CPC H04L 63/1425 (2013.01) [H04L 63/0227 (2013.01); H04L 63/0236 (2013.01); H04L 63/0263 (2013.01); H04L 63/12 (2013.01); H04L 63/1416 (2013.01); H04L 63/1441 (2013.01); H04L 43/028 (2013.01)] | 60 Claims |
1. A method configured to minimize latency between when a packet corresponding to a network threat crosses a boundary between a protected network and an unprotected network and when the network threat is included in an ordered list of network threats, the method comprising:
receiving, by a packet-filtering device providing an interface across the boundary and from a second device, a plurality of packet-filtering rules to be applied, by the packet-filtering device, to all network traffic traversing the boundary, wherein the plurality of packet-filtering rules were generated based on a plurality of network-threat-intelligence reports supplied by a plurality of independent network-threat-intelligence providers, wherein each network-threat-intelligence report comprises one or more network threat indicators each comprising at least one respective network address that has been previously determined, by one or more of the plurality of independent network-threat-intelligence providers, to be associated with a potential network threat, and wherein a first packet-filtering rule of the plurality of packet-filtering rules specifies one or more first packet-matching criteria corresponding to one or more first network-threat indicators associated with a first potential network threat;
receiving a first packet crossing the boundary between the protected network and the unprotected network;
filtering the first packet based on comparing the first packet to packet-matching criteria specified by the plurality of packet-filtering rules, wherein filtering the first packet comprises determining that the first packet corresponds to the one or more first network-threat indicators associated with the first potential network threat;
responsive to a determination that the filtered first packet matches the first packet-matching criteria of the first packet-filtering rule, and when the filtered first packet corresponding to the first potential network threat is filtered by the packet-filtering device, generating:
a first log entry corresponding to the first potential network threat, and
a first score for the first potential network threat based on information associated with the first potential network threat;
sending, to the second device, the first log entry;
causing the first log entry to be added to the ordered list of network threats, wherein an ordering of the ordered list of network threats is determined based on the first score for the first potential network threat;
receiving, from the second device, an update configured to cause the packet-filtering device to reconfigure the first packet-filtering rule to affect scoring of network threats associated with the first packet-filtering rule;
receiving a second packet crossing the boundary between the protected network and the unprotected network;
filtering the second packet based on the reconfigured first packet-filtering rule, wherein filtering the second packet comprises determining that the second packet corresponds to the one or more first network-threat indicators associated with the first potential network threat;
generating, based on the filtering the second packet and based on the reconfigured first packet-filtering rule:
a second log entry corresponding to the first potential network threat, and
a second score for the first potential network threat different from the first score;
causing a modification to the ordering of the ordered list of network threats based on the first score and the second score; and
causing display of the ordered list of network threats.
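The steps of claim 1 read as a pipeline: rules derived from several providers' indicator reports, a match that yields both a log entry and a score, an ordered threat list driven by that score, and a rule update from the second device that changes how later matches of the same rule are scored. The following Python is an added illustration of that pipeline written for this page; it is not the patentee's code, and the scoring formula (corroborating-provider count times a direction factor times a per-rule weight), the provider names, the indicators, the packets and the "latest score wins" ordering are all constructed assumptions.

```python
# Added example (not the patent's implementation): a toy packet-filtering
# device that applies rules built from several TI providers' indicator
# reports, logs and scores each match, keeps a score-ordered threat list,
# and accepts a rule update that changes how later matches are scored.
# Providers, indicators, packets, weights and the scoring formula are
# constructed for illustration.
from dataclasses import dataclass
import ipaddress


@dataclass
class Rule:
    rule_id: str
    network: ipaddress.IPv4Network   # indicator: single address or CIDR block
    providers: frozenset             # independent providers that reported it
    weight: float = 1.0              # reconfigurable factor affecting scoring


@dataclass
class LogEntry:
    seq: int
    rule_id: str
    src: str
    dst: str
    score: float


def build_rules(reports):
    """Merge {provider: [indicator, ...]} into one rule per indicator,
    recording which providers corroborate that indicator."""
    corroboration = {}
    for provider, indicators in reports.items():
        for ind in indicators:
            net = ipaddress.ip_network(ind, strict=False)
            corroboration.setdefault(net, set()).add(provider)
    return [Rule(f"R-{net}", net, frozenset(p))
            for net, p in sorted(corroboration.items(), key=lambda kv: str(kv[0]))]


class PacketFilter:
    def __init__(self, rules, send):
        self.rules = {r.rule_id: r for r in rules}
        self.send = send      # delivers each log entry to the "second device"
        self.seq = 0
        self.latest = {}      # rule_id -> score of the most recent match

    def reconfigure(self, rule_id, weight):
        """Update from the second device: change scoring for one rule."""
        self.rules[rule_id].weight = weight

    def score(self, rule, packet):
        # Assumed formula: more independent providers -> more confidence;
        # traffic *to* the indicator (e.g. beaconing out) outranks traffic
        # *from* it; the per-rule weight is what the update adjusts.
        corroboration = len(rule.providers)
        outbound = ipaddress.ip_address(packet["dst"]) in rule.network
        direction = 2.0 if outbound else 1.0
        return corroboration * direction * rule.weight

    def filter(self, packet):
        """Return a LogEntry if the packet matches a rule, else None."""
        src = ipaddress.ip_address(packet["src"])
        dst = ipaddress.ip_address(packet["dst"])
        for rule in self.rules.values():
            if src in rule.network or dst in rule.network:
                self.seq += 1
                entry = LogEntry(self.seq, rule.rule_id, packet["src"],
                                 packet["dst"], self.score(rule, packet))
                self.latest[rule.rule_id] = entry.score
                self.send(entry)
                return entry
        return None

    def ordered_threats(self):
        """Threat list ordered by latest score, highest first (ties by id)."""
        return sorted(self.latest.items(), key=lambda kv: (-kv[1], kv[0]))


def run_scenario():
    reports = {                    # constructed threat-intelligence reports
        "providerA": ["203.0.113.5", "198.51.100.0/24"],
        "providerB": ["203.0.113.5"],
        "providerC": ["198.51.100.0/24", "192.0.2.9"],
    }
    console = []                   # stands in for the second device
    pf = PacketFilter(build_rules(reports), console.append)

    pf.filter({"src": "10.0.0.4", "dst": "203.0.113.5"})    # outbound to indicator
    pf.filter({"src": "198.51.100.7", "dst": "10.0.0.8"})   # inbound from indicator
    before = pf.ordered_threats()

    # The second device sends an update: de-prioritise 203.0.113.5, so the
    # same rule now yields a lower score for an identical later packet.
    pf.reconfigure("R-203.0.113.5/32", 0.25)
    pf.filter({"src": "10.0.0.4", "dst": "203.0.113.5"})
    after = pf.ordered_threats()
    return before, after, console
```

Running `run_scenario()` shows the reordering the claim describes: the first outbound match scores 4.0 and tops the list, the update drops that rule's weight to 0.25, and the second matching packet scores 1.0, moving the 198.51.100.0/24 threat to the top. Note that the latency argument in the claim depends on the device itself producing the log entry and score at filtering time; a design that forwarded raw packets for offline scoring would add the round trip this method avoids.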