Optimizing security analyses in SaaS environments

US 10,367,837 B2
Filed: 01/25/2017
Issued: 07/30/2019
Est. Priority Date: 01/25/2017
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by one or more hardware processors, a set of observables from an interfacing entity, and one or more of;

a set of structured threat data and a set of unstructured threat data;

analyzing, by the one or more hardware processors, at least one of the set of observables, the set of structured threat data, and the set of unstructured threat data, wherein at least one of an observable of the set of observables, the set of structured threat data, and the set of unstructured threat data is analyzed using cognitive computing;

creating, by the one or more hardware processors, a subgraph, based, at least in part, on the analyzed at least one of the set of observables, the set of structured threat data, and the set of unstructured threat data, wherein the subgraph represents the set of observables, the set of structured threat data and the set of unstructured threat data,wherein the subgraph is continuously updated upon receiving updates from multiple interfacing entities,wherein the subgraph provides a solution for at least one of;

malicious software and a malicious connection to a Uniform Resource Locator (URL), an internet protocol (IP) address, a hash, or a computer file,wherein the subgraph further provides the solution on a user interface in an interactive format for a user, andwherein the solution comprises a link to a downloadable security patch and information detailing instructions to install the security patch;

transferring, by the one or more hardware processors, the subgraph through intelligent traversals to the interfacing entity;

displaying, by the one or more hardware processors, the subgraph on the user interface; and

responsive to the user interacting with the link, installing and initiating, by the one or more hardware processors, the security patch on the interfacing entity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention provide systems and methods for performing a security analysis on a set of observables by inferring malicious relationships. The method includes receiving a set of observables and structured and unstructured threat data. The method further includes analyzing the observables and the structured and unstructured threat data using cognitive computing, and creating and transferring a subgraph.

8 Citations

14 Claims

1. A method comprising:
- receiving, by one or more hardware processors, a set of observables from an interfacing entity, and one or more of;
  
  a set of structured threat data and a set of unstructured threat data;
  
  analyzing, by the one or more hardware processors, at least one of the set of observables, the set of structured threat data, and the set of unstructured threat data, wherein at least one of an observable of the set of observables, the set of structured threat data, and the set of unstructured threat data is analyzed using cognitive computing;
  
  creating, by the one or more hardware processors, a subgraph, based, at least in part, on the analyzed at least one of the set of observables, the set of structured threat data, and the set of unstructured threat data, wherein the subgraph represents the set of observables, the set of structured threat data and the set of unstructured threat data,wherein the subgraph is continuously updated upon receiving updates from multiple interfacing entities,wherein the subgraph provides a solution for at least one of;
  
  malicious software and a malicious connection to a Uniform Resource Locator (URL), an internet protocol (IP) address, a hash, or a computer file,wherein the subgraph further provides the solution on a user interface in an interactive format for a user, andwherein the solution comprises a link to a downloadable security patch and information detailing instructions to install the security patch;
  
  transferring, by the one or more hardware processors, the subgraph through intelligent traversals to the interfacing entity;
  
  displaying, by the one or more hardware processors, the subgraph on the user interface; and
  
  responsive to the user interacting with the link, installing and initiating, by the one or more hardware processors, the security patch on the interfacing entity.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - receiving, by the one or more hardware processors, an updated set of observables from the interfacing entity; and
      
      updating, by the one or more hardware processors, the subgraph, based, at least in part, on the updated set of observables.
  - 3. The method of claim 1, further comprising:
    - receiving, by the one or more hardware processors, one or more of an updated set of observables from another interfacing entity, an updated set of structured threat data, and an updated set of unstructured threat data;
      
      analyzing, by the one or more hardware processors, at least one of the updated set of observables from an interfacing entity, the updated set of structured threat data, and the updated set of unstructured threat data; and
      
      updating, by the one or more hardware processors, the subgraph, based, at least in part, on the analysis.
  - 4. The method of claim 1, further comprising:
    - removing, by the one or more hardware processors, one or more of a set of redundant data and a set of masked data.
  - 5. The method of claim 1, further comprising:
    - determining, by the one or more hardware processors, connections to the received set of observables, including one or more of;
      
      a uniform resource locator (URL), an internet protocol (IP) address, a domain, a subdomain, a hash, and a file; and
      
      creating, by the one or more hardware processors, a mapping structure based, at least in part, on the determined connections to the received set of observables.
  - 6. The method of claim 1, further comprising:
    - analyzing, by the one or more hardware processors, the set of observables, the set of structured threat data, and the set of unstructured threat data utilizing a server-less computing architecture.

