Method and system for automated cybersecurity incident and artifact visualization and correlation for security operation centers and computer emergency response teams

US 10,412,117 B2
Filed: 10/22/2014
Issued: 09/10/2019
Est. Priority Date: 08/05/2014
Status: Active Grant

First Claim

Patent Images

1. A method of correlating, visualizing and navigating cybersecurity information, comprising:

displaying a list of a plurality cybersecurity incidents on a display device of a computerized system;

receiving a first selection from a user of a first cybersecurity incident to be investigated from the displayed list of the plurality cybersecurity incidents;

correlating, through use of a correlation finder, one or more cybersecurity incident elements and one or more cybersecurity incidents of the plurality of cybersecurity incidents to the first cybersecurity incident by matching details of the one or more cybersecurity incident elements and the one or more cybersecurity incidents to the first cybersecurity incident, or, through use of an artifacts correlator, one or more artifacts of the plurality of cybersecurity incidents to the first cybersecurity incident by finding points of correlation between the one or more artifacts and the first cybersecurity incident;

displaying a hypertree on the display device of the computerized system, the displayed hypertree comprising a plurality of nodes linked by a plurality of edges, one of the plurality of nodes representing the first cybersecurity incident, one or more of the plurality of nodes representing the one or more cybersecurity incidents, and one or more of the plurality of nodes representing the one or more cybersecurity incident elements or the one or more artifacts of the plurality of cybersecurity incidents, the plurality of edges representing a specific relationship between the plurality of nodes linked by the plurality of edges, the specific relationship represented by the plurality of edges being the matching details of the one or more cybersecurity incident elements and the one or more cybersecurity incidents to the first cybersecurity incident, or the points of correlation between the one or more artifacts and the first cybersecurity incident;

receiving a second selection from the user of a first node of the plurality of nodes;

responsive to the second selection from the user of the first node, generating and displaying, through the computerized system, an interactive navigation aid to enable the user to navigate the hypertree, the interactive navigation aid being unique to the first node by displaying a table listing one or more nodes of the plurality of nodes linked to the first node by one or more edges of the plurality of edges, each of the one or more nodes of the plurality of nodes linked to the first node listed in the table displayed with at least one respective first user-selectable image for selectively eliminating a respective edge of the one or more edges of the plurality of edges without eliminating a respective node of the one or more nodes of the plurality of nodes linked to the first node in response to a first user selection of the at least one respective first user-selectable image and restoring the eliminated respective edge of the one or more edges of the plurality of edges in response to a second user selection of the at least one respective first user-selectable image and at least one respective second user-selectable image for selectively eliminating the respective node of the one or more nodes of the plurality of nodes linked to the first node and one or more edges of the plurality of edges linked to the respective node in response to a first user selection of the at least one respective second user-selectable image and restoring the eliminated respective node of the one or more nodes of the plurality of nodes linked to the first node and the one or more edges of the plurality of edges linked to the eliminated respective node in response to a second user selection of the at least one respective second user-selectable image, wherein the interactive navigation aid is displayed simultaneously with, and distinct from, the hypertree;

receiving at the computerized system a navigation command from the user through the interactive navigation aid comprising receiving a third selection from the user selecting either the at least one respective first user-selectable image or the at least one respective second user-selectable image displayed on the interactive navigation aid; and

simulating alternative correlations of the one or more cybersecurity incidents and the one or more cybersecurity incident elements, or the one or more artifacts of the plurality of cybersecurity incidents, to the first cybersecurity incident, by the computerized system, in response to the navigation command, wherein the simulating alternative correlations in response to the navigation command comprises;

modifying, by the computerized system, the displayed hypertree by selective elimination of the respective node of the one or more nodes of the plurality of nodes linked to the first node and the one or more edges of the plurality of edges linked to the respective node in response to the user selecting the at least one respective second user-selectable image displayed on the interactive navigation aid, or selective elimination of the respective edge of the one or more edges of the plurality of edges without eliminating the respective node of the one or more nodes of the plurality of nodes linked to the first node in response to the user selecting the at least one respective first user-selectable image; and

