Techniques for sharing network security event information

US 10,032,020 B2
Filed: 07/17/2017
Issued: 07/24/2018
Est. Priority Date: 02/01/2012
Status: Active Grant

First Claim

Patent Images

1. A tangible, non-transitory, machine-readable medium, comprising machine-readable instructions that when executed by at least one processor, cause the at least one processor to:

access one or more processor-interpretable rules comprising one or more conditions to be satisfied prior to performing one or more computer-implemented actions, the one or more computer-implemented actions comprising an adjustment of when to receive a possible threat notification, an adjustment of data provided in the possible threat notification, the possible threat notification indicative of a computer network threat, an adjustment to a computer-implemented threat remediation action, or any combination thereof;

determine when the one or more conditions are satisfied;

perform the computer-implemented actions associated with a first network device when the one or more conditions are satisfied;

receive the possible threat notification from the first network device;

determine whether additional possible threat notifications corresponding to the possible threat notification are received from an alternative network device;

determine a set of common characteristics between the first network device and the alternative network device by accessing a first profile associated with the first network device and by filtering based upon the first profile, wherein when commonality between the first network device and the alternative network device has reached a first threshold, perform a first computer-implemented action of the one or more computer-implemented actions,and wherein when the commonality has reached a second threshold, perform a second computer-implemented action of the one or more computer-implemented actions different from the first computer-implemented action;

when additional possible threat notifications corresponding to the possible threat notification have been received from the alternative network device, generate and provide electronic data to the first network device to cause performance of the computer-implemented threat remediation action at the first network device; and

identify at least one third network device having the set of common characteristics and wherein the computer-implemented threat remediation action comprises providing a notification to the at least one third network device of possible threats indicated from network devices having the set of common characteristics.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure provides techniques for pooling and searching network security events reported by multiple sources. As information representing a security event is received from one source, it is searched against a central or distributed database representing events reported from multiple, diverse sources (e.g., different client networks). Either the search or correlated results can be filtered and/or routed according at least one characteristic associated with the networks, for example, to limit correlation to events reported by what are presumed to be similarly situated networks. The disclosed techniques facilitate faster identification of high-relevancy security event information, and thereby help facilitate faster threat identification and mitigation. Various techniques can be implemented as standalone software (e.g., for use by a private network) or for a central pooling and/or query service. This disclosure also provides different examples of actions that can be taken in response to search results.

Citations

13 Claims

1. A tangible, non-transitory, machine-readable medium, comprising machine-readable instructions that when executed by at least one processor, cause the at least one processor to:
- access one or more processor-interpretable rules comprising one or more conditions to be satisfied prior to performing one or more computer-implemented actions, the one or more computer-implemented actions comprising an adjustment of when to receive a possible threat notification, an adjustment of data provided in the possible threat notification, the possible threat notification indicative of a computer network threat, an adjustment to a computer-implemented threat remediation action, or any combination thereof;
  
  determine when the one or more conditions are satisfied;
  
  perform the computer-implemented actions associated with a first network device when the one or more conditions are satisfied;
  
  receive the possible threat notification from the first network device;
  
  determine whether additional possible threat notifications corresponding to the possible threat notification are received from an alternative network device;
  
  determine a set of common characteristics between the first network device and the alternative network device by accessing a first profile associated with the first network device and by filtering based upon the first profile, wherein when commonality between the first network device and the alternative network device has reached a first threshold, perform a first computer-implemented action of the one or more computer-implemented actions,and wherein when the commonality has reached a second threshold, perform a second computer-implemented action of the one or more computer-implemented actions different from the first computer-implemented action;
  
  when additional possible threat notifications corresponding to the possible threat notification have been received from the alternative network device, generate and provide electronic data to the first network device to cause performance of the computer-implemented threat remediation action at the first network device; and
  
  identify at least one third network device having the set of common characteristics and wherein the computer-implemented threat remediation action comprises providing a notification to the at least one third network device of possible threats indicated from network devices having the set of common characteristics.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The tangible, non-transitory, machine-readable medium of claim 1, wherein the computer-implemented threat remediation action comprises providing a notification to the first network device of an increased risk, based upon the additional possible threat notifications.
  - 3. The tangible, non-transitory, machine-readable medium of claim 1, wherein the first profile comprises an indication of:
    - a membership of the first network device within a group;
      
      a threat associated with a first network of the first network device;
      
      a pattern of events associated with the first network of the first network device;
      
      a specific network type of the first network;
      
      a specific network configuration of the first network;
      
      orany combination thereof.
  - 4. The tangible, non-transitory, machine-readable medium of claim 3, comprising machine-readable instructions to:
    - determine the set of common characteristics between the first network device and the alternative network device by;
      
      accessing a second profile associated with a second network device; and
      
      filtering based upon commonalities between the first profile and the second profile.
  - 5. The tangible, non-transitory, machine-readable medium of claim 4, wherein the first profile comprises an indication of:
    - a membership of the second network device within a group;
      
      a threat associated with a second network of the second network device;
      
      a pattern of events associated with the second network of the second network device;
      
      a specific network type of the second network;
      
