BACKGROUND

[0001 ] Computer networks and the devices that operate on them often experience probiems for a variety of reasons, e.g., due to misconfiguration, software bugs, and malicious network and computing device attacks. In a network services industry, e.g., where a service provider provides computing resources operating on a private network for use by various users, the size and complexity of a private network may make detecting and handling problems with the network difficult. A compromised computing device, for example, may operate in a malicious manner within a private network for a significant period of time before the malicious activity can be identified and handled.

BRIEF DESCRSPTSQM OF THE DRAWINGS

[0002] The following detailed description references the drawings, wherein:

[0003] FIG. 1 is a block diagram of an example computing device for handling network threats.

[0004] FIG. 2 is an example data flow for handling network threats.

[0005] FIG. 3 is a flowchart of an example method for handling network threats.

DETAILED DESCRIPTION

[0006] Potentially problematic network activity occurring on network devices may be detected in a variety of ways. For example, signatures of malicious code may be identified in network communications, the source or destination of network packets may be identified and determined to be sourced from or destined for a device that is known to be malicious, and/or patterns in network traffic may be detected that are indicative of malicious activity. When a potential threat is identified, a threat handling device may be provided with information related to the threat, so that the threat may be handled in a manner designed to ensure the security of the network.

[0007] The threat handler may determine, based on the information provided to it, one or more types of analytics that are to be performed in order to determine more information about the threat and/or to determine how to remediate the threat. In some implementations, the threat handler may use preconfigured playbooks, e.g., preconfigured instructions, to determine how the threat handler proceeds given the particular threat information. Playbooks include data associating a threat or threats with one or more analytics operations that may be used to analyze and/or remediate the threats and one or more types of information used to perform the analytics operations. Playbooks may be implemented in, for example, a list table, or the like, or other data structure including the associated data, executable instructions for performing analytics and obtaining the information used to perform the analytics, or specification documents that include the associated data. The threat handler may, for example, cause various network devices to collect data that can be used to perform particular analytics, the results of which may be used to identify the specific threat occurring on the network. After identifying a specific threat the threat handler may, e.g., using the piaybook, determine how the threat should be remediated, e.g., by providing a network controller with instructions to shut down affected devices.

[0008] By way of example, a DNS analytics device may identify an anomaly in the DNS traffic sent by a particular computing device on a network. An alert, which may contain information about the anomaly, may be sent to the threat handler. The threat handier may use a piaybook to determine that specific analytics should be performed to obtain more information about the threat. The specific analytics may make use of additional information not currently being collected or reviewed within the network, such as web proxy logs, user activity logs, and/or TCP/IP network samples and counters. The threat handler may notify a network device controller, such as software defined network (SDN) controller, to instruct one or more network devices, such as SDN routers and switches, to collect the additional information. The threat handler may also instruct an analytics devices to perform the specific analytics. When the analytics device receives the additional information from the reconfigured network devices, the specific analytics may be performed, with the results being provided to the threat handler. Based on the results of the specific analytics, the threat handler may determine further analytics to be performed and/or remedial actions to be taken to remedy specific threats. For example, the threat handier may determine, based on the results of the specific analytics, that a computing device on the network is infected with maiware, and it may further determine that network communications to and from the affected computing device should be prevented until the maiware can be removed.

[0009] The ability to handle network threats in the above described manner may facilitate relatively efficient identification and remediation of network threats. For example, resource intensive data collection and analytics techniques may be reserved for use in response to identification of particular potential threats that may be identified using relatively lightweight collection and analytics, in addition, a variety of piaybooks for determining analytics and remedial actions may allow for handling potential threats in a variety of ways, and the ability to create new piaybooks or change existing piaybooks may allow network administrators to adapt to new threats and manage many threat handling procedures at a single point in the network. The manner in which network threats may be handled is described in further detail in the paragraphs that follow.

[0010] Referring now to the drawings, FIG. 1 is a block diagram of an example computing device 100 for handling network threats. Computing device 100 may be, for example, a server computer, a personal computer, a mobile computing device, or any other electronic device suitable for processing network communications data, in the embodiment of FIG. 1 , computing device 100 includes hardware processor 1 10 and machine-readable storage medium 120.

