Methods and systems for efficient network protection

US 10,333,898 B1
Filed: 07/09/2018
Issued: 06/25/2019
Est. Priority Date: 07/09/2018
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a plurality of packets associated with a network protected by a gateway configured with a plurality of packet filtering rules;

filtering, by the gateway configured with the plurality of packet filtering rules, each one of the plurality of packets;

generating, by the gateway configured with the plurality of packet filtering rules, threat metadata associated with at least a first portion of the plurality of packets;

receiving, by at least one threat analysis device, the first portion of the plurality of packets, the threat metadata associated with the first portion of the plurality of packets, and a configuration signal to configure the least one threat analysis device to perform a particular analysis method;

determining, by the at least one threat analysis device configured according to the configuration signal, based on packet data, and based on the threat metadata associated with the packet data, at least one protection action for at least a second portion of the plurality of packets; and

processing, based on the determined at least one protection action, the second portion of the plurality of packets, wherein the determined at least one protection action is implemented by at least one of the gateway configured with the plurality of packet filtering rules and the at least one threat analysis device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are disclosed for integrating cyber threat intelligence (CTI), threat metadata, and threat intelligence gateways with analysis systems to form efficient and effective system for active, proactive, and reactive network protection. A network gateway may be composed of multiple stages. A first stage may include a threat intelligence gateway (TIG). A second stage may include one or more cyber analysis systems that ingest TIG-filtered communications and associated threat metadata signals. A third stage may include network protection logic that determines which protective actions. The gateway may be provisioned and configured with rules that specify the network protection policies to be enforced. The gateway may ingest all communications flowing between the protected network and the unprotected network.

Citations

20 Claims

1. A method, comprising:
- receiving a plurality of packets associated with a network protected by a gateway configured with a plurality of packet filtering rules;
  
  filtering, by the gateway configured with the plurality of packet filtering rules, each one of the plurality of packets;
  
  generating, by the gateway configured with the plurality of packet filtering rules, threat metadata associated with at least a first portion of the plurality of packets;
  
  receiving, by at least one threat analysis device, the first portion of the plurality of packets, the threat metadata associated with the first portion of the plurality of packets, and a configuration signal to configure the least one threat analysis device to perform a particular analysis method;
  
  determining, by the at least one threat analysis device configured according to the configuration signal, based on packet data, and based on the threat metadata associated with the packet data, at least one protection action for at least a second portion of the plurality of packets; and
  
  processing, based on the determined at least one protection action, the second portion of the plurality of packets, wherein the determined at least one protection action is implemented by at least one of the gateway configured with the plurality of packet filtering rules and the at least one threat analysis device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the filtering, by the gateway configured with the plurality of packet filtering rules, each one of the plurality of packets comprises comparing, for each one of the plurality of packets, packet data with threat intelligence data based on the plurality of packet filtering rules.
  - 3. The method of claim 1, further comprising forwarding, by the gateway configured with the plurality of packet filtering rules, a third portion of the plurality of packets to their intended destinations, wherein the third portion of the plurality of packets do not match any of the plurality of packet filtering rules.
  - 4. The method of claim 1, wherein the filtering, by the gateway configured with the plurality of packet filtering rules, each one of the plurality of packets comprises:
    - determining, based on at least one of the plurality of packet filtering rules, a packet threat level; and
      
      transmitting, based on a determined low packet threat level, a low threat packet towards its intended destination;
      
      transmitting, based on a determined medium packet threat level, a medium threat packet to the at least one threat analysis device; and
      
      preventing, based on a determined high packet threat level, a high threat packet from proceeding towards its intended destination.
  - 5. The method of claim 4, wherein the transmitting, based on the determined medium packet threat level, the medium threat packet to the at least one threat analysis device comprises:
    - transmitting, based on the determined medium packet threat level, a first copy of the medium threat packet to an intended destination of the medium threat packet;
      
      transmitting, based on the determined medium packet threat level, a second copy of the medium threat packet to the at least one threat analysis device;
      
      determining, by the at least one threat analysis device, that the medium packet threat level is associated with a confirmed threat; and
      
      updating, based on the processing of the at least one threat analysis device, at least one packet filtering rule associated with the medium threat packet to prevent packets associated with the medium threat packet from being transmitted towards their intended destination.
  - 6. The method of claim 4, wherein the transmitting, based on the determined medium packet threat level, the medium threat packet to the at least one threat analysis device comprises:
    - transmitting, based on the determined medium packet threat level, a first copy of the medium threat packet to the intended destination of the medium threat packet;
      
      transmitting, based on the determined medium packet threat level, a second copy of the medium threat packet to the at least one threat analysis device;
      
      determining, by the at least one threat analysis device, that the medium packet threat level is not associated with a threat; and
      
      updating, based on the processing of the at least one threat analysis device, at least one packet filtering rule associated with the medium threat packet to allow packets associated with the medium threat packet to be transmitted towards their intended destination.
  - 7. The method of claim 4, wherein the determining, based on the at least one of the plurality of packet filtering rules, the packet threat level comprises:
    - determining a fidelity of packet filtering threat intelligence data;
      
      assigning a medium packet threat level to packets associated with low fidelity packet filtering threat intelligence data; and
      
