Method and apparatus for distributed intrusion protection system for ultra high bandwidth networks

Information

  • Patent Application
  • Publication Number
    20070300298
  • Date Filed
    June 23, 2006
  • Date Published
    December 27, 2007
Abstract
A method for providing security to a network having a data stream with a plurality of portions of data, each having differing levels of sensitivity. The data stream is interrogated to determine the presence of predetermined characteristics associated with at least one of the portions of data within the data stream. At least one of the portions of data is then characterized, based upon the portion of data exhibiting a predetermined combination of characteristics, wherein the predetermined combination of characteristics is related to the sensitivity of the portion of data. The portions of the data stream are then distributed into a plurality of different channels, each of the channels associated with a different level of sensitivity.
Description

BRIEF DESCRIPTION OF THE DRAWINGS

The following detailed description of the embodiments of the invention will be more readily understood when taken in conjunction with the following drawings, wherein:



FIG. 1 is a schematic diagram of one embodiment of the present invention.



FIG. 2 is a schematic diagram which illustrates the control channels.





DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

For the purposes of promoting an understanding of the principles of the invention, a schematic diagram of the AHPDM system of the present invention is shown in FIG. 1. The following terms are used in the description of FIG. 1 that follows and are defined below.


As used herein, the term “Descriptor Tags” refers to data which describes traffic characteristics, contains information observed or learned about the source and destination of traffic, contains information observed or learned about the content of traffic, or combinations thereof.


As used herein, the term “Channel Tags” refers to data that contains routing information on traffic flow, identifies the desired channel, or combinations thereof. “Channel Tags” may be encoded as a binary tag at the front of a packet, or as a specific radio frequency or wavelength (lambda) of light.


As used herein, the term “Label Switch” refers to a hardware or software device which acts on Channel Tags to direct traffic to a given Channel, load balances traffic to different channels of the same type, adds or removes channel tags, or combinations thereof. In a preferred embodiment, and not meant to be limiting, “Label Switches” typically will not add or remove descriptor tags and/or modify traffic. Label switches can be selected from optical cross connects, copper switches, component modules, software, and combinations thereof.


As used herein, the term “Label Router” refers to a hardware or software device which may integrate with internal and external information sources to characterize data and/or use data analysis or characterization tools, and which may add, remove, and/or modify descriptor and channel tags on data packages. In a preferred embodiment, and not meant to be limiting, “Label Routers” typically will not block, restrict or drop packets, or balance loads on the network.


As used herein, the term “Policy Enforcement Device” refers to a hardware or software device which blocks, restricts, directs and shapes traffic flows by applying policy to channel tags and descriptor tags. As such, “Policy Enforcement Devices” may change channel tags. In a preferred embodiment, and not meant to be limiting, “Policy Enforcement Devices” typically will not balance loads on the network, or modify, add or remove Descriptor Tags.


As shown in FIG. 1, traffic from the internet 1 first encounters policy enforcement devices 100. These policy enforcement devices 100 interrogate the data stream on the network to determine the presence of predetermined characteristics associated with the sensitivity of each of the portions of data within the data stream. The policy enforcement devices 100 form the outer edge of a border policy domain 70, in which policies are enforced for traffic entering the intranet 61 from the Internet 1.


Policy enforcement devices 100 may then either quarantine the data, discard the data, or route the data to one or more label edge routers 200. Label routers 200 include system analysis tools 201, which may be integrated intrusion detection systems (IDS), statistical analysis tools, or combinations thereof. System analysis tools 201 characterize at least one of the portions of data, based upon the portion of data exhibiting a predetermined combination of characteristics, wherein the predetermined combination of characteristics is related to the sensitivity of the portion of data.


Data is then passed from the label edge routers 200 to one or more label switches 300. The label switches direct the traffic based on the tags applied by the label routers 200. If the label routers 200 have deemed additional analysis necessary, the label switches 300 send the data to one or more additional label routers 400, which may apply additional analysis if required or pass the data through without modifying its tags. Additional analysis is done through the use of either internally integrated or externally integrated data analysis tools 401, which may be, but need not be, the same as system analysis tools 201. As shown in FIG. 2, in addition to passing data, label routers 200 are connected to label routers 400 by control channels 420, which allow the exchange of control information between label routers 200 and label routers 400, thus enabling dynamic generation of characteristic combinations within both label routers 200 and label routers 400.


Data is then passed by label routers 400 to policy enforcement devices 500 in a plurality of different channels, wherein each of the channels is associated with a different level of sensitivity. Policy enforcement devices 500 may then either quarantine the data, discard the data, or route the data out of the policy domain 70 to the intranet core 61. The policy enforcement devices 500 determine whether the data is allowed to enter the intranet core 61 based on the information supplied by the label routers 400 and 200.


Label switches 60 inside the intranet core 61 interpret the tags and channels of the network traffic and, based on this interpretation, send the network traffic either to the Internet policy domain 70 or to the computer systems policy domain 80.


Policy enforcement devices 600 in the computer systems policy domain 80 interpret the tags and channels associated with the data flows and, based on the policy for that policy domain, determine whether the network traffic is allowed in from the intranet core 61.


Policy enforcement devices 600 either allow or deny the traffic from the label switches 60. If allowed, the data is sent to label routers 700. If not allowed by the policy enforcement devices 600, the traffic is either dropped or quarantined. Label routers 700 may apply additional analysis to the data flows through the use of security analysis tools 701 before passing traffic out of the computer systems policy domain 80 to traditional network switches. Security analysis tools 701 may be, but need not be, the same as data analysis tools 401 and/or system analysis tools 201.


If label router 700 is attached to a traditional Ethernet switch 800, it strips all tags and channel information previously applied to the network traffic and sends the traffic to the traditional Ethernet switch 800. The Ethernet switch 800 then directs the traffic to computer systems 801 accordingly.


If traffic is destined for label-aware equipment, label router 700 sends its traffic to label switch 810. Label switch 810 directs the traffic to label-aware computer systems 811 that are capable of interpreting the labels and tags applied by label routers 200, 400, and 700.


Computer systems 811 then may apply their own individual policies based on the analysis and information that has been provided in the form of tags, labels or channel information.
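The device chain just described, as a worked example added here (not code from the patent or from its assignee): a small Python model in which a label router interrogates constructed sample traffic for claim 11 style characteristics, attaches descriptor tags and a channel ID, a label switch forwards on the channel ID alone, and a policy enforcement device applies policy to channel plus descriptors and reports quarantine decisions back to the router in the manner of control channels 420. The characteristic names, channel numbers, sample addresses, the content check and the policy table are all assumptions made for illustration.

```python
"""Toy model of the FIG. 1 pipeline (added example, not the patent's code): label
routers characterize traffic and attach descriptor tags plus a channel ID, label
switches forward on the channel ID alone, and policy enforcement devices apply policy.
Names, channel numbers, sample addresses and the policy table are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

CH_QUARANTINE, CH_UNTRUSTED, CH_STANDARD, CH_SENSITIVE = 0, 1, 2, 3  # hypothetical; 0 = quarantine channel (claim 6)

@dataclass
class DataPackage:
    src: str
    dst: str
    proto: str
    payload: bytes
    descriptors: dict = field(default_factory=dict)  # descriptor tags
    channel: Optional[int] = None                    # channel ID tag

class LabelRouter:
    """Interrogates a package for claim-11 style characteristics and tags it."""
    def __init__(self, trusted_sources, sensitive_destinations):
        self.trusted_src = set(trusted_sources)
        self.sensitive_dst = set(sensitive_destinations)
        self.history = {}  # src -> downstream quarantine reports (system history)

    def label(self, pkg):
        d = pkg.descriptors
        d["trusted_source"] = pkg.src in self.trusted_src
        d["protocol"] = pkg.proto
        d["sensitivity"] = "high" if pkg.dst in self.sensitive_dst else "normal"
        # Constructed content check standing in for an integrated IDS (tools 201)
        d["suspicious_content"] = b"/bin/sh" in pkg.payload
        d["alerts_for_source"] = self.history.get(pkg.src, 0)
        # The channel follows from the combination of characteristics
        if d["suspicious_content"] or d["alerts_for_source"] >= 3:
            pkg.channel = CH_QUARANTINE
        elif not d["trusted_source"]:
            pkg.channel = CH_UNTRUSTED
        elif d["sensitivity"] == "high":
            pkg.channel = CH_SENSITIVE
        else:
            pkg.channel = CH_STANDARD
        return pkg

    def feedback(self, src):
        """Control-channel feedback (claims 3 and 5): a downstream report about
        src changes how later packages from it are characterized."""
        self.history[src] = self.history.get(src, 0) + 1

class LabelSwitch:
    """Forwards on the channel tag only; descriptors are neither read nor changed."""
    def __init__(self, port_by_channel):
        self.port_by_channel = port_by_channel

    def forward(self, pkg):
        return self.port_by_channel[pkg.channel]

class PolicyEnforcementDevice:
    """Allows or quarantines on channel plus descriptors; may reassign the channel."""
    def __init__(self, allowed_protocols):  # channel -> protocols permitted on it
        self.allowed = allowed_protocols

    def enforce(self, pkg):
        if pkg.channel == CH_QUARANTINE:
            return "quarantine"
        if pkg.descriptors["protocol"] not in self.allowed.get(pkg.channel, ()):
            pkg.channel = CH_QUARANTINE  # reassign the channel rather than drop
            pkg.descriptors["policy"] = "protocol not permitted on channel"
            return "quarantine"
        pkg.descriptors["policy"] = "allowed"
        return "allow"

def run_pipeline(packages, router, switch, ped):
    """Per package: (channel after enforcement, port the switch chose, decision).
    Quarantine decisions are fed back to the router over the control channel."""
    results = []
    for pkg in packages:
        router.label(pkg)
        port = switch.forward(pkg)
        decision = ped.enforce(pkg)
        if decision == "quarantine":
            router.feedback(pkg.src)
        results.append((pkg.channel, port, decision))
    return results

def demo():
    router = LabelRouter(trusted_sources={"10.1.1.5"}, sensitive_destinations={"db.internal"})
    switch = LabelSwitch({CH_QUARANTINE: "quarantine", CH_UNTRUSTED: "dmz",
                          CH_STANDARD: "core", CH_SENSITIVE: "core-sensitive"})
    ped = PolicyEnforcementDevice({CH_UNTRUSTED: ("http", "https"),
                                   CH_STANDARD: ("http", "https", "ssh"),
                                   CH_SENSITIVE: ("tls", "ssh")})
    packages = [  # constructed sample traffic
        DataPackage("10.1.1.5", "db.internal", "tls", b"\x16\x03\x01"),
        DataPackage("203.0.113.9", "www.internal", "http", b"GET / HTTP/1.1"),
        DataPackage("203.0.113.9", "www.internal", "http", b"GET /cgi?c=/bin/sh"),
        DataPackage("10.1.1.5", "www.internal", "telnet", b"\xff\xfd\x18"),
    ]
    return run_pipeline(packages, router, switch, ped)
```

The separation the definitions insist on is what the model enforces: the switch never reads a descriptor, the router never drops a package, and only the policy enforcement device decides to quarantine. Running demo() on the constructed traffic sends the trusted TLS flow to the sensitive channel, the untrusted HTTP flow to the untrusted channel, and both the flow with shell-like content and the telnet flow to quarantine; after three such reports about one source, even benign traffic from it is channeled to quarantine by the router itself.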


Continuing with FIG. 1, the data labeling that is applied to the network traffic is shown on the right hand side of the figure. Each step corresponds to operations shown to the left as previously described above.


As shown in FIG. 1, the traffic received from the internet is contained in a data package 8. If data package 8 does not internally contain any descriptors 10, it is passed to the label routers 200 for analysis and labeling. As the data passes through the label routers, the data package 8 is given additional tags: channel ID tags 9 and descriptor tags 10. Initially, descriptor tags 10 may include a trust level and information about the data package.


Label edge routers 200 add a descriptor based on enforcement of policy for policy domain 70. These descriptors 10 indicate the sensitivity of that data package. Based on the analysis, the label router applies a channel ID 11 to the data package. This channel ID 11 may be a digital tag that represents a channel number, which results in the traffic being routed in the form of a different wavelength or a specific physical channel of a physical medium.


The label switches 300 interpret the channel ID tags and direct the data packet to additional label routers 400 if necessary, or to the policy enforcement device 500. If additional analysis is required, label router 400 may modify the channel ID 11 and descriptors 12 to reflect the outcome of its analysis. As such, descriptors 12 typically will contain the same information as descriptors 10, except that descriptors 12 will have tags encoding the additional analysis.


The traffic is then sent to policy enforcement devices 500, which enforce policies based on descriptors 12 and channel ID 11. Based on the enforcement of policy, a policy enforcement device 500 may reassign a new channel ID 13 and add information about its enforcement of the policy by modifying the descriptors 14. As such, descriptors 14 typically will contain the same information as descriptors 10 and/or descriptors 12, except that descriptors 14 will have tags encoding the additional analysis.


Data is directed through the intranet core 61 by the label switches 60 based on the channel ID 13. Policy enforcement devices 600 receive the traffic and apply the policy of policy domain 80 to the traffic based on their interpretation of the channel ID 13 and the descriptors 14. Based on their interpretation, policy enforcement devices 600 assign a new channel ID 15 and modify the descriptors 14 before sending the data to the label routers 700.


Label routers 700 determine whether the destination of the data is label aware or only data-package aware. If the destination is a non-label-aware computer system 801, the label router removes channel ID 15 and descriptors 14 before sending packet 20 to the network switch 800.


If label routers 700 determine that the data is destined for a label-aware device or computer system 811, they may modify channel ID 15 and descriptors 14 to reflect any additional analysis before sending packet 30 to the label switch 810. Label switch 810 interprets the channel ID 15 and sends the data to the correct label-aware system 811.
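The tag add, modify and strip operations walked through above, as an example added here rather than anything from the patent: one hypothetical encoding of the “binary tag at the front of a packet” form of Channel Tag from the definitions, with descriptor tags carried as type-length-value fields behind it. The header layout, the 12-bit channel field (sized like an 802.1Q VLAN ID, one of the tag types in claim 9), the descriptor type codes and the function names are all assumptions. Because the tags ride in front of traffic that may come from the Internet, the parser bounds-checks every length field so that a malformed tag cannot make a label router read past the end of a frame.

```python
"""Hypothetical 'binary tag at front of packet' encoding (added example, not from
the patent). Layout, field sizes, descriptor type codes and names are assumptions:
  magic 'LT' | version u8 | channel u16 (12 bits used) | count u8 |
  count x TLV (type u8, length u8, value) | original packet bytes"""
import struct

MAGIC = b"LT"
VERSION = 1
HEADER = struct.Struct("!2sBHB")  # magic, version, channel, descriptor count
CHANNEL_MASK = 0x0FFF            # 12-bit channel id, sized like an 802.1Q VID
DESC_TYPES = {"trust": 1, "sensitivity": 2, "protocol": 3, "analysis": 4, "policy": 5}
DESC_NAMES = {v: k for k, v in DESC_TYPES.items()}

class TagError(ValueError):
    """Raised for malformed or out-of-range tags."""

def encode_tags(channel, descriptors, packet):
    """Prepend a channel tag and descriptor TLVs to a packet (label router 200 step)."""
    if channel & ~CHANNEL_MASK:
        raise TagError("channel id exceeds 12 bits")
    if len(descriptors) > 255:
        raise TagError("too many descriptors")
    body = bytearray()
    for name, value in descriptors.items():
        if name not in DESC_TYPES:
            raise TagError(f"unknown descriptor {name!r}")
        val = value.encode("utf-8")
        if len(val) > 255:
            raise TagError(f"descriptor {name!r} too long")
        body += struct.pack("!BB", DESC_TYPES[name], len(val)) + val
    return HEADER.pack(MAGIC, VERSION, channel, len(descriptors)) + bytes(body) + packet

def decode_tags(frame):
    """Return (channel, descriptors, packet). Every length is bounds-checked so a
    malformed tag cannot make the parser read past the end of the frame."""
    if len(frame) < HEADER.size:
        raise TagError("frame shorter than tag header")
    magic, version, channel, count = HEADER.unpack_from(frame, 0)
    if magic != MAGIC or version != VERSION:
        raise TagError("not a tagged frame")
    off, descriptors = HEADER.size, {}
    for _ in range(count):
        if off + 2 > len(frame):
            raise TagError("truncated descriptor header")
        typ, length = struct.unpack_from("!BB", frame, off)
        off += 2
        if off + length > len(frame):
            raise TagError("descriptor length runs past end of frame")
        if typ not in DESC_NAMES:
            raise TagError(f"unknown descriptor type {typ}")
        descriptors[DESC_NAMES[typ]] = frame[off:off + length].decode("utf-8")
        off += length
    return channel, descriptors, frame[off:]

def is_tagged(frame):
    """Cheap check a label router makes before deciding to analyze and tag."""
    return frame[:len(MAGIC)] == MAGIC

def retag(frame, channel=None, **new_descriptors):
    """Label router 400 / PED 500 step: keep existing descriptors, add or update
    some, and optionally reassign the channel."""
    old_channel, descriptors, packet = decode_tags(frame)
    descriptors.update(new_descriptors)
    return encode_tags(old_channel if channel is None else channel, descriptors, packet)

def strip_tags(frame):
    """Label router 700 step before a legacy Ethernet switch: bare packet only."""
    return decode_tags(frame)[2]
```

retag() is the label router 400 and policy enforcement device 500 step (existing descriptors kept, new ones added, channel optionally reassigned), and strip_tags() is what label router 700 does before a legacy Ethernet switch 800; a label-aware system 811 would instead call decode_tags() and apply its own policy to the descriptors it finds.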


While a preferred embodiment of the present invention has been shown and described, it will be apparent to those skilled in the art that many changes and modifications may be made without departing from the invention in its broader aspects. The appended claims are therefore intended to cover all such changes and modifications as fall within the true spirit and scope of the invention.

Claims
  • 1) A method for providing security to a network comprising the steps of:
    a. examining a data stream on said network, the data stream having a plurality of portions of data, each having differing levels of sensitivity, to determine the presence of predetermined characteristics associated with at least one of the portions of data within the data stream,
    b. characterizing at least one of the portions of data, based upon the portion of data exhibiting a predetermined combination of characteristics, wherein the predetermined combination of characteristics is related to the sensitivity of the portion of data, and
    c. distributing the portions of the data stream into a plurality of different channels, each of the channels associated with different levels of sensitivity.
  • 2) The method of claim 1 wherein the combinations of the characteristics are determined statically, dynamically, and combinations thereof.
  • 3) The method of claim 2 wherein said combinations are dynamically constructed based on feedback about the portions of data generated downstream of the channels.
  • 4) The method of claim 2 wherein the dynamic determination of combinations of the characteristics includes self learning systems.
  • 5) The method of claim 3 wherein the feedback is provided by sensors, external data feeds, changes in risk tolerance, and combinations thereof.
  • 6) The method of claim 1 wherein one of said channels is a quarantine channel.
  • 7) The method of claim 1 wherein said channels are different wavelengths of light in an optical transmission medium.
  • 8) The method of claim 1 wherein the selection of said channels is determined by tags attached to said portions of said data.
  • 9) The method of claim 8 wherein the tags are selected from the group 802.1 VLAN, GMPLS, MPLS, light tags, data tags, overall level of trust tags, protocol tags, sensitivity tags, data value tags, component specific tags, and combinations thereof.
  • 10) The method of claim 1 wherein the method is performed in at least one appliance interfaced with a network.
  • 11) The method of claim 1 wherein the characteristics are selected from the group of trusted source, trusted destination, protocol type, conversation behavior, system history, data flow sensitivity, and value of data flow, and combinations thereof.
  • 12) Media encoded with digital instructions for providing security to a network comprising the steps of:
    a. interrogating a data stream on said network, the data stream having a plurality of portions of data, each having differing levels of sensitivity, to determine the presence of predetermined characteristics associated with at least one of the portions of data within the data stream,
    b. characterizing at least one of the portions of data, based upon the portion of data exhibiting a predetermined combination of characteristics, wherein the predetermined combination of characteristics is related to the sensitivity of the portion of data, and
    c. distributing the portions of the data stream into a plurality of different channels, each of the channels associated with different levels of sensitivity.
  • 13) The media of claim 12 wherein the combinations of the characteristics are determined statically, dynamically, and combinations thereof.
  • 14) The media of claim 13 wherein said combinations are dynamically constructed based on feedback about the portions of data generated downstream of the channels.
  • 15) The media of claim 14 wherein the dynamic determination of combinations of the characteristics includes self learning systems.
  • 16) The media of claim 15 wherein the feedback is provided by sensors, external data feeds, changes in risk tolerance, and combinations thereof.
  • 17) The media of claim 12 wherein one of said channels is a quarantine channel.
  • 18) The media of claim 12 wherein said channels are different wavelengths of light in an optical transmission medium.
  • 19) The media of claim 12 wherein said channels are defined by tags attached to said portions of said data.
  • 20) The media of claim 19 wherein the tags are selected from the group 802.1 VLAN, GMPLS, MPLS, light tags, data tags, overall level of trust tags, protocol tags, sensitivity tags, data value tags, component specific tags, and combinations thereof.
  • 21) The media of claim 12 wherein the media is contained within at least one appliance interfaced with a network.
  • 22) The media of claim 12 wherein the media is contained within a computing device interfaced with a network.
  • 23) The media of claim 12 wherein the characteristics are selected from the group of trusted source, trusted destination, protocol type, conversation behavior, system history, data flow sensitivity, and value of data flow, and combinations thereof.
  • 24) A computer configured to provide security to a network by performing the steps of:
    a. interrogating a data stream on said network, the data stream having a plurality of portions of data, each having differing levels of sensitivity, to determine the presence of predetermined characteristics associated with at least one of the portions of data within the data stream,
    b. characterizing at least one of the portions of data, based upon the portion of data exhibiting a predetermined combination of characteristics, wherein the predetermined combination of characteristics is related to the sensitivity of the portion of data, and
    c. distributing the portions of the data stream into a plurality of different channels, each of the channels associated with different levels of sensitivity.
  • 25) The computer of claim 24 wherein the combinations of the characteristics are determined statically, dynamically, and combinations thereof.
  • 26) The computer of claim 25 wherein said combinations are dynamically constructed based on feedback about the portions of data generated downstream of the channels.
  • 27) The computer of claim 26 wherein the dynamic determination of combinations of the characteristics includes self learning systems.
  • 28) The computer of claim 27 wherein the feedback is provided by sensors, external data feeds, changes in risk tolerance, and combinations thereof.
  • 29) The computer of claim 24 wherein one of said channels is a quarantine channel.
  • 30) The computer of claim 24 wherein said channels are different wavelengths of light in an optical transmission medium.
  • 31) The computer of claim 24 wherein said channels are defined by tags attached to said portions of said data.
  • 32) The computer of claim 31 wherein the tags are selected from the group 802.1 VLAN, GMPLS, MPLS, light tags, data tags, overall level of trust tags, protocol tags, sensitivity tags, data value tags, component specific tags, and combinations thereof.
  • 33) The computer of claim 24 wherein the media is contained within at least one appliance interfaced with a network.
  • 34) The computer of claim 24 wherein the media is contained within a computing device interfaced with a network.
  • 35) The computer of claim 24 wherein the characteristics are selected from the group of trusted source, trusted destination, protocol type, conversation behavior, system history, data flow sensitivity, and value of data flow, and combinations thereof.
Government Interests

The invention was made with Government support under Contract DE-AC0676RLO 1830, awarded by the U.S. Department of Energy. The Government has certain rights in the invention.