Security threat detection
First Claim
1. A method comprising:
- maintaining, by a network security device associated with a private network, a network traffic log, wherein the network traffic log includes a plurality of entries each including features associated with one of a plurality of network activities observed by the network security device, wherein the network activities include a plurality of interactions, including requests and responses relating to web resources, between hosts associated with the private network and external servers hosting the web resources;
responsive to one or more events, retrospectively scanning, by the network security device, a subset of the plurality of entries of the network traffic log in an attempt to identify a security threat that was not identified as such by a previous real-time signature-based scan or a previous real-time reputation-based scan of the observed network activities, wherein the subset of the plurality of entries includes only those entries of the plurality of entries corresponding to those of the network activities observed within a particular timeframe, wherein the one or more events comprise receipt by the network security device of updated reputation database information for use by the network security device in connection with performing reputation-based scanning and wherein said retrospectively scanning comprises applying the updated reputation database information to the network traffic log by performing the reputation-based scanning based on one or more of the features; and
when the security threat is identified as a result of said retrospectively scanning, then performing, by the network security device, one or more of a remedial action and a preventive action to address the security threat.
Abstract
Systems and methods for retrospective scanning of network traffic logs for missed threats using updated scan engines are provided. According to an embodiment, a network security device maintains a network traffic log that includes information associated with network activities observed within a private network. Responsive to an event, the network traffic log is retrospectively scanned in an attempt to identify a threat that was missed by a previous signature-based scan or a previous reputation-based scan of the observed network activities. When the threat is identified as a result of the retrospective scan, then remedial and/or preventive action is taken with respect to the threat.
16 Claims
1. A method comprising: (independent claim, reproduced in full under First Claim above; dependent claims 2 through 10 depend from it.)
11. A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a network security device associated with a private network, causes the one or more processors to perform a method comprising:
- maintaining a network traffic log containing therein a plurality of entries each including features associated with one of a plurality of network activities observed by the network security device, wherein the network activities include a plurality of interactions, including requests and responses relating to web resources, between hosts associated with the private network and external servers hosting the web resources;
- responsive to one or more events, wherein the one or more events comprise receipt by the network security device of updated reputation database information for use by the network security device in connection with performing reputation-based scanning and wherein said retrospectively scanning comprises applying the updated reputation database information to the network traffic log by performing the reputation-based scanning based on one or more of the features, retrospectively scanning a subset of the plurality of entries of the network traffic log in an attempt to identify a security threat that was not identified as such by a previous real-time signature-based scan or a previous real-time reputation-based scan of the observed network activities, wherein the subset of the plurality of entries includes only those entries of the plurality of entries corresponding to those of the network activities observed within a particular timeframe; and
- when the security threat is identified as a result of said retrospectively scanning, then performing one or more of a remedial action and a preventive action to address the security threat.
(Dependent claims 12 through 16 depend from claim 11.)
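As an added worked example, not the patent's own code nor any vendor's implementation, the following Python models the method of claims 1 and 11 and the abstract: a gateway keeps a traffic log whose entries carry extracted features (source host, the domain derived from the URL, the hash of the response body), scans each interaction in real time against the reputation data it holds at that moment, and when updated reputation data arrives it rescans only the log entries inside a lookback window that the earlier real-time scan did not identify, then quarantines the client that fetched the resource (remedial action) and blocks the matched domain or body hash (preventive action). The data model, the hostnames, the hash value, the 48-hour window and the action names are constructed assumptions; a signature-based engine is omitted because the triggering event in the claims is a reputation update.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set
from urllib.parse import urlsplit


@dataclass(frozen=True)
class LogEntry:  # one observed web interaction plus the features extracted from it
    ts: datetime
    src_host: str          # host on the private network
    url: str               # web resource requested from an external server
    body_sha256: str = ""  # hash of the response body, when the device captured it

    @property
    def domain(self) -> str:
        return urlsplit(self.url).hostname or ""

@dataclass(frozen=True)
class ReputationDB:  # assumed shape of the reputation database information
    bad_domains: frozenset
    bad_hashes: frozenset

@dataclass(frozen=True)
class Verdict:
    entry: LogEntry
    kind: str  # "domain" or "hash": which feature matched
    scan: str  # "realtime" or "retrospective"


class Gateway:
    """Network security device: logs traffic, scans it, acts on verdicts."""

    def __init__(self, rep: ReputationDB) -> None:
        self.rep = rep
        self.log: List[LogEntry] = []
        self.flagged: Set[LogEntry] = set()       # entries already identified as threats
        self.blocked_domains: Set[str] = set()    # preventive: deny future requests
        self.blocked_hashes: Set[str] = set()     # preventive: drop future copies of the body
        self.quarantined_hosts: Set[str] = set()  # remedial: contain the client that fetched it

    def _reputation_scan(self, e: LogEntry, scan: str) -> Optional[Verdict]:
        if e.domain in self.rep.bad_domains:
            return Verdict(e, "domain", scan)
        if e.body_sha256 and e.body_sha256 in self.rep.bad_hashes:
            return Verdict(e, "hash", scan)
        return None

    def _act(self, v: Verdict) -> None:
        # Remedial action on the client; preventive action on the offending feature.
        self.flagged.add(v.entry)
        self.quarantined_hosts.add(v.entry.src_host)
        if v.kind == "domain":
            self.blocked_domains.add(v.entry.domain)
        else:
            self.blocked_hashes.add(v.entry.body_sha256)

    def observe(self, e: LogEntry) -> str:
        """Real-time path: enforce earlier verdicts, log the interaction, scan it now."""
        if (e.src_host in self.quarantined_hosts or e.domain in self.blocked_domains
                or (e.body_sha256 and e.body_sha256 in self.blocked_hashes)):
            return "denied"  # a production device would log the deny as well
        self.log.append(e)
        v = self._reputation_scan(e, "realtime")
        if v is not None:
            self._act(v)
        return "flagged" if v else "allowed"

    def on_reputation_update(self, new_rep: ReputationDB, now: datetime,
                             lookback: timedelta) -> List[Verdict]:
        """Event: updated reputation data received. Rescan only the log entries observed
        within `lookback` of now that the earlier real-time scan did not identify."""
        self.rep = new_rep
        cutoff = now - lookback
        found: List[Verdict] = []
        for e in self.log:
            if e.ts < cutoff or e in self.flagged:
                continue
            v = self._reputation_scan(e, "retrospective")
            if v is not None:
                self._act(v)
                found.append(v)
        return found


def demo() -> dict:
    # One update cycle over constructed sample traffic (not real data).
    t0, h, hash_a = datetime(2024, 5, 1, 9, 0), timedelta(hours=1), "d2a1" * 16
    gw = Gateway(ReputationDB(frozenset({"evil.example"}), frozenset()))
    out = {
        "old": gw.observe(LogEntry(t0 - timedelta(days=3), "ws-04", "http://newbad.example/old")),
        "cdn": gw.observe(LogEntry(t0, "ws-01", "http://cdn.example/update.bin", hash_a)),
        "evil": gw.observe(LogEntry(t0 + h, "ws-02", "http://evil.example/x")),
        "new": gw.observe(LogEntry(t0 + 2 * h, "ws-03", "http://newbad.example/payload")),
    }
    # The event: an updated database that now lists newbad.example and hash_a as bad.
    v2 = ReputationDB(frozenset({"evil.example", "newbad.example"}), frozenset({hash_a}))
    found = gw.on_reputation_update(v2, now=t0 + 3 * h, lookback=timedelta(hours=48))
    out["retro"] = sorted((v.entry.src_host, v.kind, v.scan) for v in found)
    out["later"] = gw.observe(LogEntry(t0 + 4 * h, "ws-05", "http://newbad.example/again"))
    out["blocked_domains"] = sorted(gw.blocked_domains)
    out["quarantined"] = sorted(gw.quarantined_hosts)
    return out
```

Two details of the claimed method show up in the run. The timeframe restriction means the three-day-old fetch from newbad.example is never re-examined, which bounds the cost of each rescan but also means a missed threat older than the window stays unreported until something else surfaces it; size the window against how far behind the reputation feed typically runs. Skipping entries the real-time scan already flagged keeps the retrospective pass reporting only what was previously missed, which is what the claims require and what keeps an analyst from seeing the same incident twice.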
Specification