Automated intelligence graph construction and countermeasure deployment

US 10,162,970 B2
Filed: 02/05/2018
Issued: 12/25/2018
Est. Priority Date: 02/25/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

obtaining, by one or more devices and via a computer network, computer-readable data that includes fundamental data and document data;

preparing, by the one or more devices, a plurality of nodes and a plurality of edges, between the plurality of nodes, by extracting information from the computer-readable data;

storing, by the one or more devices and in a memory, the plurality of nodes and the plurality of edges as a graph;

identifying, by the one or more devices, a subgraph, of the graph, that includes a match to a pattern of attack,identifying the subgraph comprising;

identifying the subgraph after a traversal of at least a portion of the graph is triggered due to data being added to the graph, andthe plurality of nodes including a node associated with common vulnerability and exposure information;

obtaining, by the one or more devices and based on identifying the subgraph, a countermeasure corresponding to the subgraph; and

performing, by the one or more devices and based on the countermeasure, one or more actions for one or more computers impacted by the attack.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for providing information security threat assessment and amelioration are disclosed. The techniques may include obtaining fundamental data, obtaining document data, preparing fundamental instance nodes from the fundamental data, preparing document nodes from the document data, preparing edges between at least some of the nodes, storing the nodes and the edges in a manner that reflects a graph structure, and causing to be displayed at least a portion of a graph defined by at least one node and at least one edge.

143 Citations

20 Claims

1. A method comprising:
- obtaining, by one or more devices and via a computer network, computer-readable data that includes fundamental data and document data;
  
  preparing, by the one or more devices, a plurality of nodes and a plurality of edges, between the plurality of nodes, by extracting information from the computer-readable data;
  
  storing, by the one or more devices and in a memory, the plurality of nodes and the plurality of edges as a graph;
  
  identifying, by the one or more devices, a subgraph, of the graph, that includes a match to a pattern of attack,identifying the subgraph comprising;
  
  identifying the subgraph after a traversal of at least a portion of the graph is triggered due to data being added to the graph, andthe plurality of nodes including a node associated with common vulnerability and exposure information;
  
  obtaining, by the one or more devices and based on identifying the subgraph, a countermeasure corresponding to the subgraph; and
  
  performing, by the one or more devices and based on the countermeasure, one or more actions for one or more computers impacted by the attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1,where the plurality of nodes further include one or more nodes that represent malicious activity,where the method further comprises:
    - traversing the graph starting from the one or more nodes that represent malicious activity, andwhere identifying the subgraph comprises;
      
      identifying the subgraph based on traversing the graph starting from the one or more nodes that represent malicious activity.
  - 3. The method of claim 1, further comprising:
    - inspecting time data associated with the subgraph,where performing the one or more actions based on the countermeasure comprises;
      
      performing the one or more actions based on the countermeasure and based on inspecting the time data.
  - 4. The method of claim 3, further comprising:
    - determining that the time data is within a fixed interval of a current time,where performing the one or more actions based on the countermeasure comprises;
      
      performing the one or more actions based on the countermeasure and based on determining that the time data is within the fixed interval of the current time.
  - 5. The method of claim 1, further comprising:
    - providing, for display, information identifying the countermeasure; and
      
      determining a selection of the countermeasure after providing the information identifying the countermeasure,where performing the one or more actions based on the countermeasure comprises;
      
      activating the countermeasure based on the selection of the countermeasure.
  - 6. The method of claim 1,where the node is a first node, andwhere the plurality of nodes further include:
    - a second node associated with one of;
      
      an internet protocol (IP) address,a domain name,a uniform resource locator,a file system path,a software vulnerability,an account handle,an email address,a malware family,an attack campaign,a network,a file, oran autonomous system number, anda third node that is a document node associated with an intelligence report.
  - 7. The method of claim 1, where the fundamental data includes a malware sample.

