Title: Scalable network security with fast response protocol
Abstract: This disclosure provides a network security architecture that permits installation of different software security products as virtual machines (VMs). By relying on a standardized data format and communication structure, a general architecture can be created and used to dynamically build and reconfigure interaction between both similar and dissimilar security products. Use of an integration scheme having defined message types and specified query response framework provides for real-time response and easy adaptation for cross-vendor communication. Examples are provided where an intrusion detection system (IDS) can be used to detect network threats based on distributed threat analytics, passing detected threats to other security products (e.g., products with different capabilities from different vendors) to trigger automatic, dynamically configured communication and reaction. A network security provider using this infrastructure can provide hosted or managed boundary security to a diverse set of clients, each on a customized basis.
Publication number: US8914406(B1) Publication date: 2014.12.16
Application number: US201213556553 Filing date: 2012.07.24
Applicant: Vorstack, Inc. Inventors: Haugsnes Andreas Seip; Hahn Markus
Classification: G06F7/00 Main classification: G06F7/00
Agency: Agent: Schuyler Marc P.
Principal claim: 1. An apparatus comprising instructions stored on non-transitory computer readable storage, the apparatus adapted to receive a query having at least one field having an identifier of a possible network security threat, the instructions when executed operable to cause a computer having fast access memory: to determine whether the query is of a first type, that requires response within a predetermined period of time, or a second type, that does not require response within the predetermined period of time; if the query is determined to be of the first type, to determine whether data responsive to the query is stored in the fast access memory by attempting to match the identifier with at least one data record stored in the fast access memory, and if the data is stored in the fast access memory, to automatically transmit the data to a source of the query via packet-based wide area network transmission within the period of time; if the data is not stored in the fast access memory, to transmit an indication to the source of the query that the data is not stored in the fast access memory, via packet-based wide area transmission, within the period of time, and generate a first request, transmit the first request to at least one other network data source to retrieve data responsive to the query, receive one or more responses to the first request, and asynchronously update the fast access memory to reflect data responsive to the first request; and if the query is determined to be of the second type, to generate a second request, transmit the second request to at least one other network data source to retrieve data responsive to the query, to receive one or more responses to second request, and to automatically transmit data responsive to the second request to a source of the query via packet-based wide area network transmission in a manner not constrained to be within the predetermined period of time relative to the query.
Address: San Mateo CA US