in response to modifying the displayed hypertree, receiving a fourth selection from the user of a displayed option to re-plot the hypertree; and

in response to the fourth selection, replotting, by the computerized system, the modified hypertree centered on the one of the plurality of nodes representing the first cybersecurity incident.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system is provided for visualizing and navigating cybersecurity information. A hypertree is displayed on a display device of a computerized system. The hypertree includes a plurality of nodes linked by edges, one or more of the nodes representing cybersecurity incidents, and one or more of the nodes representing elements or artifacts of cybersecurity incidents, the edges representing a specific relationship between the nodes linked by the edges. The computerized system displays an interactive navigation aid to enable a user to navigate the hypertree, and receives a navigation command from the user through the interactive navigation aid. The computerized system modifies the displayed hypertree in response to the navigation command. The navigation command comprises selective elimination or restoration of edges or nodes on the hypertree so as to enable the user to readily visualize interrelationships between the displayed nodes that are significant to a cybersecurity investigation or response.

27 Citations

View as Search Results

14 Claims

1. A method of correlating, visualizing and navigating cybersecurity information, comprising:
- displaying a list of a plurality cybersecurity incidents on a display device of a computerized system;
  
  receiving a first selection from a user of a first cybersecurity incident to be investigated from the displayed list of the plurality cybersecurity incidents;
  
  correlating, through use of a correlation finder, one or more cybersecurity incident elements and one or more cybersecurity incidents of the plurality of cybersecurity incidents to the first cybersecurity incident by matching details of the one or more cybersecurity incident elements and the one or more cybersecurity incidents to the first cybersecurity incident, or, through use of an artifacts correlator, one or more artifacts of the plurality of cybersecurity incidents to the first cybersecurity incident by finding points of correlation between the one or more artifacts and the first cybersecurity incident;
  
  displaying a hypertree on the display device of the computerized system, the displayed hypertree comprising a plurality of nodes linked by a plurality of edges, one of the plurality of nodes representing the first cybersecurity incident, one or more of the plurality of nodes representing the one or more cybersecurity incidents, and one or more of the plurality of nodes representing the one or more cybersecurity incident elements or the one or more artifacts of the plurality of cybersecurity incidents, the plurality of edges representing a specific relationship between the plurality of nodes linked by the plurality of edges, the specific relationship represented by the plurality of edges being the matching details of the one or more cybersecurity incident elements and the one or more cybersecurity incidents to the first cybersecurity incident, or the points of correlation between the one or more artifacts and the first cybersecurity incident;
  
  receiving a second selection from the user of a first node of the plurality of nodes;
  
  responsive to the second selection from the user of the first node, generating and displaying, through the computerized system, an interactive navigation aid to enable the user to navigate the hypertree, the interactive navigation aid being unique to the first node by displaying a table listing one or more nodes of the plurality of nodes linked to the first node by one or more edges of the plurality of edges, each of the one or more nodes of the plurality of nodes linked to the first node listed in the table displayed with at least one respective first user-selectable image for selectively eliminating a respective edge of the one or more edges of the plurality of edges without eliminating a respective node of the one or more nodes of the plurality of nodes linked to the first node in response to a first user selection of the at least one respective first user-selectable image and restoring the eliminated respective edge of the one or more edges of the plurality of edges in response to a second user selection of the at least one respective first user-selectable image and at least one respective second user-selectable image for selectively eliminating the respective node of the one or more nodes of the plurality of nodes linked to the first node and one or more edges of the plurality of edges linked to the respective node in response to a first user selection of the at least one respective second user-selectable image and restoring the eliminated respective node of the one or more nodes of the plurality of nodes linked to the first node and the one or more edges of the plurality of edges linked to the eliminated respective node in response to a second user selection of the at least one respective second user-selectable image, wherein the interactive navigation aid is displayed simultaneously with, and distinct from, the hypertree;
  
  receiving at the computerized system a navigation command from the user through the interactive navigation aid comprising receiving a third selection from the user selecting either the at least one respective first user-selectable image or the at least one respective second user-selectable image displayed on the interactive navigation aid; and
  
