US 11,683,401 B2
Correlating packets in communications networks
David K. Ahn, Winston-Salem, NC (US); Peter P. Geremia, Portsmouth, NH (US); Pierre Mallett, III, Herndon, VA (US); Sean Moore, Hollis, NH (US); and Robert T. Perry, Ashburn, VA (US)
Assigned to Centripetal Networks, LLC, Portsmouth, NH (US)
Filed by Centripetal Networks, LLC, Portsmouth, NH (US)
Filed on Feb. 17, 2021, as Appl. No. 17/177,572.
Application 17/177,572 is a continuation of application No. 16/854,094, filed on Apr. 21, 2020, granted, now 10,931,797, issued on Feb. 23, 2021.
Application 16/854,094 is a continuation of application No. 16/554,293, filed on Aug. 28, 2019, granted, now 10,659,573, issued on May 19, 2020.
Application 16/554,293 is a continuation of application No. 15/413,947, filed on Jan. 24, 2017, granted, now 10,530,903, issued on Jan. 7, 2020.
Application 15/413,947 is a continuation of application No. 14/714,207, filed on May 15, 2015, granted, now 9,560,176, issued on Jan. 31, 2017.
Application 14/714,207 is a continuation of application No. 14/618,967, filed on Feb. 10, 2015, granted, now 9,264,370, issued on Feb. 16, 2016.
Prior Publication US 2021/0203761 A1, Jul. 1, 2021
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 29/06 (2006.01); H04L 69/22 (2022.01); H04L 47/2483 (2022.01); H04L 43/04 (2022.01); H04L 45/745 (2022.01); H04L 61/2567 (2022.01); H04L 47/32 (2022.01); H04L 43/026 (2022.01); H04L 43/12 (2022.01); H04L 9/40 (2022.01); H04L 43/106 (2022.01); H04L 43/16 (2022.01); H04L 43/087 (2022.01)
CPC H04L 69/22 (2013.01) [H04L 43/026 (2013.01); H04L 43/04 (2013.01); H04L 43/12 (2013.01); H04L 45/745 (2013.01); H04L 47/2483 (2013.01); H04L 47/32 (2013.01); H04L 61/2567 (2013.01); H04L 63/0263 (2013.01); H04L 43/087 (2013.01); H04L 43/106 (2013.01); H04L 43/16 (2013.01)] 36 Claims
OG exemplary drawing
1. A method comprising:
receiving a rule configured to cause generation of one or more log entries upon receipt of one or more packets that satisfy predefined criteria, wherein the predefined criteria include one or more of:
network-layer information,
transport-layer information, and
application-layer information;
identifying a first plurality of packets received, by a first network entity, from a first host in a first network;
generating, based on the rule, one or more first log entries corresponding to the first plurality of packets received by the first network entity;
identifying a second plurality of packets transmitted, by a second network entity, to a second host in a second network;
generating, based on the rule, one or more second log entries corresponding to the second plurality of packets transmitted by the second network entity;
correlating one or more packets of the first plurality of packets with one or more packets of the second plurality of packets by comparing the one or more first log entries with the one or more second log entries based on one or more of:
an ingress identifier,
an egress identifier,
network-layer information,
transport-layer information, and
application-layer information;
determining, based on the correlating, that either or both of the first host and the second host are associated with a malicious entity;
generating, based on the determining that either or both of the first host and the second host are associated with the malicious entity, one or more new rules configured to perform an action on packets transmitted by either or both of the first host and the second host; and
provisioning one or more packet-filtering devices with the one or more new rules.
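The claim above reads as a pipeline: a logging rule keyed on network-, transport- and application-layer criteria, log entries generated at an ingress entity and at an egress entity, correlation of those entries, a maliciousness determination, rule generation, and provisioning of packet-filtering devices. The Python below is an added illustration of that pipeline written for this page; it is not the patent's implementation and not Centripetal code. It assumes a NAT or proxy sits between the two entities (so addresses are rewritten and correlation relies on ingress/egress identifiers, transport fields, application-layer hostname and a time window), a hypothetical indicator set of known-bad destinations, and the constructed hosts, interface names and timestamps shown inline.

```python
"""Cross-entity log correlation (added example; assumptions are marked)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    ts: float                       # seconds at which the entity saw the packet
    src: str                        # network-layer information
    dst: str
    proto: str                      # transport-layer information
    dport: int
    app_host: Optional[str] = None  # application-layer information (e.g. TLS SNI)
    iface: str = ""                 # ingress/egress identifier used for correlation


@dataclass
class LogEntry:
    entity: str
    direction: str                  # "ingress" or "egress"
    pkt: Packet


@dataclass
class Rule:
    """Per-layer match criteria; a packet must satisfy every key present."""
    network: dict = field(default_factory=dict)
    transport: dict = field(default_factory=dict)
    application: dict = field(default_factory=dict)
    action: str = "log"

    def matches(self, p: Packet) -> bool:
        fields = {"src": p.src, "dst": p.dst, "proto": p.proto,
                  "dport": p.dport, "app_host": p.app_host}
        return all(fields.get(k) == v
                   for crit in (self.network, self.transport, self.application)
                   for k, v in crit.items())


def generate_log_entries(rule, packets, entity, direction):
    """One log entry per packet that satisfies the rule's criteria."""
    return [LogEntry(entity, direction, p) for p in packets if rule.matches(p)]


def correlate(first, second, ingress_id, egress_id, window=0.5):
    """Pair an ingress entry with an egress entry when the interface identifiers,
    transport fields and application-layer host agree and the egress is seen
    within `window` seconds. Addresses are deliberately not compared because the
    assumed NAT/proxy between the entities rewrites them."""
    pairs = []
    for a in first:
        if a.direction != "ingress" or a.pkt.iface != ingress_id:
            continue
        for b in second:
            if b.direction != "egress" or b.pkt.iface != egress_id:
                continue
            same_flow = (a.pkt.proto == b.pkt.proto and a.pkt.dport == b.pkt.dport
                         and a.pkt.app_host == b.pkt.app_host)
            if same_flow and 0 <= b.pkt.ts - a.pkt.ts <= window:
                pairs.append((a, b))
    return pairs


def determine_malicious(pairs, indicators):
    """If the egress side of a correlated pair reaches a known-bad destination,
    both the originating (first) host and the destination (second) host are
    treated as associated with the malicious entity."""
    flagged = set()
    for a, b in pairs:
        if b.pkt.dst in indicators or b.pkt.app_host in indicators:
            flagged.update({a.pkt.src, b.pkt.dst})
    return flagged


def generate_rules(hosts):
    """New rules that drop packets transmitted by each flagged host."""
    return [Rule(network={"src": h}, action="drop") for h in sorted(hosts)]


def provision(devices, rules):
    for dev in devices:
        dev.setdefault("rules", []).extend(rules)
    return devices


# Constructed sample data (not from the patent): log TCP/443 at both entities.
LOG_RULE = Rule(transport={"proto": "tcp", "dport": 443})
INGRESS = [Packet(100.00, "10.0.0.5", "10.0.0.1", "tcp", 443, "cdn.example", "eth0"),
           Packet(100.10, "10.0.0.7", "10.0.0.1", "tcp", 443, "bad.example", "eth0"),
           Packet(100.20, "10.0.0.9", "10.0.0.1", "udp", 53, None, "eth0")]
EGRESS = [Packet(100.05, "203.0.113.1", "198.51.100.10", "tcp", 443, "cdn.example", "eth1"),
          Packet(100.12, "203.0.113.1", "198.51.100.66", "tcp", 443, "bad.example", "eth1")]
INDICATORS = {"198.51.100.66"}   # hypothetical known-bad destination


def run_pipeline():
    first = generate_log_entries(LOG_RULE, INGRESS, "entity-1", "ingress")
    second = generate_log_entries(LOG_RULE, EGRESS, "entity-2", "egress")
    pairs = correlate(first, second, ingress_id="eth0", egress_id="eth1")
    bad = determine_malicious(pairs, INDICATORS)
    rules = generate_rules(bad)
    devices = provision([{"id": "pf-1"}, {"id": "pf-2"}], rules)
    return pairs, bad, rules, devices


if __name__ == "__main__":
    for p, b, r, d in [run_pipeline()]:
        print(len(p), "correlated pairs; flagged:", sorted(b))
        print("provisioned", [(x["id"], len(x["rules"])) for x in d])
```

The time window and the refusal to compare addresses are the two choices that make the correlation survive a NAT or proxy; tightening the window reduces false pairings when many flows share the same destination port and hostname, which is the main failure mode of this kind of matching.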