[001 1 ] Hardware processor 1 10 may be one or more central processing units (CPUs), semiconductor-based microprocessors, and/or other hardware devices suitable for retrieval and execution of instructions stored in machine-readable storage medium 120. Hardware processor 1 10 may fetch, decode, and execute instructions, such as 122-130, to control the process for handling network threats. As an alternative or in addition to retrieving and executing instructions, hardware processor 1 10 may include one or more electronic circuits that include electronic components for performing the functionality of one or more of instructions. The functionalities described herein in relation to instructions 122-130 may, in some implementations, be implemented as engines comprising hardware or combination of hardware and programming to implement the functionalities of the engines.

[0012] A machine-readable storage medium, such as 120, may be any electronic, magnetic, optical, or other physical storage device that contains or stores executable instructions. Thus, machine-readable storage medium 120 may be, for example, Random Access Memory (RAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a storage device, an optical disc, and the like. In some implementations, storage medium 120 may be a non- transitory storage medium, where the term "non-transitory" does not encompass transitory propagating signals. As described in detail below, machine-readable storage medium 120 may be encoded with a series of executable instructions: 122-128, for handling network threats.

[0013] The example environment depicted in FIG. 1 also includes a threat detector 140, network devices 150, and an analytics device 160. The threat detector 140 is a computing device that provides threat data 142 to the computing device 100. The threat detector may be, for example, an analytics devices that performs analytics on network communications or other information to determine if a potential threat exists within the network. Another example threat detector 140 is a network router that includes logic for identifying a particular threat and, upon identification of the particular threat, sending threat data to the computing device 100. In some implementations, a variety of threat detectors, of the same or differing types, may be used to identify potential threats to the network and/or the devices operating on the network.

[0014] Network devices 150 depicted in FIG. 1 may include any number of network devices capable of receiving instructions 152, directly or indirectly, from the computing device 100. For example, the network devices 150 may include multiple SDN switches and routers that are capable of being configured to collect and send particular information from the network packets as they traverse the network devices 150. Other types of network devices 150 may include, for example, end-point devices such as content servers and user devices, analytics devices, event control devices, network tap devices, and other devices capable of communicating with the computing device 100.

[0015] The analytics device 160 may be one or more computing devices designed to provide analytics results 162 to the computing device 100. Analytics may be used, for example, to identify and communicate patterns - found within input data - that may indicate malicious or potentially malicious activity. A network may include multiple analytics devices, each capable of performing its own analytics operations and/or working with other analytics devices to perform one analytics operation. The analytics performed by the analytics device 180 may vary; e.g., the input, output, and particular analytics operations performed may be configured by the computing device 100.

[0016] As shown in FIG. 1 , the computing device 100 executes instructions (122) to receive, from a threat detector 140, threat data 142 associated with a particular network device included in a plurality of network devices. For example, a threat detector 140 may be a network packet capture device that sends an alert when a particular end-point computing device, such as a server computer, is uploading a threshold amount of data out of the network over a certain period of time. The alert may be sent to the computing device 100, along with threat data 142 that includes some information about the potential threat, e.g., the amount of data transferred, in some implementations, a variety of threat detectors may be used to provide a variety of different types of threat data to the computing device.

[0017] The computing device 100 executes instructions (124) to identify, based on the threat data 142, a particular analytics operation for assisting with remediation of a threat associated with the threat data 142. Using the example above, a potential threat may be a malicious entity causing sensitive data stored on the end-point device to be uploaded to the malicious entity. Example analytics operations may include an analysis of the intended destination(s) of the uploaded data and/or an analysis of the type(s) of data being uploaded. In some implementations, the computing device 100 may use predefined playbooks for determining analytics operation(s) that may be useful to determine more information about a potential threat and/or to determine how to remediate the potential threat. For example, a particular playbook may specify that, in response to identifying a large amount of data being uploaded from an end-point device to an external entity, analytics should be performed to determine whether the destination of the uploaded data is associated with a known malicious entity. Playbooks may be configured in a variety of ways, e.g., multiple playbooks may be associated with one potential threat, some playbooks may specify multiple analytics operations, and some playbooks may be designed to be used in response to identifying a particular combination of potential threats.

[0018] The computing device 100 executes instructions (128) to identify, based on the threat data 142, additional data for performing the particular analytics operation. For example, an analytics operation designed to determine whether the data being uploaded is indicative of a compromised system may use file extension information included in network packets to determine the likelihood that the system is compromised. As another example, an analytics operation used to determine whether network traffic is destined for a known malicious entity may use destination information included in network packets and/or source information included in incoming network packets associated with upload requests. The additional data may be a type of data not currently being collected by the network, e.g., the additional data may be different from the data being collected when the original potential threat was identified. In implementations where playbooks are used to determine analytics operations, playbooks may also specify the additional data used to perform the analytics operations.

