System for identifying anomalies in an information system

US 10,339,309 B1
Filed: 06/09/2017
Issued: 07/02/2019
Est. Priority Date: 06/09/2017
Status: Active Grant

First Claim

Patent Images

1. A computerized system for identifying anomalies in a computerized information system, comprising:

a computer processor;

a memory;

a network communication device; and

an information security analysis module stored in the memory, executable by the processor, and configured for;

collecting information regarding a hierarchy of capabilities of the information system;

storing, in a graph database, a plurality of capability nodes, each capability node corresponding to a capability category of the hierarchy of capabilities;

collecting information regarding a hierarchy of resources of the information system;

storing, in the graph database, a plurality of resource nodes, each resource node corresponding to a resource category of the hierarchy of resources;

collecting information regarding a plurality of capability instances of the information system;

storing, in the graph database, a plurality of capability instance nodes, each capability instance node corresponding to a capability instance of the plurality of capability instances of the information system;

collecting information regarding a plurality of resource instances of the information system;

storing, in the graph database, a plurality of resource instance nodes, each resource instance node corresponding to a resource instance of the plurality of resource instances of the information system;

collecting information regarding relationships among the hierarchy of capabilities, the hierarchy of resources, the plurality of capability instances, and the plurality of resource instances;

defining, in the graph database, edges among the plurality of capability nodes, the plurality of resource nodes, the plurality of capability instance nodes, and the plurality of resource instance nodes, the edges corresponding to the relationships among the hierarchy of capabilities, the hierarchy of resources, the plurality of capability instances, and the plurality of resource instances;

collecting event and/or state data for the information system, wherein the event and/or state data includes parameters of an event and/or state;

comparing the parameters of the event and/or state to the graph database;

based on comparing the parameters of the event and/or state to the graph database, determining that the event and/or state is anomalous; and

in response to determining that the event and/or state is anomalous, taking an information security action.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for identifying anomalies in an information system is typically configured for: collecting information regarding a hierarchy of capabilities, a hierarchy of resources, capability instances, and resource instances of the information system; storing, in a graph database, nodes corresponding to the hierarchy of capabilities, hierarchy of resources, capability instances, and resource instances; collecting information regarding relationships among the hierarchy of capabilities, hierarchy of resources, capability instances, and resource instances; defining, in the graph database, edges corresponding to the relationships among the hierarchy of capabilities, hierarchy of resources, capability instances, and resource instances; collecting event and/or state data for the information system; comparing the event and/or state data to the graph database and determining that an event and/or state is anomalous; and, in response to determining that the event and/or state is anomalous, taking an information security action.

95 Citations

View as Search Results

20 Claims

1. A computerized system for identifying anomalies in a computerized information system, comprising:
- a computer processor;
  
  a memory;
  
  a network communication device; and
  
  an information security analysis module stored in the memory, executable by the processor, and configured for;
  
  collecting information regarding a hierarchy of capabilities of the information system;
  
  storing, in a graph database, a plurality of capability nodes, each capability node corresponding to a capability category of the hierarchy of capabilities;
  
  collecting information regarding a hierarchy of resources of the information system;
  
  storing, in the graph database, a plurality of resource nodes, each resource node corresponding to a resource category of the hierarchy of resources;
  
  collecting information regarding a plurality of capability instances of the information system;
  
  storing, in the graph database, a plurality of capability instance nodes, each capability instance node corresponding to a capability instance of the plurality of capability instances of the information system;
  
  collecting information regarding a plurality of resource instances of the information system;
  
  storing, in the graph database, a plurality of resource instance nodes, each resource instance node corresponding to a resource instance of the plurality of resource instances of the information system;
  
  collecting information regarding relationships among the hierarchy of capabilities, the hierarchy of resources, the plurality of capability instances, and the plurality of resource instances;
  
  defining, in the graph database, edges among the plurality of capability nodes, the plurality of resource nodes, the plurality of capability instance nodes, and the plurality of resource instance nodes, the edges corresponding to the relationships among the hierarchy of capabilities, the hierarchy of resources, the plurality of capability instances, and the plurality of resource instances;
  
  collecting event and/or state data for the information system, wherein the event and/or state data includes parameters of an event and/or state;
  
