Field
Embodiments of the present invention generally relate to the field of computer networks. In particular, various embodiments relate to methods and systems for extracting and presenting threat information relating to one or more network activities.
Description of the Related Art
The Internet is a network of networks: a global collection of interconnected local, mid-level, and wide area networks that use the Internet Protocol as their network layer protocol. As the Internet and its underlying technologies become increasingly popular, Internet security and computer network security in general have become topics of growing concern. For instance, growing access to the vast amount of information available on the Internet also creates opportunities for unauthorized access to data, leading to threats such as modification of data, deletion of data, unauthorized use of computer resources, and undesired interference with the intended use of computer resources, among others. Such threats have driven the development of techniques for securing networks and the computers served by those networks.
A firewall, one of the most commonly used network security or access control mechanisms, is typically configured to shield data and resources from computer network intruders and to create an electronic boundary that prevents unauthorized users from accessing files or other content on a network or a computer. A firewall may be provided at the edge of a network (an “edge firewall”), where it interfaces with computers or resources outside the network and monitors and controls the flow of data between resources within the network and those outside it, such that all communication flowing between the networks in either direction, such as data packets, requests for web pages, and requests for specific information, passes through the firewall. A firewall can be configured to selectively permit communication from one network to another network or device so as to provide bi-directional security.
In addition to firewalls, multiple intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are available to detect and/or prevent network attacks, including, but not limited to, malicious content, viruses, trojans, exploits, spyware, unexpected data streams, blocked content, security breaches, security-violating applications, Domain Name System (DNS) attacks, buffer overflow operations, execution of malformed application data, execution of malicious mobile code, data theft, and malware, from being passed on to devices of an internal network. IPSs play the vital role of detecting various kinds of attacks and securing networks against the attacks so detected. Another purpose of an IPS is to log evidence of intrusions within normal audit data. An IPS is an effective security technology that can detect, prevent, and possibly react to an attack; it monitors the activities of target sources and employs various techniques for providing security services. An IPS may also gather evidence of an attacker's activity, remove the attacker's access to the network, and reconfigure the network to resist the attacker's penetration technique and/or subsequent network access by the attacker.
Existing gateway or security management devices typically log traffic data packet by packet in a log database, which typically includes information on all packets, whether valid or invalid. Furthermore, invalid packets do not necessarily correspond to threats, since a packet may merely be undesirable, such as a packet from a social networking website. Existing systems also do not allow monitoring of specific threat-level resources or parameters, nor the generation of accurate reports that are easy to interpret. Existing traffic logs therefore cannot explicitly point out the packets or traffic data that correspond to threats, which users need to identify, review, and analyze in order to evaluate the kinds of threats that have been detected or prevented by the network system across one or more timeframes, the sources of such threats, the destinations of such threats, and the ranking of threats based on their occurrence, among other objectives. Identification and analysis of threats can also help in assessing potential future threats and, accordingly, in improving the signatures and rules that are implemented to detect, prevent, and handle such threats.
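As an added illustration (not code from the application or from any product it describes) of the extraction the preceding paragraph calls for, the following script parses a constructed, assumed-format gateway log that mixes ordinary traffic with IPS threat events, keeps only the records flagged as threats (note that denied traffic is not by itself a threat), and aggregates them by signature, source, destination, and hour so that threats can be ranked by occurrence. The log format, field names, and addresses are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of a gateway log (assumed key=value format, not the
# format of any real product). Ordinary traffic and IPS threat events are mixed.
SAMPLE_LOG = """\
2024-03-01T10:00:01 type=traffic src=10.0.0.5 dst=93.184.216.34 action=allow
2024-03-01T10:00:02 type=threat src=198.51.100.7 dst=10.0.0.5 sig=sql_injection action=block
2024-03-01T10:00:05 type=traffic src=10.0.0.8 dst=203.0.113.9 action=deny
2024-03-01T10:01:10 type=threat src=198.51.100.7 dst=10.0.0.6 sig=sql_injection action=block
2024-03-01T11:02:00 type=threat src=203.0.113.77 dst=10.0.0.5 sig=buffer_overflow action=block
2024-03-01T11:03:30 type=traffic src=10.0.0.5 dst=203.0.113.9 action=deny
malformed line that should be skipped
"""

def parse_log(text):
    """Parse key=value log lines into dicts; skip lines that do not fit the format."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # first token is not a timestamp: treat the line as malformed
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        fields["ts"] = ts
        records.append(fields)
    return records

def extract_threats(records):
    """Keep only records the IPS flagged as threats; denied traffic is not a threat."""
    return [r for r in records if r.get("type") == "threat"]

def threat_report(threats):
    """Rank signatures by occurrence and aggregate sources, destinations, and hourly counts."""
    by_sig = Counter(t["sig"] for t in threats)
    by_src = Counter(t["src"] for t in threats)
    by_dst = Counter(t["dst"] for t in threats)
    by_hour = Counter(t["ts"].strftime("%Y-%m-%dT%H") for t in threats)
    return {
        "ranked_signatures": by_sig.most_common(),
        "top_sources": by_src.most_common(),
        "top_destinations": by_dst.most_common(),
        "per_hour": dict(sorted(by_hour.items())),
    }

# Threat-only report built from the constructed sample log.
REPORT = threat_report(extract_threats(parse_log(SAMPLE_LOG)))
```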
In view of the foregoing, there exists a need for improved systems and methods for extracting information and attributes regarding threats and for presenting the same.