8. A system comprising:
- a memory; and
  
  one or more processors to;
  
  obtain, via a computer network, computer-readable data that includes fundamental data and document data;
  
  prepare a plurality of nodes and a plurality of edges, between the plurality of nodes, by extracting information from the computer-readable data;
  
  store the plurality of nodes and the plurality of edges as a graph;
  
  identify a subgraph, of the graph, that includes a match to a pattern of attack,when identifying the subgraph, the one or more processors are to;
  
  identify the subgraph after a traversal of at least a portion of the graph is triggered due to data being added to the graph;
  
  obtain, based on identifying the subgraph, a countermeasure corresponding to the subgraph; and
  
  perform, based on the countermeasure, one or more actions for one or more computers impacted by the attack.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The system of claim 8, where the plurality of nodes include one or more nodes that represents malicious activity.
  - 10. The system of claim 8,where the one or more processors are further to:
    - inspect time data associated with the subgraph; and
      
      determine that the time data is within a fixed interval of a current time, andwhere, when performing the one or more actions action based on the countermeasure, the one or more processors are to;
      
      perform the one or more actions based on the countermeasure and based on determining that the time data is within the fixed interval of the current time.
  - 11. The system of claim 8,where the one or more processors are further to:
    - provide, for display, information identifying the countermeasure; and
      
      determine a selection of the countermeasure after providing the information identifying the countermeasure, andwhere, when performing the one or more actions, the one or more processors are to;
      
      activate the countermeasure based on the selection of the countermeasure.
  - 12. The system of claim 8, where the plurality of nodes include:
    - a first node associated with common vulnerability and exposure information,a second node associated with one of;
      
      an internet protocol (IP) address,a domain name,a uniform resource locator,a file system path,a software vulnerability,a software,a name of a person,an account handle,an email address,a malware family,an attack campaign,an event,an organization,a network,a file,a country,a region, oran autonomous system number, anda third node that is a document node associated with one of;
      
      an intelligence report,a communication,an analysis, ora context.
  - 13. The system of claim 8, where the document data includes one or more of:
    - intelligence reports,communication documents,context documents, oranalysis documents.

14. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by at least one processor, cause the at least one processor to;
  
  obtain, via a computer network, computer-readable data that includes fundamental data and document data;
  
  prepare a plurality of nodes and a plurality of edges, between the plurality of nodes, by extracting information from the computer-readable data;
  
  store the plurality of nodes and the plurality of edges as a graph;
  
  identify, after a traversal of at least a portion of the graph is triggered due to data being added to the graph, a subgraph, of the graph, that includes a match to a pattern of attack;
  
  obtain, based on identifying the subgraph, a countermeasure corresponding to the subgraph; and
  
  perform, based on the countermeasure, one or more actions for one or more computers impacted by the attack.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The non-transitory computer-readable medium of claim 14, where the plurality of nodes include one or more nodes that represents malicious activity.
  - 16. The non-transitory computer-readable medium of claim 14,where the one or more instructions further cause the at least one processor to:
    - inspect time data associated with the subgraph; and
      
      determine that the time data is within a fixed interval of a current time, andwhere the one or more actions are performed further based on determining that the time data is within the fixed interval of the current time.
  - 17. The non-transitory computer-readable medium of claim 14,where the one or more instructions further cause the at least one processor to:
    - provide, for display, information identifying the countermeasure; and
      
      determine a selection of the countermeasure after providing the information identifying the countermeasure, andwhere the one or more actions are performed based on the selection of the countermeasure.
  - 18. The non-transitory computer-readable medium of claim 14, where the countermeasure is identified by accessing a first storage source that is different from a second storage source that stores templates that are used to identify the subgraph.
  - 19. The non-transitory computer-readable medium of claim 14, where the plurality of nodes include:
    - a first node associated with common vulnerability and exposure information,a second node associated with one of;
      
      an internet protocol (IP) address,a domain name,a uniform resource locator,a file system path,a software vulnerability,a software,a name of a person,an account handle,an email address,a malware family,an attack campaign,an event,an organization,a network,a file,a country,a region, oran autonomous system number, anda third node that is a document node associated with one of;
      
      an intelligence report,a communication,an analysis, ora context.
  - 20. The non-transitory computer-readable medium of claim 14, where the document data includes one or more of:
    - an author name,an email address,a uniform resource locator (URL),an interne protocol (IP) address,a domain name,a malicious software name,a vulnerability identifier, ora malware sample.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Solutions Limited (Accenture PLC)
Original Assignee
Accenture Global Solutions Limited (Accenture PLC)
Inventors
Olson, Ryan, Tonn, Trevor
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Gundry, Stephen T

Application Number

US15/888,600
Publication Number

US 20180211047A1
Time in Patent Office

323 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

Automated intelligence graph construction and countermeasure deployment

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

143 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Automated intelligence graph construction and countermeasure deployment

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

143 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links