  comparing the parameters of the event and/or state to the graph database;
  
  based on comparing the parameters of the event and/or state to the graph database, determining that the event and/or state is anomalous; and
  
  in response to determining that the event and/or state is anomalous, taking an information security action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computerized system according to claim 1, wherein the information security analysis module is configured for:
    - collecting information regarding a current configuration of the information system;
      
      comparing the current configuration of the information system to the graph database;
      
      based on comparing the current configuration of the information system to the graph database, determining that an inconsistency exists between the current configuration of the information system and the graph database; and
      
      in response to determining that the inconsistency exists between the current configuration of the information system and the graph database, taking a second information security action.
  - 3. The computerized system according to claim 1, wherein the information security analysis module is configured for:
    - displaying, via a graphical user interface, a visual representation of at least a portion of the graph database.
  - 4. The computerized system according to claim 1, wherein storing, in the graph database, the plurality of capability nodes comprises defining edges among the capability nodes that correspond to relationships among different capability categories of the hierarchy of capabilities.
  - 5. The computerized system according to claim 1, wherein storing, in the graph database, the plurality of resource nodes comprises defining edges among the resource nodes that correspond to relationships among different resource categories of the hierarchy of resources.
  - 6. The computerized system according to claim 1, wherein the plurality of capability instances comprise a plurality of abstract capability instances and a plurality of concrete capability instances.
  - 7. The computerized system according to claim 1, wherein the plurality of resource instances comprise a plurality of abstract resource instances and a plurality of concrete resource instances.
  - 8. The computerized system according to claim 1, wherein taking the information security action comprises:
    - (i) disabling a resource instance of the information system, (ii) isolating a resource instance of the information system, (iii) blocking network traffic related to the event and/or state, (iv) quarantining or deleting a malicious file causing the event and/or state, or (v) increasing a level of authentication required to access a resource instance of the information system.
  - 9. The computerized system according to claim 1, wherein taking the information security action comprises:
    - (i) flagging the anomalous event and/or state for further investigation or analysis or (ii) transmitting an alert to a device of a user.
  - 10. The computerized system according to claim 1, wherein (i) collecting the event and/or state data for the information system, (ii) comparing the parameters of the event and/or state to the graph database, (iii) determining that the event and/or state is anomalous, and (iv) in response to determining that the event and/or state is anomalous, taking the information security action are performed in real-time or near real-time.

11. A computer program product for identifying anomalies in a computerized information system comprising a non-transitory computer-readable storage medium having computer-executable instructions for:
- collecting information regarding a hierarchy of capabilities of the information system;
  
  storing, in a graph database, a plurality of capability nodes, each capability node corresponding to a capability category of the hierarchy of capabilities;
  
  collecting information regarding a hierarchy of resources of the information system;
  
  storing, in the graph database, a plurality of resource nodes, each resource node corresponding to a resource category of the hierarchy of resources;
  
  collecting information regarding a plurality of capability instances of the information system;
  
  storing, in the graph database, a plurality of capability instance nodes, each capability instance node corresponding to a capability instance of the plurality of capability instances of the information system;
  
  collecting information regarding a plurality of resource instances of the information system;
  
  storing, in the graph database, a plurality of resource instance nodes, each resource instance node corresponding to a resource instance of the plurality of resource instances of the information system;
  
  collecting information regarding relationships among the hierarchy of capabilities, the hierarchy of resources, the plurality of capability instances, and the plurality of resource instances;
  
  defining, in the graph database, edges among the plurality of capability nodes, the plurality of resource nodes, the plurality of capability instance nodes, and the plurality of resource instance nodes, the edges corresponding to the relationships among the hierarchy of capabilities, the hierarchy of resources, the plurality of capability instances, and the plurality of resource instances;
  
  collecting event and/or state data for the information system, wherein the event and/or state data includes parameters of an event and/or state;
  
  comparing the parameters of the event and/or state to the graph database;
  
  based on comparing the parameters of the event and/or state to the graph database, determining that the event and/or state is anomalous; and
  
  in response to determining that the event and/or state is anomalous, taking an information security action.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The computer program product according to claim 11, wherein the non-transitory computer-readable storage medium has computer-executable instructions for:
    - collecting information regarding a current configuration of the information system;
      