7. A computer program product comprising:
- one or more computer non-transitory readable storage medium and program instructions stored on the non-transitory computer readable storage medium, the program instructions comprising;
  
  program instructions to receive a set of observables from an interfacing entity, and one or more of;
  
  a set of structured threat data and a set of unstructured threat data;
  
  program instructions to analyze at least one of the set of observables, the set of structured threat data, and the set of unstructured threat data, wherein at least one of an observable of the set of observables, the set of structured threat data, and the set of unstructured threat data is analyzed using cognitive computing;
  
  program instructions to create a subgraph, based, at least in part, on the analyzed at least one of the set of observables, the set of structured threat data, and the set of unstructured threat data, wherein the subgraph represents the set of observables, the set of structured threat data and the set of unstructured threat data,wherein the subgraph is continuously updated upon receiving updates from multiple interfacing entities,wherein the subgraph provides a solution for at least one of;
  
  malicious software and a malicious connection to a Uniform Resource Locator (URL), an internet protocol (IP) address, a hash, or a computer file,wherein the subgraph further provides the solution on a user interface in an interactive format for a user, andwherein the solution comprises a link to a downloadable security patch and information detailing instructions to install the security patch;
  
  program instructions to transfer the subgraph through intelligent traversals to the to the interfacing entity to the interfacing entity;
  
  program instructions to display the subgraph on the user interface; and
  
  program instructions to, responsive to the user interacting with the link, install and initiate the security patch on the interfacing entity.
- View Dependent Claims (8, 9, 10)
- - 8. The computer program product of claim 7, further comprising:
    - program instructions to receive one or more of an updated set of observables from another interfacing entity, an updated set of structured threat data, and an updated set of unstructured threat data;
      
      program instructions to analyze at least one of the updated set of observables from an interfacing entity, the updated set of structured threat data, and the updated set of unstructured threat data; and
      
      program instructions to update the subgraph, based, at least in part, on the analysis.
  - 9. The computer program product of claim 7, further comprising:
    - program instructions to determine connections to the received set of observables, including one or more of;
      
      a uniform resource locator (URL), an internet protocol (IP) address, a domain, a subdomain, a hash, and a file; and
      
      program instructions to create a mapping structure based, at least in part, on the determined connections to the received set of observables.
  - 10. The computer program product of claim 7, further comprising:
    - program instructions to analyze the set of observables, the set of structured threat data, and the set of unstructured threat data utilizing a server-less computing architecture.

11. A computer system comprising:
- one or more computer hardware processors;
  
  one or more computer readable storage media;
  
  program instructions stored on the one or more computer readable storage media for execution by at least one of the one or more hardware processors, the program instructions comprising;
  
  program instructions to receive a set of observables from an interfacing entity, and one or more of;
  
  a set of structured threat data and a set of unstructured threat data;
  
  program instructions to analyze at least one of the set of observables, the set of structured threat data, and the set of unstructured threat data, wherein at least one of an observable of the set of observables, the set of structured threat data, and the set of unstructured threat data is analyzed using cognitive computing;
  
  program instructions to create a subgraph, based, at least in part, on the analyzed at least one of the set of observables, the set of structured threat data, and the set of unstructured threat data, wherein the subgraph represents the set of observables, the set of structured threat data and the set of unstructured threat data,wherein the subgraph is continuously updated upon receiving updates from multiple interfacing entities,wherein the subgraph provides a solution for at least one of;
  
  malicious software and a malicious connection to a Uniform Resource Locator (URL), an internet protocol (IP) address, a hash, or a computer file,wherein the subgraph further provides the solution on a user interface in an interactive format for a user, andwherein the solution comprises a link to a downloadable security patch and information detailing instructions to install the security patch;
  
  program instructions to transfer the subgraph through intelligent traversals to the interfacing entity;
  
  program instructions to display the subgraph on the user interface; and
  
  program instructions to, responsive to the user interacting with the link, install and initiate the security patch on the interfacing entity.
- View Dependent Claims (12, 13, 14)
- - 12. The computer system of claim 11, further comprising:
    - program instructions to receive one or more of an updated set of observables from another interfacing entity, an updated set of structured threat data, and an updated set of unstructured threat data;
      
      program instructions to analyze at least one of the updated set of observables from an interfacing entity, the updated set of structured threat data, and the updated set of unstructured threat data; and
      
      program instructions to update the subgraph, based, at least in part, on the analysis.
  - 13. The computer system of claim 11, further comprising:
    - program instructions to determine connections to the received set of observables, including one or more of;
      
      a uniform resource locator (URL), an internet protocol (IP) address, a domain, a subdomain, a hash, and a file; and
      
      program instructions to create a mapping structure based, at least in part, on the determined connections to the received set of observables.
  - 14. The computer system of claim 11, further comprising:
    - program instructions to analyze the set of observables, the set of structured threat data, and the set of unstructured threat data utilizing a server-less computing architecture.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Kapadia, Kaushal K., Kirat, Dhilung H., Park, Youngja, Stoecklin, Marc P., Vajipayajula, Sulakshan
Primary Examiner(s)
Zoubair, Noura

Application Number

US15/414,809
Publication Number

US 20180212984A1
Time in Patent Office

916 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04L 63/1433 Vulnerability analysis

Optimizing security analyses in SaaS environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

8 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

Optimizing security analyses in SaaS environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others