US 12,218,959 B2
Efficient threat context-aware packet filtering for network protection
Sean Moore, Hollis, NH (US); Jonathan R. Rogers, Hampton Falls, NH (US); Vincent Mutolo, Portsmouth, NH (US); and Peter P. Geremia, Portsmouth, NH (US)
Assigned to Centripetal Networks, LLC, Portsmouth, NH (US)
Filed by Centripetal Networks, LLC, Portsmouth, NH (US)
Filed on Oct. 13, 2023, as Appl. No. 18/380,016.
Application 18/380,016 is a continuation of application No. 18/084,366, filed on Dec. 19, 2022, granted, now 11,824,875.
Application 18/084,366 is a continuation of application No. 17/866,208, filed on Jul. 15, 2022, granted, now 11,552,970, issued on Jan. 10, 2023.
Application 17/866,208 is a continuation of application No. 17/695,047, filed on Mar. 15, 2022, granted, now 11,444,963, issued on Sep. 13, 2022.
Application 17/695,047 is a continuation of application No. 17/508,596, filed on Oct. 22, 2021, granted, now 11,316,876, issued on Apr. 26, 2022.
Application 17/508,596 is a continuation of application No. 17/235,544, filed on Apr. 20, 2021, granted, now 11,159,546, issued on Oct. 26, 2021.
Prior Publication US 2024/0154977 A1, May 9, 2024
Int. Cl. H04L 29/06 (2006.01); H04L 9/40 (2022.01)
CPC H04L 63/1416 (2013.01) [H04L 63/0245 (2013.01); H04L 63/1425 (2013.01); H04L 63/1466 (2013.01); H04L 63/166 (2013.01)] 30 Claims
OG exemplary drawing
 
1. A packet-filtering appliance comprising:
    one or more processors; and
    memory storing instructions that, when executed by the one or more processors, cause the packet-filtering appliance to:
        receive a plurality of packet-filtering rules each indicating one or more packet-matching criteria and one or more actions to be performed, wherein:
            the packet-filtering rules were generated based on a plurality of threat indicators that were previously determined based on a plurality of cyber threat intelligence reports from one or more cyber threat intelligence providers, wherein the plurality of cyber threat intelligence reports comprises the plurality of threat indicators, and wherein the plurality of threat indicators comprises a plurality of network addresses, and
            a first packet-filtering rule, of the plurality of packet-filtering rules, indicates a first directive and is associated with a disposition that is to be determined after an in-transit packet matching first one or more packet-matching criteria of the first packet-filtering rule is received;
        receive, from a first network and at a first time, a first in-transit packet destined to at least one location in a second network;
        based on determining that the first in-transit packet matches the first one or more packet-matching criteria of the first packet-filtering rule:
            determine first threat context information associated with receipt of the first in-transit packet by the packet-filtering appliance;
            determine, based on the first threat context information, a first disposition;
            selectively apply, based on the first disposition and to the first in-transit packet, the first directive of the first packet-filtering rule; and
            apply the first disposition to the first in-transit packet;
        receive, from the first network and at a second time, a second in-transit packet destined to at least one location in the second network; and
        based on determining that the second in-transit packet matches the first one or more packet-matching criteria of the first packet-filtering rule:
            determine second threat context information associated with receipt of the second in-transit packet by the packet-filtering appliance, wherein the second threat context information has at least one value different from the first threat context information;
            determine, based on the second threat context information and independently from the determining the first disposition, a second disposition different from the first disposition; and
            selectively apply, based on the second disposition and to the second in-transit packet, the first directive of the first packet-filtering rule; and
            apply the second disposition to the second in-transit packet.
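The claimed behaviour, as an added illustration that is not the patent's text or Centripetal's code: one rule whose matching criteria come from threat-indicator network addresses, whose directive ("log") is fixed, and whose disposition is left undetermined until a matching packet arrives. The threat context here is assumed to be the receipt time plus the number of recent matches from the same source within a window; the policy that maps context to a disposition is likewise assumed, and the indicator network and addresses are constructed sample values.

```python
from collections import deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ts: float  # receipt time in seconds (part of the threat context)

@dataclass
class Rule:
    criteria: tuple            # destination networks derived from threat indicators
    directive: str             # action the rule carries, e.g. "log"
    disposition: Optional[str] = None  # None: decided per packet from threat context

class Appliance:
    """Same rule, same directive, but a disposition computed at receipt time."""
    def __init__(self, rules, window=60.0, threshold=3):
        self.rules, self.window, self.threshold = rules, window, threshold
        self.recent = deque()  # (ts, src) of recent rule matches

    def matches(self, rule, pkt):
        dst = ip_address(pkt.dst)
        return any(dst in ip_network(net) for net in rule.criteria)

    def threat_context(self, pkt):
        # Drop matches older than the window, then count prior matches from this source.
        while self.recent and pkt.ts - self.recent[0][0] > self.window:
            self.recent.popleft()
        prior = sum(1 for _, src in self.recent if src == pkt.src)
        return {"ts": pkt.ts, "prior_matches": prior}

    def decide(self, ctx):
        # Assumed policy: tolerate isolated contacts with an indicator, block a burst.
        return "block" if ctx["prior_matches"] >= self.threshold else "allow"

    def filter(self, pkt):
        for rule in self.rules:
            if not self.matches(rule, pkt):
                continue
            ctx = self.threat_context(pkt)
            self.recent.append((pkt.ts, pkt.src))
            disposition = rule.disposition or self.decide(ctx)
            # The directive is applied selectively: only forwarded packets get logged.
            applied = [rule.directive] if disposition == "allow" else []
            return disposition, applied, ctx
        return "allow", [], {}
```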