      assigning a high packet threat level to packets associated with high fidelity packet filtering threat intelligence data.
  - 8. The method of claim 4, further comprising configuring the gateway, based on threat metadata associated with the determined high packet threat level, with high-fidelity packet filtering rules generated bases on the threat metadata associated with the determined high packet threat level.
  - 9. The method of claim 1, further comprising determining, by a broker and based on threat metadata associated with at least the first portion of the plurality of packets, one of a plurality of threat analysis devices to process the first portion of the plurality of packets.
  - 10. The method of claim 1, further comprising:
    - generating a log of the first portion of the plurality of packets and the threat metadata associated with the first portion of the plurality of packets; and
      
      transmitting the log to a system administrator.
  - 11. The method of claim 1, further comprising:
    - updating a log based on threat metadata generated by the at least one threat analysis device, wherein the updated log comprises both threat metadata generated by the gateway and the threat metadata generated by the at least one threat analysis device.
  - 12. The method of claim 1, wherein the determining, by the at least one threat analysis device, based on the packet data, and based on the threat metadata associated with the packet data, at least one protection action for at least the second portion of the plurality of packets comprises:
    - determining, based on the threat metadata generated by the gateway and based on threat metadata generated by the at least one threat analysis device, the at least one protection action for at least the second portion of the plurality of packets.
  - 13. The method of claim 1, wherein the processing, based on the determined at least one protection action, of the second portion of the plurality of packets comprises:
    - determining, based on threat metadata generated by the gateway and based on threat metadata generated by the at least one threat analysis device, at least one of active protective processing, proactive protective processing, and reactive protective processing, for at least one determined threat packet,wherein active protective processing comprises reconfiguring the gateway to block packets associated with a same packet flow as the at least one determined threat packet,wherein proactive protective processing comprises extracting threat intelligence data from the at least one determined threat packet and reconfiguring the gateway based on the extracted threat intelligence data from the at least one determined threat packet, andwherein reactive protective processing comprises transmitting, to a management device, metadata associated with the at least one determined threat packet.
  - 14. The method of claim 1, further comprising:
    - transmitting, to a system administrator, log files including metadata related to at least one threat;
      
      receiving, from the system administrator, updated rule information; and
      
      updating, based on the updated rule information received from the system administrator, at least one of the plurality of packet filtering rules of the gateway.
  - 15. The method of claim 1, further comprising determining, based on the threat metadata associated with at least a first portion of the plurality of packets, one of a plurality of threat analysis devices to be used to further process the first portion of the plurality of packets.
  - 16. The method of claim 1, wherein the at least one threat analysis device comprises at least two of a network intrusion detection device, a network intrusion protection device, a network signature detection device, a monitoring device, a sandbox analysis device, and a malware analysis device.
  - 17. The method of claim 1, wherein the processing, based on the determined at least one protection action, the second portion of the plurality of packets comprises at least one of:
    - blocking further communications associated with the second portion of the plurality of packets;
      
      extracting threat intelligence data from the second portion of the plurality of packets and generating rules based on the extracted threat intelligence data;
      
      quarantining an infected host device associated with the second portion of the plurality of packets; and
      
      forwarding logs associated with the second portion of the plurality of packets to a management device.

18. A network security system comprising:
- a gateway, comprising at least one processor and memory, configured to filter a plurality of packets received by the network security system, wherein the gateway is configured to filter the plurality of packets based on a plurality of packet filtering rules, wherein the filtering comprises forwarding a first portion of the plurality of packets to their intended destinations, wherein the gateway is further configured to generate, based on the plurality of packet filtering rules, threat metadata associated with at least a second portion of the plurality of packets;
  
  a plurality of threat analysis devices, each comprising at least one processor and memory, configured to receive the second portion of the plurality of packets, associated threat metadata generated by the gateway, and configuration signals to configure each threat analysis device to perform a particular analysis method, wherein the plurality of threat analysis devices perform at least two different types of threat analysis processes based on the received configuration signals, and each packet of the second portion of the plurality of packets is assigned to one of the plurality of threat analysis devices; and
  
  a processing device, comprising at least one processor and memory, configured to process a third portion of the plurality of packets received from the plurality of threat analysis devices based on threat metadata generated by the gateway and threat metadata generated by at least one of the plurality of threat analysis devices.
- View Dependent Claims (19, 20)
- - 19. The network security system of claim 18, further comprising:
    - a broker, comprising at least one processor and memory, communicably coupled to receive metadata associated with at least a second portion of the plurality of packets from the gateway and configured to determine one of a plurality of threat analysis devices.
  - 20. The network security system of claim 18, further comprising:
    - a security management interface configured to transmit, to a system administrator, log files including metadata related to at least one threat, configured to receive, from the system administrator, updated rule information, and configured to transmit, based on the updated rule information received from the from the system administrator, the updated rule information to the gateway.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Centripetal Networks, Inc.
Original Assignee
Centripetal Networks, Inc.
Inventors
Moore, Sean, Parnell, Jess, Rogers, Jonathan R.
Primary Examiner(s)
Dinh, Minh

Application Number

US16/030,374
Time in Patent Office

351 Days
Field of Search
US Class Current
CPC Class Codes

H04L 43/028   by filtering

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

H04L 69/16   Implementation or adaptatio...

Methods and systems for efficient network protection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for efficient network protection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links