
Recursive multi-layer examination for computer network security remediation

  • US 10,382,467 B2
  • Filed: 04/21/2017
  • Issued: 08/13/2019
  • Est. Priority Date: 01/29/2016
  • Status: Active Grant
First Claim

1. A computer-implemented method for recursive multi-layer examination for computer network security remediation comprising:

  • identifying one or more first communications originating from or directed to a first node;
  • identifying at least one of a protocol and an application used for each of the one or more first communications;
  • examining each of the one or more first communications for malicious behavior using a respective first scanlet of one or more scanlets, the respective first scanlet associated with the at least one of the protocol and the application used for the each of the one or more first communications;
  • receiving a first risk score from the respective first scanlet for each of the one or more first communications responsive to the examining of the each of the one or more first communications;
  • determining the first risk score associated with one of the one or more first communications exceeds a first predetermined threshold;
  • indicating the first node and a second node in communication with the first node via the one or more first communications are malicious;
  • identifying one or more second communications originating from or directed to the second node;
  • identifying at least one of a protocol and an application used for each of the one or more second communications;
  • examining each of the one or more second communications for malicious behavior using a respective second scanlet of the one or more scanlets, the respective second scanlet associated with the at least one of the protocol and the application used for the each of the one or more second communications;
  • receiving a second risk score from the respective second scanlet for each of the one or more second communications responsive to the examining of the each of the one or more second communications;
  • determining the second risk score associated with one of the one or more second communications exceeds the first predetermined threshold;
  • indicating a third node in communication with the second node via the one of the one or more second communications is malicious;
  • providing the indicated malicious nodes and communications originating from or directed to the indicated malicious nodes, such that progress of a security breach or intrusion through the indicated malicious nodes and communications is indicated;
  • remediating the security breach;
  • assigning a node risk score to an additional second node in which additional second risk scores, for additional second communications originating from or directed to the additional second node, do not exceed the first predetermined threshold, the node risk score being an average of the additional second risk scores; and
  • determining the node risk score exceeds a second predetermined threshold and indicating the additional second node is malicious.
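The claim above describes an algorithm. As an added illustration (not code from the patent or its assignee), the following Python walks a constructed set of communications with hypothetical keyword scanlets: it recurses from node to node whenever a communication's risk score exceeds the first threshold, and then applies the average-score second threshold to peers of flagged nodes whose own communications all stay below the first threshold. Node names, protocols, payload strings, scanlet heuristics and threshold values are all assumptions made for this example.

```python
from statistics import mean

# Constructed sample traffic: (source, destination, protocol, payload summary).
# Hosts, protocols and payloads are illustrative only.
COMMS = [
    ("ws1", "fileserver", "smb", "read /share/report.docx"),
    ("ws1", "ext-host", "http", "POST /gate.php beacon"),
    ("ext-host", "ws2", "http", "GET /update.exe"),
    ("ws2", "dc1", "ldap", "bind cn=admin"),
    ("ws2", "ws3", "smb", "write ADMIN$/svc.exe"),
    ("ws3", "dc1", "ldap", "search users"),
    ("ws3", "printer", "ipp", "print job"),
]

# Hypothetical scanlets: one scoring function per protocol returning a risk in [0, 1].
# Real scanlets would be protocol-aware parsers; these are keyword heuristics.
SCANLETS = {
    "http": lambda p: 0.9 if "beacon" in p or ".exe" in p else 0.1,
    "smb":  lambda p: 0.8 if "ADMIN$" in p else 0.3,
    "ldap": lambda p: 0.6 if "admin" in p else 0.3,
    "ipp":  lambda p: 0.0,
}

def comms_for(node):
    """All communications originating from or directed to `node`."""
    return [c for c in COMMS if node in (c[0], c[1])]

def examine(start, t1=0.7, t2=0.4):
    """Recursive multi-layer examination starting at `start`.
    Returns (sorted malicious nodes, communications that exceeded t1)."""
    malicious, flagged, visited, scores = set(), [], set(), {}

    def score(c):  # each communication is scored once by its protocol's scanlet
        if c not in scores:
            scores[c] = SCANLETS.get(c[2], lambda p: 0.0)(c[3])
        return scores[c]

    def walk(node):
        visited.add(node)
        for c in comms_for(node):
            peer = c[1] if c[0] == node else c[0]
            if score(c) > t1:  # first threshold: flag both ends, recurse into the peer
                malicious.update((node, peer))
                if c not in flagged:
                    flagged.append(c)
                if peer not in visited:
                    walk(peer)
    walk(start)

    # Second threshold: a peer of a flagged node whose communications all stay
    # at or below t1 is still indicated malicious if their average exceeds t2.
    for node in list(malicious):
        for c in comms_for(node):
            peer = c[1] if c[0] == node else c[0]
            peer_scores = [score(x) for x in comms_for(peer)]
            if peer not in malicious and max(peer_scores) <= t1 and mean(peer_scores) > t2:
                malicious.add(peer)
    return sorted(malicious), flagged
```

In the constructed data, dc1 is never party to a communication above the first threshold but is still indicated because its two LDAP exchanges average above the second threshold; the returned nodes and flagged communications are what the claim's "providing" step would hand to remediation.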
