Rule-based network-threat detection

DC CAFC

US 10,567,413 B2
Filed: 12/12/2018
Issued: 02/18/2020
Est. Priority Date: 04/17/2015
Status: Active Grant

- Alert
- Pin

First Claim

Patent Images

1. A method comprising:

receiving, by a packet-filtering device located at a boundary between a protected network and an unprotected network, a plurality of threat identifiers from a plurality of network-threat-intelligence providers;

receiving, by the packet-filtering device, a plurality of packets;

responsive to a determination by the packet-filtering device that a first packet of the plurality of packets corresponds to a first packet matching criterion specified by a first packet-filtering rule of a plurality of packet-filtering rules;

applying, by the packet-filtering device and to the first packet, a first operator specified by the first packet-filtering rule corresponding to the first packet matching criterion;

generating, by the packet-filtering device and for the first packet, a packet log entry comprising at least one threat identifier, of the plurality of threat identifiers, corresponding to the first packet;

determining a number of network-threat-intelligence providers, of the plurality of network-threat-intelligence providers, from which the at least one threat identifier corresponding to the first packet was received; and

determining, by the packet-filtering device, at least one score associated with the at least one threat identifier by determining at least a first score based on the determined number of network-threat-intelligence providers;

generating a listing of at least a portion of the plurality of threat identifiers, comprising the at least one threat identifier, wherein a position of the at least one threat identifier in the listing is based on the determined first score; and

reconfiguring at least one packet-filtering rule based on at least the generated listing,wherein each of the plurality of packet-filtering rules specifies at least one packet matching criterion and at least one operator.

View all claims

2 Assignments

Timeline View

Assignment View

Litigations

1 Petition

Accused Products

Abstract

A packet-filtering device may receive packet-filtering rules configured to cause the packet-filtering device to identify packets corresponding to network-threat indicators. The packet-filtering device may receive packets and, for each packet, may determine that the packet corresponds to criteria specified by a packet-filtering rule. The criteria may correspond to one or more of the network-threat indicators. The packet-filtering device may apply an operator specified by the packet-filtering rule. The operator may be configured to cause the packet-filtering device to either prevent the packet from continuing toward its destination or allow the packet to continue toward its destination. The packet-filtering device may generate a log entry comprising information from the packet-filtering rule that identifies the one or more network-threat indicators and indicating whether the packet-filtering device prevented the packet from continuing toward its destination or allowed the packet to continue toward its destination.

294 Citations

20 Claims

1. A method comprising:
- receiving, by a packet-filtering device located at a boundary between a protected network and an unprotected network, a plurality of threat identifiers from a plurality of network-threat-intelligence providers;
  
  receiving, by the packet-filtering device, a plurality of packets;
  
  responsive to a determination by the packet-filtering device that a first packet of the plurality of packets corresponds to a first packet matching criterion specified by a first packet-filtering rule of a plurality of packet-filtering rules;
  
  applying, by the packet-filtering device and to the first packet, a first operator specified by the first packet-filtering rule corresponding to the first packet matching criterion;
  
  generating, by the packet-filtering device and for the first packet, a packet log entry comprising at least one threat identifier, of the plurality of threat identifiers, corresponding to the first packet;
  
  determining a number of network-threat-intelligence providers, of the plurality of network-threat-intelligence providers, from which the at least one threat identifier corresponding to the first packet was received; and
  
  determining, by the packet-filtering device, at least one score associated with the at least one threat identifier by determining at least a first score based on the determined number of network-threat-intelligence providers;
  
  generating a listing of at least a portion of the plurality of threat identifiers, comprising the at least one threat identifier, wherein a position of the at least one threat identifier in the listing is based on the determined first score; and
  
  reconfiguring at least one packet-filtering rule based on at least the generated listing,wherein each of the plurality of packet-filtering rules specifies at least one packet matching criterion and at least one operator.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein applying the first operator specified by the first packet-filtering rule allows the first packet to continue toward a destination of the first packet, and wherein reconfiguring the at least one packet-filtering rule comprises:
    - updating the first packet-filtering rule corresponding to the first packet matching criterion to specify a second operator; and
      
