Handling network threats

US 10,749,895 B2
Filed: 11/17/2015
Issued: 08/18/2020
Est. Priority Date: 11/17/2015
Status: Active Grant

First Claim

Patent Images

1. A non-transitory machine-readable storage medium encoded with instructions executable by a hardware processor of a computing device for handling network threats, the machine-readable storage medium comprising instructions to cause the hardware processor to:

receive, from a threat detector, threat data associated with a particular client device included in a plurality of client devices;

identify, based on the threat data, a responsive playbook from a plurality of predefined playbooks, wherein each of the plurality of predefined playbooks includes instructions for handling threat data and the responsive playbook specifies a particular analytics operation for assisting with remediation of a threat identified from the threat data;

identify, from the responsive playbook, additional data for performing the particular analytics operation, wherein the additional data is a type of data that the plurality of network devices were not collecting at the time of receipt of the threat data;

reconfigure at least one of a plurality of software defined network devices, the reconfiguration causing each reconfigured device to i) collect the additional data, and ii) provide the additional data to an analytics device;

receive, from the analytics device, particular analytics results from the particular analytics operation;

identify, based on the particular analytics results, a second playbook for addressing the threat when the particular analytics results are insufficient to determine whether the threat is an actual threat, wherein the second playbook is different from the responsive playbook;

reconfigure a second time at least one of the plurality of software defined network devices, wherein the second reconfiguration causes each reconfigured device from the second time to i) collect secondary data specified by the second playbook, and ii) provide the secondary data to the analytics device;

receive second analytics results from the analytics device;

provide a remediation device with instructions to remediate the threat, wherein the instructions are based on the particular analytics results and the second analytics results; and

cause the reconfigured devices to stop the collection of the additional data and secondary data after the threat has been successfully remediated.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Examples relate to handling network threats. In one example, a computing device may: receive, from a threat detector, threat data associated with a particular network device included in a plurality of network devices; identify, based on the threat data, a particular analytics operation for assisting with remediation of a threat associated with the threat data; identify, based on the threat data, additional data for performing the particular analytics operation; cause reconfiguration of at least one of the plurality of network devices, the reconfiguration causing each of the reconfigured network devices to i) collect the additional data, and ii) provide the additional data to an analytics device; and receive, from the analytics device, particular analytics results of the particular analytics operation.

49 Citations

View as Search Results

15 Claims

1. A non-transitory machine-readable storage medium encoded with instructions executable by a hardware processor of a computing device for handling network threats, the machine-readable storage medium comprising instructions to cause the hardware processor to:
- receive, from a threat detector, threat data associated with a particular client device included in a plurality of client devices;
  
  identify, based on the threat data, a responsive playbook from a plurality of predefined playbooks, wherein each of the plurality of predefined playbooks includes instructions for handling threat data and the responsive playbook specifies a particular analytics operation for assisting with remediation of a threat identified from the threat data;
  
  identify, from the responsive playbook, additional data for performing the particular analytics operation, wherein the additional data is a type of data that the plurality of network devices were not collecting at the time of receipt of the threat data;
  
  reconfigure at least one of a plurality of software defined network devices, the reconfiguration causing each reconfigured device to i) collect the additional data, and ii) provide the additional data to an analytics device;
  
  receive, from the analytics device, particular analytics results from the particular analytics operation;
  
  identify, based on the particular analytics results, a second playbook for addressing the threat when the particular analytics results are insufficient to determine whether the threat is an actual threat, wherein the second playbook is different from the responsive playbook;
  
  reconfigure a second time at least one of the plurality of software defined network devices, wherein the second reconfiguration causes each reconfigured device from the second time to i) collect secondary data specified by the second playbook, and ii) provide the secondary data to the analytics device;
  
  receive second analytics results from the analytics device;
  
  provide a remediation device with instructions to remediate the threat, wherein the instructions are based on the particular analytics results and the second analytics results; and
  
  cause the reconfigured devices to stop the collection of the additional data and secondary data after the threat has been successfully remediated.

2. The non-transitory machine-readable storage medium 1, wherein the particular analytics operation includes a determination of a likelihood that the additional data supports a pattern of communications associated with a particular type of malware.

3. The non-transitory machine-readable storage medium 1, wherein the additional data includes one or more of the following:
- a web proxy log, a user activity log, a network sample, or a counter associated with the particular client device.

4. The non-transitory machine-readable storage medium 1, wherein the secondary data includes one or more of the following:
- a web proxy log, a user activity log, a network sample, or a counter associated with another one of the plurality of the client devices.

5. The non-transitory machine-readable storage medium 1, wherein remediation of the threat includes configuration of one of the plurality of software defined network devices to halt outgoing traffic from the particular client device.

