Rule-based network-threat detection
First Claim
1. A method comprising:
receiving, by a packet filtering device, a plurality of packet filtering rules configured to cause the packet filtering device to identify packets corresponding to at least one of a plurality of network-threat indicators, wherein the plurality of network-threat indicators are associated with network-threat-intelligence reports supplied by one or more independent network-threat-intelligence providers;
receiving, by the packet filtering device, a plurality of packets that comprises a first packet and a second packet;
responsive to a determination by the packet filtering device that the first packet satisfies a first packet filtering rule, of the plurality of packet filtering rules, based on one or more network-threat indicators, of the plurality of network-threat indicators, specified by the first packet filtering rule;
applying, by the packet filtering device and to the first packet, an operator specified by the first packet filtering rule and configured to cause the packet filtering device to allow the first packet to continue toward a destination of the first packet; and
communicating, by the packet filtering device, information that identifies the one or more network-threat indicators and data indicative that the first packet was allowed to continue toward the destination of the first packet;
receiving, by the packet filtering device, an update to at least one packet filtering rule;
modifying, by the packet filtering device and based on the received update to the at least one packet filtering rule, at least one operator specified by the first packet filtering rule to reconfigure the packet filtering device to prevent packets corresponding to the one or more network-threat indicators from continuing toward their respective destinations; and
responsive to a determination by the packet filtering device that the second packet satisfies the first packet filtering rule;
preventing, by the packet filtering device and based on the modified at least one operator specified by the first packet filtering rule, the second packet from continuing toward a destination of the second packet; and
communicating, by the packet filtering device, data indicative that the second packet was prevented from continuing toward the destination of the second packet.
Abstract
A packet-filtering device may receive packet-filtering rules configured to cause the packet-filtering device to identify packets corresponding to network-threat indicators. The packet-filtering device may receive packets and, for each packet, may determine that the packet corresponds to criteria specified by a packet-filtering rule. The criteria may correspond to one or more of the network-threat indicators. The packet-filtering device may apply an operator specified by the packet-filtering rule. The operator may be configured to cause the packet-filtering device to either prevent the packet from continuing toward its destination or allow the packet to continue toward its destination. The packet-filtering device may generate a log entry comprising information from the packet-filtering rule that identifies the one or more network-threat indicators and indicating whether the packet-filtering device prevented the packet from continuing toward its destination or allowed the packet to continue toward its destination.
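The following is an added illustration, not code from the patent or its assignee, of the mechanism the abstract and claim 1 describe: rules are built from indicators that each carry their threat-intelligence provider and report, every rule specifies an ALLOW or BLOCK operator, each matching packet produces a log entry naming the matched indicators and the action taken, and a rule update can flip the operator so that a later packet matching the same rule is blocked. All indicator values, provider names, report identifiers and addresses below are constructed placeholders (documentation ranges and an `.example` domain), and the class and function names are this example's own.

```python
"""Rule-based packet filtering driven by threat-intelligence indicators.

Added example: rules, ALLOW/BLOCK operators, per-match logging, and
an in-place rule update that turns monitoring into blocking.
"""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


class Operator(Enum):
    ALLOW = "allow"   # packet continues toward its destination (monitor mode)
    BLOCK = "block"   # packet is dropped


@dataclass(frozen=True)
class Indicator:
    """A network-threat indicator plus the provider and report it came from."""
    kind: str          # "ip", "cidr" or "domain"
    value: str
    provider: str      # independent threat-intelligence provider (placeholder)
    report_id: str     # report identifier (constructed placeholder)


@dataclass
class Rule:
    rule_id: str
    indicators: Set[Indicator]
    operator: Operator


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    sni: Optional[str] = None   # server name from a TLS ClientHello, if seen


@dataclass
class LogEntry:
    rule_id: str
    indicators: List[str]   # "kind:value@provider/report" per matched indicator
    action: Operator
    packet: Packet


class PacketFilter:
    def __init__(self, rules: List[Rule]):
        self.rules: Dict[str, Rule] = {r.rule_id: r for r in rules}
        self.log: List[LogEntry] = []

    @staticmethod
    def _matches(ind: Indicator, pkt: Packet) -> bool:
        if ind.kind == "ip":
            return ind.value in (pkt.src_ip, pkt.dst_ip)
        if ind.kind == "cidr":
            net = ip_network(ind.value)
            return ip_address(pkt.src_ip) in net or ip_address(pkt.dst_ip) in net
        if ind.kind == "domain":
            return pkt.sni is not None and (
                pkt.sni == ind.value or pkt.sni.endswith("." + ind.value))
        return False

    def process(self, pkt: Packet) -> Operator:
        """Apply the first rule whose indicators the packet satisfies and log it.

        Packets matching no rule pass through unlogged (default allow)."""
        for rule in self.rules.values():
            hits = sorted((i for i in rule.indicators if self._matches(i, pkt)),
                          key=lambda i: (i.kind, i.value))
            if hits:
                self.log.append(LogEntry(
                    rule_id=rule.rule_id,
                    indicators=[f"{i.kind}:{i.value}@{i.provider}/{i.report_id}"
                                for i in hits],
                    action=rule.operator,
                    packet=pkt,
                ))
                return rule.operator
        return Operator.ALLOW

    def update_operator(self, rule_id: str, operator: Operator) -> None:
        """Rule update: reconfigure the operator of an existing rule in place."""
        self.rules[rule_id].operator = operator


def run_claim_scenario() -> List[LogEntry]:
    """Constructed walk-through of the two-packet sequence in claim 1."""
    ioc_ip = Indicator("ip", "203.0.113.45", "providerA", "RPT-0001")
    ioc_domain = Indicator("domain", "bad.example", "providerB", "RPT-0002")
    pf = PacketFilter([Rule("R1", {ioc_ip, ioc_domain}, Operator.ALLOW)])

    first = Packet("10.0.0.7", "203.0.113.45", 443, sni="bad.example")
    pf.process(first)                       # allowed; logged with both indicators
    pf.update_operator("R1", Operator.BLOCK)  # the rule update from claim 1
    second = Packet("10.0.0.8", "203.0.113.45", 443)
    pf.process(second)                      # same rule, now blocked; logged
    return pf.log


if __name__ == "__main__":
    for entry in run_claim_scenario():
        print(entry.rule_id, entry.action.value, entry.indicators)
```

Running the module prints one log line per matched packet; the first shows `allow` with both indicators, the second `block` with only the IP indicator, which is the audit trail the abstract describes. Keeping the indicator's provider and report identifier in the log entry is what lets an analyst trace a block or an allow back to the intelligence that caused it.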
21 Claims
1. A method comprising: (independent claim, reproduced in full under First Claim above; dependent claims: 2, 3, 4, 5, 6, 7)
8. A packet filtering device comprising:
at least one processor; and
memory comprising instructions that, when executed by the at least one processor, cause the packet filtering device to:
receive a plurality of packet filtering rules configured to cause the packet filtering device to identify packets corresponding to at least one of a plurality of network-threat indicators, wherein the plurality of network-threat indicators are associated with network-threat-intelligence reports supplied by one or more independent network-threat-intelligence providers;
receive a plurality of packets that comprises a first packet and a second packet;
responsive to a determination that the first packet satisfies a first packet filtering rule, of the plurality of packet filtering rules, based on one or more network-threat indicators, of the plurality of network-threat indicators, specified by the first packet filtering rule;
apply, to the first packet, an operator specified by the first packet filtering rule and configured to cause the packet filtering device to allow the first packet to continue toward a destination of the first packet; and
communicate information that identifies the one or more network-threat indicators and data indicative that the first packet was allowed to continue toward the destination of the first packet;
receive an update to at least one packet filtering rule;
modify, based on the received update to the at least one packet filtering rule, at least one operator specified by the first packet filtering rule to reconfigure the packet filtering device to prevent packets corresponding to the one or more network-threat indicators from continuing toward their respective destinations; and
responsive to a determination that the second packet satisfies the first packet filtering rule;
based on the modified at least one operator specified by the first packet filtering rule, prevent the second packet from continuing toward a destination of the second packet; and
communicate data indicative that the second packet was prevented from continuing toward the destination of the second packet.
(Dependent claims: 9, 10, 11, 12, 13, 14)
15. One or more non-transitory computer-readable media comprising instructions that, when executed by one or more processors of a packet filtering device, cause the packet filtering device to:
receive a plurality of packet filtering rules configured to cause the packet filtering device to identify packets corresponding to at least one of a plurality of network-threat indicators, wherein the plurality of network-threat indicators are associated with network-threat-intelligence reports supplied by one or more independent network-threat-intelligence providers;
receive a plurality of packets that comprises a first packet and a second packet;
responsive to a determination that the first packet satisfies a first packet filtering rule, of the plurality of packet filtering rules, based on one or more network-threat indicators, of the plurality of network-threat indicators, specified by the first packet filtering rule;
apply, to the first packet, an operator specified by the first packet filtering rule and configured to cause the packet filtering device to allow the first packet to continue toward a destination of the first packet; and
communicate information that identifies the one or more network-threat indicators and data indicative that the first packet was allowed to continue toward the destination of the first packet;
receive an update to at least one packet filtering rule;
modify, based on the received update to the at least one packet filtering rule, at least one operator specified by the first packet filtering rule to reconfigure the packet filtering device to prevent packets corresponding to the one or more network-threat indicators from continuing toward their respective destinations; and
responsive to a determination that the second packet satisfies the first packet filtering rule;
based on the modified at least one operator specified by the first packet filtering rule, prevent the second packet from continuing toward a destination of the second packet; and
communicate data indicative that the second packet was prevented from continuing toward the destination of the second packet.
(Dependent claims: 16, 17, 18, 19, 20, 21)