PRESENTATION OF THREAT HISTORY ASSOCIATED WITH NETWORK ACTIVITY

US 20170163673A1
Filed: 02/17/2017
Published: 06/08/2017
Est. Priority Date: 12/12/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

maintaining, by a computing device of a private network, threat information in a database comprising one or more of firewall logs and historical threat logs, wherein the threat information includes information regarding security threats detected by one or more network security devices associated with the private network;

receiving one or more threat filtering parameters, by the computing device, wherein the one or more threat filtering parameters are selected from a group comprising a parameter specifying one or more types of threats, a parameter specifying one or more levels of severity of the threats, a parameter specifying a source interface, a parameter specifying a destination interface, a parameter specifying a time period associated with the threats and a parameter specifying a frequency of occurrence of the threats;

extracting, by the computing device, information regarding a plurality of threats from the database based on the one or more threat filtering parameters; and

presenting, by the computing device, the extracted information in a form of a interactive historical graph illustrating a number of threats by type of threat during the time period;

receiving from an administrator of the private network, by the computing device, an indication, via interaction with the interactive historical graph, regarding a selected subset of the time period in which to zoom into for further details; and

responsive to the indication regarding the selected subset, presenting, by the computing device, the further details in a form of a list of the plurality of threats corresponding to the selected subset, wherein the list of threats is grouped by the type of threat and ordered by group in accordance with associated levels of severity of the threats in the list of threats.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for extracting, processing, displaying, and analyzing events that are associated with one or more threats are provided. According to one embodiment, threat information, including information from one or more of firewall logs and historical threat logs, is maintained in a database. Information regarding threat filtering parameters is received. Information regarding threats matching the threat filtering parameters are extracted from the database and is presented in a form of an interactive historical graph. Responsive to receiving from an administrator an indication regarding a selected subset of time in which to zoom into for further details, a list of threats within the selected subset is presented in tabular form.

12 Citations

View as Search Results

18 Claims

1. A method comprising:
- maintaining, by a computing device of a private network, threat information in a database comprising one or more of firewall logs and historical threat logs, wherein the threat information includes information regarding security threats detected by one or more network security devices associated with the private network;
  
  receiving one or more threat filtering parameters, by the computing device, wherein the one or more threat filtering parameters are selected from a group comprising a parameter specifying one or more types of threats, a parameter specifying one or more levels of severity of the threats, a parameter specifying a source interface, a parameter specifying a destination interface, a parameter specifying a time period associated with the threats and a parameter specifying a frequency of occurrence of the threats;
  
  extracting, by the computing device, information regarding a plurality of threats from the database based on the one or more threat filtering parameters; and
  
  presenting, by the computing device, the extracted information in a form of a interactive historical graph illustrating a number of threats by type of threat during the time period;
  
  receiving from an administrator of the private network, by the computing device, an indication, via interaction with the interactive historical graph, regarding a selected subset of the time period in which to zoom into for further details; and
  
  responsive to the indication regarding the selected subset, presenting, by the computing device, the further details in a form of a list of the plurality of threats corresponding to the selected subset, wherein the list of threats is grouped by the type of threat and ordered by group in accordance with associated levels of severity of the threats in the list of threats.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the database is updated by the one or more network security devices in real-time.
  - 3. The method of claim 1, wherein the firewall logs, for one or more network traffic sessions include information regarding one or more of parameters of the network traffic sessions, levels of risk, packet information, source-destination information, host names, infected websites, top destinations for potential threats, top sources of potential threats, origin points of potential threats, event identifiers, types of analysis, bandwidth usage, source Internet Protocol (IP) addresses, destination IP addresses, importance, application details, port information, timestamps, time frames, user details, source device details, destination device details, levels of trust, source operating system details, virus scan levels and schedules.
  - 4. The method of claim 1, wherein the historical threat logs comprise information regarding one or more of a level of severity, the type of threat and source-destination attributes for each of the security threats detected by the one or more network security devices.
  - 5. The method of claim 1, wherein the interactive historical graph comprises one or more of a stacked area graph, a stacked bar chart, a stacked column chart, a line chart, a point chart, a pie chart, a histogram, a line chart, a tree chart, a organizational chart, a timeline chart, a flowchart, a cartogram, a pedigree chart, a waterfall chart, a polar area chart, and a bubble chart.
  - 6. The method of claim 1, further comprising receiving from the administrator presentation parameters according to which the interactive historical graph is to be customized, wherein the presentation parameters include one or more of a parameter specifying a type of graph to be used for display of the plurality of threats, a parameter specifying zoom settings and a parameter specifying drag/select settings.
  - 7. The method of claim 1, wherein said presenting, by the computing device, the extracted information in a form of an interactive historical graph comprises presenting one or more of information regarding trends and suggestions based on the plurality of threats, wherein the information regarding trends indicate one or more of a manner and mode in which the plurality of threats have taken place, and wherein the suggestions provide input regarding potential future threats.
  - 8. The method of claim 1, wherein the interactive historical graph is updated in real-time by continuously extracting information from the database based on the plurality of threat filtering parameters.
  - 9. The method of claim 1, wherein the interactive historical graph is updated at pre-defined intervals by periodically extracting information from the database based on the plurality of threat filtering parameters.

