Targeted attack discovery

US2016094565A1 · US · A1

Patent metadata
Field · Value
Publication number · US-2016094565-A1
Application number · US-201414500181-A
Country · US
Kind code · A1
Filing date · Sep 29, 2014
Priority date · Sep 29, 2014
Publication date · Mar 31, 2016
Grant date · (not listed)

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A device may receive usage information, associated with a group of client networks, including particular usage information associated with a particular client network. The device may receive threat information, associated with the group of client networks, including particular threat information associated with the particular client network. The device may determine a baseline based on the usage information. The device may determine a normalization function, associated with the particular client network, based on the baseline and the particular usage information. The device may determine normalized threat information, associated with the particular client network, based on the normalization function and the particular threat information. The device may determine overall normalized threat information associated with the group of client networks. The device may compare the normalized threat information and the overall normalized threat information. The device may provide information associated with comparing the normalized threat information and the overall normalized threat information.

First claim

Opening claim text (preview).

What is claimed is:

1. A device, comprising: one or more processors to: receive usage information associated with a group of client networks, the usage information including particular usage information associated with a particular client network of the group of client networks; receive threat information associated with the group of client networks, the threat information including particular threat information associated with the particular client network; determine a usage baseline based on the usage information associated with the group of client networks; determine a normalization function, associated with the particular client network, based on the usage baseline and the particular usage information; determine normalized threat information, associated with the particular client network, based on the normalization function and the particular threat information; determine overall normalized threat information associated with the group of client networks; compare the normalized threat information, associated with the particular client network, and the overall normalized threat information associated with the group of client networks; and provide information associated with comparing the normalized threat information, associated with the particular client network, and the overall normalized threat information associated with the group of client networks.

2. The device of claim 1, where the usage information, associated with the group of client networks, and the threat information, associated with the group of client networks, are associated with a particular period of time.

3. The device of claim 1, where the one or more processors, when determining the usage baseline, are to: compute a mean usage metric value, associated with the group of client networks, based on the usage information associated with the group of client networks; and determine the usage baseline as a value equal to the mean usage metric value.

4. The device of claim 1, where the one or more processors, when determining the normalization function, are to: divide the usage baseline by a usage metric value associated with the particular client network to determine a normalization factor, the usage metric value being included in the particular usage information; and determine the normalization function as a function associated with applying the normalization factor to the usage metric value.

5. The device of claim 4, where the one or more processors, when determining the normalized threat information associated with the particular client network, are to: multiply the particular threat information by the normalization factor; and determine the normalized threat information as a value equal to a result of multiplying the particular threat information by the normalization factor.

6. The device of claim 1, where the one or more processors, when determining the overall normalized threat information, are to: determine a group of normalization functions, a normalization function, of the group of normalization functions, corresponding to a client network of the group of client networks; determine group normalized threat information, associated with the group of client networks, based on the group of normalization functions and the threat information; and compute mean normalized threat information based on the group normalized threat information associated with the group of client networks; and determine the overall normalized threat information as a value equal to the mean normalized threat information.

7. The device of claim 1, where the one or more processors, when providing the information associated with comparing the normalized threat information and the overall normalized threat information, are to: provide a threat assessment associated with the particular client network, the threat assessment indicating that the particular client network detected a high level of malicious activity, during a particular period of time, relative to the group of client networks.

8. A computer-readable medium storing instructions, the instructions comprising: one or more instructions that, when executed by one or more processors, cause the one or more processors to: obtain usage information, the usage information being associated with a group of networks, and the usage information including particular usage information associated with a particular network of the group of networks; obtain threat information, the threat information being associated with the group of networks, and the threat information including particular threat information associated with the particular network; determine a usage baseline based on the usage information associated with the group of networks; compute a normalization factor based on the usage baseline and the particular usage information, the normalization factor corresponding to the particular network; determine normalized threat information based on the normalization factor and the particular threat information, the normalized threat information corresponding to the particular network; determine overall normalized threat information, the overall normalized threat information being associated with the group of networks; compare the normalized threat information and the overall normalized threat information; and provide a threat assessment that is based on comparing the normalized threat information and the overall normalized threat information.

9. The computer-readable medium of claim 8, where the usage information, associated with the group of networks, and the threat information, associated with the group of networks, are associated with a particular period of time.

10. The computer-readable medium of claim 8, where the one or more instructions, that cause the one or more processors to determine the usage baseline, cause the one or more processors to: compute a median usage metric value, associated with the group of networks, based on the usage information associated with the group of networks; and determine the usage baseline as a value equal to the median usage metric value.

11. The computer-readable medium of claim 8, where the one or more instructions, that cause the one or more processors to compute the normalization factor, cause the one or more processors to: divide the usage baseline by a usage metric value associated with the particular network, the usage metric value being included in the particular usage information; and determine the normalization factor as a value equal to a result of dividing the usage baseline by the usage metric value.

12. The computer-readable medium of claim 8, where the one or more instructions, that cause the one or more processors to determine the normalized threat information associated with the particular network, cause the one or more processors to: multiply the particular threat information by the normalization factor; and determine the normalized threat information as a value equal to a result of multiplying the particular threat information by the normalization factor.

13. The computer-readable medium of claim 8, where the one or more instructions, that cause the one or more processors to determine the overall normalized threat information, cause the one or more processors to: compute a group of normalization factors, a normalization factor, of the group of normalization factors, corresponding to a network of the group of networks; determine group normalized threat information, associated with the group of networks, based on the group of normalization factors and the threat information; and compute
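The abstract and claims 1 through 13 describe a single procedure: take a usage baseline over the whole group of client networks (mean in claim 3, median in claim 10), divide it by each network's own usage to get a per-network normalization factor (claims 4 and 11), scale each network's raw threat count by that factor (claims 5 and 12), average the scaled values for the group (claims 6 and 13), and flag a network whose scaled value is high relative to that average (claim 7). The block below is an added example, not code from the patent or from Juniper Networks, that carries the procedure through on a constructed data set of five networks. The usage metric (sessions per period), the threat metric (detections per period), the network names, and the 2x flag threshold are all assumptions; the claims name no specific metric or threshold.

```python
"""Usage-normalized threat comparison across a group of client networks.

Added example, not code from the patent or from Juniper Networks. Assumptions
(the claims name none of these): the usage metric is sessions per network per
period, the threat metric is malicious-activity detections in that period, and a
network is flagged "high" when its normalized threat is at least HIGH_RATIO times
the group's overall normalized threat.
"""
from dataclasses import dataclass
from statistics import mean, median
from typing import Dict, List, Tuple

HIGH_RATIO = 2.0  # assumed flag threshold; claim 7 says only "high ... relative to the group"


@dataclass(frozen=True)
class NetworkPeriod:
    """Usage and threat information for one client network over one period (claim 2)."""
    name: str
    usage: float    # usage metric value, e.g. sessions in the period
    threats: float  # raw threat metric, e.g. detections in the period


def usage_baseline(networks: List[NetworkPeriod], method: str = "mean") -> float:
    """Group usage baseline: mean (claim 3) or median (claim 10) of the usage metric."""
    values = [n.usage for n in networks]
    if method == "mean":
        return mean(values)
    if method == "median":
        return median(values)
    raise ValueError(f"unknown baseline method: {method!r}")


def normalization_factor(baseline: float, usage: float) -> float:
    """Claims 4 and 11: the baseline divided by the network's own usage metric value."""
    if usage <= 0:
        # Division by zero is undefined; a network that reported no usage must be
        # excluded from the group before normalizing rather than silently scaled.
        raise ValueError("usage metric must be positive to compute a normalization factor")
    return baseline / usage


def normalized_threat(network: NetworkPeriod, baseline: float) -> float:
    """Claims 5 and 12: raw threat metric multiplied by the network's normalization factor."""
    return network.threats * normalization_factor(baseline, network.usage)


def overall_normalized_threat(networks: List[NetworkPeriod], baseline: float) -> float:
    """Claims 6 and 13: mean of every network's normalized threat value."""
    return mean(normalized_threat(n, baseline) for n in networks)


def assess(networks: List[NetworkPeriod], method: str = "mean",
           high_ratio: float = HIGH_RATIO) -> Tuple[float, float, Dict[str, dict]]:
    """Run the whole procedure; return (baseline, overall, per-network assessment)."""
    baseline = usage_baseline(networks, method)
    overall = overall_normalized_threat(networks, baseline)
    assessment: Dict[str, dict] = {}
    for n in networks:
        norm = normalized_threat(n, baseline)
        ratio = norm / overall if overall > 0 else float("inf")
        assessment[n.name] = {
            "raw_threats": n.threats,
            "normalized_threat": norm,
            "ratio_to_group": ratio,
            "high": overall > 0 and ratio >= high_ratio,  # claim 7 threat assessment
        }
    return baseline, overall, assessment


# Constructed sample: one reporting period for five client networks. net-d has the
# most raw detections, but net-e has five times the group's per-session rate.
SAMPLE = [
    NetworkPeriod("net-a", usage=1000, threats=10),
    NetworkPeriod("net-b", usage=2000, threats=20),
    NetworkPeriod("net-c", usage=500, threats=5),
    NetworkPeriod("net-d", usage=4000, threats=40),
    NetworkPeriod("net-e", usage=500, threats=25),
]

if __name__ == "__main__":
    baseline, overall, report = assess(SAMPLE)
    print(f"usage baseline (mean) = {baseline:.1f}, overall normalized threat = {overall:.1f}")
    for name, row in report.items():
        flag = "HIGH" if row["high"] else "ok"
        print(f"{name}: raw={row['raw_threats']:>4} normalized={row['normalized_threat']:>6.1f} "
              f"ratio={row['ratio_to_group']:.2f} {flag}")
```

Two properties of the claimed arithmetic are worth noting when building on it. First, because every network is scaled by the same baseline, the baseline cancels out of the comparison: a network's ratio to the group equals its own threats-per-unit-usage divided by the group's mean threats-per-unit-usage, so choosing the mean (claim 3) or the median (claim 10) changes the absolute normalized values but not which networks are flagged. Second, the division in claims 4 and 11 is undefined for a network that reported zero usage in the period, so such networks have to be dropped from the group before the baseline and overall values are computed; the example raises rather than guessing.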

Assignees

Juniper Networks Inc

Inventors

Classifications

  • Event detection, e.g. attack signature detection · CPC title

  • Assessing vulnerabilities and evaluating computer system security · CPC title

  • Vulnerability analysis · CPC title

  • Traffic logging, e.g. anomaly detection · CPC title

  • H04L63/145 · Primary

    the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2016094565A1 cover?
A device may receive usage information, associated with a group of client networks, including particular usage information associated with a particular client network. The device may receive threat information, associated with the group of client networks, including particular threat information associated with the particular client network. The device may determine a baseline based on the usag…
Who is the assignee on this patent?
Juniper Networks Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1433. Mapped technology areas include Electricity.
When was this patent published?
Publication date Mar 31, 2016 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).