Handling network threats

  • US 10,749,895 B2
  • Filed: 11/17/2015
  • Issued: 08/18/2020
  • Est. Priority Date: 11/17/2015
  • Status: Active Grant
First Claim

1. A non-transitory machine-readable storage medium encoded with instructions executable by a hardware processor of a computing device for handling network threats, the machine-readable storage medium comprising instructions to cause the hardware processor to:

  • receive, from a threat detector, threat data associated with a particular client device included in a plurality of client devices;
  • identify, based on the threat data, a responsive playbook from a plurality of predefined playbooks, wherein each of the plurality of predefined playbooks includes instructions for handling threat data and the responsive playbook specifies a particular analytics operation for assisting with remediation of a threat identified from the threat data;
  • identify, from the responsive playbook, additional data for performing the particular analytics operation, wherein the additional data is a type of data that the plurality of network devices were not collecting at the time of receipt of the threat data;
  • reconfigure at least one of a plurality of software defined network devices, the reconfiguration causing each reconfigured device to i) collect the additional data, and ii) provide the additional data to an analytics device;
  • receive, from the analytics device, particular analytics results from the particular analytics operation;
  • identify, based on the particular analytics results, a second playbook for addressing the threat when the particular analytics results are insufficient to determine whether the threat is an actual threat, wherein the second playbook is different from the responsive playbook;
  • reconfigure a second time at least one of the plurality of software defined network devices, wherein the second reconfiguration causes each reconfigured device from the second time to i) collect secondary data specified by the second playbook, and ii) provide the secondary data to the analytics device;
  • receive second analytics results from the analytics device;
  • provide a remediation device with instructions to remediate the threat, wherein the instructions are based on the particular analytics results and the second analytics results; and
  • cause the reconfigured devices to stop the collection of the additional data and secondary data after the threat has been successfully remediated.
