SECURITY THREAT DETECTION

US 20160277431A1
Filed: 03/19/2015
Published: 09/22/2016
Est. Priority Date: 03/19/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

maintaining, by a network security device, a network traffic log, wherein the network traffic log includes information associated with network activities observed within a private network;

responsive to an event, retrospectively scanning, by the network security device, the network traffic log in an attempt to identify a threat that was missed by a previous signature-based scan or a previous reputation-based scan of the observed network activities; and

when the threat is identified as a result of said retrospectively scanning, then performing, by the network security device, one or more of a remedial action and a preventive action with respect to the threat.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for retrospective scanning of network traffic logs for missed threats using updated scan engines are provided. According to an embodiment, a network security device maintains a network traffic log that includes information associated with network activities observed within a private network. Responsive to an event, the network traffic log is retrospectively scanned in an attempt to identify a threat that was missed by a previous signature-based scan or a previous reputation-based scan of the observed network activities. When the threat is identified as a result of the retrospective scan, then remedial and/or preventive action is taken with respect to the threat.

Citations

17 Claims

1. A method comprising:
- maintaining, by a network security device, a network traffic log, wherein the network traffic log includes information associated with network activities observed within a private network;
  
  responsive to an event, retrospectively scanning, by the network security device, the network traffic log in an attempt to identify a threat that was missed by a previous signature-based scan or a previous reputation-based scan of the observed network activities; and
  
  when the threat is identified as a result of said retrospectively scanning, then performing, by the network security device, one or more of a remedial action and a preventive action with respect to the threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the event comprises receipt by the network security device of updated signature database information for use by the network security device in connection with performing signature-based scanning
  - 3. The method of claim 2, wherein said retrospectively scanning comprises applying the updated signature database information to the network traffic log by performing a signature-based scan on one or more of information contained within the network traffic log and one or more network resources or files associated therewith.
  - 4. The method of claim 1, wherein the event comprises receipt by the network security device of updated reputation database information for use by the network security device in connection with performing reputation-based scanning.
  - 5. The method of claim 4, wherein said retrospectively scanning comprises applying the updated reputation database information to the network traffic log by performing a reputation-based scan on one or more of information contained within the network traffic log and one or more Uniform Resource Identifiers (URIs) or Internet Protocol (IP) addresses associated therewith.
  - 6. The method of claim 1, wherein the event comprises a predetermined or configurable scheduled timer event.
  - 7. The method of claim 1, wherein the network traffic log includes one or more entries each including information regarding one or more features of a potential threat identified during the previous signature-based scan or the previous reputation-based scan.
  - 8. The method of claim 7, wherein the one or more entries comprise one or more ofa first file hash representing a result of a cryptographic hash of a file;
    - a second file hash representing a result of a fuzzy hash of the file;
      
      an IP address of traffic associated with the identified potential threat;
      
      a URI of a web resource associated with the identified potential threat;
      
      one or more data packets of the traffic; and
      
      a URI hash representing a result of the cryptographic hash of URI of the web resource.
  - 9. The method of claim 7, wherein the one or more entries contain contextual information regarding the identified potential threat.
  - 10. The method of claim 9, wherein the contextual information includes one or more ofa time stamp of network traffic associated with the identified potential threat;
    - a source IP addresses of the network traffic;
      
      a destination IP addresses of the network traffic;
      
      a user mapped to the destination IP address.
  - 11. The method of claim 1, wherein the network traffic log resides within the private network.
  - 12. The method of claim 1, wherein the network traffic log represents information collected by a plurality of other network security devices.
  - 13. The method of claim 1, wherein said retrospectively scanning comprises scanning entries within the network traffic log that are within a predetermined time period associated with the threat.
  - 14. The method of claim 1, said retrospectively scanning comprises scanning entries within the network traffic log that are associated with a predetermined type of network traffic.
  - 15. The method of claim 1, wherein the preventive action comprises an action seeking to prevent potential damage resulting form the threat or to seeking to defend against the threat.
  - 16. The method of claim 15, wherein the preventative action includes one or more ofincreasing security scrutiny for a source associated with the threat;
    - decreasing a security reputation score of the source;
      
      blocking the source; and
      
      blocking of other potential threats that share significant features with the threat.
  - 17. The method of claim 1, wherein the remedial action comprises one or more of:
    - notifying a user mapped to the threat;
      
      notifying an administrator of the network security device;
      
      increasing security scrutiny for a destination associated with the threat;
      
      deceasing a security reputation score of the destination; and
      
      blocking the destination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Yu, Qianyong

Granted Patent

US 9,602,527 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04L 63/1441 Countermeasures against mal...

SECURITY THREAT DETECTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

SECURITY THREAT DETECTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links