Network traffic filtering and routing for threat analysis
First Claim
1. One or more tangible computer-readable storage media encoding computer-executable instructions for executing a computer process that facilitates shattering and dynamic redirection of network traffic for threat investigation, wherein the computer-readable storage media is not a carrier wave or propagating signal and the computer process further comprises the computer process comprising:
- receiving, at a first processing module, a subset of a network traffic stream;
- identifying a potential security threat in the subset received at the first processing module;
- based on the identification of the potential security threat, identifying a requested portion of the network traffic stream that includes information for investigating the potential security threat, wherein the requested portion is not currently included in the subset of the network traffic stream received at the first processing module;
- communicating a delivery request to a plurality of other processing modules, each of the other processing modules simultaneously receiving and processing data of the network traffic stream, wherein the delivery request defines the requested portion of the network traffic stream and requests specific data defined by layer VII of the open systems interconnection (OSI) model;
- responsive to the delivery request, employing shattering logic to reassemble the requested portion from a raw data storage repository and routing the requested portion of the network traffic stream to the first processing module; and
- processing the requested portion upon receipt at the first processing module to determine whether the potential threat identified in the subset of the network traffic stream is an actual threat.
3 Assignments
0 Petitions
Abstract
Implementations disclosed herein provide a managed security service that distributes processing tasks among a number of network security modules working in parallel to process component portions of a replayed network traffic stream. If a network security module detects a potential security threat, the network security module may generate a delivery request specifying other information potentially useful in further investigation of the potential security threat. The delivery request is communicated to a plurality of other processing entities, such as the other network security modules, and any processing entity currently receiving the requested information may respond to the delivery request. Once a source of the requested information is determined, the requested information is routed to the origin of the request.
67 Citations
17 Claims
1. Independent claim; its text is reproduced in full above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A threat analysis and detection system comprising:
- memory;
- a processor;
- a first processing module stored in the memory and executable by the processor configured to:
  - identify a potential security threat in a received subset of a network traffic stream;
  - responsive to the identification, identify a requested portion of the network traffic stream that includes information for investigating the potential security threat, wherein the requested portion is not currently included in the received subset of the network traffic stream; and
  - communicate a delivery request to a plurality of other processing modules of a managed security service, the delivery request specifying the requested portion of the network traffic stream and requests specific data defined by layer VII of the open systems interconnection (OSI) model; and
- a second processing module stored in the memory that responds to the delivery request with a confirmation of current receipt of the requested portion of the network traffic stream; and
- shattering logic including instructions for routing the requested portion of the network traffic stream to the first processing module responsive to the confirmation from the second processing module, wherein the first processing module is further configured to employ the shattering logic to reassemble the requested portion from a raw data storage repository and process the requested portion upon receipt to determine whether the potential threat identified in the subset of the network traffic stream is an actual threat.
Dependent claims: 12, 13, 14, 15, 16, 17.
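The workflow described in the abstract and in claims 1 and 11 (a stream shattered across parallel modules, a detecting module broadcasting a delivery request, peers confirming current receipt, the requested layer-7 portion reassembled from a raw store and routed back for a final verdict) can be simulated end to end. The block below is an added example, not code from the patent or its assignee; the class names, the round-robin split of the stream, the watchlist indicator, the HTTP-for-DNS request rule and the sample records are all assumptions made for illustration.

```python
# Added example: a toy simulation of the shattered-stream, delivery-request
# workflow from the abstract and claims 1 and 11. Not code from the patent or
# its assignee; names, the round-robin split, the indicator list and the
# sample stream are assumptions made for illustration.
from dataclasses import dataclass
from typing import Dict, List

WATCHLIST = {"bad.example"}  # assumed indicator: a domain we treat as suspicious


@dataclass(frozen=True)
class Record:
    """One application-layer (OSI layer 7) event from the replayed stream."""
    seq: int        # position in the raw stream, used to reassemble in order
    src: str        # client address
    proto: str      # "dns" or "http"
    host: str       # DNS query name, or HTTP Host header
    path: str = ""  # HTTP request path (empty for DNS)


@dataclass(frozen=True)
class DeliveryRequest:
    """What a module asks its peers for once it has seen something suspicious."""
    origin: int      # id of the module raising the request
    src: str         # host under investigation
    proto: str       # the layer-7 data type wanted, e.g. "http"
    indicator: str   # the watchlisted name that triggered the request


class RawStore:
    """Raw data storage repository holding every record of the stream."""

    def __init__(self) -> None:
        self.records: Dict[int, Record] = {}

    def put(self, rec: Record) -> None:
        self.records[rec.seq] = rec

    def reassemble(self, req: DeliveryRequest) -> List[Record]:
        # Shattering logic: pull the requested portion back out in stream order.
        return [self.records[s] for s in sorted(self.records)
                if self.records[s].src == req.src and self.records[s].proto == req.proto]


class Module:
    """One of the parallel network security modules."""

    def __init__(self, mid: int) -> None:
        self.mid = mid
        self.subset: List[Record] = []  # the slice of the stream this module receives

    def receive(self, rec: Record) -> None:
        self.subset.append(rec)

    def detect(self) -> List[DeliveryRequest]:
        # Potential threat: a DNS lookup of a watchlisted name. Confirming it needs
        # the host's HTTP traffic, which the round-robin split may have sent elsewhere.
        return [DeliveryRequest(self.mid, r.src, "http", r.host)
                for r in self.subset if r.proto == "dns" and r.host in WATCHLIST]

    def confirms_receipt(self, req: DeliveryRequest) -> bool:
        # A peer answers the broadcast only if it currently holds matching data.
        return any(r.src == req.src and r.proto == req.proto for r in self.subset)

    def decide(self, req: DeliveryRequest, delivered: List[Record]) -> str:
        # Actual threat only if the host went on to talk to the watchlisted name.
        if any(r.host == req.indicator for r in delivered):
            return "actual threat"
        return "not confirmed"


class ManagedSecurityService:
    def __init__(self, n_modules: int) -> None:
        self.modules = [Module(i) for i in range(n_modules)]
        self.raw = RawStore()

    def replay(self, stream: List[Record]) -> None:
        # Shatter the stream: every record goes to the raw store and to one module.
        for rec in stream:
            self.raw.put(rec)
            self.modules[rec.seq % len(self.modules)].receive(rec)

    def investigate(self) -> List[dict]:
        verdicts = []
        for origin in self.modules:
            for req in origin.detect():
                responders = [p.mid for p in self.modules
                              if p.mid != origin.mid and p.confirms_receipt(req)]
                if not responders:
                    # Nobody is receiving that portion, so nothing can be routed back.
                    verdicts.append({"src": req.src, "responders": [],
                                     "verdict": "inconclusive"})
                    continue
                delivered = self.raw.reassemble(req)  # routed to the origin module
                verdicts.append({"src": req.src, "responders": responders,
                                 "verdict": origin.decide(req, delivered)})
        return verdicts


def sample_stream() -> List[Record]:
    """Constructed sample traffic, not captured data."""
    return [
        Record(0, "10.0.0.5", "dns", "bad.example"),
        Record(1, "10.0.0.5", "http", "bad.example", "/stage2.bin"),
        Record(2, "10.0.0.7", "dns", "bad.example"),
        Record(3, "10.0.0.7", "http", "cdn.example", "/index.html"),
        Record(4, "10.0.0.9", "dns", "good.example"),
        Record(5, "10.0.0.5", "http", "bad.example", "/beacon"),
        Record(6, "10.0.0.11", "dns", "bad.example"),
    ]


def run_demo() -> List[dict]:
    svc = ManagedSecurityService(n_modules=2)
    svc.replay(sample_stream())
    return svc.investigate()


if __name__ == "__main__":
    for v in run_demo():
        print(v)
```

With two modules and a round-robin split, module 0 receives all three watchlisted DNS lookups while every HTTP record lands on module 1, so none of the three requests can be settled from the requesting module's own subset. The run shows the three outcomes a practitioner should expect: the request for 10.0.0.5 is confirmed by module 1, the reassembled HTTP records show a connection to the watchlisted host, and the verdict is an actual threat; 10.0.0.7 resolved the name but its only HTTP traffic went elsewhere, so the potential threat is not confirmed; 10.0.0.11 has no HTTP traffic anywhere in the stream, so no peer confirms receipt and the case stays inconclusive rather than being silently dropped.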