A method for acquiring and disseminating network node characteristics to enable policy decisions, including receiving a resolution request from one or more clients in a network environment. Information, for example a network address, is then acquired from one or more sources regarding a specific location in a network, for example a network node. A list of the network addresses is then generated and ranked based on one or more parameters that merit making traffic handling decisions. The network addresses are then associated with a host name on at least one directory server and then propagated to the one or more clients.

Patent: RE48159
Priority: Aug 23 2006
Filed: Aug 28 2017
Issued: Aug 11 2020
Expiry: Aug 23 2027

Terminal disclaimer
Entity: Small
57. A method comprising:
instantiating a name of a network security policy as a single multi-host lookup value, wherein a plurality of ip values include a first subset of ip values associated with a first hostname and a second subset of ip values associated with a second hostname;
creating an exploit or vulnerability weighted list using the plurality of ip values;
including or excluding one or more of the plurality of ip values when creating the exploit or vulnerability weighted list;
querying a domain name system (dns) using the network security policy name associated with the network security policy based on the exploit or vulnerability weighted list;
receiving a response from the dns that includes the exploit or vulnerability weighted list containing one or more of the plurality of ip values that are reprioritized for a specific user;
applying the network security policy based on the exploit or vulnerability weighted list to traffic associated with at least one of the plurality of ip values.
65. A method for implementing network security comprising:
creating a network security policy to apply to network traffic, wherein a plurality of ip values are elements of the network security policy;
creating protocol specific lists including or excluding filters based on needs derived from resolving of a current configuration of a user against the plurality of ip values;
configuring a domain name system (dns) server to resolve a dns query to the network security policy based on the protocol specific lists;
receiving a name-to-ip value mapping request from a network device, wherein a name of the network security policy is a name for which name-to-ip value mapping is requested;
resolving the network security policy name to the plurality of ip values at the dns server;
propagating the network security policy to the network device by transmitting the plurality of ip values to the network device in response to the name-to-ip value mapping request, thereby allowing the network device to utilize one or more of the plurality of ip values when applying network security to the network traffic at the network device.
41. A method for implementing network security comprising:
creating a network security policy to apply to network traffic, wherein a plurality of ip values are elements of the network security policy;
creating, using the plurality of ip values, zones with filters based on weights depending upon a characteristic of a source of network traffic, the zones and the weights being specified by a user based on a single multi-host address mapping record;
configuring a domain name system (dns) server to resolve a dns query to the network security policy;
receiving a name-to-ip value mapping request for name-to-ip value mapping in one of the zones from a network device, wherein a name of the network security policy is a name for which name-to-ip value mapping is requested;
resolving the network security policy name to the plurality of ip values at the dns server;
propagating at least part of the network security policy corresponding to the one of the zones to the network device by transmitting at least part of the plurality of ip values to the network device in response to the name-to-ip value mapping request, thereby allowing the network device to utilize the at least part of the plurality of ip values when applying network security to the network traffic at the network device.
73. A system for propagating network policy comprising:
a security server configured to create a network security policy to apply to a network traffic, wherein a plurality of ip values conform to the network security policy;
a domain name system (dns) server configured to resolve a network security policy name to the plurality of ip values that conform to the network security policy;
wherein, in operation, the security server creates protocol specific lists including or excluding filters based on needs derived from resolving of a current configuration of a user against the plurality of ip values;
wherein, in operation, the dns server:
receives a name-to-ip value mapping request from a network device, wherein the network security policy name is a name for which name-to-ip value mapping is requested;
resolves the network security policy name to the plurality of ip values at the dns server based on the protocol specific lists;
propagates the network security policy to a network device by transmitting the plurality of ip values that conform to the network security policy to the network device in response to the name-to-ip value mapping request, thereby allowing the network device to utilize one or more of the plurality of ip values when applying network security to the network traffic at the network device.
49. A system for propagating network policy comprising:
a security server configured to create a network security policy to apply to a network traffic, wherein a plurality of ip values conform to the network security policy;
a domain name system (dns) server configured to resolve a network security policy name to the plurality of ip values that conform to the network security policy;
wherein, in operation, the security server creates zones with filters based on weights depending upon a characteristic of a source of network traffic, the zones and the weights being specified by a user based on a single multi-host address mapping record;
wherein, in operation, the dns server:
receives a name-to-ip value mapping request for name-to-ip value mapping in one of the zones from a network device, wherein the network security policy name is a name for which name-to-ip value mapping is requested;
resolves the network security policy name to the plurality of ip values at the dns server;
propagates at least part of the network security policy corresponding to the one of the zones to a network device by transmitting at least part of the plurality of ip values that conform to the at least part of the network security policy to the network device in response to the name-to-ip value mapping request, thereby allowing the network device to utilize the at least part of the plurality of ip values when applying network security to the network traffic at the network device.
1. A method for implementing network security comprising:
creating a network security policy to apply to network traffic, wherein a plurality of ip values are elements of the network security policy;
creating, using the plurality of ip values, user-specified zones with filters based on user-specified weights depending upon a characteristic of a source of network traffic;
configuring a domain name system (dns) server to resolve a dns query to the network security policy;
receiving a name-to-ip value mapping request from a network device, wherein a name of the network security policy is a name for which name-to-ip value mapping is requested;
resolving the network security policy name to the plurality of ip values at the dns server;
propagating the network security policy to the network device by transmitting the plurality of ip values to the network device in response to the name-to-ip value mapping request, thereby allowing the network device to utilize one or more of the plurality of ip values when applying network security to network traffic at the network device.
2. The method of claim 1, further comprising configuring an allow list or a deny list of the plurality of ip values, wherein the allow list contains ip values indicative of network traffic that should be allowed under the network security policy, and wherein the deny list contains ip values indicative of network traffic that should be denied under the network security policy.
3. The method of claim 1, further comprising configuring the network security policy at the dns server with a record time to live, the record time to live functioning as a time period of validity for the network security policy.
4. The method of claim 1, wherein the network security policy involves blocking network traffic, and wherein network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is blocked.
5. The method of claim 1, wherein the network security policy involves prioritizing network traffic, and wherein network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is prioritized over other network traffic.
6. The method of claim 1, wherein the network security policy involves redirecting network traffic, and wherein network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is redirected.
7. The method of claim 1, wherein the network security policy involves inspecting network traffic, and wherein network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is inspected.
8. The method of claim 1, further comprising acquiring at least one of the plurality of ip values from a network security source on a network.
9. A system for propagating network policy comprising:
a security server configured to create a network security policy to apply to network traffic, wherein a plurality of ip values conform to the network security policy;
a domain name system (dns) server configured to resolve a network security policy name to the plurality of ip values that conform to the network security policy;
wherein, in operation, the security server creates, using the plurality of ip values, user-specified zones with filters based on user-specified weights depending upon a characteristic of a source of network traffic;
wherein, in operation, the dns server:
receives a name-to-ip value mapping request from a network device, wherein the network security policy name is a name for which name-to-ip value mapping is requested;
resolves the network security policy name to the plurality of ip values at the dns server;
propagates the network security policy to a network device by transmitting the plurality of ip values that conform to the network security policy to the network device in response to the name-to-ip value mapping request, thereby allowing the network device to utilize one or more of the plurality of ip values when applying network security to network traffic at the network device.
10. The system of claim 9, further comprising a list server for configuring an allow list or a deny list of ip values, wherein the allow list contains ip values indicative of network traffic that should be allowed under the network security policy, and wherein the deny list contains ip values indicative of network traffic that should be denied under the network security policy.
11. The system of claim 9, further comprising an acquisition server configured to acquire at least one of the plurality of ip values from a network security source on a network.
12. The system of claim 9, the security server further configured to associate the network security policy with a record time to live, the record time to live functioning as a time period of validity for the network security policy.
13. The system of claim 9, wherein the network security policy involves blocking network traffic, and wherein network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is blocked.
14. The system of claim 9, wherein the network security policy involves prioritizing network traffic, and wherein network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is prioritized over other network traffic.
15. The system of claim 9, wherein the network security policy involves redirecting network traffic, and wherein network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is redirected.
16. The system of claim 9, wherein the network security policy involves inspecting network traffic, and wherein network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is inspected.
17. A method comprising:
instantiating a name of a network security policy as a single multi-host lookup value, wherein a plurality of ip values include a first subset of ip values associated with a first hostname and a second subset of ip values associated with a second hostname;
creating an exploit or vulnerability weighted list using the plurality of ip values;
including or excluding one or more of the plurality of ip values when creating the exploit or vulnerability weighted list;
querying a domain name system (dns) using the network security policy name associated with the network security policy;
receiving a response from the dns that includes the plurality of ip values;
applying the network security policy to traffic associated with at least one of the plurality of ip values.
18. The method of claim 17, wherein applying the network security policy to traffic associated with the at least one of the plurality of ip values includes using the plurality of ip values as a white list.
19. The method of claim 17, further comprising reprioritizing one or more of the plurality of ip values within the exploit or vulnerability weighted list.
20. The method of claim 17, wherein the ip values are associated with domain names.
21. The method of claim 17, wherein the ip values include an ip address.
22. The method of claim 17, wherein the ip values include a subnet.
23. The method of claim 17, wherein the dns includes a private directory server, further comprising establishing a communications link with the private directory server.
24. The method of claim 23, further comprising configuring a network device to establish the communication link with the private directory server.
25. A method for implementing network security comprising:
creating a network security policy to apply to network traffic, wherein a plurality of ip values are elements of the network security policy;
de-conflicting a current configuration against the plurality of ip values;
creating protocol specific lists including or excluding filters based on needs derived from the de-conflicting;
configuring a domain name system (dns) server to resolve a dns query to the network security policy;
receiving a name-to-ip value mapping request from a network device, wherein a name of the network security policy is a name for which name-to-ip value mapping is requested;
resolving the network security policy name to the plurality of ip values at the dns server;
propagating the network security policy to the network device by transmitting the plurality of ip values to the network device in response to the name-to-ip value mapping request, thereby allowing the network device to utilize one or more of the plurality of ip values when applying network security to network traffic at the network device.
26. The method of claim 25, further comprising configuring an allow list or a deny list of the plurality of ip values, wherein the allow list contains ip values indicative of network traffic that should be allowed under the network security policy, and wherein the deny list contains ip values indicative of network traffic that should be denied under the network security policy.
27. The method of claim 25, further comprising configuring the network security policy at the dns server with a record time to live, the record time to live functioning as a time period of validity for the network security policy.
28. The method of claim 25, wherein the network security policy involves blocking network traffic, and wherein network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is blocked.
29. The method of claim 25, wherein the network security policy involves prioritizing network traffic, and wherein network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is prioritized over other network traffic.
30. The method of claim 25, wherein the network security policy involves redirecting network traffic, and wherein network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is redirected.
31. The method of claim 25, wherein the network security policy involves inspecting network traffic, and wherein network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is inspected.
32. The method of claim 25, further comprising acquiring at least one of the plurality of ip values from a network security source on a network.
33. A system for propagating network policy comprising:
a security server configured to create a network security policy to apply to network traffic, wherein a plurality of ip values conform to the network security policy;
a domain name system (dns) server configured to resolve a network security policy name to the plurality of ip values that conform to the network security policy;
wherein, in operation, the security server:
de-conflicts a current configuration against the plurality of ip values;
creates protocol specific lists including or excluding filters based on needs derived from the de-conflicting;
wherein, in operation, the dns server:
receives a name-to-ip value mapping request from a network device, wherein the network security policy name is a name for which name-to-ip value mapping is requested;
resolves the network security policy name to the plurality of ip values at the dns server;
propagates the network security policy to a network device by transmitting the plurality of ip values that conform to the network security policy to the network device in response to the name-to-ip value mapping request, thereby allowing the network device to utilize one or more of the plurality of ip values when applying network security to network traffic at the network device.
34. The system of claim 33, further comprising a list server for configuring an allow list or a deny list of ip values, wherein the allow list contains ip values indicative of network traffic that should be allowed under the network security policy, and wherein the deny list contains ip values indicative of network traffic that should be denied under the network security policy.
35. The system of claim 33, further comprising an acquisition server configured to acquire at least one of the plurality of ip values from a network security source on a network.
36. The system of claim 33, the security server further configured to associate the network security policy with a record time to live, the record time to live functioning as a time period of validity for the network security policy.
37. The system of claim 33, wherein the network security policy involves blocking network traffic, and wherein network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is blocked.
38. The system of claim 33, wherein the network security policy involves prioritizing network traffic, and wherein network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is prioritized over other network traffic.
39. The system of claim 33, wherein the network security policy involves redirecting network traffic, and wherein network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is redirected.
40. The system of claim 33, wherein the network security policy involves inspecting network traffic, and wherein network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is inspected.
42. The method of claim 41, further comprising configuring an allow list or a deny list of the plurality of ip values, wherein the allow list contains ip values indicative of the network traffic that should be allowed under the network security policy, and wherein the deny list contains ip values indicative of the network traffic that should be denied under the network security policy.
43. The method of claim 41, further comprising configuring the network security policy at the dns server with a record time to live, the record time to live functioning as a time period of validity for the network security policy.
44. The method of claim 41, wherein the network security policy involves blocking the network traffic, and wherein the network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is blocked.
45. The method of claim 41, wherein the network security policy involves prioritizing the network traffic, and wherein the network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is prioritized over other network traffic.
46. The method of claim 41, wherein the network security policy involves redirecting the network traffic, and wherein the network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is redirected.
47. The method of claim 41, wherein the network security policy involves inspecting the network traffic, and wherein the network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is inspected.
48. The method of claim 41, further comprising acquiring at least one of the plurality of ip values from a network security source on a network.
50. The system of claim 49, further comprising a list server for configuring an allow list or a deny list of ip values, wherein the allow list contains ip values indicative of the network traffic that should be allowed under the network security policy, and wherein the deny list contains ip values indicative of the network traffic that should be denied under the network security policy.
51. The system of claim 49, further comprising an acquisition server configured to acquire at least one of the plurality of ip values from a network security source on a network.
52. The system of claim 49, the security server further configured to associate the network security policy with a record time to live, the record time to live functioning as a time period of validity for the network security policy.
53. The system of claim 49, wherein the network security policy involves blocking the network traffic, and wherein network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is blocked.
54. The system of claim 49, wherein the network security policy involves prioritizing the network traffic, and wherein the network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is prioritized over other network traffic.
55. The system of claim 49, wherein the network security policy involves redirecting the network traffic, and wherein the network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is redirected.
56. The system of claim 49, wherein the network security policy involves inspecting the network traffic, and wherein the network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is inspected.
58. The method of claim 57, wherein applying the network security policy to the traffic associated with the at least one of the plurality of ip values includes using the plurality of ip values as a white list.
59. The method of claim 57, further comprising reprioritizing one or more of the plurality of ip values within the exploit or vulnerability weighted list.
60. The method of claim 57, wherein one or more of the plurality of ip values are associated with domain names.
61. The method of claim 57, wherein one or more of the plurality of ip values include an ip address.
62. The method of claim 57, wherein one or more of the plurality of ip values include a subnet.
63. The method of claim 57, wherein the dns includes a private directory server, further comprising establishing a communications link with the private directory server.
64. The method of claim 63, further comprising configuring a network device to establish the communication link with the private directory server.
66. The method of claim 65, further comprising configuring an allow list or a deny list of the plurality of ip values, wherein the allow list contains ip values indicative of the network traffic that should be allowed under the network security policy, and wherein the deny list contains ip values indicative of the network traffic that should be denied under the network security policy.
67. The method of claim 65, further comprising configuring the network security policy at the dns server with a record time to live, the record time to live functioning as a time period of validity for the network security policy.
68. The method of claim 65, wherein the network security policy involves blocking the network traffic, and wherein the network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is blocked.
69. The method of claim 65, wherein the network security policy involves prioritizing the network traffic, and wherein the network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is prioritized over other network traffic.
70. The method of claim 65, wherein the network security policy involves redirecting the network traffic, and wherein the network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is redirected.
71. The method of claim 65, wherein the network security policy involves inspecting the network traffic, and wherein the network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is inspected.
72. The method of claim 65, further comprising acquiring at least one of the plurality of ip values from a network security source on a network.
74. The system of claim 73, further comprising a list server for configuring an allow list or a deny list of ip values, wherein the allow list contains ip values indicative of the network traffic that should be allowed under the network security policy, and wherein the deny list contains ip values indicative of the network traffic that should be denied under the network security policy.
75. The system of claim 73, further comprising an acquisition server configured to acquire at least one of the plurality of ip values from a network security source on a network.
76. The system of claim 73, the security server further configured to associate the network security policy with a record time to live, the record time to live functioning as a time period of validity for the network security policy.
77. The system of claim 73, wherein the network security policy involves blocking the network traffic, and wherein the network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is blocked.
78. The system of claim 73, wherein the network security policy involves prioritizing the network traffic, and wherein the network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is prioritized over other network traffic.
79. The system of claim 73, wherein the network security policy involves redirecting the network traffic, and wherein the network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is redirected.
80. The system of claim 73, wherein the network security policy involves inspecting the network traffic, and wherein the network traffic having a source ip value or a destination ip value that references the one or more of the plurality of ip values is inspected.

This application
FROM ANY TO <list to block> DENY
or
FROM <list to allow> TO ANY ALLOW
FROM ANY TO <list to allow> ALLOW
After the rules are formulated, they are ready to be enabled in the final step 3005, for example by evaluating traffic against the rules as illustrated in the description of FIG. 4 below.

FIG. 4 is a block diagram of an exemplary procedure for evaluating the rules to be implemented in a network device. In one embodiment, the rules are formulated at a server and installed at the network device. The procedure is initiated in step 4001 when a rule is applied. A decision is then made in step 4002 to determine whether IP values for the domain names used in the formulated rules are available. If the IP values for the domain names used in the formulated rules are available, an evaluation is made in step 4004 to determine whether the source or destination IP value is referenced in the rules. If the source or destination IP value is referenced in the formulated rules, then in step 4006 the formulated rules are applied; otherwise a default rule is applied in step 4005.

Alternatively, if in step 4002 it is determined that the IP values for the names used in the rules are unavailable, a directory query for domain name resolution is sent to a directory server in step 4003. The response to the query provides the IP addresses. The process then continues to step 4004, where an evaluation is made to determine whether the source or destination IP value is referenced in the formulated rules, which now include the list of IP addresses. The process then continues to steps 4005 and 4006 as previously described. The enabling process can occur automatically, for example when the first packet is received that triggers the evaluation of the rule. Alternatively, the process of enabling the formulated rules can occur either on the expiration of the record time to live (TTL), as configured by the server, or on some locally defined refresh timer or rule (such as when the device ages out resolved IPs to free memory).

FIG. 5 is a block diagram of an exemplary system configured in accordance with aspects of the disclosure. In one embodiment of the system, a DISS server 10 acquires IP addresses and/or IP subnets from various sources and groups them by characteristic or reputation. The characteristic or reputation is based on at least one parameter relating to traffic to or from the at least one specific location in a network, where the parameter merits making traffic handling decisions. This process can be manual, automated via software, or a combination of both. For example, the process can be automated through software that visits or crawls web pages that are known to list IP addresses and/or IP subnets of spammers. Additionally, customers, subscribers or volunteers to the system can send in IP addresses and subnets via log transmission 15. Each list is then associated with a host name on one or more DNS or other directory servers, for example private directory servers 20, with one or more connections to a network (e.g., the Internet). A request or directory query 30 received by the private directory servers 20 to resolve a host domain name will result in it being resolved to the associated list of IP addresses or subnets. The requests are received from clients 40 via the network 16 described in FIG. 1. The associated lists can then be propagated to clients or client elements (client/user device) 40 as host lookups in a directory service. The list propagation can also be accomplished using other protocols or systems that resolve names to IP addresses or IP subnets.

Propagating a list of IP addresses/subnets associated with directory names through standard name-to-address resolution, where the addresses supplied are not the mapping of the name (e.g., a host name) in the normal sense, allows the described systems and methods to reuse standard name-to-address resolution protocols and systems to deliver a list of addresses. This allows users/client devices 40 to be easily programmed to take action(s) based on that name, with the end result that the action is taken for every address on the list.

In one example, a DNS server 20 is configured so that a selected name will resolve to selected (one or more) IP addresses and/or subnets when queried. This selected name can be a “fake” name in the sense that it is not being used in the typical manner for a name to address resolution. The DNS server 20 resolves the selected name to a list of selected IP addresses (e.g., a list of IP addresses to block) and not to one or more IP addresses associated with the selected name in the typical sense.

As an example, the service can propagate the top 10 attackers listed on, for example, a DShield web page, via a selected domain name, for example, dshield-top.diss.byrneit.net. In this example, DShield is a community-based collaborative firewall log correlation system. It receives logs from volunteers worldwide and uses them to analyze attack trends. On the DNS server 20 this selected domain name is a multi-A record in a DNS zone, and the DNS server 20 returns the IP addresses of the top 10 attackers as currently reported by DShield in response to a directory query for that selected domain name.

Network filtering and forwarding rules can be defined at the client device 40. The filtering and forwarding rules can be implemented in switches, routers, firewalls, load balancers, and other equipment generally indicated as network/client device 40 that use the selected names instead of locally configured lists of IP addresses and subnets. The system can propagate highly dynamic lists of IP addresses and subnets, such as the current list of most active attackers, without requiring reconfiguration of equipment, or expensive and complex central management consoles. The system includes a list of selected names, with each selected name having an associated list of IP addresses and subnets with certain characteristics. For example, some of the selected names can have associated lists of addresses that a user would want to block, and other selected names can have associated lists of addresses that a user would want to forward. The desired selected name or names are put in place of the traditional IP address and subnet mask, or address list entry, in the rule base. In one embodiment, an automated script on a workstation that is capable of resolving the IP addresses and turning them into rules on the network elements may be used.
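The following is an added illustration of the workstation script described above, not code from the patent or from ThreatSTOP: it resolves policy names to their address lists, drops malformed records, renders iptables-style rules, and only re-resolves a name after its record TTL has lapsed. The zone contents, the second policy name and the TEST-NET addresses are constructed stand-ins for a real directory server's multi-A answers.

```python
import ipaddress
import time
from dataclasses import dataclass, field

# Constructed stand-in for a DNS multi-A answer: hostname -> (TTL seconds, A records).
# In a deployment these would come from the directory server 20 of FIG. 5.
FAKE_ZONE = {
    "dshield-top.diss.byrneit.net": (300, ["198.51.100.7", "203.0.113.9",
                                           "192.0.2.45", "999.1.1.1"]),
    "partners.allow.example.invalid": (3600, ["192.0.2.10"]),
}

ACTIONS = {"block": "DROP", "forward": "ACCEPT"}


def resolve_policy_name(name, zone=FAKE_ZONE):
    """Step 4003: return (ttl, validated addresses) for a selected (policy) name."""
    ttl, answers = zone[name]
    addrs = []
    for a in answers:
        try:
            addrs.append(str(ipaddress.ip_address(a)))
        except ValueError:
            continue  # a malformed record must not become a broken firewall rule
    return ttl, addrs


@dataclass
class RuleSet:
    policies: dict                                 # policy name -> "block" | "forward"
    expires: dict = field(default_factory=dict)    # name -> time at which its TTL lapses
    rendered: dict = field(default_factory=dict)   # name -> rendered rule strings

    def refresh(self, now=None, zone=FAKE_ZONE):
        """Re-resolve names whose TTL has lapsed and re-render their rules.
        Returns the names that were (re)resolved on this pass."""
        now = time.time() if now is None else now
        changed = []
        for name, action in self.policies.items():
            if self.expires.get(name, 0) > now:
                continue  # record still fresh; keep the rules already in place
            ttl, addrs = resolve_policy_name(name, zone)
            self.rendered[name] = [
                f"-A INPUT -s {ip} -j {ACTIONS[action]} -m comment --comment {name}"
                for ip in addrs]
            self.expires[name] = now + ttl
            changed.append(name)
        return changed

    def rules(self):
        """Flattened rule base, one entry per resolved address, in policy order."""
        return [r for name in self.policies for r in self.rendered.get(name, [])]
```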

In one embodiment the system propagates host records that are not the real names of the hosts, but that indicate their reputation or other characteristics that merit making traffic handling decisions on, and therefore allow network operators to use much simpler sets of rules, and little or no additional equipment, to manage dynamic lists of IP addresses. This can be used to solve the problem of configuring dynamic rules to meet dynamic network conditions, without the need for complex, expensive, and typically single-platform-specific management systems. The choice of DNS in one embodiment is due to its ubiquity, but the longer-term view holds that any widely enough used directory system that resolves names to IP addresses can be used in this manner. Nor is the system limited to being used for blocking. Since all that is being propagated is characteristics of a given address or group of addresses, the system could just as easily be used for whitelisting, traffic prioritization, or other special handling (such as CALEA (Communications Assistance for Law Enforcement Act of 1994) wiretapping).

The system allows for automatic updates from a central point of all devices in the user network to control inbound and outbound connections to threat sources, for example. This relieves users of the effort required to react to evolving threats in a timely manner. Additionally, the implementation can require no special hardware or traffic re-routing and can be wholly managed through a web service.

Various embodiments may also be implemented primarily in hardware using, for example, components such as application specific integrated circuits (“ASICs”), or field programmable gate arrays (“FPGAs”). Implementation of a hardware state machine capable of performing the functions described herein will also be apparent to those skilled in the relevant art. Various embodiments may also be implemented using a combination of both hardware and software.

Furthermore, those of skill in the art will appreciate that the various illustrative logical blocks, modules, circuits, and method steps described in connection with the above described figures and the embodiments disclosed herein can often be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. Skilled persons can implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the invention. In addition, the grouping of functions within a module, block, circuit or step is for ease of description. Specific functions or steps can be moved from one module, block or circuit to another without departing from the invention.

Moreover, the various illustrative logical blocks, modules, and methods described in connection with the embodiments disclosed herein can be implemented or performed with a general purpose processor, a digital signal processor (“DSP”), an ASIC, FPGA or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general-purpose processor can be a microprocessor, but in the alternative, the processor can be any processor, controller, microcontroller, or state machine. A processor can also be implemented as a combination of computing devices, for example, a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.

Those of skill in the art will appreciate that the various illustrative system elements and method steps described in the figures and the embodiments and examples disclosed herein can often be implemented as electronic hardware, software, firmware or combinations of the foregoing. To clearly illustrate this interchangeability of hardware and software, various illustrative modules and method steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. Skilled persons can implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the invention. In addition, the grouping of functions within a system element or step is for ease of description. Specific functions can be moved, from one element or step to another without departing from the invention.

A software module can reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium including a network storage medium. An exemplary storage medium can be coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium can be integral to the processor. The processor and the storage medium can also reside in an ASIC.

Although the steps/operations of the method(s) herein are shown and described in a particular order, the order of the steps/operations of each method may be altered so that certain steps/operations may be performed in an inverse order or so that certain steps/operations may be performed, at least in part, concurrently with other operations. In another embodiment, instructions or sub-operations of distinct operations may be performed in an intermittent and/or alternating manner.

The above description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles described herein can be applied to other embodiments without departing from the spirit or scope of the invention. Thus, it is to be understood that the description and drawings presented herein represent a presently preferred embodiment of the invention and are therefore representative of the subject matter which is broadly contemplated by the present invention. It is further understood that the scope of the present invention fully encompasses other embodiments that may become obvious to those skilled in the art and that the scope of the present invention is accordingly limited by nothing other than the appended claims.

Byrnes, Tomas L.

Assignment history:
Executed Aug 21 2008: assignor BYRNES, TOMAS L to assignee BRIGHTCLOUD, INC; assignment of assignors interest (see document for details); reel/frame/doc 0508940411
Executed Jul 29 2009: assignor BRIGHTCLOUD, INC to assignee THREATSTOP, INC; assignment of assignors interest (see document for details); reel/frame/doc 0508940457
Aug 28 2017: ThreatSTOP, Inc. (assignment on the face of the patent)