Rule-based network-threat detection

DC CAFC

US 10,542,028 B2
Filed: 08/28/2019
Issued: 01/21/2020
Est. Priority Date: 04/17/2015
Status: Active Grant

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method comprising:

receiving, by a packet filtering device, a plurality of packet filtering rules configured to cause the packet filtering device to identify packets corresponding to at least one of a plurality of network-threat indicators, wherein the plurality of network-threat indicators are associated with network-threat-intelligence reports supplied by one or more independent network-threat-intelligence providers;

receiving, by the packet filtering device, a plurality of packets that comprises a first packet and a second packet;

responsive to a determination by the packet filtering device that the first packet satisfies a first packet filtering rule, of the plurality of packet filtering rules, based on one or more network-threat indicators, of the plurality of network-threat indicators, specified by the first packet filtering rule;

applying, by the packet filtering device and to the first packet, an operator specified by the first packet filtering rule and configured to cause the packet filtering device to allow the first packet to continue toward a destination of the first packet; and

communicating, by the packet filtering device, information that identifies the one or more network-threat indicators and data indicative that the first packet was allowed to continue toward the destination of the first packet;

receiving, by the packet filtering device, an update to at least one packet filtering rule;

modifying, by the packet filtering device and based on the received update to the at least one packet filtering rule, at least one operator specified by the first packet filtering rule to reconfigure the packet filtering device to prevent packets corresponding to the one or more network-threat indicators from continuing toward their respective destinations; and

responsive to a determination by the packet filtering device that the second packet satisfies the first packet filtering rule;

preventing, by the packet filtering device and based on the modified at least one operator specified by the first packet filtering rule, the second packet from continuing toward a destination of the second packet; and

communicating, by the packet filtering device, data indicative that the second packet was prevented from continuing toward the destination of the second packet.

View all claims

2 Assignments

Timeline View

Assignment View

Litigations

1 Petition

Accused Products

Abstract

A packet-filtering device may receive packet-filtering rules configured to cause the packet-filtering device to identify packets corresponding to network-threat indicators. The packet-filtering device may receive packets and, for each packet, may determine that the packet corresponds to criteria specified by a packet-filtering rule. The criteria may correspond to one or more of the network-threat indicators. The packet-filtering device may apply an operator specified by the packet-filtering rule. The operator may be configured to cause the packet-filtering device to either prevent the packet from continuing toward its destination or allow the packet to continue toward its destination. The packet-filtering device may generate a log entry comprising information from the packet-filtering rule that identifies the one or more network-threat indicators and indicating whether the packet-filtering device prevented the packet from continuing toward its destination or allowed the packet to continue toward its destination.

270 Citations

21 Claims

1. A method comprising:
- receiving, by a packet filtering device, a plurality of packet filtering rules configured to cause the packet filtering device to identify packets corresponding to at least one of a plurality of network-threat indicators, wherein the plurality of network-threat indicators are associated with network-threat-intelligence reports supplied by one or more independent network-threat-intelligence providers;
  
  receiving, by the packet filtering device, a plurality of packets that comprises a first packet and a second packet;
  
  responsive to a determination by the packet filtering device that the first packet satisfies a first packet filtering rule, of the plurality of packet filtering rules, based on one or more network-threat indicators, of the plurality of network-threat indicators, specified by the first packet filtering rule;
  
  applying, by the packet filtering device and to the first packet, an operator specified by the first packet filtering rule and configured to cause the packet filtering device to allow the first packet to continue toward a destination of the first packet; and
  
  communicating, by the packet filtering device, information that identifies the one or more network-threat indicators and data indicative that the first packet was allowed to continue toward the destination of the first packet;
  
  receiving, by the packet filtering device, an update to at least one packet filtering rule;
  
  modifying, by the packet filtering device and based on the received update to the at least one packet filtering rule, at least one operator specified by the first packet filtering rule to reconfigure the packet filtering device to prevent packets corresponding to the one or more network-threat indicators from continuing toward their respective destinations; and
  
  responsive to a determination by the packet filtering device that the second packet satisfies the first packet filtering rule;
  
  preventing, by the packet filtering device and based on the modified at least one operator specified by the first packet filtering rule, the second packet from continuing toward a destination of the second packet; and
  
