Rule-based network-threat detection
1. A method comprising:
receiving, by a packet-filtering device located at a boundary between a protected network and an unprotected network, a plurality of threat identifiers from a plurality of network-threat-intelligence providers;
receiving, by the packet-filtering device, a plurality of packets;
responsive to a determination by the packet-filtering device that a first packet of the plurality of packets corresponds to a first packet matching criterion specified by a first packet-filtering rule of a plurality of packet-filtering rules;
applying, by the packet-filtering device and to the first packet, a first operator specified by the first packet-filtering rule corresponding to the first packet matching criterion;
generating, by the packet-filtering device and for the first packet, a packet log entry comprising at least one threat identifier, of the plurality of threat identifiers, corresponding to the first packet;
determining a number of network-threat-intelligence providers, of the plurality of network-threat-intelligence providers, from which the at least one threat identifier corresponding to the first packet was received; and
determining, by the packet-filtering device, at least one score associated with the at least one threat identifier by determining at least a first score based on the determined number of network-threat-intelligence providers;
generating a listing of at least a portion of the plurality of threat identifiers, comprising the at least one threat identifier, wherein a position of the at least one threat identifier in the listing is based on the determined first score; and
reconfiguring at least one packet-filtering rule based on at least the generated listing, wherein each of the plurality of packet-filtering rules specifies at least one packet matching criterion and at least one operator.
Abstract
A packet-filtering device may receive packet-filtering rules configured to cause the packet-filtering device to identify packets corresponding to network-threat indicators. The packet-filtering device may receive packets and, for each packet, may determine that the packet corresponds to criteria specified by a packet-filtering rule. The criteria may correspond to one or more of the network-threat indicators. The packet-filtering device may apply an operator specified by the packet-filtering rule. The operator may be configured to cause the packet-filtering device to either prevent the packet from continuing toward its destination or allow the packet to continue toward its destination. The packet-filtering device may generate a log entry comprising information from the packet-filtering rule that identifies the one or more network-threat indicators and indicating whether the packet-filtering device prevented the packet from continuing toward its destination or allowed the packet to continue toward its destination.
20 Claims
1. A method comprising: (claim 1 is set out in full above) - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
11. A packet-filtering device, located at a boundary between a protected network and an unprotected network, comprising:
at least one processor; and
memory storing instructions that when executed by the at least one processor cause the packet-filtering device to:
receive a plurality of threat identifiers from a plurality of network-threat-intelligence providers;
receive a plurality of packets;
responsive to a determination by the packet-filtering device that a first packet of the plurality of packets corresponds to a first packet matching criterion specified by a first packet-filtering rule of a plurality of packet-filtering rules;
apply, to the first packet, a first operator specified by the first packet-filtering rule corresponding to the first packet matching criterion;
generate, for the first packet, a packet log entry comprising at least one threat identifier, of the plurality of threat identifiers, corresponding to the first packet;
determine a number of network-threat-intelligence providers, of the plurality of network-threat-intelligence providers, from which the at least one threat identifier corresponding to the first packet was received; and
determine at least one score associated with the at least one threat identifier by determining at least a first score based on the determined number of network-threat-intelligence providers;
generate a listing of at least a portion of the plurality of threat identifiers, comprising the at least one threat identifier, wherein a position of the at least one threat identifier in the listing is based on the determined first score; and
reconfigure at least one packet-filtering rule based on user input received via a user interface comprising at least the generated listing, wherein each of the plurality of packet-filtering rules specifies at least one packet matching criterion and at least one operator.
- View Dependent Claims (12, 13, 14, 15)
16. One or more non-transitory computer-readable media comprising instructions that, when executed by at least one processor of a packet-filtering device located at a boundary between a protected network and an unprotected network, cause the packet-filtering device to:
receive a plurality of threat identifiers from a plurality of network-threat-intelligence providers;
receive a plurality of packets;
responsive to a determination by the packet-filtering device that a first packet of the plurality of packets corresponds to a first packet matching criterion specified by a first packet-filtering rule of a plurality of packet-filtering rules;
apply, to the first packet, a first operator specified by the first packet-filtering rule corresponding to the first packet matching criterion;
generate, for the first packet, a packet log entry comprising at least one threat identifier, of the plurality of threat identifiers, corresponding to the first packet;
determine a number of network-threat-intelligence providers, of the plurality of network-threat-intelligence providers, from which the at least one threat identifier corresponding to the first packet was received; and
determine at least one score associated with the at least one threat identifier by determining at least a first score based on the determined number of network-threat-intelligence providers;
generate a listing of at least a portion of the plurality of threat identifiers, comprising the at least one threat identifier, wherein a position of the at least one threat identifier in the listing is based on the determined first score; and
reconfigure at least one packet-filtering rule based on at least the generated listing, wherein each of the plurality of packet-filtering rules specifies at least one packet matching criterion and at least one operator.
- View Dependent Claims (17, 18, 19, 20)
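The loop that claims 1, 11 and 16 (and the abstract) describe, as an added worked example in Python; this is not code from the patent or its assignee. A toy packet-filtering device builds one rule per indicator received from several threat-intelligence providers, starts the rules in monitor mode (allow and log), scores each logged indicator by the number of distinct providers that supplied it, ranks the indicators into a listing, and then reconfigures the rules so that indicators with enough provider consensus are blocked. The feed contents, packet records, rule fields, the `Rule`/`LogEntry` types and the consensus threshold are all constructed for illustration.

```python
# Added example, not code from the patent or its assignee: a toy packet-filtering
# device that walks the claimed loop. Feeds, packets, rule fields and the
# consensus threshold are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed threat-intelligence feeds: provider name -> indicators it supplied.
# Indicators are IPv4 addresses or CIDR blocks matched against the destination.
FEEDS = {
    "provider-a": {"203.0.113.7", "198.51.100.0/24"},
    "provider-b": {"203.0.113.7", "198.51.100.0/24"},
    "provider-c": {"203.0.113.7", "192.0.2.99"},
}

# Constructed packets leaving the protected network (src) for the unprotected side (dst).
PACKETS = [
    {"src": "10.0.0.5", "dst": "203.0.113.7", "dport": 443},    # reported by 3 providers
    {"src": "10.0.0.6", "dst": "198.51.100.23", "dport": 80},   # inside a block reported by 2
    {"src": "10.0.0.7", "dst": "192.0.2.99", "dport": 25},      # reported by 1 provider
    {"src": "10.0.0.8", "dst": "203.0.113.200", "dport": 443},  # no indicator at all
]

@dataclass
class Rule:
    criterion: str      # packet matching criterion: dst address within this IP/CIDR
    operator: str       # "allow" (forward) or "block" (drop)
    threat_ids: tuple   # threat identifier(s) the rule was derived from

@dataclass
class LogEntry:
    dst: str
    threat_ids: tuple
    operator: str       # what the device did with the packet

def build_rules(feeds, default_operator="allow"):
    """One rule per distinct indicator; rules start in monitor mode (allow + log)."""
    indicators = sorted({i for inds in feeds.values() for i in inds})
    return [Rule(i, default_operator, (i,)) for i in indicators]

def matches(rule, packet):
    return ip_address(packet["dst"]) in ip_network(rule.criterion, strict=False)

def filter_packets(rules, packets):
    """Apply the first matching rule's operator and log the threat identifiers it carries."""
    forwarded, log = [], []
    for pkt in packets:
        rule = next((r for r in rules if matches(r, pkt)), None)
        if rule is None:               # no threat indicator involved: no log entry
            forwarded.append(pkt)
            continue
        log.append(LogEntry(pkt["dst"], rule.threat_ids, rule.operator))
        if rule.operator == "allow":
            forwarded.append(pkt)
    return forwarded, log

def provider_counts(feeds):
    """Number of distinct providers that supplied each indicator."""
    seen = {}
    for provider, inds in feeds.items():
        for i in inds:
            seen.setdefault(i, set()).add(provider)
    return {i: len(p) for i, p in seen.items()}

def score_logged(log, feeds):
    """First score for every indicator that appears in the log: its provider count."""
    counts = provider_counts(feeds)
    return {t: counts[t] for entry in log for t in entry.threat_ids}

def ranked_listing(scores):
    """Listing ordered by score, highest consensus first; ties broken by indicator text."""
    return sorted(scores, key=lambda t: (-scores[t], t))

def reconfigure(rules, listing, scores, threshold):
    """Promote the rules for listed indicators with enough provider consensus to block."""
    promote = {t for t in listing if scores[t] >= threshold}
    changed = []
    for rule in rules:
        if rule.operator != "block" and promote.intersection(rule.threat_ids):
            rule.operator = "block"
            changed.append(rule.criterion)
    return changed

def run_cycle(feeds=FEEDS, packets=PACKETS, threshold=2):
    rules = build_rules(feeds)
    forwarded_before, log = filter_packets(rules, packets)
    scores = score_logged(log, feeds)
    listing = ranked_listing(scores)
    blocked_now = reconfigure(rules, listing, scores, threshold)
    forwarded_after, log_after = filter_packets(rules, packets)  # replay under the new policy
    return {"listing": listing, "scores": scores, "blocked_now": blocked_now,
            "log_before": log, "log_after": log_after,
            "forwarded_before": len(forwarded_before), "forwarded_after": len(forwarded_after)}

if __name__ == "__main__":
    result = run_cycle()
    for ind in result["listing"]:
        print(f"{ind:18} providers={result['scores'][ind]}")
    print("promoted to block:", result["blocked_now"])
    print("forwarded before/after:", result["forwarded_before"], result["forwarded_after"])
```

Two practitioner caveats the claims leave open. The provider-count score only measures consensus if the feeds are independent; providers that syndicate each other's indicators inflate the count without adding evidence, so in practice the score is weighted by feed provenance rather than taken as a raw count. And claim 11 has the reconfiguration driven by user input on a user interface that shows the listing, whereas the example automates that step with a threshold; an automated promotion to "block" on a boundary device needs the same change control as any other firewall rule change.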