Session slicing of mirrored packets
US-12184680-B2 · Dec 31, 2024 · US
US2016294875A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016294875-A1 |
| Application number | US-201615008298-A |
| Country | US |
| Kind code | A1 |
| Filing date | Jan 27, 2016 |
| Priority date | Mar 30, 2015 |
| Publication date | Oct 6, 2016 |
| Grant date | — |
Abstract
Methods, systems, and media for a security system are provided herein. Exemplary methods may include: acquiring a firewall security policy from a policy compiler; receiving network traffic originating from a source machine and directed to a destination machine; analyzing the network traffic using the firewall security policy; forwarding or dropping each of the network traffic according to the security policy; and redirecting one or more network packets of the network traffic according to the security policy.
Claims
What is claimed is:
1. A system comprising: a source machine; a destination machine; a policy compiler; and an enforcement point communicatively coupled via a network to the source machine, the destination machine, and the policy compiler, the enforcement point including a processor and a memory communicatively coupled to the processor, the memory storing instructions executable by the processor to perform a method including: acquiring a firewall security policy from the policy compiler; receiving network traffic originating from the source machine and directed to the destination machine; analyzing the network traffic using the firewall security policy; forwarding or dropping the network traffic according to the firewall security policy; and redirecting one or more network packets of the network traffic according to the security policy.
2. The system of claim 1, wherein the method further comprises: accumulating the network traffic and metadata associated with the network traffic; and initiating an update to the firewall security policy by the policy compiler using at least one of the network traffic and metadata.
3. The system of claim 2 wherein the initiating the update to the firewall security policy by the policy compiler comprises: receiving information associated with the source machine and the destination machine from an external system of record; weighting one or more of a redirected network packet, further network traffic, the metadata, and the received information; statistically analyzing the weighted one or more of the redirected network packet, the further network traffic, the metadata, and the received information to calculate an updated risk score; and providing the updated risk score to the policy compiler, such that the policy compiler produces an updated firewall security policy.
4. The system of claim 3 wherein the method further comprises: applying the updated firewall security policy to another packet.
5. The system of claim 2 wherein the policy compiler produces the updated firewall security policy using at least a conditional declarative policy, the metadata, and the updated risk score.
6. The system of claim 1 further comprising: a surveillance node communicatively coupled to the source machine via the network, wherein the redirecting is to the surveillance node.
7. The system of claim 6 wherein the source machine communicates with the surveillance node as if the surveillance node were the destination machine.
8. The system of claim 7 wherein the surveillance node is a honeypot.
9. The system of claim 1 wherein the forwarding or dropping the network traffic according to the firewall security policy uses at least one of an address associated with the source machine, a port associated with the source machine, an address associated with the destination machine, a port associated with the destination machine, and a protocol associated with the packet.
10. The system of claim 1 wherein the source machine is at least one of a first physical host and a first virtual machine and wherein the destination machine is at least one of a second physical host and a second virtual machine.
11. A method for operating an enforcement point comprising: acquiring a firewall security policy from a policy compiler; receiving network traffic originating from a source machine and directed to a destination machine; analyzing the network traffic using the firewall security policy; forwarding or dropping each of the network traffic according to the firewall security policy; and redirecting one or more network packets of the network traffic according to the security policy.
12. The method of claim 11, further comprising: accumulating the network traffic and metadata associated with the network traffic; and initiating an update to the firewall security policy by the policy compiler using at least one of the network traffic and metadata.
13. The method of claim 12 wherein the initiating the update to the firewall security policy by the policy compiler comprises: receiving information associated with the source machine and the destination machine from an external system of record; weighting one or more of a redirected network packet, further network traffic, the metadata, and the received information; statistically analyzing the weighted one or more of the redirected network packet, further network traffic, the metadata, and the received information to calculate an updated risk score; and providing the updated risk score to the policy compiler, such that the policy compiler produces an updated firewall security policy.
14. The method of claim 13 further comprising: applying the updated firewall security policy to another packet.
15. The method of claim 12 wherein the policy compiler produces the updated firewall security policy using at least a conditional declarative policy, the metadata, and the updated risk score.
16. The method of claim 11 wherein the redirecting is to a surveillance node, the surveillance node being communicatively coupled to the source machine via a network.
17. The method of claim 16 wherein the source machine communicates with the surveillance node as if the surveillance node were the destination machine.
18. The method of claim 17 wherein the surveillance node is a honeypot.
19. The method of claim 11 wherein the forwarding or dropping each of the network traffic according to the firewall security policy uses at least one of an address associated with the source machine, a port associated with the source machine, an address associated with the destination machine, a port associated with the destination machine, and a protocol associated with the packet.
20. The method of claim 11 wherein the source machine is at least one of a first physical host and a first virtual machine and wherein the destination machine is at least one of a second physical host and a second virtual machine.
21. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method, the method comprising: acquiring a firewall security policy from a policy compiler; receiving network traffic originating from a source machine and directed to a destination machine; analyzing the network traffic using the firewall security policy; forwarding or dropping the network traffic according to the firewall security policy; accumulating the network traffic and metadata associated with the network traffic; and initiating an update to the firewall security policy by the policy compiler using at least one of the network traffic and the metadata.
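The feedback loop the claims describe (5-tuple matching at the enforcement point, forward/drop/redirect-to-surveillance-node actions, metadata accumulation, a weighted risk score, and a policy compiler that instantiates a conditional declarative policy) as an added illustration that is not the patent's own code. The rule format, the weights, the per-source packet and drop counters, and the default-forward behaviour are all assumptions made for this example.

```python
from dataclasses import dataclass

FORWARD, DROP, REDIRECT = "forward", "drop", "redirect"  # redirect = to the surveillance node

@dataclass(frozen=True)
class Packet:  # the 5-tuple the claims list as the matching criteria
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

def evaluate(policy, pkt):
    """Enforcement point: first matching rule wins; default forward (assumption)."""
    for rule in policy:  # rule["match"] is a subset of the 5-tuple; an absent field is a wildcard
        if all(getattr(pkt, k) == v for k, v in rule["match"].items()):
            return rule["action"]
    return FORWARD

WEIGHTS = {"drop": 0.25, "redirect": 0.5, "packets": 0.0625}  # constructed weights for this example

def risk_score(meta):
    """Weighted sum over a source's accumulated metadata, clamped to [0, 1]."""
    return min(1.0, sum(w * meta.get(k, 0) for k, w in WEIGHTS.items()))

def compile_policy(declarative, metadata):
    """Policy compiler: "when" entries are instantiated per source whose risk score satisfies them."""
    policy = [e for e in declarative if "when" not in e]  # unconditional entries pass through
    for entry in (e for e in declarative if "when" in e):
        for src, meta in metadata.items():
            if entry["when"](risk_score(meta)):
                policy.insert(0, {"match": {**entry["match"], "src": src},
                                  "action": entry["action"]})  # per-source rule takes precedence
    return policy

class EnforcementPoint:
    def __init__(self, policy):
        self.policy, self.metadata = policy, {}

    def process(self, pkt):
        """Analyze one packet, act on it, and accumulate per-source metadata."""
        action = evaluate(self.policy, pkt)
        m = self.metadata.setdefault(pkt.src, {"drop": 0, "redirect": 0, "packets": 0})
        m["packets"] += 1
        if action != FORWARD:
            m[action] += 1
        return action

    def update_policy(self, declarative):
        self.policy = compile_policy(declarative, self.metadata)  # initiate the update (claim 2)
        return self.policy
```

A source whose accumulated score crosses the declarative threshold gets a per-source redirect rule on the next compile, so its later packets go to the surveillance node while other sources are unaffected.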
Filtering policies (mail message filtering H04L51/212) · CPC title
Monitoring or debugging support · CPC title
Hypervisor-specific management and integration aspects · CPC title
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
for separating internal from external traffic, e.g. firewalls · CPC title