Systems and methods for distributed threat detection in a computer network

US9621568B2 · US · B2

Patent metadata

Publication number: US-9621568-B2
Application number: US-201414480318-A
Country: US
Kind code: B2
Filing date: Sep 8, 2014
Priority date: Feb 11, 2014
Publication date: Apr 11, 2017
Grant date: Apr 11, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A method and apparatus for distributed threat detection in a computer network is described. The method may include receiving, by a threat detection system of a first computer network, a request for a service from a threat sensor of a second computer network, the service requested of the threat sensor within the second computer network from a network element of the second computer network. The method may also include emulating the service identified in the request to generate a response to the request, and sending the response to the threat sensor for forwarding to the network element within the second computer network. Furthermore, the method may include analyzing one or more communications between the threat detection system and the network element during emulation of the service requested by the network element to determine whether the network element is a threat to the second network.

First claim

Opening claim text (preview).

We claim:

1. A computer-implemented method comprising: receiving, by a threat detection system of a first computer network, a request for a service forwarded to the threat detection system by a threat sensor sitting on both the first computer network and a second computer network, wherein the threat sensor is a virtual network element that does not provide services in the second computer network, and wherein the service is requested of the threat sensor within the second computer network in an unsolicited request received from a network element of the second computer network, and wherein the network element and the service requested by the network element are identified by the threat sensor and the threat detection system using a combination of identification data including one or more internet protocol (IP) addresses associated with the network element, one or more port numbers associated with the service request, and one or more protocols associated with the communication of the service request; emulating the service identified in the request forwarded from the threat sensor to the threat detection system to generate a response to the request by the threat detection system in the first computer network; sending the response from the threat detection system to the threat sensor, the threat sensor to forward the response generated by the threat detection system to the network element within the second computer network based on the combination of identification data; sending and receiving, by the threat detection system through the threat sensor, one or more communications exchanged with the network element in connection with the emulation of the service by the threat detection system, wherein the threat sensor coordinates the exchange of the one or more communications using the combination of identification data; and analyzing the one or more communications between the threat detection system and the network element during emulation of the service requested by the network element to determine whether the network element is a threat to the second network.

2. The method of claim 1, wherein the threat sensor and the network element are collocated between the first and the second computer networks, and the first computer network and the second computer network are different computer networks isolated from one another.

3. The computer-implemented method of claim 1, further comprising: receiving a request for a second service from a second network element of a third computer network by a second threat sensor sitting between the third network and the second computer network, the second threat sensor encapsulates the request packets with an IP header of the second computer network and forwards a tunneling packet within the second computer network to the threat detection system in the first computer network, wherein the first computer network, the second computer network and the third computer network are different computer networks, and wherein the threat detection system analyzes communications with the threat sensor and the second threat sensor for potential threats to their respective computer networks in parallel.

4. The method of claim 3, wherein the first computer network, the second computer network, and the third computer network are different physical computer networks isolated from one another.

5. The method of claim 3, wherein the second computer network and the third computer network are different logical overlay computer networks deployed within the same physical computer network.

6. The method of claim 1, wherein the threat detection system is executed by a server computer system within the first computer network.

7. The method of claim 1, wherein the network element is determined to be a threat to the second network when the communications exchanged between the threat detection system and the threat sensor during emulation of the services requested by the network element are indicative of one or more of an attempt to distribute malicious network content or an attempt to disrupt a computer network service.

8. An article of manufacture having one or more non-transitory computer readable storage media storing executable instructions thereon which when executed cause a system to perform a method comprising: receiving, by a threat detection system of a first computer network, a request for a service forwarded to the threat detection system by a threat sensor sitting on both the first computer network and a second computer network, wherein the threat sensor is a virtual network element that does not provide services in the second computer network and the service is requested of the threat sensor within the second computer network in an unsolicited request received from a network element of the second computer network, and wherein the network element and the service requested by the network element are identified by the threat sensor and the threat detection system using a combination of identification data including one or more internet protocol (IP) addresses associated with the network element, one or more port numbers associated with the service request, and one or more protocols associated with the communication of the service request; emulating the service identified in the request forwarded from the threat sensor to the threat detection system to generate a response to the request by the threat detection system in the first computer network; sending the response from the threat detection system to the threat sensor, the threat sensor to forward the response generated by the threat detection system to the network element within the second computer network based on the combination of identification data; sending and receiving, by the threat detection system through the threat sensor, one or more communications exchanged with the network element in connection with the emulation of the service by the threat detection system, wherein the threat sensor coordinates the exchange of the one or more communications using the combination of identification data; and analyzing the one or more communications between the threat detection system and the network element during emulation of the service requested by the network element to determine whether the network element is a threat to the second network.

9. The article of manufacture of claim 8, wherein the threat sensor and the network element are collocated between the first and second computer networks, and the first computer network and the second computer network are different computer networks isolated from one another.

10. The article of manufacture of claim 8, further comprising: receiving a request for a second service from a second network element of a third computer network received by a second threat sensor sitting between the third network and the second computer network, the second threat sensor encapsulates the request packets with an IP header of the second computer network and forwards a tunneling packet within the second computer network to the threat detection system in the first computer network, wherein the first computer network, the second computer network and the third computer network are different computer networks, and wherein the threat detection system analyzes communications with the threat sensor and the second threat sensor for potential threats to their respective computer networks in parallel.

11. The article of manufacture of claim 10, wherein the first computer network, the second computer network, and the third computer network are different physical computer networks isolated from one another.

12. The article of manufacture of claim 10, wherein the second computer network and the third compu
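To make the sensor/detection-system split in claims 1, 3 and 7 concrete, here is a small simulation added for this page. It is not code from the patent or from vArmour Networks; the addresses, the two emulated services, the tunnel header fields and the two toy threat indicators (a request flood standing in for "an attempt to disrupt a computer network service", an executable image pushed at the decoy standing in for "an attempt to distribute malicious network content") are all assumptions made for illustration. The threat sensor is a virtual element on the protected network that offers no services of its own, so every request it sees is unsolicited; it encapsulates the request with an outer header, forwards it to the detection system on a separate network, and routes the emulated response back using the (IP address, port, protocol) identification data. One detection system serves two sensors on two different networks and analyses both sets of sessions in one pass.

```python
"""Toy model of distributed threat detection: sensor on the protected network,
service emulation and analysis on a separate network.
Constructed example; not the patent's or vArmour's code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Ident:
    """Identification data named in the claims: IP address, port number, protocol."""
    src_ip: str
    dst_port: int
    proto: str


@dataclass
class Packet:
    """A request as seen on the protected network (constructed)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    payload: bytes


@dataclass
class Tunnel:
    """Request encapsulated with an outer header for transport to the detection
    system (claim 3 style). Field names are assumptions."""
    outer_src: str
    outer_dst: str
    sensor_id: str
    ident: Ident
    inner: Packet


class ThreatSensor:
    """Virtual network element on the protected network. It provides no services,
    so any request addressed to it is unsolicited and is forwarded."""

    def __init__(self, sensor_id, decoy_ip, tunnel_src, tds):
        self.sensor_id, self.decoy_ip, self.tunnel_src, self.tds = sensor_id, decoy_ip, tunnel_src, tds

    def receive(self, pkt):
        if pkt.dst_ip != self.decoy_ip:
            return None  # not addressed to the decoy: the sensor does not intercept real traffic
        ident = Ident(pkt.src_ip, pkt.dst_port, pkt.proto)
        reply = self.tds.handle(Tunnel(self.tunnel_src, self.tds.address, self.sensor_id, ident, pkt))
        # Route the emulated response back to the requesting element using the ident tuple.
        return Packet(self.decoy_ip, ident.src_ip, ident.dst_port, ident.proto, reply)


class ThreatDetectionSystem:
    """Emulates the requested service and keeps one transcript per (sensor, element)."""

    EMULATED = {  # (port, proto) -> canned first response; assumption
        (80, "tcp"): b"HTTP/1.1 200 OK\r\nServer: decoy\r\n\r\n",
        (22, "tcp"): b"SSH-2.0-decoy\r\n",
    }
    FLOOD_THRESHOLD = 20  # requests from one element before we call it disruption; assumption

    def __init__(self, address):
        self.address = address
        self.sessions = defaultdict(list)  # (sensor_id, Ident) -> [(request, response)]

    def handle(self, tun):
        resp = self.EMULATED.get((tun.ident.dst_port, tun.ident.proto), b"")
        self.sessions[(tun.sensor_id, tun.ident)].append((tun.inner.payload, resp))
        return resp

    def analyze(self):
        """Verdict per element across all sensors: ('threat', [reasons]) or ('benign', [])."""
        verdicts = {}
        for key, exchanges in self.sessions.items():
            reasons = []
            if len(exchanges) >= self.FLOOD_THRESHOLD:
                reasons.append("attempt to disrupt a computer network service")
            # A PE image ('MZ') pushed at a decoy that offers no upload is treated as content distribution.
            if any(b"MZ" in req for req, _ in exchanges):
                reasons.append("attempt to distribute malicious content")
            verdicts[key] = ("threat", reasons) if reasons else ("benign", [])
        return verdicts


def simulate():
    """Wire one detection system to sensors on two isolated networks and feed constructed traffic."""
    tds = ThreatDetectionSystem(address="10.0.0.2")                          # first network
    sensor_b = ThreatSensor("sensor-B", "192.168.1.50", "10.0.0.11", tds)    # second network
    sensor_c = ThreatSensor("sensor-C", "172.16.5.50", "10.0.0.12", tds)     # third network
    # One probe of the decoy's web service: recorded, but no indicator fires.
    sensor_b.receive(Packet("192.168.1.20", "192.168.1.50", 80, "tcp", b"GET / HTTP/1.1\r\n\r\n"))
    # A host hammering the decoy's SSH emulation.
    for _ in range(25):
        sensor_b.receive(Packet("192.168.1.77", "192.168.1.50", 22, "tcp", b"SSH-2.0-x\r\n"))
    # A host on the third network pushing an executable image at the decoy.
    sensor_c.receive(Packet("172.16.5.9", "172.16.5.50", 80, "tcp",
                            b"PUT /u HTTP/1.1\r\nContent-Length: 4\r\n\r\nMZ\x90\x00"))
    return tds.analyze()


if __name__ == "__main__":
    for (sensor, ident), verdict in simulate().items():
        print(sensor, ident, verdict)
```

The point to take from the model is the division of labour: the sensor never runs a real service and never decides anything; it only maps responses back to the right element. Replacing the canned responses with a fuller emulator, or the two heuristics with richer ones, changes nothing on the sensor side.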

Assignees

Inventors

Classifications

  • the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title

  • by monitoring network traffic (monitoring network traffic per se H04L43/00) · CPC title

  • Vulnerability analysis · CPC title

  • using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9621568B2 cover?
A method and apparatus for distributed threat detection in a computer network is described. The method may include receiving, by a threat detection system of a first computer network, a request for a service from a threat sensor of a second computer network, the service requested of the threat sensor within the second computer network from a network element of the second computer network. The m…
Who is the assignee on this patent?
Shieh Choung-Yaw Michael, Varmour Networks Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1408. Mapped technology areas include Electricity.
When was this patent published?
Publication date Apr 11, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).