Space and time efficient threat detection

US 10,230,742 B2
Filed: 01/26/2016
Issued: 03/12/2019
Est. Priority Date: 01/30/2015
Status: Active Grant

First Claim

Patent Images

1. A method for performing threat detection, comprising:

receiving, at a server, event data from a client system, the event data including an obfuscated representation of entity identifiers associated with different events occurring on the client system and excluding the entity identifiers themselves;

in response to receiving the event data, determining, at the server, in real time, that the event data is associated with at least one cyber-threat; and

reporting, by the server, the presence of the at least one cyber-threat to the client system by generating, for display at the client system, a multi-panel display of threat data including at least a first panel, second panel, and third panel, each panel in the multi-panel display presenting the presence of the at least one threat indicator in at least one data dimension, said first panel displaying time of threats of the at least one threat indicator, said second panel displaying a type of threats of the at least one threat indicator, said third panel displaying a data dimension comprising a least one of a group of confidence of threats being valid, severity of threats, type of threatening action, destination ports, source ports, tags, and geography, of the at least one threat indicator.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security monitoring system operated by a downstream client continually collects event information indicating events that have occurred within the computing environment of the downstream client. The monitoring system, using software provided by a threat analytics system, aggregates the event information into a secure and space efficient data structure. The monitoring system transmits the data structures storing event information to the threat analytics system for further processing. The threat analytics system also receives threat indicators from intelligence feed data sources. The threat analytics system compares the event information received from each security monitoring system against the threat indicators collected from the intelligence feed data sources to identify red flag events. The threat analytics system processes the event information to synthesize all information related to the red flag event and reports the red flag event to the downstream client.

68 Citations

View as Search Results

20 Claims

1. A method for performing threat detection, comprising:
- receiving, at a server, event data from a client system, the event data including an obfuscated representation of entity identifiers associated with different events occurring on the client system and excluding the entity identifiers themselves;
  
  in response to receiving the event data, determining, at the server, in real time, that the event data is associated with at least one cyber-threat; and
  
  reporting, by the server, the presence of the at least one cyber-threat to the client system by generating, for display at the client system, a multi-panel display of threat data including at least a first panel, second panel, and third panel, each panel in the multi-panel display presenting the presence of the at least one threat indicator in at least one data dimension, said first panel displaying time of threats of the at least one threat indicator, said second panel displaying a type of threats of the at least one threat indicator, said third panel displaying a data dimension comprising a least one of a group of confidence of threats being valid, severity of threats, type of threatening action, destination ports, source ports, tags, and geography, of the at least one threat indicator.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein determining that the event data is associated with at least one cyber-threat comprises determining whether a domain name associated with the event data is affiliated with a malicious entity.
  - 3. The method of claim 1, wherein determining that the event data is associated with at least one cyber-threat comprises comparing the event data with one or more threat indicators to determine whether at least one threat indicator is present in the event data, each threat indicator associated with at least one potential cyber-threat.
  - 4. The method of claim 3, wherein the event data comprises an indexed hierarchy of events, a first level in the indexed hierarchy associated with a different time-based granularity relative to a second level in the indexed hierarchy.
  - 5. The method of claim 4, wherein comparing the event data with the one or more threat indicators comprises comparing the first level in the indexed hierarchy with the one or more threat indicators and proceeding to the second level only when a match exists between the first level and at least one of the one or more threat indicators.
  - 6. The method of claim 3, further comprising:
    - identifying an additional threat indicator not included in the one or more threat indicators;
      
      performing one or more real-time forensics operations on the event data to determine whether a cyber-threat associated with the additional threat indicator is present in the event data.
  - 7. The method of claim 1, further comprising receiving a user input to select a portion of the first panel in the multi-panel display, and presenting a more detailed view of the selected portion in the first panel.
  - 8. The method of claim 7, further comprising updating at least one of the second panel and the third panel based on the selected portion in the first panel.
  - 9. The method of claim 1, wherein at least one panel in the multi-panel display is manipulated using user touch on a display surface.
  - 10. The method of claim 1, further comprising receiving a textual search query specifying one or more parameters for filtering the threat data, and updating the multi-panel display to present the threat data filtered according to the one or more parameters.
  - 11. The method of claim 3, further comprising generating a second threat indicator from a first threat indicator based on data extracted from the first threat indicator, the second threat indicator included in the one or more threat indicators.
  - 12. The method of claim 1, further comprising receiving a plurality of threat data feeds from threat data sources that include at least one of the one or more threat indicators.
  - 13. The method of claim 12, further comprising computing a relevance index associated with each of the threat data feeds, the relevance index for a given threat data feed indicating how relevant threat indicators included in the threat data feed are to the client system.
  - 14. The method of claim 12, further comprising providing the plurality of threat data feeds to client system for purchase in a digital store.
  - 15. The method of claim 14, further comprising enabling the client system to compare how many threat indicators are common between two or more of the plurality of threat data feeds.
  - 16. The method of claim 3, further comprising:
    - processing a first threat indicator to generate an additional threat indicator based on one or more parameters of the first threat indicator; and
      
      determining that the additional threat indicator is present in the event data.

17. A non-transitory computer readable medium storing instructions that, when executed by a processor of a server, cause the processor to:
- receive event data from a client system, the event data including an obfuscated representation of entity identifiers associated with different events occurring on the client system and excluding the entity identifiers themselves;
  
  in response to receiving the event data, determine, in real time, that the event data is associated with at least one cyber-threat; and
  
  report the presence of the at least one cyber-threat to the client system by generating, for display at the client system, a multi-panel display of threat data including at least a first panel, second panel and third panel, each panel in the multi-panel display presenting the presence of the at least one threat indicator in at least one data dimension, said first panel displaying time of threats of the at least one threat indicator, said second panel displaying a type of threats of the at least one threat indicator, said third panel displaying a data dimension comprising a least one of a group of confidence of threats being valid, severity of threats, type of threatening action, destination ports, source ports, tags, and geography, of the at least one threat indicator.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer readable medium of claim 17, wherein determining that the event data is associated with at least one cyber-threat comprises comparing the event data with one or more threat indicators to determine whether at least one threat indicator is present in the event data, each threat indicator associated with at least one potential cyber-threat.
  - 19. The non-transitory computer readable medium of claim 18, wherein the event data comprises an indexed hierarchy of events, a first level in the indexed hierarchy associated with a different time-based granularity relative to a second level in the indexed hierarchy.
  - 20. The non-transitory computer readable medium of claim 19, wherein comparing the event data with the one or more threat indicators comprises comparing the first level in the indexed hierarchy with the one or more threat indicators and proceeding to the second level only when a match exists between the first level and at least one of the one or more threat indicators.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Anomali, Inc.
Original Assignee
Anomali, Inc.
Inventors
Huang, Wei, Zhou, Yizheng, Njemanze, Hugh
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Gundry, Stephen T

Application Number

US15/007,131
Publication Number

US 20160226895A1
Time in Patent Office

1,141 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/6254   by anonymising data, e.g. d...

G06N 20/00   Machine learning

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

Space and time efficient threat detection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

68 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Space and time efficient threat detection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links