Technologies for independent service level agreement monitoring
US-2017250892-A1 · Aug 31, 2017 · US
US2021126927A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2021126927-A1 |
| Application number | US-201916666143-A |
| Country | US |
| Kind code | A1 |
| Filing date | Oct 28, 2019 |
| Priority date | Oct 28, 2019 |
| Publication date | Apr 29, 2021 |
| Grant date | — |
Official abstract text for this publication.
Techniques for providing network traffic security in a virtualized environment are described. A threat aware controller uses a threat feed provided by a threat intelligence service to establish a threat detection engine on virtual switches. The threat aware controller and threat detection engine work together to detect any anomalous or malicious behavior of network traffic on the virtual switch and established virtual network functions to quickly detect, verify, and isolate network threats.
Opening claim text (preview).
We claim:

1. A method for network threat detection at a threat aware controller comprising: initiating a threat detection engine in a virtual network switch (vSwitch); providing a threat feed to the threat detection engine; receiving a request to initiate a threat analysis virtual network function (VNF) from the threat detection engine, wherein the request to initiate a threat analysis VNF is transmitted from the threat detection engine upon detection of a threat anomaly; and initiating a threat analysis VNF.

2. The method of claim 1, further comprising: updating the threat detection engine with a threat analysis VNF configuration; redirecting network traffic at the vSwitch to the threat analysis VNF; receiving a threat analysis report from the threat detection engine or the threat analysis VNF; wherein the threat analysis report is generated at the threat detection engine or the threat analysis VNF based on a monitored traffic at the threat analysis VNF; and wherein the threat analysis report comprises a detection of malicious operation at the threat analysis VNF.

3. The method of claim 2, further comprising: updating the threat feed based on the detection of malicious operation in the threat analysis VNF in the threat analysis report; isolating network traffic associated with the detected malicious operation; and terminating, via the threat aware controller, the threat analysis VNF.

4. The method of claim 1, wherein the threat feed comprises one or more threat properties for network traffic, wherein the threat detection engine on the vSwitch uses the one or more threat properties to inspect network traffic and detect threat anomalies.

5. The method of claim 4, wherein providing the threat feed comprises: transmitting the threat feed to the threat detection engine via a control-plane function, wherein the control-plane function configures the threat detection engine with the one or more threat properties.

6. The method of claim 1, further comprising: receiving telemetry data for network traffic from the threat detection engine; and detecting, at the threat aware controller, a threat anomaly based on the telemetry data.

7. The method of claim 1, wherein initiating the threat analysis VNF further comprises: determining that the vSwitch cannot host the threat analysis VNF; selecting an alternate host for the threat analysis VNF; and initiating the threat analysis VNF at the alternate host.

8. A system, comprising: a processor; and a memory comprising instructions which, when executed on the processor, performs an operation, the operation comprising: initiating a threat detection engine in a virtual network switch (vSwitch); providing a threat feed to the threat detection engine; receiving a request to initiate a threat analysis virtual network function (VNF) request from the threat detection engine, wherein the request to initiate a threat analysis VNF is transmitted from the threat detection engine upon detection of a threat anomaly; initiating a threat analysis VNF; updating the threat detection engine with a threat analysis VNF configuration; redirecting network traffic at the vSwitch to the threat analysis VNF; and receiving a threat analysis report from the threat detection engine or the threat analysis VNF.

9. The system of claim 8, wherein the threat analysis report is generated at the threat detection engine or threat analysis VNF based on a monitored operation of the threat analysis VNF; and wherein the threat analysis report comprises a detection of malicious operation at the threat analysis VNF.

10. The system of claim 9, further comprising: updating the threat feed based on the detection of malicious operation in the threat analysis VNF in the threat analysis report; isolating network traffic associated with the detected malicious operation; and terminating the threat analysis VNF.

11. The system of claim 8, wherein the threat feed comprises one or more threat properties for network traffic, wherein the threat detection engine on the vSwitch uses the one or more threat properties to inspect network traffic and detect threat anomalies.

12. The system of claim 11, wherein providing the threat feed comprises: transmitting the threat feed to the threat detection engine via a control-plane function, wherein the control-plane function configures the threat detection engine with the one or more threat properties.

13. The system of claim 8, wherein initiating the threat analysis VNF further comprises: determining that the vSwitch cannot host the threat analysis VNF; selecting an alternate host for the threat analysis VNF; and initiating the threat analysis VNF at the alternate host.

14. A method comprising: receiving, at a threat detection engine on a virtual network switch (vSwitch) a threat feed comprising a plurality of network threat properties from a threat aware controller; inspecting network traffic associated with one or more virtual network functions (VNFs) on the vSwitch; detecting a threat anomaly in the inspected network traffic using the threat properties; transmitting a request to initiate a threat analysis VNF to the threat aware controller; receiving a threat analysis VNF configuration from the threat aware controller upon initiation of a threat analysis VNF; isolating network traffic associated with the threat anomaly to the threat analysis VNF; monitoring traffic at the threat analysis VNF; and generating a threat analysis report based on the monitored traffic; and transmitting the threat analysis report to the threat aware controller.

15. The method of claim 14, further comprising: detecting a malicious operation at the threat analysis VNF; dropping network traffic associated with the malicious operation at the threat analysis VNF; and including an identification of malicious operation in the threat analysis report.

16. The method of claim 14, further comprising: upon detection of the threat anomaly in the inspected network traffic, dropping network traffic associated with the threat anomaly.

17. The method of claim 14, wherein the plurality of network threat properties comprises line rate signatures for known network traffic threats; and wherein inspecting network traffic associated with one or more virtual network functions (VNFs) comprises: comparing the line rate signatures for known network traffic threats to network traffic on the vSwitch.

18. The method of claim 14, further comprising: transmitting telemetry data for network traffic to the threat aware controller.

19. The method of claim 14, wherein the threat analysis VNF is initiated at an alternate host, wherein the threat detection engine isolates traffic to the threat analysis VNF on the alternate host.

20. The method of claim 14, wherein the threat analysis VNF is configured to generate a threat analysis report and transmit traffic to the threat aware controller.
Vulnerability analysis · CPC title
Event detection, e.g. attack signature detection · CPC title
Traffic logging, e.g. anomaly detection · CPC title
by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title
involving long-term monitoring or reporting · CPC title