US Patent No. 10,659,480

INTEGRATED NETWORK THREAT ANALYSIS


Patent No. 10,659,480
Issue Date May 19, 2020
Title Integrated Network Threat Analysis
Inventorship Michael Arcamone, Arlington, VA (US)
Matthew Diehl, Arlington, VA (US)
Assignee INQUEST, LLC, Arlington, VA (US)

Claim of US Patent No. 10,659,480

1. A method implemented at a computer system for correlating network session and file information, the method comprising:
receiving, at a receiver module, packet data in a network communication session;
identifying a portion of the packet data representing a file being transferred in the network communication session over the network between a source and a destination;
associating the identified portion of the packet data with the file being transferred;
reassembling identified portions of the packet data to create a recomposed file;
storing the recomposed file in an electronic data storage device;
analyzing the packet data associated with the file to extract a network communication session parameter associated with the file and corresponding to the network communication session;
storing in the electronic data storage device, the extracted session parameter;
storing in the electronic data storage device, information identifying the recomposed file;
generating a logical link between the information identifying the recomposed file and the extracted session parameter based on the association between the identified portion of the packet data and the file being transferred;
calculating a threat score based on a weighted analysis of the recomposed file, wherein the weighting is based on one or more of reliability, false positive rate, and false negative rate of the analysis, and wherein the calculated threat score is associated with the recomposed file and the session parameter;
prompting, by a user interface of the computer system, a user to enter a parameter indicating a target network communication session;
receiving, at the user interface, the parameter entered by the user;
executing a query in the electronic data storage device to identify a file associated with the received parameter indicating the target network communication session based on the logical link between the information identifying the recomposed file and the extracted session parameter; and
returning, at the user interface, the threat score and an indication of the corresponding target network communication session indicated by the parameter to the user.
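The claim above, modelled end to end as an added Python illustration (not InQuest's implementation): packets are recomposed into files per session, each file is logically linked to its session parameters, a reliability-weighted threat score is computed, and a user-supplied session parameter is resolved to the linked file and score. The analyzer names, their reliability and error rates, the weighting rule, and the packet records are all constructed assumptions.

```python
# Added illustration of the claimed pipeline, not InQuest's code: recompose a
# file from session packets, link it to its session parameters, score it with
# reliability-weighted analyzers, and answer a session-parameter query.
import hashlib
from collections import namedtuple
# Constructed packet record: session parameters plus one ordered file fragment.
Packet = namedtuple("Packet", "src dst seq payload")

# Hypothetical analyzers with assumed reliability and error rates.
ANALYZERS = {
    "vba_autoopen": {"reliability": 0.9, "fp_rate": 0.05, "fn_rate": 0.20},
    "byte_diversity": {"reliability": 0.6, "fp_rate": 0.30, "fn_rate": 0.10},
}

def analyzer_weight(stats):
    # Assumed weighting rule: reliable, low-error analyzers count for more.
    return stats["reliability"] * (1 - stats["fp_rate"]) * (1 - stats["fn_rate"])

def reassemble(packets):
    """Group payloads by session (src, dst) and recompose each file in seq order."""
    files = {}
    for p in sorted(packets, key=lambda p: p.seq):
        files.setdefault((p.src, p.dst), bytearray()).extend(p.payload)
    return {session: bytes(buf) for session, buf in files.items()}

def threat_score(data):
    """Weighted average of per-analyzer verdicts in [0, 1], rounded to 3 places."""
    verdicts = {"vba_autoopen": 1.0 if b"AutoOpen" in data else 0.0,
                "byte_diversity": min(1.0, len(set(data)) / 64)}
    weights = {name: analyzer_weight(s) for name, s in ANALYZERS.items()}
    return round(sum(verdicts[n] * w for n, w in weights.items()) / sum(weights.values()), 3)

def build_store(packets):
    """Store keyed by file id; each record is the logical link to session params + score."""
    store = {}
    for (src, dst), data in reassemble(packets).items():
        file_id = hashlib.sha256(data).hexdigest()[:16]   # identifies the recomposed file
        store[file_id] = {"src": src, "dst": dst, "size": len(data), "score": threat_score(data)}
    return store

def query(store, **session_param):
    """User query: (file_id, score, session) for files linked to the given parameter(s)."""
    return [(fid, rec["score"], (rec["src"], rec["dst"])) for fid, rec in store.items()
            if all(rec.get(k) == v for k, v in session_param.items())]

# Constructed traffic: one session transfers a macro-bearing file, packets out of order.
PACKETS = [
    Packet("10.0.0.5", "203.0.113.9", 2, b"End Sub\n"),
    Packet("10.0.0.5", "203.0.113.9", 1, b"Sub AutoOpen()\n"),
    Packet("10.0.0.7", "198.51.100.4", 1, b"hello world\n"),
]
STORE = build_store(PACKETS)   # e.g. query(STORE, src="10.0.0.5") -> [(id, 0.733, session)]
```

Because scores are stored against the link rather than the file alone, the same query by destination or any other stored session parameter returns the identical score and session tuple.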