Recursive multi-layer examination for computer network security remediation

US 9,680,852 B1
Filed: 04/04/2016
Issued: 06/13/2017
Est. Priority Date: 01/29/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for recursive multi-layer examination for computer network security remediation comprising:

receiving a first identifier associated with a first node;

retrieving first metadata using the first identifier;

identifying a second node in communication with the first node using the first metadata, and identifying one or more first communication between the first and second nodes using the first metadata;

ascertaining a first characteristic of each of the one or more first communication, the first characteristic being at least one of a protocol and an application used in the one or more first communication;

examining the each of the one or more first communication for malicious behavior using the first characteristic;

receiving a first risk score for the each of the one or more first communication responsive to the examining;

determining the first risk score associated with one of the one or more first communication exceeds a first predetermined threshold and indicating the first and second nodes are malicious;

retrieving second metadata using a second identifier associated with the second node;

identifying a third node in communication with the second node using the second metadata, and identifying one or more second communication between the second and third nodes using the second metadata;

ascertaining a second characteristic of each of the one or more second communication, the second characteristic being at least one of a protocol and an application used in the one or more second communication;

examining the each of the one or more second communication for malicious behavior using the second characteristic;

receiving a second risk score for the each of the one or more second communication responsive to the examining;

determining the second risk score associated with one of the one or more second communication exceeds the first predetermined threshold and indicating the third node is malicious;

assigning a node risk score to an additional second node in which additional first risk scores, for additional first communications originating from or directed to the additional second node, do not exceed the first predetermined threshold, the node risk score being an average of the additional first risk scores;

determining the node risk score exceeds a second predetermined threshold and indicating the additional second node is malicious;

providing the indicated malicious nodes and communications originating from or directed to the indicated malicious nodes, such that progress of a security breach or intrusion through the indicated malicious nodes and the communications is indicated; and

remediating the security breach.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer-implemented methods and apparatuses for recursive multi-layer examination for computer network security remediation is provided herein. Exemplary methods may include: receiving a first identifier associated with a first node; retrieving first metadata using the first identifier; identifying a second node in communication with the first node using the first metadata; ascertaining a first characteristic of each first communication between the first and second nodes using the first metadata; examining each first communication for malicious behavior using the first characteristic; receiving a first risk score for each first communication responsive to the examining; determining the first risk score associated with one of the second communications exceeds a first predetermined threshold and indicating the first and second nodes are malicious. Exemplary methods may further include: providing the identified malicious nodes and communications originating from or directed to the malicious nodes.

178 Citations

19 Claims

1. A computer-implemented method for recursive multi-layer examination for computer network security remediation comprising:
- receiving a first identifier associated with a first node;
  
  retrieving first metadata using the first identifier;
  
  identifying a second node in communication with the first node using the first metadata, and identifying one or more first communication between the first and second nodes using the first metadata;
  
  ascertaining a first characteristic of each of the one or more first communication, the first characteristic being at least one of a protocol and an application used in the one or more first communication;
  
  examining the each of the one or more first communication for malicious behavior using the first characteristic;
  
  receiving a first risk score for the each of the one or more first communication responsive to the examining;
  
  determining the first risk score associated with one of the one or more first communication exceeds a first predetermined threshold and indicating the first and second nodes are malicious;
  
  retrieving second metadata using a second identifier associated with the second node;
  
  identifying a third node in communication with the second node using the second metadata, and identifying one or more second communication between the second and third nodes using the second metadata;
  
  ascertaining a second characteristic of each of the one or more second communication, the second characteristic being at least one of a protocol and an application used in the one or more second communication;
  
  examining the each of the one or more second communication for malicious behavior using the second characteristic;
  
  receiving a second risk score for the each of the one or more second communication responsive to the examining;
  
  determining the second risk score associated with one of the one or more second communication exceeds the first predetermined threshold and indicating the third node is malicious;
  
  assigning a node risk score to an additional second node in which additional first risk scores, for additional first communications originating from or directed to the additional second node, do not exceed the first predetermined threshold, the node risk score being an average of the additional first risk scores;
  
  determining the node risk score exceeds a second predetermined threshold and indicating the additional second node is malicious;
  
  providing the indicated malicious nodes and communications originating from or directed to the indicated malicious nodes, such that progress of a security breach or intrusion through the indicated malicious nodes and the communications is indicated; and
  
  remediating the security breach.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - retrieving third metadata using a third identifier associated with the third node;
      
