Correlating packets in communications networks

DC CAFC

US 9,264,370 B1
Filed: 02/10/2015
Issued: 02/16/2016
Est. Priority Date: 02/10/2015
Status: Active Grant

- Alert
- Pin

First Claim

Patent Images

1. A method comprising:

provisioning, by a computing system, a first tap with one or more rules configured to identify a plurality of packets received by a network device from a host located in a first network, wherein a communication path that interfaces the network device and the first network comprises the first tap;

provisioning, by the computing system, a second tap with one or more rules configured to identify a plurality of packets transmitted by the network device to a host located in a second network, wherein a communication path that interfaces the network device and the second network comprises the second tap;

provisioning, by the computing system, the first tap and the second tap with one or more rules specifying a set of network addresses and configured to cause the computing system to log packets destined for one or more network addresses in the set of network addresses;

identifying, by the computing system, the plurality of packets received by the network device;

generating, by the computing system, a plurality of log entries corresponding to the plurality of packets received by the network device;

identifying, by the computing system, the plurality of packets transmitted by the network device;

generating, by the computing system, a plurality of log entries corresponding to the plurality of packets transmitted by the network device;

correlating, by the computing system and based on the plurality of log entries corresponding to the plurality of packets received by the network device and the plurality of log entries corresponding to the plurality of packets transmitted by the network device, the plurality of packets transmitted by the network device with the plurality of packets received by the network device; and

responsive to correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device;

generating, by the computing system, data identifying the host located in the first network; and

communicating, by the computing system and to a device located in the first network, the data identifying the host located in the first network.

View all claims

4 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

A computing system may identify packets received by a network device from a host located in a first network and may generate log entries corresponding to the packets received by the network device. The computing system may identify packets transmitted by the network device to a host located in a second network and may generate log entries corresponding to the packets transmitted by the network device. Utilizing the log entries corresponding to the packets received by the network device and the log entries corresponding to the packets transmitted by the network device, the computing system may correlate the packets transmitted by the network device with the packets received by the network device.

78 Citations

View as Search Results

207 Claims

1. A method comprising:
- provisioning, by a computing system, a first tap with one or more rules configured to identify a plurality of packets received by a network device from a host located in a first network, wherein a communication path that interfaces the network device and the first network comprises the first tap;
  
  provisioning, by the computing system, a second tap with one or more rules configured to identify a plurality of packets transmitted by the network device to a host located in a second network, wherein a communication path that interfaces the network device and the second network comprises the second tap;
  
  provisioning, by the computing system, the first tap and the second tap with one or more rules specifying a set of network addresses and configured to cause the computing system to log packets destined for one or more network addresses in the set of network addresses;
  
  identifying, by the computing system, the plurality of packets received by the network device;
  
  generating, by the computing system, a plurality of log entries corresponding to the plurality of packets received by the network device;
  
  identifying, by the computing system, the plurality of packets transmitted by the network device;
  
  generating, by the computing system, a plurality of log entries corresponding to the plurality of packets transmitted by the network device;
  
  correlating, by the computing system and based on the plurality of log entries corresponding to the plurality of packets received by the network device and the plurality of log entries corresponding to the plurality of packets transmitted by the network device, the plurality of packets transmitted by the network device with the plurality of packets received by the network device; and
  
  responsive to correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device;
  
  generating, by the computing system, data identifying the host located in the first network; and
  
  communicating, by the computing system and to a device located in the first network, the data identifying the host located in the first network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1, comprising:
    - determining, by the first tap, that the plurality of packets received by the network device are destined for a network address associated with the host located in the second network;
      
      determining, by the first tap, that the network address associated with the host located in the second network is in the set of network addresses;
      
      determining, by the second tap, that the plurality of packets transmitted by the network device are destined for the network address associated with the host located in the second network; and
      
      determining, by the second tap, that the network address associated with the host located in the second network is in the set of network addresses.
  - 3. The method of claim 2, comprising:
    - generating, by the computing system, a plurality of log entries comprising data indicating that the plurality of packets received by the network device are destined for the network address associated with the host located in the second network; and
      
      generating, by the computing system, a plurality of log entries comprising data indicating that the plurality of packets transmitted by the network device are destined for the network address associated with the host located in the second network.
  - 4. The method of claim 3, comprising correlating, by the computing system, each log entry of the plurality of log entries comprising the data indicating that the plurality of packets transmitted by the network device are destined for the network address associated with the host located in the second network with one or more log entries of the plurality of log entries comprising the data indicating that the plurality of packets received by the network device are destined for the network address associated with the host located in the second network.
  - 5. The method of claim 3, comprising generating, by the computing system, a plurality of log entries comprising data indicating that a portion of the plurality of packets received by the network device were received from a network address associated with the host located in the first network.
  - 6. The method of claim 5, wherein generating the data identifying the host located in the first network comprises generating data comprising the network address associated with the host located in the first network.
  - 7. The method of claim 5, wherein the network device is configured to perform network address translation (NAT) for a plurality of network addresses associated with the first network, wherein the plurality of network addresses associated with the first network comprises the network address associated with the host located in the first network and a network address associated with a different host located in the first network, the method comprising generating, by the computing system, a plurality of log entries comprising data indicating that a portion of the plurality of packets received by the network device were received from the network address associated with the different host located in the first network.
  - 8. The method of claim 7, comprising:
    - correlating, by the computing system, a first portion of the plurality of log entries comprising the data indicating that the plurality of packets transmitted by the network device are destined for the network address associated with the host located in the second network with the plurality of log entries comprising the data indicating that the portion of the plurality of packets received by the network device were received from the network address associated with the host located in the first network; and
      
      correlating, by the computing system, a second portion of the plurality of log entries comprising the data indicating that the plurality of packets transmitted by the network device are destined for the network address associated with the host located in the second network with the plurality of log entries comprising the data indicating that the portion of the plurality of packets received by the network device were received from the network address associated with the different host located in the first network.
  - 9. The method of claim 1, wherein correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device comprises comparing one or more ports indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more ports indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 10. The method of claim 1, wherein correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device comprises correlating one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 11. The method of claim 1, wherein correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device comprises comparing application-layer data indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with application-layer data indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 12. The method of claim 1, wherein correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device comprises comparing one or more network-interface identifiers of the network device indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more network-interface identifiers of the network device indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 13. The method of claim 1, wherein correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device comprises comparing one or more times indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more times indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 14. The method of claim 13, wherein:
    - generating the plurality of log entries corresponding to the plurality of packets received by the network device comprises generating a plurality of timestamps indicating times corresponding to receipt, by the network device, of the plurality of packets received by the network device; and
      
      generating the plurality of log entries corresponding to the plurality of packets transmitted by the network device comprises generating a plurality of timestamps indicating times corresponding to transmission, by the network device, of the plurality of packets transmitted by the network device.
  - 15. The method of claim 14, comprising determining, by the computing system and for each timestamp of the plurality of timestamps indicating the times corresponding to transmission of the plurality of packets transmitted by the network device, that a difference between a time indicated by the timestamp and a time indicated by a timestamp of the plurality of timestamps indicating the times corresponding to receipt of the plurality of packets received by the network device is less than a threshold latency value for the network device.
  - 16. The method of claim 14, comprising:
    - determining, by the computing system, a plurality of latency values for the network device, wherein determining the plurality of latency values comprises determining, for each timestamp of a first portion of the plurality of timestamps indicating the times corresponding to transmission of the plurality of packets transmitted by the network device a difference between a time indicated by the timestamp and a time indicated by a timestamp of the plurality of timestamps indicating the times corresponding to receipt of the plurality of packets received by the network device;
      
      determining, by the computing system and based on the plurality of latency values, an updated threshold latency value for the network device; and
      
      determining, by the computing system and for each timestamp of a second portion of the plurality of timestamps indicating the times corresponding to transmission of the plurality of packets transmitted by the network device that a difference between a time indicated by the timestamp and a time indicated by a timestamp of the plurality of timestamps indicating the times corresponding to receipt of the plurality of packets received by the network device is less than the updated threshold latency value for the network device.
  - 17. The method of claim 1, wherein:
    - the network device comprises a proxy configured to;
      
      receive requests, for data from the host located in the second network, transmitted by the host located in the first network; and
      
      generate requests corresponding to the requests transmitted by the host located in the first network and configured to cause the host located in the second network to transmit, to the network device, the data from the host located in the second network; and
      
      correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device comprises comparing data from the requests transmitted by the host located in the first network with data from the requests corresponding to the requests transmitted by the host located in the first network.
  - 18. The method of claim 1, wherein:
    - the network device comprises a gateway configured to;
      
      receive, from the host located in the first network, data destined for the host located in the second network; and
      
      generate one or more packets, destined for the host located in the second network, encapsulating the data destined for the host located in the second network; and
      
      correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device comprises comparing at least a portion of the data destined for the host located in the second network with data from the one or more packets encapsulating the data destined for the host located in the second network.
  - 19. The method of claim 1, wherein the host located in the second network is associated with a malicious entity, the method comprising generating, by the computing system, data configured to cause the first network to drop packets transmitted by the host located in the first network.
  - 20. The method of claim 1, wherein the communication path that interfaces the network device and the first network comprises a packet-filtering device, the method comprising:
    - generating, by the computing system, one or more rules configured to identify packets received from the host located in the first network;
      
      provisioning, by the computing system, the packet-filtering device with the one or more rules configured to identify packets received from the host located in the first network;
      
      identifying, by the packet-filtering device and based on the one or more rules configured to identify packets received from the host located in the first network, at least one packet received from the host located in the first network; and
      
      responsive to identifying the at least one packet received from the host located in the first network, dropping, by the packet-filtering device, the at least one packet received from the host located in the first network.
  - 21. The method of claim 1, comprising:
    - generating, by the computing system, a message identifying the host located in the first network; and
      
      communicating, by the computing system and to at least one of the host located in the first network or a computing device associated with an administrator of the first network, the message identifying the host located in the first network.