  simulating alternative correlations of the one or more cybersecurity incidents and the one or more cybersecurity incident elements, or the one or more artifacts of the plurality of cybersecurity incidents, to the first cybersecurity incident, by the computerized system, in response to the navigation command, wherein the simulating alternative correlations in response to the navigation command comprises;
  
  modifying, by the computerized system, the displayed hypertree by selective elimination of the respective node of the one or more nodes of the plurality of nodes linked to the first node and the one or more edges of the plurality of edges linked to the respective node in response to the user selecting the at least one respective second user-selectable image displayed on the interactive navigation aid, or selective elimination of the respective edge of the one or more edges of the plurality of edges without eliminating the respective node of the one or more nodes of the plurality of nodes linked to the first node in response to the user selecting the at least one respective first user-selectable image; and
  
  in response to modifying the displayed hypertree, receiving a fourth selection from the user of a displayed option to re-plot the hypertree; and
  
  in response to the fourth selection, replotting, by the computerized system, the modified hypertree centered on the one of the plurality of nodes representing the first cybersecurity incident.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 wherein the one or more of the plurality of nodes representing the one or more cybersecurity incident elements include evidence, hosts, forensic images, and e-discovery objects.
  - 3. The method of claim 1 wherein the computerized system enables the user to select an alikeness ratio defining a minimum alikeness that the one or more nodes of the plurality of nodes representing the one or more artifacts must have with respect to the one of the plurality of nodes representing the first cybersecurity incident in the hypertree, and the computerized system, in response to the user selecting the alikeness ratio, re-plots the hypertree to include the one or more nodes representing the one or more artifacts that exceed the alikeness ratio selected by the user.
  - 4. The method of claim 1 wherein the computerized system enables the user to navigate the hypertree by selecting a second node of the plurality of nodes of the hypertree as a selected node.
  - 5. The method of claim 4 wherein the interactive navigation aid includes a mechanism to enable the user to eliminate or restore the selected node in the displayed hypertree.
  - 6. The method of claim 4 wherein the computerized system modifies the displayed hypertree in response to the user selecting the second node of the plurality of nodes as the selected node, at least by re-centering the displayed hypertree around the selected node.
  - 7. The method of claim 1 wherein the interactive navigation aid includes a mechanism to enable the user to eliminate or restore all of the one or more edges of the plurality of edges linked to the first node in the displayed hypertree.
  - 8. The method of claim 1 wherein the hypertree displays the plurality of edges differentiated by color and the interactive navigation aid enables the user to selectively eliminate or restore the plurality edges by the color.
  - 9. The method of claim 1 wherein the interactive navigation aid includes a mechanism to enable the user to view details of any node of the one or more nodes of the plurality of nodes linked to the first node listed in the interactive navigation aid.
  - 10. The method of claim 1 wherein the computerized system enables the user to zoom onto a portion of the displayed hypertree.
  - 11. The method of claim 1 wherein the at least one respective second user-selectable image displayed on the interactive navigation aid is an icon representing the respective node of the plurality of nodes linked to the first node.
  - 12. The method of claim 1 wherein the at least one respective first user-selectable image displayed on the interactive navigation aid is a colorbox representing the respective edge of the one or more edges of the plurality of edges.

13. An apparatus for correlating, visualizing, and navigating cybersecurity information, comprising:
- a computerized processing system comprising a processor programmed to execute a correlation finder or an artifacts correlator; and
  
  a visual display system;
  
  wherein the processor of the computerized processing system is programmed to;
  
  display a list of a plurality cybersecurity incidents on the visual display system;
  
  receive a first selection from a user of a first cybersecurity incident to be investigated from the displayed list of the plurality cybersecurity incidents;
  