  communicating, by the packet filtering device, data indicative that the second packet was prevented from continuing toward the destination of the second packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - causing, by the packet filtering device and in a user interface, display of data indicative that the first packet was allowed to continue toward the destination of the first packet; and
      
      causing, by the packet filtering device and in the user interface, display of second data indicative that the second packet was prevented from continuing toward the destination of the second packet.
  - 3. The method of claim 1, further comprising:
    - generating, by the packet filtering device and responsive to the determination by the packet filtering device that the first packet satisfies the first packet filtering rule, a packet log entry comprising a first threat identifier corresponding to the first packet and data indicating that the packet filtering device allowed the first packet to continue toward the destination of the first packet.
  - 4. The method of claim 3, further comprising:
    - updating, by the packet filtering device and responsive to the determination by the packet filtering device that the first packet satisfies the first packet filtering rule, a packet flow entry corresponding to the generated packet log entry,wherein the packet flow entry consolidates a plurality of packet log entries commonly corresponding to the first threat identifier.
  - 5. The method of claim 1, wherein each of the plurality of network-threat indicators corresponds to a respective network threat of a plurality of network threats, the method further comprising:
    - for each packet of the plurality of packets and responsive to a determination by the packet filtering device that a packet satisfies a packet filtering rule;
      
      generating, by the packet filtering device, a packet log entry comprising information from the packet filtering rule, wherein the information identifies;
      
      the packet filtering rule, andwhether the packet filtering device prevented the packet from continuing toward a destination of the packet or allowed the packet to continue toward the destination of the packet; and
      
      updating, by the packet filtering device and based on the packet log entry, a packet flow log to indicate;
      
      the determination that the packet satisfies the packet filtering rule, andwhether the packet filtering device prevented the packet from continuing toward a destination of the packet or allowed the packet to continue toward the destination of the packet.
  - 6. The method of claim 5, further comprising:
    - determining, by the packet filtering device and based on data of the packet flow log, an ordering of the plurality of network threats; and
      
      communicating, by the packet filtering device, data indicative of the ordering of the plurality of network threats.
  - 7. The method of claim 6, wherein determining the ordering comprises, for each network threat of the plurality of network threats, at least one of:
    - determining a number of packets corresponding to the network threat that were allowed by the packet filtering device to continue toward their respective destinations;
      
      determining a number of packets corresponding to the network threat that were prevented by the packet filtering device from continuing toward their respective destinations;
      
      determining a time indicated by the data stored in the packet flow log at which the packet filtering device last identified a packet corresponding to the network threat;
      
      ordetermining a number of network-threat-intelligence reports corresponding to the network threat.

8. A packet filtering device comprising:
- at least one processor; and
  
  memory comprising instructions that, when executed by the at least one processor, cause the packet filtering device to;
  
  receive a plurality of packet filtering rules configured to cause the packet filtering device to identify packets corresponding to at least one of a plurality of network-threat indicators, wherein the plurality of network-threat indicators are associated with network-threat-intelligence reports supplied by one or more independent network-threat-intelligence providers;
  
  receive a plurality of packets that comprises a first packet and a second packet;
  
  responsive to a determination that the first packet satisfies a first packet filtering rule, of the plurality of packet filtering rules, based on one or more network-threat indicators, of the plurality of network-threat indicators, specified by the first packet filtering rule;
  
  apply, to the first packet, an operator specified by the first packet filtering rule and configured to cause the packet filtering device to allow the first packet to continue toward a destination of the first packet; and
  
  communicate information that identifies the one or more network-threat indicators and data indicative that the first packet was allowed to continue toward the destination of the first packet;
  
  receive an update to at least one packet filtering rule;
  
  modify, based on the received update to the at least one packet filtering rule, at least one operator specified by the first packet filtering rule to reconfigure the packet filtering device to prevent packets corresponding to the one or more network-threat indicators from continuing toward their respective destinations; and
  
  responsive to a determination that the second packet satisfies the first packet filtering rule;
  
  based on the modified at least one operator specified by the first packet filtering rule, prevent the second packet from continuing toward a destination of the second packet; and
  
