Security threat detection

US 9,602,527 B2
Filed: 03/19/2015
Issued: 03/21/2017
Est. Priority Date: 03/19/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

maintaining, by a network security device, a network traffic log, wherein the network traffic log includes a plurality of entries each including features associated with one of a plurality of network activities observed within a private network, wherein the network activities include a plurality of interactions, including requests and responses relating to web resources, between hosts associated with the private network and external servers hosting the web resources, wherein the features include, for each of the network activities;

(i) a hash of a received file or a hash of a requested Uniform Resource Identifier (URI);

(ii) one or more of a source Internet Protocol (IP) address and a destination IP address and (iii) information regarding a user within the private network associated with the network activity;

responsive to an event, retrospectively scanning, by the network security device, a subset of the plurality of entries of the network traffic log in an attempt to identify a threat that was missed by a previous real-time signature-based scan or a previous real-time reputation-based scan of the observed network activities, wherein the subset of the plurality of entries includes only those entries of the plurality of entries corresponding to those of the network activities observed within a particular timeframe; and

when the threat is identified as a result of said retrospectively scanning, then performing, by the network security device, one or more of a remedial action and a preventive action with respect to the threat.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for retrospective scanning of network traffic logs for missed threats using updated scan engines are provided. According to an embodiment, a network security device maintains a network traffic log that includes information associated with network activities observed within a private network. Responsive to an event, the network traffic log is retrospectively scanned in an attempt to identify a threat that was missed by a previous signature-based scan or a previous reputation-based scan of the observed network activities. When the threat is identified as a result of the retrospective scan, then remedial and/or preventive action is taken with respect to the threat.

10 Citations

View as Search Results

20 Claims

1. A method comprising:
- maintaining, by a network security device, a network traffic log, wherein the network traffic log includes a plurality of entries each including features associated with one of a plurality of network activities observed within a private network, wherein the network activities include a plurality of interactions, including requests and responses relating to web resources, between hosts associated with the private network and external servers hosting the web resources, wherein the features include, for each of the network activities;
  
  (i) a hash of a received file or a hash of a requested Uniform Resource Identifier (URI);
  
  (ii) one or more of a source Internet Protocol (IP) address and a destination IP address and (iii) information regarding a user within the private network associated with the network activity;
  
  responsive to an event, retrospectively scanning, by the network security device, a subset of the plurality of entries of the network traffic log in an attempt to identify a threat that was missed by a previous real-time signature-based scan or a previous real-time reputation-based scan of the observed network activities, wherein the subset of the plurality of entries includes only those entries of the plurality of entries corresponding to those of the network activities observed within a particular timeframe; and
  
  when the threat is identified as a result of said retrospectively scanning, then performing, by the network security device, one or more of a remedial action and a preventive action with respect to the threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the event comprises receipt by the network security device of updated signature database information for use by the network security device in connection with performing signature-based scanning.
  - 3. The method of claim 2, wherein said retrospectively scanning comprises applying the updated signature database information to the network traffic log by performing the signature-based scanning based on one or more of the features.
  - 4. The method of claim 1, wherein the event comprises receipt by the network security device of updated reputation database information for use by the network security device in connection with performing reputation-based scanning.
  - 5. The method of claim 4, wherein said retrospectively scanning comprises applying the updated reputation database information to the network traffic log by performing the reputation-based scanning based on one or more of the features.
  - 6. The method of claim 1, wherein the event comprises a predetermined or configurable scheduled timer event.
  - 7. The method of claim 1, wherein the network traffic log resides within the private network.
  - 8. The method of claim 1, wherein the network traffic log includes information collected by a plurality of other network security devices.
  - 9. The method of claim 1, said retrospectively scanning is further limited to scanning only those of the plurality of entries within the network traffic log that were flagged by the previous real-time signature-based scan or the previous real-time reputation-based scan as being a potential security threat.
  - 10. The method of claim 1, wherein the preventive action comprises an action seeking to prevent potential damage resulting from the threat or seeking to defend against the threat.
  - 11. The method of claim 10, wherein the preventative action includes one or more ofincreasing security scrutiny for a source associated with the threat;
    - decreasing a security reputation score of the source;
      
      blocking the source; and
      
      blocking of other potential threats that share significant features with the threat.
  - 12. The method of claim 1, wherein the remedial action comprises one or more of:
    - notifying a user mapped to the threat;
      
      notifying an administrator of the network security device;
      
      increasing security scrutiny for a destination associated with the threat;
      
      decreasing a security reputation score of the destination; and
      
      blocking the destination.
  - 13. The method of claim 2, wherein the particular timeframe has a starting point defined by a first time at which the threat was first detected by a network security community and an ending point defined by a second time at which a signature was created for detecting the threat.

14. A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a network security device, causes the one or more processors to perform a method comprising:
- maintaining a network traffic log, wherein the network traffic log includes a plurality of entries each including features associated with one of a plurality of network activities observed within a private network, wherein the network activities include a plurality of interactions, including requests and responses relating to web resources, between hosts associated with the private network and external servers hosting the web resources, wherein the features include, for each of the network activities;
  
  (i) a hash of a received file or a hash of a requested Uniform Resource Identifier (URI);
  
  (ii) one or more of a source Internet Protocol (IP) address and a destination IP address and (iii) information regarding a user within the private network associated with the network activity;
  
  responsive to an event, retrospectively scanning a subset of the plurality of entries of the network traffic log in an attempt to identify a threat that was missed by a previous real-time signature-based scan or a previous real-time reputation-based scan of the observed network activities, wherein the subset of the plurality of entries includes only those entries of the plurality of entries corresponding to those of the network activities observed within a particular timeframe; and
  
  when the threat is identified as a result of said retrospectively scanning, then performing, by the network security device, one or more of a remedial action and a preventive action with respect to the threat.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The non-transitory computer-readable storage medium of claim 14, wherein the event comprises receipt by the network security device of updated signature database information for use by the network security device in connection with performing signature-based scanning.
  - 16. The non-transitory computer-readable storage medium of claim 15, wherein said retrospectively scanning comprises applying the updated signature database information to the network traffic log by performing the signature-based scanning based on one or more of the features.
  - 17. The non-transitory computer-readable storage medium of claim 14, wherein the event comprises receipt by the network security device of updated reputation database information for use by the network security device in connection with performing reputation-based scanning.
  - 18. The non-transitory computer-readable storage medium of claim 17, wherein said retrospectively scanning comprises applying the updated reputation database information to the network traffic log by performing the reputation-based scanning based on one or more of the features.
  - 19. The non-transitory computer-readable storage medium of claim 14, wherein the remedial action comprises one or more of:
    - notifying a user mapped to the threat;
      
      notifying an administrator of the network security device;
      
      increasing security scrutiny for a destination associated with the threat;
      
      decreasing a security reputation score of the destination; and
      
      blocking the destination.
  - 20. The non-transitory computer-readable storage medium of claim 15, wherein the particular timeframe has a starting point defined by a first time at which the threat was first detected by a network security community and an ending point defined by a second time at which a signature was created for detecting the threat.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Yu, Qianyong
Primary Examiner(s)
Mehrmanesh, Amir
Assistant Examiner(s)
TAYLOR, SAKINAH W

Application Number

US14/662,456
Publication Number

US 20160277431A1
Time in Patent Office

733 Days
Field of Search

726/22
US Class Current

1/1
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04L 63/1441 Countermeasures against mal...

Security threat detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

10 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Security threat detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links