  correlate, through use of the correlation finder, one or more cybersecurity incident elements and one or more cybersecurity incidents of the plurality of cybersecurity incidents to the first cybersecurity incident by matching details of the one or more cybersecurity incident elements and the one or more cybersecurity incidents to the first cybersecurity incident, or, through use of the artifacts correlator, one or more artifacts of the plurality of cybersecurity incidents to the first cybersecurity incident by finding points of correlation between the one or more artifacts and the first cybersecurity incident;
  
  display on the visual display system a hypertree comprising a plurality of nodes linked by a plurality of edges, one of the plurality of nodes representing the first cybersecurity incident, one or more of the plurality of nodes representing the one or more cybersecurity incidents, and one or more of the plurality of nodes representing the one or more cybersecurity incident elements or the one or more artifacts of the plurality of cybersecurity incidents, the plurality of edges representing a specific relationship between the plurality of nodes linked by the plurality of edges, the specific relationship represented by the plurality of edges being the matching details of the one or more cybersecurity incident elements and the one or more cybersecurity incidents to the first cybersecurity incident, or the points of correlation between the one or more artifacts and the first cybersecurity incident;
  
  receive a second selection from the user of a first node of the plurality of nodes;
  
  responsive to the second selection from the user of the first node, generate and display on the visual display system an interactive navigation aid to enable the user to navigate the hypertree, the interactive navigation aid being unique to the first node by displaying a table listing one or more nodes of the plurality of nodes linked to the first node by one or more edges of the plurality of edges, each of the one or more nodes of the plurality of nodes linked to the first node listed in the table displayed with at least one respective first user-selectable image for selectively eliminating a respective edge of the one or more edges of the plurality of edges without eliminating a respective node of the one or more nodes of the plurality of nodes linked to the first node in response to a first user selection of the at least one respective first user-selectable image and restoring the eliminated respective edge of the one or more edges of the plurality of edges in response to a second user selection of the at least one respective first user-selectable image and at least one respective second user-selectable image for selectively eliminating the respective node of the one or more nodes of the plurality of nodes linked to the first node and one or more edges of the plurality of edges linked to the respective node in response to a first user selection of the at least one respective second user-selectable image and restoring the eliminated respective node of the one or more nodes of the plurality of nodes linked to the first node and the one or more edges of the plurality of edges linked to the eliminated respective node in response to a second user selection of the at least one respective second user-selectable image, wherein the interactive navigation aid is displayed simultaneously with, and distinct from, the hypertree;
  
  receive a navigation command from the user through the interactive navigation aid comprising a third selection from the user selecting either the at least one respective first user-selectable image or the at least one respective second user-selectable image displayed on the interactive navigation aid; and
  
  simulate alternative correlations of the one or more cybersecurity incidents and the one or more cybersecurity incident elements, or the one or more artifacts of the plurality of cybersecurity incidents, to the first cybersecurity incident, in response to the navigation command, comprising;
  
  modifying the displayed hypertree by selective elimination of the respective node of the one or more nodes of the plurality of nodes linked to the first node and the one or more edges of the plurality of edges linked to the respective node in response to the user selecting the at least one respective second user-selectable image displayed on the interactive navigation aid, or selective elimination of the respective edge of the one or more edges of the plurality of edges without eliminating the respective node of the one or more nodes of the plurality of nodes linked to the first node in response to the user selecting the at least one respective first user-selectable image; and
  
  in response to modifying the displayed hypertree, receive a fourth selection from the user of a displayed option to re-plot the hypertree; and
  
  in response to the fourth selection, replot the modified hypertree centered on the one of the plurality of nodes representing the first cybersecurity incident.

14. A computer-readable, non-transitory, tangible medium comprising software that, when executed by a processor, causes the processor to perform a method of correlating, visualizing, and navigating cybersecurity information, comprising:
- displaying a list of a plurality cybersecurity incidents on a display device of a computerized system;
  
  receiving a first selection from a user of a first cybersecurity incident to be investigated from the displayed list of the plurality cybersecurity incidents;
  
