Techniques for sharing network security event information

US 10,412,103 B2
Filed: 06/12/2017
Issued: 09/10/2019
Est. Priority Date: 02/01/2012
Status: Active Grant

First Claim

Patent Images

1. A tangible, non-transitory, machine-readable medium, comprising machine-readable instructions that when executed by at least one processor, cause the at least one processor to:

receive a possible threat notification from a network of a first client;

translate the possible threat notification from a particular format of a software product into a normalized data format, resulting in a normalized threat notification;

store the normalized threat notification as a possible threat encountered by the first client that is a portion of stored normalized threat notifications of other clients;

identify a set of permissions ascribed to the first client, the set of permissions pertaining to access rights to the stored normalized threat notifications of other clients, by receiving a permission indication, indicating that possible threats encountered by the other clients may be shared with the first client;

after receiving the permission indication, for a subset of the stored normalized threat notifications for the other clients that the first client has permission to access, determine a second subset of data that correlates with the possible threat notification, by querying the subset of the stored normalized threat notifications to determine the second subset of data that correlates with the normalized threat notification; and

upon finding a correlation between the normalized threat notification from the network of the first client and the subset of the stored normalized threat notifications by the other clients, provide an indication of a subset of the possible threats encountered by the other clients to the first client, the other clients, or a combination thereof, based upon the second subset of data, the indication comprising a subsequent notification, other remedial action, or both.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure provides an architecture for sharing information between network security administrators. Events converted to a normalized data format (CCF) are stored in a manner that can be queried by a third party (e.g., an administrator of another, trusted network). Optionally made available as a service, stored event records can be sanitized for third party queries (e.g., by clients of a service maintaining such a repository). In one embodiment, each contributing network encrypts or signs its (sanitized) records using a symmetric key architecture, the key being unique to the contributing network. This key is used (e.g., by the repository) to index a set of permissions or conditions of the contributing network in servicing any query, e.g., by matching a stored hash of the event record or by decrypting the record. The information sharing service can optionally be provided by a hosted information security service or on a peer-to-peer basis.

51 Citations

View as Search Results

16 Claims

1. A tangible, non-transitory, machine-readable medium, comprising machine-readable instructions that when executed by at least one processor, cause the at least one processor to:
- receive a possible threat notification from a network of a first client;
  
  translate the possible threat notification from a particular format of a software product into a normalized data format, resulting in a normalized threat notification;
  
  store the normalized threat notification as a possible threat encountered by the first client that is a portion of stored normalized threat notifications of other clients;
  
  identify a set of permissions ascribed to the first client, the set of permissions pertaining to access rights to the stored normalized threat notifications of other clients, by receiving a permission indication, indicating that possible threats encountered by the other clients may be shared with the first client;
  
  after receiving the permission indication, for a subset of the stored normalized threat notifications for the other clients that the first client has permission to access, determine a second subset of data that correlates with the possible threat notification, by querying the subset of the stored normalized threat notifications to determine the second subset of data that correlates with the normalized threat notification; and
  
  upon finding a correlation between the normalized threat notification from the network of the first client and the subset of the stored normalized threat notifications by the other clients, provide an indication of a subset of the possible threats encountered by the other clients to the first client, the other clients, or a combination thereof, based upon the second subset of data, the indication comprising a subsequent notification, other remedial action, or both.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The tangible, non-transitory, machine-readable medium of claim 1, comprising machine-readable instructions to:
    - receive the set of permissions ascribed to the first client along with the permission indication of the possible threats encountered by a second client from the second client.
  - 3. The tangible, non-transitory, machine-readable medium of claim 2, comprising machine-readable instructions to:
    - store the possible threats encountered by the second client as a portion of the stored normalized threat notifications of other clients.
  - 4. The tangible, non-transitory, machine-readable medium of claim 1, comprising machine-readable instructions to:
    - identify the set of permissions ascribed to the first client based upon a symmetric key architecture.
  - 5. The tangible, non-transitory, machine-readable medium of claim 1, comprising machine-readable instructions to:
    - provide the other remedial action, comprising;
      
      invoking a web cache application (WCA).
  - 6. The tangible, non-transitory, machine-readable medium of claim 1, comprising machine-readable instructions to:
    - provide the other remedial action, comprising;
      
      invoking a Vulnerability Assessment Tool (VAT).
  - 7. The tangible, non-transitory, machine-readable medium of claim 1, comprising machine-readable instructions to:
    - provide a secure web interface;
      
      receive an indication of additions, deletions, modifications, or any combination thereof to a policy defining notifications, remedial actions, or both to provide upon threat detection;
      
