CPC H04L 69/22 (2013.01) [H04L 43/026 (2013.01); H04L 43/04 (2013.01); H04L 43/12 (2013.01); H04L 45/745 (2013.01); H04L 47/2483 (2013.01); H04L 47/32 (2013.01); H04L 61/2567 (2013.01); H04L 63/0263 (2013.01); H04L 43/087 (2013.01); H04L 43/106 (2013.01); H04L 43/16 (2013.01)]
36 Claims
1. A method comprising:
receiving a rule configured to cause generation of one or more log entries upon receipt of one or more packets that satisfy predefined criteria, wherein the predefined criteria include one or more of:
network-layer information,
transport-layer information, and
application-layer information;
identifying a first plurality of packets received, by a first network entity, from a first host in a first network;
generating, based on the rule, one or more first log entries corresponding to the first plurality of packets received by the first network entity;
identifying a second plurality of packets transmitted, by a second network entity, to a second host in a second network;
generating, based on the rule, one or more second log entries corresponding to the second plurality of packets transmitted by the second network entity;
correlating one or more packets of the first plurality of packets with one or more packets of the second plurality of packets by comparing the one or more first log entries with the one or more second log entries based on one or more of:
an ingress identifier,
an egress identifier,
network-layer information,
transport-layer information, and
application-layer information;
determining, based on the correlating, that either or both of the first host and the second host are associated with a malicious entity;
generating, based on the determining that either or both of the first host and the second host are associated with the malicious entity, one or more new rules configured to perform an action on packets transmitted by either or both of the first host and the second host; and
provisioning one or more packet-filtering devices with the one or more new rules.
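A worked version of the claimed pipeline, as added example code that is not part of the patent: log entries generated at an ingress and an egress network entity are correlated across a NAT boundary (where source addresses differ on the two sides), a correlated flow touching a known-malicious host yields new block rules for both hosts, and the rules are provisioned to packet-filtering devices. The dict-based packet and log format, the SNI field used for correlation, the threat-indicator set and the device identifiers are all constructed assumptions.

```python
# Log rule: record every packet matching all listed criteria (transport-layer here).
LOG_RULE = {"proto": "tcp", "dst_port": 443}
# Constructed threat-indicator set (placeholder, RFC 5737 address).
MALICIOUS_HOSTS = {"203.0.113.7"}
# Constructed packets. The ingress entity receives them from inside hosts; the
# egress entity transmits them after NAT rewrote the source to 198.51.100.2,
# so source addresses alone cannot be matched across the two log sets.
INGRESS_PKTS = [
    {"ts": 10.0, "proto": "tcp", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7", "dst_port": 443, "sni": "update.example"},
    {"ts": 10.2, "proto": "udp", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7", "dst_port": 53, "sni": None},
    {"ts": 11.0, "proto": "tcp", "src_ip": "10.0.0.9", "dst_ip": "192.0.2.10", "dst_port": 443, "sni": "cdn.example"},
]
EGRESS_PKTS = [
    {"ts": 10.1, "proto": "tcp", "src_ip": "198.51.100.2", "dst_ip": "203.0.113.7", "dst_port": 443, "sni": "update.example"},
    {"ts": 11.1, "proto": "tcp", "src_ip": "198.51.100.2", "dst_ip": "192.0.2.10", "dst_port": 443, "sni": "cdn.example"},
]

def log_entries(rule, pkts, entity_id):
    """One entry per packet satisfying the rule, tagged with the ingress/egress identifier."""
    return [dict(p, entity=entity_id) for p in pkts
            if all(p.get(k) == v for k, v in rule.items())]

def correlate(ingress_logs, egress_logs, window=1.0):
    """Pair entries with equal destination, port and TLS SNI seen within `window`
    seconds: the same flow observed on both sides of the NAT."""
    key = lambda e: (e["dst_ip"], e["dst_port"], e["sni"])
    return [(a, b) for a in ingress_logs for b in egress_logs
            if key(a) == key(b) and abs(a["ts"] - b["ts"]) <= window]

def derive_rules(pairs, malicious):
    """Emit block rules for both hosts of any correlated flow that touches a malicious host."""
    rules = []
    for a, b in pairs:
        if a["src_ip"] in malicious or b["dst_ip"] in malicious:
            for host in (a["src_ip"], b["dst_ip"]):
                rule = {"action": "block", "src_ip": host}
                if rule not in rules:
                    rules.append(rule)
    return rules

def provision(devices, rules):
    """Distribute the new rules to every packet-filtering device (hypothetical ids)."""
    return {dev: list(rules) for dev in devices}

def run_pipeline():
    ingress = log_entries(LOG_RULE, INGRESS_PKTS, "ingress-1")
    egress = log_entries(LOG_RULE, EGRESS_PKTS, "egress-1")
    rules = derive_rules(correlate(ingress, egress), MALICIOUS_HOSTS)
    return rules, provision(["pfd-a", "pfd-b"], rules)
```

The benign flow to 192.0.2.10 correlates but produces no rule, and the UDP packet never becomes a log entry because it fails the rule's transport-layer criteria.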