Network traffic filtering and routing for threat analysis

US 9,654,445 B2
Filed: 05/13/2015
Issued: 05/16/2017
Est. Priority Date: 11/13/2013
Status: Active Grant

First Claim

Patent Images

1. One or more tangible computer-readable storage media encoding computer-executable instructions for executing a computer process that facilitates shattering and dynamic redirection of network traffic for threat investigation, wherein the computer-readable storage media is not a carrier wave or propagating signal and the computer process further comprises the computer process comprising:

receiving, at a first processing module, a subset of a network traffic stream;

identifying a potential security threat in the subset received at the first processing module;

based on the identification of the potential security threat, identifying a requested portion of the network traffic stream that includes information for investigating the potential security threat, wherein the requested portion is not currently included in the subset of the network traffic stream received at the first processing module;

communicating a delivery request to a plurality of other processing modules, each of the other processing modules simultaneously receiving and processing data of the network traffic stream, wherein the delivery request defines the requested portion of the network traffic stream and requests specific data defined by layer VII of the open systems interconnection (OSI) model;

responsive to the delivery request, employing shattering logic to reassemble the requested portion from a raw data storage repository and routing the requested portion of the network traffic stream to the first processing module; and

processing the requested portion upon receipt at the first processing module to determine whether the potential threat identified in the subset of the network traffic stream is an actual threat.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Implementations disclosed herein provide a managed security service that distributes processing tasks among a number of network security modules working in parallel to process component portions of a replayed network traffic stream. If a network security module detects a potential security threat, the network security module may generate a delivery request specifying other information potentially useful in further investigation of the potential security threat. The delivery request is communicated to a plurality of other processing entities, such as the other network security modules, and any processing entity currently receiving the requested information may respond to the delivery request. Once a source of the requested information is determined, the requested information is routed to the origin of the request.

67 Citations

View as Search Results

17 Claims

1. One or more tangible computer-readable storage media encoding computer-executable instructions for executing a computer process that facilitates shattering and dynamic redirection of network traffic for threat investigation, wherein the computer-readable storage media is not a carrier wave or propagating signal and the computer process further comprises the computer process comprising:
- receiving, at a first processing module, a subset of a network traffic stream;
  
  identifying a potential security threat in the subset received at the first processing module;
  
  based on the identification of the potential security threat, identifying a requested portion of the network traffic stream that includes information for investigating the potential security threat, wherein the requested portion is not currently included in the subset of the network traffic stream received at the first processing module;
  
  communicating a delivery request to a plurality of other processing modules, each of the other processing modules simultaneously receiving and processing data of the network traffic stream, wherein the delivery request defines the requested portion of the network traffic stream and requests specific data defined by layer VII of the open systems interconnection (OSI) model;
  
  responsive to the delivery request, employing shattering logic to reassemble the requested portion from a raw data storage repository and routing the requested portion of the network traffic stream to the first processing module; and
  
  processing the requested portion upon receipt at the first processing module to determine whether the potential threat identified in the subset of the network traffic stream is an actual threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The one or more computer-readable storage media of claim 1, wherein routing the requesting portion of the replayed network stream further comprises reassembling the requested portion from a raw data storage repository.
  - 3. The one or more computer-readable storage media of claim 1, wherein the first processing module and at least one of the other processing modules process different subsets of the network traffic stream in parallel with one another.
  - 4. The one or more computer-readable storage media of claim 1, wherein the first processing module and at least one of the other processing modules process partially-overlapping subsets of the network traffic stream.
  - 5. The one or more computer-readable storage media of claim 1, wherein the network traffic stream is generated by filtering an original network traffic stream according to a filtering policy of an ingest server and replaying the filtered network traffic stream outside of an enterprise network.
  - 6. The one or more computer-readable storage media of claim 5, further comprising:
    - altering the filtering policy responsive to publication of the delivery request.
  - 7. The one or more computer-readable storage media of claim 1, wherein the delivery request is a request for specific data defined by layer VII of the open systems interconnection (OSI) model.
  - 8. The one or more computer-readable storage media of claim 1, further comprising:
    - receiving, at the first processing module, information defining a new threat type discovered exclusively outside of an enterprise network supplying the network traffic stream.
  - 9. The one or more computer-readable storage media of claim 8, wherein the potential security threat is of the new threat type.
  - 10. The one or more computer-readable storage media of claim 1, wherein the requested portion of the network traffic stream includes information identified as important in investigating the potential security threat.

11. A threat analysis and detection system comprising:
- memory;
  
  a processor;
  
  a first processing module stored in the memory and executable by the processor configured to;
  
  identify a potential security threat in a received subset of a network traffic stream;
  
  responsive to the identification, identify a requested portion of the network traffic stream that includes information for investigating the potential security threat,wherein the requested portion is not currently included in the received subset of the network traffic stream; and
  
  communicate a delivery request to a plurality of other processing modules of a managed security service, the delivery request specifying the requested portion of the network traffic stream and requests specific data defined by layer VII of the open systems interconnection(OSI) model;
  
  and a second processing module stored in the memory that responds to the delivery request with a confirmation of current receipt of the requested portion of the network traffic stream; and
  
  shattering logic including instructions for routing the requested portion of the network traffic stream to the first processing module responsive to the confirmation from the second processing module, wherein the first processing module is further configured to employ the shattering logic to reassemble the requested portion from a raw data storage repository andprocess the requested portion upon receipt to determine whether the potential threat identified in the subset of the network traffic stream is an actual threat.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The threat analysis and detection system of claim 11 further comprising:
    - wherein the potential security threat is of the new threat type discovered exclusively outside of an enterprise network supplying the network traffic stream.
  - 13. The system of claim 11, wherein the first processing module employs the shattering logic to reassemble the requested portion from a raw data storage repository.
  - 14. The system of claim 11, wherein the first processing module and the second processing module process different subsets of the network traffic stream in parallel with one another.
  - 15. The system of claim 11, wherein the first processing module and the second processing module process partially-overlapping subsets of the network traffic stream.
  - 16. The system of claim 11, wherein the network traffic stream is generated by filtering an original network traffic stream according to a filtering policy and exporting the filtered network traffic stream outside of an enterprise network.
  - 17. The system of claim 11, further comprising:
    - altering the filtering policy responsive to receipt of the delivery request at an ingest server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
ProtectWise, Inc. (Verizon Communications Inc.)
Inventors
Stevens, IV, Eugene B., Stevens, Eric J., Kornmeier, Benjamin E., Hollander, Joshua J., Papadogiannakis, Antonis
Primary Examiner(s)
Sholeman, Abu

Application Number

US14/711,584
Publication Number

US 20150244678A1
Time in Patent Office

734 Days
Field of Search

726 3, 726 13, 726 25
US Class Current
CPC Class Codes

H04L 45/70   Routing based on monitoring...

H04L 47/20   Traffic policing

H04L 63/0227   Filtering policies mail mes...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

H04L 69/329   in the application layer [O...

Network traffic filtering and routing for threat analysis

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

67 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Network traffic filtering and routing for threat analysis

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others