INTEGRATED NETWORK THREAT ANALYSIS

US 20160226903A1
Filed: 04/12/2016
Published: 08/04/2016
Est. Priority Date: 03/07/2013
Status: Active Grant

First Claim

Patent Images

1. A method for correlating network session and file information, the method comprising:

receiving packet data at a receiver module, the packet data comprising a network communication session;

identifying a portion of the packet data representing a file being transferred over the network between a source and a destination;

associating the identified portion of the packet data with the file being transferred;

reassembling the identified portions of the packet data to create a recomposed file;

storing the recomposed file in an electronic data storage device;

analyzing the packet data associated with the file to extract a network communication session parameter associated with the file;

storing in the electronic data storage device, the extracted session parameter;

storing in the electronic data storage device, information identifying the recomposed file;

generating a logical link between the information identifying the recomposed file and the extracted session parameter based on the association between the identified portion of the packet data and the file being transferred;

calculating a threat score based on a weighted analysis of the recomposed file, wherein the weighting is based on one or more of reliability, false positive rate, and false negative rate of the analysis; and

wherein the calculated threat score is associated with the recomposed file and the session parameter.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The inventive systems and methods aggregate network information to accompany file information in an indicator and warning environment. This system also provides a user interface to search for files using network attributes or file attributes, such as message digest. The system can include threat scoring functionality that can be configured to calculate a threat score based on a combination of the result of file analysis on one or more files and associated network data capture information.

26 Citations

View as Search Results

20 Claims

1. A method for correlating network session and file information, the method comprising:
- receiving packet data at a receiver module, the packet data comprising a network communication session;
  
  identifying a portion of the packet data representing a file being transferred over the network between a source and a destination;
  
  associating the identified portion of the packet data with the file being transferred;
  
  reassembling the identified portions of the packet data to create a recomposed file;
  
  storing the recomposed file in an electronic data storage device;
  
  analyzing the packet data associated with the file to extract a network communication session parameter associated with the file;
  
  storing in the electronic data storage device, the extracted session parameter;
  
  storing in the electronic data storage device, information identifying the recomposed file;
  
  generating a logical link between the information identifying the recomposed file and the extracted session parameter based on the association between the identified portion of the packet data and the file being transferred;
  
  calculating a threat score based on a weighted analysis of the recomposed file, wherein the weighting is based on one or more of reliability, false positive rate, and false negative rate of the analysis; and
  
  wherein the calculated threat score is associated with the recomposed file and the session parameter.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, further comprising prompting a user to enter a parameter descriptive of a target network communication session;
    - receiving the parameter descriptive of the target network communication session;
      
      executing a query in the electronic data storage device to identify a file associated with the received parameter descriptive of the target network communication session based on the logical link between the information identifying the recomposed file and the extracted session parameter;
      
      returning an identification of the file associated with the received parameter descriptive of the target network communication session;
  - 3. The method of claim 1, further comprising prompting a user to enter a parameter descriptive of a target file transferred over the network;
    - receiving the parameter descriptive of the target file transferred over the network;
      
      executing a query in the electronic data storage device to identify a network communication session associated with the received parameter descriptive of the target file transferred over the network based on the logical link between the information identifying the recomposed file and the extracted session parameter;
      
      returning an identification of the network communication session associated with the received parameter descriptive of the target file transferred over the network.
  - 4. The method of claim 1, further comprising electronically inspecting the recomposed file to determine whether the file poses a risk based on static analysis, dynamic analysis, or anti-virus scanning.
  - 5. The method of claim 1, further comprising:
    - inspecting the recomposed file to determine its file-type; and
      
      preparing the recomposed file for a signature-based threat scan based on the determined file-type.
  - 6. The method of claim 5, wherein the signature is selected from a signature, regular expression match, indicator of compromise, or an intrusion detection system signature.
  - 7. The method of claim 1, further comprising:
    - computing a message digest of the recomposed file;
      
      monitoring the packet data at a receiver module to determine if a second copy of the recomposed file is received;
      
      logging session information associated with the second copy of the recomposed file without storing the second copy of the recomposed file.
  - 8. The method of claim 1, further comprising calculating a weighted threat score based on the extracted network communication session parameter, file reputation information received from a reputation service, and the file.
  - 9. The method of claim 1, wherein the file is an executable program, a document, or an electronic mail message.
  - 10. The method of claim 1, further comprising performing a second threat scan of the file based on information about the file or the network communication session parameter associated with the file.
  - 11. The method of claim 1, wherein a determination is made to perform a second scan of the file based on receipt of new threat signature data or
  - 12. The method of claim 1, wherein a determination is made to perform a second scan of the file based on the receipt of revised threat signature data.
  - 13. The method of claim 1, wherein a determination is made to perform a second scan of the file based on a user request.
  - 14. The method of claim 1, wherein a second scan of the file is performed at a relatively lower processor priority than the first scan.
  - 15. The method of claim 1, wherein a second scan of the file is not performed if the first scan of the file is less than a user-specified amount of time in the past.
  - 16. The method of claim 1, wherein a determination is made to perform a second scan of the file based on a MIME-type or file-type associated with the file.
  - 17. The method of claim 1, further comprising post-processing the packet data to determine protocol type for the packet data, whether the packet data is part of an HTTP or SMTP session, and extract session and, if present, file data.
  - 18. The method of claim 1, wherein the packet data represents an electronic mail message and wherein the method further comprises electronically storing only a header, a link, or a metadata field from the electronic mail message.
  - 19. The method of claim 1, wherein the network communication session parameter is selected from Internet protocol addresses, hashes of files, uniform resource locators, links in electronic messages, header information or any SMTP or HTTP parameters.
  - 20. The method of claim 1, wherein the receiver module is positioned inline between a source address and a destination address, and further comprising issuing a command to reset a connection between the source address and the destination address if a threat score associated with a file or session is higher than a predetermined threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
InQuest, LLC
Original Assignee
InQuest, LLC
Inventors
Arcamone, Michael, Diehl, Matthew

Granted Patent

US 10,659,480 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

INTEGRATED NETWORK THREAT ANALYSIS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

26 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

INTEGRATED NETWORK THREAT ANALYSIS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others