      modifying the policy based upon the indication; and
      
      provide a subsequent notification, other remedial action, or both based upon the policy.
  - 8. The tangible, non-transitory, machine-readable medium of claim 1, comprising machine-readable instructions to:
    - provide the other remedial actions, comprising triggering anti-virus protection, an intrusion detection service, firewall service, an intrusion prevention service, a Virtual-Private Network (VPN) forwarding structure, or any combination thereof.
  - 9. The tangible, non-transitory, machine-readable medium of claim 1, comprising machine-readable instructions to:
    - translate the possible threat notification from the network of the first client and possible threat data of other clients in the normalized data format, by conversion to a particularly formatted string of text.
  - 10. The tangible, non-transitory, machine-readable medium of claim 1, comprising machine-readable instructions to:
    - store the possible threat notification from the network of the first client and possible threat data of other clients in a relational database, the relational database comprising;
      
      a threat entity configured to hold normalized data representative of a possible threat.
  - 11. The tangible, non-transitory, machine-readable medium of claim 10, wherein the threat entity, comprises:
    - a customer identification field, configured to store an identification of a customer reporting the possible threat; and
      
      a threat level field, configured to store a threat level of the possible threat.
  - 12. The tangible, non-transitory, machine-readable medium of claim 11, wherein the relational database, comprises:
    - a site entity, configured to identify a site of the possible threat;
      
      a data center entity, configured to identify a data center of the possible threat;
      
      a service entity, configured to identify a service of the site;
      
      a machines entity, configured to identify a specific piece of hardware assigned to one or more virtual machines running the service; and
      
      a templates entity, configured to identify a single instance of the service running on the one or more virtual machines.

13. A computer, comprising:
- one or more processors, configured to;
  
  receive a possible threat notification from a network of a first client;
  
  translate the possible threat notification from a particular format of a software product into a normalized data format, resulting in a normalized threat notification;
  
  store the normalized threat notification as a possible threat encountered by the first client that is a portion of stored normalized threat notifications of other clients;
  
  identify a set of permissions ascribed to the first client, the set of permissions pertaining to access rights to the stored normalized threat notifications of other clients, by receiving a permission indication, indicating that possible threats encountered by the other clients may be shared with the first client;
  
  after receiving the permission indication, for a subset of the stored normalized threat notifications for the other clients that the first client has permission to access, determine a second subset of data that correlates with the possible threat notification, by querying the subset of the stored normalized threat notifications to determine the second subset of data that correlates with the normalized threat notification; and
  
  upon finding a correlation between the normalized threat notification from the network of the first client and the subset of the stored normalized threat notifications by the other clients, provide an indication of a subset of the possible threats encountered by the other clients to the first client, the other clients, or a combination thereof, based upon the second subset of data, the indication comprising a subsequent notification, other remedial action, or both.
- View Dependent Claims (14)
- - 14. The computer of claim 13, wherein the one or more processors are configured to:
    - receive the possible threat notification via an application programming interface of a particular software product, in the particular format of the software product.

15. A computer-implemented method, comprising:
- receive a possible threat notification from a network of a first client;
  
  translate the possible threat notification from a particular format of a software product into a normalized data format, resulting in a normalized threat notification;
  
  store the normalized threat notification as a possible threat encountered by the first client that is a portion of stored normalized threat notifications of other clients;
  
  identify a set of permissions ascribed to the first client, the set of permissions pertaining to access rights to the stored normalized threat notifications of other clients, by receiving a permission indication, indicating that possible threats encountered by the other clients may be shared with the first client;
  
  after receiving the permission indication, for a subset of the stored normalized threat notifications for the other clients that the first client has permission to access, determine a second subset of data that correlates with the possible threat notification, by querying the subset of the stored normalized threat notifications to determine the second subset of data that correlates with the normalized threat notification; and
  
  upon finding a correlation between the normalized threat notification from the network of the first client and the subset of the stored normalized threat notifications by the other clients, provide an indication of a subset of the possible threats encountered by the other clients to the first client, the other clients, or a combination thereof, based upon the second subset of data, the indication comprising a subsequent notification, other remedial action, or both.
- View Dependent Claims (16)
- - 16. The computer-implemented method of claim 15, comprising:
    - providing the other remedial actions, comprising triggering anti-virus protection, an intrusion a detection service, firewall service, an intrusion prevention service, a Virtual-Private Network (VPN) forwarding structure, or any combination thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
ServiceNow Incorporated
Inventors
Haugsnes, Andreas Seip
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Beheshti Shirazi, Sayed Aresh

Application Number

US15/620,596
Publication Number

US 20170279824A1
Time in Patent Office

820 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/24   Querying

G06F 16/24575   using context

G06F 16/951   Indexing; Web crawling tech...

G06F 21/552   involving long-term monitor...

H04L 63/104   Grouping of entities

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 67/10   in which an application is ...

Techniques for sharing network security event information

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

51 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Techniques for sharing network security event information

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others