      identifying a fourth node in communication with the third node using the third metadata, and identifying one or more third communication between the third and fourth nodes using the third metadata;
      
      ascertaining a third characteristic of each of the one or more third communication, the third characteristic being at least one of a protocol and an application used in the one or more third communication;
      
      examining the each of the one or more third communication for malicious behavior using the third characteristic;
      
      receiving a third risk score for the each of the one or more third communication responsive to the examining; and
      
      determining the third risk score associated with one of the one or more third communication exceeds the first predetermined threshold and indicating the fourth node is malicious responsive to the determining.
  - 3. The method of claim 2, wherein another one of the one or more third communication is not examined when the another one of the one or more third communication is the same as one of the one or more first or second communications.
  - 4. The method of claim 1, wherein each of the first and second nodes is at least one of a physical host, virtual machine, container, client system, and other computing system on a communications network.
  - 5. The method of claim 1, wherein each of the first and second metadata includes information logged by an enforcement point.
  - 6. The method of claim 1, wherein:
    - examining the each of the one or more first communication comprises;
      
      selecting a respective first scanlet of a plurality of scanlets using a respective first characteristic associated with a respective first communication, andapplying the respective first scanlet to the respective first communication; and
      
      examining the each of the one or more second communication comprises;
      
      selecting a respective second scanlet of the plurality of scanlets using a respective second characteristic associated with a respective second communication, andapplying the respective second scanlet to the respective second communication.
  - 7. The method of claim 6, wherein each of the plurality of scanlets detects malicious activity in network communications using at least one of a particular protocol and a particular application.
  - 8. The method of claim 1, wherein each of the first and second risk scores and the first predetermined threshold is a number within a predetermined range of numbers.
  - 9. The method of claim 1, wherein each of the first and second metadata comprises at least one of a source (IP) address and/or hostname, source port, destination (IP) address and/or hostname, destination port, protocol, application, username and/or other credentials used to gain access to computing resources on a network, and number of bytes in a communication.

10. An analytic engine comprising:
- a processor; and
  
  a memory coupled to the processor, the memory storing instructions executable by the processor to perform a method for recursive multi-layer examination for computer network security remediation comprising;
  
  receiving a first identifier associated with a first node;
  
  retrieving first metadata using the first identifier;
  
  identifying a second node in communication with the first node using the first metadata, and identifying one or more first communication between the first and second nodes using the first metadata;
  
  ascertaining a first characteristic of each of the one or more first communication, the first characteristic being at least one of a protocol and an application used in the one or more first communication;
  
  examining the each of the one or more first communication for malicious behavior using the first characteristic;
  
  receiving a first risk score for the each of the one or more first communication responsive to the examining;
  
  determining the first risk score associated with one of the one or more first communication exceeds a first predetermined threshold and indicating the first and second nodes are malicious;
  
  retrieving second metadata using a second identifier associated with the second node;
  
  identifying a third node in communication with the second node using the second metadata, and identifying one or more second communication between the second and third nodes using the second metadata;
  
  ascertaining a second characteristic of each of the one or more second communication, the second characteristic being at least one of a protocol and an application used in the one or more second communication;
  
  examining the each of the one or more second communication for malicious behavior using the second characteristic;
  
  receiving a second risk score for the each of the one or more second communication responsive to the examining;
  
  determining the second risk score associated with one of the one or more second communication exceeds the first predetermined threshold and indicating the third node is malicious;
  
  assigning a node risk score to an additional second node in which additional first risk scores, for additional first communications originating from or directed to the additional second node, do not exceed the first predetermined threshold, the node risk score being an average of the additional first risk scores;
  
  determining the node risk score exceeds a second predetermined threshold and indicating the additional second node is malicious;
  
  providing the indicated malicious nodes and communications originating from or directed to the indicated malicious nodes, such that progress of a security breach or intrusion through the indicated malicious nodes and the communications is indicated; and
  
  remediating the security breach.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The analytic engine of claim 10 further comprising:
    - retrieving third metadata using a third identifier associated with the third node;
      
      identifying a fourth node in communication with the third node using the third metadata, and identifying one or more third communication between the third and fourth nodes using the third metadata;
      
      ascertaining a third characteristic of each of the one or more third communication, the third characteristic being at least one of a protocol and an application used in the one or more third communication;
      
      examining the each of the one or more third communication for malicious behavior using the third characteristic;
      
      receiving a third risk score for the each of the one or more third communication responsive to the examining; and
      
