
1. WO2020223147 - METHODS AND SYSTEMS FOR EFFICIENT PACKET FILTERING

Note: Text based on automatic Optical Character Recognition processes. Please use the PDF version for legal matters


What is claimed is:

1. A method comprising:

receiving, by a packet gateway located at a boundary between a protected network and an unprotected network, a plurality of packets;

determining, for each packet of the plurality of packets, at least one packet matching criterion associated with the packet;

testing, for each packet of the plurality of packets, at least one policy probabilistic data structure for the at least one packet matching criterion;

based on a determination that a first packet of the plurality of packets does not match at least one packet matching criterion of the at least one policy probabilistic data structure, forwarding the first packet towards its intended destination;

based on a determination that a second packet of the plurality of packets matches at least one packet matching criterion associated with the at least one policy probabilistic data structure, determining at least one of a plurality of policy subset probabilistic data structures associated with at least one packet matching criterion of the second packet;

testing a determined at least one of the plurality of policy subset probabilistic data structures associated with at least one packet matching criterion of the second packet; and

based on a determination that the second packet of the plurality of packets matches at least one packet matching criterion associated with the determined at least one of the plurality of policy subset probabilistic data structures, performing a rule action associated with the determined at least one of the plurality of policy subset probabilistic data structures.

2. The method of claim 1, wherein the at least one policy probabilistic data structure and each of the policy subset probabilistic data structures are Bloom filters or Cuckoo filters.

3. The method of claim 1, wherein the at least one policy probabilistic data structure has a higher false positive rate than any of the policy subset probabilistic data structures.

4. The method of claim 1, wherein a policy subset probabilistic data structure associated with an action to prevent packet transmission has a lower false positive rate than a policy subset probabilistic data structure associated with an action to allow packet transmission to proceed.

5. The method of claim 1, further comprising:

receiving, by the packet gateway, a plurality of packet filtering rules, wherein each of the packet filtering rules comprises at least one packet matching criterion;

generating at least one policy probabilistic data structure representing the plurality of packet filtering rules;

partitioning the plurality of packet filtering rules into a plurality of rule subsets, wherein each of the plurality of rule subsets is associated with a common rule action; and

generating a plurality of policy subset probabilistic data structures, wherein each of the plurality of policy subset probabilistic data structures is associated with one of the plurality of rule subsets, wherein each of the policy subset probabilistic data structures is associated with the common rule action associated with the associated rule subset.

6. The method of claim 5, wherein generating a plurality of policy subset probabilistic data structures comprises:

partitioning the plurality of packet filtering rules based on an associated common packet matching criterion type to determine common packet matching criterion type rule groups;

partitioning each of the common packet matching criterion type rule groups based on an associated common rule action to determine the rule subsets; and

generating a policy subset probabilistic data structure corresponding to each rule subset with the associated common rule action and the associated common packet matching criterion type.

7. The method of claim 1, wherein testing a determined at least one of the plurality of policy subset probabilistic data structures associated with at least one packet matching criterion of the second packet comprises:

determining a plurality of packet matching criterion types associated with the second packet;

determining at least one subset probabilistic data structure corresponding to the determined plurality of packet matching criterion types associated with the second packet; and

testing each subset probabilistic data structure corresponding to the determined plurality of packet matching criterion types until a match is determined.

8. The method of claim 1, further comprising:

receiving, by the packet gateway, at least one new rule, wherein the at least one new rule comprises at least one new packet matching criterion;

updating the at least one policy probabilistic data structure to represent the at least one new rule;

determining, by the packet gateway, a rule subset to be updated based on the at least one new packet matching criterion; and

updating a policy subset probabilistic data structure corresponding to the rule subset to be updated based on the at least one new packet matching criterion of the at least one new rule.

9. The method of claim 1, wherein generating the plurality of policy subset probabilistic data structures comprises applying an indicator encoding algorithm to each of a plurality of packet matching criteria associated with each rule subset to populate a subset probabilistic data structure corresponding to the rule subset.

10. A method comprising:

receiving, by a packet gateway located at a boundary between a protected network and an unprotected network, a plurality of packets;

testing, by the packet gateway and for each packet of the plurality of packets, at least one policy probabilistic data structure representing a security policy to determine whether each packet of the plurality of packets is associated with at least one rule of the security policy, wherein the security policy comprises a plurality of packet filtering rules; and

based on a determination that a first packet of the plurality of packets matches at least one packet matching criterion associated with the at least one policy probabilistic data structure, filtering the first packet based on the plurality of packet filtering rules.

11. The method of claim 10, further comprising:

based on a determination that a second packet of the plurality of packets does not match at least one packet matching criterion associated with the at least one policy probabilistic data structure, forwarding the second packet to its intended destination.

12. The method of claim 10, further comprising:

based on the determination that the first packet of the plurality of packets matches at least one packet matching criterion associated with the at least one policy probabilistic data structure, determining at least one of a plurality of policy subset probabilistic data structures associated with at least one packet matching criterion of the first packet; and

performing a rule action on the first packet based on a test of the determined at least one of the plurality of policy subset probabilistic data structures associated with at least one packet matching criterion of the first packet.

13. The method of claim 12, wherein filtering the first packet based on a test of the determined at least one of the plurality of policy subset probabilistic data structures associated with at least one packet matching criterion of the first packet comprises:

searching a rule set associated with the determined at least one of the plurality of policy subset probabilistic data structures; and

performing a rule action associated with a rule matching the at least one packet matching criterion of the first packet.

14. The method of claim 10, further comprising:

based on a determination that a second packet of the plurality of packets matches at least one packet matching criterion associated with at least one of a plurality of policy subset probabilistic data structures, performing a rule action corresponding to a matching policy subset probabilistic data structure on the second packet.

15. The method of claim 14, wherein the rule action corresponding to the matching policy subset probabilistic data structure is one of a block action and a monitor action.

16. The method of claim 10, further comprising:

receiving, by the packet gateway, at least one new rule, wherein the at least one new rule comprises at least one corresponding packet matching criterion; and

updating the at least one policy probabilistic data structure to represent the at least one new rule.

17. The method of claim 10, wherein testing the at least one policy probabilistic data structure comprises using an encryption key to test an encoded policy probabilistic data structure.

18. A method comprising:

receiving, by a packet gateway, a plurality of packets;

determining, based on packet header information, whether each of the plurality of packets comprises a Domain Name System (DNS) query request;

based on a determination that a first packet of the plurality of packets comprises a first DNS query request, testing a DNS probabilistic data structure to determine if the first DNS query request is associated with a legitimate DNS query request; and

based on a determination that the first packet of the plurality of packets does not comprise a legitimate DNS query request, dropping the first DNS query request.

19. The method of claim 18, further comprising:

based on a determination that a second packet of the plurality of packets comprises a second DNS query request, testing the DNS probabilistic data structure to determine if the second DNS query request is associated with a legitimate DNS query request; and

based on a determination that the second packet of the plurality of packets comprises a legitimate DNS query request, transmitting the second packet towards a DNS server.

20. The method of claim 18, wherein dropping the first DNS query request comprises transmitting a message to a source of the first DNS query request.
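As an added illustration, not part of the patent text, the two-tier filtering of claims 1 to 9 and the DNS gate of claim 18 written out in Python: a coarse policy Bloom filter in front, one subset filter per (criterion type, rule action) pair behind it, with the block subsets sized largest so they have the lowest false-positive rate. The BloomFilter class, the sample rule set, the filter sizes and the function names are all constructed for this example and are not taken from the application.

```python
import hashlib

class BloomFilter:
    """Minimal Bloom filter: m bits, k indices sliced from one SHA-256 digest."""
    def __init__(self, m_bits, k_hashes):
        self.m, self.k, self.bits = m_bits, k_hashes, 0
    def _indices(self, item):
        digest = hashlib.sha256(item.encode()).digest()
        for i in range(self.k):
            yield int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.m
    def add(self, item):
        for i in self._indices(item):
            self.bits |= 1 << i
    def may_contain(self, item):
        return all(self.bits >> i & 1 for i in self._indices(item))

# Constructed sample policy: (criterion type, criterion value, rule action)
RULES = [("ip", "203.0.113.7", "block"), ("ip", "198.51.100.9", "monitor"),
         ("domain", "bad.example", "block"), ("domain", "watch.example", "monitor")]
# Hypothetical filter sizes: policy filter smallest (claim 3), block subsets largest (claim 4)
SIZES = {"policy": 1 << 14, "monitor": 1 << 16, "block": 1 << 18}

def build(rules):
    """Tier 1: one policy filter over every criterion (claim 5).
    Tier 2: one subset filter per (criterion type, rule action) pair (claim 6)."""
    policy, subsets = BloomFilter(SIZES["policy"], 3), {}
    for ctype, value, action in rules:
        policy.add(f"{ctype}:{value}")
        subsets.setdefault((ctype, action), BloomFilter(SIZES[action], 4)).add(f"{ctype}:{value}")
    return policy, subsets

def filter_packet(policy, subsets, criteria):
    """criteria: {criterion type: value} extracted from one packet.
    Returns the matched rule action, or 'forward' when nothing matches (claim 1)."""
    if not any(policy.may_contain(f"{t}:{v}") for t, v in criteria.items()):
        return "forward"  # policy-filter miss: the common fast path, no subset lookups
    for (ctype, action), bf in subsets.items():  # claim 7: test subsets until a match
        if ctype in criteria and bf.may_contain(f"{ctype}:{criteria[ctype]}"):
            return action
    return "forward"  # the policy filter gave a false positive; no rule matched

def dns_gate(legit_qnames, qname):
    """Claim 18: drop a DNS query unless its name is (probably) in the filter of
    legitimate query names. A Bloom-filter miss is never a false negative."""
    return "forward" if legit_qnames.may_contain(qname) else "drop"

if __name__ == "__main__":
    policy, subsets = build(RULES)
    print(filter_packet(policy, subsets, {"ip": "203.0.113.7", "domain": "ok.example"}))
```

Because a Bloom filter has no false negatives, a miss in the policy filter is a safe fast-path forward; only the small fraction of packets that hit the policy filter pay for the subset lookups, which is the efficiency the claims describe.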