Recursive multi-layer examination for computer network security remediation

US 10,382,467 B2
Filed: 04/21/2017
Issued: 08/13/2019
Est. Priority Date: 01/29/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for recursive multi-layer examination for computer network security remediation comprising:

identifying one or more first communications originating from or directed to a first node;

identifying at least one of a protocol and an application used for each of the one or more first communications;

examining each of the one or more first communications for malicious behavior using a respective first scanlet of one or more scanlets, the respective first scanlet associated with the at least one of the protocol and the application used for the each of the one or more first communications;

receiving a first risk score from the respective first scanlet for each of the one or more first communications responsive to the examining of the each of the one or more first communications;

determining the first risk score associated with one of the one or more first communications exceeds a first predetermined threshold;

indicating the first node and a second node in communication with the first node via the one or more first communications are malicious;

identifying one or more second communications originating from or directed to the second node;

identifying at least one of a protocol and an application used for each of the one or more second communications;

examining each of the one or more second communications for malicious behavior using a respective second scanlet of the one or more scanlets, the respective second scanlet associated with the at least one of the protocol and the application used for the each of the one or more second communications;

receiving a second risk score from the respective second scanlet for each of the one or more second communications responsive to the examining of the each of the one or more second communications;

determining the second risk score associated with one of the one or more second communications exceeds the first predetermined threshold;

indicating a third node in communication with the second node via the one of the one or more second communications is malicious;

providing the indicated malicious nodes and communications originating from or directed to the indicated malicious nodes, such that progress of a security breach or intrusion through the indicated malicious nodes and communications is indicated;

remediating the security breach;

assigning a node risk score to an additional second node in which additional second risk scores, for additional second communications originating from or directed to the additional second node, do not exceed the first predetermined threshold, the node risk score being an average of the additional second risk scores; and

determining the node risk score exceeds a second predetermined threshold and indicating the additional second node is malicious.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer-implemented methods and apparatuses for recursive multi-layer examination for computer network security remediation may include: identifying one or more first communications originating from or directed to a first node; identifying at least one of a protocol and an application used for each of the one or more first communications; examining each of the one or more first communications for malicious behavior; receiving a first risk score for each of the one or more first communications responsive to the examining; determining the first risk score associated with one of the one or more first communications exceeds a first predetermined threshold; and indicating the first node and a second node in communication with the first node via the one of the one or more first communications are malicious. Exemplary methods may further include: providing the identified malicious nodes and communications originating from or directed to the malicious nodes.

Citations

18 Claims

1. A computer-implemented method for recursive multi-layer examination for computer network security remediation comprising:
- identifying one or more first communications originating from or directed to a first node;
  
  identifying at least one of a protocol and an application used for each of the one or more first communications;
  
  examining each of the one or more first communications for malicious behavior using a respective first scanlet of one or more scanlets, the respective first scanlet associated with the at least one of the protocol and the application used for the each of the one or more first communications;
  
  receiving a first risk score from the respective first scanlet for each of the one or more first communications responsive to the examining of the each of the one or more first communications;
  
  determining the first risk score associated with one of the one or more first communications exceeds a first predetermined threshold;
  
  indicating the first node and a second node in communication with the first node via the one or more first communications are malicious;
  
  identifying one or more second communications originating from or directed to the second node;
  
  identifying at least one of a protocol and an application used for each of the one or more second communications;
  
  examining each of the one or more second communications for malicious behavior using a respective second scanlet of the one or more scanlets, the respective second scanlet associated with the at least one of the protocol and the application used for the each of the one or more second communications;
  
  receiving a second risk score from the respective second scanlet for each of the one or more second communications responsive to the examining of the each of the one or more second communications;
  
  determining the second risk score associated with one of the one or more second communications exceeds the first predetermined threshold;
  
  indicating a third node in communication with the second node via the one of the one or more second communications is malicious;
  
  providing the indicated malicious nodes and communications originating from or directed to the indicated malicious nodes, such that progress of a security breach or intrusion through the indicated malicious nodes and communications is indicated;
  
  remediating the security breach;
  
  assigning a node risk score to an additional second node in which additional second risk scores, for additional second communications originating from or directed to the additional second node, do not exceed the first predetermined threshold, the node risk score being an average of the additional second risk scores; and
  
