US 11,736,440 B2
Methods and systems for efficient adaptive logging of cyber threat incidents
John Fenton, Ashburn, VA (US); Peter Geremia, Portsmouth, NH (US); Richard Goodwin, York, ME (US); Sean Moore, Hollis, NH (US); Vincent Mutolo, Portsmouth, NH (US); Jess P. Parnell, Grayson, GA (US); and Jonathan R. Rogers, Hampton Falls, NH (US)
Assigned to Centripetal Networks, LLC, Portsmouth, NH (US)
Filed by Centripetal Networks, LLC, Portsmouth, NH (US)
Filed on Dec. 5, 2022, as Appl. No. 18/075,121.
Application 18/075,121 is a continuation of application No. 17/838,478, filed on Jun. 13, 2022, granted, now 11,539,664, issued on Dec. 27, 2022.
Application 17/838,478 is a continuation of application No. 17/380,519, filed on Jul. 20, 2021, granted, now 11,362,996, issued on Jun. 14, 2022.
Claims priority of provisional application 63/106,166, filed on Oct. 27, 2020.
Prior Publication US 2023/0095306 A1, Mar. 30, 2023
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/0236 (2013.01) [H04L 63/1425 (2013.01); H04L 63/1458 (2013.01)] 24 Claims
OG exemplary drawing
 
1. A packet-filtering device comprising:
one or more processors; and
memory storing instructions that, when executed by the one or more processors, cause the packet-filtering device to perform:
receiving a plurality of packet-filtering rules configured to cause the packet-filtering device to identify packets corresponding to at least one of a plurality of threat indicators, wherein the plurality of packet-filtering rules was generated based on a plurality of cyber threat intelligence reports from one or more cyber threat intelligence providers, wherein the plurality of cyber threat intelligence reports comprises the plurality of threat indicators, and wherein the plurality of threat indicators comprises a plurality of network addresses;
receiving a first plurality of packets in a first plurality of flows;
based on determining that the first plurality of packets each match at least one of the plurality of packet-filtering rules, determining first flow log data for at least some of the first plurality of flows;
sending the first flow log data;
determining an incident associated with at least some of the first plurality of flows;
receiving a second plurality of packets in a second plurality of flows;
based on determining that the second plurality of packets each match at least one of the plurality of packet-filtering rules and that the second plurality of flows is associated with the incident, determining incident log data associated with at least some of the second plurality of flows;
determining connection information indicating a quantity of one or more transmission control protocol (TCP) connections that were made via at least one of the second plurality of flows during the incident and which one or more Internet Protocol (IP) addresses and ports allowed the one or more TCP connections; and
sending:
the incident log data in lieu of second flow log data for at least some of the second plurality of flows; and
the connection information.
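An added illustration, not part of the patent text or of any Centripetal product: a Python sketch of the logging behaviour that claim 1 recites. Packets are matched against rules built from threat-indicator network addresses; each matching flow is flow-logged until an indicator is tied to an incident, after which flows associated with that incident are folded into one incident record carrying the count of TCP connections made and the IP addresses and ports that allowed them. The indicator ranges, the incident policy (three distinct flows to one indicator), the use of a SYN/ACK as the evidence that a responder allowed a connection, and all sample traffic are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

SYN, ACK = 0x02, 0x10  # TCP flag bits

# Constructed threat indicators (RFC 5737 documentation ranges), standing in for
# the network addresses that the claim says come from CTI reports.
THREAT_INDICATORS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: int = 0


@dataclass
class Incident:
    incident_id: str
    indicator: str
    flows: set = field(default_factory=set)
    tcp_connections: int = 0
    accepting_endpoints: set = field(default_factory=set)


def flow_key(pkt):
    """Bidirectional flow identity: both directions of one conversation map to one key."""
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (ends[0], ends[1], pkt.proto)


class AdaptiveLogger:
    """Per-flow logs until an indicator is tied to an incident; afterwards one
    aggregated incident log plus a TCP connection summary for that indicator."""

    def __init__(self, indicators, incident_flow_threshold=3):
        self.indicators = indicators
        # Assumed incident policy (the patent does not specify one): an indicator
        # seen in this many distinct flows is declared an incident.
        self.threshold = incident_flow_threshold
        self.flows_per_indicator = defaultdict(set)
        self.incidents = {}   # indicator -> Incident
        self.records = []     # log data in the order it would be sent

    def match_rule(self, pkt):
        """Packet-filtering rule: a packet matches if either endpoint is an indicator."""
        for addr in (ip_address(pkt.src), ip_address(pkt.dst)):
            for net in self.indicators:
                if addr in net:
                    return str(net)
        return None

    def process(self, pkt):
        indicator = self.match_rule(pkt)
        if indicator is None:
            return  # no rule matched: nothing to log
        key = flow_key(pkt)
        incident = self.incidents.get(indicator)
        if incident is None:
            seen = self.flows_per_indicator[indicator]
            if key not in seen:  # first flow log data: one record per new flow
                seen.add(key)
                self.records.append({"type": "flow", "indicator": indicator, "flow": key})
            if len(seen) >= self.threshold:
                self.incidents[indicator] = Incident(f"INC-{len(self.incidents) + 1}", indicator)
            return
        # Incident already determined: aggregate instead of emitting per-flow logs.
        incident.flows.add(key)
        if pkt.proto == "tcp" and (pkt.flags & (SYN | ACK)) == (SYN | ACK):
            # A SYN/ACK means the responder allowed the connection; record who did.
            incident.tcp_connections += 1
            incident.accepting_endpoints.add((pkt.src, pkt.sport))

    def flush(self):
        """Emit incident log data (in lieu of per-flow logs) plus connection information."""
        for inc in self.incidents.values():
            self.records.append({
                "type": "incident",
                "incident_id": inc.incident_id,
                "indicator": inc.indicator,
                "flow_count": len(inc.flows),
                "tcp_connections": inc.tcp_connections,
                "accepting_endpoints": sorted(inc.accepting_endpoints),
            })
        return self.records


def run_example():
    """Constructed traffic: three SYNs into one indicator range trip the incident
    threshold; later flows to that range are aggregated rather than flow-logged."""
    pkts = [
        Packet("10.0.0.5", 40001, "203.0.113.10", 443, "tcp", SYN),
        Packet("10.0.0.6", 40002, "203.0.113.11", 443, "tcp", SYN),
        Packet("10.0.0.7", 40003, "203.0.113.12", 443, "tcp", SYN),        # threshold reached
        Packet("203.0.113.12", 443, "10.0.0.7", 40003, "tcp", SYN | ACK),  # connection allowed
        Packet("10.0.0.8", 40004, "203.0.113.20", 80, "tcp", SYN),
        Packet("203.0.113.20", 80, "10.0.0.8", 40004, "tcp", SYN | ACK),   # connection allowed
        Packet("10.0.0.9", 40005, "203.0.113.21", 80, "tcp", SYN),         # never answered
        Packet("10.0.0.9", 40006, "192.0.2.9", 53, "udp"),                 # matches no rule
        Packet("10.0.0.3", 50000, "198.51.100.7", 22, "tcp", SYN),         # other indicator, below threshold
    ]
    logger = AdaptiveLogger(THREAT_INDICATORS)
    for p in pkts:
        logger.process(p)
    return logger.flush()


if __name__ == "__main__":
    for rec in run_example():
        print(rec)
```

Running the sample yields four flow records (three for the /24 before the incident is declared, one for the single-host indicator that never reaches the threshold) and one incident record reporting three associated flows, two TCP connections, and the two responder IP:port pairs that answered with SYN/ACK; the unanswered SYN to 203.0.113.21 is counted as a flow but not as a connection.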