[0019] The computing device 100 executes instructions (128) to cause reconfiguration of at least one of the plurality of network devices 150.

Reconfiguration causes each reconfigured network device to i) collect the additional data, and ii) provide the additional data to an analytics device, such as analytics device 160. For example, the computing device 100 may provide instructions 152, directly or indirectly, to a network switch or packet capturing device, to instruct the device to capture the type(s) of data being uploaded from the potentially compromised server computer and send the captured information to an analytics device. In some implementations, the computing device 100 may provide reconfiguration instructions 152 to a separate controller device designed to reconfigure network devices 150. For example, in the SDN context, an SDN network controller may be capable of causing SDN network elements, such as SDN switches and routers, to be reconfigured for capturing and transmitting specific data of interest. In this context, the computing device 100 may provide information to the SDN controller that specifies the additional data to be collected and sent to a particular analytics device or devices, and the SDN controller will provide the appropriate SDN devices with data that causes reconfiguration of the SDN devices.

[0020] in some implementations, the computing device 100 may execute instructions to provide instructions to an analytics device, such as analytics device 160, the instructions causing the analytics device to perform the particular analytics. For example, the computing device 100 may provide the analytics device 160 with instructions to perform the particular analytics using the additional data that is being captured and provided by the reconfigured network devices.

[0021 ] The computing device 100 executes instructions (130) to receive, from the analytics device 160, particular analytics results 162 of the particular analytics operation. For example, the analytics results may indicate a measure of likelihood that the server computer is compromised by a malicious actor. In some implementations, the computing device 100 may determine to perform additional analytics based on the analytics results, e.g., in situations where the results were not conclusive enough to determine whether a potential threat is a false positive or an actual threat, in some implementations, a piaybook may specify subsequent analytics to be performed, in some implementations, the computing device 100 may identify a new piaybook to be used to identify additional analytics and data to be captured.

[0022] in situations where additional analytics are to be performed, the computing device 100 may cause reconfiguration of at least one of the network devices. The reconfigured network devices may be the same devices reconfigured in the first round of analytics and/or different network devices. The second analytics results may be determined by the same analytics device 180 and/or different analytics devices. The second results may be used to determine whether the threat is a false positive or indicative of an actual threat. The process for reconfiguring network devices, gathering additional data, and performing other analytics, may be repeated, e.g., until the computing device 100 has the information needed to determine how to handle the potential threat.

[0023] in situations where the computing device 100 determines, e.g., based on analytics results, that a threat is not a false positive - or is not likely to be a false positive - the computing device 100 may initiate remedial measures in a variety of ways. The computing device 100 may notify an administrator, notify a user associated with an affected device, instruct network devices to restrict communications to/from the affected device, or instruct a network device controiler to restrict communications involving the affected device, to name a few. In implementations where playbooks are used, p!aybooks may include one or more remedial measures that may be taken in response to determining that a threat is real or likely to be real. By way of example, in a situation where the computing device 100 determines that a server computer on the network is infected with maiware that is causing the server computer to upload data, the computing device 100 may instruct an SDN controiler to cause SDN switches or routers within the network to prevent transmission of network packets sent by the server computer.

[0024] While the threat detector 140 and analytics device 160 are depicted separately from the computing device 100 in FIG. 1 , in some implementations the actions performed by each device may be executed by a single computing device, e.g., computing device 100. in addition, the instructions executed by the computing device 100 need not be performed by a single device and may be performed by multiple computing devices. Other computing device configurations and/or combinations of devices may also be used to execute instructions for handling network threats.

[0025] FIG. 2 is an example data flow 200 for handling network threats. The data flow depicts a threat handler 210, which may be implemented by a computing device, such as the computing device 100 described above with respect to FIG. 1. The network device(s) 240 may be any intermediary network device suitable for transmitting network communications within and outside of the network 205, such as routers and switches, software defined or otherwise, and virtual or hardware. The client device(s) 250 may be any end-point computing device suitable for network communications, such as a personal computer, mobile computer, virtual machine, server computer, or any combination thereof. For example, the client computing device(s) 250 may be virtual machines operating within a private cloud computing network 205 and managed by a user external to the private network 205. The network device controller 230 may be one or more computing devices that manage the network device(s) 240. For example, in the SDN context, the network device controller 230 may be a SDN network controller. The analytics device 220 may be one or more computing devices for analyzing network data for various purposes, e.g., to identify potential threats, patterns, network traffic information, and various metrics.

