System for identifying anomalies in an information system
First Claim
1. A computerized system for identifying anomalies in a computerized information system, comprising:
a computer processor;
a memory;
a network communication device; and
an information security analysis module stored in the memory, executable by the processor, and configured for:
collecting information regarding a hierarchy of capabilities of the information system;
storing, in a graph database, a plurality of capability nodes, each capability node corresponding to a capability category of the hierarchy of capabilities;
collecting information regarding a hierarchy of resources of the information system;
storing, in the graph database, a plurality of resource nodes, each resource node corresponding to a resource category of the hierarchy of resources;
collecting information regarding a plurality of capability instances of the information system;
storing, in the graph database, a plurality of capability instance nodes, each capability instance node corresponding to a capability instance of the plurality of capability instances of the information system;
collecting information regarding a plurality of resource instances of the information system;
storing, in the graph database, a plurality of resource instance nodes, each resource instance node corresponding to a resource instance of the plurality of resource instances of the information system;
collecting information regarding relationships among the hierarchy of capabilities, the hierarchy of resources, the plurality of capability instances, and the plurality of resource instances;
defining, in the graph database, edges among the plurality of capability nodes, the plurality of resource nodes, the plurality of capability instance nodes, and the plurality of resource instance nodes, the edges corresponding to the relationships among the hierarchy of capabilities, the hierarchy of resources, the plurality of capability instances, and the plurality of resource instances;
collecting event and/or state data for the information system, wherein the event and/or state data includes parameters of an event and/or state;
comparing the parameters of the event and/or state to the graph database;
based on comparing the parameters of the event and/or state to the graph database, determining that the event and/or state is anomalous; and
in response to determining that the event and/or state is anomalous, taking an information security action.
Abstract
A system for identifying anomalies in an information system is typically configured for: collecting information regarding a hierarchy of capabilities, a hierarchy of resources, capability instances, and resource instances of the information system; storing, in a graph database, nodes corresponding to the hierarchy of capabilities, hierarchy of resources, capability instances, and resource instances; collecting information regarding relationships among the hierarchy of capabilities, hierarchy of resources, capability instances, and resource instances; defining, in the graph database, edges corresponding to the relationships among the hierarchy of capabilities, hierarchy of resources, capability instances, and resource instances; collecting event and/or state data for the information system; comparing the event and/or state data to the graph database and determining that an event and/or state is anomalous; and, in response to determining that the event and/or state is anomalous, taking an information security action.
20 Claims
1. A computerized system for identifying anomalies in a computerized information system (independent claim; reproduced in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A computer program product for identifying anomalies in a computerized information system comprising a non-transitory computer-readable storage medium having computer-executable instructions for:
collecting information regarding a hierarchy of capabilities of the information system;
storing, in a graph database, a plurality of capability nodes, each capability node corresponding to a capability category of the hierarchy of capabilities;
collecting information regarding a hierarchy of resources of the information system;
storing, in the graph database, a plurality of resource nodes, each resource node corresponding to a resource category of the hierarchy of resources;
collecting information regarding a plurality of capability instances of the information system;
storing, in the graph database, a plurality of capability instance nodes, each capability instance node corresponding to a capability instance of the plurality of capability instances of the information system;
collecting information regarding a plurality of resource instances of the information system;
storing, in the graph database, a plurality of resource instance nodes, each resource instance node corresponding to a resource instance of the plurality of resource instances of the information system;
collecting information regarding relationships among the hierarchy of capabilities, the hierarchy of resources, the plurality of capability instances, and the plurality of resource instances;
defining, in the graph database, edges among the plurality of capability nodes, the plurality of resource nodes, the plurality of capability instance nodes, and the plurality of resource instance nodes, the edges corresponding to the relationships among the hierarchy of capabilities, the hierarchy of resources, the plurality of capability instances, and the plurality of resource instances;
collecting event and/or state data for the information system, wherein the event and/or state data includes parameters of an event and/or state;
comparing the parameters of the event and/or state to the graph database;
based on comparing the parameters of the event and/or state to the graph database, determining that the event and/or state is anomalous; and
in response to determining that the event and/or state is anomalous, taking an information security action.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19.
20. A method for identifying anomalies in a computerized information system, comprising:
collecting, via a computer processor, information regarding a hierarchy of capabilities of the information system;
storing, via a computer processor, in a graph database, a plurality of capability nodes, each capability node corresponding to a capability category of the hierarchy of capabilities;
collecting, via a computer processor, information regarding a hierarchy of resources of the information system;
storing, via a computer processor, in the graph database, a plurality of resource nodes, each resource node corresponding to a resource category of the hierarchy of resources;
collecting, via a computer processor, information regarding a plurality of capability instances of the information system;
storing, via a computer processor, in the graph database, a plurality of capability instance nodes, each capability instance node corresponding to a capability instance of the plurality of capability instances of the information system;
collecting, via a computer processor, information regarding a plurality of resource instances of the information system;
storing, via a computer processor, in the graph database, a plurality of resource instance nodes, each resource instance node corresponding to a resource instance of the plurality of resource instances of the information system;
collecting, via a computer processor, information regarding relationships among the hierarchy of capabilities, the hierarchy of resources, the plurality of capability instances, and the plurality of resource instances;
defining, via a computer processor, in the graph database, edges among the plurality of capability nodes, the plurality of resource nodes, the plurality of capability instance nodes, and the plurality of resource instance nodes, the edges corresponding to the relationships among the hierarchy of capabilities, the hierarchy of resources, the plurality of capability instances, and the plurality of resource instances;
collecting, via a computer processor, event and/or state data for the information system, wherein the event and/or state data includes parameters of an event and/or state;
comparing, via a computer processor, the parameters of the event and/or state to the graph database;
based on comparing the parameters of the event and/or state to the graph database, determining, via a computer processor, that the event and/or state is anomalous; and
in response to determining that the event and/or state is anomalous, taking, via a computer processor, an information security action.
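As an added illustration of the claimed data model and compare-then-decide steps (example code written here, not from the patent), the following Python stands in for the graph database with an in-memory adjacency structure holding capability categories, resource categories, and their instances, and evaluates a constructed event against it. The edge labels (CHILD_OF, INSTANCE_OF, USES, MAY_ACCESS), the sample node names, and "alert" as the information security action are all assumptions.

```python
from collections import defaultdict

class SecurityGraph:
    """Minimal stand-in for the claim's graph database (assumed labels, not the patent's)."""
    def __init__(self):
        self.nodes = {}                 # node name -> kind (category or instance)
        self.edges = defaultdict(set)   # (source, relationship label) -> {targets}

    def add_node(self, name, kind):
        self.nodes[name] = kind

    def add_edge(self, src, label, dst):
        assert src in self.nodes and dst in self.nodes, "edge endpoints must be stored nodes"
        self.edges[(src, label)].add(dst)

    def ancestors(self, name):
        """Follow CHILD_OF edges upward; returns the node plus every parent category."""
        seen, stack = [], [name]
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.append(n)
                stack.extend(self.edges[(n, "CHILD_OF")])
        return seen

    def is_anomalous(self, event):
        """Compare the event's parameters to the graph; (True, reason) means anomalous."""
        cap, res = event["capability_instance"], event["resource_instance"]
        if self.nodes.get(cap) != "capability_instance" or self.nodes.get(res) != "resource_instance":
            return True, "unknown capability or resource instance"
        if res in self.edges[(cap, "USES")]:          # explicit instance-level relationship
            return False, "direct instance relationship"
        # Otherwise look for a category-level relationship anywhere up both hierarchies.
        cap_cats = [c for k in self.edges[(cap, "INSTANCE_OF")] for c in self.ancestors(k)]
        res_cats = set(c for k in self.edges[(res, "INSTANCE_OF")] for c in self.ancestors(k))
        for c in cap_cats:
            if self.edges[(c, "MAY_ACCESS")] & res_cats:
                return False, "category relationship via " + c
        return True, "no relationship recorded in graph"

def security_action(graph, event):
    """Decide the information security action: alert on an anomalous event, else allow."""
    anomalous, reason = graph.is_anomalous(event)
    return {"action": "alert" if anomalous else "allow", "reason": reason}

def build_sample_graph():
    """Constructed sample: one capability hierarchy, one resource hierarchy, three instances."""
    g = SecurityGraph()
    for n, k in [("DataAccess", "capability_category"), ("DatabaseRead", "capability_category"),
                 ("DataStore", "resource_category"), ("CustomerDB", "resource_category"),
                 ("HRDB", "resource_category"), ("svc-billing-read", "capability_instance"),
                 ("cust-db-01", "resource_instance"), ("hr-db-01", "resource_instance")]:
        g.add_node(n, k)
    for src, label, dst in [("DatabaseRead", "CHILD_OF", "DataAccess"), ("CustomerDB", "CHILD_OF", "DataStore"),
                            ("HRDB", "CHILD_OF", "DataStore"), ("svc-billing-read", "INSTANCE_OF", "DatabaseRead"),
                            ("cust-db-01", "INSTANCE_OF", "CustomerDB"), ("hr-db-01", "INSTANCE_OF", "HRDB"),
                            ("DatabaseRead", "MAY_ACCESS", "CustomerDB")]:
        g.add_edge(src, label, dst)
    return g
```

A billing read against cust-db-01 is covered by the category-level MAY_ACCESS edge and is allowed; the same capability touching hr-db-01 has no recorded relationship and produces an alert.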