Event correlation across heterogeneous operations

US 10,148,685 B2
Filed: 07/17/2017
Issued: 12/04/2018
Est. Priority Date: 04/09/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for determining a network security threat response, the method being executed by one or more processors and comprising:

receiving a data structure that represents communication events between computing devices of two or more network domains, including at least an originating computing device and a destination computing device, wherein the originating computing device and the destination computing device exist on different network domains;

analyzing the data structure and determining a plurality of threat scenarios, each threat scenario being based on a respective chain of communication events that is represented in the data structure and that indicates a potential attack, the chain of communication events including a sequence of communication events between the computing devices of the two or more network domains proceeding from the originating computing device to the destination computing device;

receiving, for the plurality of threat scenarios and from a threat intelligence data source, prior attack pattern data that is associated with prior computing device communications that occurred during one or more prior attacks; and

based on the prior attack pattern data, for at least one of the plurality of threat scenarios;

determining one or more courses of action for responding to the threat scenario; and

providing information associated with the one or more courses of action for responding to the threat scenario, the information being relevant to at least one of the computing devices of the two or more network domains.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining a network security threat response. A data structure that represents communication events between computing devices of two or more network domains is received. The data structure is analyzed and a threat scenario that is based on a chain of communication events that indicates a potential attack path is determined. The chain of communication events include a sequence of communication events between computing devices proceeding from an originating computing device to a destination computing device, wherein the originating computing device and the destination computing device exist on different network domains. Attack pattern data, for the threat scenario and from a threat intelligence data source, that is associated with communications between computing devices that occurred during one or more prior attacks is received. Based on the threat scenario and the attack pattern data, one or more courses of action for responding to the threat scenario is determined, and information associated with the one or more courses of action is provided.

21 Citations

View as Search Results

22 Claims

1. A computer-implemented method for determining a network security threat response, the method being executed by one or more processors and comprising:
- receiving a data structure that represents communication events between computing devices of two or more network domains, including at least an originating computing device and a destination computing device, wherein the originating computing device and the destination computing device exist on different network domains;
  
  analyzing the data structure and determining a plurality of threat scenarios, each threat scenario being based on a respective chain of communication events that is represented in the data structure and that indicates a potential attack, the chain of communication events including a sequence of communication events between the computing devices of the two or more network domains proceeding from the originating computing device to the destination computing device;
  
  receiving, for the plurality of threat scenarios and from a threat intelligence data source, prior attack pattern data that is associated with prior computing device communications that occurred during one or more prior attacks; and
  
  based on the prior attack pattern data, for at least one of the plurality of threat scenarios;
  
  determining one or more courses of action for responding to the threat scenario; and
  
  providing information associated with the one or more courses of action for responding to the threat scenario, the information being relevant to at least one of the computing devices of the two or more network domains.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the data structure is a directed graph maintained by a graph database.
  - 3. The method of claim 1, wherein the prior attack pattern data includes attack signatures and profiles associated with the one or more prior attacks.
  - 4. The method of claim 1, further comprising:
    - detecting that the potential attack is an actual attack that has occurred on a network that includes the two or more network domains;
      
      determining observed attack pattern data that is associated with communications between the computing devices of the two or more network domains that occurred during the actual attack; and
      
      providing the observed attack pattern data to the threat intelligence data source.
  - 5. The method of claim 4, wherein the actual attack is a successful attack.
  - 6. The method of claim 4, wherein the actual attack is an unsuccessful attack.
  - 7. The method of claim 1, further comprising:
    - determining, for each of the plurality of threat scenarios, an impact of the potential attack on operation of the two or more network domains; and
      
      ranking the plurality of threat scenarios based on system priorities, and providing information associated with the ranked plurality of threat scenarios.
  - 8. The method of claim 1, further comprising providing, for the at least one of the plurality of threat scenarios and for each of the two or more network domains, information associated with the one or more courses of action for responding to the threat scenario, the information being relevant to at least one of the computing devices of the respective network domain.
  - 9. The method of claim 1, further comprising determining a potential target device of the potential attack, wherein providing information associated with the one or more courses of action for responding to the threat scenario includes providing instructions for installing or updating one or more software applications on the potential target device.
  - 10. The method of claim 1, further comprising determining a potential source device of the potential attack, wherein providing information associated with the one or more courses of action for responding to the threat scenario includes providing instructions for blocking communications that originate from the potential source device.