      a specific network configuration of the second network;
      
      orany combination thereof.
  - 6. The tangible, non-transitory, machine-readable medium of claim 1,wherein the one or more computer-implemented actions comprises an adjustment to group membership trust levels.
  - 7. The tangible, non-transitory, machine-readable medium of claim 6, wherein:
    - the one or more computer-implemented actions comprise providing a notification the first network device; and
      
      the one or more conditions comprise an indication of when that first network device should receive the notification.
  - 8. The tangible, non-transitory, machine-readable medium of claim 6, wherein the one or more processor-interpretable rules comprise an indication of:
    - how event data should be reported;
      
      whether a client accepts automated threat response templates;
      
      how messages should be configured;
      
      whether third parties should be notified upon an event;
      
      whether outgoing or incoming information should be sanitized;
      
      orany combination thereof.

9. A system, comprising:
- one or more computer processors configured to execute a central aggregating service, by;
  
  accessing one or more processor-interpretable rules comprising one or more conditions to be satisfied prior to performing one or more computer-implemented actions, the one or more computer-implemented actions comprising an adjustment of when to receive a possible threat notification, the possible threat notification indicative of a computer network threat, an adjustment of data provided in the possible threat notification, an adjustment to a computer-implemented threat remediation action, or any combination thereof;
  
  determining when the one or more conditions are satisfied;
  
  performing the computer-implemented actions associated with a first network device when the one or more conditions are satisfied;
  
  receiving the possible threat notification from the first network device;
  
  determining whether additional possible threat notifications corresponding to the possible threat notification are received from an alternative network device;
  
  determining a set of common characteristics between the first network device and the alternative network device by accessing a first profile associated with the first network device and by filtering based upon the first profile;
  
  when commonality between the first network device and the alternative network device has reached a first threshold, performing a first computer-implemented action;
  
  when the commonality has reached a second threshold, performing a second computer-implemented action different from the first computer-implemented action;
  
  when additional possible threat notifications corresponding to the possible threat notification have been received from the alternative network device, generating and providing electronic data to the first network device to cause performance of the computer-implemented threat remediation action at the first network device; and
  
  identifying at least one third network device having the set of common characteristics and wherein the computer-implemented threat remediation action comprises providing a notification to the at least one third network device of possible threats indicated from network devices having the set of common characteristics.
- View Dependent Claims (10, 11, 12)
- - 10. The system of claim 9, comprising one or more distributed databases, configured to:
    - pool and store security events, the security events comprising the possible threat notification.
  - 11. The system of claim 9, comprising one or more distributed databases, configured to store a plurality of profiles for client devices coupled to the central aggregating service;
    - wherein the plurality of profiles comprise an indication of;
      
      a membership of a corresponding network device within a group;
      
      a threat associated with a corresponding network of the corresponding network device;
      
      a pattern of events associated with a corresponding network of the corresponding network device;
      
      a specific network type of the corresponding network;
      
      a specific network configuration of the corresponding network;
      
      orany combination thereof.
  - 12. The system of claim 11, wherein the computer-implemented threat remediation action comprises providing a notification to the first network device of an increased risk, based upon the additional possible threat notifications.

13. A computer-processor implemented method, comprising:
- accessing one or more processor-interpretable rules comprising one or more conditions to be satisfied prior to performing one or more computer-implemented actions, the one or more computer-implemented actions comprising an adjustment of when to receive a possible threat notification, the possible threat notification indicative of a computer network threat, an adjustment of data provided in the possible threat notification, an adjustment to a computer-implemented threat remediation action, or any combination thereof;
  
  determining when the one or more conditions are satisfied;
  
  performing the computer-implemented actions associated with a first network device when the one or more conditions are satisfied;
  
  receiving the possible threat notification from the first network device;
  
  determining whether additional possible threat notifications corresponding to the possible threat notification are received from an alternative network device;
  
  determining a set of common characteristics between the first network device and the alternative network device by accessing a first profile associated with the first network device and by filtering based upon the first profile;
  
  when commonality between the first network device and the alternative network device has reached a first threshold, performing a first computer-implemented action;
  
  when the commonality has reached a second threshold, performing a second computer-implemented action different from the first computer-implemented action;
  
  when additional possible threat notifications corresponding to the possible threat notification have been received from the alternative network device, generating and providing electronic data to the first network device to cause performance of the computer-implemented threat remediation action at the first network device; and
  
  identifying at least one third network device having the set of common characteristics and wherein the computer-implemented threat remediation action comprises providing a notification to the at least one third network device of possible threats indicated from network devices having the set of common characteristics.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
ServiceNow Incorporated
Inventors
Reybok, Richard, Haugsnes, Andreis Seip, Zettel, II, Kurt Joseph, Rhines, Jeffrey, Geddes, Henry, Osypov, Volodymyr, Lewis, Scott, Brady, Sean, Manning, Mark
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Shirazi, Sayed Beheshti

Application Number

US15/651,924
Publication Number

US 20170316203A1
Time in Patent Office

372 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/145 the attack involving the pr...

Techniques for sharing network security event information

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for sharing network security event information

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links