1. WO2020223147 - METHODS AND SYSTEMS FOR EFFICIENT PACKET FILTERING

Publication Number WO/2020/223147
Publication Date 05.11.2020
International Application No. PCT/US2020/030044
International Filing Date 27.04.2020
IPC
H04L 29/06 2006.01
  H ELECTRICITY
  04 ELECTRIC COMMUNICATION TECHNIQUE
  L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  29 Arrangements, apparatus, circuits or systems, not covered by a single one of groups H04L1/-H04L27/136
  02 Communication control; Communication processing
  06 characterised by a protocol
H04L 12/721 2013.01
  H ELECTRICITY
  04 ELECTRIC COMMUNICATION TECHNIQUE
  L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  12 Data switching networks
  70 Packet switching systems
  701 Routing or path finding
  721 Routing procedures, e.g. shortest path routing, source routing, link state routing or distance vector routing
H04L 29/12 2006.01
  H ELECTRICITY
  04 ELECTRIC COMMUNICATION TECHNIQUE
  L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  29 Arrangements, apparatus, circuits or systems, not covered by a single one of groups H04L1/-H04L27/136
  12 characterised by the data terminal
CPC
H04L 47/20
  H ELECTRICITY
  04 ELECTRIC COMMUNICATION TECHNIQUE
  L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  47 Traffic regulation in packet switching networks
  10 Flow control or congestion control
  20 Policing
H04L 47/2483
  H ELECTRICITY
  04 ELECTRIC COMMUNICATION TECHNIQUE
  L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  47 Traffic regulation in packet switching networks
  10 Flow control or congestion control
  24 depending on the type of traffic, e.g. priority or quality of service [QoS]
  2483 Flow identification
H04L 61/1511
  H ELECTRICITY
  04 ELECTRIC COMMUNICATION TECHNIQUE
  L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  61 Network arrangements or network protocols for addressing or naming
  15 Directories; Name-to-address mapping
  1505 involving standard directories or standard directory access protocols
  1511 using domain name system [DNS]
H04L 61/305
  H ELECTRICITY
  04 ELECTRIC COMMUNICATION TECHNIQUE
  L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  61 Network arrangements or network protocols for addressing or naming
  30 Arrangements for managing names, e.g. use of aliases or nicknames
  303 Name structure
  305 containing special prefixes
H04L 63/02
  H ELECTRICITY
  04 ELECTRIC COMMUNICATION TECHNIQUE
  L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  63 Network architectures or network communication protocols for network security
  02 for separating internal from external traffic, e.g. firewalls
H04L 63/0236
  H ELECTRICITY
  04 ELECTRIC COMMUNICATION TECHNIQUE
  L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  63 Network architectures or network communication protocols for network security
  02 for separating internal from external traffic, e.g. firewalls
  0227 Filtering policies
  0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
Applicants
  • CENTRIPETAL NETWORKS, INC. [US]/[US]
Inventors
  • MOORE, Sean
  • ROGERS, Jonathan R.
  • ROGERS, Steven
Agents
  • WRIGHT, Bradley C.
Priority Data
16/399,700 30.04.2019 US
Publication Language English (EN)
Filing Language English (EN)
Designated States
Title
(EN) METHODS AND SYSTEMS FOR EFFICIENT PACKET FILTERING
(FR) PROCÉDÉS ET SYSTÈMES POUR UN FILTRAGE DE PAQUETS EFFICACE
Abstract
(EN)
A packet gateway may protect TCP/IP networks by enforcing security policies on in-transit packets that are crossing network boundaries. The policies may include packet filtering rules derived from cyber threat intelligence (CTI). The rapid growth in the volume of CTI and in the size of associated CTI-derived policies, coupled with ever-increasing network link speeds and network traffic volume, may cause the costs of sufficient computational resources to be prohibitive. To efficiently process packets, a packet gateway may be provided with at least one probabilistic data structure, such as a Bloom filter, for testing packets to determine if packet data may match a packet filtering rule. Packet filtering rules may be grouped into subsets of rules, and a data structure may be provided for determining a matching subset of rules associated with a particular packet.
Latest bibliographic data on file with the International Bureau