11. A system, comprising:
- one or more processors; and
  
  a computer-readable storage device coupled to the one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations for determining a network security threat response, the operations comprising;
  
  receiving a data structure that represents communication events between computing devices of two or more network domains, including at least an originating computing device and a destination computing device, wherein the originating computing device and the destination computing device exist on different network domains;
  
  analyzing the data structure and determining a plurality of threat scenarios, each threat scenario being based on a respective chain of communication events that is represented in the data structure and that indicates a potential attack, the chain of communication events including a sequence of communication events between the computing devices of the two or more network domains proceeding from the originating computing device to the destination computing device;
  
  receiving, for the plurality of threat scenarios and from a threat intelligence data source, prior attack pattern data that is associated with prior computing device communications that occurred during one or more prior attacks; and
  
  based on the prior attack pattern data, for each of the plurality of threat scenarios;
  
  determining one or more courses of action for responding to the threat scenario;
  
  determining an impact of the potential attack on operation of the two or more network domains;
  
  ranking the threat scenario among the plurality of threat scenarios based on system priorities; and
  
  providing information associated with the one or more courses of action for responding to the threat scenario, the information being relevant to at least one of the computing devices of the two or more network domains.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The system of claim 11, further comprising providing, for each of the plurality of threat scenarios and for each of the two or more network domains, information associated with the one or more courses of action for responding to the threat scenario, the information being relevant to at least one of the computing devices of the respective network domain.
  - 13. The system of claim 11, further comprising determining a potential target device of the potential attack, wherein providing information associated with the one or more courses of action for responding to the threat scenario includes providing instructions for installing or updating one or more software applications on the potential target device.
  - 14. The system of claim 11, further comprising:
    - detecting that the potential attack is an attack that has occurred on a network that includes the two or more network domains;
      
      determining observed attack pattern data that is associated with communications between the computing devices of the two or more network domains that occurred during the actual attack; and
      
      providing the observed attack pattern data to the threat intelligence data source.
  - 15. The system of claim 14, wherein the actual attack is a successful attack.
  - 16. The system of claim 14, wherein the actual attack is an unsuccessful attack.
  - 17. The system of claim 11, wherein the data structure is a directed graph maintained by a graph database.
  - 18. The system of claim 11, wherein the prior attack pattern data includes attack signatures and profiles associated with the one or more prior attacks.

19. A non-transitory computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations for determining a network security threat response, the operations comprising:
- receiving a data structure that represents communication events between computing devices of two or more network domains, including at least an originating computing device and a destination computing device, wherein the originating computing device and the destination computing device exist on different network domains;
  
  analyzing the data structure and determining a plurality of threat scenarios, each threat scenario being based on a respective chain of communication events that is represented in the data structure and that indicates a potential attack, the chain of communication events including a sequence of communication events between the computing devices of the two or more network domains proceeding from the originating computing device to the destination computing device;
  
  receiving, for the plurality of threat scenarios and from a threat intelligence data source, prior attack pattern data that is associated with prior computing device communications that occurred during one or more prior attacks; and
  
  based on the prior attack pattern data, for at least one of the plurality of threat scenarios;
  
  determining one or more courses of action for responding to the threat scenario; and
  
  providing information associated with the one or more courses of action for responding to the threat scenario, the information being relevant to at least one of the computing devices of the two or more network domains.
- View Dependent Claims (20, 21, 22)
- - 20. The computer-readable storage medium of claim 19, further comprising:
    - determining, for the at least one of the plurality of threat scenarios, an impact of the potential attack on operation of the two or more network domains.
  - 21. The computer-readable storage medium of claim 19, further comprising providing, for the at least one of the plurality of threat scenarios and for each of the two or more network domains, information associated with the one or more courses of action for responding to the threat scenario, the information being relevant to at least one of the computing devices of the respective network domain.
  - 22. The computer-readable storage medium of claim 19, further comprising determining a potential target device of the potential attack, wherein providing information associated with the one or more courses of action for responding to the threat scenario includes providing instructions for installing or updating one or more software applications on the potential target device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Services Limited (Accenture PLC)
Original Assignee
Accenture Global Services Limited (Accenture PLC)
Inventors
Hassanzadeh, Amin, Modi, Shimon, Mulchandani, Shaan, Negm, Walid
Primary Examiner(s)
Shehni, Ghazal B

Application Number

US15/651,779
Publication Number

US 20170318050A1
Time in Patent Office

505 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 67/10   in which an application is ...

Event correlation across heterogeneous operations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

21 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Event correlation across heterogeneous operations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links