Identifying threats based on hierarchical classification
US-2015334125-A1 · Nov 19, 2015 · US
US9866576B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9866576-B2 |
| Application number | US-201514690302-A |
| Country | US |
| Kind code | B2 |
| Filing date | Apr 17, 2015 |
| Priority date | Apr 17, 2015 |
| Publication date | Jan 9, 2018 |
| Grant date | Jan 9, 2018 |
Official abstract text for this publication.
A packet-filtering device may receive packet-filtering rules configured to cause the packet-filtering device to identify packets corresponding to network-threat indicators. The packet-filtering device may receive packets and, for each packet, may determine that the packet corresponds to criteria specified by a packet-filtering rule. The criteria may correspond to one or more of the network-threat indicators. The packet-filtering device may apply an operator specified by the packet-filtering rule. The operator may be configured to cause the packet-filtering device to either prevent the packet from continuing toward its destination or allow the packet to continue toward its destination. The packet-filtering device may generate a log entry comprising information from the packet-filtering rule that identifies the one or more network-threat indicators and indicating whether the packet-filtering device prevented the packet from continuing toward its destination or allowed the packet to continue toward its destination.
Opening claim text (preview).
What is claimed is:

1. A method comprising: receiving, by a packet-filtering device, a plurality of packet-filtering rules configured to cause the packet-filtering device to identify packets corresponding to at least one of a plurality of network-threat indicators; receiving, by the packet-filtering device, a plurality of packets, wherein the plurality of packets comprises a first packet and a second packet; responsive to a determination by the packet-filtering device that the first packet corresponds to one or more criteria, specified by a packet-filtering rule of the plurality of packet-filtering rules, that correspond to one or more network-threat indicators of the plurality of network-threat indicators: applying, by the packet-filtering device and to the first packet, an operator specified by the packet-filtering rule and configured to cause the packet-filtering device to either prevent the first packet from continuing toward a destination of the first packet or allow the first packet to continue toward the destination of the first packet; generating, by the packet-filtering device, a packet-log entry comprising information from the packet-filtering rule that identifies the one or more network-threat indicators of the first packet and indicating whether the packet-filtering device prevented the first packet from continuing toward the destination of the first packet or allowed the packet to continue toward the destination of the first packet; generating, by the packet-filtering device and based on the packet-log entry, data indicating whether the packet-filtering device prevented the first packet from continuing toward the destination of the first packet or allowed the first packet to continue toward the destination of the first packet; communicating, by the packet-filtering device and to a user device, the data; and causing, based on the communicated data and in an interface, display of the data indicating whether the packet-filtering device prevented the first packet from continuing toward the destination of the first packet or allowed the first packet to continue toward the destination of the first packet; and determining an ordering of a plurality of network threats; wherein a first network threat of the plurality of network threats corresponds to a first packet-filtering rule, the first packet-filtering rule based on one or more network-threat indicators included in a first portion of the plurality of network-threat-intelligence reports; a second network threat of the plurality of network threats corresponds to a second packet-filtering rule, the second packet-filtering rule based on one or more network-threat indicators included in a second portion of the plurality of network-threat-intelligence reports, and determining the ordering comprises determining an order of the first network threat relative to the second network threat based on a determination of whether the first portion of the plurality of network-threat-intelligence reports was received from a greater number of the one or more network-threat-intelligence providers than the second portion of the plurality of network-threat-intelligence reports.

2. The method of claim 1, wherein both the first packet and the second packet correspond to one or more particular criteria, specified by a particular packet-filtering rule of the plurality of packet-filtering rules, that correspond to one or more particular network-threat indicators of the plurality of network-threat indicators, the method further comprising: responsive to a determination by the packet-filtering device that the first packet corresponds to the one or more particular criteria, allowing, by the packet-filtering device, the first packet to continue toward the destination of the first packet; and responsive to a determination by the packet-filtering device that the second packet corresponds to the one or more particular criteria, preventing, by the packet-filtering device, the second packet from continuing toward the destination of the second packet.

3. The method of claim 2, further comprising modifying, by the packet-filtering device, after the determination by the packet-filtering device that the first packet corresponds to the one or more particular criteria, before the determination by the packet-filtering device that the second packet corresponds to the one or more particular criteria, and responsive to an instruction received from the user device, an operator specified by the particular packet-filtering rule to reconfigure the packet-filtering device to prevent further packets corresponding to the one or more particular criteria from continuing toward respective destinations of the further packets.

4. The method of claim 2, wherein: the packet-filtering device is located at a boundary between a first network and a second network; both the first packet and the second packet are received from a common host in the first network and destined for a common host in the second network; the determination by the packet-filtering device that the first packet corresponds to the one or more particular criteria comprises a determination that the first packet was received from the common host in the first network; the determination by the packet-filtering device that the second packet corresponds to the one or more particular criteria comprises a determination that the second packet was received from the common host in the first network; allowing the first packet to continue toward the destination of the first packet comprises allowing the first packet to continue toward the common host in the second network; and preventing the second packet from continuing toward the destination of the second packet comprises preventing the second packet from continuing toward the common host in the second network.

5. The method of claim 2, wherein: the packet-filtering device is located at a boundary between a first network and a second network; both the first packet and the second packet are received from a common host in the first network; the first packet is destined for a first host in the second network; the second packet is destined for a second host in the second network; the determination by the packet-filtering device that the first packet corresponds to the one or more particular criteria comprises a determination that the first packet was received from the common host; the determination by the packet-filtering device that the second packet corresponds to the one or more particular criteria comprises a determination that the second packet was received from the common host; allowing the first packet to continue toward the destination of the first packet comprises allowing the first packet to continue toward the first host; and preventing the second packet from continuing toward the destination of the second packet comprises preventing the second packet from continuing toward the second host.

6. The method of claim 2, wherein: the packet-filtering device is located at a boundary between a first network and a second network; both the first packet and the second packet are destined for a common host in the first network; the first packet is received from a first host in the second network; the second packet is received from a second host in the second network; the determination by the packet-filtering device that the first packet corresponds to the one or more particular criteria comprises a determination that the first packet is destined for the common host; the determination by the packet-filtering device that the second packet corresponds to the one or more particular criteria comprises a determination that the second packet is destined for the common host; allowing the first packet to continue toward the destination of the first packet comprise
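The mechanism the abstract and claims describe (rules built from threat indicators, a block/allow operator applied per packet, a log entry naming the indicator and the action, an operator change on instruction from the user device as in claim 3, and the claim 1 ordering of threats by how many providers reported the indicator) as an added worked example. This is not the patent's or the applicant's code: the REPORTS feed, the IP addresses, CIDR block and domain, and the class and function names are constructed for illustration.

```python
"""Threat-indicator packet filter: rules from intel reports, block/allow operator,
per-match log entries, and threat ordering by number of reporting providers.
Added example with constructed data; not the patent's implementation."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed threat-intelligence reports: provider name -> indicators it reported.
# Indicators are single IPs, CIDR blocks, or domain names (hypothetical values).
REPORTS = {
    "provider-a": {"203.0.113.7", "198.51.100.0/24", "evil.example"},
    "provider-b": {"203.0.113.7", "evil.example"},
    "provider-c": {"203.0.113.7"},
}


@dataclass
class Packet:
    src: str
    dst: str
    host: str = ""  # HTTP Host / TLS SNI when known; empty otherwise


@dataclass
class LogEntry:
    indicator: str        # which network-threat indicator the matching rule carries
    providers: frozenset  # who reported it (taken from the rule, not the packet)
    action: str           # "blocked" or "allowed"
    src: str
    dst: str


@dataclass
class Rule:
    indicator: str
    operator: str         # "block" or "allow"
    providers: frozenset  # providers whose reports contained this indicator

    def matches(self, pkt: Packet) -> bool:
        """Criteria: an IP/CIDR indicator is checked against src and dst; anything
        that is not an IP literal is treated as a domain and checked against host."""
        try:
            net = ip_network(self.indicator, strict=False)
        except ValueError:
            h = pkt.host.lower()
            return h == self.indicator or h.endswith("." + self.indicator)
        return ip_address(pkt.src) in net or ip_address(pkt.dst) in net


def build_rules(reports, default_operator="allow"):
    """One rule per distinct indicator; keeps the set of providers that reported it."""
    by_indicator = defaultdict(set)
    for provider, indicators in reports.items():
        for ind in indicators:
            by_indicator[ind].add(provider)
    return [Rule(ind, default_operator, frozenset(p)) for ind, p in by_indicator.items()]


def order_threats(rules):
    """Claim 1 ordering: indicators present in reports from more providers rank
    first; ties are broken on indicator text so the order is deterministic."""
    return sorted(rules, key=lambda r: (-len(r.providers), r.indicator))


class PacketFilter:
    def __init__(self, rules):
        self.rules = order_threats(rules)  # evaluate best-corroborated indicators first
        self.log = []

    def set_operator(self, indicator, operator):
        """Claim 3: on instruction from the user device, change a rule's operator
        without touching its criteria, so later matching packets are treated differently."""
        if operator not in ("block", "allow"):
            raise ValueError(f"unknown operator {operator!r}")
        for rule in self.rules:
            if rule.indicator == indicator:
                rule.operator = operator
                return
        raise KeyError(indicator)

    def filter(self, pkt):
        """Return True if the packet may continue toward its destination.
        Packets matching no indicator pass silently; every match is logged."""
        for rule in self.rules:
            if rule.matches(pkt):
                action = "blocked" if rule.operator == "block" else "allowed"
                self.log.append(LogEntry(rule.indicator, rule.providers, action, pkt.src, pkt.dst))
                return action == "allowed"
        return True

    def report(self):
        """Data sent to the user device: (indicator, provider count, action) per log entry."""
        return [(e.indicator, len(e.providers), e.action) for e in self.log]


if __name__ == "__main__":
    pf = PacketFilter(build_rules(REPORTS))
    print(pf.filter(Packet("10.0.0.5", "203.0.113.7")))   # allowed, but logged
    pf.set_operator("203.0.113.7", "block")                # analyst decides to block
    print(pf.filter(Packet("10.0.0.5", "203.0.113.7")))   # same criteria, now blocked
    for row in pf.report():
        print(row)
```

The default operator is "allow" so that a new feed is first observed in the log before anything is blocked; the provider count carried in each log entry is what lets the analyst rank which indicators to promote to "block", which is the ordering claim 1 describes.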
Event detection, e.g. attack signature detection · CPC title
Traffic logging, e.g. anomaly detection · CPC title
Rule management · CPC title
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title
Applying verification of the received information (cryptographic mechanisms or cryptographic arrangements for data integrity or data verification H04L9/32) · CPC title