Determining trusted file awareness via loosely connected events and file attributes
US-2024364713-A1 · Oct 31, 2024 · US
US10686759B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10686759-B2 |
| Application number | US-201514745637-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 22, 2015 |
| Priority date | Jun 22, 2014 |
| Publication date | Jun 16, 2020 |
| Grant date | Jun 16, 2020 |
Official abstract text for this publication.
A firewall monitors network activity and stores information about that network activity in a network activity log. The network activity is analyzed to identify a potential threat. The potential threat is further analyzed to identify other potential threats that are related to the potential threat, and are likely to pose a future risk to a protected network. A block list is updated to include the potential threat and the other potential threats to protect the protected network from the potential threat and the other potential threats.
Opening claim text (preview).
What is claimed is:

1. A method of predicting network threats, the method comprising: identifying a threat vector from network activity log data using one or more computing devices; determining, based at least upon relationship data for the threat vector, a first online object having a first type and a second online object having a second type different from the first type, wherein the relationship data identifies a first association between the threat vector and the first online object and a second association between the threat vector and the second online object; identifying the first online object as a predictive network threat based at least upon the first association between the threat vector and the first online object; and providing data regarding the threat vector as an identified network threat and the first online object as the predictive network threat to a firewall device using the one or more computing devices, wherein the firewall device blocks network activity associated with the threat vector as the identified network threat and the first online object as the predictive network threat.

2. The method of claim 1, wherein the first type and the second type are one of: an internet protocol address, a file, a uniform resource locator, and a software application.

3. The method of claim 1, wherein identifying the threat vector from the network activity log data comprises: receiving network activity log event data including at least one network event; sending a request to a reputation management system; and receiving a response from the reputation management system indicating whether the network event is a threat.

4. The method of claim 3, wherein the response from the reputation management system contains the results of an investigation conducted by the reputation management system to evaluate whether the network event is a threat.

5. The method of claim 1, wherein determining the first online object comprises: sending a request to a relationship management system, the request identifying the threat vector; and receiving a response from the relationship management system identifying the first online object.

6. The method of claim 5, further comprising determining a third online object having a third type, wherein the relationship data identifies a third association between the first online object and the third online object.

7. The method of claim 6, wherein determining the third online object comprises: sending a subsequent request to the relationship management system, the subsequent request identifying the first online object; and receiving a response from the relationship management system identifying the third online object.

8. The method of claim 6, wherein the third online object has no more than three degrees of separation from the threat vector.

9. The method of claim 1, further comprising adding the threat vector and the first online object to a block list of the firewall device, and operating the firewall device to block network traffic associated with the block list.

10. A computing system comprising: at least one processing device; and at least one computer readable storage device storing data instructions that, when executed by the at least one processing device, cause the at least one processing device to: identify an online element associated with network activity; determine that the online element is associated with a malicious reputation as an identified threat; determine, based at least upon relationship data for the online element, a first online object having a first type and a second online object having a second type different from the first type, wherein the relationship data identifies a first association between a threat vector and the first online object and a second association between a threat vector and the second online object; identify the first online object as a predictive threat based at least upon the first association between the online element and the first online object; and sending data describing the online element as an identified threat and the first online object as the predictive threat to a firewall so that the firewall can block network activity associated with the online element and the first online object.

11. The computing system of claim 10, wherein the first type and the second type are one of: an internet protocol address, a file, a uniform resource locator, and a software application.

12. The computing system of claim 10, wherein determining that the online element is associated with the malicious reputation comprises: receiving the network activity including at least one network event; sending a request to a reputation management system; and receiving a response from the reputation management system indicating whether the network event is a threat.

13. The computing system of claim 12, wherein the response from the reputation management system contains the results of an investigation conducted by the reputation management system to evaluate whether the network event is a threat.

14. The computing system of claim 10, wherein determining the first online object comprises: sending a request to a relationship management system, the request identifying the online element; and receiving a response from the relationship management system identifying the first online object.

15. The computing system of claim 10, wherein the computer readable storage device storing data instructions that, when executed by the at least one processing device, cause the at least one processing device to: determine a third online object having a third type, wherein the relationship data identifies a third association between the first online object and the third online object.

16. The computing system of claim 15, wherein determining the third online object comprises: sending a subsequent request to the relationship management system, the subsequent request identifying the third online object; and receiving a response from the relationship management system identifying the third online object.

17. The computing system of claim 15, wherein the third online object has no more than three degrees of separation from the online element.

18. A method of predicting network threats, the method comprising: receiving at a computing device a request including an identifier associated with an online element; determining that the online element has a malicious reputation based on a comparison between the identifier associated with the online element and data in a reputation database; sending by the computing device a response indicating that the online element has the malicious reputation as an identified network threat; receiving at the computing device a request for known relationships to the online element; searching a relationship database to identify a first online object and a second online object that also have the malicious reputation, using the computing device, the first online object having a first type and the second online object having a second type different from the first type, wherein there is a first association between the first online object and the online element and a second association between a second online object and the online element; and sending from the computing device one or more identifiers for the first online object and the second online object as predictive network threats.

19. The method of claim 18, wherein the first association and the second association are each no more than three degrees of separation from the onlin
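The claims above describe a pipeline: pull network events from a firewall log, ask a reputation service which destinations are threats, walk the relationship data outward from each identified threat vector for up to three degrees of separation, and push both the identified and the predicted objects to the firewall's block list. The following is an added example of that flow written for this page; it is not code from the patent or its assignee. The log line format, the `REPUTATION_DB` and `RELATIONSHIP_DB` dictionaries (stand-ins for the claimed reputation management system and relationship management system), and all identifiers and hashes in them are constructed for illustration.

```python
"""Added example (not the patent's code): toy version of the claimed
predictive block-list flow. Log format, databases and values are
constructed assumptions for illustration only."""
import re
from collections import deque

# Object types enumerated in claim 2: IP address, file, URL, software application.
OBJECT_TYPES = {"ip", "file", "url", "app"}

# Constructed reputation database (stands in for the reputation management system).
REPUTATION_DB = {
    "203.0.113.7": "malicious",
    "198.51.100.20": "benign",
    "sha256:deadbeef": "malicious",
    "http://example.invalid/drop": "malicious",
}

# Constructed relationship database (stands in for the relationship management
# system): undirected associations between (type, identifier) nodes.
RELATIONSHIP_DB = [
    (("ip", "203.0.113.7"), ("url", "http://example.invalid/drop")),      # degree 1
    (("url", "http://example.invalid/drop"), ("file", "sha256:deadbeef")),  # degree 2
    (("file", "sha256:deadbeef"), ("app", "app:loader.exe")),              # degree 3
    (("app", "app:loader.exe"), ("ip", "192.0.2.44")),                     # degree 4
    (("ip", "198.51.100.20"), ("url", "http://benign.invalid/")),          # unrelated
]

# Constructed firewall log lines in an assumed key=value format.
SAMPLE_LOG = [
    "2024-10-31T10:00:01Z action=allow src=10.0.0.5 dst=203.0.113.7",
    "2024-10-31T10:00:02Z action=allow src=10.0.0.5 dst=198.51.100.20",
    "this line is malformed and must be skipped, not crash the pipeline",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")


def identify_threat_vectors(log_lines, reputation_db):
    """Claim 3: take network events from the log and consult the reputation
    data for each destination. Returns the set of ('ip', address) threat vectors."""
    vectors = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable event: ignore rather than abort
        if reputation_db.get(m.group("dst")) == "malicious":
            vectors.add(("ip", m.group("dst")))
    return vectors


def build_graph(relationships):
    """Turn the association list into an adjacency map, rejecting unknown types."""
    graph = {}
    for a, b in relationships:
        for node in (a, b):
            if node[0] not in OBJECT_TYPES:
                raise ValueError(f"unknown object type {node[0]!r}")
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def predict_related_threats(vector, graph, max_degrees=3):
    """Claims 5-8: breadth-first walk from the threat vector over the relationship
    data, keeping objects within max_degrees of separation. Returns {node: degree}."""
    degree = {vector: 0}
    queue = deque([vector])
    while queue:
        node = queue.popleft()
        if degree[node] >= max_degrees:
            continue  # do not expand beyond the allowed degree of separation
        for neighbour in graph.get(node, ()):
            if neighbour not in degree:
                degree[neighbour] = degree[node] + 1
                queue.append(neighbour)
    del degree[vector]  # the vector itself is reported as 'identified', not predicted
    return degree


def update_block_list(log_lines, reputation_db, relationships, max_degrees=3):
    """Claim 9: block list = identified threat vectors plus their predictive threats.
    Returns {(type, identifier): reason}."""
    graph = build_graph(relationships)
    block_list = {}
    for vector in identify_threat_vectors(log_lines, reputation_db):
        block_list[vector] = "identified"
        for obj, d in predict_related_threats(vector, graph, max_degrees).items():
            block_list.setdefault(obj, f"predictive (degree {d})")
    return block_list


if __name__ == "__main__":
    for obj, reason in sorted(update_block_list(SAMPLE_LOG, REPUTATION_DB, RELATIONSHIP_DB).items()):
        print(f"{obj[0]:5} {obj[1]:35} {reason}")
```

With the constructed data, the walk from 203.0.113.7 stops at the loader application (degree 3), so 192.0.2.44 at degree 4 is not added; raising `max_degrees` pulls it in. The benign destination and its unrelated URL never enter the block list, which is the check a practitioner wants before wiring such predictions to an enforcement point.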
using logs of notifications; Post-processing of notifications · CPC title
for detecting or protecting against malicious traffic · CPC title
Filtering policies (mail message filtering H04L51/212) · CPC title
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title
Traffic logging, e.g. anomaly detection · CPC title