  determining the node risk score exceeds a second predetermined threshold and indicating the additional second node is malicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - identifying one or more third communications originating from or directed to the third node;
      
      identifying at least one of a protocol and an application used for each of the one or more third communications;
      
      examining each of the one or more third communications for malicious behavior using a respective third scanlet of the one or more scanlets, the respective third scanlet associated with the at least one of the protocol and the application used for the each of the one or more third communications;
      
      receiving a third risk score from the respective third scanlet for each of the one or more third communications responsive to the examining of the each of the one or more third communications;
      
      determining the third risk score associated with one of the one or more third communications exceeds the first predetermined threshold; and
      
      indicating a fourth node in communication with the third node via the one of the one or more third communications is malicious.
  - 3. The method of claim 2, wherein another one of the one or more third communications is not examined if the another one of the one or more third communications is the same as one of the one or more first or second communications.
  - 4. The method of claim 1, wherein each of the first and second nodes is at least one of a physical host, virtual machine, container, client system, and other computing system on a communications network.
  - 5. The method of claim 1, wherein the identifying of the one or more first communications uses first metadata retrieved from the first node using a first identifier, and wherein the identifying of the one or more second communications uses second metadata retrieved from the second node using a second identifier.
  - 6. The method of claim 5, wherein each of the first and second metadata includes information logged by an enforcement point.
  - 7. The method of claim 5, wherein each of the first and second metadata comprises at least one of a source (IP) address and/or hostname, source port, destination (IP) address and/or hostname, destination port, protocol, application, username and/or other credentials used to gain access to computing resources on a network, and number of bytes in a communication.
  - 8. The method of claim 1, wherein each of the one or more scanlets detects malicious activity in network communications using at least one of a particular protocol and a particular application.
  - 9. The method of claim 1, wherein each of the first and second risk scores and the first predetermined threshold is a number within a predetermined range of numbers.

10. An analytic engine comprising:
- a processor; and
  
  a memory coupled to the processor, the memory storing instructions executable by the processor to perform the following operations for recursive multi-layer examination for computer network security remediation;
  
  identifying one or more first communications originating from or directed to a first node;
  
  identifying at least one of a protocol and an application used for each of the one or more first communications;
  
  examining each of the one or more first communications for malicious behavior using a respective first scanlet of one or more scanlets, the respective first scanlet associated with the at least one of the protocol and the application used for the each of the one or more first communications;
  
  receiving a first risk score from the respective first scanlet for each of the one or more first communications responsive to the examining of the each of the one or more first communications;
  
  determining the first risk score associated with one of the one or more first communications exceeds a first predetermined threshold;
  
  indicating the first node and a second node in communication with the first node via the one of the one or more first communications are malicious;
  
  identifying one or more second communications originating from or directed to the second node;
  
  identifying at least one of a protocol and an application used for each of the one or more second communications;
  
  examining each of the one or more second communications for malicious behavior using a respective second scanlet of the one or more scanlets, the respective second scanlet associated with the at least one of the protocol and the application used for the each of the one or more second communications;
  
  receiving a second risk score from the respective second scanlet for each of the one or more second communications responsive to the examining of the each of the one or more second communications;
  
  determining the second risk score associated with one of the one or more second communications exceeds the first predetermined threshold;
  
  indicating a third node in communication with the second node via the one of the one or more second communications is malicious;
  
  providing the indicated malicious nodes and communications originating from or directed to the indicated malicious nodes, such that progress of a security breach or intrusion through the indicated malicious nodes and the communications is indicated;
  
  remediating the security breach;
  
  assigning a node risk score to an additional second node in which additional second risk scores, for additional second communications originating from or directed to the additional second node, do not exceed the first predetermined threshold, the node risk score being an average of the additional second risk scores; and
  
  determining the node risk score exceeds a second predetermined threshold andindicating the additional second node is malicious.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The analytic engine of claim 10, wherein the memory stores further instructions executable by the processor to perform the following operations:
    - identifying one or more third communications originating from or directed to the third node;
      
      identifying at least one of a protocol and an application used for each of the one or more third communications;
      
      examining the each of the one or more third communications for malicious behavior using a respective third scanlet of the one or more scanlets, the respective third scanlet associated with the at least one of the protocol and the application used for the each of the one or more third communications;
      