22. A system comprising:
- at least one processor; and
  
  a memory storing instructions that when executed by the at least one processor cause the system to;
  
  provision a device in a communication link interfacing a network device and a first network with one or more rules configured to identify a plurality of packets received by the network device from a host located in the first network;
  
  provision a device in a communication link interfacing the network device and a second network with one or more rules configured to identify a plurality of packets transmitted by the network device to a host located in a second network;
  
  provision the device in the communication link interfacing the network device and the first network and the device in the communication link interfacing the network device and the second network with one or more rules specifying a set of network addresses and configured to cause the system to log packets destined for one or more network addresses in the set of network addresses;
  
  configure the device in the communication link interfacing the network device with the first network to;
  
  identify the plurality of packets received by the network device;
  
  generate a plurality of log entries corresponding to the plurality of packets received by the network device; and
  
  communicate, to the system, the plurality of log entries corresponding to the plurality of packets received by the network device;
  
  configure the device in the communication link interfacing the network device with the second network to;
  
  identify the plurality of packets transmitted by the network device;
  
  generate a plurality of log entries corresponding to the plurality of packets transmitted by the network device; and
  
  communicate, to the system, the plurality of log entries corresponding to the plurality of packets transmitted by the network device;
  
  correlate, based on the plurality of log entries corresponding to the plurality of packets received by the network device and the plurality of log entries corresponding to the plurality of packets transmitted by the network device, the plurality of packets transmitted by the network device with the plurality of packets received by the network device; and
  
  responsive to correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device;
  
  generate data identifying the host located in the first network; and
  
  communicate, to a device located in the first network, the data identifying the host located in the first network.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 23. The system of claim 22, wherein the instructions, when executed by the at least one processor, cause the system to:
    - configure the device in the communication link interfacing the network device with the first network to;
      
      determine that the plurality of packets received by the network device are destined for a network address associated with the host located in the second network; and
      
      determine that the network address associated with the host located in the second network is in the set of network addresses; and
      
      configure the device in the communication link interfacing the network device with the second network to;
      
      determine that the plurality of packets transmitted by the network device are destined for the network address associated with the host located in the second network; and
      
      determine that the network address associated with the host located in the second network is in the set of network addresses.
  - 24. The system of claim 23, wherein the instructions, when executed by the at least one processor, cause the system to:
    - generate a plurality of log entries comprising data indicating that the plurality of packets received by the network device are destined for the network address associated with the host located in the second network; and
      
      generate a plurality of log entries comprising data indicating that the plurality of packets transmitted by the network device are destined for the network address associated with the host located in the second network.
  - 25. The system of claim 24, wherein the instructions, when executed by the at least one processor, cause the system to correlate, each log entry of the plurality of log entries comprising the data indicating that the plurality of packets transmitted by the network device are destined for the network address associated with the host located in the second network with one or more log entries of the plurality of log entries comprising the data indicating that the plurality of packets received by the network device are destined for the network address associated with the host located in the second network.
  - 26. The system of claim 24, wherein the instructions, when executed by the at least one processor, cause the system to generate a plurality of log entries comprising data indicating that a portion of the plurality of packets received by the network device were received from a network address associated with the host located in the first network.
  - 27. The system of claim 26, wherein the data identifying the host located in the first network comprises the network address associated with the host located in the first network.
  - 28. The system of claim 26, wherein the network device is configured to perform network address translation (NAT) for a plurality of network addresses associated with the first network, wherein the plurality of network addresses associated with the first network comprises the network address associated with the host located in the first network and a network address associated with a different host located in the first network, and wherein the instructions, when executed by the at least one processor, cause the system to generate a plurality of log entries comprising data indicating that a portion of the plurality of packets received by the network device were received from the network address associated with the different host located in the first network.
  - 29. The system of claim 28, wherein the instructions, when executed by the at least one processor, cause the system to:
    - correlate a first portion of the plurality of log entries comprising the data indicating that the plurality of packets transmitted by the network device are destined for the network address associated with the host located in the second network with the plurality of log entries comprising the data indicating that the portion of the plurality of packets received by the network device were received from the network address associated with the host located in the first network; and
      
      correlate a second portion of the plurality of log entries comprising the data indicating that the plurality of packets transmitted by the network device are destined for the network address associated with the host located in the second network with the plurality of log entries comprising the data indicating that the portion of the plurality of packets received by the network device were received from the network address associated with the different host located in the first network.
  - 30. The system of claim 22, wherein the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of one or more ports indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more ports indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 31. The system of claim 22, wherein the instructions, when executed by the at least one processor, cause the system to correlate one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 32. The system of claim 22, wherein the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of application-layer data indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with application-layer data indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 33. The system of claim 22, wherein the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of one or more network-interface identifiers of the network device indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more network-interface identifiers of the network device indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 34. The system of claim 22, wherein the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of one or more times indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more times indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 35. The system of claim 34, wherein the plurality of log entries corresponding to the plurality of packets received by the network device comprises a plurality of timestamps indicating times corresponding to receipt, by the network device, of the plurality of packets received by the network device, and wherein the plurality of log entries corresponding to the plurality of packets transmitted by the network device comprises a plurality of timestamps indicating times corresponding to transmission, by the network device, of the plurality of packets transmitted by the network device.
  - 36. The system of claim 35, wherein the instructions, when executed by the at least one processor, cause the system to determine, for each timestamp of the plurality of timestamps indicating the times corresponding to transmission of the plurality of packets transmitted by the network device, that a difference between a time indicated by the timestamp and a time indicated by a timestamp of the plurality of timestamps indicating the times corresponding to receipt of the plurality of packets received by the network device is less than a threshold latency value for the network device.
  - 37. The system of claim 35, wherein the instructions, when executed by the at least one processor, cause the system to:
    - determine a plurality of latency values for the network device, wherein the plurality of latency values comprises, for each timestamp of a first portion of the plurality of timestamps indicating the times corresponding to transmission of the plurality of packets transmitted by the network device, a difference between a time indicated by the timestamp and a time indicated by a timestamp of the plurality of timestamps indicating the times corresponding to receipt of the plurality of packets received by the network device;
      
      determine, based on the plurality of latency values, an updated threshold latency value for the network device; and
      
      determine, for each timestamp of a second portion of the plurality of timestamps indicating the times corresponding to transmission of the plurality of packets transmitted by the network device that a difference between a time indicated by the timestamp and a time indicated by a timestamp of the plurality of timestamps indicating the times corresponding to receipt of the plurality of packets received by the network device is less than the updated threshold latency value for the network device.
  - 38. The system of claim 22, wherein:
    - the network device comprises a proxy configured to;
      
      receive requests, for data from the host located in the second network, transmitted by the host located in the first network; and
      
      generate requests corresponding to the requests transmitted by the host located in the first network and configured to cause the host located in the second network to transmit, to the network device, the data from the host located in the second network; and
      
      the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of data from the requests transmitted by the host located in the first network with data from the requests corresponding to the requests transmitted by the host located in the first network.
  - 39. The system of claim 22, wherein:
    - the network device comprises a gateway configured to;
      
      receive, from the host located in the first network, data destined for the host located in the second network; and
      
      generate one or more packets, destined for the host located in the second network, encapsulating the data destined for the host located in the second network; and
      
      the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of at least a portion of the data destined for the host located in the second network with data from the one or more packets encapsulating the data destined for the host located in the second network.
  - 40. The system of claim 22, wherein the host located in the second network is associated with a malicious entity, and wherein the instructions, when executed by the at least one processor, cause the system to generate data configured to cause the first network to drop packets transmitted by the host located in the first network.
  - 41. The system of claim 22, wherein the communication link that interfaces the network device and the first network comprises a packet-filtering device, and wherein the instructions, when executed by the at least one processor, cause the system to:
    - generate one or more rules configured to identify packets received from the host located in the first network;
      
      provision the packet-filtering device with the one or more rules configured to identify packets received from the host located in the first network; and
      
      configure the packet-filtering device to;
      
      identify, based on the one or more rules configured to identify packets received from the host located in the first network, at least one packet received from the host located in the first network; and
      
      responsive to identifying the at least one packet received from the host located in the first network, drop the at least one packet received from the host located in the first network.
  - 42. The system of claim 22, wherein the instructions, when executed by the at least one processor, cause the system to:
    - generate a message identifying the host located in the first network; and
      
      communicate, to at least one of the host located in the first network or a computing device associated with an administrator of the first network, the message identifying the host located in the first network.

43. One or more non-transitory computer-readable media comprising instructions that when executed by a computing system cause the computing system to:
- provision a device in a communication link interfacing a network device and a first network with one or more rules configured to identify a plurality of packets received by the network device from a host located in the first network;
  
  provision a device in a communication link interfacing the network device and a second network with one or more rules configured to identify a plurality of packets transmitted by the network device to a host located in a second network;
  
  provision the device in the communication link interfacing the network device and the first network and the device in the communication link interfacing the network device and the second network with one or more rules specifying a set of network addresses and configured to cause the computing system to log packets destined for one or more network addresses in the set of network addresses;
  
  configure the device in the communication link interfacing the network device with the first network to;
  
  identify the plurality of packets received by the network device;
  
  generate a plurality of log entries corresponding to the plurality of packets received by the network device; and
  
  communicate, to the computing system, the plurality of log entries corresponding to the plurality of packets received by the network device;
  
  configure the device in the communication link interfacing the network device with the second network to;
  
  identify the plurality of packets transmitted by the network device;
  
  generate a plurality of log entries corresponding to the plurality of packets transmitted by the network device; and
  
  communicate, to the computing system, the plurality of log entries corresponding to the plurality of packets transmitted by the network device;
  
  correlate, based on the plurality of log entries corresponding to the plurality of packets received by the network device and the plurality of log entries corresponding to the plurality of packets transmitted by the network device, the plurality of packets transmitted by the network device with the plurality of packets received by the network device; and
  
  responsive to correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device;
  
  generate data identifying the host located in the first network; and
  
  communicate, to a device located in the first network, the data identifying the host located in the first network.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63)
- - 44. The one or more non-transitory computer-readable media of claim 43, wherein the instructions, when executed by the computing system, cause the computing system to:
    - configure the device in the communication link interfacing the network device with the first network to;
      
      determine that the plurality of packets received by the network device are destined for a network address associated with the host located in the second network; and
      
      determine that the network address associated with the host located in the second network is in the set of network addresses; and
      
      configure the device in the communication link interfacing the network device with the second network to;
      
      determine that the plurality of packets transmitted by the network device are destined for the network address associated with the host located in the second network; and
      
      determine that the network address associated with the host located in the second network is in the set of network addresses.
  - 45. The one or more non-transitory computer-readable media of claim 44, wherein the instructions, when executed by the computing system, cause the computing system to:
    - generate a plurality of log entries comprising data indicating that the plurality of packets received by the network device are destined for the network address associated with the host located in the second network; and
      
