Rule-based network-threat detection

DC CAFC

US 10,193,917 B2
Filed: 11/30/2017
Issued: 01/29/2019
Est. Priority Date: 04/17/2015
Status: Active Grant

- Alert
- Pin

First Claim

Patent Images

1. A method comprising:

receiving, by a packet-filtering device, a plurality of packets;

responsive to a determination by the packet-filtering device that a first packet of the plurality of packets corresponds to one or more packet-filtering rules;

applying, by the packet-filtering device and to the first packet, an operator specified by a corresponding packet-filtering rule and configured to cause the packet-filtering device to either prevent the first packet from continuing toward a destination of the first packet or allow the first packet to continue toward the destination of the first packet; and

generating, by the packet-filtering device, a packet log entry comprising at least one threat identifier corresponding to the first packet and data indicating whether the packet-filtering device prevented the first packet from continuing toward the destination of the first packet or allowed the packet to continue toward the destination of the first packet;

updating, by the packet-filtering device and based on the packet log entry, a packet flow entry, corresponding to the generated packet log entry, of packet flow analysis data for a plurality of logged packets, wherein the packet flow analysis data comprises data corresponding to a plurality of packet flow entries, and wherein each packet flow entry consolidates a plurality of packet log entries corresponding to a common threat identifier;

communicating, by the packet-filtering device and to a computing device, the packet flow analysis data; and

causing, based on the communicated packet flow analysis data, display of at least a portion of the packet flow analysis data,wherein the packet flow analysis data comprises at least one threat identifier corresponding to each of the plurality of logged packets, packet time data for packets corresponding to the packet flow entry, and data indicating whether the packet-filtering device prevented packets from continuing toward a respective destination or allowed packets to continue toward the respective destination.

View all claims

2 Assignments

Timeline View

Assignment View

Litigations

1 Petition

Accused Products

Abstract

A packet-filtering device may receive packet-filtering rules configured to cause the packet-filtering device to identify packets corresponding to network-threat indicators. The packet-filtering device may receive packets and, for each packet, may determine that the packet corresponds to criteria specified by a packet-filtering rule. The criteria may correspond to one or more of the network-threat indicators. The packet-filtering device may apply an operator specified by the packet-filtering rule. The operator may be configured to cause the packet-filtering device to either prevent the packet from continuing toward its destination or allow the packet to continue toward its destination. The packet-filtering device may generate a log entry comprising information from the packet-filtering rule that identifies the one or more network-threat indicators and indicating whether the packet-filtering device prevented the packet from continuing toward its destination or allowed the packet to continue toward its destination.

206 Citations

20 Claims

1. A method comprising:
- receiving, by a packet-filtering device, a plurality of packets;
  
  responsive to a determination by the packet-filtering device that a first packet of the plurality of packets corresponds to one or more packet-filtering rules;
  
  applying, by the packet-filtering device and to the first packet, an operator specified by a corresponding packet-filtering rule and configured to cause the packet-filtering device to either prevent the first packet from continuing toward a destination of the first packet or allow the first packet to continue toward the destination of the first packet; and
  
  generating, by the packet-filtering device, a packet log entry comprising at least one threat identifier corresponding to the first packet and data indicating whether the packet-filtering device prevented the first packet from continuing toward the destination of the first packet or allowed the packet to continue toward the destination of the first packet;
  
  updating, by the packet-filtering device and based on the packet log entry, a packet flow entry, corresponding to the generated packet log entry, of packet flow analysis data for a plurality of logged packets, wherein the packet flow analysis data comprises data corresponding to a plurality of packet flow entries, and wherein each packet flow entry consolidates a plurality of packet log entries corresponding to a common threat identifier;
  
  communicating, by the packet-filtering device and to a computing device, the packet flow analysis data; and
  
  causing, based on the communicated packet flow analysis data, display of at least a portion of the packet flow analysis data,wherein the packet flow analysis data comprises at least one threat identifier corresponding to each of the plurality of logged packets, packet time data for packets corresponding to the packet flow entry, and data indicating whether the packet-filtering device prevented packets from continuing toward a respective destination or allowed packets to continue toward the respective destination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein each packet log entry further comprises packet time data, data derived from an associated packet, environmental data of the associated packet, data identifying a corresponding packet-filtering rule, data indicating an operator applied, and at least one corresponding threat identifier.
  - 3. The method of claim 1, wherein the packet flow analysis data comprises a time range of the plurality of packet log entries corresponding to the common threat identifier, and wherein the time range indicates an earliest hit time and a latest time hit.
  - 4. The method of claim 1, wherein the updating the packet flow entry of the packet flow analysis data for the plurality of logged packets further comprises:
    - modifying, for each packet of the plurality of packets, responsive to a determination that each packet corresponds to one or more packet-filtering rules, and based on the packet log entry, an existing packet flow log entry to indicate one or more corresponding packet-filtering rules and whether the packet-filtering device prevented each packet from continuing toward each packet'"'"'s respective destination or allowed each packet to continue toward each packet'"'"'s respective destination.
  - 5. The method of claim 1, wherein:
    - each packet flow entry of the plurality of packet flow entries corresponds to a different threat identifier of a plurality of threat identifiers; and
      