      receiving a third risk score for the each of the one or more third communications responsive to the examining of the each of the one or more third communications;
      
      determining the third risk score associated with one of the one or more third communications exceeds the first predetermined threshold; and
      
      indicating a fourth node in communication with the third node via the one or more third communications is malicious.
  - 12. The analytic engine of claim 11, wherein another one of the one or more third communications is not examined if the another one of the one or more third communications is the same as one of the one or more first or second communications.
  - 13. The analytic engine of claim 10, wherein each of the first and second nodes is at least one of a physical host, virtual machine, container, client system, and other computing system on a communications network.
  - 14. The analytic engine of claim 10, wherein the identifying of the one or more first communications uses first metadata retrieved from the first node using a first identifier, and wherein the identifying of the one or more second communications uses second metadata retrieved from the second node using a second identifier.
  - 15. The analytic engine of claim 14, wherein each of the first and second metadata includes information logged by an enforcement point.
  - 16. The analytic engine of claim 14, wherein each of the first and second metadata comprises at least one of a source (IP) address and/or hostname, source port, destination (IP) address and/or hostname, destination port, protocol, application, username and/or other credentials used to gain access to computing resources on a network, and number of bytes in a communication.
  - 17. The analytic engine of claim 10, wherein each of the first and second risk scores and the first predetermined threshold is a number within a predetermined range of numbers.

18. A computer-implemented method for recursive multi-layer examination for computer network security remediation comprising:
- retrieving first metadata using a first identifier associated with a first node, the first metadata comprising at least one of a source (IP) address and/or hostname, source port, destination (IP) address and/or hostname, destination port, protocol, application, username and/or other credentials used to gain access to computing resources on a network, and number of bytes in a communication;
  
  identifying one or more first communications originating from or directed to the first node using the first metadata;
  
  ascertaining a first characteristic of each of the one or more first communications using the first metadata;
  
  selecting a respective first scanlet of a plurality of scanlets, the respective first scanlet using the first characteristic of a respective first communication of the one or more first communications;
  
  applying the respective first scanlet to the respective first communication;
  
  receiving a first risk score for each of the one or more first communications responsive to the applying of the respective first scanlet;
  
  determining the first risk score associated with one of the one or more first communications exceeds a first predetermined threshold;
  
  indicating the first node and a second node in communication with the first node via the one of the one or more first communications are malicious;
  
  retrieving second metadata using a second identifier associated with the second node, the second metadata comprising at least one of a source (IP) address and/or hostname, source port, destination (IP) address and/or hostname, destination port, protocol, application, username and/or other credentials used to gain access to computing resources on a network, and number of bytes in a communication;
  
  identifying one or more second communications originating from or directed to the second node using the second metadata;
  
  ascertaining a second characteristic of each of the one or more second communications using the second metadata;
  
  selecting a respective second scanlet of the plurality of scanlets, the respective second scanlet using the second characteristic of a respective second communication of the one or more second communications;
  
  applying the respective second scanlet to the respective second communication;
  
  receiving a second risk score for each of the one or more second communications responsive to the applying of the respective second scanlet;
  
  determining the second risk score associated with one of the one or more second communications exceeds the first predetermined threshold;
  
  indicating a third node in communication with the second node via the one of the one or more second communications is malicious;
  
  providing the indicated malicious nodes and communications originating from or directed to the indicated malicious nodes, such that progress of a security breach or intrusion through the indicated malicious nodes and communications is indicated;
  
  remediating the security breach;
  
  assigning a node risk score to an additional second node in which additional second risk scores, for additional second communications originating from or directed to the additional second node, do not exceed the first predetermined threshold, the node risk score being an average of the additional second risk scores; and
  
  determining the node risk score exceeds a second predetermined threshold and indicating the additional second node is malicious.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
vArmour Networks Inc
Original Assignee
vArmour Networks Inc
Inventors
Wager, Ryan, Yarochkin, Fyodor, Dahlgren, Zach
Primary Examiner(s)
Nguyen, Trong H

Application Number

US15/494,181
Publication Number

US 20170223038A1
Time in Patent Office

844 Days
Field of Search

726 22- 25
US Class Current
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Recursive multi-layer examination for computer network security remediation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Recursive multi-layer examination for computer network security remediation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links