Network traffic analysis to enhance rule-based network security

US9660959B2 · US · B2

Patent metadata
Publication number: US-9660959-B2
Application number: US-201414448705-A
Country: US
Kind code: B2
Filing date: Jul 31, 2014
Priority date: Jul 31, 2013
Publication date: May 23, 2017
Grant date: May 23, 2017

Abstract

Official abstract text for this publication.

A method of interpreting a rule and a rule-interpreting apparatus for a rule-based security apparatus, and an apparatus implementing the method. The method includes the following steps: designating a suspicious timeslot; if no packet is present in the designated timeslot, capturing current incoming packets or capturing other incoming packets in the designated timeslot next time; automatically associating the packets in the designated timeslot to form at least one traffic flow corresponding to a connection or call; analyzing the at least one traffic flow to select at least one suspicious target traffic flow; and outputting the at least one selected suspicious target flow.

First claim

Opening claim text (preview).

What is claimed is:

1. A method of capturing packets applied to a rule-based security apparatus operatively coupled between an external network and an internal network resource and configured to guard against network threats, comprising steps of: designating a suspicious timeslot based on certain abnormal network behaviors in a certain timeslot; responsive to designating the suspicious timeslot, collecting network packets in the designated suspicious timeslot; automatically associating the network packets in the designated suspicious timeslot to form at least one traffic flow comprising the network packets collected in the designated suspicious timeslot and corresponding to a connection to the external network; analyzing the at least one traffic flow to select at least one suspicious target traffic flow comprising at least some of the network packets of the at least one traffic flow by matching the at least one traffic flow with a known pattern group of existing threats to select the at least one suspicious target traffic flow; outputting the at least one selected suspicious target traffic flow to a rule generating module that generates a rule based on the at least one selected suspicious target traffic flow comprising the at least some of the network packets of the at least one traffic flow, wherein the rule generating module generates the rule by comparing known patterns with at least one suspicious target traffic flow received from the external network to identify at least one pattern matching the at least one suspicious target traffic flow and converting the at least one matched pattern matching the at least one suspicious target traffic flow into the rule; applying the rule to the rule-based security apparatus to adopt a protection measure against the at least one suspicious target traffic flow originating from the external network; and blocking at least one packet received from the external network by the rule-based security apparatus using the rule; wherein a detailed extent for analyzing the at least one traffic flow is set according to a requirement, wherein analyzing the at least one traffic flow comprises analyzing, for the network packets in the at least one traffic flow, at least one of an IP layer protocol, a TCP layer protocol or a data format, and wherein the designation of the suspicious timeslot and the selection of the at least one suspicious target traffic flow is determined by a security information and event management (SIEM) technology.

2. The method according to claim 1, wherein the at least one analyzed traffic flow is filtered to select the at least one suspicious target traffic flow according to a predetermined principle or strategy.

3. A method of generating a rule and applying the rule to a rule-based security apparatus operatively coupled between an external network and an internal network resource and configured to guard against network threats, comprising steps of: designating a suspicious timeslot based on certain abnormal network behaviors in a certain timeslot; responsive to designating the suspicious timeslot, collecting network packets in the designated suspicious timeslot; automatically associating the network packets in the designated suspicious timeslot to form at least one traffic flow comprising the network packets collected in the designated suspicious timeslot and corresponding to a connection to the external network; analyzing the at least one traffic flow to select at least one suspicious target traffic flow comprising at least some of the network packets of the at least one traffic flow by matching the at least one traffic flow with a known pattern group of existing threats to select the at least one suspicious target traffic flow; outputting the at least one selected suspicious target traffic flow to a rule generating module that generates a rule based on the at least one selected suspicious target traffic flow comprising the at least some of the network packets of the at least one traffic flow, wherein the rule generating module generates the rule by comparing known patterns with the at least one suspicious target traffic flow received from the external network to identify at least one pattern matching the at least one suspicious target traffic flow and converting the at least one matched pattern matching the at least one suspicious target traffic flow into the rule; applying the rule to the rule-based security apparatus to adopt a protection measure against the at least one suspicious target traffic flow originating from the external network; and blocking at least one packet received from the external network by the rule-based security apparatus using the rule; wherein a detailed extent for analyzing the at least one traffic flow is set according to a requirement, wherein analyzing the at least one traffic flow comprises analyzing, for the network packets in the at least one traffic flow, at least one of an IP layer protocol, a TCP layer protocol or a data format, and wherein the designation of the suspicious timeslot and the selection of the at least one suspicious target traffic flow is determined by a security information and event management (SIEM) technology.

4. An information appliance, comprising a bus; a memory connected to the bus, wherein the memory comprises a set of instructions; and a processing unit connected to the bus, wherein the processing unit is configured to execute the set of instructions to perform a method of capturing packets applied to a rule-based security apparatus operatively coupled between an external network and an internal network resource and configured to guard against network threats, comprising steps of: designating a suspicious timeslot based on certain abnormal network behaviors in a certain timeslot; responsive to designating the suspicious timeslot, collecting network packets in the designated suspicious timeslot; automatically associating the network packets in the designated suspicious timeslot to form at least one traffic flow comprising the network packets collected in the designated suspicious timeslot and corresponding to a connection to the external network; analyzing the at least one traffic flow to select at least one suspicious target traffic flow comprising at least some of the network packets of the at least one traffic flow by matching the at least one traffic flow with a known pattern group of existing threats to select the at least one suspicious target traffic flow; outputting the at least one selected suspicious target traffic flow to a rule generating module that generates a rule based on the at least one selected suspicious target traffic flow comprising the at least some of the network packets of the at least one traffic flow, wherein the rule generating module generates the rule by comparing known patterns with at least one suspicious target traffic flow received from the external network to identify at least one pattern matching the at least one suspicious target traffic flow and converting the at least one matched pattern matching the at least one suspicious target traffic flow into the rule; applying the rule to the rule-based security apparatus to adopt a protection measure against the at least one suspicious target traffic flow originating from the external network; and blocking at least one packet received from the external network by the rule-based security apparatus using the rule; wherein a detailed extent for analyzing the at least one traffic flow is set according to a requirement, wherein analyzing the at least one traffic flow comprises analyzing, for the network packets in the at least one traffic flow, at least one of an IP layer protocol, a TCP layer protocol or a data format, and wherein the designation of the suspicious timeslot and the selection of the at least one suspicious target traffic flow i
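The claimed pipeline (collect packets from a suspicious timeslot, associate them into flows, match flows against a known pattern group, convert the match into a rule, apply the rule to block packets) as an added toy implementation; this is example code, not IBM's or the patent's own, and the packets, the single "telnet-login" pattern, the 10.0.0.0/24 internal prefix and the rule format are all constructed assumptions:

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: float  # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

# Constructed sample capture: a benign HTTP exchange, an external Telnet login, one late packet.
PACKETS = [
    Packet(100.0, "203.0.113.5", 40000, "10.0.0.7", 80, b"GET / HTTP/1.1\r\n"),
    Packet(100.2, "10.0.0.7", 80, "203.0.113.5", 40000, b"HTTP/1.1 200 OK\r\n"),
    Packet(101.0, "198.51.100.9", 5555, "10.0.0.7", 23, b"\xff\xfb\x01login: "),
    Packet(101.1, "198.51.100.9", 5555, "10.0.0.7", 23, b"root\r\n"),
    Packet(150.0, "198.51.100.9", 5556, "10.0.0.7", 23, b"root\r\n"),
]
# Constructed "known pattern group": pattern name -> predicate over a flow's packets.
PATTERNS = {
    "telnet-login": lambda pkts: pkts[0].dport == 23
    and any(b"login" in p.payload for p in pkts),
}

def flows_in_timeslot(packets, start, end):
    """Associate packets captured in [start, end) into flows. Both directions
    of a connection share one key; packets are kept in time order."""
    flows = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        if start <= p.ts < end:
            flows[tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))].append(p)
    return dict(flows)

def select_suspicious(flows, patterns, internal="10.0.0."):
    """Return (first packet, pattern name) for externally initiated flows
    that match a known pattern (the claim's 'suspicious target traffic flow')."""
    return [(pkts[0], name) for pkts in flows.values()
            for name, match in patterns.items()
            if not pkts[0].src.startswith(internal) and match(pkts)]

def generate_rule(first, name):
    """Convert a matched pattern into a block rule for the security apparatus."""
    return {"pattern": name, "block_src": first.src, "dport": first.dport}

def apply_rules(rules, packets):
    """Packets the apparatus lets through after blocking matches against the rules."""
    return [p for p in packets if not any(
        p.src == r["block_src"] and p.dport == r["dport"] for r in rules)]
```

Note that the generated rule keys on source address and destination port rather than the full 5-tuple, so it also blocks the later packet from the same source on a new ephemeral port, which is the point of turning a matched flow into a rule rather than a one-off drop.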

Classifications

  • Rule management · CPC title

  • for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

  • Stateful filtering · CPC title

  • Traffic logging, e.g. anomaly detection · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
IBM
What technology area does this patent fall under?
Primary CPC classification H04L63/0263. Mapped technology areas include Electricity.
When was this patent published?
Publication date May 23, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).