Abstract:
Methods and systems for an integrated solution to rate-based denial of service attacks targeting the Session Initiation Protocol are provided. According to one embodiment, header, state, rate and content anomalies are prevented and network policy enforcement is provided for session initiation protocol (SIP). A hardware-based apparatus helps identify SIP rate-thresholds through continuous and adaptive learning. The apparatus can determine SIP header and SIP state anomalies and drop packets containing those anomalies. SIP requests and responses are inspected for known malicious contents using a Content Inspection Engine. The apparatus integrates advantageous solutions to prevent anomalous packets and enables a policy-based packet filter for SIP.
Abstract:
A multicast-capable firewall allows firewall security policies to be applied to multicast traffic. The multicast-capable firewall may be integrated within a routing device, thus allowing a single device to provide both routing functionality, including multicast support, as well as firewall services. The routing device provides a user interface by which a user specifies one or more zones to be recognized by the integrated firewall when applying stateful firewall services to multicast packets. The user interface supports a syntax that allows the user to define subsets of the plurality of interfaces associated with the zones, and define a single multicast policy to be applied to multicast sessions associated with a multicast group. The multicast policy identifies common services to be applied pre-replication, and exceptions specifying additional services to be applied post-replication to copies of the multicast packets for the one or more zones.
Abstract:
A system for and method of securing a network are described herein. A receiving device listens for packets with proper credentials. If a transmitting device sends the correct credentials, the receiving device will respond with an acknowledgment and further data is able to be transmitted. However, if the transmitting device does not send a packet with the proper credentials, then the receiving device will drop the packet and not respond. Thus, the transmitting device will be unaware of the presence of the receiving device, in particular when hackers are using scanning software to locate target devices.
Abstract:
A method is provided for defining a filtering module between a first module processing information with a first sensitivity level, and a second module processing information with a second sensitivity level connected, in parallel with the filtering module, by a cryptographic module. The method includes defining a set of filtering rules in a language that can be compiled, defining the properties of messages whereof transmission is allowed between the first and second modules; validation processing the predefined set of rules, validating that a transmission authorization or refusal has in fact been provided by applying the set of rules to any information that may be provided at the input of the filtering module; compiling the predefined set of rules; and integrating the compiled set of rules into a rules database of the filtering module.
Abstract:
Methods, computer program products and apparatus for processing data packets are described. Methods include receiving the data packet, examining the data packet, determining a single flow record associated with the packet and extracting flow instructions for two or more devices from the single flow record.
Abstract:
A system and method for integrating line-rate application recognition in a switch ASIC. Switching platforms can be built using this feature with a conventional control plane processor rather than a more expensive specialized processor. A deep packet inspection system can be embodied in a switch ASIC using a flow tracker and a signature matching engine. The flow tracker can be positioned in an ingress portion of the switch ASIC at a location where packets in a bi-directional flow can be observed and recorded. The flow tracker generates a signature match request that is forwarded to a signature matching engine in an auxiliary pipeline. The signature matching engine analyzes packets using a signature matching state machine and reports the signature matching results to the flow tracker using a response packet that is sent to the ingress pipeline.
Abstract:
Systems and methods for detecting and preventing network security breaches are described. The systems and methods present a gateway-based packet-forwarding network security solution to not only detect security breaches but also prevent them by directly dropping suspicious packets and connections. The systems and methods employ multiple techniques to detect and prevent network security breaches, including stateful signature detection, traffic signature detection, and protocol anomaly detection.
Abstract:
Transparent network devices intercept messages from non-transparent network devices that establish a connection. Transparent network devices modify these messages to establish an inner connection with each other. The transparent network devices mimic at least some of the outer connection messages to establish their inner connection. The mimicked messages and any optional reset messages are intercepted by the transparent network devices to prevent them from reaching the outer connections. Transparent network devices modify network traffic, using error detection data, fragmentation data, or timestamps, so that inner connection network traffic inadvertently received by outer connection devices is rejected or ignored by the outer connection network devices. Transparent network devices may use different sequence windows for inner and outer connection network traffic. To prevent overlapping sequence windows, transparent network devices monitor the locations of the inner and outer connection sequence windows and may rapidly advance the inner connection sequence window as needed.
Abstract:
A method and apparatus for identifying data patterns of a file are described herein. In one embodiment, an exemplary process includes, but is not limited to, receiving a data packet of a data stream containing a file segment of a file originated from an external host and destined to a protected host of a local area network (LAN), the file being transmitted via multiple file segments contained in multiple data packets of the data stream, and performing a data pattern analysis on the received data packet to determine whether the received data packet contains a predetermined data pattern, without waiting for a remainder of the data stream to arrive. Other methods and apparatuses are also described.
Abstract:
A facility for proxying network traffic between a pair of nodes is described. The facility receives packets traveling between the pair of nodes that together constitute a network connection. For each packet of the connection that is part of a transport protocol setup process, the facility updates a representation of the status of the setup process to reflect the packet, and forwards the packet to its destination without proxying the packet. For each packet of the connection that is subsequent to the setup process, the facility proxies the contents of the packet to the packet's destination.