Integrated network threat analysis
First Claim
1. A method implemented at a computer system for correlating network session and file information, the method comprising:
- receiving, at a receiver module, packet data in a network communication session;
- identifying a portion of the packet data representing a file being transferred in the network communication session over the network between a source and a destination;
- associating the identified portion of the packet data with the file being transferred;
- reassembling identified portions of the packet data to create a recomposed file;
- storing the recomposed file in an electronic data storage device;
- analyzing the packet data associated with the file to extract a network communication session parameter associated with the file and corresponding to the network communication session;
- storing in the electronic data storage device, the extracted session parameter;
- storing in the electronic data storage device, information identifying the recomposed file;
- generating a logical link between the information identifying the recomposed file and the extracted session parameter based on the association between the identified portion of the packet data and the file being transferred;
- calculating a threat score based on a weighted analysis of the recomposed file, wherein the weighting is based on one or more of reliability, false positive rate, and false negative rate of the analysis, and wherein the calculated threat score is associated with the recomposed file and the session parameter;
- prompting, by a user interface of the computer system, a user to enter a parameter indicating a target network communication session;
- receiving, at the user interface, the parameter entered by the user;
- executing a query in the electronic data storage device to identify a file associated with the received parameter indicating the target network communication session based on the logical link between the information identifying the recomposed file and the extracted session parameter; and
- returning, at the user interface, the threat score and an indication of the corresponding target network communication session indicated by the parameter to the user.
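The claimed pipeline (reassemble the transferred file, link its digest to the session parameters, weight each analyzer by reliability and error rates, then query by session) as an added Python sketch that is not part of the patent; the analyzer names, their rates, the weighting formula and the sample packets are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
# Hypothetical analyzers; reliability / false-positive / false-negative rates are constructed values.
ANALYZERS = {
    "signature_scan": {"reliability": 0.9, "fp": 0.02, "fn": 0.30},
    "heuristic_scan": {"reliability": 0.6, "fp": 0.20, "fn": 0.10},
}

def analyzer_weight(meta):
    # Trust an analyzer by its reliability, discounted by both of its error rates.
    return meta["reliability"] * (1 - meta["fp"]) * (1 - meta["fn"])

def threat_score(verdicts):
    # verdicts maps analyzer name -> its estimate (0..1) that the file is malicious.
    weights = {name: analyzer_weight(ANALYZERS[name]) for name in verdicts}
    return round(sum(w * verdicts[n] for n, w in weights.items()) / sum(weights.values()), 3)

@dataclass
class Store:
    files: dict = field(default_factory=dict)     # digest -> recomposed file bytes
    sessions: dict = field(default_factory=dict)  # digest -> session parameters (the logical link)
    scores: dict = field(default_factory=dict)    # digest -> threat score

def ingest(store, packets, verdicts):
    # Reassemble one file from its packets; chunks may be out of order or retransmitted,
    # so they are keyed by offset and duplicate offsets collapse to a single chunk.
    chunks = {}
    for pkt in packets:
        chunks.setdefault(pkt["offset"], pkt["payload"])
    data = b"".join(chunks[off] for off in sorted(chunks))
    digest = hashlib.sha256(data).hexdigest()
    session = {k: packets[0][k] for k in ("src", "dst", "dst_port", "proto")}
    store.files[digest], store.sessions[digest] = data, session
    store.scores[digest] = threat_score(verdicts)
    return digest

def query_by_session(store, **params):
    # Walk the file -> session link in reverse: which stored files match these session fields?
    return [(d, store.scores[d], s) for d, s in store.sessions.items()
            if all(s.get(k) == v for k, v in params.items())]

# Constructed capture: one 14-byte file in three chunks, delivered out of order with one retransmit.
SESSION = {"src": "10.0.0.5", "dst": "203.0.113.7", "dst_port": 80, "proto": "tcp"}
PACKETS = [dict(SESSION, offset=10, payload=b"zip!"), dict(SESSION, offset=0, payload=b"PK\x03\x04"),
           dict(SESSION, offset=4, payload=b"sample"), dict(SESSION, offset=4, payload=b"sample")]
VERDICTS = {"signature_scan": 1.0, "heuristic_scan": 0.5}

if __name__ == "__main__":
    store = Store()
    digest = ingest(store, PACKETS, VERDICTS)
    print(query_by_session(store, dst="203.0.113.7", dst_port=80))
```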
1 Assignment
0 Petitions
Abstract
The inventive systems and methods aggregate network information to accompany file information in an indicator and warning environment. This system also provides a user interface to search for files using network attributes or file attributes, such as message digest. The system can include threat scoring functionality that can be configured to calculate a threat score based on a combination of the result of file analysis on one or more files and associated network data capture information.
36 Citations
20 Claims
Specification