Abstract: A dynamic hybrid residential threat detection method is disclosed. The method includes receiving, by a packet selector on a customer premises equipment (CPE), communication sessions and selecting and sending, by the packet selector, a predefined number of packets of the communication sessions to a CPE detection engine based on packet selection rules. The method also includes inspecting, by the CPE detection engine, the predefined number of packets of each communication session based on CPE detection rules that establish what type of inspection is to be performed by the CPE detection engine based at least in part on CPE resource constraints. The method further includes sending, by the packet selector, the predefined number of packets of at least some of the communication sessions to a cloud detection engine and blocking particular communication traffic on the CPE based on the inspection and/or an instruction from the cloud detection engine.

Abstract: A dynamic cloud-based threat detection system is disclosed. The system comprises a network broker that receives communication sessions associated with communication device(s) via a network and selects and sends a predefined number of packets of each communication session to a detection based on packet selection rules. The communication device(s) comprises customer premises equipment (CPE) and/or a mobile communication device. The detection engine receives and inspects the predefined number of packets of each communication session and a governor that initiates blocking of particular communication traffic based on the inspection. The system also comprises a dynamic optimizer that monitors factor(s) and creates and sends updated packet rules to the network broker based on the monitoring. The network broker selects and sends a different predefined number of packets of each of a second plurality of communication sessions to the detection engine for inspection based on the updated packet selection rules.

Abstract: A method of dynamic residential threat detection is disclosed. The method includes a packet selection component on a customer premises equipment (CPE) sending a predefined number of packets of each of a plurality of communication sessions to a detection engine based on packet selection rules. The method also includes the detection engine on the CPE receiving and inspecting the predefined number of packets. The method further includes a dynamic optimizing component on the CPE monitoring one or more factors and creating and sending updated packet selection rules based on the monitored factor(s) to the packet selection component. The method additionally comprises the packet selection component sending a different predefined number of packets of each of a second plurality of communication sessions to the detection engine based on the updated packet selection rules. The method further includes the detection engine receiving and inspecting the different predefined number of packets.

Abstract: A cyber threat attenuation system. The system comprises a cyber threat data store, a plurality of sensor control points (SCPs), wherein at least one SCP is located in each local area network (LAN) segment of an enterprise network, and an analytics correlation system (ACS). Each SCP comprises a plurality of sensor applications that analyze data packets transported by the LAN segment in which the SCP is located and transmits a notification identifying the transmitting sensor, an identity of the source of the data packet, an identity of the destination of the data packet, and a notification reason to the data store. The ACS comprises an application that determines unusual data packet traffic in the enterprise network and transmits a notification comprising information about the unusual data packet traffic and an identity of a host computer associated with the unusual data packet traffic to the data store.

Abstract: A cyber threat attenuation system. The system comprises a cyber threat data store, a plurality of sensor control points (SCPs), wherein at least one SCP is located in each local area network (LAN) segment of an enterprise network, and an analytics correlation system (ACS). Each SCP comprises a plurality of sensor applications that analyze data packets transported by the LAN segment in which the SCP is located and transmits a notification identifying the transmitting sensor, an identity of the source of the data packet, an identity of the destination of the data packet, and a notification reason to the data store. The ACS comprises an application that determines unusual data packet traffic in the enterprise network and transmits a notification comprising information about the unusual data packet traffic and an identity of a host computer associated with the unusual data packet traffic to the data store.

Abstract: A cyber threat attenuation system. The system comprises a cyber threat data store, a plurality of sensor control points (SCPs), wherein at least one SCP is located in each local area network (LAN) segment of an enterprise network, and an analytics correlation system (ACS). Each SCP comprises a plurality of sensor applications that analyze data packets transported by the LAN segment in which the SCP is located and transmits a notification identifying the transmitting sensor, an identity of the source of the data packet, an identity of the destination of the data packet, and a notification reason to the data store. The ACS comprises an application that determines unusual data packet traffic in the enterprise network and transmits a notification comprising information about the unusual data packet traffic and an identity of a host computer associated with the unusual data packet traffic to the data store.

Abstract: A device and method for providing forensic data in network activity indicative of the presence of malware. A distributed set of network-based sensors operates within an enterprise network in cooperation with a centralized analytics and correlation engine that correlates detected events across the sensors to detect malicious activity on a monitored network which may include using a multi-tiered or Rete net rule set or engine. When malicious activity is detected upon the satisfaction of a predetermined set of conditions, the invention traces the activity to a host responsible for the activity for further action.