Integrated network threat analysis

US 10,659,480 B2
Filed: 04/12/2016
Issued: 05/19/2020
Est. Priority Date: 03/07/2013
Status: Active Grant

First Claim

Patent Images

1. A method implemented at a computer system for correlating network session and file information, the method comprising:

receiving, at a receiver module, packet data in a network communication session;

identifying a portion of the packet data representing a file being transferred in the network communication session over the network between a source and a destination;

associating the identified portion of the packet data with the file being transferred;

reassembling identified portions of the packet data to create a recomposed file;

storing the recomposed file in an electronic data storage device;

analyzing the packet data associated with the file to extract a network communication session parameter associated with the file and corresponding to the network communication session;

storing in the electronic data storage device, the extracted session parameter;

storing in the electronic data storage device, information identifying the recomposed file;

generating a logical link between the information identifying the recomposed file and the extracted session parameter based on the association between the identified portion of the packet data and the file being transferred;

calculating a threat score based on a weighted analysis of the recomposed file, wherein the weighting is based on one or more of reliability, false positive rate, and false negative rate of the analysis, and wherein the calculated threat score is associated with the recomposed file and the session parameter;

prompting, by a user interface of the computer system, a user to enter a parameter indicating a target network communication session;

receiving, at the user interface, the parameter entered by the user;

executing a query in the electronic data storage device to identify a file associated with the received parameter indicating the target network communication session based on the logical link between the information identifying the recomposed file and the extracted session parameter; and

returning, at the user interface, the threat score and an indication of the corresponding target network communication session indicated by the parameter to the user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The inventive systems and methods aggregate network information to accompany file information in an indicator and warning environment. This system also provides a user interface to search for files using network attributes or file attributes, such as message digest. The system can include threat scoring functionality that can be configured to calculate a threat score based on a combination of the result of file analysis on one or more files and associated network data capture information.

36 Citations

View as Search Results

20 Claims

1. A method implemented at a computer system for correlating network session and file information, the method comprising:
- receiving, at a receiver module, packet data in a network communication session;
  
  identifying a portion of the packet data representing a file being transferred in the network communication session over the network between a source and a destination;
  
  associating the identified portion of the packet data with the file being transferred;
  
  reassembling identified portions of the packet data to create a recomposed file;
  
  storing the recomposed file in an electronic data storage device;
  
  analyzing the packet data associated with the file to extract a network communication session parameter associated with the file and corresponding to the network communication session;
  
  storing in the electronic data storage device, the extracted session parameter;
  
  storing in the electronic data storage device, information identifying the recomposed file;
  
  generating a logical link between the information identifying the recomposed file and the extracted session parameter based on the association between the identified portion of the packet data and the file being transferred;
  
  calculating a threat score based on a weighted analysis of the recomposed file, wherein the weighting is based on one or more of reliability, false positive rate, and false negative rate of the analysis, and wherein the calculated threat score is associated with the recomposed file and the session parameter;
  
  prompting, by a user interface of the computer system, a user to enter a parameter indicating a target network communication session;
  
  receiving, at the user interface, the parameter entered by the user;
  
  executing a query in the electronic data storage device to identify a file associated with the received parameter indicating the target network communication session based on the logical link between the information identifying the recomposed file and the extracted session parameter; and
  
  returning, at the user interface, the threat score and an indication of the corresponding target network communication session indicated by the parameter to the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, further comprising prompting a user to enter a parameter descriptive of a target file transferred over the network;
    - receiving the parameter descriptive of the target file transferred over the network;
      
      executing a query in the electronic data storage device to identify a network communication session associated with the received parameter descriptive of the target file transferred over the network based on the logical link between the information identifying the recomposed file and the extracted session parameter;
      
      returning an identification of the network communication session associated with the received parameter descriptive of the target file transferred over the network.
  - 3. The method of claim 1, further comprising electronically inspecting the recomposed file to determine whether the file poses a risk based on static analysis, dynamic analysis, or anti-virus scanning.
  - 4. The method of claim 1, further comprising:
    - inspecting the recomposed file stored in the electronic data storage device to determine a file-type of the recomposed file, the file type associated with one or more subroutines; and
      
      executing the one or more subroutines on the recomposed file to create a post-processed version of the recomposed file for analysis by a signature-based threat scanner, wherein the threat score is calculated based on the weighted analysis of the recomposed file and the post-processed version of the recomposed file.
  - 5. The method of claim 4, wherein the signature is selected from a signature, regular expression match, indicator of compromise, or an intrusion detection system signature.
  - 6. The method of claim 4, wherein calculating the threat score comprises:
    - scanning, by the signature-based threat scanner, the recomposed file and the post-processed version of the recomposed file to generate a list of signature alerts, wherein the threat score is calculated based on the list of signature alerts.
  - 7. The method of claim 1, further comprising:
    - computing a message digest of the recomposed file;
      
      monitoring the packet data at a receiver module to determine if a second copy of the recomposed file is received;
      
      logging session information associated with the second copy of the recomposed file without storing the second copy of the recomposed file.
  - 8. The method of claim 1, further comprising calculating a weighted threat score based on the extracted network communication session parameter, file reputation information received from a reputation service, and the file.
  - 9. The method of claim 1, wherein the file is an executable program, a document, an electronic mail message, a picture file, an image file, a ROM file, or a compressed file.
  - 10. The method of claim 1, further comprising performing a second threat scan of the file based on information about the file or the network communication session parameter associated with the file.
  - 11. The method of claim 1, wherein a determination is made to perform a second scan of the file based on receipt of new threat signature data.
  - 12. The method of claim 1, wherein a determination is made to perform a second scan of the file based on the receipt of revised threat signature data.
  - 13. The method of claim 1, wherein a determination is made to perform a second scan of the file based on a user request.
  - 14. The method of claim 1, wherein a second scan of the file is performed at a relatively lower processor priority than the first scan.
  - 15. The method of claim 1, wherein a second scan of the file is not performed if the first scan of the file is less than a user-specified amount of time in the past.
  - 16. The method of claim 1, wherein a determination is made to perform a second scan of the file based on a MIME-type or file-type associated with the file.
  - 17. The method of claim 1, further comprising post-processing the packet data to determine protocol type for the packet data, whether the packet data is part of an HTTP or SMTP or TCP session, and extract session and, if present, file data.
  - 18. The method of claim 1, wherein the packet data represents an electronic mail message and wherein the method further comprises electronically storing only a header, a link, or a metadata field from the electronic mail message.
  - 19. The method of claim 1, wherein the network communication session parameter is selected from Internet protocol addresses, hashes of files, uniform resource locators, links in electronic messages, header information or any SMTP or HTTP or TCP parameters.
  - 20. The method of claim 1, wherein the receiver module is positioned inline between a source address and a destination address, and further comprising issuing a command to reset a connection between the source address and the destination address if a threat score associated with a file or session is higher than a predetermined threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
InQuest, LLC
Original Assignee
InQuest, LLC
Inventors
Arcamone, Michael, Diehl, Matthew
Primary Examiner(s)
Henning, Matthew T

Application Number

US15/097,241
Publication Number

US 20160226903A1
Time in Patent Office

1,498 Days
Field of Search

726 23
US Class Current
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

Integrated network threat analysis

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

36 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Integrated network threat analysis

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others