6. A computing device for handling network threats, the computing device comprising:
- a hardware processor; and
  
  a data storage device storing instructions that, when executed by the hardware processor, cause the hardware processor to;
  
  receive, from a threat detector, threat data associated with a particular client device included in a plurality of client devices;
  
  identify, based on the threat data, a responsive playbook from a plurality of predefined playbooks, wherein each of the plurality of predefined playbooks includes instructions for handling threat data and the responsive playbook specifies a particular analytics operation for assisting with remediation of a threat identified from the threat data;
  
  identify, from the responsive playbook, additional data for performing the particular analytics operation, wherein the additional data is a type of data that the plurality of network devices were not collecting at the time of receipt of the threat data;
  
  reconfigure at least one of a plurality of software defined network devices, the reconfiguration causing each reconfigured device to i) collect the additional data, and ii) provide the additional data to an analytics device;
  
  receive, from the analytics device, particular analytics results from the particular analytics operation;
  
  identify, based on the particular analytics results, a second playbook for addressing the threat when the particular analytics results are insufficient to determine whether the threat is an actual threat, wherein the second playbook is different from the responsive playbook;
  
  reconfigure a second time at least one of the plurality of software defined network devices, wherein the second reconfiguration causes each reconfigured device from the second time to i) collect secondary data specified by the second playbook, and ii) provide the secondary data to the analytics device;
  
  receive second analytics results from the analytics device;
  
  provide a remediation device with instructions to remediate the threat, wherein the instructions are based on the particular analytics results and the second analytics results; and
  
  cause the reconfigured devices to stop the collection of the additional data and secondary data after the threat has been successfully remediated.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computing device of claim 6, wherein the particular analytics operation includes a determination of a likelihood that the additional data supports a pattern of communications associated with a particular type of malware.
  - 8. The computing device of claim 6, wherein the additional data includes one or more of the following:
    - a web proxy log, a user activity log, a network sample, or a counter associated with the particular client device.
  - 9. The computing device of claim 6, wherein the secondary data includes one or more of the following:
    - a web proxy log, a user activity log, a network sample, or a counter associated with another one of the plurality of the client devices.
  - 10. The computing device of claim 6, wherein remediation of the threat includes configuration of one of the plurality of software defined network devices to halt outgoing traffic from the particular client device.

11. A method for handling network threats, implemented by a hardware processor, the method comprising:
- receiving, from a threat detector, threat data associated with a particular client device included in a plurality of client devices;
  
  identifying, based on the threat data, a responsive playbook from a plurality of predefined playbooks, wherein each of the plurality of predefined playbooks includes instructions for handling threat data and the responsive playbook specifies a particular analytics operation for assisting with remediation of a threat identified from the threat data;
  
  identifying, from the responsive playbook, additional data for performing the particular analytics operation, wherein the additional data is a type of data that the plurality of network devices were not collecting at the time of receipt of the threat data;
  
  reconfiguring at least one of a plurality of software defined network devices, the reconfiguration causing each reconfigured device to i) collect the additional data, and ii) provide the additional data to an analytics device;
  
  receiving, from the analytics device, particular analytics results from the particular analytics operation;
  
  identifying, based on the particular analytics results, a second playbook for addressing the threat when the particular analytics results are insufficient to determine whether the threat is an actual threat, wherein the second playbook is different from the responsive playbook;
  
  reconfiguring a second time at least one of the plurality of software defined network devices, wherein the second reconfiguration causes each reconfigured device from the second time to i) collect secondary data specified by the second playbook, and ii) provide the secondary data to the analytics device;
  
  receiving second analytics results from the analytics device;
  
  providing a remediation device with instructions to remediate the threat, wherein the instructions are based on the particular analytics results and the second analytics results; and
  
  causing the reconfigured devices to stop the collection of the additional data and secondary data after the threat has been successfully remediated.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein the particular analytics operation includes a determination of a likelihood that the additional data supports a pattern of communications associated with a particular type of malware.
  - 13. The method of claim 11, wherein the additional data includes one or more of the following:
    - a web proxy log, a user activity log, a network sample, or a counter associated with the particular client device.
  - 14. The method of claim 11, wherein the secondary data includes one or more of the following:
    - a web proxy log, a user activity log, a network sample, or a counter associated with another one of the plurality of the client devices.
  - 15. The method of claim 11, wherein remediation of the threat includes configuration of one of the plurality of software defined network devices to halt outgoing traffic from the particular client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Arnell, Simon Ian, Casassa Mont, Marco, Beresna, Yolanta, Koulouris, Theofrastos, Potter, Jon
Primary Examiner(s)
Lynch, Sharon S

Application Number

US15/777,185
Publication Number

US 20180337943A1
Time in Patent Office

1,736 Days
Field of Search
US Class Current
CPC Class Codes

H04L 12/22   Arrangements for preventing...

H04L 41/08   Configuration management of...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Handling network threats

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

49 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Handling network threats

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links