      generate a plurality of log entries comprising data indicating that the plurality of packets transmitted by the network device are destined for the network address associated with the host located in the second network.
  - 46. The one or more non-transitory computer-readable media of claim 45, wherein the instructions, when executed by the computing system, cause the computing system to correlate, each log entry of the plurality of log entries comprising the data indicating that the plurality of packets transmitted by the network device are destined for the network address associated with the host located in the second network with one or more log entries of the plurality of log entries comprising the data indicating that the plurality of packets received by the network device are destined for the network address associated with the host located in the second network.
  - 47. The one or more non-transitory computer-readable media of claim 45, wherein the instructions, when executed by the computing system, cause the computing system to generate a plurality of log entries comprising data indicating that a portion of the plurality of packets received by the network device were received from a network address associated with the host located in the first network.
  - 48. The one or more non-transitory computer-readable media of claim 47, wherein the data identifying the host located in the first network comprises the network address associated with the host located in the first network.
  - 49. The one or more non-transitory computer-readable media of claim 47, wherein the network device is configured to perform network address translation (NAT) for a plurality of network addresses associated with the first network, wherein the plurality of network addresses associated with the first network comprises the network address associated with the host located in the first network and a network address associated with a different host located in the first network, and wherein the instructions, when executed by the computing system, cause the computing system to generate a plurality of log entries comprising data indicating that a portion of the plurality of packets received by the network device were received from the network address associated with the different host located in the first network.
  - 50. The one or more non-transitory computer-readable media of claim 49, wherein the instructions, when executed by the computing system, cause the computing system to:
    - correlate a first portion of the plurality of log entries comprising the data indicating that the plurality of packets transmitted by the network device are destined for the network address associated with the host located in the second network with the plurality of log entries comprising the data indicating that the portion of the plurality of packets received by the network device were received from the network address associated with the host located in the first network; and
      
      correlate a second portion of the plurality of log entries comprising the data indicating that the plurality of packets transmitted by the network device are destined for the network address associated with the host located in the second network with the plurality of log entries comprising the data indicating that the portion of the plurality of packets received by the network device were received from the network address associated with the different host located in the first network.
  - 51. The one or more non-transitory computer-readable media of claim 43, wherein the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of one or more ports indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more ports indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 52. The one or more non-transitory computer-readable media of claim 43, wherein the instructions, when executed by the computing system, cause the computing system to correlate one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 53. The one or more non-transitory computer-readable media of claim 43, wherein the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of application-layer data indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with application-layer data indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 54. The one or more non-transitory computer-readable media of claim 43, wherein the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of one or more network-interface identifiers of the network device indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more network-interface identifiers of the network device indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 55. The one or more non-transitory computer-readable media of claim 43, wherein the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of one or more times indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more times indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 56. The one or more non-transitory computer-readable media of claim 55, wherein the plurality of log entries corresponding to the plurality of packets received by the network device comprises a plurality of timestamps indicating times corresponding to receipt, by the network device, of the plurality of packets received by the network device, and wherein the plurality of log entries corresponding to the plurality of packets transmitted by the network device comprises a plurality of timestamps indicating times corresponding to transmission, by the network device, of the plurality of packets transmitted by the network device.
  - 57. The one or more non-transitory computer-readable media of claim 56, wherein the instructions, when executed by the computing system, cause the computing system to determine, for each timestamp of the plurality of timestamps indicating the times corresponding to transmission of the plurality of packets transmitted by the network device, that a difference between a time indicated by the timestamp and a time indicated by a timestamp of the plurality of timestamps indicating the times corresponding to receipt of the plurality of packets received by the network device is less than a threshold latency value for the network device.
  - 58. The one or more non-transitory computer-readable media of claim 56, wherein the instructions, when executed by the computing system, cause the computing system to:
    - determine a plurality of latency values for the network device, wherein the plurality of latency values comprises, for each timestamp of a first portion of the plurality of timestamps indicating the times corresponding to transmission of the plurality of packets transmitted by the network device, a difference between a time indicated by the timestamp and a time indicated by a timestamp of the plurality of timestamps indicating the times corresponding to receipt of the plurality of packets received by the network device;
      
      determine, based on the plurality of latency values, an updated threshold latency value for the network device; and
      
      determine, for each timestamp of a second portion of the plurality of timestamps indicating the times corresponding to transmission of the plurality of packets transmitted by the network device that a difference between a time indicated by the timestamp and a time indicated by a timestamp of the plurality of timestamps indicating the times corresponding to receipt of the plurality of packets received by the network device is less than the updated threshold latency value for the network device.
  - 59. The one or more non-transitory computer-readable media of claim 43, wherein:
    - the network device comprises a proxy configured to;
      
      receive requests, for data from the host located in the second network, transmitted by the host located in the first network; and
      
      generate requests corresponding to the requests transmitted by the host located in the first network and configured to cause the host located in the second network to transmit, to the network device, the data from the host located in the second network; and
      
      the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of data from the requests transmitted by the host located in the first network with data from the requests corresponding to the requests transmitted by the host located in the first network.
  - 60. The one or more non-transitory computer-readable media of claim 43, wherein:
    - the network device comprises a gateway configured to;
      
      receive, from the host located in the first network, data destined for the host located in the second network; and
      
      generate one or more packets, destined for the host located in the second network, encapsulating the data destined for the host located in the second network; and
      
      the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of at least a portion of the data destined for the host located in the second network with data from the one or more packets encapsulating the data destined for the host located in the second network.
  - 61. The one or more non-transitory computer-readable media of claim 43, wherein the host located in the second network is associated with a malicious entity, and wherein the instructions, when executed by the computing system, cause the computing system to generate data configured to cause the first network to drop packets transmitted by the host located in the first network.
  - 62. The one or more non-transitory computer-readable media of claim 43, wherein the communication link that interfaces the network device and the first network comprises a packet-filtering device, and wherein the instructions, when executed by the computing system, cause the computing system to:
    - generate one or more rules configured to identify packets received from the host located in the first network;
      
      provision the packet-filtering device with the one or more rules configured to identify packets received from the host located in the first network; and
      
      configure the packet-filtering device to;
      
      identify, based on the one or more rules configured to identify packets received from the host located in the first network, at least one packet received from the host located in the first network; and
      
      responsive to identifying the at least one packet received from the host located in the first network, drop the at least one packet received from the host located in the first network.
  - 63. The one or more non-transitory computer-readable media of claim 43, wherein the instructions, when executed by the computing system, cause the computing system to:
    - generate a message identifying the host located in the first network; and
      
      communicate, to at least one of the host located in the first network or a computing device associated with an administrator of the first network, the message identifying the host located in the first network.

64. A method comprising:
- identifying, by a computing system, a plurality of packets received by a network device from a host located in a first network;
  
  generating, by the computing system, a plurality of log entries corresponding to the plurality of packets received by the network device, the plurality of log entries corresponding to the plurality of packets received by the network device comprising a plurality of timestamps indicating times corresponding to receipt, by the network device, of the plurality of packets received by the network device;
  
  identifying, by the computing system, a plurality of packets transmitted by the network device to a host located in a second network;
  
  generating, by the computing system, a plurality of log entries corresponding to the plurality of packets transmitted by the network device, the plurality of log entries corresponding to the plurality of packets transmitted by the network device comprising a plurality of timestamps indicating times corresponding to transmission, by the network device, of the plurality of packets transmitted by the network device;
  
  determining, by the computing system and for each timestamp of the plurality of timestamps indicating the times corresponding to transmission of the plurality of packets transmitted by the network device, that a difference between a time indicated by the timestamp and a time indicated by a timestamp of the plurality of timestamps indicating the times corresponding to receipt of the plurality of packets received by the network device is less than a threshold latency value for the network device;
  
  correlating, by the computing system and based on the plurality of log entries corresponding to the plurality of packets received by the network device and the plurality of log entries corresponding to the plurality of packets transmitted by the network device, the plurality of packets transmitted by the network device with the plurality of packets received by the network device; and
  
  responsive to correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device;
  
  generating, by the computing system, data identifying the host located in the first network; and
  
  communicating, by the computing system and to a device located in the first network, the data identifying the host located in the first network.
- View Dependent Claims (65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75)
- - 65. The method of claim 64, comprising:
    - determining, by the computing system, a plurality of latency values for the network device, wherein determining the plurality of latency values comprises determining, for each timestamp of a first portion of the plurality of timestamps indicating the times corresponding to transmission of the plurality of packets transmitted by the network device a difference between a time indicated by the timestamp and a time indicated by a timestamp of the plurality of timestamps indicating the times corresponding to receipt of the plurality of packets received by the network device;
      
      determining, by the computing system and based on the plurality of latency values, an updated threshold latency value for the network device; and
      
      determining, by the computing system and for each timestamp of a second portion of the plurality of timestamps indicating the times corresponding to transmission of the plurality of packets transmitted by the network device that a difference between a time indicated by the timestamp and a time indicated by a timestamp of the plurality of timestamps indicating the times corresponding to receipt of the plurality of packets received by the network device is less than the updated threshold latency value for the network device.
  - 66. The method of claim 64, wherein correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device comprises comparing one or more ports indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more ports indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 67. The method of claim 64, wherein correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device comprises correlating one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 68. The method of claim 64, wherein correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device comprises comparing application-layer data indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with application-layer data indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 69. The method of claim 64, wherein correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device comprises comparing one or more network-interface identifiers of the network device indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more network-interface identifiers of the network device indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 70. The method of claim 64, wherein correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device comprises comparing one or more times indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more times indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 71. The method of claim 64, wherein:
    - the network device comprises a proxy configured to;
      
      receive requests, for data from the host located in the second network, transmitted by the host located in the first network; and
      
      generate requests corresponding to the requests transmitted by the host located in the first network and configured to cause the host located in the second network to transmit, to the network device, the data from the host located in the second network; and
      
      correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device comprises comparing data from the requests transmitted by the host located in the first network with data from the requests corresponding to the requests transmitted by the host located in the first network.
  - 72. The method of claim 64, wherein:
    - the network device comprises a gateway configured to;
      
      receive, from the host located in the first network, data destined for the host located in the second network; and
      
      generate one or more packets, destined for the host located in the second network, encapsulating the data destined for the host located in the second network; and
      
      correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device comprises comparing at least a portion of the data destined for the host located in the second network with data from the one or more packets encapsulating the data destined for the host located in the second network.
  - 73. The method of claim 64, wherein the host located in the second network is associated with a malicious entity, the method comprising generating, by the computing system, data configured to cause the first network to drop packets transmitted by the host located in the first network.
  - 74. The method of claim 64, wherein a communication path that interfaces the network device and the first network comprises a packet-filtering device, the method comprising:
    - generating, by the computing system, one or more rules configured to identify packets received from the host located in the first network;
      
      provisioning, by the computing system, the packet-filtering device with the one or more rules configured to identify packets received from the host located in the first network;
      
      identifying, by the packet-filtering device and based on the one or more rules configured to identify packets received from the host located in the first network, at least one packet received from the host located in the first network; and
      
      responsive to identifying the at least one packet received from the host located in the first network, dropping, by the packet-filtering device, the at least one packet received from the host located in the first network.
  - 75. The method of claim 64, comprising:
    - generating, by the computing system, a message identifying the host located in the first network; and
      
      communicating, by the computing system and to at least one of the host located in the first network or a computing device associated with an administrator of the first network, the message identifying the host located in the first network.

