Methods and systems for efficient network protection
First Claim
1. A method, comprising:
receiving a plurality of packets associated with a network protected by a gateway configured with a plurality of packet filtering rules;
filtering, by the gateway configured with the plurality of packet filtering rules, each one of the plurality of packets;
generating, by the gateway configured with the plurality of packet filtering rules, threat metadata associated with at least a first portion of the plurality of packets;
receiving, by at least one threat analysis device, the first portion of the plurality of packets, the threat metadata associated with the first portion of the plurality of packets, and a configuration signal to configure the at least one threat analysis device to perform a particular analysis method;
determining, by the at least one threat analysis device configured according to the configuration signal, based on packet data, and based on the threat metadata associated with the packet data, at least one protection action for at least a second portion of the plurality of packets; and
processing, based on the determined at least one protection action, the second portion of the plurality of packets, wherein the determined at least one protection action is implemented by at least one of the gateway configured with the plurality of packet filtering rules and the at least one threat analysis device.
Abstract
Methods and systems are disclosed for integrating cyber threat intelligence (CTI), threat metadata, and threat intelligence gateways with analysis systems to form an efficient and effective system for active, proactive, and reactive network protection. A network gateway may be composed of multiple stages. A first stage may include a threat intelligence gateway (TIG). A second stage may include one or more cyber analysis systems that ingest TIG-filtered communications and the associated threat metadata signals. A third stage may include network protection logic that determines which protective actions to apply. The gateway may be provisioned and configured with rules that specify the network protection policies to be enforced. The gateway may ingest all communications flowing between the protected network and the unprotected network.
20 Claims
1. Claim 1 is reproduced under "First Claim" above; claims 2 through 17 depend on it.
18. A network security system comprising:
a gateway, comprising at least one processor and memory, configured to filter a plurality of packets received by the network security system, wherein the gateway is configured to filter the plurality of packets based on a plurality of packet filtering rules, wherein the filtering comprises forwarding a first portion of the plurality of packets to their intended destinations, wherein the gateway is further configured to generate, based on the plurality of packet filtering rules, threat metadata associated with at least a second portion of the plurality of packets;
a plurality of threat analysis devices, each comprising at least one processor and memory, configured to receive the second portion of the plurality of packets, associated threat metadata generated by the gateway, and configuration signals to configure each threat analysis device to perform a particular analysis method, wherein the plurality of threat analysis devices perform at least two different types of threat analysis processes based on the received configuration signals, and each packet of the second portion of the plurality of packets is assigned to one of the plurality of threat analysis devices; and
a processing device, comprising at least one processor and memory, configured to process a third portion of the plurality of packets received from the plurality of threat analysis devices based on threat metadata generated by the gateway and threat metadata generated by at least one of the plurality of threat analysis devices.
Claims 19 and 20 depend on claim 18.
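The three-stage pipeline described in the abstract and enumerated in claim 18, as an added worked example. This is constructed illustration code, not code from the patent, its assignee, or any product: the indicator types (CIDR, port, domain suffix), the CTI feed names, the two analysis methods (a DNS-tunnelling heuristic and a payload marker scan), the risk thresholds, and all sample rules and packets are assumptions made here. Stage 1 is the gateway: the first matching rule either blocks the packet itself or attaches threat metadata and names the analysis method (the "configuration signal"). Stage 2 routes each flagged packet to exactly one of two differently configured analysis devices. Stage 3 combines gateway metadata and analyser metadata into a protection action, so a packet can be blocked by the gateway alone or only after analysis.

```python
"""Toy TIG -> analysis devices -> protection logic pipeline (constructed, not the patent's code)."""
from __future__ import annotations
import math
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    host: str = ""            # DNS name or TLS SNI the packet refers to (constructed field)
    payload: bytes = b""


@dataclass(frozen=True)
class ThreatMeta:
    """Threat metadata the gateway attaches to a packet that matched a rule."""
    rule_id: str
    indicator: str            # CTI indicator the rule was derived from
    feed: str                 # CTI feed that supplied it (hypothetical feed names)
    confidence: float         # feed's confidence in the indicator, 0..1
    analysis: str             # configuration signal: which analysis method to run


@dataclass(frozen=True)
class Rule:
    rule_id: str
    indicator: str            # "198.51.100.0/24", "port:53" or a domain (constructed types)
    feed: str
    confidence: float
    action: str               # "block": enforced by the gateway itself; "analyze": hand off
    analysis: str = ""


@dataclass
class Outcome:
    packet: Packet
    action: str               # "allow" | "monitor" | "block"
    enforced_by: str          # "gateway" or "analysis"
    meta: Optional[ThreatMeta] = None
    analysis: Optional[dict] = None   # metadata produced by the analysis device


# Stage 1: threat intelligence gateway ---------------------------------------
def rule_matches(rule: Rule, pkt: Packet) -> bool:
    ind = rule.indicator
    if "/" in ind:
        return ip_address(pkt.dst) in ip_network(ind)
    if ind.startswith("port:"):
        return pkt.dport == int(ind[5:])
    return pkt.host == ind or pkt.host.endswith("." + ind)


def gateway_filter(pkt: Packet, rules: list[Rule]) -> tuple[str, Optional[ThreatMeta]]:
    """First matching rule wins; with no match the packet is simply forwarded."""
    for r in rules:
        if rule_matches(r, pkt):
            return r.action, ThreatMeta(r.rule_id, r.indicator, r.feed, r.confidence, r.analysis)
    return "forward", None


# Stage 2: analysis devices, each configured for one method -------------------
def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s)) if n else 0.0


def analyze_dns_tunnel(pkt: Packet, meta: ThreatMeta) -> dict:
    """Long, high-entropy leftmost label: a crude DNS-tunnelling heuristic."""
    label = pkt.host.split(".")[0]
    score = min(1.0, len(label) / 40) * (1.0 if shannon_entropy(label) > 3.5 else 0.5)
    return {"method": "dns_tunnel", "score": score}


def analyze_payload(pkt: Packet, meta: ThreatMeta) -> dict:
    """Looks for a constructed command marker in the application payload."""
    return {"method": "payload", "score": 1.0 if b"CMD:" in pkt.payload else 0.0}


ANALYZERS: dict[str, Callable[[Packet, ThreatMeta], dict]] = {
    "dns_tunnel": analyze_dns_tunnel,
    "payload": analyze_payload,
}


# Stage 3: protection logic --------------------------------------------------
def decide(meta: ThreatMeta, result: dict) -> str:
    risk = meta.confidence * result["score"]   # gateway metadata x analyser metadata
    return "block" if risk >= 0.6 else "monitor" if risk >= 0.2 else "allow"


def run_pipeline(packets, rules, analyzers=ANALYZERS) -> list[Outcome]:
    out = []
    for pkt in packets:
        disp, meta = gateway_filter(pkt, rules)
        if disp == "forward":
            out.append(Outcome(pkt, "allow", "gateway"))
        elif disp == "block":
            out.append(Outcome(pkt, "block", "gateway", meta))
        else:   # each flagged packet goes to exactly one device, chosen by the signal
            result = analyzers[meta.analysis](pkt, meta)
            out.append(Outcome(pkt, decide(meta, result), "analysis", meta, result))
    return out


# Constructed rules and traffic (RFC 5737 documentation addresses, example domains)
RULES = [
    Rule("r1", "198.51.100.0/24", "feed-a", 0.95, "block"),
    Rule("r2", "evil-updates.example", "feed-b", 0.8, "analyze", "payload"),
    Rule("r3", "port:53", "feed-c", 0.5, "analyze", "dns_tunnel"),
]
PACKETS = [
    Packet("10.0.0.5", "203.0.113.10", 443, host="www.example.org"),
    Packet("10.0.0.5", "198.51.100.7", 4444),
    Packet("10.0.0.6", "203.0.113.20", 80, host="cdn.evil-updates.example", payload=b"GET /x CMD:run"),
    Packet("10.0.0.7", "203.0.113.53", 53, host="abcdefghijklmnopqrstuvwxyz234567.t.example"),
    Packet("10.0.0.7", "203.0.113.53", 53, host="www.example.com"),
]

if __name__ == "__main__":
    for o in run_pipeline(PACKETS, RULES):
        print(f"{o.packet.dst}:{o.packet.dport:<5} {o.action:<8} by {o.enforced_by}"
              + (f" rule={o.meta.rule_id}" if o.meta else ""))
```

Running it shows the three outcomes the claims distinguish: the first packet matches no rule and is forwarded untouched (claim 18's first portion); the second hits a high-confidence CIDR rule and is dropped by the gateway without any analysis; the remaining three carry gateway metadata into an analysis device, where a low-confidence port rule on its own only yields "monitor" for the suspicious DNS label and "allow" for the benign one, while the payload marker combined with the feed's 0.8 confidence produces a block decided after analysis.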