[0026] During their operation, the client device(s) 250 may communicate with other devices, e.g., devices internal to the network 205 and external devices 245, using the network device(s) 240, e.g., routers and switches. The network device controller 230 manages the operation, monitoring, and/or configuration of the network device(s) 240, e.g., in the SDN context, the network device controller 230 may be a SDN controller that controls the configuration of SDN network devices. The analytics device 220 may perform a variety of analytics based on data received from one or more sources within the network 205. For example, individual network devices 240 may be configured to send information related to DNS traffic to the analytics device 220, which may perform analytics on the information to determine potential problems, or threats, are occurring within any of the devices operating on the network 205.

[0027] in the example data flow 200, the analytics device 220 sends threat data 202 to the threat handier 210. The threat data 202 may be, for example, an alert regarding an anomaly in DNS requests sent by a particular client device. The threat data 202 may specify that a particular client device operating on the network 205 is sending DNS queries at a rate that exceeds a threshold that indicates, based on analytics, a potential malware infection on the particular client device.

[0028] The threat handler 210, using the threat data 202, identifies a particular analytics operation for assisting with remediation of the potential threat and additional data to be used for performing the analytics operation. For example, the threat handler 210 may identify one playbook from a group of playbooks 217 stored on a playbook storage 215 device. The example playbooks indicate, for each of several different threats - threats A, B, C, and D - analytics operation(s) and data used for performing the analytics operation(s). For example, in a situation where the threat data 202 specifies a threat associated with "threat C," the threat handier 210 may use the playbook associated with "threat C" to determine that "analytics C" should be performed to determine how to remediate the potential threat associated with "threat C," and that "data C" should be gathered in order to perform "analytics C." In the DNS query threshold example, the threat may be malware on the client device that uses a high volume of pseudorandom DNS queries to find malware command and control devices. Analytics to be performed may use web proxy logs, user activity logs, and TCP/IP network samples and counters to further investigate and determine a root cause of the problem and potential steps for remediation.

[0029] After identifying the analytics to be performed and additional data to be collected, the threat handler 210 sends analytics instructions 212 to the analytics device 220 and reconfiguration instructions 214 to the network device controller 230. The analytics instructions 212 may specify, for example, which analytics operation(s) should be performed by the analytics device 220. The reconfiguration instructions 214 may specify, for example, the additional data to be gathered for performing the analytics.

[0030] The network device controller 230, in response to receiving the reconfiguration instructions 214, causes reconfiguration of at least one of the network devices 240. The reconfiguration instructions 216 provided by the network device controller may be the same instructions, or different instructions, from those provided by the threat handler 210. For example, the reconfiguration instructions 214 sent by the threat handler 210 may specify the additional data to be collected, while the reconfiguration instructions 218 sent by the network device controller 230 may be more specific instructions for multiple network devices 240. In the SDN context, reconfiguration instructions provided by the SDN controller will cause reconfiguration of hardware and/or software on individual SDN network devices.

[0031 ] The reconfigured network devices 240 send, to the analytics device 220, the additional data 218 captured as a result of their reconfiguration. In the DNS query threat example, one or more of the network devices 240 may be reconfigured to send, to the analytics device 220, web proxy logs, user activity logs, and TCP/IP network samples and counters of the affected client device and, in some implementations, other client devices.

[0032] The analytics device 220 performs analytics using the additional data 218. The actual analytics operation(s) performed may vary, in the example above, an analytics operation may be performed on the additional data 218 to determine the likelihood that the additional data 218 supports a pattern of communications associated with a particular type of ma!ware. Analytics results 222 are sent from the analytics device 220 to the threat handier 210. The results 222 may specify a variety of information, such as an additional threat, likelihood of an additional threat, likelihood of other client devices being affected, and/or a prediction regarding the existing threat, to name a few.

[0033] in response to receiving the analytics results 222, the threat handler 210 may take a variety of actions. For example, the threat handler 210 may follow instructions included in the piaybook used for the original threat, identify one or more additional playbooks for handling of newly identified threats, notify a system administrator of a threat or potential threat, take remedial action designed to stop a threat, and/or end collection of additional data in situations where a potential threat was a false positive.