      responsive to a determination by the packet-filtering device that a second packet of the plurality of packets corresponds to the first packet matching criterion specified by an updated first packet-filtering rule, applying, by the packet-filtering device and to the second packet, the second operator specified by the updated first packet-filtering rule corresponding to the first packet matching criterion,wherein applying the second operator specified by the updated first packet-filtering rule prevents the second packet from continuing toward a destination of the second packet.
  - 3. The method of claim 1, wherein determining the at least one score further comprises determining the at least one score based on at least one of:
    - a type of threat associated with the at least one threat identifier, geographic information, an anonymous proxy associated with the at least one threat identifier, or an actor associated with the at least one threat identifier.
  - 4. The method of claim 1, further comprising:
    - updating, by the packet-filtering device and based on the generated packet log entry, a packet flow log entry corresponding to the at least one threat identifier, wherein each packet flow entry consolidates a plurality of packet log entries corresponding to a common threat identifier,wherein determining that least one score associated with the at least one threat identifier comprises updating a second score associated with the packet flow log entry corresponding to the at least one threat identifier.
  - 5. The method of claim 1, wherein determining the at least one score associated with the at least one threat identifier further comprises determining the at least one score based on a number of the plurality of packets that correspond to the at least one threat identifier.
  - 6. The method of claim 1, the method further comprising:
    - updating the at least one score based on one or more times at which one or more packets of a plurality of logged packets that corresponds to one or more packet-filtering rules were filtered by the packet-filtering device; and
      
      updating the at least one score based on a number of the plurality of logged packets that correspond to the one or more packet-filtering rules.
  - 7. The method of claim 1, wherein determining the at least one score further comprises determining the at least one score based on an identity of one or more network-threat-intelligence providers that provided network-threat indicators associated with a corresponding threat identifier.
  - 8. The method of claim 1, wherein determining the at least one score further comprises determining the at least one score based on a destination of a packet of a plurality of logged packets that corresponds to the plurality of packet-filtering rules.
  - 9. The method of claim 1, wherein the listing comprises multiple threat identifiers, and wherein each identifier of the multiple threat identifiers is associated with a different score.
  - 10. The method of claim 1, wherein reconfiguring the at least one packet-filtering rule is based on user input received via a user interface comprising at least the generated listing.

11. A packet-filtering device, located at a boundary between a protected network and an unprotected network, comprising:
- at least one processor; and
  
  memory storing instructions that when executed by the at least one processor cause the packet-filtering device to;
  
  receive a plurality of threat identifiers from a plurality of network-threat-intelligence providers;
  
  receive a plurality of packets;
  
  responsive to a determination by the packet-filtering device that a first packet of the plurality of packets corresponds to a first packet matching criterion specified by a first packet-filtering rule of a plurality of packet-filtering rules;
  
  apply, to the first packet, a first operator specified by the first packet-filtering rule corresponding to the first packet matching criterion;
  
  generate, for the first packet, a packet log entry comprising at least one threat identifier, of the plurality of threat identifiers, corresponding to the first packet;
  
  determine a number of network-threat-intelligence providers, of the plurality of network-threat-intelligence providers, from which the at least one threat identifier corresponding to the first packet was received; and
  
  determine at least one score associated with the at least one threat identifier determining at least a first score based on the determined number of network-threat-intelligence providers;
  
  generate a listing of at least a portion of the plurality of threat identifiers, comprising the at least one threat identifier, wherein a position of the at least one threat identifier in the listing is based on the determined first score; and
  
  reconfigure at least one packet-filtering rule based on user input received via a user interface comprising at least the generated listing,wherein each of the plurality of packet-filtering rules specifies at least one packet matching criterion and at least one operator.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The packet-filtering device of claim 11, wherein applying the first operator specified by the first packet-filtering rule allows the first packet to continue toward a destination of the first packet, wherein instructions cause the packet-filtering device to reconfigure the at least one packet-filtering rule by causing the packet-filtering device to:
    - update the first packet-filtering rule corresponding to the first packet matching criterion to specify a second operator; and
      
      responsive to a determination by the packet-filtering device that a second packet of the plurality of packets corresponds to the first packet matching criterion specified by an updated first packet-filtering rule, apply, to the second packet, the second operator specified by the updated first packet-filtering rule corresponding to the first packet matching criterion,wherein applying the second operator specified by the updated first packet-filtering rule prevents the second packet from continuing toward a destination of the second packet.
  - 13. The packet-filtering device of claim 11, wherein the instructions cause the packet-filtering device to determine the at least one score by causing the packet-filtering device to determine the at least one score based on at least one of:
    - a type of threat associated with the at least one threat identifier, geographic information, an anonymous proxy associated with the at least one threat identifier, or an actor associated with the at least one threat identifier.
  - 14. The packet-filtering device of claim 11, wherein the instructions cause the packet-filtering device to:
    - update, based on the generated packet log entry, a packet flow log entry corresponding to the at least one threat identifier, wherein each packet flow entry consolidates a plurality of packet log entries corresponding to a common threat identifier,wherein determining the at least one score associated with the at least one threat identifier comprises updating a second score associated with the packet flow log entry corresponding to the at least one threat identifier.
  - 15. The packet-filtering device of claim 11, wherein the instructions cause the packet-filtering device to determine the at least one score by causing the packet-filtering device to determine the at least one score based on an identity of one or more network-threat-intelligence providers that provided network-threat indicators associated with a corresponding threat identifier.

