Preemptive threat detection for an information system

Information

  • Patent Grant
  • 12267299
  • Patent Number
    12,267,299
  • Date Filed
    Wednesday, January 12, 2022
  • Date Issued
    Tuesday, April 1, 2025
Abstract
A device configured to receive a data sample about a configuration for one or more network devices in a public network. The device is further configured to compare one or more threat indicators to the data sample where each threat indicator is associated with a configuration setting. The device is further configured to identify a first network device in the public network that comprises a configuration that matches a threat indicator and to generate a bad actor profile for the first network device. The device is further configured to receive data traffic for a second network device in a private network and to block data communications between the second network device in the private network and the first network device in the public network in response to determining that the first network device is associated with the bad actor profile.
Description
TECHNICAL FIELD

The present disclosure relates generally to network security, and more specifically to preemptive threat detection for an information system.


BACKGROUND

In a network environment, network devices are in data communication with other network devices that may be distributed anywhere in the world. These network environments allow data and information to be shared among devices. Some of the technical challenges that occur when data is exchanged between devices are controlling data leakage, unauthorized access to data, and preventing malicious activities. Data storing devices, such as computers, user devices, databases, and servers, are vulnerable to attacks. This vulnerability poses several network security challenges. Existing systems are typically unable to detect a network attack until after the attack has occurred. For example, a bad actor may connect to a network device in a private network which then allows the bad actor to gain unauthorized access to files or documents that are stored in the network device or the network. Having a delayed response allows the bad actor to gain access to sensitive information within the network and allows bad actors to perform other malicious activities such as data exfiltration or uploading malware.


SUMMARY

The disclosed system provides several practical applications and technical advantages that overcome the previously discussed technical problems. For example, the disclosed system provides a practical application by identifying network devices within a public network that correspond with potential bad actors. The information system is configured to generate a bad actor profile for any identified network devices or entities in the public network. The information system then uses the bad actor profiles to monitor data traffic within a private network and to prevent attacks within the private network. This process provides a technical improvement that improves information security by preemptively identifying and blocking communications with any network devices in the public network that are potential bad actors before they connect with or access network devices in the private network. In an initial search, the information system identifies a coarse level of information that is associated with network devices for a bad actor. After performing the coarse search, the information system then performs a finer and more targeted search for additional information that is specific to a previously identified entity and network devices. This process provides a technical improvement that increases information security by allowing the information system to generate a more robust and complete bad actor profile that identifies any other information that is associated with a potential bad actor.


Improving information security for the information system also improves the underlying network and the devices within the network. For example, when a data exfiltration attack occurs, there is an increase in the number of network resources and bandwidth that are consumed, which reduces the throughput of the network. By preventing data exfiltration attacks, the system can prevent any unnecessary increases in the number of network resources and bandwidth that are consumed that would otherwise negatively impact the throughput of the system. As another example, when a malware attack occurs, one or more devices may be taken out of service until the malware can be removed from the devices. Taking devices out of service negatively impacts the performance and throughput of the network because the network has fewer resources for processing and communicating data. By preventing malware types of attacks, the system prevents any compromised devices from being taken out of service due to an attack that would otherwise negatively impact the performance and throughput of the network. Thus, the disclosed process improves the operation of the information system overall.


In one embodiment, the information system comprises a threat detection device that is configured to receive a data sample comprising information about a configuration for one or more network devices in a public network. The threat detection device is further configured to identify one or more threat indicators, where each threat indicator is associated with a configuration setting and each threat indicator identifies a value for the configuration setting. The threat detection device is further configured to compare the threat indicators to the data sample and to identify a first network device from among the one or more network devices in the public network that comprises a configuration that matches a threat indicator from among the one or more threat indicators. The threat detection device is further configured to generate a bad actor profile for the first network device that comprises a first device identifier for the first network device. The threat detection device is further configured to receive data traffic for a second network device in a private network, to identify a second device identifier within the data traffic, and to determine the second device identifier matches the first device identifier in the bad actor profile. The threat detection device is further configured to block data communications between the second network device in the private network and the first network device in the public network in response to determining that the second device identifier matches the first device identifier in the bad actor profile.


Certain embodiments of the present disclosure may include some, all, or none of these advantages. These advantages and other features will be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings and claims.





BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of this disclosure, reference is now made to the following brief description, taken in conjunction with the accompanying drawings and detailed description, wherein like reference numerals represent like parts.



FIG. 1 is a schematic diagram for an information system configured with a threat detection device;



FIG. 2 is a flowchart of an embodiment of a threat detection process for the information system; and



FIG. 3 is an embodiment of a threat detection device for the information system.





DETAILED DESCRIPTION

Information System Overview



FIG. 1 is a schematic diagram of an embodiment of an information system 100 that is generally configured to identify network devices 108 within a public network 110 that correspond with entities that are potential bad actors. The information system 100 is further configured to generate a bad actor profile 118 for any identified entities that can be used to monitor data traffic within a private network 106 and to prevent attacks within the private network 106. This process provides improved information security by preemptively identifying and blocking communications with any network devices 108 in the public network 110 that are potential bad actors before they connect with or access network devices 102 in the private network 106.


Private Network


In one embodiment, the information system 100 comprises one or more network devices 102 and a threat detection device 104 that are in signal communication with each other within a private network 106. The private network 106 allows communication between and amongst the various components of the information system 100. This disclosure contemplates the private network 106 being any suitable network operable to facilitate communication between the components of the information system 100. The private network 106 may include any interconnecting system capable of transmitting audio, video, signals, data, messages, or any combination of the preceding. The private network 106 may include all or a portion of a local area network (LAN), a wide area network (WAN), an overlay network, a software-defined network (SDN), a virtual private network (VPN), a packet data network (e.g., the Internet), a mobile telephone network (e.g., cellular networks, such as 4G or 5G), a Plain Old Telephone (POT) network, a wireless data network (e.g., WiFi, WiGig, WiMax, etc.), a Long Term Evolution (LTE) network, a Universal Mobile Telecommunications System (UMTS) network, a peer-to-peer (P2P) network, a Bluetooth network, a Near Field Communication (NFC) network, a Zigbee network, and/or any other suitable network.


Network Devices


A network device 102 is a hardware device that is generally configured to provide hardware and software resources to a user. Examples of the network device 102 include, but are not limited to, a smartphone, a tablet, a laptop, a computer, a smart device, or any other suitable type of device. Each network device 102 is configured to allow a user to communicate (i.e. send and receive) data with other network devices 102 in the private network 106. A network device 102 may also be configured to allow a user to communicate data 120 with network devices 108 that are in a public network 110 (e.g. the Internet). Examples of a network device 108 in a public network 110 include, but are not limited to, a server, a database, a computer, a webcam, a smart device, or any other suitable type of network device. As an example, a user may employ a network device 102 to access a network device 108 in a public network 110 to access a website or download files from the network device 108.


Threat Detection Device


Examples of a threat detection device 104 include, but are not limited to, an access point, a server, a computer, or any other suitable type of network device. In one embodiment, a threat detection device 104 comprises a threat detection engine 112 and a memory 114. Additional details about the hardware configuration of the threat detection device 104 are described in FIG. 3. The memory 114 is configured to store threat indicators 116, bad actor profiles 118, and/or any other suitable type of data.


In one embodiment, the threat detection engine 112 is generally configured to facilitate communications between network devices 102 in the private network 106 and network devices 108 in the public network 110. For example, the threat detection engine 112 is configured to establish and enable network connections between a network device 102 in the private network 106 and a network device 108 in the public network 110 that allows the network device 102 to access data and/or download data from the network device 108. In one embodiment, the threat detection device 104 is configured to receive data that is communicated between a network device 102 in the private network 106 and a network device 108 in the public network 110. In this configuration, the network device 102 in the private network 106 sends data to the network device 108 in the public network 110 via the threat detection device 104. This means that the threat detection device 104 receives the data from the network device 102 in the private network 106 before forwarding the data to the network device 108 in the public network 110. Similarly, the threat detection device 104 is also configured to forward data from a network device 108 in the public network 110 to a network device 102 in the private network 106. This configuration allows the threat detection device 104 to intercept and monitor any data traffic that is communicated between a network device 102 in the private network 106 and a network device 108 in the public network 110.


The threat detection engine 112 is further configured to identify entities within the public network 110 that are potential bad actors based on a set of user-defined threat indicators 116. A threat indicator 116 is an attribute, pattern, or behavior that can be used to identify potential bad actors. In one embodiment, a threat indicator 116 is associated with a configuration setting or values of a configuration setting for a network device 108. Examples of threat indicators 116 include, but are not limited to, Secure Sockets Layer (SSL) certificate values, Hypertext Transfer Protocol (HTTP) values, HTTP responses, non-HTTP protocol values, server header values, shortcut or hyperlink addresses, JARM or JA3S fingerprint values, Hypertext Markup Language (HTML) page attributes (e.g. body, title, etc.) or values, or any other suitable type of attribute that can be used to identify a bad actor.


The threat detection engine 112 is further configured to generate a bad actor profile 118 for any entities that match one or more of the threat indicators 116 for a bad actor. The threat detection device 104 is configured to use the bad actor profile 118 while monitoring data traffic of network devices 102 in the private network 106 to identify communications with bad actors. A bad actor profile 118 generally comprises information that is associated with an entity that has been identified as a potential bad actor. For example, a bad actor profile 118 may comprise a device identifier for an entity or a network device 108 associated with an entity, an Internet Protocol (IP) address, a port number, a timestamp for when an entity was first identified, a timestamp for when an entity was last seen, a timestamp for when a search was performed, a search platform identifier for where an entity was found, search criteria for identifying an entity, a confidence score or value, a physical location address, any other suitable type of information, or combination thereof. Examples of a device identifier include, but are not limited to, an IP address, an Internet domain name, a device name, a phone number, an email address, or any other suitable type of identifier. An example of the threat detection engine 112 monitoring data traffic and blocking any detected communications between a network device 102 and an entity that is associated with a bad actor profile 118 is described in more detail in FIG. 2.


Threat Detection Process



FIG. 2 is a flowchart of an embodiment of a threat detection process 200 for the information system 100. The information system 100 may employ process 200 to identify network devices 108 within the public network 110 that correspond with entities that are potential bad actors. The information system 100 may also employ process 200 to generate a bad actor profile 118 for any identified entities that can be used to monitor the private network 106 and to prevent attacks within the private network 106. This process provides improved information security by preemptively identifying and blocking communications with network devices 108 in the public network 110 that are potential bad actors before they connect with or access network devices 102 in the private network 106.


Bad Actor Detection Using a Bad Actor Profile


At operation 202, the threat detection device 104 obtains a data sample 122 from the public network 110. The threat detection device 104 obtains the data sample 122 by performing a search for various types of network devices 108 that are connected to the public network 110 (e.g. the Internet). The threat detection device 104 may search one or more data sources (e.g. databases) to obtain the data sample 122. Examples of network devices 108 include, but are not limited to, servers, routers, webcams, smart devices, or any other suitable type of device. The data sample 122 generally comprises information for network devices 108 that are associated with different entities. For example, the data sample 122 may comprise device identifiers, configuration settings, IP addresses, Internet domain names, device names, phone numbers, email addresses, port numbers, HTML code, HTML pages, or any other suitable type of information associated with an entity.


In one embodiment, the threat detection device 104 is configured to periodically perform searches to obtain data samples 122 from the public network 110. In this case, the threat detection device 104 waits a predetermined amount of time after obtaining a data sample 122 before performing an additional search to obtain another data sample 122. Each time the threat detection device 104 performs a search, the threat detection device 104 may use different search criteria to obtain a new data sample 122. In other embodiments, the threat detection device 104 may be configured to obtain a data sample 122 from the public network 110 on demand. In this case, the threat detection device 104 performs a search in response to a user input to initiate a search. The user input may also provide any search criteria that will be used to search the public network 110.


At operation 204, the threat detection device 104 identifies one or more threat indicators 116 that will be used to search for a bad actor. In one embodiment, a user may predefine or identify one or more threat indicators 116 that will be used. In this case, the threat detection device 104 uses the threat indicators 116 that were provided by the user to analyze the data sample 122 to determine whether a bad actor has been detected. In one embodiment, the one or more threat indicators 116 comprise a configuration setting for a network device 108 in the public network 110. In this example, a threat indicator 116 may identify one or more values of a configuration setting for a network device 108. In other examples, the threat indicators 116 may comprise SSL certificate values, HTTP values, HTTP responses, non-HTTP protocol values, server header values, shortcut or hyperlink addresses, JARM or JA3S fingerprint values, HTML page attributes or values, any other suitable type of attribute that can be used to identify a bad actor, or combination thereof.


At operation 206, the threat detection device 104 determines whether there are any matches in the data sample 122 with the specified threat indicators 116. Here, the threat detection device 104 compares the information from the data sample 122 with the previously specified threat indicators 116. For example, the threat detection device 104 may compare a threat indicator 116 that is associated with an SSL certificate value to SSL certificate values in the data sample 122. As another example, the threat detection device 104 may compare threat indicators 116 associated with HTML page attributes or values to the HTML page attributes or values in the data sample 122. In other examples, the threat detection device 104 may compare any other threat indicators 116 to the information in the data sample 122. The threat detection device 104 returns to operation 202 in response to determining that there are no matches in the data sample 122 with the threat indicators 116. In this case, the threat detection device 104 determines that none of the information in the data sample 122 matches a threat indicator 116 for a potential bad actor and returns to operation 202 to obtain another data sample 122 using different search criteria. The threat detection device 104 proceeds to operation 208 in response to determining that there are matches in the data sample 122 with the threat indicators 116 for a potential bad actor. In this case, the threat detection device 104 determines that a potential bad actor has been detected and proceeds to operation 208 to record information from the data sample 122 for the entity that has been identified as a potential bad actor.


At operation 208, the threat detection device 104 generates a bad actor profile 118. After identifying a match between the data sample 122 and the threat indicators 116 for a potential bad actor, the threat detection device 104 first identifies one or more network devices 108 that are associated with the matching information. The threat detection device 104 then associates the identified network devices 108 with an entity that is a potential bad actor. After identifying the network devices 108 that are associated with a potential bad actor, the threat detection device 104 then generates a bad actor profile 118 for the entity that comprises any information from the data sample 122 that is associated with the identified network devices 108 for the entity. The threat detection device 104 can use this information from the bad actor profile 118 when monitoring the private network 106 to detect and restrict communications with the bad actor. An example of this process is described in operation 210. The bad actor profile 118 may comprise a device identifier for the entity or a network device 108 associated with the entity, an IP address, an Internet domain name, a device name, a phone number, an email address, a port number, a timestamp for when the entity was identified, a timestamp for when the entity was last seen, a timestamp for when the search was performed, a search platform identifier for where the entity was found, search criteria for identifying the entity, a confidence score or value, any other suitable type of information associated with the entity, or combination thereof.


At operation 210, the threat detection device 104 monitors the private network 106 using the bad actor profile 118. As an example, the threat detection device 104 may intercept or receive data traffic (e.g. data 120) between a network device 102 in the private network 106 and a network device 108 in the public network 110. The threat detection device 104 scans the data traffic to determine whether any information from the data traffic matches the information in the bad actor profile 118. For example, the threat detection device 104 may compare information from the data traffic to the device identifiers, IP addresses, Internet domain names, port numbers, or any other type of information in the bad actor profile 118. When the threat detection device 104 determines there is a match between any information in the data traffic and the bad actor profile 118, the threat detection device 104 may then restrict or block communications between the network device 102 in the private network 106 and the network device 108 in the public network 110 in response to detecting the match. For example, the threat detection device 104 may analyze the data traffic and determine that a device identifier (e.g. an IP address) for a target network device 108 in the public network 110 matches a device identifier in the bad actor profile 118. In this example, the threat detection device 104 determines that the network device 102 is attempting to communicate with a network device 108 that is associated with a known bad actor and blocks communications between the network device 102 in the private network 106 and the network device 108 in the public network 110. The threat detection device 104 will continue to use the bad actor profile 118 to monitor any data traffic between network devices 102 within the private network 106 and network devices 108 in the public network 110. This process allows the threat detection device 104 to preemptively prevent an attack by restricting communications with any network device 108 that has been previously associated with a bad actor profile 118. This process provides improved information security by allowing the threat detection device 104 to avoid any attacks by a bad actor by preventing the bad actor from connecting to the private network 106 and/or communicating with network devices 102 in the private network 106.
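The following is an added illustration of operations 202 through 210, written for this page and not taken from the patent: a constructed data sample of public network device configurations is compared against a set of threat indicators 116, a bad actor profile 118 is generated per matching entity, and a flow record from the private network is checked against the profile's device identifiers. The indicator values, IP addresses and domain names are constructed placeholders; approximating the entity by the device's domain name, and using the profile's confidence score as a blocking threshold, are assumptions of this example rather than requirements of the disclosure.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Threat indicators (operation 204). Each names a configuration setting and the
# value(s) of that setting that mark a potential bad actor. All values here are
# constructed placeholders, not real indicators.
THREAT_INDICATORS = [
    {"setting": "ssl_cert_subject", "values": {"CN=update-service.test"}},
    {"setting": "server_header", "values": {"Apache/2.2.3-custom-build"}},
    {"setting": "jarm", "values": {"jarm-placeholder-0001"}},
    {"setting": "html_title", "values": {"Login - Secure Portal"}},
]

# Constructed data sample (operation 202): configuration data for three public
# network devices, in the shape a search platform might return it.
DATA_SAMPLE = [
    {"ip": "203.0.113.10", "port": 443, "domain": "alpha.test",
     "ssl_cert_subject": "CN=alpha.test", "server_header": "nginx/1.24",
     "jarm": "jarm-placeholder-9999", "html_title": "Alpha Home"},
    {"ip": "203.0.113.20", "port": 8443, "domain": "beta.test",
     "ssl_cert_subject": "CN=update-service.test",
     "server_header": "Apache/2.2.3-custom-build",
     "jarm": "jarm-placeholder-0001", "html_title": "Login - Secure Portal"},
    {"ip": "198.51.100.5", "port": 80, "domain": "gamma.test",
     "ssl_cert_subject": "", "server_header": "Microsoft-IIS/10.0",
     "jarm": "", "html_title": "Login - Secure Portal"},
]


@dataclass
class BadActorProfile:
    """Bad actor profile (operation 208): what the detection device records for an entity."""
    entity: str
    search_criteria: str
    first_seen: str
    last_seen: str
    device_identifiers: set[str] = field(default_factory=set)  # IP addresses and domain names
    ports: set[int] = field(default_factory=set)
    matched_indicators: list[str] = field(default_factory=list)
    confidence: float = 0.0


def match_indicators(record: dict, indicators: list[dict]) -> list[str]:
    """Operation 206: every indicator whose listed value appears in the record's configuration."""
    hits = []
    for ind in indicators:
        value = record.get(ind["setting"])
        if value and value in ind["values"]:
            hits.append(f'{ind["setting"]}={value}')
    return hits


def build_profiles(sample, indicators, search_criteria, now=None):
    """Operations 206 and 208: one profile per entity whose device matched an indicator.
    The entity is approximated by the device's domain name (an assumption of this example)."""
    now = now or datetime.now(timezone.utc).isoformat()
    profiles: dict[str, BadActorProfile] = {}
    for record in sample:
        hits = match_indicators(record, indicators)
        if not hits:
            continue
        prof = profiles.setdefault(
            record["domain"], BadActorProfile(record["domain"], search_criteria, now, now))
        prof.device_identifiers |= {record["ip"], record["domain"]}
        prof.ports.add(record["port"])
        prof.matched_indicators.extend(hits)
        # Confidence: share of the indicator set this entity has matched. A single
        # weak match (e.g. a common page title) yields a low score.
        prof.confidence = len(set(prof.matched_indicators)) / len(indicators)
    return profiles


def block_decision(flow: dict, profiles: dict, min_confidence: float = 0.5):
    """Operation 210: return the entity to block when the flow's destination identifier
    is in a profile whose confidence meets the threshold, otherwise None. The threshold
    is an addition of this example; the patent text blocks on any identifier match."""
    dst_ids = {flow["dst_ip"]}
    if flow.get("dst_domain"):
        dst_ids.add(flow["dst_domain"].lower())
    for entity, prof in profiles.items():
        if prof.confidence >= min_confidence and dst_ids & prof.device_identifiers:
            return entity
    return None


if __name__ == "__main__":
    profiles = build_profiles(DATA_SAMPLE, THREAT_INDICATORS, "constructed search")
    for entity, prof in profiles.items():
        print(entity, prof.confidence, sorted(prof.device_identifiers))
    flow = {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.20", "dst_domain": "beta.test"}
    print("block:", block_decision(flow, profiles))
```

With the constructed sample, gamma.test matches only the shared page title and receives a confidence of 0.25, so it is blocked only when the threshold is lowered to 0, which is how a single broad indicator would produce false positives under the any-match rule.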


Enhancing and Updating a Bad Actor Profile


After generating a bad actor profile 118, the threat detection device 104 may enhance or update the bad actor profile 118 by searching for additional information for the previously identified network device 108 of an entity that has been identified as a potential bad actor. The initial search that is performed in operation 202 provides a coarse level of information that is associated with a bad actor. After performing the coarse search, the threat detection device 104 then performs a finer and more targeted search for information that is specific to a previously identified entity. This process provides increased information security by allowing the threat detection device 104 to generate a more robust and complete bad actor profile 118 that identifies any other information that is associated with a potential bad actor.


At operation 212, the threat detection device 104 determines whether to update the bad actor profile 118. In one embodiment, the threat detection device 104 may be configured to update the bad actor profile 118 on demand. In this case, the threat detection device 104 will not automatically update the bad actor profile 118 until a user input is provided. For example, the threat detection device 104 will temporarily terminate process 200 and will later return to operation 212 to update the bad actor profile 118 in response to receiving a user's request to update the bad actor profile 118. The user input may comprise an identifier for the entity, a device identifier for a network device 108 associated with the entity, or any other suitable type of information associated with the entity.


In another embodiment, the threat detection device 104 may be configured to periodically update the bad actor profile 118 for the entity by performing additional searches for information associated with the entity. In this case, the threat detection device 104 waits a predetermined amount of time and then performs an additional search for information using a process similar to the process described in operation 202. The threat detection device 104 may be configured to wait one hour, one day, one week, one month, or any other suitable amount of time before performing an additional search. The threat detection device 104 proceeds to operation 214 in response to determining to update the bad actor profile 118. In this case, the threat detection device 104 proceeds to operation 214 to perform an additional search for information associated with the entity.


At operation 214, the threat detection device 104 performs another search in the public network 110 for additional information that is associated with the previously identified entity. The threat detection device 104 may perform a search using the same search criteria that were used in operation 202 or new search criteria. As an example, the threat detection device 104 may identify one or more attributes for the entity that is associated with the bad actor profile 118. Here, the threat detection device 104 identifies one or more attributes for the entity that will be used as search criteria for performing a new search. Examples of attributes include, but are not limited to, a device identifier for the entity or a network device 108 associated with the entity, an IP address, a network packet response, a network protocol response, an Internet domain name, a device name, a phone number, an email address, a port number, or any other suitable type of information that is associated with the entity. As another example, a user may provide new search criteria (e.g. threat indicators 116) for performing another search. In other examples, the threat detection device 104 may use a combination of attributes for the entity from the bad actor profile 118 and new search criteria from a user.


At operation 216, the threat detection device 104 determines whether any additional information is available for the entity. Here, the threat detection device 104 compares the information obtained from the search in operation 214 to the information in the bad actor profile 118 to determine whether there is any additional information available for the entity. The threat detection device 104 determines there is additional information available when information from the new search is not present in the bad actor profile 118 for the entity. The threat detection device 104 returns to operation 212 in response to determining that no additional information is available for the entity. In this case, the threat detection device 104 determines that there is no additional information to add to the bad actor profile 118 and returns to operation 212 to wait a predetermined amount of time before checking again for additional information associated with the entity. The threat detection device 104 proceeds to operation 218 in response to determining that additional information is available for the entity. In this case, the threat detection device 104 proceeds to operation 218 to add the additional information to the bad actor profile 118 that is associated with the entity.


At operation 218, the threat detection device 104 updates the bad actor profile 118. After determining that additional information is available for the entity, the threat detection device 104 adds the new information to the bad actor profile 118 for the entity. Here, the threat detection device 104 adds any new information from the search performed in operation 214 to the bad actor profile 118 for the entity. For example, the threat detection device 104 may add new device identifiers for other network devices 108 that are associated with the entity to the bad actor profile 118 for the entity. In other examples, the threat detection device 104 may add any new IP addresses, Internet domain names, port numbers, or any other type of new information that is associated with the entity to the bad actor profile 118 for the entity. By adding the additional information to the bad actor profile 118, the threat detection device 104 is able to generate a more comprehensive bad actor profile 118 that can be used to detect attacks while monitoring the private network 106.
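The following is an added illustration of operations 212 through 218, written for this page and not taken from the patent: a profile produced by the coarse search is turned into criteria for a targeted search (operation 214), the results are diffed against the profile (operation 216), the new values are merged in and the search timestamps updated (operation 218), and the periodic embodiment of operation 212 is expressed as an interval check. The search index, the profile values and the one-day interval are constructed placeholders; the search platform is simulated by a list lookup.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Profile as produced by the initial coarse search (constructed values).
PROFILE = {
    "entity": "beta.test",
    "ips": {"203.0.113.20"},
    "domains": {"beta.test"},
    "ports": {8443},
    "ssl_cert_subject": {"CN=update-service.test"},
    "jarm": {"jarm-placeholder-0001"},
    "last_search": "2022-01-12T00:00:00+00:00",
    "last_seen": "2022-01-12T00:00:00+00:00",
}

# Constructed index that the targeted search (operation 214) runs against. The first
# record is the device already in the profile, the next two share an attribute with
# the entity, and the last is unrelated and must not be pulled in.
SEARCH_INDEX = [
    {"ip": "203.0.113.20", "domain": "beta.test", "port": 8443,
     "ssl_cert_subject": "CN=update-service.test", "jarm": "jarm-placeholder-0001"},
    {"ip": "203.0.113.77", "domain": "beta-cdn.test", "port": 443,
     "ssl_cert_subject": "CN=update-service.test", "jarm": "jarm-placeholder-0001"},
    {"ip": "192.0.2.9", "domain": "beta.test", "port": 22,
     "ssl_cert_subject": "", "jarm": ""},
    {"ip": "198.51.100.40", "domain": "unrelated.test", "port": 443,
     "ssl_cert_subject": "CN=unrelated.test", "jarm": "jarm-placeholder-4242"},
]

# Attributes worth pivoting on: ones specific to the entity. Pivoting on a widely
# shared attribute (e.g. a stock server header) would attach unrelated devices.
PIVOT_FIELDS = {"ip": "ips", "domain": "domains",
                "ssl_cert_subject": "ssl_cert_subject", "jarm": "jarm"}


def pivot_criteria(profile: dict) -> dict:
    """Operation 214: attributes already in the profile become the new search criteria."""
    return {f: profile[key] for f, key in PIVOT_FIELDS.items() if profile.get(key)}


def targeted_search(index: list[dict], criteria: dict) -> list[dict]:
    """Simulated search platform: a record matches when any criterion value matches."""
    return [r for r in index
            if any(r.get(f) and r[f] in vals for f, vals in criteria.items())]


def new_information(profile: dict, results: list[dict]) -> dict:
    """Operation 216: values from the new search that are not already in the profile."""
    additions: dict[str, set] = {}
    for r in results:
        for f, key in PIVOT_FIELDS.items():
            if r.get(f) and r[f] not in profile[key]:
                additions.setdefault(key, set()).add(r[f])
        if r["port"] not in profile["ports"]:
            additions.setdefault("ports", set()).add(r["port"])
    return additions


def update_profile(profile: dict, additions: dict, now: datetime) -> dict:
    """Operation 218: merge the new information and record when the search ran.
    last_seen moves only when the search actually produced something new."""
    for key, values in additions.items():
        profile[key] |= values
    profile["last_search"] = now.isoformat()
    if additions:
        profile["last_seen"] = now.isoformat()
    return profile


def due_for_update(profile: dict, now: datetime,
                   interval: timedelta = timedelta(days=1)) -> bool:
    """Operation 212, periodic embodiment: true once the wait interval has elapsed."""
    return now - datetime.fromisoformat(profile["last_search"]) >= interval


if __name__ == "__main__":
    now = datetime(2022, 1, 13, tzinfo=timezone.utc)
    if due_for_update(PROFILE, now):
        results = targeted_search(SEARCH_INDEX, pivot_criteria(PROFILE))
        additions = new_information(PROFILE, results)
        update_profile(PROFILE, additions, now)
    print(sorted(PROFILE["ips"]), sorted(PROFILE["ports"]), PROFILE["last_seen"])
```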


Hardware Configuration for the Threat Detection Device



FIG. 3 is an embodiment of a threat detection device 104 for the information system 100. As an example, the threat detection device 104 may be a server, an access point, or a computer. The threat detection device 104 comprises a processor 302, a memory 114, and a network interface 304. The threat detection device 104 may be configured as shown or in any other suitable configuration.


Processor


The processor 302 is a hardware device that comprises one or more processors operably coupled to the memory 114. The processor 302 is any electronic circuitry including, but not limited to, state machines, one or more central processing unit (CPU) chips, logic units, cores (e.g. a multi-core processor), field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), or digital signal processors (DSPs). The processor 302 may be a programmable logic device, a microcontroller, a microprocessor, or any suitable combination of the preceding. The processor 302 is communicatively coupled to and in signal communication with the memory 114 and the network interface 304. The one or more processors are configured to process data and may be implemented in hardware or software. For example, the processor 302 may be 8-bit, 16-bit, 32-bit, 64-bit, or of any other suitable architecture. The processor 302 may include an arithmetic logic unit (ALU) for performing arithmetic and logic operations, processor registers that supply operands to the ALU and store the results of ALU operations, and a control unit that fetches instructions from memory and executes them by directing the coordinated operations of the ALU, registers and other components.


The one or more processors are configured to implement various instructions. For example, the one or more processors are configured to execute threat detection instructions 306 to implement the threat detection engine 112. In this way, processor 302 may be a special-purpose computer designed to implement the functions disclosed herein. In an embodiment, the threat detection engine 112 is implemented using logic units, FPGAs, ASICs, DSPs, or any other suitable hardware. The threat detection engine 112 is configured to operate as described in FIGS. 1 and 2. For example, the threat detection engine 112 may be configured to perform the operations of process 200 as described in FIG. 2.


Memory


The memory 114 is a hardware device that is operable to store any of the information described above with respect to FIGS. 1 and 2 along with any other data, instructions, logic, rules, or code operable to implement the function(s) described herein when executed by the processor 302. The memory 114 comprises one or more disks, tape drives, or solid-state drives, and may be used as an overflow data storage device, to store programs when such programs are selected for execution, and to store instructions and data that are read during program execution. The memory 114 may be volatile or non-volatile and may comprise a read-only memory (ROM), random-access memory (RAM), ternary content-addressable memory (TCAM), dynamic random-access memory (DRAM), and static random-access memory (SRAM).


The memory 114 is operable to store threat detection instructions 306, threat indicators 116, bad actor profiles 118, and/or any other data or instructions. The threat detection instructions 306 may comprise any suitable set of instructions, logic, rules, or code operable to execute the threat detection engine 112. The threat indicators 116 and the bad actor profiles 118 are configured similar to the threat indicators 116 and the bad actor profiles 118 described in FIGS. 1 and 2, respectively.


Network Interface


The network interface 304 is a hardware device that is configured to enable wired and/or wireless communications. The network interface 304 is configured to communicate data between network devices 102 in the private network 106, network devices 108 in the public network 110, and other devices, systems, or domains. For example, the network interface 304 may comprise an NFC interface, a Bluetooth interface, a Zigbee interface, a Z-wave interface, a radio-frequency identification (RFID) interface, a WIFI interface, a LAN interface, a WAN interface, a PAN interface, a modem, a switch, or a router. The processor 302 is configured to send and receive data using the network interface 304. The network interface 304 may be configured to use any suitable type of communication protocol as would be appreciated by one of ordinary skill in the art.


While several embodiments have been provided in the present disclosure, it should be understood that the disclosed systems and methods might be embodied in many other specific forms without departing from the spirit or scope of the present disclosure. The present examples are to be considered as illustrative and not restrictive, and the intention is not to be limited to the details given herein. For example, the various elements or components may be combined or integrated with another system or certain features may be omitted, or not implemented.


In addition, techniques, systems, subsystems, and methods described and illustrated in the various embodiments as discrete or separate may be combined or integrated with other systems, modules, techniques, or methods without departing from the scope of the present disclosure. Other items shown or discussed as coupled or directly coupled or communicating with each other may be indirectly coupled or communicating through some interface, device, or intermediate component whether electrically, mechanically, or otherwise. Other examples of changes, substitutions, and alterations are ascertainable by one skilled in the art and could be made without departing from the spirit and scope disclosed herein.


To aid the Patent Office, and any readers of any patent issued on this application in interpreting the claims appended hereto, applicants note that they do not intend any of the appended claims to invoke 35 U.S.C. § 112(f) as it exists on the date of filing hereof unless the words “means for” or “step for” are explicitly used in the particular claim.

Claims
  • 1. A threat detection device, comprising: a network interface configured to communicate data traffic between one or more network devices in a private network and one or more network devices in a public network; and a processor operably coupled to the network interface, configured to: receive, via the network interface and from the public network, a data sample comprising configuration information for a first network device in the public network; obtain a plurality of threat indicators configured to guide analysis of the data sample, wherein: each threat indicator of the plurality of threat indicators is associated with a configuration setting; and the configuration setting being used to identify at least one network device from the one or more network devices in the public network as a bad actor; determine whether the data sample matches at least one threat indicator of the plurality of threat indicators; in response to determining that the data sample matches the at least one threat indicator of the plurality of threat indicators, generate a bad actor profile for the first network device, wherein: the bad actor profile comprises a first device identifier for the first network device; and the first device identifier identifies the first network device among the one or more network devices in the public network; intercept, via the network interface, data traffic transmitted from the one or more network devices in the public network to a second network device in the private network; determine whether first information in the data traffic matches second information in the bad actor profile; in response to determining that the first information in the data traffic matches the second information in the bad actor profile, determine that the data traffic comprises communication between the first network device in the public network and the second network device in the private network; determine a second device identifier within the data traffic; determine that the second device identifier matches the first device identifier in the bad actor profile; in response to determining that the second device identifier matches the first device identifier in the bad actor profile, determine that the data traffic comprises additional communication between the first network device in the public network and the second network device in the private network; perform a search in the public network using the first device identifier for the first network device; identify a third device identifier associated with the first network device based on results of the search; store the third device identifier in the bad actor profile; and block data communications between the second network device in the private network and the first network device in the public network.
  • 2. The device of claim 1, wherein the at least one threat indicator comprises a Secure Sockets Layer (SSL) certificate value.
  • 3. The device of claim 1, wherein the at least one threat indicator comprises a Hypertext Transfer Protocol (HTTP) value.
  • 4. The device of claim 1, wherein the first device identifier is an Internet Protocol (IP) address.
  • 5. The device of claim 1, wherein the first device identifier is a port number.
  • 6. The device of claim 1, wherein the first device identifier is an Internet domain name.
  • 7. The device of claim 1, wherein the processor is further configured to: search, via the network interface, the public network for additional information matching the first device identifier; determine whether the public network comprises the additional information matching the first device identifier; in response to determining that the public network comprises the additional information matching the first device identifier, determine that the additional information comprises additional bad actor information; and update the bad actor profile to include the additional information as the additional bad actor information.
  • 8. A threat detection method, comprising: receiving, via a network interface and from a public network, a data sample comprising configuration information for a first network device in the public network; obtain a plurality of threat indicators configured to guide analysis of the data sample, wherein: each threat indicator of the plurality of threat indicators is associated with a configuration setting; and the configuration setting being used to identify at least one network device from one or more network devices in the public network as a bad actor; determining whether the data sample matches at least one threat indicator of the plurality of threat indicators; in response to determining that the data sample matches the at least one threat indicator of the plurality of threat indicators, generating a bad actor profile for the first network device, wherein: the bad actor profile comprises a first device identifier for the first network device; and the first device identifier identifies the first network device among the one or more network devices in the public network; intercepting, via the network interface, data traffic transmitted from the one or more network devices in the public network to a second network device in a private network; determining whether first information in the data traffic matches second information in the bad actor profile; in response to determining that the first information in the data traffic matches the second information in the bad actor profile, determining that the data traffic comprises communication between the first network device in the public network and the second network device in the private network; determining a second device identifier within the data traffic; determining that the second device identifier matches the first device identifier in the bad actor profile; in response to determining that the second device identifier matches the first device identifier in the bad actor profile, determining that the data traffic comprises additional communication between the first network device in the public network and the second network device in the private network; performing a search in the public network using the first device identifier for the first network device; identifying a third device identifier associated with the first network device based on results of the search; storing the third device identifier in the bad actor profile; and blocking data communications between the second network device in the private network and the first network device in the public network.
  • 9. The method of claim 8, wherein the at least one threat indicator comprises a Secure Sockets Layer (SSL) certificate value.
  • 10. The method of claim 8, wherein the at least one threat indicator comprises a Hypertext Transfer Protocol (HTTP) value.
  • 11. The method of claim 8, wherein the first device identifier is an Internet Protocol (IP) address.
  • 12. The method of claim 8, wherein the first device identifier is a port number.
  • 13. The method of claim 8, wherein the first device identifier is an Internet domain name.
  • 14. A non-transitory computer-readable medium storing instructions that when executed by a processor cause the processor to: receive, via a network interface and from a public network, a data sample comprising configuration information for a first network device in the public network; obtain a plurality of threat indicators configured to guide analysis of the data sample, wherein: each threat indicator of the plurality of threat indicators is associated with a configuration setting; and the configuration setting being used to identify at least one network device from one or more network devices in the public network as a bad actor; determine whether the data sample matches at least one threat indicator of the plurality of threat indicators; in response to determining that the data sample matches the at least one threat indicator of the plurality of threat indicators, generate a bad actor profile for the first network device, wherein: the bad actor profile comprises a first device identifier for the first network device; and the first device identifier identifies the first network device among the one or more network devices in the public network; intercept, via the network interface, data traffic transmitted from the one or more network devices in the public network to a second network device in a private network; determine whether first information in the data traffic matches second information in the bad actor profile; in response to determining that the first information in the data traffic matches the second information in the bad actor profile, determine that the data traffic comprises communication between the first network device in the public network and the second network device in the private network; determine a second device identifier within the data traffic; determine that the second device identifier matches the first device identifier in the bad actor profile; in response to determining that the second device identifier matches the first device identifier in the bad actor profile, determine that the data traffic comprises additional communication between the first network device in the public network and the second network device in the private network; perform a search in the public network using the first device identifier for the first network device; identify a third device identifier associated with the first network device based on results of the search; store the third device identifier in the bad actor profile; and block data communications between the second network device in the private network and the first network device in the public network.
  • 15. The non-transitory computer-readable medium of claim 14, wherein the at least one threat indicator comprises a Secure Sockets Layer (SSL) certificate value.
  • 16. The non-transitory computer-readable medium of claim 14, wherein the at least one threat indicator comprises a Hypertext Transfer Protocol (HTTP) value.
  • 17. The non-transitory computer-readable medium of claim 14, wherein the first device identifier is an Internet Protocol (IP) address.
Related Publications (1)
Number Date Country
20230224275 A1 Jul 2023 US