INTEGRATED NETWORK THREAT ANALYSIS
First Claim
1. A method for correlating network session and file information, the method comprising:
receiving packet data at a receiver module, the packet data comprising a network communication session;
identifying a portion of the packet data representing a file being transferred over the network between a source and a destination;
associating the identified portion of the packet data with the file being transferred;
reassembling the identified portions of the packet data to create a recomposed file;
storing the recomposed file in an electronic data storage device;
analyzing the packet data associated with the file to extract a network communication session parameter associated with the file;
storing in the electronic data storage device, the extracted session parameter;
storing in the electronic data storage device, information identifying the recomposed file;
generating a logical link between the information identifying the recomposed file and the extracted session parameter based on the association between the identified portion of the packet data and the file being transferred;
calculating a threat score based on a weighted analysis of the recomposed file, wherein the weighting is based on one or more of reliability, false positive rate, and false negative rate of the analysis; and
wherein the calculated threat score is associated with the recomposed file and the session parameter.
1 Assignment
0 Petitions
Abstract
The inventive systems and methods aggregate network information to accompany file information in an indicator and warning environment. This system also provides a user interface to search for files using network attributes or file attributes, such as message digest. The system can include threat scoring functionality that can be configured to calculate a threat score based on a combination of the result of file analysis on one or more files and associated network data capture information.
26 Citations
20 Claims
Specification