76. A system comprising:
- at least one processor; and
  
  a memory storing instructions that when executed by the at least one processor cause the system to;
  
  identify a plurality of packets received by a network device from a host located in a first network;
  
  generate a plurality of log entries corresponding to the plurality of packets received by the network device, the plurality of log entries corresponding to the plurality of packets received by the network device comprising a plurality of timestamps indicating times corresponding to receipt, by the network device, of the plurality of packets received by the network device;
  
  identify a plurality of packets transmitted by the network device to a host located in a second network;
  
  generate a plurality of log entries corresponding to the plurality of packets transmitted by the network device, the plurality of log entries corresponding to the plurality of packets transmitted by the network device comprising a plurality of timestamps indicating times corresponding to transmission, by the network device, of the plurality of packets transmitted by the network device;
  
  determine, for each timestamp of the plurality of timestamps indicating the times corresponding to transmission of the plurality of packets transmitted by the network device, that a difference between a time indicated by the timestamp and a time indicated by a timestamp of the plurality of timestamps indicating the times corresponding to receipt of the plurality of packets received by the network device is less than a threshold latency value for the network device;
  
  correlate, based on the plurality of log entries corresponding to the plurality of packets received by the network device and the plurality of log entries corresponding to the plurality of packets transmitted by the network device, the plurality of packets transmitted by the network device with the plurality of packets received by the network device; and
  
  responsive to correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device;
  
  generate data identifying the host located in the first network; and
  
  communicate, to a device located in the first network, the data identifying the host located in the first network.
- View Dependent Claims (77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87)
- - 77. The system of claim 76, wherein the instructions, when executed by the at least one processor, cause the system to:
    - determine a plurality of latency values for the network device, wherein the plurality of latency values comprises, for each timestamp of a first portion of the plurality of timestamps indicating the times corresponding to transmission of the plurality of packets transmitted by the network device, a difference between a time indicated by the timestamp and a time indicated by a timestamp of the plurality of timestamps indicating the times corresponding to receipt of the plurality of packets received by the network device;
      
      determine, based on the plurality of latency values, an updated threshold latency value for the network device; and
      
      determine, for each timestamp of a second portion of the plurality of timestamps indicating the times corresponding to transmission of the plurality of packets transmitted by the network device that a difference between a time indicated by the timestamp and a time indicated by a timestamp of the plurality of timestamps indicating the times corresponding to receipt of the plurality of packets received by the network device is less than the updated threshold latency value for the network device.
  - 78. The system of claim 76, wherein the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of one or more ports indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more ports indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 79. The system of claim 76, wherein the instructions, when executed by the at least one processor, cause the system to correlate one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 80. The system of claim 76, wherein the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of application-layer data indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with application-layer data indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 81. The system of claim 76, wherein the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of one or more network-interface identifiers of the network device indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more network-interface identifiers of the network device indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 82. The system of claim 76, wherein the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of one or more times indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more times indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 83. The system of claim 76, wherein:
    - the network device comprises a proxy configured to;
      
      receive requests, for data from the host located in the second network, transmitted by the host located in the first network; and
      
      generate requests corresponding to the requests transmitted by the host located in the first network and configured to cause the host located in the second network to transmit, to the network device, the data from the host located in the second network; and
      
      the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of data from the requests transmitted by the host located in the first network with data from the requests corresponding to the requests transmitted by the host located in the first network.
  - 84. The system of claim 76, wherein:
    - the network device comprises a gateway configured to;
      
      receive, from the host located in the first network, data destined for the host located in the second network; and
      
      generate one or more packets, destined for the host located in the second network, encapsulating the data destined for the host located in the second network; and
      
      the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of at least a portion of the data destined for the host located in the second network with data from the one or more packets encapsulating the data destined for the host located in the second network.
  - 85. The system of claim 76, wherein the host located in the second network is associated with a malicious entity, and wherein the instructions, when executed by the at least one processor, cause the system to generate data configured to cause the first network to drop packets transmitted by the host located in the first network.
  - 86. The system of claim 76, wherein a communication link that interfaces the network device and the first network comprises a packet-filtering device, and wherein the instructions, when executed by the at least one processor, cause the system to:
    - generate one or more rules configured to identify packets received from the host located in the first network;
      
      provision the packet-filtering device with the one or more rules configured to identify packets received from the host located in the first network; and
      
      configure the packet-filtering device to;
      
      identify, based on the one or more rules configured to identify packets received from the host located in the first network, at least one packet received from the host located in the first network; and
      
      responsive to identifying the at least one packet received from the host located in the first network, drop the at least one packet received from the host located in the first network.
  - 87. The system of claim 76, wherein the instructions, when executed by the at least one processor, cause the system to:
    - generate a message identifying the host located in the first network; and
      
      communicate, to at least one of the host located in the first network or a computing device associated with an administrator of the first network, the message identifying the host located in the first network.

88. One or more non-transitory computer-readable media comprising instructions that when executed by a computing system cause the computing system to:
- identify a plurality of packets received by a network device from a host located in a first network;
  
  generate a plurality of log entries corresponding to the plurality of packets received by the network device, the plurality of log entries corresponding to the plurality of packets received by the network device comprising a plurality of timestamps indicating times corresponding to receipt, by the network device, of the plurality of packets received by the network device;
  
  identify a plurality of packets transmitted by the network device to a host located in a second network;
  
  generate a plurality of log entries corresponding to the plurality of packets transmitted by the network device, the plurality of log entries corresponding to the plurality of packets transmitted by the network device comprising a plurality of timestamps indicating times corresponding to transmission, by the network device, of the plurality of packets transmitted by the network device;
  
  determine, for each timestamp of the plurality of timestamps indicating the times corresponding to transmission of the plurality of packets transmitted by the network device, that a difference between a time indicated by the timestamp and a time indicated by a timestamp of the plurality of timestamps indicating the times corresponding to receipt of the plurality of packets received by the network device is less than a threshold latency value for the network device;
  
  correlate, based on the plurality of log entries corresponding to the plurality of packets received by the network device and the plurality of log entries corresponding to the plurality of packets transmitted by the network device, the plurality of packets transmitted by the network device with the plurality of packets received by the network device; and
  
  responsive to correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device;
  
  generate data identifying the host located in the first network; and
  
  communicate, to a device located in the first network, the data identifying the host located in the first network.
- View Dependent Claims (89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99)
- - 89. The one or more non-transitory computer-readable media of claim 88, wherein the instructions, when executed by the computing system, cause the computing system to:
    - determine a plurality of latency values for the network device, wherein the plurality of latency values comprises, for each timestamp of a first portion of the plurality of timestamps indicating the times corresponding to transmission of the plurality of packets transmitted by the network device, a difference between a time indicated by the timestamp and a time indicated by a timestamp of the plurality of timestamps indicating the times corresponding to receipt of the plurality of packets received by the network device;
      
      determine, based on the plurality of latency values, an updated threshold latency value for the network device; and
      
      determine, for each timestamp of a second portion of the plurality of timestamps indicating the times corresponding to transmission of the plurality of packets transmitted by the network device that a difference between a time indicated by the timestamp and a time indicated by a timestamp of the plurality of timestamps indicating the times corresponding to receipt of the plurality of packets received by the network device is less than the updated threshold latency value for the network device.
  - 90. The one or more non-transitory computer-readable media of claim 88, wherein the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of one or more ports indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more ports indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 91. The one or more non-transitory computer-readable media of claim 88, wherein the instructions, when executed by the computing system, cause the computing system to correlate one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 92. The one or more non-transitory computer-readable media of claim 88, wherein the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of application-layer data indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with application-layer data indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 93. The one or more non-transitory computer-readable media of claim 88, wherein the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of one or more network-interface identifiers of the network device indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more network-interface identifiers of the network device indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 94. The one or more non-transitory computer-readable media of claim 88, wherein the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of one or more times indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more times indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 95. The one or more non-transitory computer-readable media of claim 88, wherein:
    - the network device comprises a proxy configured to;
      
      receive requests, for data from the host located in the second network, transmitted by the host located in the first network; and
      
      generate requests corresponding to the requests transmitted by the host located in the first network and configured to cause the host located in the second network to transmit, to the network device, the data from the host located in the second network; and
      
      the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of data from the requests transmitted by the host located in the first network with data from the requests corresponding to the requests transmitted by the host located in the first network.
  - 96. The one or more non-transitory computer-readable media of claim 88, wherein:
    - the network device comprises a gateway configured to;
      
      receive, from the host located in the first network, data destined for the host located in the second network; and
      
      generate one or more packets, destined for the host located in the second network, encapsulating the data destined for the host located in the second network; and
      
      the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of at least a portion of the data destined for the host located in the second network with data from the one or more packets encapsulating the data destined for the host located in the second network.
  - 97. The one or more non-transitory computer-readable media of claim 88, wherein the host located in the second network is associated with a malicious entity, and wherein the instructions, when executed by the computing system, cause the computing system to generate data configured to cause the first network to drop packets transmitted by the host located in the first network.
  - 98. The one or more non-transitory computer-readable media of claim 88, wherein a communication link that interfaces the network device and the first network comprises a packet-filtering device, and wherein the instructions, when executed by the computing system, cause the computing system to:
    - generate one or more rules configured to identify packets received from the host located in the first network;
      
      provision the packet-filtering device with the one or more rules configured to identify packets received from the host located in the first network; and
      
      configure the packet-filtering device to;
      
      identify, based on the one or more rules configured to identify packets received from the host located in the first network, at least one packet received from the host located in the first network; and
      
      responsive to identifying the at least one packet received from the host located in the first network, drop the at least one packet received from the host located in the first network.
  - 99. The one or more non-transitory computer-readable media of claim 88, wherein the instructions, when executed by the computing system, cause the computing system to:
    - generate a message identifying the host located in the first network; and
      
      communicate, to at least one of the host located in the first network or a computing device associated with an administrator of the first network, the message identifying the host located in the first network.

