Methods and systems for protecting a secured network
US-2015304354-A1 · Oct 22, 2015 · US
US10659573B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10659573-B2 |
| Application number | US-201916554293-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 28, 2019 |
| Priority date | Feb 10, 2015 |
| Publication date | May 19, 2020 |
| Grant date | May 19, 2020 |
Official abstract text for this publication.
A computing system may identify packets received by a network device from a host located in a first network and may generate log entries corresponding to the packets received by the network device. The computing system may identify packets transmitted by the network device to a host located in a second network and may generate log entries corresponding to the packets transmitted by the network device. Utilizing the log entries corresponding to the packets received by the network device and the log entries corresponding to the packets transmitted by the network device, the computing system may correlate the packets transmitted by the network device with the packets received by the network device.
Opening claim text (preview).
What is claimed is:

1. A method comprising: identifying, by a computing system, a plurality of packets received by a network device from a host located in a first network; generating, by the computing system, a first plurality of log entries corresponding to the plurality of packets received by the network device; identifying, by the computing system, a plurality of encrypted packets transmitted by the network device to a host located in a second network; generating, by the computing system, a second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device; correlating, by the computing system and based on the first plurality of log entries corresponding to the plurality of packets received by the network device and the second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device, the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device; and responsive to the correlating of the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device: generating, by the computing system and based on the correlating, one or more rules configured to identify packets received from the host located in the first network; and provisioning a packet-filtering device with the one or more rules configured to identify packets received from the host located in the first network.

2. The method of claim 1, wherein a communication path that interfaces the network device and the first network comprises a first tap, wherein a communication path that interfaces the network device and the second network comprises a second tap, the method comprising: provisioning, by the computing system, the first tap with one or more rules configured to identify the plurality of packets received by the network device; and provisioning, by the computing system, the second tap with one or more rules configured to identify the plurality of encrypted packets transmitted by the network device.

3. The method of claim 1, wherein correlating the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device comprises: comparing one or more ports indicated by the first plurality of log entries corresponding to the plurality of packets received by the network device with one or more ports indicated by the second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device.

4. The method of claim 1, wherein correlating the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device comprises: comparing one or more network-interface identifiers of the network device indicated by the first plurality of log entries corresponding to the plurality of packets received by the network device with one or more network-interface identifiers of the network device indicated by the second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device.

5. The method of claim 1, wherein correlating the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device comprises: comparing one or more times indicated by the first plurality of log entries corresponding to the plurality of packets received by the network device with one or more times indicated by the second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device.

6. The method of claim 1, wherein: the first plurality of log entries corresponding to the plurality of packets received by the network device comprises a plurality of timestamps indicating times corresponding to receipt, by the network device, of the plurality of packets received by the network device; the second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device comprises a plurality of timestamps indicating times corresponding to transmission, by the network device, of the plurality of encrypted packets transmitted by the network device; and correlating the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device comprises comparing one or more times indicated by the plurality of timestamps indicating times corresponding to receipt with one or more times indicated by the plurality of timestamps indicating times corresponding to transmission.

7. The method of claim 1, comprising: determining, by the computing system, that the host located in the second network is associated with a malicious entity; and generating, by the computing system, one or more rules configured to cause the first network to drop packets transmitted by the host located in the first network.

8. The method of claim 1, comprising: generating, by the computing system, a message identifying the host located in the first network; and communicating, by the computing system and to at least one of the host located in the first network or a computing device associated with an administrator of the first network, the message identifying the host located in the first network.

9. A computing device comprising: at least one processor; and memory comprising instructions that, when executed by the at least one processor, cause the computing device to: identify a plurality of packets received by a network device from a host located in a first network; generate a first plurality of log entries corresponding to the plurality of packets received by the network device; identify a plurality of encrypted packets transmitted by the network device to a host located in a second network; generate a second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device; correlate, based on the first plurality of log entries corresponding to the plurality of packets received by the network device and the second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device, the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device; and responsive to the correlating of the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device: generate, based on the correlating, one or more rules configured to identify packets received from the host located in the first network; and provision a packet-filtering device with the one or more rules configured to identify packets received from the host located in the first network.

10. The computing device of claim 9, wherein a communication path that interfaces the network device and the first network comprises a first tap, wherein a communication path that interfaces the network device and the second network comprises a second tap, and wherein the memory comprises instructions that, when executed by the at least one processor, further cause the computing device to: provision the first tap with the one or more rules configured to identify the plurality of packets received by the network device; and provision the second tap with one or more rules configured to identify the plurality of encrypted packets transmitted by the network device.

11. The computing device of claim 9, wherein the instructions, when executed by the at least one processor, cause the computing device to correlate th
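As an added illustration of the correlation step in claims 1 and 3 to 7 (example code written for this page, not taken from the patent or its assignee), the Python below pairs a first tap's log of plaintext packets arriving at a network device with a second tap's log of encrypted packets leaving it, then derives packet-filtering rules for first-network hosts whose traffic went to a known-malicious second-network host. The log-entry fields, the interface pairing, the assumption that the device preserves transport ports across encryption, the 50 ms correlation window and all sample entries and addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LogEntry:
    ts: float    # seconds at which the tap observed the packet
    iface: str   # network-interface identifier of the network device
    src: str
    dst: str
    sport: int
    dport: int

# Assumptions: the device keeps the transport header (so ports survive encryption),
# ingress eth0 pairs with egress eth1, and an encrypted packet leaves within WINDOW
# seconds of its plaintext counterpart arriving.
IFACE_PAIRS = {"eth0": "eth1"}
WINDOW = 0.050

def correlate(received, transmitted, window=WINDOW):
    """Pair each received entry with the first unused transmitted entry that matches on
    interface pairing, ports and a bounded time offset (claims 3 to 6)."""
    pairs, used = [], set()
    for r in received:
        for i, t in enumerate(transmitted):
            if (i not in used and IFACE_PAIRS.get(r.iface) == t.iface
                    and (r.sport, r.dport) == (t.sport, t.dport)
                    and 0 <= t.ts - r.ts <= window):
                pairs.append((r, t))
                used.add(i)
                break
    return pairs

def build_rules(pairs, malicious_hosts):
    """Where the encrypted side went to a known-malicious second-network host, emit a
    filtering rule identifying the first-network host (claims 1 and 7)."""
    flagged = sorted({r.src for r, t in pairs if t.dst in malicious_hosts})
    return [{"action": "drop", "src": host} for host in flagged]

# Constructed sample logs and threat list (not real traffic or indicators).
RECEIVED = [
    LogEntry(100.000, "eth0", "10.1.1.5", "10.1.1.1", 40001, 443),
    LogEntry(100.004, "eth0", "10.1.1.7", "10.1.1.1", 40002, 443),
    LogEntry(130.000, "eth0", "10.1.1.9", "10.1.1.1", 40003, 443),
]
TRANSMITTED = [
    LogEntry(100.002, "eth1", "203.0.113.1", "198.51.100.9", 40001, 443),
    LogEntry(100.006, "eth1", "203.0.113.1", "192.0.2.44", 40002, 443),
    LogEntry(130.500, "eth1", "203.0.113.1", "198.51.100.9", 40003, 443),  # late
]
MALICIOUS = {"198.51.100.9"}
```

With the default window the third pair is rejected because the encrypted packet left 500 ms after the plaintext one, so only 10.1.1.5 is flagged; widening the window to a second also flags 10.1.1.9, which is the tuning trade-off a deployment of this scheme has to make.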
Network monitoring probes · CPC title
using flow identification · CPC title
Rule management · CPC title
by discarding or delaying data units, e.g. packets or frames · CPC title
involving identification of individual flows · CPC title