Patent · US Active

Methods and systems for efficient adaptive logging of cyber threat incidents

US11362996B2 · kind B2 · utility

Cited by: 0
References: 21
Claims: 30
Family size: 0

Assignee

Inventors

Key dates

Filing date: Jul 20, 2021
Grant date: Jun 14, 2022
Priority date:
Expiry date: Jul 20, 2041

Classification

  • Technology area (CPC H): Electricity
  • CPC primary: H04L63/1458
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

A packet-filtering network appliance protects networks from threats by enforcing policies on in-transit packets crossing network boundaries. The policies are composed of packet filtering rules derived from cyber threat intelligence (CTI). Logs of rule-matching packets and their flows are sent to cyberanalysis applications located at security operations centers (SOCs). Some cyber threats/attacks, or incidents, are composed of many different flows occurring at a very high rate, generating a flood of logs that may overwhelm computer, storage, network, and cyberanalysis resources, thereby compromising cyber defenses. The present disclosure describes incident logging that efficiently incorporates logs of many flows that comprise the incident, potentially reducing resource consumption while improving the informational/cyberanalytical value for cyberanalysis when compared to the component flow logs. Incident logging vs. flow logging can be automatically and adaptively switched on or off.
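The adaptive switch the abstract describes, flow-by-flow logging until a rule's match rate crosses a threshold and a single aggregated incident record once it has, can be sketched in a few dozen lines. The following is an added illustration written for this page, not code from the patent or its assignee: the sliding window, the high/low thresholds, the incident record fields, the rule ids R1 and R2, and the traffic sample are all assumptions of the example, and the packet data is constructed.

```python
"""Adaptive incident-vs-flow logging sketch (illustrative, not the patent's code)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowEvent:
    ts: float      # seconds; events are assumed to arrive in non-decreasing ts order
    src: str
    dst: str
    dport: int
    rule_id: str   # id of the CTI-derived filtering rule the flow matched (assumed)


class AdaptiveLogger:
    """Logs each rule-matching flow individually until the per-rule match rate
    reaches `high` flows per `window` seconds; then it folds flows into one
    incident record until the rate falls back to `low` (hysteresis)."""

    def __init__(self, window=1.0, high=5, low=2):
        self.window, self.high, self.low = window, high, low
        self._recent = {}   # rule_id -> deque of recent match timestamps
        self._open = {}     # rule_id -> incident aggregate under construction
        self.records = []   # emitted log records, in emission order

    def _rate(self, rule_id, ts):
        """Record this match and return the number of matches inside the window."""
        dq = self._recent.setdefault(rule_id, deque())
        dq.append(ts)
        while ts - dq[0] > self.window:   # terminates: the newest entry is ts itself
            dq.popleft()
        return len(dq)

    def observe(self, ev):
        rate = self._rate(ev.rule_id, ev.ts)
        inc = self._open.get(ev.rule_id)
        if inc is not None and rate <= self.low:
            self._close(ev.rule_id)       # burst is over: emit one incident record
            inc = None
        if inc is None and rate >= self.high:
            # Switch incident logging on for this rule and start the aggregate.
            inc = {"rule_id": ev.rule_id, "first_seen": ev.ts, "last_seen": ev.ts,
                   "flows": 0, "srcs": set(), "dsts": set(), "dports": set()}
            self._open[ev.rule_id] = inc
        if inc is not None:
            # Incident mode: no per-flow record, just update the aggregate.
            inc["flows"] += 1
            inc["last_seen"] = ev.ts
            inc["srcs"].add(ev.src)
            inc["dsts"].add(ev.dst)
            inc["dports"].add(ev.dport)
        else:
            # Flow mode: one record per rule-matching flow.
            self.records.append({"type": "flow", "rule_id": ev.rule_id, "ts": ev.ts,
                                 "src": ev.src, "dst": ev.dst, "dport": ev.dport})

    def _close(self, rule_id):
        inc = self._open.pop(rule_id)
        self.records.append({
            "type": "incident", "rule_id": rule_id,
            "first_seen": inc["first_seen"], "last_seen": inc["last_seen"],
            "flows": inc["flows"], "distinct_srcs": len(inc["srcs"]),
            "distinct_dsts": len(inc["dsts"]), "distinct_dports": len(inc["dports"]),
        })

    def flush(self):
        """Close any incident still open (end of input) and return all records."""
        for rule_id in list(self._open):
            self._close(rule_id)
        return self.records


def sample_events():
    """Constructed sample: a burst of 12 R1 matches (one every 0.1 s) from 12
    sources, one isolated R1 match much later, and two slow R2 matches."""
    evs = [FlowEvent(0.1 * i, f"203.0.113.{i}", "192.0.2.10", 80 + (i % 3), "R1")
           for i in range(12)]
    evs.append(FlowEvent(10.0, "203.0.113.99", "192.0.2.10", 80, "R1"))
    evs += [FlowEvent(0.5, "198.51.100.7", "192.0.2.20", 443, "R2"),
            FlowEvent(3.0, "198.51.100.8", "192.0.2.20", 443, "R2")]
    return sorted(evs, key=lambda e: e.ts)   # stable sort keeps per-rule order


def run(events=None):
    logger = AdaptiveLogger(window=1.0, high=5, low=2)
    for ev in (sample_events() if events is None else events):
        logger.observe(ev)
    return logger.flush()


if __name__ == "__main__":
    for rec in run():
        print(rec)
```

With the sample traffic the 12-flow R1 burst yields four individual flow records (the matches seen before the rate reached `high`) plus one incident record summarising the remaining eight flows, while R2 stays in flow mode throughout. Two design points worth noting: the separate `high` and `low` thresholds keep the mode from flapping at the boundary, and flows logged before the switch are not retracted, so a deployment that wants the incident record to cover the whole burst would need to buffer the first `high - 1` flow records until the mode is decided.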

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.