      updating the packet flow entry of the packet flow analysis data comprises updating a packet flow entry, of the plurality of packet flow entries and based on the packet log entry, of a threat identifier that corresponds to the packet log entry.
  - 6. The method of claim 1, wherein the packet flow analysis data further comprises one or more scores, wherein each score is associated with a corresponding packet flow entry, the method further comprising:
    - determining the one or more scores based on a number of packets associated with each packet flow entry and based on times associated with the packets associated with each packet flow entry;
      
      updating the one or more scores based on each packet log entry; and
      
      indicating, in the packet flow analysis data, the one or more scores.
  - 7. The method of claim 6, the method further comprising:
    - updating the one or more scores based on one or more times at which one or more packets of the plurality of logged packets that corresponds to one or more packet-filtering rules were filtered by the packet-filtering device; and
      
      updating the one or more scores based on a number of the plurality of logged packets that correspond to the one or more packet-filtering rules.
  - 8. The method of claim 6, wherein determining the one or more scores further comprises determining the one or more scores based on an identity of one or more network-threat-intelligence providers that provided network-threat indicators associated with a corresponding threat identifier, and a number of network-threat intelligence providers that provided network-threat indicators associated with a corresponding threat identifier.
  - 9. The method of claim 6, wherein determining the one or more scores further comprises determining the one or more scores based on a destination of a packet of the plurality of logged packets that corresponds to the one or more packet-filtering rules.
  - 10. The method of claim 6, wherein determining the one or more scores further comprises determining the one or more scores based on at least one of a type of threat associated with a packet flow entry threat indicator, geographic information, an anonymous proxy associated with the packet flow entry threat indicator, or an actor associated with the packet flow entry threat indicator.

11. A packet-filtering device comprising:
- at least one processor; and
  
  memory storing instructions that when executed by the at least one processor cause the packet-filtering device to;
  
  receive a plurality of packets;
  
  responsive to a determination by the packet-filtering device that a first packet of the plurality of packets corresponds to one or more packet-filtering rules;
  
  apply, to the first packet, an operator specified by a corresponding packet-filtering rule and configured to cause the packet-filtering device to either prevent the first packet from continuing toward a destination of the first packet or allow the first packet to continue toward the destination of the first packet; and
  
  generate a packet log entry comprising at least one threat indicator corresponding to the first packet and data indicating whether the packet-filtering device prevented the first packet from continuing toward the destination of the first packet or allowed the packet to continue toward the destination of the first packet;
  
  update, based on the packet log entry, a packet flow entry, corresponding to the generated packet log entry, of packet flow analysis data for a plurality of logged packets, wherein the packet flow analysis data comprises data corresponding to a plurality of packet flow entries, and wherein each packet flow entry consolidates a plurality of packet log entries corresponding to a common threat identifier;
  
  communicate, to a computing device, the packet flow analysis data; and
  
  cause, based on the communicated packet flow analysis data, display of at least a portion of the packet flow analysis data,wherein the packet flow analysis data comprises at least one threat identifier corresponding to each of the plurality of logged packets, packet time data for packets corresponding to the packet flow entry, and data indicating whether the packet-filtering device prevented packets from continuing toward a respective destination or allowed packets to continue toward the respective destination.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The packet-filtering device of claim 11, wherein each packet log entry further comprises packet time data, data derived from an associated packet, environmental data of the associated packet, data identifying a corresponding packet-filtering rule, data indicating an operator applied, and at least one corresponding threat identifier.
  - 13. The packet-filtering device of claim 11, wherein the packet flow analysis data comprises a time range of the plurality of packet log entries corresponding to the common threat identifier, and wherein time range indicates an earliest hit time and a latest time hit.
  - 14. The packet-filtering device of claim 11, wherein the instructions that when executed by the at least one processor further cause the packet-filtering device to update the packet flow entry of the packet flow analysis data for the plurality of logged packets further comprising instructions that when executed by the at least one processor further cause the packet-filtering device to modify, for each packet of the plurality of logged packets, responsive to a determination that each packet corresponds to the one or more packet-filtering rules, and based on the packet log entry, an existing packet flow log entry to indicate the one or more corresponding packet-filtering rules and whether the packet-filtering device prevented each packet from continuing toward each packet'"'"'s respective destination or allowed each packet to continue toward each packet'"'"'s respective destination.
  - 15. The packet-filtering device of claim 11, wherein:
    - each packet flow entry of the plurality of packet flow entries corresponds to a different threat identifier of a plurality of threat identifiers; and
      
