Targeted attack discovery
US-2016094565-A1 · Mar 31, 2016 · US
Targeted attack discovery
US9954887B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9954887-B2 |
| Application number | US-201615396059-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 30, 2016 |
| Priority date | Sep 29, 2014 |
| Publication date | Apr 24, 2018 |
| Grant date | Apr 24, 2018 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
A device may receive usage information, associated with a group of client networks, including particular usage information associated with a particular client network. The device may receive threat information, associated with the group of client networks, including particular threat information associated with the particular client network. The device may determine a baseline based on the usage information. The device may determine a normalization function, associated with the particular client network, based on the baseline and the particular usage information. The device may determine normalized threat information, associated with the particular client network, based on the normalization function and the particular threat information. The device may determine overall normalized threat information associated with the group of client networks. The device may compare the normalized threat information and the overall normalized threat information. The device may provide information associated with comparing the normalized threat information and the overall normalized threat information.
First claim
Opening claim text (preview).
What is claimed is: 1. A device, comprising: one or more processors to: receive usage information associated with a group of client networks and a same particular time period, the usage information including particular usage information associated with a particular client network of the group of client networks; receive threat information associated with the group of client networks, the threat information including particular threat information associated with the particular client network; determine a usage baseline for the group of client networks over the same particular time period based on respective usage information, of the usage information, over the same particular time period for each client network included in the group of client networks; determine a normalization function, associated with the particular client network, based on the usage baseline for the group of client networks and the particular usage information associated with the particular client network; determine normalized threat information, associated with the particular client network over the same particular time period, based on the normalization function and the particular threat information; determine overall normalized threat information associated with the group of client networks over the same particular time period based on the usage information, where the one or more processors, when determining the overall normalized threat information, are to: determine a group of normalization functions, the group of normalization functions including the normalization function, determine group normalized threat information, associated with the group of client networks, based on the group of normalization functions and the threat information, compute mean normalized threat information based on the group normalized threat information associated with the group of client networks, and determine the overall normalized threat information as a value equal to the mean normalized threat information; and provide a threat assessment associated with the particular client network based on the normalized threat information, associated with the particular client network, and the overall normalized threat information associated with the group of client networks. 2. The device of claim 1 , where the one or more processors, when determining the usage baseline, are to: compute a mean usage metric value, associated with the group of client networks, based on the usage information associated with the group of client networks; and determine the usage baseline as a value equal to the mean usage metric value. 3. The device of claim 1 , where the one or more processors, when determining the normalization function, are to: divide the usage baseline, for the group of client networks, by a usage metric value, associated with the particular client network, to determine a normalization factor based on the usage baseline and the usage metric value associated with the particular client network, the usage metric value being included in the particular usage information, and determine the normalization function based on the normalization factor and the usage metric value. 4. The device of claim 1 , where the threat assessment indicates that the particular client network detected a higher level of malicious activity, during a particular period of time, relative to the group of client networks. 5. The device of claim 1 , where the threat assessment includes information associated with at least one of: a quantity of malicious objects, one or more types of the malicious objects, one or more levels of severity associated with the malicious objects, or one or more attack vectors associated with the malicious objects. 6. The device of claim 1 , where the threat information comprises at least one of: information associated with a port scanning event, information associated with a repeated login failure event, information associated with a blacklisted request, information associated with an exploit signature match, or information associated with an increase in traffic. 7. The device of claim 1 , where the threat assessment includes information associated with a comparison of the normalized threat information, associated with the particular client network, and the overall normalized threat information. 8. A non-transitory computer-readable medium for storing instructions, the instructions comprising: a plurality of instructions which, when executed by one or more processors associated with one or more devices, cause the one or more processors to: receive usage information associated with a group of client networks and a same particular time period, the usage information including particular usage information associated with a particular client network of the group of client networks; receive threat information associated with the group of client networks, the threat information including particular threat information associated with the particular client network; determine a usage baseline for the group of client networks over the same particular time period based on respective usage information, of the usage information, over the same particular time period for each client network included in the group of client networks; determine a normalization function, associated with the particular client network, based on the usage baseline for the group of client networks and the particular usage information associated with the particular client network; determine normalized threat information, associated with the particular client network over the same particular time period, based on the normalization function and the particular threat information; determine overall normalized threat information associated with the group of client networks over the same particular time period based on the usage information, where the plurality of instructions, that cause the one or more processors to determine the overall normalized threat information, cause the one or more processors to: determine a group of normalization functions, the group of normalization functions including the normalization function associated with the particular client network, determine group normalized threat information, associated with the group of client networks, based on the group of normalization functions and the threat information, compute mean normalized threat information based on the group normalized threat information associated with the group of client networks, and determine the overall normalized threat information as a value equal to the mean normalized threat information; and provide a threat assessment associated with the particular client network based on the normalized threat information, associated with the particular client network, and the overall normalized threat information associated with the group of client networks. 9. The non-transitory computer-readable medium of claim 8 , where the plurality of instructions, that cause the one or more processors to determine the usage baseline, cause the one or more processors to: compute a mean usage metric value, associated with the group of client networks, based on the usage information associated with the group of client networks; and determine the usage baseline as a value equal to the mean usage metric value. 10. The non-transitory computer-readable medium of claim 8 , where the plurality of instructions, that cause the one or more processors to determine the normalization function, cause the one or more processors to: divide the usage baseline, for the group of client networks, by a usage metric value, associated with the particular client network, to determine a normalization facto
Assignees
Inventors
Classifications
Assessing vulnerabilities and evaluating computer system security · CPC title
- H04L63/1433Primary
Vulnerability analysis · CPC title
the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title
Traffic logging, e.g. anomaly detection · CPC title
- G06F21/56Primary
Computer malware detection or handling, e.g. anti-virus arrangements · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US9954887B2 cover?
- A device may receive usage information, associated with a group of client networks, including particular usage information associated with a particular client network. The device may receive threat information, associated with the group of client networks, including particular threat information associated with the particular client network. The device may determine a baseline based on the usag…
- Who is the assignee on this patent?
- Juniper Networks Inc
- What technology area does this patent fall under?
- Primary CPC classification H04L63/1433. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue Apr 24 2018 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).