Security threat detection
First Claim
1. A method comprising:
maintaining, by a network security device, a network traffic log, wherein the network traffic log includes a plurality of entries each including features associated with one of a plurality of network activities observed within a private network, wherein the network activities include a plurality of interactions, including requests and responses relating to web resources, between hosts associated with the private network and external servers hosting the web resources, wherein the features include, for each of the network activities:
(i) a hash of a received file or a hash of a requested Uniform Resource Identifier (URI);
(ii) one or more of a source Internet Protocol (IP) address and a destination IP address; and
(iii) information regarding a user within the private network associated with the network activity;
responsive to an event, retrospectively scanning, by the network security device, a subset of the plurality of entries of the network traffic log in an attempt to identify a threat that was missed by a previous real-time signature-based scan or a previous real-time reputation-based scan of the observed network activities, wherein the subset of the plurality of entries includes only those entries of the plurality of entries corresponding to those of the network activities observed within a particular timeframe; and
when the threat is identified as a result of said retrospectively scanning, then performing, by the network security device, one or more of a remedial action and a preventive action with respect to the threat.
Abstract
Systems and methods for retrospective scanning of network traffic logs for missed threats using updated scan engines are provided. According to an embodiment, a network security device maintains a network traffic log that includes information associated with network activities observed within a private network. Responsive to an event, the network traffic log is retrospectively scanned in an attempt to identify a threat that was missed by a previous signature-based scan or a previous reputation-based scan of the observed network activities. When the threat is identified as a result of the retrospective scan, then remedial and/or preventive action is taken with respect to the threat.
10 Citations
20 Claims
1. Independent method claim, reproduced in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13.
14. A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a network security device, causes the one or more processors to perform a method comprising:
maintaining a network traffic log, wherein the network traffic log includes a plurality of entries each including features associated with one of a plurality of network activities observed within a private network, wherein the network activities include a plurality of interactions, including requests and responses relating to web resources, between hosts associated with the private network and external servers hosting the web resources, wherein the features include, for each of the network activities:
(i) a hash of a received file or a hash of a requested Uniform Resource Identifier (URI);
(ii) one or more of a source Internet Protocol (IP) address and a destination IP address; and
(iii) information regarding a user within the private network associated with the network activity;
responsive to an event, retrospectively scanning a subset of the plurality of entries of the network traffic log in an attempt to identify a threat that was missed by a previous real-time signature-based scan or a previous real-time reputation-based scan of the observed network activities, wherein the subset of the plurality of entries includes only those entries of the plurality of entries corresponding to those of the network activities observed within a particular timeframe; and
when the threat is identified as a result of said retrospectively scanning, then performing, by the network security device, one or more of a remedial action and a preventive action with respect to the threat.
Dependent claims: 15, 16, 17, 18, 19, 20.
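The abstract and the independent claims describe one mechanism: a log whose entries carry the file or URI hash, the IP addresses and the user; a real-time verdict recorded at capture time; and, on an event such as a signature or reputation update, a re-scan restricted to a time window that surfaces entries the earlier scan passed as clean. The following Python is an added illustration of that flow and is not code from the patent or its assignee. The engine classes, the hash sets, the RFC 5737 documentation IP addresses, the user names and the action plans are all constructed here for the example; a real device would enforce the actions rather than return them.

```python
"""Retrospective re-scan of a network traffic log (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from hashlib import sha256
from typing import Optional

# Constructed sample file hashes standing in for real malware signatures.
HASH_A = sha256(b"constructed sample file A").hexdigest()
HASH_B = sha256(b"constructed sample file B").hexdigest()


@dataclass
class LogEntry:
    """One observed network activity with the features the claims enumerate."""
    timestamp: datetime
    src_ip: str
    dst_ip: str
    user: str
    file_hash: Optional[str] = None   # hash of a received file, if any
    uri_hash: Optional[str] = None    # hash of the requested URI, if any
    realtime_verdict: str = "clean"   # verdict of the inline scan at capture time


class ScanEngines:
    """Signature (file hash) and reputation (IP / URI hash) databases that can be
    updated after traffic has already been logged."""

    def __init__(self):
        self.bad_file_hashes: set[str] = set()
        self.bad_ips: set[str] = set()
        self.bad_uri_hashes: set[str] = set()

    def scan(self, e: LogEntry) -> Optional[str]:
        """Return the threat kind matched against the current databases, or None."""
        if e.file_hash in self.bad_file_hashes:
            return "malicious-file"
        if e.dst_ip in self.bad_ips or e.src_ip in self.bad_ips:
            return "bad-reputation-ip"
        if e.uri_hash in self.bad_uri_hashes:
            return "bad-reputation-uri"
        return None


class NetworkTrafficLog:
    def __init__(self, engines: ScanEngines):
        self.engines = engines
        self.entries: list[LogEntry] = []

    def record(self, e: LogEntry) -> LogEntry:
        """Real-time path: scan with what the engines know now, then store."""
        e.realtime_verdict = self.engines.scan(e) or "clean"
        self.entries.append(e)
        return e

    def retrospective_scan(self, start: datetime, end: datetime):
        """Re-scan only entries inside [start, end] that passed as clean in real
        time, using the engines' updated databases. Returns (entry, kind) pairs."""
        findings = []
        for e in self.entries:
            if not (start <= e.timestamp <= end):
                continue                      # outside the particular timeframe
            if e.realtime_verdict != "clean":
                continue                      # already caught by the earlier scan
            hit = self.engines.scan(e)
            if hit:
                findings.append((e, hit))
        return findings


def plan_actions(findings):
    """Remedial and preventive actions per finding, returned as a plan."""
    plans = []
    for e, kind in findings:
        plan = {"user": e.user, "host": e.src_ip, "threat": kind,
                "remedial": ["notify-user", "quarantine-host"], "preventive": []}
        if kind == "malicious-file":
            plan["preventive"].append(f"block-hash:{e.file_hash}")
        else:
            plan["preventive"].append(f"block-ip:{e.dst_ip}")
        plans.append(plan)
    return plans


def run_scenario():
    """Log four activities, then apply a late signature/reputation update."""
    t0 = datetime(2024, 1, 1, 12, 0)
    engines = ScanEngines()
    engines.bad_file_hashes.add(HASH_A)            # only A is known at capture time
    log = NetworkTrafficLog(engines)
    log.record(LogEntry(t0, "10.0.0.5", "198.51.100.10", "alice", file_hash=HASH_A))
    log.record(LogEntry(t0 + timedelta(minutes=1), "10.0.0.6", "198.51.100.11", "bob",
                        file_hash=HASH_B))
    log.record(LogEntry(t0 + timedelta(minutes=2), "10.0.0.7", "203.0.113.7", "carol",
                        uri_hash=sha256(b"http://example.invalid/x").hexdigest()))
    log.record(LogEntry(t0 + timedelta(hours=3), "10.0.0.8", "198.51.100.12", "dave",
                        file_hash=HASH_B))        # outside the one-hour window below
    # The event: an update arrives that names hash B and one destination IP.
    engines.bad_file_hashes.add(HASH_B)
    engines.bad_ips.add("203.0.113.7")
    findings = log.retrospective_scan(t0, t0 + timedelta(hours=1))
    return findings, plan_actions(findings)


if __name__ == "__main__":
    for plan in run_scenario()[1]:
        print(plan)
```

Running `run_scenario()` yields two findings: bob's download of hash B and carol's request to 203.0.113.7. Alice's entry is skipped because the real-time scan already flagged it, and dave's identical download is skipped because it lies outside the scanned timeframe, which is the claim's point: the re-scan covers only the window of interest and only activities that earlier verdicts passed.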