  communicate data indicative that the second packet was prevented from continuing toward the destination of the second packet.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The packet filtering device of claim 8, wherein the memory stores instructions that, when executed by the at least one processor, further cause the packet filtering device to:
    - cause, in a user interface, display of data indicative that the first packet was allowed to continue toward the destination of the first packet; and
      
      cause, in the user interface, display of second data indicative that the second packet was prevented from continuing toward the destination of the second packet.
  - 10. The packet filtering device of claim 8, wherein the memory stores instructions that, when executed by the at least one processor, further cause the packet filtering device to:
    - generate, responsive to the determination that the first packet satisfies the first packet filtering rule, a packet log entry comprising a first threat identifier corresponding to the first packet and data indicating that the packet filtering device allowed the first packet to continue toward the destination of the first packet.
  - 11. The packet filtering device of claim 10, wherein the memory stores instructions that, when executed by the at least one processor, further cause the packet filtering device to:
    - update, responsive to the determination that the first packet satisfies the first packet filtering rule, a packet flow entry corresponding to the generated packet log entry,wherein the packet flow entry consolidates a plurality of packet log entries commonly corresponding to the first threat identifier.
  - 12. The packet filtering device of claim 8, wherein each of the plurality of network-threat indicators corresponds to a respective network threat of a plurality of network threats, wherein the memory stores instructions that, when executed by the at least one processor, further cause the packet filtering device to:
    - for each packet of the plurality of packets and responsive to a determination by the packet filtering device that a packet satisfies a packet filtering rule;
      
      generate a packet log entry comprising information from the packet filtering rule, wherein the information identifies;
      
      the packet filtering rule, andwhether the packet filtering device prevented the packet from continuing toward a destination of the packet or allowed the packet to continue toward the destination of the packet; and
      
      update, based on the packet log entry, a packet-flow log to indicate;
      
      the determination that the packet satisfies the packet filtering rule, andwhether the packet filtering device prevented the packet from continuing toward a destination of the packet or allowed the packet to continue toward the destination of the packet.
  - 13. The packet filtering device of claim 12, wherein the memory stores instructions that, when executed by the at least one processor, further cause the packet filtering device to:
    - determine, based on data of the packet flow log, an ordering of the plurality of network threats; and
      
      communicate data indicative of the ordering of the plurality of network threats.
  - 14. The packet filtering device of claim 13, wherein the memory stores instructions for determining the ordering that, when executed by the at least one processor, further cause the packet filtering device to, for each network threat of the plurality of network threats, at least one of:
    - determine a number of packets corresponding to the network threat that were allowed by the packet filtering device to continue toward their respective destinations;
      
      determine a number of packets corresponding to the network threat that were prevented by the packet filtering device from continuing toward their respective destinations;
      
      determine a time indicated by the data stored in the packet flow log at which the packet filtering device last identified a packet corresponding to the network threat;
      
      ordetermine a number of network-threat-intelligence reports corresponding to the network threat.

15. One or more non-transitory computer-readable media comprising instructions that, when executed by one or more processors of a packet filtering device, cause the packet filtering device to:
- receive a plurality of packet filtering rules configured to cause the packet filtering device to identify packets corresponding to at least one of a plurality of network-threat indicators, wherein the plurality of network-threat indicators are associated with network-threat-intelligence reports supplied by one or more independent network-threat-intelligence providers;
  
  receive a plurality of packets that comprises a first packet and a second packet;
  
  responsive to a determination that the first packet satisfies a first packet filtering rule, of the plurality of packet filtering rules, based on one or more network-threat indicators, of the plurality of network-threat indicators, specified by the first packet filtering rule;
  
  apply, to the first packet, an operator specified by the first packet filtering rule and configured to cause the packet filtering device to allow the first packet to continue toward a destination of the first packet; and
  
  communicate information that identifies the one or more network-threat indicators and data indicative that the first packet was allowed to continue toward the destination of the first packet;
  
  receive an update to at least on packet filtering rule;
  
  modify, based on the received update to the at least on packet filtering rule, at least one operator specified by the first packet filtering rule to reconfigure the packet filtering device to prevent packets corresponding to the one or more network-threat indicators from continuing toward their respective destinations; and
  