100. A method comprising:
- identifying, by a computing system, a plurality of packets received by a network device from a host located in a first network;
  
  generating, by the computing system, a plurality of log entries corresponding to the plurality of packets received by the network device, the plurality of log entries corresponding to the plurality of packets received by the network device comprising a plurality of timestamps indicating times corresponding to receipt, by the network device, of the plurality of packets received by the network device;
  
  identifying, by the computing system, a plurality of packets transmitted by the network device to a host located in a second network;
  
  generating, by the computing system, a plurality of log entries corresponding to the plurality of packets transmitted by the network device, the plurality of log entries corresponding to the plurality of packets transmitted by the network device comprising a plurality of timestamps indicating times corresponding to transmission, by the network device, of the plurality of packets transmitted by the network device;
  
  determining, by the computing system, a plurality of latency values for the network device, wherein determining the plurality of latency values comprises determining, for each timestamp of a first portion of the plurality of timestamps indicating the times corresponding to transmission of the plurality of packets transmitted by the network device a difference between a time indicated by the timestamp and a time indicated by a timestamp of the plurality of timestamps indicating the times corresponding to receipt of the plurality of packets received by the network device;
  
  determining, by the computing system and based on the plurality of latency values, a threshold latency value for the network device;
  
  determining, by the computing system and for each timestamp of a second portion of the plurality of timestamps indicating the times corresponding to transmission of the plurality of packets transmitted by the network device that a difference between a time indicated by the timestamp and a time indicated by a timestamp of the plurality of timestamps indicating the times corresponding to receipt of the plurality of packets received by the network device is less than the threshold latency value for the network device;
  
  correlating, by the computing system and based on the plurality of log entries corresponding to the plurality of packets received by the network device and the plurality of log entries corresponding to the plurality of packets transmitted by the network device, the plurality of packets transmitted by the network device with the plurality of packets received by the network device; and
  
  responsive to correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device;
  
  generating, by the computing system, data identifying the host located in the first network; and
  
  communicating, by the computing system and to a device located in the first network, the data identifying the host located in the first network.
- View Dependent Claims (101, 102, 103, 104, 105, 106, 107, 108, 109, 110)
- - 101. The method of claim 100, wherein correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device comprises comparing one or more ports indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more ports indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 102. The method of claim 100, wherein correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device comprises correlating one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 103. The method of claim 100, wherein correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device comprises comparing application-layer data indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with application-layer data indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 104. The method of claim 100, wherein correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device comprises comparing one or more network-interface identifiers of the network device indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more network-interface identifiers of the network device indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 105. The method of claim 100, wherein correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device comprises comparing one or more times indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more times indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 106. The method of claim 100, wherein:
    - the network device comprises a proxy configured to;
      
      receive requests, for data from the host located in the second network, transmitted by the host located in the first network; and
      
      generate requests corresponding to the requests transmitted by the host located in the first network and configured to cause the host located in the second network to transmit, to the network device, the data from the host located in the second network; and
      
      correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device comprises comparing data from the requests transmitted by the host located in the first network with data from the requests corresponding to the requests transmitted by the host located in the first network.
  - 107. The method of claim 100, wherein:
    - the network device comprises a gateway configured to;
      
      receive, from the host located in the first network, data destined for the host located in the second network; and
      
      generate one or more packets, destined for the host located in the second network, encapsulating the data destined for the host located in the second network; and
      
      correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device comprises comparing at least a portion of the data destined for the host located in the second network with data from the one or more packets encapsulating the data destined for the host located in the second network.
  - 108. The method of claim 100, wherein the host located in the second network is associated with a malicious entity, the method comprising generating, by the computing system, data configured to cause the first network to drop packets transmitted by the host located in the first network.
  - 109. The method of claim 100, wherein a communication path that interfaces the network device and the first network comprises a packet-filtering device, the method comprising:
    - generating, by the computing system, one or more rules configured to identify packets received from the host located in the first network;
      
      provisioning, by the computing system, the packet-filtering device with the one or more rules configured to identify packets received from the host located in the first network;
      
      identifying, by the packet-filtering device and based on the one or more rules configured to identify packets received from the host located in the first network, at least one packet received from the host located in the first network; and
      
      responsive to identifying the at least one packet received from the host located in the first network, dropping, by the packet-filtering device, the at least one packet received from the host located in the first network.
  - 110. The method of claim 100, comprising:
    - generating, by the computing system, a message identifying the host located in the first network; and
      
      communicating, by the computing system and to at least one of the host located in the first network or a computing device associated with an administrator of the first network, the message identifying the host located in the first network.

111. A system comprising:
- at least one processor; and
  
  a memory storing instructions that when executed by the at least one processor cause the system to;
  
  identify a plurality of packets received by a network device from a host located in a first network;
  
  generate a plurality of log entries corresponding to the plurality of packets received by the network device, the plurality of log entries corresponding to the plurality of packets received by the network device comprising a plurality of timestamps indicating times corresponding to receipt, by the network device, of the plurality of packets received by the network device;
  
  identify a plurality of packets transmitted by the network device to a host located in a second network;
  
  generate a plurality of log entries corresponding to the plurality of packets transmitted by the network device, the plurality of log entries corresponding to the plurality of packets transmitted by the network device comprising a plurality of timestamps indicating times corresponding to transmission, by the network device, of the plurality of packets transmitted by the network device;
  
  determine a plurality of latency values for the network device, wherein the plurality of latency values comprises, for each timestamp of a first portion of the plurality of timestamps indicating the times corresponding to transmission of the plurality of packets transmitted by the network device, a difference between a time indicated by the timestamp and a time indicated by a timestamp of the plurality of timestamps indicating the times corresponding to receipt of the plurality of packets received by the network device;
  
  determine, based on the plurality of latency values, a threshold latency value for the network device;
  
  determine, for each timestamp of a second portion of the plurality of timestamps indicating the times corresponding to transmission of the plurality of packets transmitted by the network device that a difference between a time indicated by the timestamp and a time indicated by a timestamp of the plurality of timestamps indicating the times corresponding to receipt of the plurality of packets received by the network device is less than the threshold latency value for the network device;
  
  correlate, based on the plurality of log entries corresponding to the plurality of packets received by the network device and the plurality of log entries corresponding to the plurality of packets transmitted by the network device, the plurality of packets transmitted by the network device with the plurality of packets received by the network device; and
  
  responsive to correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device;
  
  generate data identifying the host located in the first network; and
  
  communicate, to a device located in the first network, the data identifying the host located in the first network.
- View Dependent Claims (112, 113, 114, 115, 116, 117, 118, 119, 120, 121)
- - 112. The system of claim 111, wherein the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of one or more ports indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more ports indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 113. The system of claim 111, wherein the instructions, when executed by the at least one processor, cause the system to correlate one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 114. The system of claim 111, wherein the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of application-layer data indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with application-layer data indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 115. The system of claim 111, wherein the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of one or more network-interface identifiers of the network device indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more network-interface identifiers of the network device indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 116. The system of claim 111, wherein the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of one or more times indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more times indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 117. The system of claim 111, wherein:
    - the network device comprises a proxy configured to;
      
      receive requests, for data from the host located in the second network, transmitted by the host located in the first network; and
      
      generate requests corresponding to the requests transmitted by the host located in the first network and configured to cause the host located in the second network to transmit, to the network device, the data from the host located in the second network; and
      
      the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of data from the requests transmitted by the host located in the first network with data from the requests corresponding to the requests transmitted by the host located in the first network.
  - 118. The system of claim 111, wherein:
    - the network device comprises a gateway configured to;
      
      receive, from the host located in the first network, data destined for the host located in the second network; and
      
      generate one or more packets, destined for the host located in the second network, encapsulating the data destined for the host located in the second network; and
      
      the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of at least a portion of the data destined for the host located in the second network with data from the one or more packets encapsulating the data destined for the host located in the second network.
  - 119. The system of claim 111, wherein the host located in the second network is associated with a malicious entity, and wherein the instructions, when executed by the at least one processor, cause the system to generate data configured to cause the first network to drop packets transmitted by the host located in the first network.
  - 120. The system of claim 111, wherein a communication link that interfaces the network device and the first network comprises a packet-filtering device, and wherein the instructions, when executed by the at least one processor, cause the system to:
    - generate one or more rules configured to identify packets received from the host located in the first network;
      
      provision the packet-filtering device with the one or more rules configured to identify packets received from the host located in the first network; and
      
      configure the packet-filtering device to;
      
      identify, based on the one or more rules configured to identify packets received from the host located in the first network, at least one packet received from the host located in the first network; and
      
      responsive to identifying the at least one packet received from the host located in the first network, drop the at least one packet received from the host located in the first network.
  - 121. The system of claim 111, wherein the instructions, when executed by the at least one processor, cause the system to:
    - generate a message identifying the host located in the first network; and
      
      communicate, to at least one of the host located in the first network or a computing device associated with an administrator of the first network, the message identifying the host located in the first network.

122. One or more non-transitory computer-readable media comprising instructions that when executed by a computing system cause the computing system to:
- identify a plurality of packets received by a network device from a host located in a first network;
  
  generate a plurality of log entries corresponding to the plurality of packets received by the network device, the plurality of log entries corresponding to the plurality of packets received by the network device comprising a plurality of timestamps indicating times corresponding to receipt, by the network device, of the plurality of packets received by the network device;
  
  identify a plurality of packets transmitted by the network device to a host located in a second network;
  
  generate a plurality of log entries corresponding to the plurality of packets transmitted by the network device, the plurality of log entries corresponding to the plurality of packets transmitted by the network device comprising a plurality of timestamps indicating times corresponding to transmission, by the network device, of the plurality of packets transmitted by the network device;
  
  determine a plurality of latency values for the network device, wherein the plurality of latency values comprises, for each timestamp of a first portion of the plurality of timestamps indicating the times corresponding to transmission of the plurality of packets transmitted by the network device, a difference between a time indicated by the timestamp and a time indicated by a timestamp of the plurality of timestamps indicating the times corresponding to receipt of the plurality of packets received by the network device;
  
  determine, based on the plurality of latency values, a threshold latency value for the network device;
  
  determine, for each timestamp of a second portion of the plurality of timestamps indicating the times corresponding to transmission of the plurality of packets transmitted by the network device that a difference between a time indicated by the timestamp and a time indicated by a timestamp of the plurality of timestamps indicating the times corresponding to receipt of the plurality of packets received by the network device is less than the threshold latency value for the network device;
  
  correlate, based on the plurality of log entries corresponding to the plurality of packets received by the network device and the plurality of log entries corresponding to the plurality of packets transmitted by the network device, the plurality of packets transmitted by the network device with the plurality of packets received by the network device; and
  
  responsive to correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device;
  
  generate data identifying the host located in the first network; and
  
  communicate, to a device located in the first network, the data identifying the host located in the first network.
- View Dependent Claims (123, 124, 125, 126, 127, 128, 129, 130, 131, 132)
- - 123. The one or more non-transitory computer-readable media of claim 122, wherein the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of one or more ports indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more ports indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 124. The one or more non-transitory computer-readable media of claim 122, wherein the instructions, when executed by the computing system, cause the computing system to correlate one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 125. The one or more non-transitory computer-readable media of claim 122, wherein the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of application-layer data indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with application-layer data indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 126. The one or more non-transitory computer-readable media of claim 122, wherein the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of one or more network-interface identifiers of the network device indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more network-interface identifiers of the network device indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 127. The one or more non-transitory computer-readable media of claim 122, wherein the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of one or more times indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more times indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 128. The one or more non-transitory computer-readable media of claim 122, wherein:
    - the network device comprises a proxy configured to;
      
