WO2002037730A2 - A router-based system for providing multi-level data filtering and security services in a broadband environment - Google Patents


Info

Publication number
WO2002037730A2
Authority
WO
Grant status
Application
Patent type
Prior art keywords
network
system
services
application
ars
Prior art date
Application number
PCT/IL2001/001012
Other languages
French (fr)
Other versions
WO2002037730A3 (en )
Inventor
Alberto Schliserman
Eldad Gefen
Ilan Kander
Original Assignee
Firebit Ltd.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L47/00 Traffic regulation in packet switching networks
    • H04L47/10 Flow control or congestion control
    • H04L47/24 Flow control or congestion control depending on the type of traffic, e.g. priority or quality of service [QoS]
    • H04L47/2425 Service specification, e.g. SLA

Abstract

The present invention relates to a router-based system (50) for providing multi-level data filtering, security services and content related switching services in a broadband environment (13). This system allows the operator of a network, and in particular, a Next Generation Network to provide outsourcing services to its subscribers and ensure performance of such services and Service Level Agreements. These services are executed across multiple layers of the ISO seven-layer model, within or co-operating with Edge Routers (20), at the point of entry to the Internet or network. Services offered by the present invention include security services, selective browsing services and application layer services, which can be used to substantially enhance security, content, management and control in a network.

Description

A ROUTER-BASED SYSTEM FOR PROVIDING MULTI-LEVEL DATA FILTERING AND SECURITY SERVICES IN A BROADBAND ENVIRONMENT

FIELD AND BACKGROUND OF THE INVENTION

The present invention relates to a system that allows the operator of a network, and in particular, a Next Generation Network (hereinafter referred to as NGN), to provide outsourcing services to its subscribers, including security services, selective browsing services and application layer services. This system enables content and data control, enhanced security and filtered navigation for subscribers. These services are executed across multiple layers of the ISO seven-layer model, at the point of entry to the Internet, and enable customized implementation according to the preferences of each user.

The main reason for the NGN's improved performance is that it minimizes the number of transformations that traffic undergoes on its way from source to destination. This minimizes bandwidth waste and the number and complexity of networking elements, and, at the bottom line, cuts costs without losing quality and functionality.

In order to support the existing and future services the NGN has additional functionality that does not exist in today's IP systems:

1) Quality of Service has to be ensured end-to end for real time critical data like Voice and Video.

2) Service Level Agreements have to be offered, assured and monitored to all customers.

3) The network will have to provide subscriber specific services compared with common service for all.

4) Billing will have to be specific per Application, per Bandwidth, per Subscriber, etc. compared with today's billing per time or flat rates.

5) Connection reliability has to meet the levels of today's telephony since critical systems will rely on the network services: telephony, e-commerce, e-learning e-banking and more.

Next Generations operators have different goals: 1) Carriers and ILEC's (incumbent local exchange carrier) building new infrastructure to be able to compete and provide new services.

2) ISP's moving up to provide telephony and new levels of network bandwidth and service reliability.

3) New operators coming on stage to compete with the incumbent operators. NGN networks present huge technological challenges, and standards bodies are collectively working to identify and resolve them. NGN pilot networks have already been deployed, yet the real NGN infrastructure systems are still in development phases.

Next Generation Networks can originate from various operator types and technologies, such as:

ILEC - Incumbent Local Exchange Carrier, which builds a new NGN network or upgrades its old one.

CLEC - Competitive Local Exchange Carrier, which builds or leases infrastructure to build a NGN.

ISP - Internet Service Provider, which changes its hub architecture to a new NGN-like network.

Cellular Operators building Generation 2.5 and 3 to provide mobile web services.

The NGN architecture presents a new challenge to traditional networking solutions. The network architects originating in the Enterprise LAN/WAN environments have the basic networking tools. Yet these solutions do not support a massive number of customers, nor do they have built-in "carrier grade" attributes, which are a must for mass-market services. (Compare the number of MIS personnel per Enterprise worker to the number of employees in a Telecommunications company per subscriber: 1/50-1/100 vs. 1/2000-1/10000 respectively.)

The architects, originating in traditional Switch suppliers, are being forced to replace their hierarchical structures (Services/ATM SDH/Fiber) with flat structures where IP serves as the unifying layer for all services. Accordingly, IP would run directly over fiber (POS -Packet Over SONET, over DWDM- Dense wavelength division multiplexing) or IP/ATM/DWDM. The Networking problems that both these worlds' architects have encountered, have brought them to design very basic connectivity solutions with a minimum amount of services: Fast Internet, VOIP, Unified Messaging. Indeed the Fast Internet hides within it a multitude of services which exist in the Web today, as well as many of those being developed; yet many of the "Services Provided by the Network" have disappeared; they have been replaced by the client-server model of the Internet services.

This client server model assumes not only powerful clients, but also subscribers with highly technical skills (and lots of patience). This does not represent the standard Next Generation Network (NGN) user or the standard Internet subscriber.

In terms of dealing with security concerns and content filtering issues, several systems are used today:

1. Firewall services are provided by Checkpoint (www.chekpoint.com), 3COM (www.3com.com) and others. These services allow content providers and corporations to control who can access their networks, and what data can enter and leave their networks. Firewalls are highly effective for limited bandwidth access, and only if customized and scrupulously maintained. These demands make a firewall expensive to operate and leave question marks over how they will fare in a broadband environment.

2. Anti-virus services are offered by Norton (www.norton.com), Aladdin (www.alladin.com), and others. These services are typically uploaded on company networks, and are highly effective against known viruses and intrusions. However the clear problem with these services is that they can only protect a user or network against known threats. Furthermore, these services require constant updating in order to remain relevant. This makes them expensive to maintain. Such maintenance does not only include regular database and software updates but also urgent updates when "virus epidemics" spread over the Internet via infected, self-multiplying e-mails. In the case of urgent updates, every PC owner has to activate the update of his or her anti-virus software.

3. There are content based routers currently available, such as those by Arrowpoint (www.arrowpoint.com), a subsidiary of Cisco (www.cisco.com). These routers are able to route packets based on content; however they do not perform application level processes which demand reconstruction of contents from packet streams.

4. In addition there is Shasta's (now Nortel Networks, www.nortelnetworks.com) BSN 5000, which is an implementation of a firewall with selective browsing. It does not, however, implement application level services, such as anti-virus checking.

5. Other competing technologies include Red Back - Abatis (www.redback.com), Cosine Communications (www.cosinecom.com), Juniper (www.juniper.com) and Sofaware (www.sofaware.com). These technologies are able to perform partial processing of the traffic. Certain of these focus on routing, while others are able to perform basic firewall functionality. None of them, however, is able to perform complete processing at all networking layers while still maintaining the real time characteristics of streaming audio, video and multimedia.

There is thus a widely recognized need for, and it would be highly advantageous to have, a network system that can monitor and control data flow for mass usage, simultaneously filtering and processing data on various network layers or levels concurrently. Such a system provides holistic security and content solutions from the server side in a broadband environment. It should be transparent to the user, and provide a buffer against security attacks even before the attacks have reached the actual user station. Furthermore this system should be able to mobilize the entire system's resources against security attacks, thereby protecting subscribers and providing a complete range of networking services.

The present invention, hereinafter referred to as Firex 1, provides solutions for many of the above stated limitations. The present invention enables a network provider or NGN operator to recapture the role of a REAL network service provider, by controlling all network services. With the present invention the operator provides its subscribers not only a more dependable service, but also relieves customer concerns that prevent them from really exploiting the NGN. The operator is able to monitor and control services such as anti-virus software updates, application of browsing filters, shopping authentication, network access, application updates, system resources monitoring etc.

Summary

According to the present invention there is provided a router-based system for allowing the operator of a network, for example a Next Generation Network, to provide and manage network services on a customized basis to its subscribers. These services, which include security services, selective browsing services and application layer services, can be used to substantially enhance security, content, management and control in the network, as they operate across multiple layers of the OSI seven-layer model (layers 3-7), at the entry points to the Internet or network.

The services the NGN operator is able to offer under the present invention include services that are ordinarily both expensive to purchase and problematic to maintain, such as configuring, updating and changing system settings in response to new software releases of applications or PC changes. The present invention offers individually innovative services plus a basket of services that are not available in any known inventions or technologies.

For the network operator, the system of the present invention generates not only a stream of income but also more customer satisfaction, a better network image in the market as well as less churn. Customers for the outsourcing services are not limited to individual subscribers, but may include small business/home business (SOHO) or even medium size enterprises that do not want to invest in MIS personnel nor want to rely on multiple "Consultants" for the setup and maintenance of their Internet/Intranet/Extranet activities. For this layer of customers the present invention provides all the tools for the NGN operator to outsource the whole activity (over high-speed access). This includes VPN, Firewall, Load sharing, web hosting and all the standard Internet services (mail, file archives etc.). This layer of clients is already accustomed to outsourcing their MIS activities to many outsourcing bodies. These outsourcing entities can buy a set of h/w and s/w installation, configuration, and maintenance of all the required MIS support for each client. This system is able to support many clients, without having to set up dedicated networking devices for every client. Maintenance is centralized so that the highly expensive MIS workforce is optimized.

The system architecture implements a multi level router system, such that Internet traffic to and from subscribers is checked by a hierarchy of processing elements from layer 3 up to layer 7 of the OSI seven-layer model. At each level the real time characteristics of the traffic are preserved so that the processing is transparent to the subscriber. The system allows the operator of a broadband Internet network to create a "sterile" Internet. Sterility is achieved by filtering incoming traffic and cleaning it of viruses, hackers and other malicious activities. The user benefits from a more dependable, secure and customized Internet.

A primary way this invention operates is in the form of a system that serves the subscribers of the broadband Internet by performing a variety of security related tasks, without any intervention of the subscriber. These services include firewalls, anti -virus checks, hacker activity detection and prevention, and selective browsing control to prevent subscribers from accessing pre-defined sites.

According to the present invention there is provided a system for filtering and processing data traffic in a Network, comprising:

i. An Application Router System for analyzing and processing data at the gateway of a network;

ii. An Application Server for performing pseudo-real-time services; and

iii. A Service and Network Management System for managing the overall data control and application control of said application routers and said application servers in a network.

According to the present invention there is further provided a router-based system for enabling multi-leveled security in a network environment, comprising:

i. A network layer management suite for management of network-wide processes; and

ii. A service layer management suite for supporting service delivery and maintenance from each customer to all the system elements.

According to the present invention there is further provided a:

• System for implementing application level services as part of the router functionality in a Network .

• A multiple level router system for controlling Internet traffic between users in a network.

• A method for creating a services enabling platform in a Network

• A method for enabling multi-leveled security in a network environment

• A method for ensuring a clean network environment by filtering and processing incoming and outgoing data at the borders of the network

• A method for filtering Internet navigation for limiting the Web sites that can be seen by a user.

Brief Description of the Drawings:

The invention is herein described, by way of example only, with reference to the accompanying drawings, wherein:

Figure 1 illustrates a NGN (Next Generation Network), including Edge Routers.

Figure 2 illustrates where the ARS (Application Router System) operates in ISP and Next Generation Network Architectures, in relation to existing and future Internet components.

Figure 3 represents the Packet/session/ Application Processing Hierarchy according to the present invention.

Figure 4 illustrates the distributed security system according to the present invention.

Figure 5 illustrates the system elements according to the present invention.

Detailed Description of the Preferred Embodiment:

The preferred embodiment of the present invention is located next to or replaces the Edge Router, or the point of entry router in a network. This positioning of the system enables efficient overall control and analysis of data entering a network, as all data entering and exiting a network passes through the Edge Routers. In this way the present invention executes vital functions for network users, while remaining fundamentally transparent to these users. The technical execution, monitoring and updating of security, browsing and other services are taken care of by the Network or Next Generation Network (NGN) operators. For example, the present invention may be operated by the ISPs with no involvement on the part of the users. The system of the present invention provides such capabilities according to the following designs:

a) The implementation of Application Routers with powerful system-on-chip technologies, to perform the role of a wire-speed edge router. This allows intelligent processing of Layers 2/3/4 with hardware that analyzes all header fields. This system-on-chip technology is combined with service level intelligence to enable subscriber specific services. The same hardware provides filtering, blocking, duplication and redirection, based on parameters of the media stream (IP addresses, ports, protocol type, URL, SSL, cookie etc.). This implementation results in Application Router Systems, or Edge Routers, that have the capacity to filter and process data when it enters or exits a network. This includes the capacity to monitor and manage data passing between networks of any size, even before the data passes through the ISP servers.

b) The present invention includes an in-line filtering capability that serves as the kernel of the operation performed on a data stream from the packet level to the session level (Layers 2/3/4/5). A multiple level router system is provided for controlling Internet traffic between users in a network, comprising a hierarchy of processing elements for multiple layer data processing. This multiple layer data processing is executed on layers 3-7 of the OSI seven-layer model. The OSI model includes the following seven layers: Physical layer, Data link layer, Network layer, Transport layer, Session layer, Presentation layer and Application layer. The present invention can perform the above functions according to any Internet protocol model, and is not limited by the scope of the OSI seven-layer model. With this kernel, each client may have packet filters, access lists, firewall, VPN, selective browsing and even virus checking for mail and files.

c) An implementation of a Service Router that performs all operations without affecting Real Time media streams of Voice and Video.

d) Provision of a comprehensive suite of Network Layer and Service Layer Management, for completing the service offering of the NGN operator. These suites are software means or mechanisms for controlling and managing network and service operations, such as service provisioning, fault management, element configuration, network element administration and security. These suites, furthermore, can execute management over one or more Application Router Systems. The service layer also contains a "Subscriber Self-Care Management over the Internet" feature. Subscriber Self-Care is achieved by automating the whole subscriber service cycle within the system as well as collaborating in the service cycle (Billing, Customer Relations and Operation Support System). For the subscriber, all he or she has to do is choose the requested services (out of predefined services and bundles of services) via web access, and apply the requested ordering and payment mechanism. From this point on, the system's Service and Network Management subsystem takes care of connecting to peer systems at the operator and actualization of the requested service. This allows fast deployment and marketing of the services.

e) The system of the present invention allows the operator of the Next Generation Network (ILEC, CLEC, ISP, ASP, MSP, G2.5 and G3 Cellular etc.) to provide outsourcing services to its subscribers. The services offered to the subscribers include:

i. Security Services: VPN, Firewall, Anti-Virus Scanning, Hacker Counter-Measures.

ii. Selective Browsing Services: The subscriber is able to restrict browsing according to his or her profile or preferences.

iii. Application layer services: Load Balancing, Virtual POPs, Data duplication, redirection, backup and sharing.

These services are specific to customers. Every customer is able to subscribe and select the features out of predefined profiles, via Internet access.

The present invention shall now be described with reference to the drawings, showing an embodiment of the invention.

Referring to Figure 1, a Next Generation Network (NGN) identifies a family of solutions aimed at converging today's Internet, Telephony and Data services together with future Multimedia services over one infrastructure.

The common infrastructure will usually be IP-centric i.e. all types of traffic will be carried as IP packets via IP based networking elements. Sections of the NGN (Access or backbones) can rely on "older" technologies for transport e.g. ATM (asynchronous transfer mode) or SDH (Synchronous Digital Hierarchy), however newly built networks will usually be IP-Centric with Optical DWDM (Dense wavelength division multiplexing) transport, Terabit routers backbone 12, and Edge Routers 11 at the periphery of the Internet cloud, connecting to the access points with DSL 14, Cable 15 or wireless access networks. With further reference to Figure 1, Edge Routers 11 are the first routing elements (Level 3 Routing) on the path of the traffic from source to destination. Edge routers 11 are located above the Broadband Internet Aggregators (DSLAM, CMTS, Wireless etc.). These Edge Routers receive the IP traffic and execute services on it. The following table presents the differences between a "simple router" and the edge router:

[Table comparing a "simple router" with the edge router: not reproduced in this text; original was an image.]

The Edge Router 11 is a new functionality that absorbs many of the capabilities once owned by the telephony switch: customer service selectivity, billing records generation and many more. The reason for this is that it is located at the last point (before the "Internet cloud") where all the traffic from the subscriber can be identified, measured and processed before it is scattered in the "broadband web" 13. The "broadband web" 13 is the combination of the data transfers between the multitude of Terabit Routers 12 and Edge Routers 11 in a network.

Referring to Figure 2, the present invention is initially executed in an ARS (Application Router System) 20, 21. The ARS is an advanced Router application that is placed in a network environment and is able to filter and control data on a customized basis for multiple users. This router system is constructed using a combination of:

• programmable hardware components,

• filtering processes, running on dedicated Network Processors, that compare incoming parameters with predefined masks and act on the comparison results, and

• real-time embedded software running on a CPU.

The ARS controls the following functions:

- Packet classification: source, destination, protocol, type etc.

- Packet filtering, by comparing parameters with predefined masks.

- Packet data extraction, e.g. URL extraction.

- Packet re-assembly to application level, e.g. collection of packets to application level for further processing.

Each ARS can handle approximately 30,000 users in a broadband environment, including types of data traffic such as video, voice etc.

As can be seen in Figure 2, the present invention is positioned according to two models. In the first model, the predominant Internet model, the present invention 20 is placed between the ISP 22 and the users 23-26. In this way the ISP 22 is able to monitor and filter traffic in its network, for its subscribers. In this model, the ARS technology is actually placed within regular routers used by the ISP 22. In the second model, that of the NGN, the ARS 21 of the present invention is situated at the point of entry in the broadband Internet environment, between the Internet cloud and the network providers, such as Telcos 24, Cable Companies 25 and Wireless Providers 26. Data traffic does not necessarily flow through ISPs 23, and what distinguishes the second model from the first is that it is therefore necessary to be able to control traffic between hosts, before the level of the ISPs 23. In this way, all data transferred between hosts or corporate networks is subject to the analysis, processing and control of the present invention. As an Edge Router in the above two models, the system performs the following functions:

1. Routing (with QoS, DiffServ, MPLS) - Routing priorities and questions are managed to provide the adequate quality of service to the users. MPLS is processed both for labeled traffic as well as adding labels to unlabeled traffic.

2. Policies and policing is performed per subscriber according to the client's Service Level Agreement.

3. QoS (Quality of Service) Stamping is achieved whereby the system serves as a gateway for Quality of Service stamping. The Type of Service field in the packet header is analyzed and according to the results it can be propagated as is or replaced.

4. Generation of billing records in various formats to allow detailed billing according to actual use of the bandwidth.

5. Support for session management activities (e.g. PPPoE, which is Point-to-Point Protocol over Ethernet, and DHCP, which is Dynamic Host Configuration Protocol), which are needed to set up the broadband connection.

6. The system is accompanied by a management system that allows immediate deployment and fast introduction of services to the market.

The system has a two-sided open architecture. The Service Layer Application Programming Interfaces (APIs) provide an open architecture which allows the services to be developed by third party vendors, and the services are able to be deployed over other vendors' hardware which supports the required set of capabilities via the same open APIs.

Standard broadband interfaces (ATM and Ethernet) allow the system to be deployed in various architectures of Next Generation Networks (NGN), including:

Wireline access networks with xDSL 24

Cable TV access networks 25

Wireless networks with LMDS or Wideband local loop 26

G3 Cellular Internet networks

The overall management of the present invention is executed by the Service and Network Management Systems 28. These management systems are situated above the ARSs, in order to analyze activity in at least one ARS and provide Fault, Configuration, Accounting, Provisioning and Security (FCAPS) for subscribers in a network. The Services Layer Management provides thorough services management by the operator together with a controlled Subscriber Self-Care Service Management over the Internet. The management suites are thereby able to control data coming into and leaving a network, and are able to filter and control data in various networks, by coordinating the activities of a multitude of ARSs. For example, if hacker activity is diagnosed in a network, the management suites send the relevant warning information to other ARSs in order to prepare for and counter similar activity.

The system contains carrier grade qualities, including:

Embedded redundancy - redundancy is provided for downstream interfaces as well as upstream interfaces. Redundancy ensures no single point of failure by utilizing 1+1 and N+1 mechanisms.

High Reliability - High reliability is embedded in hardware and software designs through extensive quality and testing mechanisms.

NEBS compliant - to meet the requirements of Central Office Equipment.

Thoroughly checked software - Qualified Hardware and Software development Methodologies.

Meets CALEA (Communications Assistance for Law Enforcement Act) requirements for data collection and analysis.

For the Network Operator, the present invention is a turnkey solution in order to sell valuable services. This may increase revenues and maintain customer loyalty to minimize churn.

For the subscriber, the services mean a more dependable Internet or Intranet, with increased security on his or her PC or LAN, without the need to install and maintain special equipment at his or her premises. The subscriber receives centrally managed updates with no effort on his or her side.

1. System Services

The present invention provides a new concept of Internet services. The majority of Internet services are based on the Client-Server model, according to which the clients are PCs or future Internet appliances at the subscribers' premises. The Applications, according to the client-server model, usually reside at ISP sites or web hosts. The Internet plays the role of a passive networking cloud between these two entities.

Next Generation Networks, on the other hand, are intended to replace the Internet network and provide a more reliable broadband networking infrastructure. Yet first generation solutions for NGN, which utilize systems adapted from the enterprise Datacomms world, provide architectures which continue the client-server mode of providing services (e.g. H.323/H.GCP VoIP telephony services, Voice/Video Streaming, Unified Messaging, e-commerce etc.).

The present invention enables new Network Based Services which are implemented by the wire-speed Application Router System (ARS) 20, which serves as conventional broadband edge routers or operates as a service besides an existing edge router. ARS 20 is placed at the point of entry into a network, and is aware of the application being provided to every subscriber of the network. With this Application Awareness ARS 20 is able to enact predefined actions on the application, from layer 3 (IP) packets through Layer 7 applications.

As can be seen in Figure 3, incoming packets 30 can be analyzed sequentially at each of the following levels:

- Packet Classifier 31

- Packet Processor 32

- Network Processor CPU (NP-CPU) 33

- Application Server 34, and finally the Service

The Network Management System 35 is responsible for the configuration of the processing elements mentioned above. At each stage the system may accept a packet 30 as being appropriate for a particular user or network, and transfer the packet out 40 of the system, to be forwarded to the user.

Incoming packets 30 enter the ARS via the Packet Classifier 31. The packet classifier compares header parameters with a pre-defined flow control table. Packets are then forwarded to the Packet Processor where they are analyzed by further inspection of headers and inspection of packet content.

Packets that are identified as part of an application level service are assembled and passed to the NP-CPU 33. The NP-CPU 33 creates a connection with the Application Server 34 and passes the data on to it. The application server performs the applicable processes and sends data back to the Packet Classifier 31, allowing it to continue on its original way as Packets Out 40.

Actions at layers 3 and 4 include:

• Transparent transfer

• Redirection i.e. Destination Address change

• Source hiding i.e. source address change

• Duplication to new address

• Multicast based on predefined source-destination combinations

• Blocking

Actions on incoming packets at layers 5-7 include:

• URL sensitive routing per customer (transfer, redirect, block)

• Media filtering through proxy servers to perform virus, hacking, and sensitive content detection.

• Actions performed at the session layer will preserve the relevant real-time attributes of the application.

The components are as follows:

The Packet Classifier 31 is a hardware chip that sits in the ARS and is able to simultaneously filter thousands of packet streams based on layer 3 and 4 parameters, and combinations of parameters. The packet classifier 31 performs filtering of the traffic based on predefined parameters. The parameters include any practical combination of the Layer 3 and Layer 4 headers. Packet classification is implemented in hardware.

The Packet Processor 32 is a hardware chip with a software program that sits in the ARS and is able to process the data in packets. The packets are examined by software processes that check headers and data fields. The NP-CPU 33 is a standard CPU with a software program that sits in the ARS and performs high level processing, mainly establishing application connectivity and transfer of assembled data to the Application Server 34. The Packet Processor 32 implements per packet processes at wire speed. The delay per packet is up to 10 microseconds. This latency is applied to Real Time Interactive processes e.g. VOIP RTP streams and Video over IP RTP streams. With this latency the present invention's processes are transparent to the user at the application layer. The Packet Processor 32 is part of the ARS Network Processor (NP) Chip. PS (Packet Processor) 32 is also responsible for transferring the packets to the NP-CPU 33, for further processing at slower than wire-speed rates.

The Network Processor-CPU 33 is responsible for processes from the single packet layer to the complete session level processes. NP-CPU 33 receives the packets from the NP and activates many packets as a single packet, or performs a session reconstruction operation. After session reconstruction, the NP-CPU 33 performs analysis of the reconstructed data.

In some applications NP-CPU 33 may decide to transfer a single packet or a reconstructed packet for processing by an Application Server Processor 34. NP-CPU 33 is part of the NP chip in the ARS.

The Application Server 34 is a software program that is collocated with the ARS and performs application level processes. The Application Server 34 performs application level processes which are not done by lower elements in the system, e.g. reassembly and antivirus checks of e-mails, chat messages, files, active code etc.

The Service and Network Management System (SNMS) 35 is a software device, including a database, that is connected to at least one ARS and monitors overall system functioning, and manages the network elements and the services provided by the network. The SNMS 35 also takes part in the Packet/Session/Application processing, in addition to its management tasks. The SNMS 35 is involved in processes that demand coordination of the whole Firex system. An example of this level of participation is the measures taken to counter a Distributed Denial of Service (DDOS) attack.

It can also be seen in Figure 3 how application viruses, such as those in email, can be noticed 38, eradicated 39, and forwarded 40.

2. Security Services

As the value of content inside Hosts, Servers, Clients and appliances, which are connected to the Internet, increases, these devices become targets for various kinds of hackers, crackers and sophisticated thieves. Security Services are highly important in the proposed basket of services. For the NGN subscriber (personal, SOHO or Enterprise) these security services provide relief from one of the most painful aspects of the Internet.

In ordinary circumstances, to get a minimal level of security, the user has to:

1) Purchase hardware (Firewalls)

2) Install software (FW software, anti-virus s/w)

3) Define and configure policies

4) Maintain and update the security devices

The present invention provides a wholesale platform that allows for outsourcing these activities, while maintaining the private subscriber policies. The present invention introduces a new capability, called Distributed Security. According to the prior art, Internet users used to protect themselves at the gate to their private systems (Firewall in front of the LAN or the PC etc.).

This outsourcing, according to the present invention, does not demand any installation at the subscriber premises since all is done in the network. One ARS serves many subscribers with the same hardware, i.e. there is no need to install separate hardware per subscriber.

With the present invention, security is distributed to the whole "Managed Internet Cloud" if the Firex system is set up as the edge routers. The distributed security may be demonstrated by the following Firex services:

1. Firex Firewalling capabilities block malicious activities before these activities enter the "cloud".

2. Firex identifies and deletes Viruses contained in messages before the viruses enter the "cloud".

3. Firex blocks Spam e-mails before the messages enter the cloud.

Figure 4 (Distributed Network Security - Counter DDOS) demonstrates how the distributed security system functions, for example in preventing Denial of Service attacks. These attacks are removed from the "Cloud" before entering it, thus allowing the attacked sites to continue servicing their clients. This is accomplished by blocking the attacking traffic at its origin or its entry point. Hackers sitting directly on the cloud (41 and 42) or on the public Internet (43) are identified. Identification of the problem is done by the ARS (40), which processes the incoming traffic by analyzing source IP addresses which are illegal, or by the destination ARS (45), which intercepts the suspected traffic and compares it to known patterns of hackers. The ARS at the destination (45) reports the malicious activities to the SNMS. The SNMS coordinates network-wide operation by alerting all ARSs in the network. The ARSs (40) will then recognize traffic belonging to malicious activities by checking all traffic destined to the attacked site (44). Traffic with a malicious pattern which is destined to the attacked site will be prevented from entering the "managed Internet" Cloud.

The present invention provides the following security services to subscribers:

2.1 Basic Firewall Services including:

Access Control List - traffic is allowed to pass according to header parameters or combinations of header parameters (layers 3 and 4). Parameters include:

IP: Source Address, Destination Address, Protocol ID and TOS

TCP: Source Port No., Destination Port No.

UDP: Source Port No., Destination Port No.

SMTP: Filter emails according to: From list, To list, Subject, attachments and embedded documents.

ICMP - prevent hacker queries from reaching the victim hosts.

FTP - Allow only legal and pre-negotiated traffic to enter the PC.

Deny Hacker patterns of attack.

Monitor other "over IP Protocols" to minimize vulnerability to attacks: VOIP, Unified Messaging, chat, etc.
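As an added illustration (not code from the patent or from Firebit), the following Python models the layer 3/4 flow table that the Packet Classifier 31 consults and the Basic Firewall ACL listed above: a rule may match any combination of IP (source, destination, protocol, TOS), TCP/UDP port and ICMP type fields, and maps to one of the actions the text lists for layers 3 and 4 (transparent transfer, redirection, source hiding, duplication, blocking), plus an escalation action standing in for the hand-off to the NP-CPU and Application Server. First-match rule order, the default-deny fallback, the sample subscriber table and every address in it are assumptions constructed for the example.

```python
from dataclasses import dataclass, replace
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


class Action(Enum):
    TRANSPARENT = "transparent"  # forward unchanged
    REDIRECT = "redirect"        # rewrite destination address
    SOURCE_HIDE = "source_hide"  # rewrite source address
    DUPLICATE = "duplicate"      # forward, plus a copy to a second address
    BLOCK = "block"              # drop
    ESCALATE = "escalate"        # hand to NP-CPU / application server (assumed action name)


@dataclass(frozen=True)
class Packet:
    """Header fields the classifier looks at (constructed, simplified)."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    tos: int = 0
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One flow-table entry; None means 'any' for that field."""
    action: Action
    src: Optional[str] = None       # CIDR prefix
    dst: Optional[str] = None
    proto: Optional[str] = None
    tos: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    target: Optional[str] = None    # new address for REDIRECT / SOURCE_HIDE / DUPLICATE

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        for attr in ("proto", "tos", "sport", "dport", "icmp_type"):
            want = getattr(self, attr)
            if want is not None and getattr(p, attr) != want:
                return False
        return True


def classify(table: List[Rule], p: Packet) -> Tuple[Action, List[Packet]]:
    """First-match lookup. Returns the action and the packets that leave the
    classifier: none for BLOCK, two for DUPLICATE, one otherwise."""
    for rule in table:
        if not rule.matches(p):
            continue
        if rule.action is Action.BLOCK:
            return rule.action, []
        if rule.action is Action.REDIRECT:
            return rule.action, [replace(p, dst=rule.target)]
        if rule.action is Action.SOURCE_HIDE:
            return rule.action, [replace(p, src=rule.target)]
        if rule.action is Action.DUPLICATE:
            return rule.action, [p, replace(p, dst=rule.target)]
        return rule.action, [p]
    # Assumption for this example: traffic no rule covers is dropped.
    return Action.BLOCK, []


# Constructed per-subscriber table; the subscriber LAN is 10.1.0.0/16 and the
# copy / hiding addresses are placeholders. Order matters: first match wins.
SUBSCRIBER_TABLE = [
    Rule(Action.BLOCK, proto="icmp", icmp_type=8, dst="10.1.0.0/16"),       # echo requests to the LAN
    Rule(Action.ESCALATE, proto="tcp", dport=25),                           # SMTP: mail filtering upstairs
    Rule(Action.DUPLICATE, src="10.1.5.7/32", target="192.0.2.10"),         # copy one host's traffic
    Rule(Action.SOURCE_HIDE, src="10.1.0.0/16", proto="tcp", target="198.51.100.1"),  # hide LAN sources
    Rule(Action.TRANSPARENT, proto="tcp", dst="10.1.0.0/16", dport=443),    # inbound HTTPS passes
]
```

Because the table is consulted first-match, the ICMP block sits ahead of the broader rules, and the per-host duplication rule ahead of the LAN-wide source hiding that would otherwise swallow it; a real flow table needs the same care with ordering.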

2.2 Generalized Stateful Protocol Inspection

The term "stateful inspection" for IP traffic defines a session level of packet filtering for certain "over IP" protocols. The present invention generalizes the concept to cover not only additional protocols but also additional layers of the connection, i.e. states are inspected up to the application layer.
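To make "states are inspected up to the application layer" concrete, here is an added Python example (not the patent's code) of generalized stateful inspection applied to FTP, the protocol the ACL section describes as "allow only legal and pre-negotiated traffic": a connection table tracks layer 4 sessions, and the FTP control channel is followed at the application layer so that a data connection is admitted only if it was announced on a tracked control channel by a 227 reply (passive mode) or a PORT command (active mode). The subscriber prefix, the allowed outbound ports, the simplified TCP flags and the whole packet sequence are constructed assumptions; the check that the announced address belongs to the peer itself is an added hardening choice, not something the patent states.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

ConnKey = Tuple[str, int, str, int]   # (client_ip, client_port, server_ip, server_port)


@dataclass(frozen=True)
class Pkt:
    """Simplified TCP segment (constructed)."""
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    fin: bool = False
    payload: bytes = b""


# Constructed subscriber policy: new outbound connections only to these ports;
# anything else must have been pre-negotiated on a tracked control channel.
ALLOWED_OUTBOUND_PORTS = {21, 80, 443}
HOSTPORT_RE = re.compile(rb"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_hostport(text: bytes):
    """Decode the h1,h2,h3,h4,p1,p2 form used by FTP PORT commands and 227 replies."""
    m = HOSTPORT_RE.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class StatefulInspector:
    def __init__(self, subscriber_net: str):
        self.net = ip_network(subscriber_net)
        self.conns: Set[ConnKey] = set()
        # (ip, port) that may receive one new connection -> the only peer allowed to open it
        self.pinholes: Dict[Tuple[str, int], str] = {}

    def _inside(self, ip: str) -> bool:
        return ip_address(ip) in self.net

    def _key(self, p: Pkt) -> ConnKey:
        # Normalise both directions to (client, cport, server, sport); client = subscriber side
        if self._inside(p.src):
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def inspect(self, p: Pkt) -> bool:
        """True = forward, False = drop."""
        key = self._key(p)
        if p.syn and key not in self.conns:                # a new connection attempt
            if self.pinholes.get((p.dst, p.dport)) == p.src:
                del self.pinholes[(p.dst, p.dport)]        # pinhole is single use
                allowed = True
            else:
                allowed = self._inside(p.src) and p.dport in ALLOWED_OUTBOUND_PORTS
            if allowed:
                self.conns.add(key)
            return allowed
        if key not in self.conns:
            return False                                   # no session: stray or forged segment
        if key[3] == 21:                                   # FTP control channel: follow application state
            self._track_ftp(p, key)
        if p.fin:
            self.conns.discard(key)                        # simplified teardown
        return True

    def _track_ftp(self, p: Pkt, key: ConnKey) -> None:
        client, _, server, _ = key
        if p.src == server and p.payload.startswith(b"227"):
            hp = parse_hostport(p.payload)
            if hp and hp[0] == server:                     # refuse a reply pointing at a third host
                self.pinholes[hp] = client                 # client may open the passive data connection
        elif p.src == client and p.payload.upper().startswith(b"PORT "):
            hp = parse_hostport(p.payload)
            if hp and hp[0] == client:                     # refuse a PORT naming another host
                self.pinholes[hp] = server                 # server may connect back to the client


def demo() -> List[bool]:
    """Constructed session: passive and active FTP data connections are admitted
    only after negotiation; un-negotiated, stray and post-close segments are dropped."""
    fw = StatefulInspector("10.1.0.0/16")
    C, S, X = "10.1.2.3", "203.0.113.50", "198.51.100.77"
    steps = [
        Pkt(C, S, 40000, 21, syn=True),                       # control channel opens
        Pkt(S, C, 21, 40000, syn=True),                       # SYN-ACK on the tracked session
        Pkt(S, C, 21, 40000, payload=b"227 Entering Passive Mode (203,0,113,50,195,80)\r\n"),
        Pkt(C, S, 40001, 50000, syn=True),                    # negotiated passive data port
        Pkt(C, S, 40002, 50001, syn=True),                    # arbitrary high port: not negotiated
        Pkt(S, C, 20, 50500, syn=True),                       # inbound connect with no PORT
        Pkt(C, S, 40000, 21, payload=b"PORT 10,1,2,3,195,81\r\n"),
        Pkt(S, C, 20, 50001, syn=True),                       # now pre-negotiated
        Pkt(X, C, 1234, 50001),                               # third host, no session
        Pkt(S, C, 20, 50001, fin=True),                       # data connection closes
        Pkt(S, C, 20, 50001),                                 # after close
    ]
    return [fw.inspect(p) for p in steps]
```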

2.3 Counter Hacker Warfare

As can be seen in Figure 4, counter hacker warfare is enabled by the different layers of the system, and by the overall, network-wide, real-time management of the system. This process synchronizes all system elements against specific hacker activity. Therefore a hacker is prevented from entering the network through every potential entry channel.

2.3.1 Basic Hacker Counter-Measures include:

Spam Detection: SPAM can be detected based on the following parameters: illegal source addresses originating at defined network ingress points, and the rate of SPAM.

Spam Blocking: SPAM differentiation, SPAM-like messages rate reduction

2.3.2 Advanced Hacker Counter-Measures

Denial of Service detection: Denial of service activity is detected by the ARS. The ARS runs counters on suspicious packet traffic, and thresholds are set to alert the system that DOS activity has begun.

Denial of service prevention: Once DOS is detected, the Network Management System will notify all ARS systems in the network to block new incoming DOS attacks. This prevents the traffic from reaching its target victim.

This method is preferred to the method of blocking DOS traffic at the victim's firewall, since blocking at the victim's firewall only begins operating once saturation of the bandwidth to the servers has already occurred. In order to deny the DOS objective, the attack must be neutralized before reaching the victim server.
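The following Python is an added example (not the patent's or Firebit's code) of the detection and prevention steps just described and of the Figure 4 flow in section 2 above: each ARS (40, 45) keeps a sliding-window counter of suspicious packets per destination and drops sources that are illegal for its ingress, the ARS that crosses its threshold reports the victim to the SNMS, and the SNMS alerts every ARS in the network so the same pattern is dropped at every entry point rather than at the victim's firewall. Using bare SYN segments as the "malicious pattern", the prefixes assigned to each ARS, the threshold and window values and the packet sequence are all constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    syn: bool = False     # bare SYN: the "malicious pattern" counted in this example


class SNMS:
    """Service and Network Management System: collects alerts from any ARS and
    pushes the countermeasure to every ARS it manages."""

    def __init__(self) -> None:
        self.routers: List["ARS"] = []
        self.alerts: List[Tuple[str, str]] = []

    def register(self, ars: "ARS") -> None:
        self.routers.append(ars)

    def report_dos(self, reporter: str, victim: str) -> None:
        self.alerts.append((reporter, victim))
        for ars in self.routers:               # network-wide: block at every ingress, not at the victim
            ars.protected_victims.add(victim)


class ARS:
    """One edge router. Assumed: it knows which source prefixes may legitimately
    enter through it, and it keeps a sliding-window SYN counter per destination."""

    def __init__(self, name: str, prefixes: List[str], snms: SNMS,
                 threshold: int = 5, window: float = 1.0) -> None:
        self.name = name
        self.prefixes = [ip_network(p) for p in prefixes]
        self.snms = snms
        self.threshold = threshold
        self.window = window
        self.syn_times: Dict[str, Deque[float]] = defaultdict(deque)
        self.protected_victims: Set[str] = set()
        snms.register(self)

    def legal_source(self, src: str) -> bool:
        return any(ip_address(src) in n for n in self.prefixes)

    def handle(self, p: Pkt, now: float) -> str:
        # 1. A source this ingress could never legitimately carry: drop, do not count.
        if not self.legal_source(p.src):
            return "drop:illegal-source"
        # 2. Countermeasure announced by the SNMS: SYNs toward the victim stop here.
        if p.syn and p.dst in self.protected_victims:
            return "drop:dos-countermeasure"
        # 3. Local detection: SYNs per destination within the sliding window.
        if p.syn:
            q = self.syn_times[p.dst]
            q.append(now)
            while q and q[0] <= now - self.window:
                q.popleft()
            if len(q) >= self.threshold:
                self.snms.report_dos(self.name, p.dst)
                return "drop:dos-detected"
        return "forward"


def demo() -> Tuple[List[str], List[Tuple[str, str]]]:
    """Constructed scenario: a SYN flood from behind ars-a is detected there,
    and ars-b then drops the same pattern at its own ingress."""
    snms = SNMS()
    a = ARS("ars-a", ["10.1.0.0/16"], snms)
    b = ARS("ars-b", ["10.2.0.0/16"], snms)
    victim = "192.0.2.10"
    out = []
    for i in range(6):                                   # six SYNs in 0.5 s from different hosts
        out.append(a.handle(Pkt(f"10.1.0.{i + 1}", victim, syn=True), now=0.1 * i))
    out.append(b.handle(Pkt("10.2.0.5", victim, syn=True), now=0.7))        # blocked at the other edge too
    out.append(b.handle(Pkt("10.2.0.5", victim), now=0.7))                  # non-SYN traffic still flows
    out.append(b.handle(Pkt("10.1.0.9", victim, syn=True), now=0.8))        # spoofed source at wrong ingress
    out.append(b.handle(Pkt("10.2.0.6", "192.0.2.99", syn=True), now=0.9))  # other sites unaffected
    return out, snms.alerts
```

Note that only the pattern toward the announced victim is dropped; established traffic to the victim and all traffic to other sites keep flowing, which is what makes the network-wide block tolerable for the operator's other subscribers.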

2.4 Virtual Private Network (VPN)

The present invention provides Virtual VPN Services (VVPN). Virtual VPN Servers provide the management of the VPN in real time, wherein an encryption co-processor performs the encryption activities as required by the VPN. Each subscriber is able to define the type and performance requirements of the VPN. Performing the VPN at the edges of the IP Cloud enables checking of the traffic before it gets to the Customer Premises. This method therefore solves the inherent problem of VPNs, which allows hackers to infiltrate firewall defenses by compromising VPN remote access to clients' PCs.

Encryption is done in two stages: At the access: by the access protocols e.g. DOCSIS 1.1; and in the Internet Cloud - where encryption is executed as defined by the customer.

2.5 Anti-Virus Processing

The anti-virus activity of the present invention provides a generic solution to the problem. The system not only checks, detects and cleans traffic containing viruses, it also performs network-wide deletion of malignant traffic. If required, the infected files are transferred to application servers for the detection and handling processes. Viruses, Java code, Cookies, macros, Trojan Horses etc. are processed in this way.

Checks are performed on the following types of traffic:

e-mail, Chat files, FTP Files, and other PC to PC traffic e.g.: MP3 transfers and application software.
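As an added example (not the patent's or Firebit's code) of the anti-virus processing described here and of the Application Server's "reassembly and antivirus check of e-mails" in section 1, the Python below takes an e-mail that arrives as out-of-order TCP segments, reassembles it, parses it with the standard library `email` package, scans every decoded attachment against a signature database, and rebuilds the message without the flagged parts so the rest can be forwarded, mirroring the noticed / eradicated / forwarded steps of Figure 3. The sample message, the segment sizes, the signature pattern (a constructed placeholder string, not a real malware signature) and the list of extensions treated as active code are all assumptions.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Set, Tuple

# Constructed signature database: name -> byte pattern (placeholder, not a real signature)
SIGNATURES: Dict[str, bytes] = {
    "Constructed.Test.Sig": b"X-CONSTRUCTED-TEST-PATTERN-NOT-A-REAL-VIRUS",
}
# Attachment types treated as active code (assumption for the example)
ACTIVE_CODE_EXT = (".exe", ".scr", ".vbs", ".js", ".bat")


def reassemble(segments: List[Tuple[int, bytes]]) -> bytes:
    """Order (sequence, data) segments into one byte stream, tolerating
    retransmissions and overlaps; a gap means the message is incomplete."""
    buf = b""
    for seq, data in sorted(segments):
        if seq > len(buf):
            raise ValueError(f"gap before offset {seq}")
        buf += data[len(buf) - seq:]          # drop the already-seen overlap
    return buf


def scan_message(raw: bytes) -> Tuple[EmailMessage, List[str]]:
    """Parse the reassembled mail and report every part that matches a
    signature or carries active code. Findings are 'name: reason' strings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""     # base64 / quoted-printable decoded
        name = part.get_filename() or part.get_content_type()
        for sig_name, pattern in SIGNATURES.items():
            if pattern in data:
                findings.append(f"{name}: {sig_name}")
        if name.lower().endswith(ACTIVE_CODE_EXT):
            findings.append(f"{name}: active-code attachment")
    return msg, findings


def eradicate(msg: EmailMessage, infected: Set[str]) -> EmailMessage:
    """Rebuild the message without the flagged attachments so the rest can be forwarded."""
    clean = EmailMessage()
    for h in ("From", "To", "Subject"):
        if msg[h]:
            clean[h] = str(msg[h])
    body = msg.get_body(preferencelist=("plain",))
    clean.set_content(body.get_content() if body else "")
    for part in msg.iter_attachments():
        if part.get_filename() in infected:
            continue
        clean.add_attachment(part.get_payload(decode=True),
                             maintype=part.get_content_maintype(),
                             subtype=part.get_content_subtype(),
                             filename=part.get_filename())
    return clean


def build_sample() -> bytes:
    """Constructed test mail: one harmless PDF and one attachment carrying the test pattern."""
    m = EmailMessage()
    m["From"] = "alice@example.net"
    m["To"] = "bob@example.net"
    m["Subject"] = "report"
    m.set_content("Quarterly figures attached.")
    m.add_attachment(b"%PDF-1.4 constructed harmless document",
                     maintype="application", subtype="pdf", filename="report.pdf")
    m.add_attachment(b"constructed executable bytes " + SIGNATURES["Constructed.Test.Sig"],
                     maintype="application", subtype="octet-stream", filename="invoice.exe")
    return m.as_bytes()


def segment(raw: bytes, size: int = 600) -> List[Tuple[int, bytes]]:
    """Split into segments that arrive out of order, with one retransmission."""
    segs = [(i, raw[i:i + size]) for i in range(0, len(raw), size)]
    segs.reverse()
    segs.append((0, raw[:size]))
    return segs


def demo() -> Tuple[List[str], List[str]]:
    raw = reassemble(segment(build_sample()))
    msg, findings = scan_message(raw)                          # noticed
    infected = {f.split(":")[0] for f in findings}
    clean = eradicate(msg, infected)                           # eradicated
    return findings, [a.get_filename() for a in clean.iter_attachments()]  # forwarded
```

Scanning the decoded payload rather than the wire bytes matters: a pattern inside a base64-encoded attachment never appears literally in the TCP stream, which is why the page's design reassembles and decodes at the application server instead of matching at the packet layer.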

3. Selective Browsing Services

The present invention also enables Network (NGN) operators to provide personalized browsing services. Subscribers to the Selective Browsing Services (SBS) are able to choose from a variety of profiles what type of browsing they allow and/or deny for the users of the web, or alternatively specify particular file types or names to be prohibited.

3.1 Basic SBS

The present invention presents various choices for the customer to select.

1) Selective Browsing based on pre-configured customer profiles will allow the subscriber:

- to browse a specific set of site types;

- to prevent browsing at a specific set of site types;

- a combination of the above.

After the system receives the customer's definitions of the required services, the system is configured to track any traffic requests originating from the subscriber. Web browsing requests are intercepted, and the destination URL or IP is compared with the required database. If the action is permitted, the rest of the session continues uninterrupted. Otherwise, the subscriber receives a message telling him or her that the browsing has been stopped.

2) The user may configure the system to allow selective incoming information. For example, the subscriber is able to block unwanted traffic from reaching his or her PC, such as Push mail, Push advertisement and SPAM mail filtering.

3.2 Advanced SBS

Advanced Browsing Services include services that improve the subscribers' browsing experience. These services include:

- Optimization of source of content: e.g. receive content from a local subsidiary instead of distant headquarters. This implements a "Distributed Cache Manager".

- Allow/prevent content from reaching the subscriber based not on destination address but on the content arriving from it. E.g. check specific words or images to block content.
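An added Python example (not the patent's or Firebit's code) of the Basic and Advanced SBS decisions described in sections 3.1 and 3.2: an intercepted request is checked against a blocked-access list, the subscriber's prohibited file types, an allowed-access list for "allow only" profiles such as schools, and the site category of the destination host or IP; the content check then decides on the words of the arriving page rather than its address, and a stop message is produced for the subscriber when browsing is halted. The category database, the two access lists, the profiles and the sample URLs are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Set
from urllib.parse import urlsplit

# Constructed stand-ins for the URL databases: host (or IP) -> category,
# plus the pre-qualified "allowed access" and the "blocked access" lists.
URL_CATEGORIES: Dict[str, str] = {
    "news.example": "news",
    "casino.example": "gambling",
    "school.example": "education",
    "192.0.2.7": "gambling",
}
ALLOWED_ACCESS: Set[str] = {"school.example", "news.example"}
BLOCKED_ACCESS: Set[str] = {"malware.example"}


@dataclass
class Profile:
    """One subscriber's selections (constructed)."""
    subscriber: str
    allow_only: bool = False                       # True: only the pre-qualified list (e.g. schools)
    deny_categories: Set[str] = field(default_factory=set)
    blocked_file_types: Set[str] = field(default_factory=set)
    blocked_words: Set[str] = field(default_factory=set)


@dataclass
class Decision:
    allow: bool
    reason: str


def check_request(profile: Profile, url: str) -> Decision:
    """Decision on an intercepted web request, before the session is let through."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1].lower()
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    if host in BLOCKED_ACCESS:
        return Decision(False, "site on blocked-access list")
    if ext in profile.blocked_file_types:
        return Decision(False, f"file type .{ext} prohibited by subscriber")
    if profile.allow_only:
        if host in ALLOWED_ACCESS:
            return Decision(True, "site on allowed-access list")
        return Decision(False, "site not on allowed-access list")
    category = URL_CATEGORIES.get(host, "uncategorized")
    if category in profile.deny_categories:
        return Decision(False, f"category '{category}' denied by subscriber")
    return Decision(True, f"category '{category}' permitted")


def check_content(profile: Profile, body: str) -> Decision:
    """Advanced SBS: decide on the content arriving, not on the address it came from."""
    words = set(re.findall(r"[a-z0-9']+", body.lower()))
    hits = sorted(words & {w.lower() for w in profile.blocked_words})
    if hits:
        return Decision(False, "blocked words in content: " + ", ".join(hits))
    return Decision(True, "content permitted")


def stop_message(profile: Profile, decision: Decision) -> str:
    """Text returned to the subscriber instead of the page when browsing is stopped."""
    return f"Browsing stopped for {profile.subscriber}: {decision.reason}"
```

The request check is ordered so that the network-wide blocked-access list wins over any subscriber selection, and a file-type prohibition applies even on an otherwise permitted site; the content check runs only after the request check has passed, since it needs the response body.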

4. Edge Routing Services

The present invention also performs the lower level routing operation required as an Edge Router.

4.1 Basic Routing Services

The present invention can execute routing services using the following Routing Protocols: RIP, OSPF, BGP, MPLS, QOS and DiffServ. The routing protocols are performed by the software processes and supported by the hardware in the ARS.

4.2 Advanced Routing Services

Based on pre-configured database per packet, the present invention can execute:

1. Redirection - this allows "IP Address Portability" and free churn among service providers.

2. Duplication - This allows conformance to CALEA requirements.

3. Multicast - This allows distribution of multicast traffic

4. Blocking Cache redirection

5. Load Balancing based on cookies, SSL...

6. Per Packet Billing

7. Session Service billing record generation

8. Reporting and logging of security related incidents

5. System Description

Referring to Figure 5, the present invention is built from three system entities:

1) An Application Router System (ARS) 50

2) An Application Server System (APSS) 56

3) A Service and Network Management System (SNMS) 58

More specifically, at the packet level the processing, which is executed using the ARS databases 53 and 55, covers both headers and data sections of packets. At the application level this processing, executed using the APSS database 57, includes reconstruction of data to the application level and application of rules to check and identify the correct handling mechanisms. At the service, network and element levels, this processing is carried out using the SNMS database 59.

ARS 50 processes packets 58 that have been collected by a Broadband Access Multiplexer 48 (DSLAM, CMTS, LMDS). In ARS 50, the packets are classified and where appropriate forwarded to a backbone 61. For example, if the user specified that no sex sites be allowed to enter, then having determined that the site in question is a non-sex site, the data representing the site will immediately be forwarded to the user. Other packets, subject to more complicated services and requests, are subsequently processed at wire-speed by Packet Processors (PS) 52. Processed packets are stored in the ARS proxy database, which is made up of both an NP-CPU proxy database 55 and a PP proxy database 53. The PS 52 also diverts packet streams/sessions for slower processes by ARS 50 to the Network Processor-CPU (NP-CPU) 54, according to packet attributes and predefined configuration. The NP-CPU 54 performs the slower processes on packet streams and sessions, storing the results in a NP-CPU proxy database 57. An Application Server 56 performs the services at the application layer: URL classification, Antivirus checks, Hacker Pattern Recognition etc. SNMS 58 is responsible for overall management of the system. The SNMS 58 also stores relevant data in a SNMS proxy database 59. It also contains applications which coordinate the overall elements in the network. The function of these databases is to allow detection of network-wide malicious activity, e.g. Distributed Denial of Service, and to coordinate countermeasures. The databases are designed to facilitate maximum speed processing, by allocating proxy databases to contain recently used information.

5.1 Media Processing

The System implements a Hierarchy of Media Processing Elements (HMPE). These processing elements allocate the required processing power to achieve transparency towards the external world.

The allocation of resources is dynamic from the packet level, through sessions, to service level.

The HMPE is built from the following components: Packet Classifier 51, Packet Processor 52, NP-CPU 54, Application Server 56, and the Service and Network Management System (SNMS) 58.

5.2 Application Router System

Application Router System 50 implements the critical real time parts of the packet and session processing. ARS 50 relates to a subscriber feature set, as identified by the IP Source Address. This database contains the fields that are applicable to the services of specific subscribers. These fields are checked and packet operations are performed on the packets.

If services demand session reconstruction or analysis of a sequence of packets, the packet information is condensed and accumulated for further processing by the Session processor.

5.3 Application Server System

The Application Server 56 is a software system that performs the pseudo real time services, which are networking services that the client expects to execute in real time, for example anti-virus checks, URL filtering etc. ARS 50 transfers the servers' requests for service in a client-server mode. The following application servers may be utilized:

1) Selective Browsing Server

2) NAT Server

3) Firewall Server

4) Anti-virus Server

5) CALEA Server

The Application Server 56 also performs reconstruction of specific subscribers' communications, and performs packaging of information for transfer to Law Enforcement Agencies.

5.4 Services and Network Management System

The system contains a built-in capability to autonomously manage the whole network and its services. SNMS 58 makes the system a turnkey solution from the operator's perspective. The network operator is able to manage the network and deploy services to subscribers without having to rely on integration with third parties. The network management also has peering capabilities with peer NMS systems. This allows for smooth integration with existing NMS systems. The Services and Application management allows immediate service deployment as an autonomous system. It also supports interfaces to a peer SMS if such an SMS exists.

5.4.1 Network Management 58

Network management 58 is responsible for the following activities: Network Element (NE) configuration, NE fault monitoring, and NE S/W updates.

5.4.2 Applications and Services Management

Application and Services management provides the following capabilities:

Service provision by operator

Service self-care for provisioning by the subscriber over the Internet

Subscriber partitioned view

Trouble ticketing

Interfaces to billing systems

Operations Support services allowing churn management and usage management.

5.5 Services Databases

Services databases contain the information required during the processes in the system. The databases reside on all levels of the system: packet processor, NP-CPU, Application servers and management system.

5.5.1 Databases in the system

5.5.1.1 Subscriber Profile

The Subscriber profile database contains the list of subscribers with Firex services. This profile also includes subscribers who do not have special services, and includes CALEA information in case the subscriber is relevant for CALEA activities. This profile serves for the wire speed processing of the traffic from the subscriber.

5.5.1.2 URL - Allowed Access: contains the list of sites, by URL or IP address, that belong to a pre-qualified list of sites that are allowed to be accessed (e.g. for schools, closed communities etc.)

5.5.1.3 URL - Blocked Access: contains the list of sites, with different categories, which have been qualified as malicious sites and to which access will not be allowed from subscribers' hosts.

Claims

What is claimed is:

1. A system for filtering and processing traffic in a Network, comprising:
i. At least one Application Router System for analyzing and processing data at the point of entry of a network;
ii. At least one Application Server for performing pseudo real time services;
iii. A Service and Network Management System for managing the overall data control and application control of said application router and said application server in the network.

2. The system of claim 1, wherein said Application Router further comprises powerful system-on-chip technologies for real time processing of multimedia traffic.

3. The system of claim 1, wherein said network is a Next Generation Network.

4. The system of claim 1, wherein said Application Router System further comprises:
iv. a packet classifier for classifying and filtering incoming packets for applicability according to predefined parameters;
v. a packet processor for processing applicable packets at wire-speed; and
vi. a network processor-CPU for an alternative means of processing of packet streams.

5. The system of claim 4, wherein components iv, v and vi each have a proxy database for storing and usage of relevant data.

6. The system of claim 1, wherein said Application Server further comprises executing pseudo real time services for the group of servers consisting of Selective Browsing Servers, NAT servers, Firewall servers, Anti-virus Servers and CALEA Servers.

7. The system of claim 1, wherein said Service and Network Management System further comprises:
(a) a network management engine for performing network level management tasks; and
(b) a SNMS database for managing the data flow through said network.

8. A router-based system for enabling multi-leveled security in a network environment, comprising:
i. A network layer management mechanism for management of network-wide processes; and
ii. A service layer management mechanism for supporting service delivery and maintenance.

9. The system of claim 8, wherein said service layer suite further comprises a subscriber self-care management feature for fast deployment of services.

10. The router-based system of claim 8, wherein said network layer management mechanism operates in a Next Generation Network.

11. The router-based system of claim 10, wherein said network layer management mechanism enables distributed security across the entire network.

12. The router-based system of claim 8, wherein said service layer management suite enables a network operator to manage security applications for at least one user, by executing application level security processors while maintaining real time traffic processing characteristics.

13. A system for implementing application level services as part of a router functionality in a Network, comprising:
i. At least one Application Router System (ARS) for processing packets;
ii. At least one Application Server System (APSS) for performing secondary processing on packet streams and sessions received from said ARS; and
iii. A Service and Network Management System (SNMS) for overall management of said ARS and said APSS.

14. The system of claim 13, wherein said components are accompanied by proxy databases, including:
i. ARS database for processing traffic at the packet level;
ii. APSS database for performing the application level processes; and
iii. SNMS database for end to end management of the whole network at service, network and element levels.

15. The system of claim 14, wherein said ARS serves a plurality of servers, including the group consisting of selective browsing servers, NAT servers, Firewall servers, Anti-virus servers and CALEA servers.

16. A method for filtering and processing traffic in a network, comprising the steps of:
i. providing Application Routers to perform the roles of wire-speed edge routers;
ii. in-line filtering of the operation kernel from the packet level to the session level;
iii. providing a Service Router that performs all operations while maintaining Real Time media streams of Voice, animation and/or Video;
iv. providing a suite of Network Layer and Service Layer Management, for use by the NGN operator; and
v. providing outsourcing services to service subscribers.

17. The method of claim 16, wherein said filtering and processing of data traffic further comprises the steps of simultaneous data analysis, filtering and execution on multiple levels of all incoming and outgoing data.

18. The method of claim 17, wherein said multiple level filtering and processing is executed on levels 3 through 7 of the OSI seven-layer model for all incoming and outgoing data.

19. The method of claim 16, wherein said Application Routers are placed at the gateways of the network, for controlling all incoming and outgoing data traffic of the Network.

20. The method of claim 16, wherein said Application Routers are placed next to the servers of an ISP.

21. The method of claim 16, wherein said outsourcing methods include:
i. Providing Security Services, and
ii. Providing Application layer services.

22. A method for enabling multi-leveled security in a network environment comprising the following steps of:
i. placing at least one application router system (ARS) at a minimum of one gateway to the network;
ii. classifying packets upon arrival at said ARS;
iii. passing packets through the packet processor of said ARS;
iv. passing packets through the Network Processor-CPU of said ARS;
v. passing said packets through the application server;

23. The method of claim 22, wherein a plurality of said ARS are coordinated to provide multi-leveled distributed security.

24. The method of claim 22, wherein said ARS serves a multitude of servers which perform security related checks on data traffic before it reaches a user.

25. The method of claim 22, further comprising the step of applying a separate security policy for every user.

26. The method of claim 22, wherein said security policies include:
(a) checking for viruses;
(b) checking for active code; and
(c) checking for hacking activity.

27. A method for censoring Internet navigation for limiting the Web sites that can be seen by a user, comprising the steps of:
i. filtering incoming packets according to IP addresses thereof;
ii. filtering Web site content for pre-defined rules; and
iii. forwarding packets that match with pre-defined rules.

28. A method for blocking the spread of email viruses, comprising the steps of:
i. data interception at the edge router of the network;
ii. reassembly of said data; and
iii. application of virus detection mechanisms to said data.

29. A method for preventing a denial of service (DOS) attack before the attack reaches a target, comprising the steps of:
i. detecting denial of service activity by an Application Router System (ARS);
ii. running counters on suspicious packet traffic;
iii. alerting said ARS at given thresholds that DOS activity has begun; and
iv. notifying other ARS in a network to block said DOS activity.

30. A method for preventing hacker activity, comprising the steps of:
i. Detecting Spam based on illegal source addresses originating at defined network ingress points, and the rate of SPAM; and
ii. Blocking Spam, including the steps of:
ii.i. SPAM differentiation; and
ii.ii. SPAM-like messages rate reduction.

Priority Applications (2)

Application Number / Priority Date / Filing Date / Title
US69943800 / 2000-10-31 / 2000-10-31
US09/699,438 / 2000-10-31

Publications (2)

Publication Number / Publication Date
WO2002037730A2 (en) / 2002-05-10
WO2002037730A3 (en) / 2002-08-22

Family

ID=24809329

Family Applications (1)

Application Number / Title / Priority Date / Filing Date
PCT/IL2001/001012, WO2002037730A3 (en) / A router-based system for providing multi-level data filtering and security services in a broadband environment / 2000-10-31 / 2001-10-31

Country Status (1)

Country / Link
WO (1) / WO2002037730A3 (en)

Cited By (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1484886A2 (en) * 2003-06-06 2004-12-08 Microsoft Corporation Method and framework for integrating a plurality of network policies
JP2004362581A (en) * 2003-06-06 2004-12-24 Microsoft Corp Multilayer firewall architecture
WO2005025154A1 (en) * 2003-09-03 2005-03-17 Teknovus, Inc. Method and apparatus for dynamically allocating upstream bandwidth in passive optical networks
EP1557982A1 (en) * 2004-01-26 2005-07-27 STMicroelectronics S.r.l. Method and system for admission control in communication networks
WO2006026913A1 (en) * 2004-09-06 2006-03-16 Huawei Technologies Co., Ltd. A method and system for implementing a service in the transport layer of an ngn network
WO2006063002A2 (en) 2004-12-07 2006-06-15 Cisco Technology, Inc. Performing security functions on a message payload in a network element
EP1484887A3 (en) * 2003-06-06 2007-01-10 Microsoft Corporation A multi-layer based method for implementing network firewalls
WO2007014506A1 (en) * 2005-07-30 2007-02-08 Huawei Technologies Co., Ltd. A method and system for controlling the selection of the transmitting path for the media flow in the next generation network
EP1839160A2 (en) * 2004-12-07 2007-10-03 Cisco Technology, Inc. Network and application attack protection based on application layer message inspection
EP1843624A1 (en) 2006-04-04 2007-10-10 Huawei Technologies Co., Ltd. Method for protecting digital subscriber line access multiplexer, DSLAM and XDSL single service board
CN100459609C (en) 2003-09-25 2009-02-04 华为技术有限公司 Media access control address learning method of digital user's line access multiplexer
US7962582B2 (en) 2005-06-21 2011-06-14 Cisco Technology, Inc. Enforcing network service level agreements in a network element
US7987272B2 (en) 2004-12-06 2011-07-26 Cisco Technology, Inc. Performing message payload processing functions in a network element on behalf of an application
US8082304B2 (en) 2004-12-10 2011-12-20 Cisco Technology, Inc. Guaranteed delivery of application layer messages by a network element
US8266327B2 (en) 2005-06-21 2012-09-11 Cisco Technology, Inc. Identity brokering in a network element
US8799403B2 (en) 2004-11-23 2014-08-05 Cisco Technology, Inc. Caching content and state data at a network element
US8964540B2 (en) 2003-09-15 2015-02-24 Broadcom Corporation Method and apparatus for dynamically allocating upstream bandwidth in passive optical networks
US9166994B2 (en) 2012-08-31 2015-10-20 Damballa, Inc. Automation discovery to identify malicious activity
US9306969B2 (en) 2005-10-27 2016-04-05 Georgia Tech Research Corporation Method and systems for detecting compromised networks and/or computers
US9516058B2 (en) 2010-08-10 2016-12-06 Damballa, Inc. Method and system for determining whether domain names are legitimate or malicious
US9525699B2 (en) 2010-01-06 2016-12-20 Damballa, Inc. Method and system for detecting malware
US9680861B2 (en) 2012-08-31 2017-06-13 Damballa, Inc. Historical analysis to identify malicious activity
US9686291B2 (en) 2011-02-01 2017-06-20 Damballa, Inc. Method and system for detecting malicious domain names at an upper DNS hierarchy
US9894088B2 (en) 2012-08-31 2018-02-13 Damballa, Inc. Data mining to identify malicious activity
US9930065B2 (en) 2015-03-25 2018-03-27 University Of Georgia Research Foundation, Inc. Measuring, categorizing, and/or mitigating malware distribution paths
US9948671B2 (en) 2010-01-19 2018-04-17 Damballa, Inc. Method and system for network-based detecting of malware from behavioral clustering
US10027688B2 (en) 2008-08-11 2018-07-17 Damballa, Inc. Method and system for detecting malicious and/or botnet-related domain names
US10050986B2 (en) 2013-06-14 2018-08-14 Damballa, Inc. Systems and methods for traffic classification

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5845267A (en) * 1996-09-06 1998-12-01 At&T Corp System and method for billing for transactions conducted over the internet from within an intranet
US5845070A (en) * 1996-12-18 1998-12-01 Auric Web Systems, Inc. Security system for internet provider transaction
US5881234A (en) * 1996-04-26 1999-03-09 Schwob; Pierre R. Method and system to provide internet access to users via non-home service providers
US6092110A (en) * 1997-10-23 2000-07-18 At&T Wireless Svcs. Inc. Apparatus for filtering packets using a dedicated processor
US6249820B1 (en) * 1995-07-12 2001-06-19 Cabletron Systems, Inc. Internet protocol (IP) work group routing
US6359886B1 (en) * 1998-08-17 2002-03-19 Compaq Computer Corporation Method and apparatus for filtering and routing communications frames

Cited By (46)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101026635B1 (en) * 2003-06-06 2011-04-04 마이크로소프트 코포레이션 Multi-layered firewall architecture
JP2004362581A (en) * 2003-06-06 2004-12-24 Microsoft Corp Multilayer firewall architecture
KR101026558B1 (en) 2003-06-06 2011-03-31 마이크로소프트 코포레이션 A multi-layer based method for implementing network firewalls
EP1484886A2 (en) * 2003-06-06 2004-12-08 Microsoft Corporation Method and framework for integrating a plurality of network policies
EP1484884A3 (en) * 2003-06-06 2006-08-02 Microsoft Corporation Multi-layered firewall architecture
EP1484887A3 (en) * 2003-06-06 2007-01-10 Microsoft Corporation A multi-layer based method for implementing network firewalls
US7436765B2 (en) 2003-09-03 2008-10-14 Teknovus, Inc. Method and apparatus for dynamically allocating upstream bandwidth in passive optical networks
WO2005025154A1 (en) * 2003-09-03 2005-03-17 Teknovus, Inc. Method and apparatus for dynamically allocating upstream bandwidth in passive optical networks
US8964540B2 (en) 2003-09-15 2015-02-24 Broadcom Corporation Method and apparatus for dynamically allocating upstream bandwidth in passive optical networks
CN100459609C (en) 2003-09-25 2009-02-04 华为技术有限公司 Media access control address learning method of digital user's line access multiplexer
EP1557982A1 (en) * 2004-01-26 2005-07-27 STMicroelectronics S.r.l. Method and system for admission control in communication networks
US7471629B2 (en) 2004-01-26 2008-12-30 Stmicroelectronics S.R.L. Method and system for admission control in communication networks, related network and computer program product therefor
US7778236B2 (en) 2004-09-06 2010-08-17 Huawei Technologies, Co., Ltd. Method and system for implementing transport service of next generation network
WO2006026913A1 (en) * 2004-09-06 2006-03-16 Huawei Technologies Co., Ltd. A method and system for implementing a service in the transport layer of an ngn network
US8799403B2 (en) 2004-11-23 2014-08-05 Cisco Technology, Inc. Caching content and state data at a network element
US7996556B2 (en) 2004-12-06 2011-08-09 Cisco Technology, Inc. Method and apparatus for generating a network topology representation based on inspection of application messages at a network device
US8549171B2 (en) 2004-12-06 2013-10-01 Cisco Technology, Inc. Method and apparatus for high-speed processing of structured application messages in a network device
US9380008B2 (en) 2004-12-06 2016-06-28 Cisco Technology, Inc. Method and apparatus for high-speed processing of structured application messages in a network device
US7987272B2 (en) 2004-12-06 2011-07-26 Cisco Technology, Inc. Performing message payload processing functions in a network element on behalf of an application
US8312148B2 (en) 2004-12-06 2012-11-13 Cisco Technology, Inc. Performing message payload processing functions in a network element on behalf of an application
EP1839160A2 (en) * 2004-12-07 2007-10-03 Cisco Technology, Inc. Network and application attack protection based on application layer message inspection
EP1820294A2 (en) * 2004-12-07 2007-08-22 Cisco Technology, Inc. Performing security functions on a message payload in a network element
EP1839160A4 (en) * 2004-12-07 2010-12-29 Cisco Tech Inc Network and application attack protection based on application layer message inspection
EP1820294A4 (en) * 2004-12-07 2011-01-05 Cisco Tech Inc Performing security functions on a message payload in a network element
WO2006063002A2 (en) 2004-12-07 2006-06-15 Cisco Technology, Inc. Performing security functions on a message payload in a network element
US8082304B2 (en) 2004-12-10 2011-12-20 Cisco Technology, Inc. Guaranteed delivery of application layer messages by a network element
US8090839B2 (en) 2005-06-21 2012-01-03 Cisco Technology, Inc. XML message validation in a network infrastructure element
US8266327B2 (en) 2005-06-21 2012-09-11 Cisco Technology, Inc. Identity brokering in a network element
US7962582B2 (en) 2005-06-21 2011-06-14 Cisco Technology, Inc. Enforcing network service level agreements in a network element
US8458467B2 (en) 2005-06-21 2013-06-04 Cisco Technology, Inc. Method and apparatus for adaptive application message payload content transformation in a network infrastructure element
WO2007014506A1 (en) * 2005-07-30 2007-02-08 Huawei Technologies Co., Ltd. A method and system for controlling the selection of the transmitting path for the media flow in the next generation network
CN100521622C (en) 2005-07-30 2009-07-29 华为技术有限公司 Control system and method for media stream choosing forwarding path in next generation network
US9306969B2 (en) 2005-10-27 2016-04-05 Georgia Tech Research Corporation Method and systems for detecting compromised networks and/or computers
US10044748B2 (en) 2005-10-27 2018-08-07 Georgia Tech Research Corporation Methods and systems for detecting compromised computers
EP1843624A1 (en) 2006-04-04 2007-10-10 Huawei Technologies Co., Ltd. Method for protecting digital subscriber line access multiplexer, DSLAM and XDSL single service board
US7680066B2 (en) 2006-04-04 2010-03-16 Huawei Technologies Co., Ltd. Method for protecting digital subscriber line access multiplexer, DSLAM and XDSL single service board
US10027688B2 (en) 2008-08-11 2018-07-17 Damballa, Inc. Method and system for detecting malicious and/or botnet-related domain names
US9525699B2 (en) 2010-01-06 2016-12-20 Damballa, Inc. Method and system for detecting malware
US9948671B2 (en) 2010-01-19 2018-04-17 Damballa, Inc. Method and system for network-based detecting of malware from behavioral clustering
US9516058B2 (en) 2010-08-10 2016-12-06 Damballa, Inc. Method and system for determining whether domain names are legitimate or malicious
US9686291B2 (en) 2011-02-01 2017-06-20 Damballa, Inc. Method and system for detecting malicious domain names at an upper DNS hierarchy
US9894088B2 (en) 2012-08-31 2018-02-13 Damballa, Inc. Data mining to identify malicious activity
US9680861B2 (en) 2012-08-31 2017-06-13 Damballa, Inc. Historical analysis to identify malicious activity
US9166994B2 (en) 2012-08-31 2015-10-20 Damballa, Inc. Automation discovery to identify malicious activity
US10050986B2 (en) 2013-06-14 2018-08-14 Damballa, Inc. Systems and methods for traffic classification
US9930065B2 (en) 2015-03-25 2018-03-27 University Of Georgia Research Foundation, Inc. Measuring, categorizing, and/or mitigating malware distribution paths

Also Published As

Publication number Publication date Type
WO2002037730A3 (en) 2002-08-22 application

Similar Documents

Publication Publication Date Title
Crowcroft Net neutrality: the technical side of the debate: a white paper
US6910134B1 (en) Method and device for innoculating email infected with a virus
US6741595B2 (en) Device for enabling trap and trace of internet protocol communications
US7778194B1 (en) Examination of connection handshake to enhance classification of encrypted network traffic
US7058974B1 (en) Method and apparatus for preventing denial of service attacks
US7032031B2 (en) Edge adapter apparatus and method
US7207062B2 (en) Method and apparatus for protecting web sites from distributed denial-of-service attacks
US7159031B1 (en) Remote customer management of virtual routers allocated to the customer
Clark et al. New arch: Future generation internet architecture
US7765309B2 (en) Wireless provisioning device
US6654373B1 (en) Content aware network apparatus
US7428590B2 (en) Systems and methods for reflecting messages associated with a target protocol within a network
US7536715B2 (en) Distributed firewall system and method
US20110055921A1 (en) Protecting against distributed network flood attacks
US7054930B1 (en) System and method for propagating filters
US20040088423A1 (en) Systems and methods for authentication of target protocol screen names
US7120934B2 (en) System, method and apparatus for detecting, identifying and responding to fraudulent requests on a network
US20100281539A1 (en) Detecting malicious network software agents
US7209473B1 (en) Method and apparatus for monitoring and processing voice over internet protocol packets
US7114008B2 (en) Edge adapter architecture apparatus and method
US20040103318A1 (en) Systems and methods for implementing protocol enforcement rules
US20030149787A1 (en) Policy based routing system and method for caching and VPN tunneling
US20070094729A1 (en) Secure self-organizing and self-provisioning anomalous event detection systems
US20050083955A1 (en) Methods and apparatus to support routing of information
US7733891B2 (en) Methods and apparatus to support dynamic allocation of traffic management resources in a network element

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A3

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: COMMUNICATION PURSUANT TO RULE 69 EPC (EPO FORM 1205A OF 161003)

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase in:

Ref country code: JP