CPC H04L 63/0236 (2013.01) [H04L 63/0263 (2013.01); H04L 63/1425 (2013.01)]; 30 Claims

1. A method, for enforcing a cybersecurity policy comprising a plurality of rules, comprising:
receiving, by a packet-filtering appliance, packets transmitted from one or more hosts in a first network to one or more hosts in a second network, wherein each of the plurality of rules comprises a rule identifier and matching criteria that indicate one or more threat indicators associated with packets to which the rule applies, wherein the packet-filtering appliance stores an index data structure associated with the plurality of rules, and wherein, for each of a plurality of internal nodes of the index data structure:
elements of a first bit array of the internal node are mapped to possible values of a k-bit chunk of a search object, each of the first bit array elements storing a value that indicates, for the possible value mapped to the first bit array element, one of: a presence of a corresponding descendant internal node, of the plurality of internal nodes, or an absence of a corresponding descendant internal node,
elements of a second bit array of the internal node are mapped to possible values of the k-bit chunk and to possible values of portions of the k-bit chunk, each of the second bit array elements storing a value that indicates, for the possible value mapped to the second bit array element, one of: the presence of one or more corresponding rule identifiers or an absence of corresponding rule identifiers, and
one or more pointers of the internal node indicate a memory location associated with one or more rule identifiers that correspond to the k-bit chunk;
extracting values from fields of the received packets and searching, using k-bit chunks of search objects based on the extracted values, the index data structure for rule identifiers of rules applicable to the received packets; and
for one or more of the received packets, applying one or more rules, of the plurality of rules, determined based on the searching to be applicable to the one or more of the received packets, wherein the applying comprises one or more of: blocking or dropping a received packet, forwarding a received packet, logging a received packet, capturing a received packet, re-directing or re-routing a received packet, modifying or transforming a received packet, or generating or sending a response to a received packet.
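The index data structure recited above is a stride-k tree bitmap: each internal node carries one bit array over the 2^k chunk values (child presence), a second bit array over the chunk values and every shorter prefix of the chunk (rule presence), and a pointer to the rule identifiers stored at that node. The following is an added, self-contained illustration of that structure and of the extract-search-apply sequence; it is not code from the patent or its assignee. It assumes a stride of k = 4 over a 32-bit IPv4 destination address as the search object, lays the second bit array out as 2^(k+1) - 1 bits indexed by (prefix length, prefix value), stands a Python dict in for the pointer to rule identifiers, uses constructed rules whose threat indicators are documentation-range addresses, and resolves several applicable rules by taking the most specific indicator match, which is one policy choice the claim leaves open.

```python
"""Stride-k tree-bitmap index for indicator matching (added example, not the patent's code)."""
import ipaddress

K = 4            # stride: bits per chunk of the search object (assumption)
W = 32           # width of the search object: an IPv4 address (assumption)
assert W % K == 0, "example assumes the address width is a multiple of the stride"


class Node:
    """One internal node: two bit arrays plus a pointer to rule identifiers."""
    def __init__(self):
        self.child_bitmap = 0     # first bit array: 2^K bits, bit c set if child c exists
        self.prefix_bitmap = 0    # second bit array: 2^(K+1)-1 bits, one per (length, value)
        self.children = {}        # chunk value -> descendant Node
        self.rules = {}           # stands in for the pointer: prefix-bit index -> rule ids


def prefix_index(length, value):
    """Bit position in the second array for a `length`-bit portion of a chunk (0..K)."""
    return (1 << length) - 1 + value


class TreeBitmapIndex:
    def __init__(self):
        self.root = Node()

    def insert(self, network, rule_id):
        """Index one threat indicator (CIDR prefix) under a rule identifier."""
        net = ipaddress.ip_network(network, strict=False)
        addr, length = int(net.network_address), net.prefixlen
        node, pos = self.root, 0
        while length - pos > K:                          # descend through full chunks
            chunk = (addr >> (W - pos - K)) & ((1 << K) - 1)
            if not (node.child_bitmap >> chunk) & 1:
                node.child_bitmap |= 1 << chunk
                node.children[chunk] = Node()
            node = node.children[chunk]
            pos += K
        rem = length - pos                               # 0..K bits left: a chunk portion
        value = (addr >> (W - pos - rem)) & ((1 << rem) - 1)
        idx = prefix_index(rem, value)
        node.prefix_bitmap |= 1 << idx                   # mark presence of rule identifiers
        node.rules.setdefault(idx, []).append(rule_id)

    def lookup(self, address):
        """Rule identifiers of every indicator covering `address`, least specific first."""
        addr = int(ipaddress.ip_address(address))
        node, pos, matches = self.root, 0, []
        while node is not None:
            chunk = (addr >> (W - pos - K)) & ((1 << K) - 1)
            for length in range(0, K + 1):               # every portion of this chunk
                idx = prefix_index(length, chunk >> (K - length))
                if (node.prefix_bitmap >> idx) & 1:
                    matches.extend(node.rules[idx])
            if (node.child_bitmap >> chunk) & 1:         # first bit array: descend?
                node, pos = node.children[chunk], pos + K
            else:
                node = None
        return matches


# Constructed policy: rule identifier -> (threat indicator, action).
RULES = {
    "R1": ("0.0.0.0/0", "forward"),        # default: forward anything not listed
    "R2": ("203.0.113.0/24", "block"),     # constructed indicator range
    "R3": ("203.0.113.77/32", "log"),      # more specific override inside R2
    "R4": ("198.51.100.0/22", "block"),    # ends on a 2-bit chunk portion
}


def build_index(rules):
    index = TreeBitmapIndex()
    for rule_id, (indicator, _action) in rules.items():
        index.insert(indicator, rule_id)
    return index


def filter_packet(index, rules, packet):
    """Extract the destination field, search the index, apply the most specific rule."""
    matches = index.lookup(packet["dst"])
    if not matches:                                      # no indicator applies
        return None, "forward"                           # assumed default disposition
    rule_id = matches[-1]                                # longest indicator match wins
    return rule_id, rules[rule_id][1]


# Constructed sample packets (only the fields the search needs).
PACKETS = [
    {"src": "192.0.2.10", "dst": "203.0.113.5"},
    {"src": "192.0.2.10", "dst": "203.0.113.77"},
    {"src": "192.0.2.11", "dst": "198.51.103.1"},
    {"src": "192.0.2.11", "dst": "8.8.8.8"},
]

if __name__ == "__main__":
    idx = build_index(RULES)
    for pkt in PACKETS:
        print(pkt["dst"], "->", filter_packet(idx, RULES, pkt))
```

The search visits at most W/k nodes per packet and tests only a handful of bits in each, which is the property that makes this index usable at line rate; note that a /22 indicator lands as a 2-bit portion of a chunk, so the second bit array is what lets prefixes that do not end on a chunk boundary be matched without expanding them.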