      receive requests, for data from the host located in the second network, transmitted by the host located in the first network; and
      
      generate requests corresponding to the requests transmitted by the host located in the first network and configured to cause the host located in the second network to transmit, to the network device, the data from the host located in the second network; and
      
      the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of data from the requests transmitted by the host located in the first network with data from the requests corresponding to the requests transmitted by the host located in the first network.
  - 129. The one or more non-transitory computer-readable media of claim 122, wherein:
    - the network device comprises a gateway configured to;
      
      receive, from the host located in the first network, data destined for the host located in the second network; and
      
      generate one or more packets, destined for the host located in the second network, encapsulating the data destined for the host located in the second network; and
      
      the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of at least a portion of the data destined for the host located in the second network with data from the one or more packets encapsulating the data destined for the host located in the second network.
  - 130. The one or more non-transitory computer-readable media of claim 122, wherein the host located in the second network is associated with a malicious entity, and wherein the instructions, when executed by the computing system, cause the computing system to generate data configured to cause the first network to drop packets transmitted by the host located in the first network.
  - 131. The one or more non-transitory computer-readable media of claim 122, wherein a communication link that interfaces the network device and the first network comprises a packet-filtering device, and wherein the instructions, when executed by the computing system, cause the computing system to:
    - generate one or more rules configured to identify packets received from the host located in the first network;
      
      provision the packet-filtering device with the one or more rules configured to identify packets received from the host located in the first network; and
      
      configure the packet-filtering device to;
      
      identify, based on the one or more rules configured to identify packets received from the host located in the first network, at least one packet received from the host located in the first network; and
      
      responsive to identifying the at least one packet received from the host located in the first network, drop the at least one packet received from the host located in the first network.
  - 132. The one or more non-transitory computer-readable media of claim 122, wherein the instructions, when executed by the computing system, cause the computing system to:
    - generate a message identifying the host located in the first network; and
      
      communicate, to at least one of the host located in the first network or a computing device associated with an administrator of the first network, the message identifying the host located in the first network.

133. A method comprising:
- identifying, by a computing system, a plurality of packets received by a proxy device from a host located in a first network, the proxy device being configured to receive requests, for data from a host located in a second network, transmitted by the host located in the first network, and the proxy device being configured to generate requests corresponding to the requests transmitted by the host located in the first network and configured to cause the host located in the second network to transmit, to the proxy device, the data from the host located in the second network;
  
  generating, by the computing system, a plurality of log entries corresponding to the plurality of packets received by the proxy device;
  
  identifying, by the computing system, a plurality of packets transmitted by the proxy device to the host located in the second network;
  
  generating, by the computing system, a plurality of log entries corresponding to the plurality of packets transmitted by the proxy device;
  
  correlating, by the computing system and based on the plurality of log entries corresponding to the plurality of packets received by the proxy device, the plurality of log entries corresponding to the plurality of packets transmitted by the proxy device, and a comparison of data from the requests transmitted by the host located in the first network with data from the requests corresponding to the requests transmitted by the host located in the first network, the plurality of packets transmitted by the proxy device with the plurality of packets received by the proxy device; and
  
  responsive to correlating the plurality of packets transmitted by the proxy device with the plurality of packets received by the proxy device;
  
  generating, by the computing system, data identifying the host located in the first network; and
  
  communicating, by the computing system and to a device located in the first network, the data identifying the host located in the first network.
- View Dependent Claims (134, 135, 136, 137, 138, 139, 140, 141)
- - 134. The method of claim 133, wherein correlating the plurality of packets transmitted by the proxy device with the plurality of packets received by the proxy device comprises comparing one or more ports indicated by the plurality of log entries corresponding to the plurality of packets received by the proxy device with one or more ports indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the proxy device.
  - 135. The method of claim 133, wherein correlating the plurality of packets transmitted by the proxy device with the plurality of packets received by the proxy device comprises correlating one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets received by the proxy device with one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the proxy device.
  - 136. The method of claim 133, wherein correlating the plurality of packets transmitted by the proxy device with the plurality of packets received by the proxy device comprises comparing application-layer data indicated by the plurality of log entries corresponding to the plurality of packets received by the proxy device with application-layer data indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the proxy device.
  - 137. The method of claim 133, wherein correlating the plurality of packets transmitted by the proxy device with the plurality of packets received by the proxy device comprises comparing one or more network-interface identifiers indicated by the plurality of log entries corresponding to the plurality of packets received by the proxy device with one or more network-interface identifiers indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the proxy device.
  - 138. The method of claim 133, wherein correlating the plurality of packets transmitted by the proxy device with the plurality of packets received by the proxy device comprises comparing one or more times indicated by the plurality of log entries corresponding to the plurality of packets received by the proxy device with one or more times indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the proxy device.
  - 139. The method of claim 133, wherein the host located in the second network is associated with a malicious entity, the method comprising generating, by the computing system, data configured to cause the first network to drop packets transmitted by the host located in the first network.
  - 140. The method of claim 133, wherein a communication path that interfaces the proxy device and the first network comprises a packet-filtering device, the method comprising:
    - generating, by the computing system, one or more rules configured to identify packets received from the host located in the first network;
      
      provisioning, by the computing system, the packet-filtering device with the one or more rules configured to identify packets received from the host located in the first network;
      
      identifying, by the packet-filtering device and based on the one or more rules configured to identify packets received from the host located in the first network, at least one packet received from the host located in the first network; and
      
      responsive to identifying the at least one packet received from the host located in the first network, dropping, by the packet-filtering device, the at least one packet received from the host located in the first network.
  - 141. The method of claim 133, comprising:
    - generating, by the computing system, a message identifying the host located in the first network; and
      
      communicating, by the computing system and to at least one of the host located in the first network or a computing device associated with an administrator of the first network, the message identifying the host located in the first network.

142. A system comprising:
- at least one processor; and
  
  a memory storing instructions that when executed by the at least one processor cause the system to;
  
  identify a plurality of packets received by a proxy device from a host located in a first network, the proxy device being configured to receive requests, for data from a host located in a second network, transmitted by the host located in the first network, and the proxy device being configured to generate requests corresponding to the requests transmitted by the host located in the first network and configured to cause the host located in the second network to transmit, to the proxy device, the data from the host located in the second network;
  
  generate a plurality of log entries corresponding to the plurality of packets received by the proxy device;
  
  identify a plurality of packets transmitted by the proxy device to the host located in the second network;
  
  generate a plurality of log entries corresponding to the plurality of packets transmitted by the proxy device;
  
  correlate, based on the plurality of log entries corresponding to the plurality of packets received by the proxy device, the plurality of log entries corresponding to the plurality of packets transmitted by the proxy device, and a comparison of data from the requests transmitted by the host located in the first network with data from the requests corresponding to the requests transmitted by the host located in the first network, the plurality of packets transmitted by the proxy device with the plurality of packets received by the proxy device; and
  
  responsive to correlating the plurality of packets transmitted by the proxy device with the plurality of packets received by the proxy device;
  
  generate data identifying the host located in the first network; and
  
  communicate, to a device located in the first network, the data identifying the host located in the first network.
- View Dependent Claims (143, 144, 145, 146, 147, 148, 149, 150)
- - 143. The system of claim 142, wherein the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the proxy device with the plurality of packets received by the proxy device based on a comparison of one or more ports indicated by the plurality of log entries corresponding to the plurality of packets received by the proxy device with one or more ports indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the proxy device.
  - 144. The system of claim 142, wherein the instructions, when executed by the at least one processor, cause the system to correlate one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets received by the proxy device with one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the proxy device.
  - 145. The system of claim 142, wherein the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the proxy device with the plurality of packets received by the proxy device based on a comparison of application-layer data indicated by the plurality of log entries corresponding to the plurality of packets received by the proxy device with application-layer data indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the proxy device.
  - 146. The system of claim 142, wherein the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the proxy device with the plurality of packets received by the proxy device based on a comparison of one or more network-interface identifiers indicated by the plurality of log entries corresponding to the plurality of packets received by the proxy device with one or more network-interface identifiers indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the proxy device.
  - 147. The system of claim 142, wherein the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the proxy device with the plurality of packets received by the proxy device based on a comparison of one or more times indicated by the plurality of log entries corresponding to the plurality of packets received by the proxy device with one or more times indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the proxy device.
  - 148. The system of claim 142, wherein the host located in the second network is associated with a malicious entity, and wherein the instructions, when executed by the at least one processor, cause the system to generate data configured to cause the first network to drop packets transmitted by the host located in the first network.
  - 149. The system of claim 142, wherein a communication link that interfaces the proxy device and the first network comprises a packet-filtering device, and wherein the instructions, when executed by the at least one processor, cause the system to:
    - generate one or more rules configured to identify packets received from the host located in the first network;
      
      provision the packet-filtering device with the one or more rules configured to identify packets received from the host located in the first network; and
      
      configure the packet-filtering device to;
      
      identify, based on the one or more rules configured to identify packets received from the host located in the first network, at least one packet received from the host located in the first network; and
      
      responsive to identifying the at least one packet received from the host located in the first network, drop the at least one packet received from the host located in the first network.
  - 150. The system of claim 142, wherein the instructions, when executed by the at least one processor, cause the system to:
    - generate a message identifying the host located in the first network; and
      
      communicate, to at least one of the host located in the first network or a computing device associated with an administrator of the first network, the message identifying the host located in the first network.

