System and method for threat detection and response
Abstract
In accordance with varying embodiments of the invention, systems, devices and methods for analyzing a network packet received from a remote source and destined for a network resource, the network packet having associated packet data, and for identifying a plurality of network threats are disclosed.
47 Claims
1. A method for analyzing a network packet received from a remote source and destined for a network resource, the network packet having associated packet data, and for identifying a plurality of network threats, comprising:
(a) comparing the packet data to a predetermined set of protocol anomalies, each protocol anomaly indicative of at least one of the plurality of network threats;
(b) comparing the packet data to a predetermined set of threat signatures, each threat signature indicative of at least one of the plurality of network threats;
(c) comparing a first port weighting for the network resource to a default port weighting, the first port weighting generated in part based on the packet data;
(d) comparing a first source weighting for the remote source to a default source weighting, the first source weighting generated in part based on the packet data;
(e) comparing the packet data to a predetermined set of permissions;
(f) determining that the network packet is associated with an existing network threat based on at least one of the comparison of the packet data to the predetermined set of protocol anomalies, the comparison of the packet data to the predetermined set of threat signatures, the comparison of the first port weighting to the default port weighting, the comparison of the first source weighting to the default source weighting, the comparison of the packet data to the predetermined set of permissions; and
(g) taking at least one of a plurality of actions in response to the existing network threat.
Dependent claims: 2 through 22.
23. A network threat detection and response system for analyzing a network packet received from a remote source and destined for a network resource, the network packet having associated packet data, and for identifying a plurality of network threats, comprising:
(a) a first portion adapted for comparing the packet data to a predetermined set of protocol anomalies, each protocol anomaly indicative of at least one of the plurality of network threats;
(b) a second portion adapted for comparing the packet data to a predetermined set of threat signatures, each threat signature indicative of at least one of the plurality of network threats;
(c) a third portion adapted for comparing a first port weighting for the network resource to a default port weighting, the first port weighting generated in part based on the packet data;
(d) a fourth portion adapted for comparing a first source weighting for the remote source to a default source weighting, the first source weighting generated in part based on the packet data;
(e) a fifth portion adapted for comparing the packet data to a predetermined set of permissions;
(f) a sixth portion adapted for determining that the network packet is associated with an existing network threat based on at least one of the comparison of the packet data to the predetermined set of protocol anomalies, the comparison of the packet data to the predetermined set of threat signatures, the comparison of the first port weighting to the default port weighting, the comparison of the first source weighting to the default source weighting, the comparison of the packet data to the predetermined set of permissions; and
(g) a seventh portion adapted for taking at least one of a plurality of actions in response to the existing network threat.
Dependent claims: 24 through 42.
43. A method for analyzing a network packet received from a remote source and destined for a network resource, the network packet having associated packet data, and for identifying a plurality of network threats, comprising:
(a) comparing the packet data to a predetermined set of protocol anomalies, each protocol anomaly indicative of at least one of the plurality of network threats;
determining that the packet data includes at least one of the protocol anomalies from the predetermined set of protocol anomalies;
(b) comparing the packet data to a predetermined set of threat signatures, each threat signature indicative of at least one of the plurality of network threats;
determining that the packet data includes at least one of the threat signatures from the predetermined set of threat signatures;
(c) utilizing the packet data to generate a first port weighting for the network resource;
determining that the network packet is associated with a first port scan based on a comparison of the first port weighting to a default port weighting;
(d) utilizing the packet data to generate a first source weighting for the remote source;
determining that the network packet is associated with a denial of service attack based on a comparison of the first source weighting to a default source weighting;
(e) comparing the packet data to a predetermined set of permissions;
determining that the packet data fails to demonstrate that the remote source has a requisite permission for connection to the network resource;
(f) associating the network packet with an existing network threat based on at least one of the determining that the packet data includes at least one of the protocol anomalies from the predetermined set of protocol anomalies, determining that the packet data includes at least one of the threat signatures from the predetermined set of threat signatures, determining that the network packet is associated with a first port scan, determining that the network packet is associated with a denial of service attack, determining that the packet data fails to demonstrate that the remote source has a requisite permission for connection to the network resource; and
(g) taking one of a plurality of actions in response to the existing network threat.
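As an added illustration, not code from the patent or from any product it covers, the following Python models the seven steps of claim 43 over constructed traffic. Assumptions: the port weighting is modelled as the number of distinct destination ports a remote source has touched on the resource, the source weighting as that source's packet count, and the anomaly, signature, permission and default-weighting values are constructed placeholders.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass
class Packet:                      # constructed minimal packet record
    src: str
    dst_port: int
    flags: str
    payload: bytes = b""
    token: str = ""                # credential presented for the connection

# Constructed rule sets and defaults; the claims do not specify these values.
PROTOCOL_ANOMALIES = {"syn_fin": lambda p: "S" in p.flags and "F" in p.flags}
THREAT_SIGNATURES = {"probe_marker": b"probe-marker"}
PERMISSIONS = {22: {"ops-token"}}  # dst_port -> tokens holding the requisite permission

class Detector:
    def __init__(self, default_port_weighting=3, default_source_weighting=5):
        self.default_port = default_port_weighting
        self.default_src = default_source_weighting
        self.ports_seen = defaultdict(set)  # src -> distinct dst ports (port weighting)
        self.pkts_seen = Counter()          # src -> packet count (source weighting)

    def analyze(self, p: Packet):
        self.ports_seen[p.src].add(p.dst_port)
        self.pkts_seen[p.src] += 1
        threats = []
        threats += [f"anomaly:{n}" for n, f in PROTOCOL_ANOMALIES.items() if f(p)]        # (a)
        threats += [f"signature:{n}" for n, s in THREAT_SIGNATURES.items() if s in p.payload]  # (b)
        if len(self.ports_seen[p.src]) > self.default_port:            # (c) port weighting vs default
            threats.append("port_scan")
        if self.pkts_seen[p.src] > self.default_src:                   # (d) source weighting vs default
            threats.append("denial_of_service")
        allowed = PERMISSIONS.get(p.dst_port)                          # (e) permissions
        if allowed is not None and p.token not in allowed:
            threats.append("missing_permission")
        return threats, self.respond(threats)                          # (f) associate, (g) act

    @staticmethod
    def respond(threats):
        if not threats:
            return "allow"
        if {"port_scan", "denial_of_service"} & set(threats):
            return "block_source"
        if any(t.startswith("signature:") for t in threats):
            return "drop_and_alert"
        return "alert"

def run_sample():
    """Feed constructed traffic through one detector; returns src -> last (threats, action)."""
    d = Detector()
    traffic = [Packet("10.0.0.9", port, "S") for port in (21, 22, 23, 25)]   # touches 4 ports
    traffic += [Packet("10.0.0.7", 80, "SF", b"GET /probe-marker")]         # anomaly + signature
    traffic += [Packet("10.0.0.5", 22, "S")]                                 # no token for port 22
    traffic += [Packet("10.0.0.3", 80, "S")] * 6                             # exceeds source weighting
    return {p.src: d.analyze(p) for p in traffic}
```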
44. A device for analyzing a network packet received from a remote source and destined for a network resource, the network packet having associated packet data, and for identifying a plurality of network threats, comprising:
(a) a first portion adapted for comparing the packet data to a predetermined set of protocol anomalies, each protocol anomaly indicative of at least one of the plurality of network threats;
(b) a second portion adapted for comparing the packet data to a predetermined set of threat signatures, each threat signature indicative of at least one of the plurality of network threats;
(c) a third portion adapted for comparing a first port weighting for the network resource to a default port weighting, the first port weighting generated in part based on the packet data;
(d) a fourth portion adapted for comparing a first source weighting for the remote source to a default source weighting, the first source weighting generated in part based on the packet data;
(e) a fifth portion adapted for comparing the packet data to a predetermined set of permissions;
(f) a sixth portion adapted for determining that the network packet is associated with an existing network threat based on at least one of the comparison of the packet data to the predetermined set of protocol anomalies, the comparison of the packet data to the predetermined set of threat signatures, the comparison of the first port weighting to the default port weighting, the comparison of the first source weighting to the default source weighting, the comparison of the packet data to the predetermined set of permissions; and
(g) a seventh portion adapted for taking at least one of a plurality of actions in response to the existing network threat.
Dependent claims: 45 through 47.