that controls the operation of a finite state machine based on the set of detection conditions, as discussed above.
- FIG. 3 illustrates an example process performed by the security gateway system of implementing a computer security gateway via deep content inspection.
- FIG. 3 is shown in simplified, schematic format for purposes of illustrating a clear example and other embodiments may include more, fewer, or different elements connected in various manners.
- FIG. 3 is intended to disclose an algorithm, plan or outline that can be used to implement one or more computer programs or other software elements which when executed cause performing the functional improvements and technical advances that are described herein.
- the flow diagrams herein are described at the same level of detail that persons of ordinary skill in the art ordinarily use to communicate with one another about algorithms, plans, or specifications forming a basis of software programs that they plan to code or implement using their accumulated skill and knowledge.
- the security gateway system 102 for a cloud computing platform comprises a first, higher-performance hardware portion, such as a commodity FPGA or one or more special-purpose processors, and a second, lower-performance hardware portion, such as one or more general-purpose processors.
- the second hardware portion is programmed to intercept a packet from a source computer system to a destination computer system, one of them being a service consumer computer and the other being a cloud-based service computer. Initially, a packet may be part of the handshake process through which the source computer system and the destination process establish the protocols of their communication and secure the communication channel.
- the second hardware portion is programmed to process the packet but offload the computation-intensive process of exchanging keys via asymmetric cryptography to the first hardware portion.
- a packet may contain actual data, such as input data to the service provided by the cloud-based service computer or output data from the service.
- the second hardware portion is programmed to then apply lower-level processing to the packet. Under the OSI model, for example, such lower-level processing may include processing up to the transport layer.
- the second hardware portion is programmed to then transmit the processing result to the first hardware portion for higher-level processing.
- the first hardware portion is programmed to then receive an item in a transport layer from the second hardware portion through a communication bus.
- the first hardware portion is programmed to apply higher-level processing to the item or a derivative thereof as follows.
- such higher-level processing may include processing up to the application layer. More specifically, the higher-level processing can start with transport-level processing, such as de-framing a TLS record from a TCP byte stream.
- the higher-level processing can comprise decrypting data, such as the TLS record, via symmetric cryptography.
- the higher-level processing can include separate decompression of headers and payloads, such as HTTP/2 headers and HTTP data.
- the higher-level processing can comprise further application-level processing, such as processing under HTTP/2.
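The transport-level step above, and the eleventh component 228 of FIG. 2B that de-frames TLS messages and accumulates TLS records, both amount to carving 5-byte-header TLS records out of a TCP byte stream in which record boundaries do not line up with segment boundaries. The following is an added example written for this page (not the patent's own implementation); the record layout and the length bound come from RFC 5246/8446, while the sample segments and the error-returning wrapper are constructed here.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TLS record header layout (RFC 5246 / RFC 8446 section 5.1):
#   ContentType (1 byte) | ProtocolVersion (2 bytes) | length (2 bytes) | fragment
TLS_HEADER_LEN = 5
# Upper bound on an encrypted fragment (2^14 + 256 in TLS 1.3); a header claiming
# more is malformed and should be rejected rather than buffered indefinitely.
MAX_FRAGMENT_LEN = (1 << 14) + 256
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


@dataclass
class TLSRecord:
    content_type: int
    version: Tuple[int, int]
    fragment: bytes  # still encrypted; decrypting it is the eighth component's job


class TLSDeframer:
    """Accumulates TCP payload bytes and emits every complete TLS record.

    One record may span several TCP segments, or several records may share one
    segment, so bytes that do not yet form a whole record are kept for the next feed.
    """

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, data: bytes) -> List[TLSRecord]:
        self._buf += data
        records: List[TLSRecord] = []
        while len(self._buf) >= TLS_HEADER_LEN:
            ctype, major, minor, length = struct.unpack("!BBBH", self._buf[:TLS_HEADER_LEN])
            if ctype not in CONTENT_TYPES:
                raise ValueError(f"unknown TLS content type {ctype}")
            if length > MAX_FRAGMENT_LEN:
                raise ValueError(f"record length {length} exceeds TLS maximum")
            end = TLS_HEADER_LEN + length
            if len(self._buf) < end:
                break  # partial record: wait for the next segment
            records.append(TLSRecord(ctype, (major, minor), bytes(self._buf[TLS_HEADER_LEN:end])))
            del self._buf[:end]
        return records

    def pending(self) -> int:
        """Number of buffered bytes that do not yet form a complete record."""
        return len(self._buf)


def deframe_segments(segments: List[bytes]) -> Tuple[List[TLSRecord], Optional[str]]:
    """Run TCP segments through one deframer; return the records and any error text."""
    deframer = TLSDeframer()
    records: List[TLSRecord] = []
    for seg in segments:
        try:
            records.extend(deframer.feed(seg))
        except ValueError as exc:
            return records, str(exc)
    return records, None


# Constructed sample stream: a handshake record carrying b"hello" followed by an
# application_data record carrying b"application", cut into three TCP segments so
# that the first record spans segments 1-2 and the second record's header is split.
_REC1 = b"\x16\x03\x03\x00\x05" + b"hello"
_REC2 = b"\x17\x03\x03\x00\x0b" + b"application"
_STREAM = _REC1 + _REC2
SAMPLE_SEGMENTS = [_STREAM[:3], _STREAM[3:14], _STREAM[14:]]
# Constructed malformed header claiming a 65535-byte fragment, beyond the TLS bound.
BAD_SEGMENTS = [b"\x17\x03\x03\xff\xff"]

if __name__ == "__main__":
    recs, err = deframe_segments(SAMPLE_SEGMENTS)
    for r in recs:
        print(CONTENT_TYPES[r.content_type], r.version, r.fragment)
    print("malformed stream:", deframe_segments(BAD_SEGMENTS)[1])
```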
- the first hardware portion is programmed to identify a payload in the item received from the first hardware portion.
- the first hardware portion is programmed to determine whether the item forms a security attack based on the payload, the original data, or additional data received from the source computer device before or after the original data was received, including data received from multiple user sessions. More specifically, the first hardware portion can be programmed to determine whether the payload matches specific regular-expression-based signatures, contains an authorization to share personal data, has a specific size, is compressed, or satisfies other criteria regarding the payload.
- the first hardware portion can be programmed to also evaluate the IP address of the source computer system, the time when the item or the original packet was received, or other metadata associated with the payload.
- the first hardware portion can be programmed to analyze data related to additional packets received from the source computer system or corresponding items. More specifically, the first hardware portion may be configured to flag a security anomaly when the payloads in the immediately preceding packets or corresponding items correspond to an exploration of all the APIs of the destination computer system or when the payloads in the immediately succeeding packets or corresponding items correspond to one or more transfers or uploads of obtained data to a data repository.
- the first hardware portion can be configured to monitor the number of active HTTP flows or the number of incomplete HTTP flows corresponding to requests or messages received from the source computer system and destined for one or more destination computer systems during a period of time.
- the first hardware portion is programmed to transmit a result of all the higher-level processing, including a result of determining whether the item includes or forms a security attack, to the second hardware portion.
- the second hardware portion is programmed to analyze the result of determining whether the item forms a security attack. In response to the occurrence of a security attack, the second hardware portion can take a remedial action, such as sending a notification to the destination computer system without forwarding the packet or simply discarding the packet. In response to an absence of a security attack, the second hardware portion is programmed to then perform further high-level processing, such as the processing performed by a proxy server. The second hardware portion is then programmed to send the original packet to the destination computer system or subject the current processing result to increasingly lower levels of processing for transmission to the destination computer system.
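The attack-determination steps of FIG. 3 and the fourteenth component 240 of FIG. 2C describe the same signals: regular-expression signatures in the payload, an exploration of a destination's APIs immediately followed by a bulk transfer to a data repository, and the number of active or incomplete HTTP flows in a period. The following added example (written for this page, not the patent's logic) runs those three checks over a constructed per-source request log; every threshold, the repository host set, the signature list and the 203.0.113.7 address are assumptions, and the geographic-origin and time-of-day signals are left out.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed thresholds and reference sets; the patent names the signals, not these values.
WINDOW_S = 60                 # look-back / look-ahead window, seconds
API_ENUM_THRESHOLD = 4        # distinct API paths of one destination queried inside the window
LARGE_TRANSFER_BYTES = 1_000_000
INCOMPLETE_FLOW_THRESHOLD = 3
REPOSITORY_HOSTS = {"store.example"}   # constructed stand-in for "a data repository"
# Constructed regular-expression signatures of the kind the tenth component matches.
SIGNATURES = {
    "sql-keywords": re.compile(r"(?i)\bunion\b.+\bselect\b"),
    "path-traversal": re.compile(r"(\.\./){2,}"),
}


@dataclass
class Event:
    """One HTTP request as recorded by the preceding pipeline components (constructed shape)."""
    ts: float          # seconds since the session started
    src: str           # source computer system (IP address)
    dst: str           # destination computer system (host)
    method: str
    path: str
    size: int          # payload bytes
    compressed: bool
    completed: bool    # False while the flow is still awaiting its response
    payload: str = ""


def signature_hits(payload: str) -> List[str]:
    """Names of the signatures found in the payload (the regular-expression check)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]


def api_enumeration_before(events: List[Event], idx: int, window: float = WINDOW_S) -> int:
    """Largest number of distinct API paths the same source queried on one
    destination in the window immediately preceding events[idx]."""
    cur = events[idx]
    seen: Dict[str, set] = {}
    for e in events[:idx]:
        if e.src == cur.src and e.method == "GET" and 0 <= cur.ts - e.ts <= window:
            seen.setdefault(e.dst, set()).add(e.path)
    return max((len(paths) for paths in seen.values()), default=0)


def is_repository_transfer(e: Event) -> bool:
    """A large upload to a data repository: the 'immediately following transfer' signal."""
    return e.method in ("POST", "PUT") and e.dst in REPOSITORY_HOSTS and e.size >= LARGE_TRANSFER_BYTES


def flow_counts(events: List[Event], now: float, window: float = WINDOW_S) -> Dict[str, int]:
    """Active and incomplete HTTP flows seen in the window ending at `now`."""
    recent = [e for e in events if now - window <= e.ts <= now]
    return {"active": len(recent), "incomplete": sum(1 for e in recent if not e.completed)}


def evaluate(events: List[Event]) -> List[Tuple[str, float]]:
    """Return (finding, timestamp) pairs; an empty list means nothing was flagged."""
    findings: List[Tuple[str, float]] = []
    for i, e in enumerate(events):
        for name in signature_hits(e.payload):
            findings.append((f"signature:{name}", e.ts))
        # Exploration of a destination's APIs immediately followed by a bulk transfer out.
        if is_repository_transfer(e) and api_enumeration_before(events, i) >= API_ENUM_THRESHOLD:
            findings.append(("api-exploration-then-transfer", e.ts))
    if events:
        counts = flow_counts(events, now=events[-1].ts)
        if counts["incomplete"] >= INCOMPLETE_FLOW_THRESHOLD:
            findings.append(("too-many-incomplete-flows", events[-1].ts))
    return findings


# Constructed session from one source (203.0.113.7 is a documentation-range address).
SAMPLE_EVENTS = [
    Event(0, "203.0.113.7", "svc.example", "GET", "/api/v1/users", 0, False, True),
    Event(2, "203.0.113.7", "svc.example", "GET", "/api/v1/orders", 0, False, True),
    Event(4, "203.0.113.7", "svc.example", "GET", "/api/v1/keys", 0, False, True),
    Event(6, "203.0.113.7", "svc.example", "GET", "/api/v1/reports", 0, False, True),
    Event(8, "203.0.113.7", "svc.example", "GET", "/api/v1/export", 0, False, True),
    Event(20, "203.0.113.7", "store.example", "POST", "/bulk", 5_000_000, True, True),
    Event(25, "203.0.113.7", "svc.example", "GET", "/search", 40, False, False,
          payload="q=1 UNION SELECT name FROM users"),
    Event(26, "203.0.113.7", "svc.example", "GET", "/files", 30, False, False,
          payload="file=../../../../config"),
    Event(27, "203.0.113.7", "svc.example", "GET", "/api/v1/users", 0, False, False),
    Event(28, "203.0.113.7", "svc.example", "GET", "/api/v1/orders", 0, False, False),
]

if __name__ == "__main__":
    for finding, ts in evaluate(SAMPLE_EVENTS):
        print(f"t={ts:>4}s  {finding}")
```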
- the techniques described herein are implemented by at least one computing device.
- the techniques may be implemented in whole or in part using a combination of at least one server computer and/or other computing devices that are coupled using a network, such as a packet data network.
- the computing devices may be hard-wired to perform the techniques, or may include digital electronic devices such as at least one application-specific integrated circuit (ASIC) or field programmable gate array (FPGA) that is persistently programmed to perform the techniques, or may include at least one general purpose hardware processor programmed to perform the techniques pursuant to program instructions in firmware, memory, other storage, or a combination.
- Such computing devices may also combine custom hard-wired logic, ASICs, or FPGAs with custom programming to accomplish the described techniques.
- the computing devices may be server computers, workstations, personal computers, portable computer systems, handheld devices, mobile computing devices, wearable devices, body mounted or implantable devices, smartphones, smart appliances, internetworking devices, autonomous or semi-autonomous devices such as robots or unmanned ground or aerial vehicles, any other electronic device that incorporates hard-wired and/or program logic to implement the described techniques, one or more virtual computing machines or instances in a data center, and/or a network of server computers and/or personal computers.
- FIG. 4 is a block diagram that illustrates an example computer system with which an embodiment may be implemented.
- a computer system 400 and instructions for implementing the disclosed technologies in hardware, software, or a combination of hardware and software are represented schematically, for example as boxes and circles, at the same level of detail that is commonly used by persons of ordinary skill in the art to which this disclosure pertains for communicating about computer architecture and computer systems implementations.
- Computer system 400 includes an input/output (I/O) subsystem 402 which may include a bus and/or other communication mechanism(s) for communicating information and/or instructions between the components of the computer system 400 over electronic signal paths.
- the I/O subsystem 402 may include an I/O controller, a memory controller and at least one I/O port.
- the electronic signal paths are represented schematically in the drawings, for example as lines, unidirectional arrows, or bidirectional arrows.
- At least one hardware processor 404 is coupled to I/O subsystem 402 for processing information and instructions.
- Hardware processor 404 may include, for example, a general-purpose microprocessor or microcontroller and/or a special-purpose microprocessor such as an embedded system or a graphics processing unit (GPU) or a digital signal processor or ARM processor.
- Processor 404 may comprise an integrated arithmetic logic unit (ALU) or may be coupled to a separate ALU.
- Computer system 400 includes one or more units of memory 406 , such as a main memory, which is coupled to I/O subsystem 402 for electronically digitally storing data and instructions to be executed by processor 404 .
- Memory 406 may include volatile memory such as various forms of random-access memory (RAM) or other dynamic storage device.
- Memory 406 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 404 .
- Such instructions when stored in non-transitory computer-readable storage media accessible to processor 404 , can render computer system 400 into a special-purpose machine that is customized to perform the operations specified in the instructions.
- Computer system 400 further includes non-volatile memory such as read only memory (ROM) 408 or other static storage device coupled to I/O subsystem 402 for storing information and instructions for processor 404 .
- the ROM 408 may include various forms of programmable ROM (PROM) such as erasable PROM (EPROM) or electrically erasable PROM (EEPROM).
- a unit of persistent storage 410 may include various forms of non-volatile RAM (NVRAM), such as FLASH memory, or solid-state storage, magnetic disk or optical disk such as CD-ROM or DVD-ROM, and may be coupled to I/O subsystem 402 for storing information and instructions.
- Storage 410 is an example of a non-transitory computer-readable medium that may be used to store instructions and data which when executed by the processor 404 cause performing computer-implemented methods to execute the techniques herein.
- the instructions in memory 406 , ROM 408 or storage 410 may comprise one or more sets of instructions that are organized as modules, methods, objects, functions, routines, or calls.
- the instructions may be organized as one or more computer programs, operating system services, or application programs including mobile apps.
- the instructions may comprise an operating system and/or system software; one or more libraries to support multimedia, programming or other functions; data protocol instructions or stacks to implement TCP/IP, HTTP or other communication protocols; file processing instructions to interpret and render files coded using HTML, XML, JPEG, MPEG or PNG; user interface instructions to render or interpret commands for a graphical user interface (GUI), command-line interface or text user interface; application software such as an office suite, internet access applications, design and manufacturing applications, graphics applications, audio applications, software engineering applications, educational applications, games or miscellaneous applications.
- the instructions may implement a web server, web application server or web client.
- the instructions may be organized as a presentation layer, application layer and data storage layer such as a relational database system using structured query language (SQL) or no SQL, an object store, a graph database, a flat file system or other data storage.
- Computer system 400 may be coupled via I/O subsystem 402 to at least one output device 412 .
- output device 412 is a digital computer display. Examples of a display that may be used in various embodiments include a touch screen display or a light-emitting diode (LED) display or a liquid crystal display (LCD) or an e-paper display.
- Computer system 400 may include other type(s) of output devices 412 , alternatively or in addition to a display device. Examples of other output devices 412 include printers, ticket printers, plotters, projectors, sound cards or video cards, speakers, buzzers or piezoelectric devices or other audible devices, lamps or LED or LCD indicators, haptic devices, actuators or servos.
- At least one input device 414 is coupled to I/O subsystem 402 for communicating signals, data, command selections or gestures to processor 404 .
- input devices 414 include touch screens, microphones, still and video digital cameras, alphanumeric and other keys, keypads, keyboards, graphics tablets, image scanners, joysticks, clocks, switches, buttons, dials, slides, and/or various types of sensors such as force sensors, motion sensors, heat sensors, accelerometers, gyroscopes, and inertial measurement unit (IMU) sensors and/or various types of transceivers such as wireless, such as cellular or Wi-Fi, radio frequency (RF) or infrared (IR) transceivers and Global Positioning System (GPS) transceivers.
- control device 416 may perform cursor control or other automated control functions such as navigation in a graphical interface on a display screen, alternatively or in addition to input functions.
- Control device 416 may be a touchpad, a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to processor 404 and for controlling cursor movement on display 412 .
- the input device may have at least two degrees of freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y), that allows the device to specify positions in a plane.
- An input device 414 may include a combination of multiple different input devices, such as a video camera and a depth sensor.
- computer system 400 may comprise an internet of things (IoT) device in which one or more of the output device 412 , input device 414 , and control device 416 are omitted.
- the input device 414 may comprise one or more cameras, motion detectors, thermometers, microphones, seismic detectors, other sensors or detectors, measurement devices or encoders and the output device 412 may comprise a special-purpose display such as a single-line LED or LCD display, one or more indicators, a display panel, a meter, a valve, a solenoid, an actuator or a servo.
- input device 414 may comprise a global positioning system (GPS) receiver coupled to a GPS module that is capable of triangulating to a plurality of GPS satellites, determining and generating geo-location or position data such as latitude-longitude values for a geophysical location of the computer system 400 .
- Output device 412 may include hardware, software, firmware and interfaces for generating position reporting packets, notifications, pulse or heartbeat signals, or other recurring data transmissions that specify a position of the computer system 400 , alone or in combination with other application-specific data, directed toward host 424 or server 430 .
- Computer system 400 may implement the techniques described herein using customized hard-wired logic, at least one ASIC or FPGA, firmware and/or program instructions or logic which when loaded and used or executed in combination with the computer system causes or programs the computer system to operate as a special-purpose machine. According to one embodiment, the techniques herein are performed by computer system 400 in response to processor 404 executing at least one sequence of at least one instruction contained in main memory 406 . Such instructions may be read into main memory 406 from another storage medium, such as storage 410 . Execution of the sequences of instructions contained in main memory 406 causes processor 404 to perform the process steps described herein. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions.
- Non-volatile media includes, for example, optical or magnetic disks, such as storage 410 .
- Volatile media includes dynamic memory, such as memory 406 .
- Common forms of storage media include, for example, a hard disk, solid state drive, flash drive, magnetic data storage medium, any optical or physical data storage medium, memory chip, or the like.
- Storage media is distinct from but may be used in conjunction with transmission media.
- Transmission media participates in transferring information between storage media.
- transmission media includes coaxial cables, copper wire and fiber optics, including the wires that comprise a bus of I/O subsystem 402 .
- Transmission media can also take the form of acoustic or light waves, such as those generated during radio-wave and infra-red data communications.
- Various forms of media may be involved in carrying at least one sequence of at least one instruction to processor 404 for execution.
- the instructions may initially be carried on a magnetic disk or solid-state drive of a remote computer.
- the remote computer can load the instructions into its dynamic memory and send the instructions over a communication link such as a fiber optic or coaxial cable or telephone line using a modem.
- a modem or router local to computer system 400 can receive the data on the communication link and convert the data to be read by computer system 400 .
- a receiver such as a radio frequency antenna or an infrared detector can receive the data carried in a wireless or optical signal and appropriate circuitry can provide the data to I/O subsystem 402 such as place the data on a bus.
- I/O subsystem 402 carries the data to memory 406 , from which processor 404 retrieves and executes the instructions.
- the instructions received by memory 406 may optionally be stored on storage 410 either before or after execution by processor 404 .
- Computer system 400 also includes a communication interface 418 coupled to bus 402 .
- Communication interface 418 provides a two-way data communication coupling to network link(s) 420 that are directly or indirectly connected to at least one communication network, such as a network 422 or a public or private cloud on the Internet.
- network 418 may be an Ethernet networking interface, integrated-services digital network (ISDN) card, cable modem, satellite modem, or a modem to provide a data communication connection to a corresponding type of communications line, for example an Ethernet cable or a metal cable of any kind or a fiber-optic line or a telephone line.
- Network 422 broadly represents a local area network (LAN), wide-area network (WAN), campus network, internetwork or any combination thereof.
- Communication interface 418 may comprise a LAN card to provide a data communication connection to a compatible LAN, or a cellular radiotelephone interface that is wired to send or receive cellular data according to cellular radiotelephone wireless networking standards, or a satellite radio interface that is wired to send or receive digital data according to satellite wireless networking standards.
- communication interface 418 sends and receives electrical, electromagnetic or optical signals over signal paths that carry digital data streams representing various types of information.
- Network link 420 typically provides electrical, electromagnetic, or optical data communication directly or through at least one network to other data devices, using, for example, satellite, cellular, Wi-Fi, or BLUETOOTH technology.
- network link 420 may provide a connection through a network 422 to a host computer 424 .
- network link 420 may provide a connection through network 422 or to other computing devices via internetworking devices and/or computers that are operated by an Internet Service Provider (ISP) 426 .
- ISP 426 provides data communication services through a world-wide packet data communication network represented as internet 428 .
- a server computer 430 may be coupled to internet 428 .
- Server 430 broadly represents any computer, data center, virtual machine or virtual computing instance with or without a hypervisor, or computer executing a containerized program system such as DOCKER or KUBERNETES.
- Server 430 may represent an electronic digital service that is implemented using more than one computer or instance and that is accessed and used by transmitting web services requests, uniform resource locator (URL) strings with parameters in HTTP payloads, API calls, app services calls, or other service calls.
- Computer system 400 and server 430 may form elements of a distributed computing system that includes other computers, a processing cluster, server farm or other organization of computers that cooperate to perform tasks or execute applications or services.
- Server 430 may comprise one or more sets of instructions that are organized as modules, methods, objects, functions, routines, or calls. The instructions may be organized as one or more computer programs, operating system services, or application programs including mobile apps.
- The instructions may comprise an operating system and/or system software; one or more libraries to support multimedia, programming or other functions; data protocol instructions or stacks to implement TCP/IP, HTTP or other communication protocols; file format processing instructions to interpret or render files coded using HTML, XML, JPEG, MPEG or PNG; user interface instructions to render or interpret commands for a graphical user interface (GUI), command-line interface or text user interface; and application software such as an office suite, internet access applications, design and manufacturing applications, graphics applications, audio applications, software engineering applications, educational applications, games or miscellaneous applications.
- Server 430 may comprise a web application server that hosts a presentation layer, application layer and data storage layer such as a relational database system using structured query language (SQL) or no SQL, an object store, a graph database, a flat file system or other data storage.
- Computer system 400 can send messages and receive data and instructions, including program code, through the network(s), network link 420 and communication interface 418 .
- A server 430 might transmit requested code for an application program through Internet 428, ISP 426, local network 422 and communication interface 418.
- The received code may be executed by processor 404 as it is received, and/or stored in storage 410 or other non-volatile storage for later execution.
- The execution of instructions as described in this section may implement a process in the form of an instance of a computer program that is being executed, consisting of program code and its current activity.
- A process may be made up of multiple threads of execution that execute instructions concurrently.
- A computer program is a passive collection of instructions, while a process is the actual execution of those instructions.
- Several processes may be associated with the same program; for example, opening up several instances of the same program often means more than one process is being executed. Multitasking may be implemented to allow multiple processes to share processor 404 .
- Computer system 400 may be programmed to implement multitasking to allow each processor to switch between tasks that are being executed without having to wait for each task to finish.
- Switches may be performed when tasks perform input/output operations, when a task indicates that it can be switched, or on hardware interrupts.
- Time-sharing may be implemented to allow fast response for interactive user applications by rapidly performing context switches to provide the appearance of concurrent execution of multiple processes.
- An operating system may prevent direct communication between independent processes, providing strictly mediated and controlled inter-process communication functionality.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Multimedia (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
Description
- The present disclosure relates to the technical area of computer network security. The present disclosure specifically relates to high-performance computer network firewalls with deep content inspection.
- The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.
- Today, enterprise computer systems are often built on cloud computing platforms. To protect workloads running on such a cloud computing platform against infiltration and data exfiltration attacks, various security solutions that perform deep content inspection of network traffic streams are applied. Until recently, most public cloud computing platforms were implemented using general-purpose processors (processors not tied to or integrated with a particular language or piece of software), such as Intel 8086 (x86) processors. Now, more public computing platforms are incorporating higher-performance hardware components, such as field-programmable gate arrays (FPGAs) or graphics processing units (GPUs). It would be helpful to take better advantage of such higher-performance hardware to offer stronger security solutions for cloud computing platforms or other similar networked systems.
- In the drawings:
- FIG. 1 illustrates an example computing environment with which various embodiments may be practiced.
- FIG. 2A illustrates an example configuration of a security gateway system for a cloud computing platform with a corresponding data path where select complex processing, including parallel processing, is offloaded from a lower-performance portion to a higher-performance portion.
- FIG. 2B illustrates an example configuration of a security gateway system for a cloud computing platform with a corresponding data path where the compute-intensive part of higher-level processing is mainly performed by a higher-performance portion instead of a lower-performance portion.
- FIG. 2C illustrates another example configuration of a security gateway system for a cloud computing platform with a corresponding data path where higher-level processing, including complex threat detection, is mainly performed by a higher-performance portion instead of a lower-performance portion.
- FIG. 3 illustrates an example process performed by the security gateway system of implementing a computer security gateway via deep content inspection.
- FIG. 4 is a block diagram that illustrates a computer system upon which an embodiment of the invention may be implemented.
- In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention.
- Embodiments are described in sections below according to the following outline:
- 1. GENERAL OVERVIEW
- 2. EXAMPLE COMPUTING ENVIRONMENTS
- 3. EXAMPLE COMPUTER CONFIGURATIONS AND DATA PATHS
- 3.1. OFFLOADING PROCESSING TO HIGHER-PERFORMANCE PORTION
- 3.2. MANAGING DATA PIPELINE IN HIGHER-PERFORMANCE PORTION
- 3.2.1. IMPLEMENTING APPLICATION-LEVEL PROCESSING
- 3.2.2. IMPLEMENTING ANOMALY DETECTION
- 4. EXAMPLE PROCESSES
- 5. IMPLEMENTATION EXAMPLE—HARDWARE OVERVIEW
- 6. EXTENSIONS AND ALTERNATIVES
- 1. General Overview
- A security gateway system and related methods are disclosed. In some embodiments, the security gateway system is programmed to provide a network firewall for a cloud computing platform. When a cloud computing platform is implemented with hardware components that are more advanced than general-purpose processors, such as an FPGA, the security gateway system can comprise a higher-performance hardware portion that utilizes such hardware components. The security gateway system can also comprise a lower-performance hardware portion, such as one or more x86 processors, to handle lower-level data processing. In providing a network firewall, the security gateway system is programmed to enable secure communication between any computer device outside the cloud computing platform and any computer system within the cloud computing platform. In certain embodiments, the security gateway system can also be programmed to enable secure communication between two computer devices within the cloud computing platform, to provide finer segmentation of application traffic. Such enablement can involve many computation-intensive operations, including advanced detection of incoming security threats or critical data exfiltration through deep content inspection, and the security gateway system is configured to perform as much of the computation as possible in the higher-performance hardware portion to achieve optimal performance.
- In some embodiments, upon receiving a packet from a source computer system ultimately destined for a destination computer system, the lower-performance hardware portion of the security gateway system is programmed to handle lower-level data processing. For example, under the Open Systems Interconnection (OSI) model, after the initial handshake process, the lower-level processing of a packet can include processing up to the transport layer. The processing result is then transmitted to the higher-performance hardware portion of the security gateway system through a communication bus. The higher-performance hardware portion is programmed to then handle higher-level data processing. For example, under the OSI model, the higher-level processing can include processing up to the application layer. More specifically, the higher-level processing may include data decryption based on symmetric cryptography, data decompression, session management, other application-level processing under a transfer protocol such as HTTP/2, or detection of incoming security threats or critical data exfiltration.
- In some embodiments, to detect security attacks, the higher-performance hardware portion is programmed to separate the payload from the metadata in the original packet or the data processed so far and to evaluate various attributes of the payload and the metadata. The evaluation can include determining whether the payload includes a user authorization to share confidential data (e.g., the source computer system may have obtained a user's authorization to bill a specific charge to a credit card) or whether the payload matches specific keywords or patterns (e.g., filenames or file content of known viruses). The evaluation can also include determining whether the size of the payload falls in a specific range (e.g., too large, or in a range associated with known threats) or whether the packet was sent during a specific period of time (e.g., certain times of the day). The higher-performance hardware portion can also be programmed to keep track of a global, or at least a broader, communication state for careful evaluation of related packets or of connections through which multiple packets are transmitted over time. For example, the communication state can be maintained at the HTTP session level for monitoring inter-session communications, where the sessions may be correlated to computer applications. More specifically, the higher-performance hardware portion can be programmed to determine whether the frequency of communications (packets, a corresponding higher-level item, etc.) transmitted by the source computer system exceeds a certain threshold, whether the present communication is preceded by one or more communications that involve extensive querying of the APIs provided by the destination computer system, or whether the present communication is followed by one or more communications that involve transferring generally confidential data to specific data repositories. For example, the present communication can be an HTTP request associated with one session that is succeeded by another HTTP request associated with another session for transferring data to a certain data repository.
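The checks listed in the paragraph above, written out as an added example that is not code from the patent: a small Python evaluator that keeps per-(source, destination) communication state across a sequence of HTTP requests and applies the payload-size, time-of-day, frequency, and API-enumeration-followed-by-transfer rules. The request fields, threshold values and path patterns are assumptions chosen for illustration, and the traffic is constructed rather than captured.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone
import re


@dataclass
class Request:
    """One request as seen by the gateway (field set is an assumption, not patent-defined)."""
    ts: float      # receive time, seconds since the Unix epoch
    src: str       # source computer system
    dst: str       # destination computer system
    method: str
    path: str
    body: bytes


# Policy values are illustrative assumptions chosen for this example.
MAX_BODY_BYTES = 512 * 1024            # payload size range check
RATE_LIMIT, RATE_WINDOW_S = 20, 10.0   # frequency threshold per (src, dst) pair
OFF_HOURS_UTC = range(0, 6)            # "specific period of time" check
API_PATH = re.compile(r"^/api/v\d+/")  # requests counted as API querying
REPO_PATH = re.compile(r"^/(?:export|upload|storage)/")  # data repositories
ENUM_THRESHOLD = 8                     # distinct API endpoints before a transfer is suspicious


class PairState:
    """Communication state kept per (source, destination) pair across requests."""
    def __init__(self):
        self.recent = deque()          # timestamps inside the rate window
        self.api_endpoints = set()     # distinct API paths queried so far


def evaluate(requests):
    """Run per-request and cross-request checks; return (rule, src, path) alerts."""
    state = defaultdict(PairState)
    alerts = []
    for r in sorted(requests, key=lambda x: x.ts):
        s = state[(r.src, r.dst)]

        # 1. payload attribute: size outside the allowed range
        if len(r.body) > MAX_BODY_BYTES:
            alerts.append(("oversized_payload", r.src, r.path))

        # 2. metadata attribute: time of day
        if datetime.fromtimestamp(r.ts, tz=timezone.utc).hour in OFF_HOURS_UTC:
            alerts.append(("off_hours", r.src, r.path))

        # 3. frequency of communications from this source to this destination
        s.recent.append(r.ts)
        while s.recent and s.recent[0] < r.ts - RATE_WINDOW_S:
            s.recent.popleft()
        if len(s.recent) > RATE_LIMIT:
            alerts.append(("rate_exceeded", r.src, r.path))

        # 4. relationship between communications: extensive API querying
        #    followed by a transfer to a data repository
        if API_PATH.match(r.path):
            s.api_endpoints.add(r.path)
        elif (REPO_PATH.match(r.path) and r.method in ("POST", "PUT")
              and len(s.api_endpoints) >= ENUM_THRESHOLD):
            alerts.append(("enumeration_then_transfer", r.src, r.path))
    return alerts


def sample_requests():
    """Constructed traffic (not captured data): four attack patterns mixed together."""
    t0 = 1700000000.0                                    # 2023-11-14 22:13:20 UTC
    reqs = []
    # enumeration of nine API endpoints, then a bulk export
    for i in range(9):
        reqs.append(Request(t0 + i, "10.0.0.5", "svc-a", "GET", f"/api/v1/users/{i}", b""))
    reqs.append(Request(t0 + 9, "10.0.0.5", "svc-a", "POST", "/export/bulk", b"{}"))
    # 25 requests in 2.4 seconds from one source
    for i in range(25):
        reqs.append(Request(t0 + 100 + i * 0.1, "10.0.0.9", "svc-a", "GET", "/", b""))
    # oversized upload
    reqs.append(Request(t0 + 200, "10.0.0.7", "svc-b", "PUT", "/api/v1/files", bytes(600_000)))
    # a request at 01:00 UTC
    reqs.append(Request(t0 + 10000, "10.0.0.8", "svc-b", "GET", "/health", b""))
    return reqs


if __name__ == "__main__":
    for alert in evaluate(sample_requests()):
        print(alert)
```

The per-pair state is what distinguishes this from a stateless filter: the export request on its own is unremarkable, and only the record of nine prior API queries from the same pair turns it into an alert.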
- By virtue of the various features described herein, the security gateway system produces many technical benefits. In various embodiments, the security gateway system can be deployed on public or other generic cloud computing platforms without requiring the customized hardware often utilized in on-premise data centers. By leveraging the advanced, parallel computing features of such cloud computing platforms, the security gateway system can readily provide native, scaled-up firewall capabilities to them. In gateway data processing, while current approaches might offload select computations to higher-performance hardware components, the security gateway system is configured to perform most of the higher-level data processing in a higher-performance hardware portion. Such a processing pipeline substantially increases the overall processing speed, not only from the inherent parallelism and other high-performance features of the higher-performance hardware portion but also from the reduced data transfer (and the associated overhead) between the lower-performance hardware portion and the higher-performance hardware portion. Furthermore, the security gateway system offers advanced, hardware-enabled detection of incoming security threats or critical data exfiltration. In addition to utilizing signatures (in the malware-detection sense) that typically characterize static, single-dimensional data attributes, such as filenames and other keywords, the security gateway system is programmed to characterize various aspects of all the data communicated through the security gateway system over an extended period of time. In particular, the security gateway system is programmed to evaluate a series of communications between a pair of source and destination computer systems (and a corresponding pair of computer applications) in terms of the nature of the communications, the amount of time required to process them, and the relationships among them. Such advanced security attack detection results in stronger protection of the cloud computing platform. In addition, the security gateway is able to distribute some of the rich detection mechanisms across different hardware portions, such as multiple FPGAs and/or other microcode-executing processors. Such scale-out provides elasticity to the security solution.
- 2. Example Computing Environments
- FIG. 1 illustrates an example computing environment with which various embodiments may be practiced. FIG. 1 is shown in simplified, schematic format for purposes of illustrating a clear example; other embodiments may include more, fewer, or different elements.
- In some embodiments, the computing environment includes a cloud computing platform 130, which includes one or more cloud-based service computers 122 and a network security gateway computer 102 (security gateway system), and one or more service consumer computers 112, which are communicatively coupled directly or indirectly via one or more networks 118.
- In some embodiments, the cloud computing platform 130 comprises a pool of configurable system resources, each of which may include one or more of a general-purpose processor, a special-purpose processor, or programmable hardware. For example, public cloud computing platforms may include x86 processors, FPGAs, or GPUs. The cloud computing platform 130 is typically programmed to provide fundamental computing services and to enable rapid deployment of independent, higher-level computing services by one or more enterprises with minimal infrastructure management effort. The components implementing these higher-level computing services correspond to the one or more cloud-based service computers 122. These components can run as virtual instances or as bare-metal (physical) instances. For example, a cloud-based service computer 122 may be a Web server that provides a Web service handling account authentication.
- In some embodiments, some of the configurable system resources are allocated to the security gateway system 102. The security gateway system 102 generally includes computers, virtual computing instances or virtual appliances, and/or instances of a server-based application. The security gateway system 102 is configured to host or execute functions including, but not limited to, network firewall capabilities for the cloud computing platform 130. More specifically, the security gateway system 102 is configured to maintain data security not only within the cloud computing platform where the one or more cloud-based service computers 122 operate, but also between the cloud computing platform 130 and the external environment where the one or more service consumer computers 112 operate. Therefore, the security gateway system 102 is programmed to establish a secure communication channel with a cloud-based service computer 122 or a service consumer computer 112. The security gateway system 102 can be configured to conform to certain transport-level security protocols and further perform application-level data encryption or decryption for any communication with any other computer system. Furthermore, the security gateway system 102 is programmed to monitor metadata in transmitted packets, payloads in the transmitted packets, and metadata in user session states for security attacks.
- In some embodiments, a service consumer computer 112 is programmed to communicate with one or more cloud-based service computers 122 regarding the provided services through the security gateway system 102. More specifically, the service consumer computer 112 may be configured to transmit input data to a provided service or receive output data from the provided service. The service consumer computer 112 may comprise a computing facility with sufficient computing power in data processing, data storage, and network communication for the above-described functions. In certain embodiments, the service consumer computer 112 can comprise a desktop computer, laptop computer, tablet computer, smartphone, wearable device, etc.
- The network 118 may be implemented by any medium or mechanism that provides for the exchange of data between the various elements of FIG. 1. Examples of the network 118 include, without limitation, one or more of a cellular network communicatively coupled with a data connection to the computing devices over a cellular antenna, a near-field communication (NFC) network, a Local Area Network (LAN), a Wide Area Network (WAN), the Internet, a terrestrial or satellite link, etc.
- In some embodiments, a service consumer computer 112 is programmed to send a request for a service, such as an HTTP message, to a cloud-based service computer 122. In other embodiments, multiple service consumer computers 112 can be programmed to send requests to a cloud-based service computer 122, or a service consumer computer 112 can be programmed to send multiple requests to multiple cloud-based service computers 122. The security gateway system 102 is programmed to initially receive the request. The security gateway system 102 is programmed to then disassemble the request in order to detect security attacks, such as a distributed denial of service (DDoS). The detection of a security attack includes complex processing that can depend on data related to other communications with the service consumer computer 112. The security gateway system 102 may comprise a lower-performance hardware portion and a higher-performance hardware portion, as further discussed below, and the processing of the request may flow between the two portions to optimize the overall performance of the security gateway system 102. When a security attack is detected, the security gateway system 102 is programmed to take remedial actions. When no security attack is detected, the security gateway system 102 is programmed to then send the original request or the processing result to the cloud-based service computer 122. In response to receiving the request, the cloud-based service computer 122 is programmed to perform the requested service and send the outcome of the service to the service consumer computer 112. Similarly, the security gateway system 102 is programmed to initially receive the outcome of the service. The security gateway system 102 is programmed to then disassemble the outcome for detection of any data exfiltration, as discussed above. The security gateway system 102 is programmed to then send the original outcome or the corresponding processing result to the service consumer computer 112.
- 3. Example Computer Configurations and Data Paths
- In general, as data is communicated from one device to another, the data may undergo various types of processing, which can be classified according to certain conceptual models. One such conceptual model is the OSI model, which includes seven layers of increasing abstraction from the physical layer to the application layer. Some of the various types of processing tend to require more computing resources, such as encryption or decryption, compression or decompression, or pattern recognition. In certain embodiments, the highest-level processing corresponding to the highest layers of the conceptual models include processing under the HTTP protocol.
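As an added illustration of the HTTP-level processing that section 3.2.1 below assigns to the higher-performance portion (the twelfth component 230 decodes the HTTP/2 binary framing layer and associates data with stream identifiers), here is a Python parser for HTTP/2 frame headers and DATA-frame padding that reassembles interleaved streams into per-request bodies. It is example code written for this page, not the patent's implementation, and HPACK header decompression is not shown. The sample connection is constructed; the frame layout and the two rejections (a length field above SETTINGS_MAX_FRAME_SIZE, and a Pad Length that swallows the payload) follow RFC 7540 sections 4.1, 4.2 and 6.1, which an inspecting gateway must enforce before any content inspection.

```python
from dataclasses import dataclass

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"     # client connection preface (RFC 7540 s3.5)
DEFAULT_MAX_FRAME_SIZE = 1 << 14               # initial SETTINGS_MAX_FRAME_SIZE (s6.5.2)
TYPE_DATA, TYPE_HEADERS, TYPE_SETTINGS = 0x0, 0x1, 0x4
FLAG_END_STREAM, FLAG_PADDED = 0x1, 0x8


@dataclass
class Frame:
    type: int
    flags: int
    stream_id: int
    payload: bytes


def build_frame(ftype, flags, stream_id, payload):
    """Serialize a frame: 24-bit length, type, flags, reserved bit + 31-bit stream id (s4.1)."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    header += (stream_id & 0x7FFFFFFF).to_bytes(4, "big")
    return header + payload


def parse_frames(buf, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
    """Split a byte stream into frames.

    Returns (frames, remainder); remainder holds a trailing incomplete frame so
    the caller can prepend it to the next packet.  Raises ValueError for a
    length field above the negotiated maximum (FRAME_SIZE_ERROR), checked
    before waiting for the payload so a hostile length cannot stall the parser.
    """
    if buf.startswith(PREFACE):
        buf = buf[len(PREFACE):]
    frames, off = [], 0
    while len(buf) - off >= 9:
        length = int.from_bytes(buf[off:off + 3], "big")
        if length > max_frame_size:
            raise ValueError(f"frame length {length} > SETTINGS_MAX_FRAME_SIZE {max_frame_size}")
        if len(buf) - off < 9 + length:
            break                                       # wait for the rest of this frame
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF  # drop R bit
        frames.append(Frame(ftype, flags, stream_id, buf[off + 9:off + 9 + length]))
        off += 9 + length
    return frames, buf[off:]


def data_payload(frame):
    """Application bytes of a DATA frame with padding removed (s6.1)."""
    if frame.type != TYPE_DATA:
        raise ValueError("not a DATA frame")
    if frame.stream_id == 0:
        raise ValueError("DATA on stream 0 is a PROTOCOL_ERROR")
    body = frame.payload
    if frame.flags & FLAG_PADDED:
        if not body:
            raise ValueError("PADDED set but Pad Length octet missing")
        pad_len = body[0]
        if pad_len >= len(body):                        # padding swallows the whole payload
            raise ValueError("Pad Length >= payload length is a PROTOCOL_ERROR")
        body = body[1:len(body) - pad_len]
    return body


def reassemble_streams(frames):
    """Concatenate DATA bodies per stream id: interleaved frames become per-request bodies."""
    bodies = {}
    for f in frames:
        if f.type == TYPE_DATA:
            bodies.setdefault(f.stream_id, bytearray()).extend(data_payload(f))
    return {sid: bytes(b) for sid, b in bodies.items()}


# Constructed connection: preface, empty SETTINGS, then DATA frames of two
# interleaved streams, one of them padded.
SAMPLE_STREAM = (
    PREFACE
    + build_frame(TYPE_SETTINGS, 0, 0, b"")
    + build_frame(TYPE_DATA, 0, 1, b"hello ")
    + build_frame(TYPE_DATA, FLAG_PADDED, 3, bytes([3]) + b"other" + b"\0" * 3)
    + build_frame(TYPE_DATA, FLAG_END_STREAM, 1, b"world")
)
# Malformed: Pad Length claims more padding than the frame carries.
BAD_PADDING = build_frame(TYPE_DATA, FLAG_PADDED, 5, bytes([9]) + b"abcde")

if __name__ == "__main__":
    frames, _ = parse_frames(SAMPLE_STREAM)
    print(reassemble_streams(frames))
```

The per-stream reassembly is the step that makes content inspection possible at all: a signature or DLP rule run on individual frames would miss anything split across frames or interleaved with another stream.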
- In various embodiments discussed below, the security gateway system 102 comprises a lower-performance portion, such as an x86 processor or another general-purpose processor designed for sequential processing, and a higher-performance portion, such as an FPGA, an application-specific integrated circuit (ASIC), or other programmable hardware inherently suited to parallel or other high-performance processing, including high-speed or high-throughput processing. The lower-performance portion is generally used for lower-level tasks that do not necessarily benefit from implementation in the higher-performance portion.
- 3.1. Offloading Processing to Higher-Performance Portion
- FIG. 2A illustrates an example configuration of a security gateway system for a cloud computing platform with a corresponding data path where select complex processing, including parallel processing, is offloaded from a lower-performance portion to a higher-performance portion.
- In some embodiments, the lower-performance portion 202 is programmed to manage the main data processing pipeline. The data processing pipeline may include a first component 206 that supports the lowest-level processing, such as the processing performed by the first layer of the OSI model. The first component 206 can be implemented with the Data Plane Development Kit (DPDK). The first component 206 can be governed by the protocols corresponding to the OSI physical layer, such as the IEEE 802.3 (Ethernet) standard. The data processing pipeline may include a second component 208 configured to support lower-level processing, such as the processing performed by the next three layers of the OSI model. The second component 208 can be implemented with the Linux Kernel Library (LKL). The second component 208 can be governed by various protocols corresponding to the OSI data link layer, including the Media Access Control (MAC) sublayer or the Logical Link Control (LLC) sublayer, protocols corresponding to the OSI network layer, such as the Internet Protocol (IP), or protocols corresponding to the OSI transport layer, such as the Transmission Control Protocol (TCP).
- The data processing pipeline may also include a third component 210 configured to support higher-level processing, such as the processing performed by the sixth layer of the OSI model. The third component 210 can be implemented using the OPENSSL library or be governed by other protocols corresponding to the OSI presentation layer. The data processing pipeline may further include a fourth component 212, a fifth component 214, and a sixth component 216 configured to support the highest-level processing, such as the processing performed by the seventh layer of the OSI model. For example, the fourth component 212 can be governed by the HTTP/1 or HTTP/2 protocol, the fifth component 214 can implement security attack detection, and the sixth component 216 can implement application proxies. The security attack detection may be based on existing rules, URL filters, or run-time data loss prevention (DLP) solutions. For further example, another component can implement a Web application firewall (WAF) to filter HTTP traffic to and from web applications in addition to the fifth component 214 operating in a streaming mode. In some embodiments, the higher-performance portion 204 is programmed to take over some of the processing from the lower-performance portion 202. The higher-performance portion 204 can include certain components configured to handle peer authentication and secure data transmission, which often could have been included in the third component 210 discussed above. These components include a seventh component 220 configured to perform operations related to asymmetric cryptography and the TLS handshake, such as RSA modular exponentiation, elliptic-curve point multiplication for ECDHE and ECDSA, SHA-1 hashing, or DRBG random-number generation. For example, the seventh component 220 may be configured to create the master secret in a TLS handshake. These components also include an eighth component 222 configured to perform operations related to symmetric cryptography, such as AES-GCM, AES-CBC, or ChaCha20-Poly1305.
For example, the eighth component 222 can be configured to enable subsequent use of session keys to decrypt actual data. The higher-performance portion 204 can also include certain components configured to handle efficient data inspection, which often could have been included in the fourth component 212 discussed above. These components include a ninth component 224 configured to decompress the application data, such as the payload of an HTTP request compressed by gzip or another compression scheme. Furthermore, the higher-performance portion 204 can include certain components configured to find matches of specific malware signatures for detection of incoming security threats or critical data exfiltration, which also could have been included in the fifth component 214 discussed above as part of the HTTP traffic inspection. These components include a tenth component 226 configured to find matches of predetermined regular expressions in the data, which may characterize a file name, a uniform resource locator (URL), or a string within the payload from one or more packets within a session, for example. In certain embodiments, any of the seventh through the tenth components
- In some embodiments, the security gateway system 102 is programmed to receive data from another device, which can reside on the same cloud computing platform or outside the cloud computing platform. The data is initially received by the lower-performance portion 202. Data processing flows through the first component 206, the second component 208, and the third component 210. The processing result is then transmitted to the higher-performance portion 204. The third component 210 can be configured to recognize whether the processing result corresponds to data for establishing a secure communication channel rather than data to be transmitted and processed within the secure communication channel. When the processing result corresponds to data for establishing a secure communication channel, data processing occurs in the seventh component 220. The processing result is then transmitted back to the lower-performance portion 202. Furthermore, since there is no additional data to process, data processing does not need to reach the fourth component 212 or succeeding components in the data processing pipeline. On the other hand, when the processing result corresponds to data to be transmitted and processed within the secure communication channel, data processing occurs in the eighth component 222. The processing result is then transmitted back to the lower-performance portion 202. Data processing then flows through the third component 210 and the fourth component 212. The processing result is then transmitted to the higher-performance portion 204, where data processing occurs in the ninth component 224. The processing result is then transmitted back to the lower-performance portion 202. The processing then flows through the fourth component 212 and the fifth component 214. The processing result is then transmitted to the higher-performance portion 204, where data processing occurs in the tenth component 226. The processing result is then transmitted back to the lower-performance portion 202.
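The two inspection offloads in this data path, the ninth component (decompression) feeding the tenth (regular-expression matching over the inflated payload), as an added Python example that is not part of the patent: it inflates a gzip-encoded HTTP body incrementally, stops when the inflated size passes a cap so a small compressed "bomb" cannot exhaust the gateway, and scans the output in chunks while carrying over a tail of the previous chunk so a signature that straddles two packets is still found. The signatures (an executable attached to a form upload, and the industry-standard EICAR anti-virus test string), the size cap and the overlap length are assumptions for this example; the sample body is constructed.

```python
import gzip
import re
import zlib

# Illustrative signatures (assumptions, not a real rule set).
SIGNATURES = {
    "exe_upload": re.compile(rb'filename="[^"\r\n]*\.(?:exe|scr|dll)"', re.IGNORECASE),
    "eicar": re.compile(rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"),
}
MAX_INFLATED_BYTES = 1 << 20    # assumed per-message cap against decompression bombs
OVERLAP = 64                    # longest signature span that may cross a chunk boundary


class BoundedGunzip:
    """Incremental gzip inflater that stops once `limit` output bytes are exceeded."""

    def __init__(self, limit):
        self._inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
        self._limit = limit
        self.produced = 0

    def feed(self, chunk):
        # Ask for at most one byte beyond the remaining budget, so an over-limit
        # stream is detected without ever inflating it fully.
        out = self._inflater.decompress(chunk, self._limit - self.produced + 1)
        self.produced += len(out)
        if self.produced > self._limit:
            raise ValueError(f"inflated size exceeds {self._limit} bytes")
        return out


class StreamScanner:
    """Regex matcher over a chunked stream that also finds matches crossing chunk edges."""

    def __init__(self, signatures, overlap=OVERLAP):
        self._sigs = signatures
        self._overlap = overlap
        self._carry = b""     # tail of previous data, re-scanned together with the next chunk
        self._base = 0        # absolute offset of _carry[0] in the inflated stream
        self._seen = set()
        self.hits = []        # (signature name, absolute offset)

    def feed(self, chunk):
        buf = self._carry + chunk
        for name, rx in self._sigs.items():
            for m in rx.finditer(buf):
                key = (name, self._base + m.start())
                if key not in self._seen:      # same match already reported via the carry
                    self._seen.add(key)
                    self.hits.append(key)
        if len(buf) > self._overlap:
            self._base += len(buf) - self._overlap
            self._carry = buf[-self._overlap:]
        else:
            self._carry = buf


def scan_gzip_body(compressed_chunks, limit=MAX_INFLATED_BYTES):
    """Inflate a gzip HTTP body arriving in pieces and scan it; return (hits, error)."""
    inflater = BoundedGunzip(limit)
    scanner = StreamScanner(SIGNATURES)
    try:
        for chunk in compressed_chunks:
            scanner.feed(inflater.feed(chunk))
    except (ValueError, zlib.error) as exc:
        return scanner.hits, str(exc)
    return scanner.hits, None


# Constructed sample body: a multipart upload carrying an .exe and the EICAR string.
PLAINTEXT = (
    b"--boundary\r\n"
    b'Content-Disposition: form-data; name="file"; filename="invoice.exe"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*\r\n"
    b"--boundary--\r\n"
)
COMPRESSED = gzip.compress(PLAINTEXT)
# Split into 7-byte pieces to imitate a body spread over many packets.
SAMPLE_CHUNKS = [COMPRESSED[i:i + 7] for i in range(0, len(COMPRESSED), 7)]
# 300 KB of zeros compresses to a few hundred bytes: a small decompression bomb.
BOMB_CHUNKS = [gzip.compress(bytes(300_000))]

if __name__ == "__main__":
    print(scan_gzip_body(SAMPLE_CHUNKS))
    print(scan_gzip_body(BOMB_CHUNKS, limit=64 * 1024))
```

Note that the inflater output per packet is arbitrary, so the filename signature almost always lands across two scanner calls; without the carried tail it would be missed, which is exactly the evasion a packet-at-a-time matcher invites.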
When a security attack is detected, the fifth component 214 may be programmed not to continue data processing through the fourth component 212 and the sixth component 216, and optionally to start return data processing immediately from the fourth component 212. Alternatively, data processing can continue along the original path to further handle the security attack. When no security attack is detected, data processing then flows through the fifth component 214, the fourth component 212, and the sixth component 216. When return data processing is necessary because new data (instead of the original packet) needs to be transmitted to the destination, return data processing begins with the fourth component 212 and flows through at least some of the elements in the lower-performance portion 202.
- In some embodiments, the interface between different components in the lower-performance portion 202 can be based on direct memory access (DMA) commands or responses related to memories implemented within the lower-performance portion 202. The interface between the lower-performance portion 202 and the higher-performance portion 204 can rely on a peripheral component interconnect express (PCIe) bus or another type of computer bus. As each offload to the higher-performance portion 204 requires a separate traversal of the computer bus, the example configuration discussed in this section can be optimized by at least reducing the number of such traversals.
- 3.2. Managing Data Pipeline in Higher-Performance Portion
- 3.2.1. Implementing Application-Level Processing
- FIG. 2B illustrates an example configuration of a security gateway system for a cloud computing platform with a corresponding data path where the compute-intensive part of higher-level processing is mainly performed by a higher-performance portion instead of a lower-performance portion.
- In some embodiments, the lower-performance portion 202 is programmed to handle mainly the lower-level data processing, such as most of the processing for the first four layers of the OSI model, while the higher-performance portion 204 is programmed to handle the higher-level processing, such as the processing for the application layer of the OSI model and additional compute-intensive operations that could benefit from parallelism. The lower-performance portion 202 can include similar components as illustrated in FIG. 2A. The higher-performance portion 204 can also include similar components as illustrated in FIG. 2A. The higher-performance portion 204 can include additional components to enable more advanced higher-level processing. The additional components can include an eleventh component 228 configured to handle data packaging corresponding to the transport layer of the OSI model. For example, the eleventh component 228 can be configured to de-frame TLS messages and accumulate TLS records. The additional components can also include a twelfth component 230 configured to perform advanced operations corresponding to the application layer of the OSI model. For example, the twelfth component 230 can be configured to implement the HTTP/2 protocol, which includes data decoding in the binary framing layer, header decompression via HPACK, association of data with a stream identifier and corresponding stream priority, breaking down the data into individual frames, pushing additional resources into the frames, and interleaving the frames in further delivery. In addition, the additional components can include a thirteenth component 232 configured to perform complex detection of incoming security threats or critical data exfiltration at the application level, or another component configured to implement an application-level firewall, such as a WAF.
- In some embodiments, the security gateway system 102 is programmed to receive data from another device, which can reside on the same cloud computing platform or outside of the cloud computing platform. The data is initially received by the lower-performance portion 202. Data processing flows through the first component 206 and the second component 208. The second component 208 can be configured to recognize whether the processing result corresponds to data for establishing a secure communication channel rather than data to be transmitted and processed within the secure communication channel. When the processing result corresponds to data for establishing a secure communication channel, data processing can continue to flow through the third component 210, the seventh component 220, and back to the third component 210, as illustrated in FIG. 2A. Furthermore, since there is no additional data to process, data processing does not need to reach the fourth component 212 or succeeding components in the data processing pipeline. On the other hand, when the processing result corresponds to data to be transmitted and processed within the secure communication channel, the processing result is transmitted to the higher-performance portion 204. Data processing then flows through the eleventh component 228, the eighth component 222, the twelfth component 230, the ninth component 224, the twelfth component 230, the thirteenth component 232, the tenth component 226, and the thirteenth component 232. At this point, the processing result is transmitted to the lower-performance portion 202, and data processing continues from the sixth component 216, as illustrated in FIG. 2A.
- In some embodiments, the interface between different components in the higher-performance portion 204 can be based on operations related to FIFO queues or other memory structures implemented within the higher-performance portion 204.
- 3.2.2. Implementing Anomaly Detection
-
FIG. 2C illustrates another example configuration of a security gateway system for a cloud computing platform with a corresponding data path where higher-level processing, including complex security attack detection, is mainly performed by a higher-performance portion instead of a lower-performance portion.
- In some embodiments, the higher-performance portion 204 includes a fourteenth component 240 for complex security attack detection. In addition to finding matches of predetermined regular expressions in the data, the fourteenth component 240 is configured to work with signatures of malicious hosts that depend on various aspects of the communications between different computer systems (or the corresponding computer applications) through the security gateway system. Such aspects may include the states of communication associated with the computer systems, the data being communicated by the computer systems, or statistics, metrics, or patterns related to those states or that data. For communication under the HTTP protocol, for example, the aspects may include the states of separate HTTP flows (streams of bidirectional flows of bytes within an established connection) or HTTP sessions in the form of HTTP status codes, the headers or payloads of HTTP messages, application IDs derived from HTTP session information, HTTP policy language (reflecting a set of rules required by a cloud-based service, for example), or the number of active HTTP flows (indicating how often messages are sent) or incomplete HTTP flows (indicating how long it takes to process the messages) during a specific period of time. Some of these aspects may have been recorded by one or more preceding components in the data pipeline for further analysis by the fourteenth component 240.
- More specifically, some countries might be associated with higher alert levels given the historically high volumes of security attacks originating from those countries. Certain security attacks may be known to take place according to a specific schedule, such as every three minutes between the hours of two and four AM Pacific Standard Time. 
A security attack may correspond to an operation that is immediately preceded by one or more queries of different APIs of a destination computer system for planning purposes (e.g., how to uncover desired data). For example, the APIs provided by Web services that conform to the Representational State Transfer (REST) architecture might be queried via certain HTTP methods in one or more sessions. Likewise, a security attack may correspond to an operation that is immediately followed by one or more transfers of data (e.g., desired data that have been uncovered) from the destination computer system to specific data repositories for storage or publication purposes. In addition, certain security attacks may be known to hide their signatures by using varying compression or encryption algorithms. Many security attacks would target identifiable confidential, personal information, such as social security numbers, home addresses, or telephone numbers. Therefore, in some embodiments, the fourteenth component 240 can be specifically configured to consider aspects of the communications between different computer systems through the security gateway system 102 that include the geographic origin of a communication by a computer system, the time when a communication was initiated by a computer system, the nature of the operations involved in the immediately preceding or succeeding communications (by the same computer system, any computer system, the same computer program, or any computer program, etc.), the gap between the present communication and the immediately preceding or succeeding communication, or the size, the compression status, or the content of the present communication. Furthermore, some of the computer systems may already have security attack detection mechanisms in place, such as additional patterns or other rules embodied in their HTTP policy. In some embodiments, the fourteenth component 240 can be configured to also incorporate those security attack detection mechanisms, by parsing the language of the HTTP policy, for example.
- For example, the fourteenth component 240 can be configured to flag an anomaly when the following detection conditions are all satisfied:
- a. The HTTP request came from an IP address associated with a black-listed country;
- b. The HTTP request was received during a particular time of the day;
- c. The HTTP request was preceded by an HTTP request querying all the APIs of the destination computer system;
- d. The gap between the HTTP request and the immediately preceding or following HTTP request was no less than 5 seconds;
- e. The HTTP request was followed by an HTTP request including a PUT operation to a data repository offering a file hosting service;
- f. The size of the payload of the HTTP request is non-zero;
- g. The payload of the HTTP request is compressed;
- h. The payload of the HTTP request contains user signatures with a social security number, a home address, or a telephone number.
For example, such a set of detection conditions, in combination with other predetermined regular expressions, can be used to identify an occurrence of an attack that includes an HTTP GET request with a PHP session ID and a user agent that can be matched to specific signatures, an application of a compression/encryption method, and a peer-to-peer data transfer under the Server Message Block (SMB) protocol.
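One way to evaluate the eight detection conditions above over a single source's request history, shown here as an added example in Python; it is not the patent's own implementation (which targets an FPGA) nor code from any product it describes. The request record, the watch-listed country code, the 02:00 to 04:00 watch window, the file-hosting host list, the API-enumeration paths and the PII regular expressions are all assumptions, and the request sequence is constructed for the run. The country of the source IP is assumed to have been recorded by an earlier pipeline stage, as the text says preceding components may do. Because the text notes that attacks vary their compression to hide signatures, the payload is inflated (gzip or zlib, by magic bytes) before the PII scan rather than matched as-is.

```python
import gzip
import re
import zlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Request:
    ts: datetime        # time the gateway received the request
    country: str        # country of the source IP; assumed recorded by an earlier stage
    method: str
    host: str
    path: str
    body: bytes = b""


# Assumed deployment policy (not from the patent): watch-listed country code, watch
# window on the gateway clock, file-hosting repositories, and API-enumeration paths.
WATCHLIST_COUNTRIES = {"XX"}
WATCH_HOURS = range(2, 4)                       # 02:00-03:59
FILE_HOSTING_HOSTS = {"files.example.net"}
API_ENUMERATION_PATHS = {"/api", "/api/", "/openapi.json", "/swagger.json"}
MIN_GAP_SECONDS = 5.0

PII_PATTERNS = [
    re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),                                 # SSN shape
    re.compile(rb"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),                   # telephone shape
    re.compile(rb"\b\d{1,5} \w+ (Street|St|Avenue|Ave|Road|Rd)\b", re.I),  # street address
]


def compression(body):
    """Return 'gzip', 'zlib' or None from the leading magic bytes (condition g)."""
    if body[:2] == b"\x1f\x8b":
        return "gzip"
    if len(body) >= 2 and body[0] == 0x78 and (body[0] * 256 + body[1]) % 31 == 0:
        return "zlib"
    return None


def inflate(body):
    """Undo the compression so the PII scan sees the real payload (condition h)."""
    kind = compression(body)
    try:
        if kind == "gzip":
            return gzip.decompress(body)
        if kind == "zlib":
            return zlib.decompress(body)
    except (OSError, zlib.error):
        pass                    # corrupt or truncated: scan the raw bytes instead
    return body


def evaluate(prev, cur, nxt):
    """Apply conditions a-h to `cur` given its neighbours; return (flagged, per-condition)."""
    gaps = [abs((n.ts - cur.ts).total_seconds()) for n in (prev, nxt) if n is not None]
    checks = {
        "a_watchlisted_country": cur.country in WATCHLIST_COUNTRIES,
        "b_in_watch_window": cur.ts.hour in WATCH_HOURS,
        "c_preceded_by_api_enumeration": prev is not None and prev.method == "GET"
        and prev.path in API_ENUMERATION_PATHS,
        "d_gap_at_least_5s": any(g >= MIN_GAP_SECONDS for g in gaps),
        "e_followed_by_put_to_file_host": nxt is not None and nxt.method == "PUT"
        and nxt.host in FILE_HOSTING_HOSTS,
        "f_nonempty_payload": len(cur.body) > 0,
        "g_compressed_payload": compression(cur.body) is not None,
        "h_pii_in_payload": any(p.search(inflate(cur.body)) for p in PII_PATTERNS),
    }
    return all(checks.values()), checks


def scan(requests):
    """Slide over one source's request history; return indices satisfying all conditions."""
    flagged = []
    for i, cur in enumerate(requests):
        prev = requests[i - 1] if i > 0 else None
        nxt = requests[i + 1] if i + 1 < len(requests) else None
        if evaluate(prev, cur, nxt)[0]:
            flagged.append(i)
    return flagged


def sample_history():
    """Constructed sequence: enumerate the API, pull compressed PII, upload it elsewhere."""
    t0 = datetime(2018, 6, 26, 2, 30, 0)
    record = b"name=J. Doe;ssn=123-45-6789;phone=415-555-0100"
    return [
        Request(t0, "XX", "GET", "svc.example.com", "/openapi.json"),
        Request(t0 + timedelta(seconds=8), "XX", "POST", "svc.example.com", "/export",
                gzip.compress(record)),
        Request(t0 + timedelta(seconds=15), "XX", "PUT", "files.example.net", "/drop/out.bin",
                b"..."),
        # Uncompressed body arriving after a PUT: conditions c and g fail, so not flagged.
        Request(t0 + timedelta(seconds=40), "XX", "POST", "svc.example.com", "/export", record),
    ]
```

Running `scan(sample_history())` flags only the second request. Condition d is stated as "preceding or following", so the example treats a gap of at least 5 seconds to either neighbour as satisfying it; a stricter reading (both neighbours) is a one-word change to `all(...)`. The per-condition dictionary is returned alongside the verdict so that an operator can see which of a-h failed when a request is not flagged, which matters when tuning thresholds such as the gap or the watch window.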
- In some embodiments, the fourteenth component 240 is configured to analyze all communication data, including communications that comprise security attacks, and further identify specific patterns or signatures of such security attacks using machine learning techniques known to those skilled in the art, such as neural networks, regression methods, or decision forests. At least part of such application of machine learning techniques can be implemented by an FPGA, other specific hardware, or specific instruction sets especially suitable for implementing such machine learning operations. For example, specific processors can be used to execute microcode that controls the operation of a finite state machine based on the set of detection conditions discussed above.
- 4. Example Processes
-
FIG. 3 illustrates an example process performed by the security gateway system of implementing a computer security gateway via deep content inspection. FIG. 3 is shown in simplified, schematic format for purposes of illustrating a clear example, and other embodiments may include more, fewer, or different elements connected in various manners. FIG. 3 is intended to disclose an algorithm, plan or outline that can be used to implement one or more computer programs or other software elements which, when executed, cause performing the functional improvements and technical advances that are described herein. Furthermore, the flow diagrams herein are described at the same level of detail that persons of ordinary skill in the art ordinarily use to communicate with one another about algorithms, plans, or specifications forming a basis of software programs that they plan to code or implement using their accumulated skill and knowledge.
- In some embodiments, the security gateway system 102 for a cloud computing platform comprises a first, higher-performance hardware portion, such as a commodity FPGA or one or more special-purpose processors, and a second, lower-performance hardware portion, such as one or more general-purpose processors. The second hardware portion is programmed to intercept a packet from a source computer system to a destination computer system, one of them being a service consumer computer and the other being a cloud-based service computer. Initially, a packet may be part of the handshake process through which the source computer system and the destination computer system establish the protocols of their communication and secure the communication channel. The second hardware portion is programmed to process the packet but offload the computation-intensive process of exchanging keys via asymmetric cryptography to the first hardware portion. Subsequently, a packet may contain actual data, such as input data to the service provided by the cloud-based service computer or output data from the service. The second hardware portion is programmed to then apply lower-level processing to the packet. Under the OSI model, for example, such lower-level processing may include processing up to the transport layer. The second hardware portion is programmed to then transmit the processing result to the first hardware portion for higher-level processing.
- In some embodiments, in step 302, the first hardware portion is programmed to receive an item in a transport layer from the second hardware portion through a communication bus. In step 304, the first hardware portion is programmed to apply higher-level processing to the item or a derivative thereof as follows. Under the OSI model, such higher-level processing may include processing up to the application layer. More specifically, the higher-level processing can start with transport-level processing, such as de-framing a TLS record from a TCP byte stream. The higher-level processing can comprise decrypting data, such as the TLS record, via symmetric cryptography. In certain embodiments, the higher-level processing can include separate decompression of headers and payloads, such as HTTP/2 headers and HTTP data. The higher-level processing can comprise further application-level processing, such as processing under HTTP/2.
- In some embodiments, in step 306, as an initial part of the application-level processing, the first hardware portion is programmed to identify a payload in the item received from the second hardware portion. In step 308, the first hardware portion is programmed to determine whether the item forms a security attack based on the payload, the original data, or additional data received from the source computer device before or after the original data was received, including data received from multiple user sessions. More specifically, the first hardware portion can be programmed to determine whether the payload matches specific regular-expression-based signatures, contains an authorization to share personal data, has a specific size, is compressed, or satisfies other criteria regarding the payload. The first hardware portion can be programmed to also evaluate the IP address of the source computer system, the time when the item or the original packet was received, or other metadata associated with the payload. In addition, the first hardware portion can be programmed to analyze data related to additional packets received from the source computer system, or the corresponding items. More specifically, the first hardware portion may be configured to flag a security anomaly when the payloads in the immediately preceding packets or corresponding items correspond to an exploration of all the APIs of the destination computer system, or when the payloads in the immediately succeeding packets or corresponding items correspond to one or more transfers or uploads of obtained data to a data repository. When the number or frequency of the requests received from the source computer system that are destined for the destination computer system exceeds a first threshold, or when the amount of time required to process these requests exceeds a second threshold, a security anomaly can also be concluded. For example, under HTTP/2, the first hardware portion can be configured to monitor the number of active HTTP flows or the number of incomplete HTTP flows corresponding to requests or messages received from the source computer system and destined for one or more destination computer systems during a period of time. In step 310, the first hardware portion is programmed to transmit a result of all the higher-level processing, including a result of determining whether the item includes or forms a security attack, to the second hardware portion.
- In some embodiments, the second hardware portion is programmed to analyze the result of determining whether the item forms a security attack. In response to the occurrence of a security attack, the second hardware portion can take a remedial action, such as sending a notification to the destination computer system without forwarding the packet, or simply discarding the packet. In response to an absence of a security attack, the second hardware portion is programmed to then perform further high-level processing, such as the processing performed by a proxy server. The second hardware portion is then programmed to send the original packet to the destination computer system or subject the current processing result to increasingly lower levels of processing for transmission to the destination computer system.
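The transport-level start of step 304 (de-framing TLS records from a TCP byte stream, the eleventh component of FIG. 2B), the handshake-versus-data routing decision the lower-performance portion makes, and the HTTP/2 frame demultiplexing and active/incomplete flow counting of step 308, as an added example in Python. It is not the patent's implementation, which targets an FPGA, and it assumes the record decryption and HPACK stages in between: the bytes handed to the HTTP/2 stage are treated as already decrypted. The record layout is the 5-byte TLS record header of RFC 5246 with its 2^14 + 2048 byte ciphertext bound, and the frame layout is the 9-byte HTTP/2 frame header; the frame builders, thresholds, source address and 7-byte TCP segmentation are constructed for the run.

```python
import struct
from collections import defaultdict

# TLS record layer (the "eleventh component" / start of step 304).
TLS_HANDSHAKE, TLS_APPLICATION_DATA = 22, 23
TLS_MAX_CIPHERTEXT = 2 ** 14 + 2048         # RFC 5246 bound on TLSCiphertext.length


class TlsRecordDeframer:
    """Accumulates TCP segment bytes and yields complete (type, version, payload) records."""

    def __init__(self):
        self.buf = b""

    def feed(self, segment):
        self.buf += segment
        records = []
        while len(self.buf) >= 5:                       # 5-byte record header
            ctype, version, length = struct.unpack("!BHH", self.buf[:5])
            if length > TLS_MAX_CIPHERTEXT:
                raise ValueError("oversized TLS record: %d bytes" % length)
            if len(self.buf) < 5 + length:
                break                                   # partial record: wait for more bytes
            records.append((ctype, version, self.buf[5:5 + length]))
            self.buf = self.buf[5 + length:]
        return records


def route(record):
    """The lower-performance portion's per-record choice from FIG. 2B."""
    ctype = record[0]
    if ctype == TLS_HANDSHAKE:
        return "handshake"            # key-exchange path; never reaches step 304
    if ctype == TLS_APPLICATION_DATA:
        return "higher-performance"   # handed over the bus for higher-level processing
    return "lower-level"              # alerts, change_cipher_spec: no application content


# HTTP/2 framing (the "twelfth component") and flow counting (step 308).
H2_DATA, H2_HEADERS, H2_RST_STREAM = 0x0, 0x1, 0x3
H2_FLAG_END_STREAM = 0x1


def parse_h2_frames(plaintext):
    """Split decrypted HTTP/2 bytes into (type, flags, stream_id, payload) tuples."""
    frames, off = [], 0
    while off + 9 <= len(plaintext):                    # 9-byte frame header
        length = int.from_bytes(plaintext[off:off + 3], "big")
        ftype, flags = plaintext[off + 3], plaintext[off + 4]
        stream_id = int.from_bytes(plaintext[off + 5:off + 9], "big") & 0x7FFFFFFF  # drop R bit
        payload = plaintext[off + 9:off + 9 + length]
        if len(payload) < length:
            break                                       # truncated trailing frame
        frames.append((ftype, flags, stream_id, payload))
        off += 9 + length
    return frames


class FlowTracker:
    """Per-source counts: request streams opened (rate) and still incomplete (no END_STREAM)."""

    def __init__(self, max_opened, max_incomplete):
        self.max_opened, self.max_incomplete = max_opened, max_incomplete
        self.opened = defaultdict(int)
        self.incomplete = defaultdict(set)

    def observe(self, src, frames):
        for ftype, flags, sid, _ in frames:
            if sid == 0:
                continue                                # SETTINGS, PING etc. are connection-level
            if ftype == H2_HEADERS:
                self.opened[src] += 1
                self.incomplete[src].add(sid)
            if flags & H2_FLAG_END_STREAM or ftype == H2_RST_STREAM:
                self.incomplete[src].discard(sid)
        return (self.opened[src] > self.max_opened
                or len(self.incomplete[src]) > self.max_incomplete)


# Constructed traffic for a stand-alone run (not captured data).
def tls_record(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload


def h2_frame(ftype, flags, sid, payload=b""):
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + sid.to_bytes(4, "big") + payload


def demo(max_incomplete=1):
    """Three HEADERS frames from one client; only stream 1 finishes its request."""
    h2 = (h2_frame(H2_HEADERS, H2_FLAG_END_STREAM, 1, b"\x82")   # 0x82: HPACK ':method: GET'
          + h2_frame(H2_HEADERS, 0, 3, b"\x82")
          + h2_frame(H2_HEADERS, 0, 5, b"\x82"))
    stream = tls_record(TLS_HANDSHAKE, b"\x01\x00\x00\x00") + tls_record(TLS_APPLICATION_DATA, h2)
    deframer, tracker = TlsRecordDeframer(), FlowTracker(max_opened=10, max_incomplete=max_incomplete)
    routes, flagged, src = [], False, "198.51.100.7"
    for i in range(0, len(stream), 7):                  # 7-byte segments split every record
        for rec in deframer.feed(stream[i:i + 7]):
            routes.append(route(rec))
            if routes[-1] == "higher-performance":      # "decryption" is a no-op here
                flagged = tracker.observe(src, parse_h2_frames(rec[2])) or flagged
    return routes, tracker.opened[src], len(tracker.incomplete[src]), flagged
```

`demo()` routes the handshake record away from the higher-level path, passes the application-data record on, and reports three opened streams of which two never carried END_STREAM, which trips the incomplete-flow threshold of 1. Two points carry over to a hardware implementation: the deframer rejects a record whose declared length exceeds the protocol bound before buffering it, so a hostile peer cannot make the accumulator grow without limit, and the tracker keys on the source rather than the connection, since the text counts flows "received from the source computer system" across one or more destinations.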
- 5. Implementation Example—Hardware Overview
- According to one embodiment, the techniques described herein are implemented by at least one computing device. The techniques may be implemented in whole or in part using a combination of at least one server computer and/or other computing devices that are coupled using a network, such as a packet data network. The computing devices may be hard-wired to perform the techniques, or may include digital electronic devices such as at least one application-specific integrated circuit (ASIC) or field programmable gate array (FPGA) that is persistently programmed to perform the techniques, or may include at least one general purpose hardware processor programmed to perform the techniques pursuant to program instructions in firmware, memory, other storage, or a combination. Such computing devices may also combine custom hard-wired logic, ASICs, or FPGAs with custom programming to accomplish the described techniques. The computing devices may be server computers, workstations, personal computers, portable computer systems, handheld devices, mobile computing devices, wearable devices, body mounted or implantable devices, smartphones, smart appliances, internetworking devices, autonomous or semi-autonomous devices such as robots or unmanned ground or aerial vehicles, any other electronic device that incorporates hard-wired and/or program logic to implement the described techniques, one or more virtual computing machines or instances in a data center, and/or a network of server computers and/or personal computers.
-
FIG. 4 is a block diagram that illustrates an example computer system with which an embodiment may be implemented. In the example of FIG. 4, a computer system 400 and instructions for implementing the disclosed technologies in hardware, software, or a combination of hardware and software, are represented schematically, for example as boxes and circles, at the same level of detail that is commonly used by persons of ordinary skill in the art to which this disclosure pertains for communicating about computer architecture and computer systems implementations.
- Computer system 400 includes an input/output (I/O) subsystem 402 which may include a bus and/or other communication mechanism(s) for communicating information and/or instructions between the components of the computer system 400 over electronic signal paths. The I/O subsystem 402 may include an I/O controller, a memory controller and at least one I/O port. The electronic signal paths are represented schematically in the drawings, for example as lines, unidirectional arrows, or bidirectional arrows.
- At least one hardware processor 404 is coupled to I/O subsystem 402 for processing information and instructions. Hardware processor 404 may include, for example, a general-purpose microprocessor or microcontroller and/or a special-purpose microprocessor such as an embedded system or a graphics processing unit (GPU) or a digital signal processor or ARM processor. Processor 404 may comprise an integrated arithmetic logic unit (ALU) or may be coupled to a separate ALU.
- Computer system 400 includes one or more units of memory 406, such as a main memory, which is coupled to I/O subsystem 402 for electronically digitally storing data and instructions to be executed by processor 404. Memory 406 may include volatile memory such as various forms of random-access memory (RAM) or other dynamic storage device. Memory 406 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 404. Such instructions, when stored in non-transitory computer-readable storage media accessible to processor 404, can render computer system 400 into a special-purpose machine that is customized to perform the operations specified in the instructions.
- Computer system 400 further includes non-volatile memory such as read only memory (ROM) 408 or other static storage device coupled to I/O subsystem 402 for storing information and instructions for processor 404. The ROM 408 may include various forms of programmable ROM (PROM) such as erasable PROM (EPROM) or electrically erasable PROM (EEPROM). A unit of persistent storage 410 may include various forms of non-volatile RAM (NVRAM), such as FLASH memory, or solid-state storage, magnetic disk or optical disk such as CD-ROM or DVD-ROM, and may be coupled to I/O subsystem 402 for storing information and instructions. Storage 410 is an example of a non-transitory computer-readable medium that may be used to store instructions and data which when executed by the processor 404 cause performing computer-implemented methods to execute the techniques herein.
- The instructions in memory 406, ROM 408 or storage 410 may comprise one or more sets of instructions that are organized as modules, methods, objects, functions, routines, or calls. The instructions may be organized as one or more computer programs, operating system services, or application programs including mobile apps. The instructions may comprise an operating system and/or system software; one or more libraries to support multimedia, programming or other functions; data protocol instructions or stacks to implement TCP/IP, HTTP or other communication protocols; file processing instructions to interpret and render files coded using HTML, XML, JPEG, MPEG or PNG; user interface instructions to render or interpret commands for a graphical user interface (GUI), command-line interface or text user interface; application software such as an office suite, internet access applications, design and manufacturing applications, graphics applications, audio applications, software engineering applications, educational applications, games or miscellaneous applications. The instructions may implement a web server, web application server or web client. The instructions may be organized as a presentation layer, application layer and data storage layer such as a relational database system using structured query language (SQL) or no SQL, an object store, a graph database, a flat file system or other data storage.
-
Computer system 400 may be coupled via I/O subsystem 402 to at least one output device 412. In one embodiment, output device 412 is a digital computer display. Examples of a display that may be used in various embodiments include a touch screen display or a light-emitting diode (LED) display or a liquid crystal display (LCD) or an e-paper display. Computer system 400 may include other type(s) of output devices 412, alternatively or in addition to a display device. Examples of other output devices 412 include printers, ticket printers, plotters, projectors, sound cards or video cards, speakers, buzzers or piezoelectric devices or other audible devices, lamps or LED or LCD indicators, haptic devices, actuators or servos.
- At least one input device 414 is coupled to I/O subsystem 402 for communicating signals, data, command selections or gestures to processor 404. Examples of input devices 414 include touch screens, microphones, still and video digital cameras, alphanumeric and other keys, keypads, keyboards, graphics tablets, image scanners, joysticks, clocks, switches, buttons, dials, slides, and/or various types of sensors such as force sensors, motion sensors, heat sensors, accelerometers, gyroscopes, and inertial measurement unit (IMU) sensors and/or various types of transceivers such as wireless, such as cellular or Wi-Fi, radio frequency (RF) or infrared (IR) transceivers and Global Positioning System (GPS) transceivers.
- Another type of input device is a control device 416, which may perform cursor control or other automated control functions such as navigation in a graphical interface on a display screen, alternatively or in addition to input functions. Control device 416 may be a touchpad, a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to processor 404 and for controlling cursor movement on display 412. The input device may have at least two degrees of freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y), that allows the device to specify positions in a plane. Another type of input device is a wired, wireless, or optical control device such as a joystick, wand, console, steering wheel, pedal, gearshift mechanism or other type of control device. An input device 414 may include a combination of multiple different input devices, such as a video camera and a depth sensor.
- In another embodiment, computer system 400 may comprise an internet of things (IoT) device in which one or more of the output device 412, input device 414, and control device 416 are omitted. Or, in such an embodiment, the input device 414 may comprise one or more cameras, motion detectors, thermometers, microphones, seismic detectors, other sensors or detectors, measurement devices or encoders and the output device 412 may comprise a special-purpose display such as a single-line LED or LCD display, one or more indicators, a display panel, a meter, a valve, a solenoid, an actuator or a servo.
- When computer system 400 is a mobile computing device, input device 414 may comprise a global positioning system (GPS) receiver coupled to a GPS module that is capable of triangulating to a plurality of GPS satellites, determining and generating geo-location or position data such as latitude-longitude values for a geophysical location of the computer system 400. Output device 412 may include hardware, software, firmware and interfaces for generating position reporting packets, notifications, pulse or heartbeat signals, or other recurring data transmissions that specify a position of the computer system 400, alone or in combination with other application-specific data, directed toward host 424 or server 430.
-
Computer system 400 may implement the techniques described herein using customized hard-wired logic, at least one ASIC or FPGA, firmware and/or program instructions or logic which when loaded and used or executed in combination with the computer system causes or programs the computer system to operate as a special-purpose machine. According to one embodiment, the techniques herein are performed by computer system 400 in response to processor 404 executing at least one sequence of at least one instruction contained in main memory 406. Such instructions may be read into main memory 406 from another storage medium, such as storage 410. Execution of the sequences of instructions contained in main memory 406 causes processor 404 to perform the process steps described herein. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions.
- The term “storage media” as used herein refers to any non-transitory media that store data and/or instructions that cause a machine to operate in a specific fashion. Such storage media may comprise non-volatile media and/or volatile media. Non-volatile media includes, for example, optical or magnetic disks, such as storage 410. Volatile media includes dynamic memory, such as memory 406. Common forms of storage media include, for example, a hard disk, solid state drive, flash drive, magnetic data storage medium, any optical or physical data storage medium, memory chip, or the like.
- Storage media is distinct from but may be used in conjunction with transmission media. Transmission media participates in transferring information between storage media. For example, transmission media includes coaxial cables, copper wire and fiber optics, including the wires that comprise a bus of I/O subsystem 402. Transmission media can also take the form of acoustic or light waves, such as those generated during radio-wave and infra-red data communications.
- Various forms of media may be involved in carrying at least one sequence of at least one instruction to processor 404 for execution. For example, the instructions may initially be carried on a magnetic disk or solid-state drive of a remote computer. The remote computer can load the instructions into its dynamic memory and send the instructions over a communication link such as a fiber optic or coaxial cable or telephone line using a modem. A modem or router local to computer system 400 can receive the data on the communication link and convert the data to be read by computer system 400. For instance, a receiver such as a radio frequency antenna or an infrared detector can receive the data carried in a wireless or optical signal and appropriate circuitry can provide the data to I/O subsystem 402 such as place the data on a bus. I/O subsystem 402 carries the data to memory 406, from which processor 404 retrieves and executes the instructions. The instructions received by memory 406 may optionally be stored on storage 410 either before or after execution by processor 404.
-
Computer system 400 also includes a communication interface 418 coupled to bus 402. Communication interface 418 provides a two-way data communication coupling to network link(s) 420 that are directly or indirectly connected to at least one communication network, such as a network 422 or a public or private cloud on the Internet. For example, communication interface 418 may be an Ethernet networking interface, integrated-services digital network (ISDN) card, cable modem, satellite modem, or a modem to provide a data communication connection to a corresponding type of communications line, for example an Ethernet cable or a metal cable of any kind or a fiber-optic line or a telephone line. Network 422 broadly represents a local area network (LAN), wide-area network (WAN), campus network, internetwork or any combination thereof. Communication interface 418 may comprise a LAN card to provide a data communication connection to a compatible LAN, or a cellular radiotelephone interface that is wired to send or receive cellular data according to cellular radiotelephone wireless networking standards, or a satellite radio interface that is wired to send or receive digital data according to satellite wireless networking standards. In any such implementation, communication interface 418 sends and receives electrical, electromagnetic or optical signals over signal paths that carry digital data streams representing various types of information.
- Network link 420 typically provides electrical, electromagnetic, or optical data communication directly or through at least one network to other data devices, using, for example, satellite, cellular, Wi-Fi, or BLUETOOTH technology. For example, network link 420 may provide a connection through a network 422 to a host computer 424.
- Furthermore, network link 420 may provide a connection through network 422 or to other computing devices via internetworking devices and/or computers that are operated by an Internet Service Provider (ISP) 426. ISP 426 provides data communication services through a world-wide packet data communication network represented as internet 428. A server computer 430 may be coupled to internet 428. Server 430 broadly represents any computer, data center, virtual machine or virtual computing instance with or without a hypervisor, or computer executing a containerized program system such as DOCKER or KUBERNETES. Server 430 may represent an electronic digital service that is implemented using more than one computer or instance and that is accessed and used by transmitting web services requests, uniform resource locator (URL) strings with parameters in HTTP payloads, API calls, app services calls, or other service calls. Computer system 400 and server 430 may form elements of a distributed computing system that includes other computers, a processing cluster, server farm or other organization of computers that cooperate to perform tasks or execute applications or services. Server 430 may comprise one or more sets of instructions that are organized as modules, methods, objects, functions, routines, or calls. The instructions may be organized as one or more computer programs, operating system services, or application programs including mobile apps. The instructions may comprise an operating system and/or system software; one or more libraries to support multimedia, programming or other functions; data protocol instructions or stacks to implement TCP/IP, HTTP or other communication protocols; file format processing instructions to interpret or render files coded using HTML, XML, JPEG, MPEG or PNG; user interface instructions to render or interpret commands for a graphical user interface (GUI), command-line interface or text user interface; application software such as an office suite, internet access applications, design and manufacturing applications, graphics applications, audio applications, software engineering applications, educational applications, games or miscellaneous applications. Server 430 may comprise a web application server that hosts a presentation layer, application layer and data storage layer such as a relational database system using structured query language (SQL) or no SQL, an object store, a graph database, a flat file system or other data storage.
- Computer system 400 can send messages and receive data and instructions, including program code, through the network(s), network link 420 and communication interface 418. In the Internet example, a server 430 might transmit a requested code for an application program through Internet 428, ISP 426, local network 422 and communication interface 418. The received code may be executed by processor 404 as it is received, and/or stored in storage 410, or other non-volatile storage for later execution.
- The execution of instructions as described in this section may implement a process in the form of an instance of a computer program that is being executed, and consisting of program code and its current activity. Depending on the operating system (OS), a process may be made up of multiple threads of execution that execute instructions concurrently. In this context, a computer program is a passive collection of instructions, while a process may be the actual execution of those instructions. Several processes may be associated with the same program; for example, opening up several instances of the same program often means more than one process is being executed. Multitasking may be implemented to allow multiple processes to share processor 404. While each processor 404 or core of the processor executes a single task at a time, computer system 400 may be programmed to implement multitasking to allow each processor to switch between tasks that are being executed without having to wait for each task to finish. In an embodiment, switches may be performed when tasks perform input/output operations, when a task indicates that it can be switched, or on hardware interrupts. Time-sharing may be implemented to allow fast response for interactive user applications by rapidly performing context switches to provide the appearance of concurrent execution of multiple processes simultaneously. In an embodiment, for security and reliability, an operating system may prevent direct communication between independent processes, providing strictly mediated and controlled inter-process communication functionality.
- 6.0. Extensions and Alternatives
- In the foregoing specification, embodiments of the disclosure have been described with reference to numerous specific details that may vary from implementation to implementation. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense. The sole and exclusive indicator of the scope of the disclosure, and what is intended by the applicants to be the scope of the disclosure, is the literal and equivalent scope of the set of claims that issue from this application, in the specific form in which such claims issue, including any subsequent correction.
Claims (21)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/019,539 US10516649B1 (en) | 2018-06-27 | 2018-06-27 | High-performance computer security gateway for cloud computing platform |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/019,539 US10516649B1 (en) | 2018-06-27 | 2018-06-27 | High-performance computer security gateway for cloud computing platform |
Publications (2)
Publication Number | Publication Date |
---|---|
US10516649B1 US10516649B1 (en) | 2019-12-24 |
US20200007501A1 true US20200007501A1 (en) | 2020-01-02 |
Family
ID=68979788
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/019,539 Active US10516649B1 (en) | 2018-06-27 | 2018-06-27 | High-performance computer security gateway for cloud computing platform |
Country Status (1)
Country | Link |
---|---|
US (1) | US10516649B1 (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11936562B2 (en) * | 2018-07-19 | 2024-03-19 | Vmware, Inc. | Virtual machine packet processing offload |
US11212083B2 (en) * | 2018-09-07 | 2021-12-28 | A10 Networks, Inc. | Slave secure sockets layer proxy system |
US11057478B2 (en) * | 2019-05-23 | 2021-07-06 | Fortinet, Inc. | Hybrid cluster architecture for reverse proxies |
US11671483B2 (en) * | 2019-10-30 | 2023-06-06 | Telefonaktiebolaget Lm Ericsson (Publ) | In-band protocol-based in-network computation offload framework |
CN111339030B (en) * | 2020-02-23 | 2023-06-06 | 苏州浪潮智能科技有限公司 | Cloud file system based on FPGA and data processing method thereof |
CN113556364B (en) * | 2021-09-18 | 2021-12-07 | 浙江大学 | DPDK-based DDoS real-time defense system |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7203740B1 (en) * | 1999-12-22 | 2007-04-10 | Intel Corporation | Method and apparatus for allowing proprietary forwarding elements to interoperate with standard control elements in an open architecture for network devices |
US7490350B1 (en) * | 2004-03-12 | 2009-02-10 | Sca Technica, Inc. | Achieving high assurance connectivity on computing devices and defeating blended hacking attacks |
JP4978006B2 (en) * | 2006-01-05 | 2012-07-18 | 日本電気株式会社 | Data processing apparatus and data processing method |
KR101042729B1 (en) * | 2009-04-09 | 2011-06-20 | 삼성에스디에스 주식회사 | System-on-chip and asic based malware detecting apparatus in mobile device |
US8307418B2 (en) * | 2010-03-16 | 2012-11-06 | Genband Inc. | Methods, systems, and computer readable media for providing application layer firewall and integrated deep packet inspection functions for providing early intrusion detection and intrusion prevention at an edge networking device |
US9910705B1 (en) * | 2015-02-18 | 2018-03-06 | Altera Corporation | Modular offloading for computationally intensive tasks |
US10171423B1 (en) * | 2015-05-21 | 2019-01-01 | Juniper Networks, Inc. | Services offloading for application layer services |
2018
- 2018-06-27 US US16/019,539 patent/US10516649B1/en active Active
Also Published As
Publication number | Publication date |
---|---|
US10516649B1 (en) | 2019-12-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11457047B2 (en) | | Managing computer security services for cloud computing platforms |
US10516649B1 (en) | | High-performance computer security gateway for cloud computing platform |
US12088561B2 (en) | | Application-layer service traffic communication using datacenter network fabric as proxy |
JP6496404B2 (en) | | Proxy server in the computer subnetwork |
US10498771B1 (en) | | Protocol agnostic security by using out-of-band health check |
US11652610B2 (en) | | Multi-layer ledgers for multi-party secure data governance |
US10630702B1 (en) | | Protocol agnostic security by using out-of-band health checks |
US11909845B2 (en) | | Methods and systems for managing applications of a multi-access edge computing environment |
US11366892B2 (en) | | Detecting compromised credentials by improved private set intersection |
US10491584B2 (en) | | Role-based resource access control |
WO2020081465A1 (en) | | Tenant-specific encryption of packets carried in multi-cloud networks |
US11233823B1 (en) | | Efficient implementation of honeypot devices to detect wide-scale network attacks |
US20220107845A1 (en) | | Integrated edge cloud architecture |
CN115865950A (en) | | Storage node recruitment in information-centric networks |
US10999262B1 (en) | | High assurance tactical cross-domain hub |
US20230214283A1 (en) | | Decentralized data centers |
US11568078B2 (en) | | Obfuscation of queries and responses in a security data search system |
CN106355101A (en) | | Transparent file encryption and decryption system and method for simple storage services |
US20240291831A1 (en) | | Telemetry-driven automatic identity-based micro-segmentation recommendations and runtime enforcement |
Cusack | | Enabling Application-Specific Programmable Compute Infrastructure |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AS | Assignment | Owner name: VALTIX, INC., CALIFORNIA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CHANDER, VIJAY;JAIN, VISHAL;PATNALA, PRAVEEN;SIGNING DATES FROM 20180615 TO 20180625;REEL/FRAME:046212/0149 |
 | FEPP | Fee payment procedure | Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY |
 | FEPP | Fee payment procedure | Free format text: ENTITY STATUS SET TO SMALL (ORIGINAL EVENT CODE: SMAL); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY |
 | STCF | Information on status: patent grant | Free format text: PATENTED CASE |
 | AS | Assignment | Owner name: VALTIX LLC, CALIFORNIA. Free format text: CHANGE OF NAME;ASSIGNOR:VALTIX, INC.;REEL/FRAME:064573/0814. Effective date: 20230404 |
 | FEPP | Fee payment procedure | Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY |
 | FEPP | Fee payment procedure | Free format text: SURCHARGE FOR LATE PAYMENT, LARGE ENTITY (ORIGINAL EVENT CODE: M1554); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY. Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
 | MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY. Year of fee payment: 4 |