Efficient packet capture for cyber threat analysis

US12375447B2 · US · B2

Patent metadata
Field | Value
Publication number | US-12375447-B2
Application number | US-202318210896-A
Country | US
Kind code | B2
Filing date | Jun 16, 2023
Priority date | Jan 4, 2016
Publication date | Jul 29, 2025
Grant date | Jul 29, 2025

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Methods, systems, and computer-readable media for efficiently detecting threat incidents for cyber threat analysis are described herein. In various embodiments, a computing device, which may be located at a boundary between a protected network associated with the enterprise and an unprotected network, may combine one or more threat indicators received from one or more threat intelligence providers; may generate one or more packet capture and packet filtering rules based on the combined threat indicators; and, may capture or filter, on a packet-by-packet basis, at least one packet based on the generated rules. In other embodiments, a computing device may generate a packet capture file comprising raw packet content and corresponding threat context information, wherein the threat context information may comprise a filtering rule and an associated threat indicator that caused the packet to be captured.

First claim

Opening claim text (preview).

What is claimed is:

1. A computing device located at a boundary between a protected network and an unprotected network external to the protected network, the computing device comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the computing device to: receive, from a first network threat intelligence provider external to the protected network, one or more of: a domain name, or a uniform resource identifier; automatically generate, based on the domain name or the uniform resource identifier, one or more packet filtering rules by: generating a first packet filtering rule configured to filter packets matching the domain name or the uniform resource identifier; and assigning a flow capture directive to the first packet filtering rule, wherein the flow capture directive is configured to cause the computing device to: cause storage of one or more packets matching the domain name or the uniform resource identifier; and cause storage, based on a five-tuple field value corresponding to the one or more packets matching the domain name or the uniform resource identifier, of a bidirectional flow of packets subsequent to the one or more packets matching the domain name or the uniform resource identifier; filter, based on the first packet filtering rule, a plurality of packets; determine, based on the filtered plurality of packets, one or more first packets, received by the computing device and corresponding to a first packet flow, that match the domain name or the uniform resource identifier; based on determining that the one or more first packets match the domain name or the uniform resource identifier of the first packet filtering rule: determine a first 5-tuple of the determined one or more first packets; and capture, based on the flow capture directive of the first packet filtering rule and based on the first 5-tuple of the determined one or more first packets matching the five-tuple field value corresponding to the domain name or the uniform resource identifier, the one or more first packets; after capturing the one or more first packets: determine a second 5-tuple of one or more subsequent packets; and capture, based on the flow capture directive of the first packet filtering rule and based on determining that the second 5-tuple of the one or more subsequent packets corresponds to the first 5-tuple, the one or more subsequent packets of the first packet flow; and generate, for the captured one or more subsequent packets of the first packet flow, a packet capture file comprising: raw packet content of the captured one or more first packets and the one or more subsequent packets, and threat context information comprising an indication of the first packet filtering rule.

2. The computing device of claim 1, wherein the determining that the second 5-tuple of the one or more subsequent packets corresponds to the first 5-tuple comprises determining one or more of: a source value of the first 5-tuple is a destination value of the second 5-tuple, or the second 5-tuple indicates that the one or more first packets are traveling in an opposite direction compared to the one or more subsequent packets.

3. The computing device of claim 1, wherein the flow capture directive is configured to cause storage of all packets transiting in either direction of the bidirectional flow.

4. The computing device of claim 1, wherein the instructions, when executed by the one or more processors, cause the computing device to: receive, from a second network threat intelligence provider, a second domain name or uniform resource identifier; and generate a third network threat indicator by combining a first portion of the domain name or the uniform resource identifier and a second portion of the second domain name or uniform resource identifier based on common characteristics of the domain name or the uniform resource identifier and the second domain name or uniform resource identifier, wherein generating the first packet filtering rule configured to filter packets matching the domain name or the uniform resource identifier comprises generating the first packet filtering rule such that the first packet filtering rule is configured to filter packets associated with the third network threat indicator.

5. The computing device of claim 4, wherein the common characteristics comprise one or more of: a common source address, a common source port, a common destination address, a common destination port, a common protocol type, a common uniform resource identifier (URI), or a common domain name.

6. The computing device of claim 1, wherein the instructions, when executed by the one or more processors, cause the computing device to: determine whether to log the one or more subsequent packets based on the first packet filtering rule.

7. The computing device of claim 1, wherein the first packet filtering rule permits packets matching the domain name or the uniform resource identifier to cross the boundary between the protected network and the unprotected network.

8. The computing device of claim 1, wherein the assigning the flow capture directive to the first packet filtering rule is based on determining that the first packet filtering rule is configured to permit packets matching the domain name or the uniform resource identifier to cross the boundary between the protected network and the unprotected network.

9. The computing device of claim 1, wherein the assigning the flow capture directive to the first packet filtering rule is based on an indication, from the first network threat intelligence provider, that traffic matching the domain name or the uniform resource identifier should be permitted to cross the boundary between the protected network and the unprotected network.

10. A method comprising: receiving, by a computing device located at a boundary between a protected network and an unprotected network external to the protected network and from a first network threat intelligence provider external to the protected network, one or more of: a domain name, or a uniform resource identifier; automatically generating, based on the domain name or the uniform resource identifier, one or more packet filtering rules by: generating a first packet filtering rule configured to filter packets matching the domain name or the uniform resource identifier; and assigning a flow capture directive to the first packet filtering rule, wherein the flow capture directive is configured to cause the computing device to: cause storage of one or more packets matching the domain name or the uniform resource identifier; and cause storage, based on a five-tuple field value corresponding to the one or more packets matching the domain name or the uniform resource identifier, of a bidirectional flow of packets subsequent to the one or more packets matching the domain name or the uniform resource identifier; filtering, by the computing device and based on the first packet filtering rule, a plurality of packets; determining, based on the filtered plurality of packets, one or more first packets, received by the computing device and corresponding to a first packet flow, that match the domain name or the uniform resource identifier; based on determining that the one or more first packets match the domain name or the uniform resource identifier of the first packet filtering rule: determining a first 5-tuple of the determined one or more first packets; and capturing, by the computing device and based on the flow capture directive of the first packet filtering rule and based on the first 5-tuple of the determined one or more first packets matching the five
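The capture path that the abstract and claims 1 to 3 and 8 describe, as a runnable sketch added here for illustration. It is not Centripetal's code and the patent specifies none of these data structures: the two indicator feeds, the packet objects (with the HTTP Host or DNS query name assumed to be already parsed into a `host` field), the ad hoc serialization of a capture record, the default-allow policy for unmatched traffic, and the reading of "combining threat indicators" as de-duplication of the same indicator across providers are all assumptions of the example.

```python
"""Indicator-driven flow capture as the abstract and claim 1 describe it. Added example,
not Centripetal's code; every structure, feed and packet below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, int, str, int, str]  # (src_ip, src_port, dst_ip, dst_port, proto)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    payload: bytes = b""
    host: Optional[str] = None  # HTTP Host or DNS QNAME, assumed already parsed (constructed field)
    uri: Optional[str] = None   # HTTP request path, if any (constructed field)

    def five_tuple(self) -> FiveTuple:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)

def reverse(ft: FiveTuple) -> FiveTuple:
    return (ft[2], ft[3], ft[0], ft[1], ft[4])  # claim 2: the reply direction swaps src and dst

@dataclass
class FilterRule:
    indicator: str              # domain name or URI supplied by the TI provider(s)
    providers: Tuple[str, ...]
    permit: bool                # claims 7-9: permitted traffic is what gets flow-captured
    flow_capture: bool          # the "flow capture directive"

    def matches(self, pkt: Packet) -> bool:
        if pkt.host is None:
            return False
        if "/" in self.indicator:  # URI indicator: host + path must match exactly
            return pkt.uri is not None and pkt.host + pkt.uri == self.indicator
        return pkt.host == self.indicator or pkt.host.endswith("." + self.indicator)

@dataclass
class CaptureRecord:  # one entry of the packet capture file: raw content plus threat context
    raw: bytes
    rule_indicator: str
    providers: Tuple[str, ...]
    reason: str       # "match" (the first packets) or "subsequent" (the rest of the flow)

def combine_indicators(feeds: Dict[str, List[str]]) -> Dict[str, Tuple[str, ...]]:
    """One entry per distinct indicator, keeping every provider that supplied it."""
    merged: Dict[str, set] = {}
    for provider, indicators in feeds.items():
        for ind in indicators:
            merged.setdefault(ind.lower(), set()).add(provider)
    return {k: tuple(sorted(v)) for k, v in merged.items()}

def generate_rules(feeds: Dict[str, List[str]], permit: bool = True) -> List[FilterRule]:
    """One rule per indicator; per claim 8 the directive is attached only to permitting rules."""
    return [FilterRule(ind, provs, permit, flow_capture=permit)
            for ind, provs in combine_indicators(feeds).items()]

class BoundaryDevice:
    def __init__(self, rules: List[FilterRule]):
        self.rules = rules
        self.tracked: Dict[FiveTuple, FilterRule] = {}  # flows under capture, keyed by first packet's 5-tuple
        self.capture_file: List[CaptureRecord] = []

    def _record(self, pkt: Packet, rule: FilterRule, reason: str) -> None:
        hdr = f"{pkt.proto} {pkt.src_ip}:{pkt.src_port}>{pkt.dst_ip}:{pkt.dst_port} ".encode()
        self.capture_file.append(CaptureRecord(hdr + pkt.payload, rule.indicator, rule.providers, reason))

    def process(self, pkt: Packet) -> bool:
        """Filter one packet; returns True if it may cross the boundary."""
        ft = pkt.five_tuple()
        # Second half of the directive: same 5-tuple or its reverse => part of the captured flow (claims 2, 3)
        rule = self.tracked.get(ft) or self.tracked.get(reverse(ft))
        if rule is not None:
            self._record(pkt, rule, "subsequent")
            return rule.permit
        for rule in self.rules:  # first half: the packet matching the indicator fixes the 5-tuple
            if rule.matches(pkt):
                if rule.flow_capture:
                    self.tracked[ft] = rule
                    self._record(pkt, rule, "match")
                return rule.permit
        return True  # default policy for unmatched traffic (assumption of the example)

def demo() -> BoundaryDevice:
    """Constructed feeds and packets: a beacon to c2.example, its reply, a later packet of the
    same flow with no Host visible, unrelated benign traffic, and a DNS lookup of a subdomain."""
    feeds = {"provider-A": ["c2.example"], "provider-B": ["C2.example", "bad.example/dl/x"]}
    dev = BoundaryDevice(generate_rules(feeds))
    for p in [
        Packet("10.0.0.5", 51000, "203.0.113.9", 80, "tcp", b"GET /beacon HTTP/1.1\r\nHost: c2.example\r\n\r\n", "c2.example", "/beacon"),
        Packet("203.0.113.9", 80, "10.0.0.5", 51000, "tcp", b"HTTP/1.1 200 OK\r\n\r\n"),
        Packet("10.0.0.5", 51000, "203.0.113.9", 80, "tcp", b"POST /upload HTTP/1.1\r\n"),
        Packet("10.0.0.6", 52000, "198.51.100.2", 443, "tcp", b"\x16\x03\x01", "good.example"),
        Packet("10.0.0.7", 40000, "10.0.0.53", 53, "udp", b"\x12\x34", "www.c2.example"),
    ]:
        dev.process(p)
    return dev
```

Calling `demo()` pushes the five constructed packets through the device and returns it with four capture records: the beacon, its reply, the later POST, and the DNS query. The reply and the POST carry no Host header at all, yet both are stored, because once the first packet has matched the indicator the directive keys on the 5-tuple (and its reverse) rather than on the indicator; that is what claims 1 to 3 add over a plain indicator match. Two things a production device needs that the sketch omits: the tracked-flow table must age entries out (TCP FIN/RST or an idle timer), otherwise every matched flow is followed forever; and the raw record should be the real link-layer bytes written in pcap or pcapng form, with the rule and indicator carried in a companion index or packet comment rather than this ad hoc text header.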

Assignees

Centripetal Networks Llc

Inventors

Classifications

  • Traffic logging, e.g. anomaly detection · CPC title

  • for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

  • by monitoring network traffic (monitoring network traffic per se H04L43/00) · CPC title

  • Rule management · CPC title

  • Filtering by address, protocol, port number or service, e.g. IP-address or URL · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12375447B2 cover?
Methods, systems, and computer-readable media for efficiently detecting threat incidents for cyber threat analysis are described herein. In various embodiments, a computing device, which may be located at a boundary between a protected network associated with the enterprise and an unprotected network, may combine one or more threat indicators received from one or more threat intelligence provid…
Who is the assignee on this patent?
Centripetal Networks Llc
What technology area does this patent fall under?
Primary CPC classification H04L63/0236. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jul 29, 2025 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).