151. One or more non-transitory computer-readable media comprising instructions that when executed by a computing system cause the computing system to:
- identify a plurality of packets received by a proxy device from a host located in a first network, the proxy device being configured to receive requests, for data from a host located in a second network, transmitted by the host located in the first network, and the proxy device being configured to generate requests corresponding to the requests transmitted by the host located in the first network and configured to cause the host located in the second network to transmit, to the proxy device, the data from the host located in the second network;
  
  generate a plurality of log entries corresponding to the plurality of packets received by the proxy device;
  
  identify a plurality of packets transmitted by the proxy device to the host located in the second network;
  
  generate a plurality of log entries corresponding to the plurality of packets transmitted by the proxy device;
  
  correlate, based on the plurality of log entries corresponding to the plurality of packets received by the proxy device, the plurality of log entries corresponding to the plurality of packets transmitted by the proxy device, and a comparison of data from the requests transmitted by the host located in the first network with data from the requests corresponding to the requests transmitted by the host located in the first network, the plurality of packets transmitted by the proxy device with the plurality of packets received by the proxy device; and
  
  responsive to correlating the plurality of packets transmitted by the proxy device with the plurality of packets received by the proxy device;
  
  generate data identifying the host located in the first network; and
  
  communicate, to a device located in the first network, the data identifying the host located in the first network.
- View Dependent Claims (152, 153, 154, 155, 156, 157, 158, 159)
- - 152. The one or more non-transitory computer-readable media of claim 151, wherein the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the proxy device with the plurality of packets received by the proxy device based on a comparison of one or more ports indicated by the plurality of log entries corresponding to the plurality of packets received by the proxy device with one or more ports indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the proxy device.
  - 153. The one or more non-transitory computer-readable media of claim 151, wherein the instructions, when executed by the computing system, cause the computing system to correlate one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets received by the proxy device with one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the proxy device.
  - 154. The one or more non-transitory computer-readable media of claim 151, wherein the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the proxy device with the plurality of packets received by the proxy device based on a comparison of application-layer data indicated by the plurality of log entries corresponding to the plurality of packets received by the proxy device with application-layer data indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the proxy device.
  - 155. The one or more non-transitory computer-readable media of claim 151, wherein the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the proxy device with the plurality of packets received by the proxy device based on a comparison of one or more network-interface identifiers indicated by the plurality of log entries corresponding to the plurality of packets received by the proxy device with one or more network-interface identifiers indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the proxy device.
  - 156. The one or more non-transitory computer-readable media of claim 151, wherein the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the proxy device with the plurality of packets received by the proxy device based on a comparison of one or more times indicated by the plurality of log entries corresponding to the plurality of packets received by the proxy device with one or more times indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the proxy device.
  - 157. The one or more non-transitory computer-readable media of claim 151, wherein the host located in the second network is associated with a malicious entity, and wherein the instructions, when executed by the computing system, cause the computing system to generate data configured to cause the first network to drop packets transmitted by the host located in the first network.
  - 158. The one or more non-transitory computer-readable media of claim 151, wherein a communication link that interfaces the proxy device and the first network comprises a packet-filtering device, and wherein the instructions, when executed by the computing system, cause the computing system to:
    - generate one or more rules configured to identify packets received from the host located in the first network;
      
      provision the packet-filtering device with the one or more rules configured to identify packets received from the host located in the first network; and
      
      configure the packet-filtering device to;
      
      identify, based on the one or more rules configured to identify packets received from the host located in the first network, at least one packet received from the host located in the first network; and
      
      responsive to identifying the at least one packet received from the host located in the first network, drop the at least one packet received from the host located in the first network.
  - 159. The one or more non-transitory computer-readable media of claim 151, wherein the instructions, when executed by the computing system, cause the computing system to:
    - generate a message identifying the host located in the first network; and
      
      communicate, to at least one of the host located in the first network or a computing device associated with an administrator of the first network, the message identifying the host located in the first network.

160. A method comprising:
- identifying, by a computing system, a plurality of packets received by a gateway device from a host located in a first network, the gateway device being configured to receive, from the host located in the first network, data destined for a host located in a second network, and the gateway device being configured to generate one or more packets, destined for the host located in the second network, encapsulating the data destined for the host located in the second network;
  
  generating, by the computing system, a plurality of log entries corresponding to the plurality of packets received by the gateway device;
  
  identifying, by the computing system, a plurality of packets transmitted by the gateway device to the host located in the second network;
  
  generating, by the computing system, a plurality of log entries corresponding to the plurality of packets transmitted by the gateway device;
  
  correlating, by the computing system and based on the plurality of log entries corresponding to the plurality of packets received by the gateway device, the plurality of log entries corresponding to the plurality of packets transmitted by the gateway device, and a comparison of at least a portion of the data destined for the host located in the second network with data from the one or more packets encapsulating the data destined for the host located in the second network, the plurality of packets transmitted by the gateway device with the plurality of packets received by the gateway device; and
  
  responsive to correlating the plurality of packets transmitted by the gateway device with the plurality of packets received by the gateway device;
  
  generating, by the computing system, data identifying the host located in the first network; and
  
  communicating, by the computing system and to a device located in the first network, the data identifying the host located in the first network.
- View Dependent Claims (161, 162, 163, 164, 165, 166, 167, 168)
- - 161. The method of claim 160, wherein correlating the plurality of packets transmitted by the gateway device with the plurality of packets received by the gateway device comprises comparing one or more ports indicated by the plurality of log entries corresponding to the plurality of packets received by the gateway device with one or more ports indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the gateway device.
  - 162. The method of claim 160, wherein correlating the plurality of packets transmitted by the gateway device with the plurality of packets received by the gateway device comprises correlating one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets received by the gateway device with one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the gateway device.
  - 163. The method of claim 160, wherein correlating the plurality of packets transmitted by the gateway device with the plurality of packets received by the gateway device comprises comparing application-layer data indicated by the plurality of log entries corresponding to the plurality of packets received by the gateway device with application-layer data indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the gateway device.
  - 164. The method of claim 160, wherein correlating the plurality of packets transmitted by the gateway device with the plurality of packets received by the gateway device comprises comparing one or more network-interface identifiers indicated by the plurality of log entries corresponding to the plurality of packets received by the gateway device with one or more network-interface identifiers indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the gateway device.
  - 165. The method of claim 160, wherein correlating the plurality of packets transmitted by the gateway device with the plurality of packets received by the gateway device comprises comparing one or more times indicated by the plurality of log entries corresponding to the plurality of packets received by the gateway device with one or more times indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the gateway device.
  - 166. The method of claim 160, wherein the host located in the second network is associated with a malicious entity, the method comprising generating, by the computing system, data configured to cause the first network to drop packets transmitted by the host located in the first network.
  - 167. The method of claim 160, wherein a communication path that interfaces the gateway device and the first network comprises a packet-filtering device, the method comprising:
    - generating, by the computing system, one or more rules configured to identify packets received from the host located in the first network;
      
      provisioning, by the computing system, the packet-filtering device with the one or more rules configured to identify packets received from the host located in the first network;
      
      identifying, by the packet-filtering device and based on the one or more rules configured to identify packets received from the host located in the first network, at least one packet received from the host located in the first network; and
      
      responsive to identifying the at least one packet received from the host located in the first network, dropping, by the packet-filtering device, the at least one packet received from the host located in the first network.
  - 168. The method of claim 160, comprising:
    - generating, by the computing system, a message identifying the host located in the first network; and
      
      communicating, by the computing system and to at least one of the host located in the first network or a computing device associated with an administrator of the first network, the message identifying the host located in the first network.

169. A system comprising:
- at least one processor; and
  
  a memory storing instructions that when executed by the at least one processor cause the system to;
  
  identify a plurality of packets received by a gateway device from a host located in a first network, the gateway device being configured to receive, from the host located in the first network, data destined for a host located in a second network, and the gateway device being configured to generate one or more packets, destined for the host located in the second network, encapsulating the data destined for the host located in the second network;
  
  generate a plurality of log entries corresponding to the plurality of packets received by the gateway device;
  
  identify a plurality of packets transmitted by the gateway device to the host located in the second network;
  
  generate a plurality of log entries corresponding to the plurality of packets transmitted by the gateway device;
  
  correlate, based on the plurality of log entries corresponding to the plurality of packets received by the gateway device, the plurality of log entries corresponding to the plurality of packets transmitted by the gateway device, and a comparison of at least a portion of the data destined for the host located in the second network with data from the one or more packets encapsulating the data destined for the host located in the second network, the plurality of packets transmitted by the gateway device with the plurality of packets received by the gateway device; and
  
  responsive to correlating the plurality of packets transmitted by the gateway device with the plurality of packets received by the gateway device;
  
  generate data identifying the host located in the first network; and
  
  communicate, to a device located in the first network, the data identifying the host located in the first network.
- View Dependent Claims (170, 171, 172, 173, 174, 175, 176, 177)
- - 170. The system of claim 169, wherein the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the gateway device with the plurality of packets received by the gateway device based on a comparison of one or more ports indicated by the plurality of log entries corresponding to the plurality of packets received by the gateway device with one or more ports indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the gateway device.
  - 171. The system of claim 169, wherein the instructions, when executed by the at least one processor, cause the system to correlate one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets received by the gateway device with one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the gateway device.
  - 172. The system of claim 169, wherein the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the gateway device with the plurality of packets received by the gateway device based on a comparison of application-layer data indicated by the plurality of log entries corresponding to the plurality of packets received by the gateway device with application-layer data indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the gateway device.
  - 173. The system of claim 169, wherein the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the gateway device with the plurality of packets received by the gateway device based on a comparison of one or more network-interface identifiers indicated by the plurality of log entries corresponding to the plurality of packets received by the gateway device with one or more network-interface identifiers indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the gateway device.
  - 174. The system of claim 169, wherein the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the gateway device with the plurality of packets received by the gateway device based on a comparison of one or more times indicated by the plurality of log entries corresponding to the plurality of packets received by the gateway device with one or more times indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the gateway device.
  - 175. The system of claim 169, wherein the host located in the second network is associated with a malicious entity, and wherein the instructions, when executed by the at least one processor, cause the system to generate data configured to cause the first network to drop packets transmitted by the host located in the first network.
  - 176. The system of claim 169, wherein a communication link that interfaces the gateway device and the first network comprises a packet-filtering device, and wherein the instructions, when executed by the at least one processor, cause the system to:
    - generate one or more rules configured to identify packets received from the host located in the first network;
      
      provision the packet-filtering device with the one or more rules configured to identify packets received from the host located in the first network; and
      
      configure the packet-filtering device to;
      
      identify, based on the one or more rules configured to identify packets received from the host located in the first network, at least one packet received from the host located in the first network; and
      
      responsive to identifying the at least one packet received from the host located in the first network, drop the at least one packet received from the host located in the first network.
  - 177. The system of claim 169, wherein the instructions, when executed by the at least one processor, cause the system to:
    - generate a message identifying the host located in the first network; and
      
      communicate, to at least one of the host located in the first network or a computing device associated with an administrator of the first network, the message identifying the host located in the first network.

