RULE-BASED NETWORK-THREAT DETECTION
Abstract
A packet-filtering device may receive packet-filtering rules configured to cause the packet-filtering device to identify packets corresponding to network-threat indicators. The packet-filtering device may receive packets and, for each packet, may determine that the packet corresponds to criteria specified by a packet-filtering rule. The criteria may correspond to one or more of the network-threat indicators. The packet-filtering device may apply an operator specified by the packet-filtering rule. The operator may be configured to cause the packet-filtering device to either prevent the packet from continuing toward its destination or allow the packet to continue toward its destination. The packet-filtering device may generate a log entry comprising information from the packet-filtering rule that identifies the one or more network-threat indicators and indicating whether the packet-filtering device prevented the packet from continuing toward its destination or allowed the packet to continue toward its destination.
21 Claims
1. (canceled)
2. A method comprising:
    receiving, by a packet-filtering device located at a boundary between a protected network and an unprotected network, a plurality of packets;
    responsive to a determination by the packet-filtering device that a first packet of the plurality of packets corresponds to a first packet matching criterion specified by a first packet-filtering rule of a plurality of packet-filtering rules;
    applying, by the packet-filtering device and to the first packet, a first operator specified by the first packet-filtering rule corresponding to the first packet matching criterion;
    generating, by the packet-filtering device and for the first packet, a packet log entry comprising at least one threat identifier corresponding to the first packet; and
    determining, by the packet-filtering device, at least one score associated with the at least one threat identifier; and
    communicating, by the packet-filtering device, the at least one score associated with the at least one threat identifier,
    wherein each of the plurality of packet-filtering rules specifies at least one packet matching criterion and at least one operator.

Dependent claims 3, 4, 5, 6, 7, 8, 9, 10 and 11 depend on claim 2 (not reproduced here).
12. A packet-filtering device comprising:
    at least one processor; and
    memory storing instructions that when executed by the at least one processor cause the packet-filtering device to:
    receive, by the packet-filtering device located at a boundary between a protected network and an unprotected network, a plurality of packets;
    responsive to a determination by the packet-filtering device that a first packet of the plurality of packets corresponds to a first packet matching criterion specified by a first packet-filtering rule of a plurality of packet-filtering rules;
    apply, to the first packet, a first operator specified by the first packet-filtering rule corresponding to the first packet matching criterion;
    generate, for the first packet, a packet log entry comprising at least one threat identifier corresponding to the first packet; and
    determine at least one score associated with the at least one threat identifier; and
    communicate the at least one score associated with the at least one threat identifier,
    wherein each of the plurality of packet-filtering rules specifies at least one packet matching criterion and at least one operator.

Dependent claims 13, 14, 15 and 16 depend on claim 12 (not reproduced here).
17. One or more non-transitory computer-readable media comprising instructions that, when executed by at least one processor of a packet-filtering device, cause the packet-filtering device to:
    receive, by a packet-filtering device located at a boundary between a protected network and an unprotected network, a plurality of packets;
    responsive to a determination by the packet-filtering device that a first packet of the plurality of packets corresponds to a first packet matching criterion specified by a first packet-filtering rule of a plurality of packet-filtering rules;
    apply, to the first packet, a first operator specified by the first packet-filtering rule corresponding to the first packet matching criterion;
    generate, for the first packet, a packet log entry comprising at least one threat identifier corresponding to the first packet; and
    determine at least one score associated with the at least one threat identifier; and
    communicate the at least one score associated with the at least one threat identifier,
    wherein each of the plurality of packet-filtering rules specifies at least one packet matching criterion and at least one operator.

Dependent claims 18, 19, 20 and 21 depend on claim 17 (not reproduced here).
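The abstract and the three independent claims describe one mechanism: rules derived from threat indicators, each with a matching criterion and an operator; first-match evaluation at the boundary; a log entry carrying the threat identifier and the action taken; and a score per identifier that the device reports out. The following is an added illustration of that flow and is not the patent's own code or any vendor implementation. The packet fields, the rule format, the documentation-range addresses, the "TI-xxxx" identifiers and the scoring scheme (a per-indicator hit count weighted by a per-rule confidence) are all assumptions made for this example.

```python
"""Rule-based packet filtering with threat-indicator logging and scoring.

Added illustration of the mechanism in the abstract and claims above; it is not
the patent's own code. Packet fields, rule format, indicator ids, address ranges
and the scoring scheme are assumptions constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal view of a packet at the network boundary (assumed fields)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"


@dataclass
class Rule:
    """One matching criterion, one operator, and the indicator(s) behind it."""
    name: str
    criterion: Callable[[Packet], bool]
    operator: str            # "block" (prevent) or "allow" (let continue)
    threat_ids: List[str]    # identifiers of the network-threat indicators
    confidence: float = 1.0  # assumed weight, used only by the scoring below


@dataclass
class LogEntry:
    """Packet log entry: rule that fired, operator applied, indicators carried."""
    rule: str
    operator: str
    threat_ids: List[str]
    packet: Packet


def dst_in_network(cidr: str) -> Callable[[Packet], bool]:
    """Criterion: destination address falls inside an indicator's CIDR block."""
    net = ip_network(cidr)
    return lambda p: ip_address(p.dst_ip) in net


def dst_service(proto: str, port: int) -> Callable[[Packet], bool]:
    """Criterion: destination protocol/port matches an indicator's service."""
    return lambda p: p.proto == proto and p.dst_port == port


class PacketFilter:
    """First-match rule evaluation with logging and per-indicator scoring."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.log: List[LogEntry] = []
        self._scores: Dict[str, float] = {}

    def filter(self, pkt: Packet) -> str:
        """Apply the first rule whose criterion the packet satisfies.

        Returns the operator applied. A packet matching no rule is allowed
        and not logged (assumed default for this example).
        """
        for rule in self.rules:
            if rule.criterion(pkt):
                self.log.append(LogEntry(rule.name, rule.operator, list(rule.threat_ids), pkt))
                for tid in rule.threat_ids:
                    self._scores[tid] = self._scores.get(tid, 0.0) + rule.confidence
                return rule.operator
        return "allow"

    def scores(self) -> Dict[str, float]:
        return dict(self._scores)

    def report(self) -> List[Tuple[str, float]]:
        """What the device communicates: indicators ordered by score, highest first."""
        return sorted(self._scores.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed rule set: placeholder indicator ids and documentation-only ranges,
# not real threat intelligence. An "allow" rule still logs (monitor-only indicator).
RULES = [
    Rule("block-c2-range", dst_in_network("203.0.113.0/24"), "block", ["TI-0001"], 1.0),
    Rule("monitor-suspect-range", dst_in_network("198.51.100.0/24"), "allow", ["TI-0002"], 0.3),
    Rule("block-c2-port", dst_service("tcp", 4444), "block", ["TI-0003"], 0.8),
]


def run_demo() -> Tuple[List[str], PacketFilter]:
    """Run a constructed packet stream through the rule set."""
    packets = [
        Packet("10.0.0.5", "203.0.113.7", 443, "tcp"),   # hits block-c2-range
        Packet("10.0.0.5", "198.51.100.20", 80, "tcp"),  # allowed but logged
        Packet("10.0.0.9", "192.0.2.33", 4444, "tcp"),   # hits block-c2-port
        Packet("10.0.0.9", "192.0.2.33", 443, "tcp"),    # no rule matches
        Packet("10.0.0.5", "203.0.113.7", 4444, "tcp"),  # first match wins: TI-0001
    ]
    pf = PacketFilter(RULES)
    decisions = [pf.filter(p) for p in packets]
    return decisions, pf


if __name__ == "__main__":
    _, pf = run_demo()
    for e in pf.log:
        print(f"{e.rule:24} {e.operator:5} {e.threat_ids} -> {e.packet.dst_ip}:{e.packet.dst_port}")
    print("scores communicated:", pf.report())
```

Two points worth noticing when reading the output: the last packet satisfies two criteria but is attributed only to the first rule in order, so rule ordering is part of the security policy, and the monitor-only rule produces a log entry and a score contribution without blocking anything, which is how an allow operator still yields the threat-identifier log entry the claims describe.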