      determining the third risk score associated with one of the one or more third communication exceeds the first predetermined threshold and indicating the fourth node is malicious responsive to the determining.
  - 12. The analytic engine of claim 11, wherein another one of the one or more third communication is not examined when the another one of the one or more third communication is the same as one of the one or more first or second communications.
  - 13. The analytic engine of claim 10, wherein each of the first and second nodes is at least one of a physical host, virtual machine, container, client system, and other computing system on a communications network.
  - 14. The analytic engine of claim 10, wherein each of the first and second metadata includes information logged by an enforcement point.
  - 15. The analytic engine of claim 10, wherein:
    - examining the each of the one or more first communication comprises;
      
      selecting a respective first scanlet of a plurality of scanlets using a respective first characteristic associated with a respective first communication, andapplying the respective first scanlet to the respective first communication; and
      
      examining the each of the one or more second communication comprises;
      
      selecting a respective second scanlet of the plurality of scanlets using a respective second characteristic associated with a respective second communication, andapplying the respective second scanlet to the respective second communication.
  - 16. The analytic engine of claim 15, wherein each of the plurality of scanlets detects malicious activity in network communications using at least one of a particular protocol and a particular application.
  - 17. The analytic engine of claim 10, wherein each of the first and second risk scores and the first predetermined threshold is a number within a predetermined range of numbers.
  - 18. The analytic engine of claim 10, wherein each of the first and second metadata comprises at least one of a source (IP) address and/or hostname, source port, destination (IP) address and/or hostname, destination port, protocol, application, username and/or other credentials used to gain access to computing resources on a network, and number of bytes in a communication.

19. A computer-implemented method for recursive multi-layer examination for computer network security remediation comprising:
- receiving a first identifier associated with a first node;
  
  retrieving first metadata using the first identifier, the first metadata comprising at least one of a source (IP) address and/or hostname, source port, destination (IP) address and/or hostname, destination port, protocol, application, username and/or other credentials used to gain access to computing resources on a network, and number of bytes in a communication;
  
  identifying a second node in communication with the first node using the first metadata, and identifying one or more first communication between the first and second nodes using the first metadata;
  
  ascertaining a first characteristic of each of the one or more first communication, the first characteristic being at least one of a protocol and an application used in the one or more first communication;
  
  selecting a respective first scanlet of a plurality of scanlets using a respective first characteristic associated with a respective first communication;
  
  applying the respective first scanlet to the respective first communication;
  
  receiving a first risk score for the each of the one or more first communication responsive to the applying;
  
  determining the first risk score associated with one of the one or more first communication exceeds a first predetermined threshold and indicating the first and second nodes are malicious;
  
  retrieving second metadata using a second identifier associated with the second node, the second metadata comprising at least one of a source (IP) address and/or hostname, source port, destination (IP) address and/or hostname, destination port, protocol, application, username and/or other credentials used to gain access to computing resources on a network, and number of bytes in a communication;
  
  identifying a third node in communication with the second node using the second metadata, and identifying one or more second communication between the second and third nodes using the second metadata;
  
  ascertaining a second characteristic of each of the one or more second communication, the second characteristic being at least one of a protocol and an application used in the one or more second communication;
  
  selecting a respective second scanlet of the plurality of scanlets using a respective second characteristic associated with a respective second communication;
  
  applying the respective second scanlet to the respective second communication;
  
  receiving a second risk score for the each of the one or more second communication responsive to the applying;
  
  determining the second risk score associated with one of the one or more second communication exceeds the first predetermined threshold and indicating the third node is malicious;
  
  assigning a node risk score to an additional second node in which additional first risk scores, for additional first communications originating from or directed to the additional second node, do not exceed the first predetermined threshold, the node risk score being an average of the additional first risk scores;
  
  determining the node risk score exceeds a second predetermined threshold and indicating the additional second node is malicious;
  
  providing the indicated malicious nodes and communications originating from or directed to the indicated malicious nodes, such that a progress of a security breach or intrusion through the indicated malicious nodes and the communications is indicated; and
  
  remediating the security breach.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
vArmour Networks Inc
Original Assignee
vArmour Networks Inc
Inventors
Wager, Ryan, Yarochkin, Fyodor, Dahlgren, Zach
Primary Examiner(s)
Gelagay, Shewaye
Assistant Examiner(s)
Nguyen, Trong

Application Number

US15/090,523
Time in Patent Office

435 Days
Field of Search

726 22- 25
US Class Current
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Recursive multi-layer examination for computer network security remediation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

178 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Recursive multi-layer examination for computer network security remediation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

178 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links