Malware fingerprinting on encrypted transport layer security (TLS) traffic
US-11140196-B1 · Oct 5, 2021 · US
US11271903B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11271903-B2 |
| Application number | US-201916661597-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 23, 2019 |
| Priority date | Aug 6, 2019 |
| Publication date | Mar 8, 2022 |
| Grant date | Mar 8, 2022 |
Abstract
One embodiment of the present invention provides a system. During operation, the system determines a first set of ciphers supported by a name server based on a name lookup response message. The system then inserts an entry associated with the name server in a data structure stored in a local storage device. Subsequently, the system identifies a second set of ciphers supported by a local name server in a name lookup query message destined to the name server. The system then selects the name lookup query message for an update operation based on the entry in the data structure. The update operation includes removing ciphers from the name lookup query message except a common cipher, which is present in both the first and second sets of ciphers. The system determines an egress port corresponding to the name server for the updated name lookup query message.
Claims
What is claimed is:
1. A method, comprising: determining, by a switch, a first set of ciphers supported by a name server based on a name lookup response message; inserting, in a data structure stored in a storage device of the switch, an entry associated with the name server; identifying a second set of ciphers supported by a local name server in a name lookup query message from the local name server, wherein the name lookup query message is destined to the name server; selecting, based on the entry in the data structure, the name lookup query message for an update operation, wherein the update operation includes removing ciphers from the name lookup query message except a common cipher, which is present in both the first and second sets of ciphers; and determining an egress port corresponding to the name server for the updated name lookup query message.
2. The method of claim 1, wherein the name server is a domain name system (DNS) server, and the name lookup response message is a Domain Name System Security Extensions (DNSSEC) message.
3. The method of claim 1, further comprising: sending the name lookup query message to a management device capable of configuring the switch; and receiving the updated name lookup query from the management device.
4. The method of claim 3, wherein the management device is one of: a controller of a software-defined network (SDN); and a control plane manager configured to facilitate control information to the switch.
5. The method of claim 3, further comprising sending a notification message to the management device, wherein the notification message comprises the first set of ciphers and an identifier of the name server.
6. The method of claim 3, further comprising: receiving, from the management device, a notification message comprising information associated with a second name server; and inserting, in the data structure, a second entry associated with the second name server.
7. The method of claim 1, wherein the entry of the data structure comprises one or more of: an identifier of the name server and a time to leave (TTL) value associated with the entry; and the first set of ciphers.
8. The method of claim 1, further comprising refreshing the entry in response to receiving a second name lookup response message from the name server.
9. The method of claim 1, wherein selecting the name lookup query message further comprises: looking up an identifier of the name server in the data structure; and in response to identifying the entry in the data structure based on the lookup, selecting the name lookup query message for an update operation.
10. The method of claim 1, further comprising: selecting the common cipher, which is present in both the first and second sets of ciphers, based on a selection policy; and executing the update operation based on the common cipher.
11. A computer system, comprising: a processor; a storage device; and a memory coupled to the processor and storing instructions, which when executed by the processor cause the processor to perform a method, the method comprising: determining a first set of ciphers supported by a name server based on a name lookup response message; inserting, in a data structure stored in the storage device, an entry associated with the name server; identifying a second set of ciphers supported by a local name server in a name lookup query message from the local name server, wherein the name lookup query message is destined to the name server; selecting, based on the entry in the data structure, the name lookup query message for an update operation, wherein the update operation includes removing ciphers from the name lookup query message except a common cipher, which is present in both the first and second sets of ciphers; and determining an egress port corresponding to the name server for the updated name lookup query message.
12. The computer system of claim 11, wherein the name server is a domain name system (DNS) server, and the name lookup response message is a Domain Name System Security Extensions (DNSSEC) message.
13. The computer system of claim 11, wherein the method further comprises: sending the name lookup query message to a management device capable of configuring the computer system; and receiving the updated name lookup query from the management device.
14. The computer system of claim 13, wherein the management device is one of: a controller of a software-defined network (SDN); and a control plane manager configured to facilitate control information to the computer system.
15. The computer system of claim 13, wherein the method further comprises sending a notification message to the management device, wherein the notification message comprises the first set of ciphers and an identifier of the name server.
16. The computer system of claim 13, wherein the method further comprises: receiving, from the management device, a notification message comprising information associated with a second name server; and inserting, in the data structure, a second entry associated with the second name server.
17. The computer system of claim 11, wherein the entry of the data structure comprises one or more of: an identifier of the name server and a time to leave (TTL) value associated with the entry; and the first set of ciphers.
18. The computer system of claim 11, wherein the method further comprises refreshing the entry in response to receiving a second name lookup response message from the name server.
19. The computer system of claim 11, wherein selecting the name lookup query message further comprises: looking up an identifier of the name server in the data structure; and in response to identifying the entry in the data structure based on the lookup, selecting the name lookup query message for an update operation.
20. The computer system of claim 11, wherein the method further comprises: selecting the common cipher, which is present in both the first and second sets of ciphers, based on a selection policy; and executing the update operation based on the common cipher.
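The abstract and claims above describe one procedure: the switch learns a name server's cipher set from a lookup response, records it in a local data structure with a TTL (claims 7 and 8), and later rewrites a query from the local name server so that only a cipher common to both sides survives, chosen by a selection policy (claim 10), before picking the egress port. The following Python model is an added illustration written for this page and is not code from the patent or its assignee. It assumes a dictionary shape for the messages, a constructed preference list as the selection policy, a constructed port map as the forwarding table, and that a query whose destination has no live entry, or whose cipher list shares nothing with the recorded set, is forwarded unchanged; the cipher names are made-up labels.

```python
"""Switch-side model of the DNS cipher-set learning and query-update procedure.
Added example for this page; message formats, policy and port map are assumed."""
from dataclasses import dataclass, field
import time

# Assumed selection policy (claim 10): most preferred cipher first.
PREFERENCE_ORDER = ("AES256-GCM", "AES128-GCM", "CHACHA20")


@dataclass
class NameServerEntry:
    """Entry of the data structure (claim 7): server identifier, ciphers, TTL."""
    server_id: str
    ciphers: frozenset
    ttl: float
    refreshed_at: float


class CipherTable:
    """Data structure kept in the switch's local storage (claims 1, 7, 8)."""

    def __init__(self, clock=time.monotonic):
        self._entries = {}
        self._clock = clock  # injectable clock so TTL expiry can be tested offline

    def insert(self, server_id, ciphers, ttl=300.0):
        # Inserting for a server already present refreshes the entry (claim 8).
        self._entries[server_id] = NameServerEntry(
            server_id, frozenset(ciphers), ttl, self._clock())

    def lookup(self, server_id):
        """Return the live entry for server_id, dropping it if its TTL has elapsed."""
        entry = self._entries.get(server_id)
        if entry is None:
            return None
        if self._clock() - entry.refreshed_at > entry.ttl:
            del self._entries[server_id]
            return None
        return entry


@dataclass
class Switch:
    table: CipherTable = field(default_factory=CipherTable)
    ports: dict = field(default_factory=dict)  # assumed: name server id -> egress port

    def on_response(self, response):
        """Name lookup response from a name server: learn the first set of ciphers."""
        self.table.insert(response["src"], response["ciphers"], response.get("ttl", 300.0))

    def on_query(self, query, policy=PREFERENCE_ORDER):
        """Name lookup query from the local name server destined to query['dst'].

        Returns (updated_query, egress_port). The query is selected for the update
        operation only when an entry for its destination is found (claim 9)."""
        entry = self.table.lookup(query["dst"])
        updated = dict(query)
        if entry is not None:
            common = entry.ciphers & set(query["ciphers"])
            if common:  # assumption: with no common cipher the query is left untouched
                chosen = next((c for c in policy if c in common), None) or sorted(common)[0]
                updated["ciphers"] = [chosen]  # remove all ciphers except the common one
        return updated, self.ports.get(query["dst"])


def demo():
    """Constructed exchange: one response learned, then one query rewritten."""
    sw = Switch(ports={"ns1": 7})
    sw.on_response({"src": "ns1", "ciphers": ["AES128-GCM", "CHACHA20", "LEGACY-X"]})
    query = {"src": "local-ns", "dst": "ns1",
             "ciphers": ["AES256-GCM", "CHACHA20", "AES128-GCM"]}
    return sw.on_query(query)


if __name__ == "__main__":
    print(demo())
```

The TTL-driven lookup is what keeps a stale cipher set from being imposed on a server that has since changed its configuration; the injectable clock lets that expiry path be exercised without waiting.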
Internet protocol [IP] addresses · CPC title
using domain name system [DNS] · CPC title
Updates performed during online database operations; commit processing · CPC title
received data contents, e.g. message integrity · CPC title
using time-dependent keys, e.g. periodically changing keys (cryptographic mechanisms or cryptographic arrangements for controlling usage of secret information H04L9/088) · CPC title