      the update of the packet flow entry of the packet flow analysis data further comprises updating a packet flow entry, of the plurality of packet flow entries and based on the packet log entry, of a threat identifier that corresponds to the packet log entry.
  - 16. The packet-filtering device of claim 11, wherein the packet flow analysis data further comprises one or more scores, wherein each score is associated with a corresponding packet flow entry, the memory storing instructions that when executed by the at least one processor further cause the packet-filtering device to:
    - determine the one or more scores based on a number of packets associated with each packet flow entry and based on times associated with the packets associated with each packet flow entry;
      
      update the one or more scores based on each packet log entry; and
      
      indicate, in the packet flow analysis data, the one or more scores.
  - 17. The packet-filtering device of claim 16, wherein the instructions that when executed by the at least one processor further cause the packet-filtering device to:
    - update the one or more scores based on one or more times at which one or more packets of the plurality of logged packets that correspond to the one or more packet-filtering rules were filtered by the packet-filtering device; and
      
      update the one or more scores based on a number of the plurality of logged packets that correspond to the one or more packet-filtering rules.
  - 18. The packet-filtering device of claim 16, wherein the instructions that when executed by the at least one processor further cause the packet-filtering device to determine the one or more scores further comprise instructions that when executed by the at least one processor further cause the packet-filtering device to determine the one or more scores based on an identity of one or more network-threat-intelligence providers that provided network-threat indicators associated with a corresponding threat identifier, and a number of network-threat intelligence providers that provided network-threat indicators associated with a corresponding threat identifier.
  - 19. The packet-filtering device of claim 16, wherein the instructions that when executed by the at least one processor further cause the packet-filtering device to determine the one or more scores further comprise instructions that when executed by the at least one processor further cause the packet-filtering device to determine the one or more scores based on a destination of a packet of the plurality of logged packets that corresponds to the one or more packet-filtering rules.

20. One or more non-transitory computer-readable media comprising instructions that when executed by at least one processor of a packet-filtering device cause the packet-filtering device to:
- receive a plurality of packets;
  
  responsive to a determination by the packet-filtering device that a first packet of the plurality of packets corresponds to one or more packet-filtering rules;
  
  apply, to the first packet, an operator specified by a corresponding packet-filtering rule and configured to cause the packet-filtering device to either prevent the first packet from continuing toward a destination of the first packet or allow the first packet to continue toward the destination of the first packet; and
  
  generate a packet log entry comprising at least one threat indicator corresponding to the first packet and data indicating whether the packet-filtering device prevented the first packet from continuing toward the destination of the first packet or allowed the packet to continue toward the destination of the first packet;
  
  update, based on the packet log entry, a packet flow entry, corresponding to the generated packet log entry, of packet flow analysis data for a plurality of logged packets, wherein the packet flow analysis data comprises data corresponding to a plurality of packet flow entries, and wherein each packet flow entry consolidates a plurality of packet log entries corresponding to a common threat identifier;
  
  communicate, to a computing device, the packet flow analysis data; and
  
  cause, based on the communicated packet flow analysis data, display of at least a portion of the packet flow analysis data,wherein the packet flow analysis data comprises at least one threat identifier corresponding to each of the plurality of logged packets, packet time data for packets corresponding to the packet flow entry, and data indicating whether the packet-filtering device prevented packets from continuing toward a respective destination or allowed packets to continue toward the respective destination.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Centripetal Networks, Inc.
Original Assignee
Centripetal Networks, Inc.
Inventors
Ahn, David K., George, Keith A., Geremia, Peter P., Mallett, III, Pierre, Moore, Sean, Perry, Robert T., Rogers, Jonathan R.
Primary Examiner(s)
Schwartz, Darren B

Application Number

US15/827,477
Publication Number

US 20180159883A1
Time in Patent Office

425 Days
Field of Search
US Class Current
CPC Class Codes

H04L 43/028   by filtering

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/12   Applying verification of th...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Rule-based network-threat detection

First Claim

2 Assignments

Litigations

1 Petition

Accused Products

Abstract

206 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Rule-based network-threat detection

First Claim

2 Assignments

Subscription Required

Subscription Required

Litigations

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

206 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others