System and method for identifying infected networks and systems from unknown attacks

US 9,392,007 B2
Filed: 11/03/2014
Issued: 07/12/2016
Est. Priority Date: 11/04/2013
Status: Active Grant

First Claim

Patent Images

1. A method of managing security on network infrastructure, comprising:

receiving, by a log collector configured on a processor of a network security monitor via a first computer network, a plurality of logs of a second computer network, the plurality of logs indicative of a status of the second computer network determined by a monitoring agent executing on the second computer network;

generating, by a log indexer configured on the network security monitor, indexed logs from the plurality of logs based on log format;

retrieving, by the network security monitor, a list of threat indicators from a database based on a schema from a plurality of threat indicators received from a plurality of heterogeneous repositories via the first computer network, the plurality of threat indicators including at least one of an internet protocol (IP) address, a malware code sample, a malicious code sample, or an intrusion prevention system (IPS) signature;

comparing, by a log correlation engine configured on the network security monitor, the list of threat indicators with the indexed logs; and

generating, by a report engine configured on the network security monitor, a report based on the comparing to identify a threat.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and method of the present disclosure are directed to a network security monitor. The monitor can receive logs of a second computer network indicative of a status of the second computer network determined by a monitoring agent executing on the second computer network. The monitor can generate indexed logs from the logs based on log format. The monitor can retrieving a list of threat indicators from a database based on a schema from a plurality of threat indicators received from a plurality of heterogeneous repositories via the first computer network. The monitor can compare the list of threat indicators with the indexed logs. The monitor can generate a report based on the comparing to identify a threat.

31 Citations

View as Search Results

20 Claims

1. A method of managing security on network infrastructure, comprising:
- receiving, by a log collector configured on a processor of a network security monitor via a first computer network, a plurality of logs of a second computer network, the plurality of logs indicative of a status of the second computer network determined by a monitoring agent executing on the second computer network;
  
  generating, by a log indexer configured on the network security monitor, indexed logs from the plurality of logs based on log format;
  
  retrieving, by the network security monitor, a list of threat indicators from a database based on a schema from a plurality of threat indicators received from a plurality of heterogeneous repositories via the first computer network, the plurality of threat indicators including at least one of an internet protocol (IP) address, a malware code sample, a malicious code sample, or an intrusion prevention system (IPS) signature;
  
  comparing, by a log correlation engine configured on the network security monitor, the list of threat indicators with the indexed logs; and
  
  generating, by a report engine configured on the network security monitor, a report based on the comparing to identify a threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprising:
    - receiving, by an aggregator of the network security monitor, one or more threat indicators from a plurality of heterogeneous sources via the first computer network; and
      
      using, by a normalizer of the network security monitor, the schema to transform the one or more threat indicators to the list of threat indicators, the list of threat indicators comprising structured information configured for use by the log correlation engine.
  - 3. The method of claim 1, further comprising:
    - obtaining, by an aggregator of the network security monitor, a first configuration for accessing a first repository via the first computer network;
      
      obtaining, by the aggregator, a second configuration for accessing a second repository via the first computer network;
      
      using, by the aggregator, the first configuration to establish a first connection with the first repository via the first computer network;
      
      using, by the aggregator, the second configuration to establish a second connection with the second repository via the first computer network; and
      
      updating, by the network security monitor, based on the schema, the list of threat indicators based on a threat indicator received from at least one of the first repository or the second repository.
  - 4. The method of claim 1, further comprising:
    - receiving, by the network security monitor via the first computer network, a first threat indicator from a first repository in a first format;
      
      receiving, by the network security monitor via the first computer network, a second threat indicator from a second repository in a second format, the first repository different from the second repository, the first format different from the second format; and
      
      transforming, by the network security monitor, the first threat indicator and the second threat indicator to the list of threat indicators based on the schema.
  - 5. The method of claim 1, further comprising:
    - initiating, by the network security monitor, responsive to receiving at least one of an update to the list of threat indicators or a new log of the second computer network, the comparing by the log correlation engine.
  - 6. The method of claim 1, further comprising:
    - searching, by the log correlation engine, for a correlation between the indexed logs of the second computer network; and
      
      identifying, by the log correlation engine, a match based on the correlation between the indexed logs and the list of threat indicators.
  - 7. The method of claim 1, further comprising:
    - identifying, by the log correlation engine, a portion of the plurality of logs as corresponding to a first type of the log format;
      
      identifying, by the log correlation engine, a threat indicator of the list of the threat indicators corresponding to the first type; and
      