[0034] In the example data flow 200, the threat handier 210 provides remediation instructions 232 to the network device controller 230 for remediating the threat. The remediation instructions 232 may, for example, have been included in a p!aybook or provided by a system administrator. The network device controller 230 uses the remediation instructions 232 to provide its own remediation instructions 234 to the network devices 240. The remediation instructions 234 sent by the network device controller may include reconfiguration data used to cause reconfiguration of at least one network device 240. Using the DNS query malware example above, and in the SDN context, the threat handier 210 may instruct the SDN controller to halt ail outgoing traffic from the affected client device and enable collection of new data from different client devices that may be at risk. The SDN controller may then cause reconfiguration of one or more of the network devices to prevent outgoing communications from the affected client device and to collect the additional information to be used to verify the status of other at-risk client devices.

[0035] The analytics performed, data collected, network device reconfigurations, and remedial actions may be iteratively adjusted throughout the process for handling potential network threats. When a threat is fully handled, e.g., malware or affected client device(s) removed, the network data collection and analytics may return to a default state, e.g., a less resource-intensive collection and analysis of DNS data only. The threat handler 210 may also, in some implementations, assist in handling multiple threats in parallel, e.g., using playbacks, administrator instructions, or a combination thereof. For example, when faced with two different types of threats, network devices may be reconfigured to collect data for one or both, at the same time or according to a priority associated with the threats, and analytics for multiple threats may be performed, at the same time or according to the same or a different priority. As noted above, device configurations other than the one depicted in the example data flow 200 may be used in a system that handles network threats, e.g., by combining the threat handler 210 and network device controller 230.

[0036] FIG. 3 is a flowchart of an example method 300 for handling network threats. The method 300 may be performed by a computing device, such as a computing device described in FIG. 1. Other computing devices may also be used to execute method 300. Method 300 may be implemented in the form of executable instructions stored on a machine-readable storage medium, such as the storage medium 120, and/or in the form of electronic circuitry.

[0037] Threat data associated with a particular client device included in a plurality of client devices is received from a threat detector (302). The threat detector may be, for example, an intermediary network device, an analytics device, a client device, or a user. The threat data may specify a type of threat, network anomaly information, and or symptoms of one or more devices operating on a network with a threat handler.

[0038] Based on the threat data, a particular analytics operation is identified for assisting with remediation of a threat associated with the threat data (304). In some implementations, a responsive playbook is identified from a set of predefined p!aybooks, each predefined playbook including instructions for handling threat data. The responsive playbook, e.g., identified based on the threat data matching a threat associated with the playbook, may specify which particular analytics operation(s) are to be performed.

[0039] Based on the threat data, additional data for performing the particular analytics operation is identified (308). The additional data is a type of data not being collected, by the plurality of network devices, at the time of receipt of the threat data. For example, the responsive playbook may specify additional data, not currently being collected by SDN devices, that may be used by an analytics device to determine more information about the threat indicated by the threat data.

[0040] At least one of a set of SDN devices is reconfigured, the reconfiguration causing each reconfigured device to I) collect the additional data, and ii) provide the additional data to an analytics device (308). For example, reconfiguration instructions may be issued to a SDN switch to reconfigure the switch to send certain types of network packets from a particular client device to an analytics device.

[0041 ] Particular analytics results resulting from the particular analytics operation are received from the analytics device (310). For example, the analytics device may, upon receipt of the additional data, perform the particular analytics operation and send the results to the threat handier. [0042] In some implementations that make use of playbooks, a second piaybook may be identified from the predefined set of playbooks, the second piaybook being different from the original responsive piaybook. One or more of the SDN devices may be reconfigured again to collect secondary data specified by the second piaybook. A second analytics operation may be performed, and second analytics results may be received. The additional analytics and data gathering may allow a threat handier to iteratively manage a network to obtain information about multiple threats. The information gathered by the threat handler may, in some implementations, be used to remediate threats identified using the data collection and analytics methods described above, in situations where remediation is to be performed, a remediation device may be provided with instructions to remediate the threat based on analytics results. As described above, a variety of threats and remedial actions may be handled by the network threat handling device.

[0043] The foregoing disclosure describes a number of example implementations for handling network threats. As detailed above, examples provide a mechanism for initiating data collection and analytics based on information about potential threats, e.g., using predefined playbooks, and potential applications of a system that is capable of handling threats in this manner.