16. One or more non-transitory computer-readable media comprising instructions that, when executed by at least one processor of a packet-filtering device located at a boundary between a protected network and an unprotected network, cause the packet-filtering device to:
- receive a plurality of threat identifiers from a plurality of network-threat-intelligence providers;
  
  receive a plurality of packets;
  
  responsive to a determination by the packet-filtering device that a first packet of the plurality of packets corresponds to a first packet matching criterion specified by a first packet-filtering rule of a plurality of packet-filtering rules;
  
  apply, to the first packet, a first operator specified by the first packet-filtering rule corresponding to the first packet matching criterion;
  
  generate, for the first packet, a packet log entry comprising at least one threat identifier, of the plurality of threat identifiers, corresponding to the first packet;
  
  determine a number of network-threat-intelligence providers, of the plurality of network-threat-intelligence providers, from which the at least one threat identifier corresponding to the first packet was received; and
  
  determine at least one score associated with the at least one threat identifier by determining at least a first score based on the determined number of network-threat-intelligence providers;
  
  generate a listing of at least a portion of the plurality of threat identifiers, comprising the at least one threat identifier, wherein a position of the at least one threat identifier in the listing is based on the determined first score; and
  
  reconfigure at least one packet-filtering rule based on at least the generated listing,wherein each of the plurality of packet-filtering rules specifies at least one packet matching criterion and at least one operator.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The one or more non-transitory computer-readable media of claim 16, wherein applying the first operator specified by the first packet-filtering rule allows the first packet to continue toward a destination of the first packet, and wherein the instructions cause the packet-filtering device to reconfigure the at least one packet-filtering rule by causing the packet-filtering device to:
    - update the first packet-filtering rule corresponding to the first packet matching criterion to specify a second operator; and
      
      responsive to a determination by the packet-filtering device that a second packet of the plurality of packets corresponds to the first packet matching criterion specified by an updated first packet-filtering rule, apply, to the second packet, the second operator specified by the updated first packet-filtering rule corresponding to the first packet matching criterion,wherein applying the second operator specified by the updated first packet-filtering rule prevents the second packet from continuing toward a destination of the second packet.
  - 18. The one or more non-transitory computer-readable media of claim 16, wherein the instructions cause the packet-filtering device to determine the at least one score by causing the packet-filtering device to determine the at least one score based on at least one of:
    - a type of threat associated with the at least one threat identifier, geographic information, an anonymous proxy associated with the at least one threat identifier, or an actor associated with the at least one threat identifier.
  - 19. The one or more non-transitory computer-readable media of claim 16, wherein the instructions further cause the packet-filtering device to:
    - update, based on the generated packet log entry, a packet flow log entry corresponding to the least one threat identifier, wherein each packet flow entry consolidates a plurality of packet log entries corresponding to a common threat identifier,wherein determining the at least one score associated with the at least one threat identifier comprises updating a second score associated with the packet flow log entry corresponding to the at least one threat identifier.
  - 20. The one or more non-transitory computer-readable media of claim 16, wherein the instructions cause the packet-filtering device to determine the at least one score by causing the packet-filtering device to determine the at least one score based on an identity of one or more network-threat-intelligence providers that provided network-threat indicators associated with a corresponding threat identifier.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Centripetal Networks, Inc.
Original Assignee
Centripetal Networks, Inc.
Inventors
Ahn, David K., George, Keith A., Geremia, Peter P., Mallett, III, Pierre, Moore, Sean, Perry, Robert T., Rogers, Jonathan R.
Primary Examiner(s)
Schwartz, Darren B

Application Number

US16/217,720
Publication Number

US 20190238577A1
Time in Patent Office

433 Days
Field of Search
US Class Current
CPC Class Codes

H04L 43/028   by filtering

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/12   Applying verification of th...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Rule-based network-threat detection

First Claim

2 Assignments

Litigations

1 Petition

Accused Products

Abstract

294 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Rule-based network-threat detection

First Claim

2 Assignments

Subscription Required

Subscription Required

Litigations

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

294 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links