Space and time efficient threat detection
First Claim
1. A method for performing threat detection, comprising:
- receiving, at a server, event data from a client system, the event data including an obfuscated representation of entity identifiers associated with different events occurring on the client system and excluding the entity identifiers themselves;
in response to receiving the event data, determining, at the server, in real time, that the event data is associated with at least one cyber-threat; and
reporting, by the server, the presence of the at least one cyber-threat to the client system by generating, for display at the client system, a multi-panel display of threat data including at least a first panel, second panel, and third panel, each panel in the multi-panel display presenting the presence of the at least one threat indicator in at least one data dimension, said first panel displaying time of threats of the at least one threat indicator, said second panel displaying a type of threats of the at least one threat indicator, said third panel displaying a data dimension comprising at least one of a group of confidence of threats being valid, severity of threats, type of threatening action, destination ports, source ports, tags, and geography, of the at least one threat indicator.
2 Assignments
0 Petitions
Abstract
A security monitoring system operated by a downstream client continually collects event information indicating events that have occurred within the computing environment of the downstream client. The monitoring system, using software provided by a threat analytics system, aggregates the event information into a secure and space efficient data structure. The monitoring system transmits the data structures storing event information to the threat analytics system for further processing. The threat analytics system also receives threat indicators from intelligence feed data sources. The threat analytics system compares the event information received from each security monitoring system against the threat indicators collected from the intelligence feed data sources to identify red flag events. The threat analytics system processes the event information to synthesize all information related to the red flag event and reports the red flag event to the downstream client.
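The abstract and claim 1 describe the client sending only obfuscated entity identifiers, and the server joining them against threat-feed indicators to raise red-flag events that are then summarised by time, type and severity. The following added example (not code from the patent or its assignee) illustrates that flow; it assumes the obfuscation is an HMAC under a per-client secret shared with the server, which the page does not specify, and uses constructed sample events and indicators.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample data (not from the patent): a threat feed and a client's raw events.
THREAT_FEED = [
    {"indicator": "203.0.113.7", "type": "c2", "confidence": 0.9, "severity": "high"},
    {"indicator": "evil.example", "type": "phishing", "confidence": 0.6, "severity": "medium"},
]
CLIENT_EVENTS = [
    {"time": "2024-01-01T10:00:00Z", "entity": "203.0.113.7", "action": "outbound", "dst_port": 443},
    {"time": "2024-01-01T10:05:00Z", "entity": "198.51.100.4", "action": "outbound", "dst_port": 80},
    {"time": "2024-01-01T11:00:00Z", "entity": "evil.example", "action": "dns", "dst_port": 53},
]

def obfuscate(key: bytes, entity: str) -> str:
    # Keyed hash (assumed method): the server sees only this value, never the raw identifier.
    return hmac.new(key, entity.lower().encode(), hashlib.sha256).hexdigest()

def build_report(key: bytes, events: list) -> list:
    # Client side: strip the entity identifier and ship its obfuscated form instead.
    return [{**{k: v for k, v in e.items() if k != "entity"},
             "entity_h": obfuscate(key, e["entity"])} for e in events]

def detect(key: bytes, report: list, feed: list) -> list:
    # Server side: hash feed indicators under the same key and join on the obfuscated value.
    lookup = {obfuscate(key, ind["indicator"]): ind for ind in feed}
    return [{**ev, **{k: v for k, v in lookup[ev["entity_h"]].items() if k != "indicator"}}
            for ev in report if ev["entity_h"] in lookup]

def panels(red_flags: list) -> dict:
    # Three data dimensions of the claimed display: time (bucketed by hour), type, severity.
    out = {"time": defaultdict(int), "type": defaultdict(int), "severity": defaultdict(int)}
    for rf in red_flags:
        out["time"][rf["time"][:13]] += 1
        out["type"][rf["type"]] += 1
        out["severity"][rf["severity"]] += 1
    return {k: dict(v) for k, v in out.items()}

if __name__ == "__main__":
    key = b"per-client-secret"  # constructed; in practice provisioned per client
    flags = detect(key, build_report(key, CLIENT_EVENTS), THREAT_FEED)
    print(panels(flags))
```

Because the server holds the key, it can test any indicator it already knows against the report, but it cannot recover identifiers that match nothing in its feeds.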
68 Citations
20 Claims
Claim 1 is recited above under First Claim; claims 2 through 16 depend on it.
17. A non-transitory computer readable medium storing instructions that, when executed by a processor of a server, cause the processor to:
- receive event data from a client system, the event data including an obfuscated representation of entity identifiers associated with different events occurring on the client system and excluding the entity identifiers themselves;
in response to receiving the event data, determine, in real time, that the event data is associated with at least one cyber-threat; and
report the presence of the at least one cyber-threat to the client system by generating, for display at the client system, a multi-panel display of threat data including at least a first panel, second panel and third panel, each panel in the multi-panel display presenting the presence of the at least one threat indicator in at least one data dimension, said first panel displaying time of threats of the at least one threat indicator, said second panel displaying a type of threats of the at least one threat indicator, said third panel displaying a data dimension comprising at least one of a group of confidence of threats being valid, severity of threats, type of threatening action, destination ports, source ports, tags, and geography, of the at least one threat indicator.
Claims 18 through 20 depend on claim 17.
Specification