178. One or more non-transitory computer-readable media comprising instructions that when executed by a computing system cause the computing system to:
- identify a plurality of packets received by a gateway device from a host located in a first network, the gateway device being configured to receive, from the host located in the first network, data destined for a host located in a second network, and the gateway device being configured to generate one or more packets, destined for the host located in the second network, encapsulating the data destined for the host located in the second network;
  
  generate a plurality of log entries corresponding to the plurality of packets received by the gateway device;
  
  identify a plurality of packets transmitted by the gateway device to the host located in the second network;
  
  generate a plurality of log entries corresponding to the plurality of packets transmitted by the gateway device;
  
  correlate, based on the plurality of log entries corresponding to the plurality of packets received by the gateway device, the plurality of log entries corresponding to the plurality of packets transmitted by the gateway device, and a comparison of at least a portion of the data destined for the host located in the second network with data from the one or more packets encapsulating the data destined for the host located in the second network, the plurality of packets transmitted by the gateway device with the plurality of packets received by the gateway device; and
  
  responsive to correlating the plurality of packets transmitted by the gateway device with the plurality of packets received by the gateway device;
  
  generate data identifying the host located in the first network; and
  
  communicate, to a device located in the first network, the data identifying the host located in the first network.
- View Dependent Claims (179, 180, 181, 182, 183, 184, 185, 186)
- - 179. The one or more non-transitory computer-readable media of claim 178, wherein the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the gateway device with the plurality of packets received by the gateway device based on a comparison of one or more ports indicated by the plurality of log entries corresponding to the plurality of packets received by the gateway device with one or more ports indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the gateway device.
  - 180. The one or more non-transitory computer-readable media of claim 178, wherein the instructions, when executed by the computing system, cause the computing system to correlate one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets received by the gateway device with one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the gateway device.
  - 181. The one or more non-transitory computer-readable media of claim 178, wherein the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the gateway device with the plurality of packets received by the gateway device based on a comparison of application-layer data indicated by the plurality of log entries corresponding to the plurality of packets received by the gateway device with application-layer data indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the gateway device.
  - 182. The one or more non-transitory computer-readable media of claim 178, wherein the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the gateway device with the plurality of packets received by the gateway device based on a comparison of one or more network-interface identifiers indicated by the plurality of log entries corresponding to the plurality of packets received by the gateway device with one or more network-interface identifiers indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the gateway device.
  - 183. The one or more non-transitory computer-readable media of claim 178, wherein the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the gateway device with the plurality of packets received by the gateway device based on a comparison of one or more times indicated by the plurality of log entries corresponding to the plurality of packets received by the gateway device with one or more times indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the gateway device.
  - 184. The one or more non-transitory computer-readable media of claim 178, wherein the host located in the second network is associated with a malicious entity, and wherein the instructions, when executed by the computing system, cause the computing system to generate data configured to cause the first network to drop packets transmitted by the host located in the first network.
  - 185. The one or more non-transitory computer-readable media of claim 178, wherein a communication link that interfaces the gateway device and the first network comprises a packet-filtering device, and wherein the instructions, when executed by the computing system, cause the computing system to:
    - generate one or more rules configured to identify packets received from the host located in the first network;
      
      provision the packet-filtering device with the one or more rules configured to identify packets received from the host located in the first network; and
      
      configure the packet-filtering device to;
      
      identify, based on the one or more rules configured to identify packets received from the host located in the first network, at least one packet received from the host located in the first network; and
      
      responsive to identifying the at least one packet received from the host located in the first network, drop the at least one packet received from the host located in the first network.
  - 186. The one or more non-transitory computer-readable media of claim 178, wherein the instructions, when executed by the computing system, cause the computing system to:
    - generate a message identifying the host located in the first network; and
      
      communicate, to at least one of the host located in the first network or a computing device associated with an administrator of the first network, the message identifying the host located in the first network.

187. A method comprising:
- identifying, by a computing system, a plurality of packets received by a network device from a host located in a first network;
  
  generating, by the computing system, a plurality of log entries corresponding to the plurality of packets received by the network device;
  
  identifying, by the computing system, a plurality of packets transmitted by the network device to a host located in a second network;
  
  generating, by the computing system, a plurality of log entries corresponding to the plurality of packets transmitted by the network device;
  
  correlating, by the computing system and based on the plurality of log entries corresponding to the plurality of packets received by the network device and the plurality of log entries corresponding to the plurality of packets transmitted by the network device, the plurality of packets transmitted by the network device with the plurality of packets received by the network device;
  
  responsive to correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device;
  
  generating, by the computing system, one or more rules configured to identify packets received from the host located in the first network; and
  
  provisioning, by the computing system, a packet-filtering device in a communication path that interfaces the network device and the first network with the one or more rules configured to identify packets received from the host located in the first network; and
  
  identifying, by the packet-filtering device and based on the one or more rules configured to identify packets received from the host located in the first network, at least one packet received from the host located in the first network; and
  
  responsive to identifying the at least one packet received from the host located in the first network, dropping, by the packet-filtering device, the at least one packet received from the host located in the first network.
- View Dependent Claims (188, 189, 190, 191, 192, 193)
- - 188. The method of claim 187, wherein correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device comprises comparing one or more ports indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more ports indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 189. The method of claim 187, wherein correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device comprises correlating one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 190. The method of claim 187, wherein correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device comprises comparing application-layer data indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with application-layer data indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 191. The method of claim 187, wherein correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device comprises comparing one or more network-interface identifiers of the network device indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more network-interface identifiers of the network device indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 192. The method of claim 187, wherein correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device comprises comparing one or more times indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more times indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 193. The method of claim 187, comprising:
    - generating, by the computing system, a message identifying the host located in the first network; and
      
      communicating, by the computing system and to at least one of the host located in the first network or a computing device associated with an administrator of the first network, the message identifying the host located in the first network.

194. A system comprising:
- at least one processor; and
  
  a memory storing instructions that when executed by the at least one processor cause the system to;
  
  identify a plurality of packets received by a network device from a host located in a first network;
  
  generate a plurality of log entries corresponding to the plurality of packets received by the network device;
  
  identify a plurality of packets transmitted by the network device to a host located in a second network;
  
  generate a plurality of log entries corresponding to the plurality of packets transmitted by the network device;
  
  correlate, based on the plurality of log entries corresponding to the plurality of packets received by the network device and the plurality of log entries corresponding to the plurality of packets transmitted by the network device, the plurality of packets transmitted by the network device with the plurality of packets received by the network device; and
  
  responsive to correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device;
  
  generate one or more rules configured to identify packets received from the host located in the first network;
  
  provision a packet-filtering device in a communication path that interfaces the network device and the first network with the one or more rules configured to identify packets received from the host located in the first network; and
  
  configure the packet-filtering device to;
  
  identify, based on the one or more rules configured to identify packets received from the host located in the first network, at least one packet received from the host located in the first network; and
  
  responsive to identifying the at least one packet received from the host located in the first network, drop the at least one packet received from the host located in the first network.
- View Dependent Claims (195, 196, 197, 198, 199, 200)
- - 195. The system of claim 194, wherein the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of one or more ports indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more ports indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 196. The system of claim 194, wherein the instructions, when executed by the at least one processor, cause the system to correlate one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 197. The system of claim 194, wherein the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of application-layer data indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with application-layer data indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 198. The system of claim 194, wherein the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of one or more network-interface identifiers of the network device indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more network-interface identifiers of the network device indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 199. The system of claim 194, wherein the instructions, when executed by the at least one processor, cause the system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of one or more times indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more times indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 200. The system of claim 194, wherein the instructions, when executed by the at least one processor, cause the system to:
    - generate a message identifying the host located in the first network; and
      
      communicate, to at least one of the host located in the first network or a computing device associated with an administrator of the first network, the message identifying the host located in the first network.

201. One or more non-transitory computer-readable media comprising instructions that when executed by a computing system cause the computing system to:
- identify a plurality of packets received by a network device from a host located in a first network;
  
  generate a plurality of log entries corresponding to the plurality of packets received by the network device;
  
  identify a plurality of packets transmitted by the network device to a host located in a second network;
  
  generate a plurality of log entries corresponding to the plurality of packets transmitted by the network device;
  
  correlate, based on the plurality of log entries corresponding to the plurality of packets received by the network device and the plurality of log entries corresponding to the plurality of packets transmitted by the network device, the plurality of packets transmitted by the network device with the plurality of packets received by the network device; and
  
  responsive to correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device;
  
  generate one or more rules configured to identify packets received from the host located in the first network;
  
  provision a packet-filtering device in a communication path that interfaces the network device and the first network with the one or more rules configured to identify packets received from the host located in the first network; and
  
  configure the packet-filtering device to;
  
  identify, based on the one or more rules configured to identify packets received from the host located in the first network, at least one packet received from the host located in the first network; and
  
  responsive to identifying the at least one packet received from the host located in the first network, drop the at least one packet received from the host located in the first network.
- View Dependent Claims (202, 203, 204, 205, 206, 207)
- - 202. The one or more non-transitory computer-readable media of claim 201, wherein the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of one or more ports indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more ports indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 203. The one or more non-transitory computer-readable media of claim 201, wherein the instructions, when executed by the computing system, cause the computing system to correlate one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more protocol types indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 204. The one or more non-transitory computer-readable media of claim 201, wherein the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of application-layer data indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with application-layer data indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 205. The one or more non-transitory computer-readable media of claim 201, wherein the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of one or more network-interface identifiers of the network device indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more network-interface identifiers of the network device indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 206. The one or more non-transitory computer-readable media of claim 201, wherein the instructions, when executed by the computing system, cause the computing system to correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device based on a comparison of one or more times indicated by the plurality of log entries corresponding to the plurality of packets received by the network device with one or more times indicated by the plurality of log entries corresponding to the plurality of packets transmitted by the network device.
  - 207. The one or more non-transitory computer-readable media of claim 201, wherein the instructions, when executed by the computing system, cause the computing system to:
    - generate a message identifying the host located in the first network; and
      
      communicate, to at least one of the host located in the first network or a computing device associated with an administrator of the first network, the message identifying the host located in the first network.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Centripetal Networks, Inc.
Original Assignee
Centripetal Networks, Inc.
Inventors
Ahn, David K., Geremia, Peter P., Moore, Sean, Mallett, Pierre III, Perry, Robert T.
Primary Examiner(s)
Huq, Obaidul

Application Number

US14/618,967
Time in Patent Office

371 Days
Field of Search

370/241, 370/351, 370/352, 370/356, 370/389, 370/395.1, 370/395.3, 370/395.31, 370/464, 370/474
US Class Current

1/1
CPC Class Codes

H04L 43/026   using flow identification

H04L 43/04   Processing captured monitor...

H04L 43/087   Jitter

H04L 43/106   using time related informat...

H04L 43/12   Network monitoring probes

H04L 43/16   Threshold monitoring

H04L 45/745   Address table lookup; Addre...

H04L 47/2483   involving identification of...

H04L 47/32   by discarding or delaying d...

H04L 61/2567   for reachability, e.g. inqu...

H04L 63/0263   Rule management

H04L 69/22   Parsing or analysis of headers

Correlating packets in communications networks

First Claim

4 Assignments

Litigations

0 Petitions

Accused Products

Abstract

78 Citations

207 Claims

Specification

Use Cases

Quick Links

Others

Correlating packets in communications networks

First Claim

4 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

207 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others