  responsive to a determination that the second packet satisfies the first packet filtering rule;
  
  based on the modified at least one operator specified by the first packet filtering rule, prevent the second packet from continuing toward a destination of the second packet; and
  
  communicate data indicative that the second packet was prevented from continuing toward the destination of the second packet.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The one or more non-transitory computer-readable media of claim 15, further comprising instructions that, when executed by the one or more processors of the packet filtering device, cause the packet filtering device to:
    - cause, in a user interface, display of data indicative that the first packet was allowed to continue toward the destination of the first packet; and
      
      cause, in the user interface, display of second data indicative that the second packet was prevented from continuing toward the destination of the second packet.
  - 17. The one or more non-transitory computer-readable media of claim 15, further comprising instructions that, when executed by the one or more processors of the packet filtering device, cause the packet filtering device to:
    - generate, responsive to the determination that the first packet satisfies the first packet filtering rule, a packet log entry comprising a first threat identifier corresponding to the first packet and data indicating that the packet filtering device allowed the first packet to continue toward the destination of the first packet.
  - 18. The one or more non-transitory computer-readable media of claim 17, further comprising instructions that, when executed by the one or more processors of the packet filtering device, cause the packet filtering device to:
    - update, responsive to the determination that the first packet satisfies the first packet filtering rule, a packet flow entry corresponding to the generated packet log entry,wherein the packet flow entry consolidates a plurality of packet log entries commonly corresponding to the first threat identifier.
  - 19. The one or more non-transitory computer-readable media of claim 15, wherein each of the plurality of network-threat indicators corresponds to a respective network threat of a plurality of network threats, further comprising instructions that, when executed by the one or more processors of the packet filtering device, cause the packet filtering device to:
    - for each packet of the plurality of packets and responsive to a determination that a packet satisfies a packet filtering rule;
      
      generate a packet log entry comprising information from the packet filtering rule, wherein the information identifies;
      
      the packet filtering rule, andwhether the packet filtering device prevented the packet from continuing toward a destination of the packet or allowed the packet to continue toward the destination of the packet; and
      
      update, based on the packet log entry, a packet flow log to indicate;
      
      the determination that the packet satisfies the packet filtering rule, andwhether the packet filtering device prevented the packet from continuing toward a destination of the packet or allowed the packet to continue toward the destination of the packet.
  - 20. The one or more non-transitory computer-readable media of claim 19, further comprising instructions that, when executed by the one or more processors of the packet filtering device, cause the packet filtering device to:
    - determine, based on data of the packet flow log, an ordering of the plurality of network threats; and
      
      communicate data indicative of the ordering of the plurality of network threats.
  - 21. The one or more non-transitory computer-readable media of claim 20, wherein the instructions that cause the packet filtering device to determine the ordering further comprise instructions that, when executed by the one or more processors of the packet filtering device, cause the packet filtering device to, for each network threat of the plurality of network threats, at least one of:
    - determine a number of packets corresponding to the network threat that were allowed by the packet filtering device to continue toward their respective destinations;
      
      determine a number of packets corresponding to the network threat that were prevented by the packet filtering device from continuing toward their respective destinations;
      
      determine a time indicated by the data stored in the packet flow log at which the packet filtering device last identified a packet corresponding to the network threat;
      
      ordetermine a number of network-threat-intelligence reports corresponding to the network threat.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Centripetal Networks, Inc.
Original Assignee
Centripetal Networks, Inc.
Inventors
Ahn, David K., George, Keith A., Geremia, Peter P., Mallett, III, Pierre, Moore, Sean, Perry, Robert T., Rogers, Jonathan R.
Primary Examiner(s)
Gracia, Gary S

Application Number

US16/554,252
Publication Number

US 20190387013A1
Time in Patent Office

146 Days
Field of Search
US Class Current
CPC Class Codes

H04L 43/028   by filtering

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/12   Applying verification of th...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Rule-based network-threat detection

First Claim

2 Assignments

Litigations

1 Petition

Accused Products

Abstract

270 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Rule-based network-threat detection

First Claim

2 Assignments

Subscription Required

Subscription Required

Litigations

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

270 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links