10. A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a computer system of a private network, causes the one or more processors to perform a method comprising:
- maintaining threat information in a database comprising one or more of firewall logs and historical threat logs, wherein the threat information includes information regarding security threats detected by one or more network security devices associated with the private network;
  
  receiving one or more threat filtering parameters selected from a group comprising a parameter specifying one or more types of threats, a parameter specifying one or more levels of severity of the threats, a parameter specifying a source interface, a parameter specifying a destination interface, a parameter specifying a time period associated with the threats and a parameter specifying a frequency of occurrence of the threats;
  
  extracting information regarding a plurality of threats from the database based on the one or more threat filtering parameters;
  
  presenting the extracted information in a form of an interactive historical graph illustrating a number of threats by type of threat during the time period; and
  
  receiving from an administrator of the private network, an indication, via interaction with the interactive historical graph, regarding a selected subset of the time period in which to zoom into for further details; and
  
  responsive to the indication regarding the selected subset, presenting the further details in a form of a list of the plurality of threats corresponding to the selected subset, wherein the list of threats is grouped by the type of threat and ordered by group in accordance with associated levels of severity of the threats in the list of threats.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The non-transitory computer-readable storage medium of claim 10, wherein the database is updated by the one or more network security devices in real-time.
  - 12. The non-transitory computer-readable storage medium of claim 10, wherein the firewall logs, for one or more network traffic sessions include information regarding one or more of parameters of the network traffic sessions, levels of risk, packet information, source-destination information, host names, infected websites, top destinations for potential threats, top sources of potential threats, origin points of potential threats, event identifiers, types of analysis, bandwidth usage, source Internet Protocol (IP) addresses, destination IP addresses, importance, application details, port information, timestamps, time frames, user details, source device details, destination device details, levels of trust, source operating system details, virus scan levels and schedules.
  - 13. The non-transitory computer-readable storage medium of claim 10, wherein the historical threat logs comprise information regarding one or more of a level of severity, the type of threat and source-destination attributes for each of the security threats detected by the one or more network security devices.
  - 14. The non-transitory computer-readable storage medium of claim 10, wherein the interactive historical graph comprises one or more of a stacked area graph, a stacked bar chart, a stacked column chart, a line chart, a point chart, a pie chart, a histogram, a line chart, a tree chart, a organizational chart, a timeline chart, a flowchart, a cartogram, a pedigree chart, a waterfall chart, a polar area chart, and a bubble chart.
  - 15. The non-transitory computer-readable storage medium of claim 10, wherein the method further comprises receiving from the administrator presentation parameters according to which the interactive historical graph is to be customized, wherein the presentation parameters include one or more of a parameter specifying a type of graph to be used for display of the plurality of threats, a parameter specifying zoom settings and a parameter specifying drag/select settings.
  - 16. The non-transitory computer-readable storage medium of claim 10, wherein said presenting the extracted information in a form of an interactive historical graph comprises presenting one or more of information regarding trends and suggestions based on the plurality of threats, wherein the information regarding trends indicate one or more of a manner and mode in which the plurality of threats have taken place, and wherein the suggestions provide input regarding potential future threats.
  - 17. The non-transitory computer-readable storage medium of claim 10, wherein the interactive historical graph is updated in real-time by continuously extracting information from the database based on the plurality of threat filtering parameters.
  - 18. The non-transitory computer-readable storage medium of claim 10, wherein the interactive historical graph is updated at pre-defined intervals by periodically extracting information from the database based on the plurality of threat filtering parameters.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Nantel, Mathieu

Granted Patent

US 9,888,023 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/121   Timestamp cryptographic mec...

H04L 63/02   for separating internal fro...

H04L 63/0209   Architectural arrangements,...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

PRESENTATION OF THREAT HISTORY ASSOCIATED WITH NETWORK ACTIVITY

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

PRESENTATION OF THREAT HISTORY ASSOCIATED WITH NETWORK ACTIVITY

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links