      comparing the current configuration of the information system to the graph database;
      
      based on comparing the current configuration of the information system to the graph database, determining that an inconsistency exists between the current configuration of the information system and the graph database; and
      
      in response to determining that the inconsistency exists between the current configuration of the information system and the graph database, taking a second information security action.
  - 13. The computer program product according to claim 11, wherein the non-transitory computer-readable storage medium has computer-executable instructions for:
    - displaying, via a graphical user interface, a visual representation of at least a portion of the graph database.
  - 14. The computer program product according to claim 11, wherein storing, in the graph database, the plurality of capability nodes comprises defining edges among the capability nodes that correspond to relationships among different capability categories of the hierarchy of capabilities.
  - 15. The computer program product according to claim 11, wherein storing, in the graph database, the plurality of resource nodes comprises defining edges among the resource nodes that correspond to relationships among different resource categories of the hierarchy of resources.
  - 16. The computer program product according to claim 11, wherein the plurality of capability instances comprise a plurality of abstract capability instances and a plurality of concrete capability instances.
  - 17. The computer program product according to claim 11, wherein the plurality of resource instances comprise a plurality of abstract resource instances and a plurality of concrete resource instances.
  - 18. The computer program product according to claim 11, wherein taking the information security action comprises:
    - (i) disabling a resource instance of the information system, (ii) isolating a resource instance of the information system, (iii) blocking network traffic related to the event and/or state, (iv) quarantining or deleting a malicious file causing the event and/or state, or (v) increasing a level of authentication required to access a resource instance of the information system.
  - 19. The computer program product according to claim 11, wherein taking the information security action comprises:
    - (i) flagging the anomalous event and/or state for further investigation or analysis or (ii) transmitting an alert to a device of a user.

20. A method for identifying anomalies in a computerized information system, comprising:
- collecting, via a computer processor, information regarding a hierarchy of capabilities of the information system;
  
  storing, via a computer processor, in a graph database, a plurality of capability nodes, each capability node corresponding to a capability category of the hierarchy of capabilities;
  
  collecting, via a computer processor, information regarding a hierarchy of resources of the information system;
  
  storing, via a computer processor, in the graph database, a plurality of resource nodes, each resource node corresponding to a resource category of the hierarchy of resources;
  
  collecting, via a computer processor, information regarding a plurality of capability instances of the information system;
  
  storing, via a computer processor, in the graph database, a plurality of capability instance nodes, each capability instance node corresponding to a capability instance of the plurality of capability instances of the information system;
  
  collecting, via a computer processor, information regarding a plurality of resource instances of the information system;
  
  storing, via a computer processor, in the graph database, a plurality of resource instance nodes, each resource instance node corresponding to a resource instance of the plurality of resource instances of the information system;
  
  collecting, via a computer processor, information regarding relationships among the hierarchy of capabilities, the hierarchy of resources, the plurality of capability instances, and the plurality of resource instances;
  
  defining, via a computer processor, in the graph database, edges among the plurality of capability nodes, the plurality of resource nodes, the plurality of capability instance nodes, and the plurality of resource instance nodes, the edges corresponding to the relationships among the hierarchy of capabilities, the hierarchy of resources, the plurality of capability instances, and the plurality of resource instances;
  
  collecting, via a computer processor, event and/or state data for the information system, wherein the event and/or state data includes parameters of an event and/or state;
  
  comparing, via a computer processor, the parameters of the event and/or state to the graph database;
  
  based on comparing the parameters of the event and/or state to the graph database, determining, via a computer processor, that the event and/or state is anomalous; and
  
  in response to determining that the event and/or state is anomalous, taking, via a computer processor, an information security action.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Kling, John Howard, Brubaker, Mark Earl, Kuhlmeier, Ronald James, Diederich, Brian D., Sloane, Brandon Matthew, Bierner, Rachel Yun Kim, Quon, Cora Yan
Primary Examiner(s)
Gee, Jason K
Assistant Examiner(s)
Choy, Ka Shan

Application Number

US15/618,893
Time in Patent Office

753 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/285   Clustering or classification

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 21/554   involving event detection a...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2115   Third party

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

System for identifying anomalies in an information system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

95 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System for identifying anomalies in an information system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

95 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links