      comparing, by the log correlation engine, the portion of the plurality of logs with the threat indicator to identify a match.
  - 8. The method of claim 1, further comprising:
    - comparing, by the log correlation engine, historical logs and current logs with the one or more threat indicators to identify a match.
  - 9. The method of claim 1, further comprising:
    - initiating, by the log correlation engine responsive to identifying a match based on the comparing, the report engine to generate the report.
  - 10. The method of claim 1, wherein the second computer network is a secure network configured to block unauthorized access.
  - 11. The method of claim 1, wherein:
    - the plurality of logs include a compilation of logs generated by the monitoring agent, the monitoring agent including at least one of an antivirus tool, a network security element, an intrusion prevention system, or an intrusion detection system; and
      
      the plurality of logs include at least one of a general system log, a network security log, an intrusion prevention system log, an intrusion detection system log, or an antivirus application log.
  - 12. The method of claim 1, wherein the log format includes at least two of a threat log mapping, a traffic log mapping, an email log mapping, a performance log mapping, an AAA log mapping, a VPN log mapping, or an access control log mapping.
  - 13. The method of claim 1, further comprising:
    - inputting, by the network security monitor via an interface, the indexed logs in memory configured with a data structure corresponding to the indexed logs.
  - 14. The method of claim 1, further comprising:
    - transmitting, by the network security monitor, the report via the first computer network to an administrator device associated with the second computer network.

15. A system for management of security on network infrastructure, comprising:
- a network security monitor comprising a hardware processor and memory;
  
  a log collector configured on the network security monitor to receive, via a first computer network, a plurality of logs of a second computer network, the plurality of logs indicative of a status of the second computer network determined by a monitoring agent executing on the second computer network;
  
  a log indexer configured on the network security monitor to generate indexed logs from the plurality of logs based on types of threat indicators;
  
  the network security monitor configured to retrieve a list of threat indicators from a database based on a schema from a plurality of threat indicators received from a plurality of heterogeneous repositories via the first computer network, the plurality of threat indicators including at least one of an internet protocol (IP) address, a malware code sample, a malicious code sample, or an intrusion prevention system (IPS) signature;
  
  a log correlation engine configured with a heuristic technique on the network security monitor to perform a comparison of the list of threat indicators with the indexed logs; and
  
  a report engine configured on the network security monitor to generate a report based on the comparison.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, further comprising:
    - an aggregator of the network security monitor configured to receive one or more threat indicators from a plurality of heterogeneous sources via the first computer network; and
      
      a normalizer of the network security monitor configured to use the schema to transform the one or more threat indicators to the list of threat indicators, the list of threat indicators comprising structured information configured for use by the log correlation engine.
  - 17. The system of claim 15, further comprising:
    - an aggregator of the network security monitor configured to;
      
      obtain a first configuration for accessing a first repository via the first computer network;
      
      obtain a second configuration for accessing a second repository via the first computer network;
      
      use the first configuration to establish a first connection with the first repository via the first computer network; and
      
      use the second configuration to establish a second connection with the second repository via the first computer network; and
      
      the network security monitor further configured to update, based on the schema, the list of threat indicators based on one or more threat indicators received from at least one of the first repository or the second repository.
  - 18. The system of claim 15, wherein the network security monitor is further configured to:
    - receive, via the first computer network, a first threat indicator from a first repository in a first format;
      
      receive, via the first computer network, a second threat indicator from a second repository in a second format, the first repository different from the second repository, the first format different from the second format; and
      
      transform the first threat indicator and the second threat indicator to the list of threat indicators based on the schema.
  - 19. The system of claim 15, wherein the log correlation engine is further configured to:
    - identify a portion of the plurality of logs as corresponding to a first type of the log format;
      
      identify one or more threat indicators of the list of the threat indicators corresponding to the first type; and
      
      compare the portion of the plurality of logs with the one or more threat indicators to identify a match.
  - 20. The system of claim 15, wherein the log correlation engine is further configured to:
    - initiate responsive to identifying a match based on the comparing, the report engine to generate the report.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Crypteia Networks S.A. (PCCW Limited)
Original Assignee
Crypteia Networks S.A. (PCCW Limited)
Inventors
Giokas, Ioannis
Primary Examiner(s)
SHEHNI, GHAZAL B

Application Number

US14/531,450
Publication Number

US 20150128274A1
Time in Patent Office

617 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

System and method for identifying infected networks and systems from unknown attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

31 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for identifying infected networks and systems from unknown attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links