Security threat detection

US 10,057,284 B2
Filed: 02/18/2017
Issued: 08/21/2018
Est. Priority Date: 03/19/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

maintaining, by a network security device associated with a private network, a network traffic log, wherein the network traffic log includes a plurality of entries each including features associated with one of a plurality of network activities observed by the network security device, wherein the network activities include a plurality of interactions, including requests and responses relating to web resources, between hosts associated with the private network and external servers hosting the web resources;

responsive to one or more events, retrospectively scanning, by the network security device, a subset of the plurality of entries of the network traffic log in an attempt to identify a security threat that was not identified as such by a previous real-time signature-based scan or a previous real-time reputation-based scan of the observed network activities, wherein the subset of the plurality of entries includes only those entries of the plurality of entries corresponding to those of the network activities observed within a particular timeframe, wherein the one or more events comprise receipt by the network security device of updated reputation database information for use by the network security device in connection with performing reputation-based scanning and wherein said retrospectively scanning comprises applying the updated reputation database information to the network traffic log by performing the reputation-based scanning based on one or more of the features; and

when the security threat is identified as a result of said retrospectively scanning, then performing, by the network security device, one or more of a remedial action and a preventive action to address the security threat.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for retrospective scanning of network traffic logs for missed threats using updated scan engines are provided. According to an embodiment, a network security device maintains a network traffic log that includes information associated with network activities observed within a private network. Responsive to an event, the network traffic log is retrospectively scanned in an attempt to identify a threat that was missed by a previous signature-based scan or a previous reputation-based scan of the observed network activities. When the threat is identified as a result of the retrospective scan, then remedial and/or preventive action is taken with respect to the threat.

Citations

16 Claims

1. A method comprising:
- maintaining, by a network security device associated with a private network, a network traffic log, wherein the network traffic log includes a plurality of entries each including features associated with one of a plurality of network activities observed by the network security device, wherein the network activities include a plurality of interactions, including requests and responses relating to web resources, between hosts associated with the private network and external servers hosting the web resources;
  
  responsive to one or more events, retrospectively scanning, by the network security device, a subset of the plurality of entries of the network traffic log in an attempt to identify a security threat that was not identified as such by a previous real-time signature-based scan or a previous real-time reputation-based scan of the observed network activities, wherein the subset of the plurality of entries includes only those entries of the plurality of entries corresponding to those of the network activities observed within a particular timeframe, wherein the one or more events comprise receipt by the network security device of updated reputation database information for use by the network security device in connection with performing reputation-based scanning and wherein said retrospectively scanning comprises applying the updated reputation database information to the network traffic log by performing the reputation-based scanning based on one or more of the features; and
  
  when the security threat is identified as a result of said retrospectively scanning, then performing, by the network security device, one or more of a remedial action and a preventive action to address the security threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the features include, for each of the network activities:
    - (i) a hash of a received file or a hash of a requested Uniform Resource Identifier (URI);
      
      (ii) one or more of a source Internet Protocol (IP) address and a destination IP address and (iii) information regarding a user within the private network associated with the network activity.
  - 3. The method of claim 1, wherein the one or more events comprise receipt by the network security device of updated signature database information for use by the network security device in connection with performing signature-based scanning.
  - 4. The method of claim 3, wherein said retrospectively scanning comprises applying the updated signature database information to the network traffic log by performing the signature-based scanning based on one or more of the features.
  - 5. The method of claim 1, wherein the one or more events comprise a predetermined or configurable scheduled timer event.
  - 6. The method of claim 1, said retrospectively scanning is further limited to scanning only those of the plurality of entries within the network traffic log that were flagged by the previous real-time signature-based scan or the previous real-time reputation-based scan as being a potential security threat.
  - 7. The method of claim 1, wherein the preventive action comprises an action seeking to prevent potential damage resulting from the security threat or seeking to defend against the security threat.
  - 8. The method of claim 7, wherein the preventative action includes one or more ofincreasing security scrutiny for a source associated with the security threat;
    - decreasing a security reputation score of the source;
      
      blocking the source; and
      
      blocking of other potential threats that share significant features with the security threat.
  - 9. The method of claim 1, wherein the remedial action comprises one or more of:
    - notifying a user mapped to the security threat;
      
      notifying an administrator of the network security device;
      
      increasing security scrutiny for a destination associated with the security threat;
      
      deceasing a security reputation score of the destination; and
      
      blocking the destination.
  - 10. The method of claim 3, wherein the particular timeframe has a starting point defined by a first time at which the security threat was first detected by a network security community and an ending point defined by a second time at which a signature was created for detecting the security threat.

11. A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a network security device associated with a private network, causes the one or more processors to perform a method comprising:
- maintaining a network traffic log containing therein a plurality of entries each including features associated with one of a plurality of network activities observed by the network security device, wherein the network activities include a plurality of interactions, including requests and responses relating to web resources, between hosts associated with the private network and external servers hosting the web resources;
  
  responsive to one or more events, wherein the one or more events comprise receipt by the network security device of updated reputation database information for use by the network security device in connection with performing reputation-based scanning and wherein said retrospectively scanning comprises applying the updated reputation database information to the network traffic log by performing the reputation-based scanning based on one or more of the features, retrospectively scanning a subset of the plurality of entries of the network traffic log in an attempt to identify a security threat that was not identified as such by a previous real-time signature-based scan or a previous real-time reputation-based scan of the observed network activities, wherein the subset of the plurality of entries includes only those entries of the plurality of entries corresponding to those of the network activities observed within a particular timeframe; and
  
  when the security threat is identified as a result of said retrospectively scanning, then performing one or more of a remedial action and a preventive action to address the security threat.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The non-transitory computer-readable storage medium of claim 11, wherein the features include, for each of the network activities:
    - (i) a hash of a received file or a hash of a requested Uniform Resource Identifier (URI);
      
      (ii) one or more of a source Internet Protocol (IP) address and a destination IP address and (iii) information regarding a user within the private network associated with the network activity.
  - 13. The non-transitory computer-readable storage medium of claim 11, wherein the one or more events comprise receipt by the network security device of updated signature database information for use by the network security device in connection with performing signature-based scanning.
  - 14. The non-transitory computer-readable storage medium of claim 13, wherein said retrospectively scanning comprises applying the updated signature database information to the network traffic log by performing the signature-based scanning based on one or more of the features.
  - 15. The non-transitory computer-readable storage medium of claim 11, wherein the preventative action includes one or more ofincreasing security scrutiny for a source associated with the security threat;
    - decreasing a security reputation score of the source;
      
      blocking the source; and
      
      blocking of other potential threats that share significant features with the security threat.
  - 16. The non-transitory computer-readable storage medium of claim 11, wherein the remedial action comprises one or more of:
    - notifying a user mapped to the security threat;
      
      notifying an administrator of the network security device;
      
      increasing security scrutiny for a destination associated with the security threat;
      
      deceasing a security reputation score of the destination; and
      
      blocking the destination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Yu, Qianyong
Primary Examiner(s)
Shiferaw, Eleni A
Assistant Examiner(s)
Taylor, Sakinah White

Application Number

US15/436,798
Publication Number

US 20170163674A1
Time in Patent Office

549 Days
Field of Search

726 22
US Class Current
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04L 63/1441 Countermeasures against mal...

Security threat detection

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Security threat detection

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links