  correlating, through use of a correlation finder, one or more cybersecurity incident elements and one or more cybersecurity incidents of the plurality of cybersecurity incidents to the first cybersecurity incident by matching details of the one or more cybersecurity incident elements and the one or more cybersecurity incidents to the first cybersecurity incident, or, through use of an artifacts correlator, one or more artifacts of the plurality of cybersecurity incidents to the first cybersecurity incident by finding points of correlation between the one or more artifacts and the first cybersecurity incident;
  
  displaying a hypertree on the display device of the computerized system, the displayed hypertree comprising a plurality of nodes linked by a plurality of edges, one of the plurality of nodes representing the first cybersecurity incident, one or more of the plurality of nodes representing the one or more cybersecurity incidents, and one or more of the plurality of nodes representing the one or more cybersecurity incident elements or the one or more artifacts of the plurality of cybersecurity incidents, the plurality of edges representing a specific relationship between the plurality of nodes linked by the plurality of edges, the specific relationship represented by the plurality of edges being the matching details of the one or more cybersecurity incident elements and the one or more cybersecurity incidents to the first cybersecurity incident, or the points of correlation between the one or more artifacts and the first cybersecurity incident;
  
  receiving a second selection from the user of a first node of the plurality of nodes;
  
  responsive to the second selection from the user of the first node, generating and displaying, through the computerized system, an interactive navigation aid to enable the user to navigate the hypertree, the interactive navigation aid being unique to the first node by displaying a table listing one or more nodes of the plurality of nodes linked to the first node by one or more edges of the plurality of edges, each of the one or more nodes of the plurality of nodes linked to the first node listed in the table displayed with at least one respective first user-selectable image for selectively eliminating a respective edge of the one or more edges of the plurality of edges without eliminating a respective node of the one or more nodes of the plurality of nodes linked to the first node in response to a first user selection of the at least one respective first user-selectable image and restoring the eliminated respective edge of the one or more edges of the plurality of edges in response to a second user selection of the at least one respective first user-selectable image and at least one respective second user-selectable image for selectively eliminating the respective node of the one or more nodes of the plurality of nodes linked to the first node and one or more edges of the plurality of edges linked to the respective node in response to a first user selection of the at least one respective second user-selectable image and restoring the eliminated respective node of the one or more nodes of the plurality of nodes linked to the first node and the one or more edges of the plurality of edges linked to the eliminated respective node in response to a second user selection of the at least one respective second user-selectable image, wherein the interactive navigation aid is displayed simultaneously with, and distinct from, the hypertree;
  
  receiving at the computerized system a navigation command from the user through the interactive navigation aid comprising receiving a third selection from the user selecting either the at least one respective first user-selectable image or the at least one respective second user-selectable image displayed on the interactive navigation aid; and
  
  simulating alternative correlations of the one or more cybersecurity incidents and the one or more cybersecurity incident elements, or the one or more artifacts of the plurality of cybersecurity incidents, to the first cybersecurity incident, by the computerized system, in response to the navigation command, wherein the simulating alternative correlations in response to the navigation command comprises;
  
  modifying, by the computerized system, the displayed hypertree by selective elimination of the respective node of the one or more nodes of the plurality of nodes linked to the first node and the one or more edges of the plurality of edges linked to the respective node in response to the user selecting the at least one respective second user-selectable image displayed on the interactive navigation aid, or selective elimination of the respective edge of the one or more edges of the plurality of edges without eliminating the respective node of the one or more nodes of the plurality of nodes linked to the first node in response to the user selecting the at least one respective first user-selectable image; and
  
  in response to modifying the displayed hypertree, receiving a fourth selection from the user of a displayed option to re-plot the hypertree; and
  
  in response to the fourth selection, replotting, by the computerized system, the modified hypertree centered on the one of the plurality of nodes representing the first cybersecurity incident.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SUMO Logic Italy SPA
Original Assignee
DFLabs SpA
Inventors
Forte, Dario V., Zambelli, Michele
Primary Examiner(s)
Posigian, David S

Application Number

US14/521,328
Publication Number

US 20160044061A1
Time in Patent Office

1,784 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 16/9027   Trees

G06F 16/904   Browsing; Visualisation the...

G06F 16/9538   Presentation of query results

G06F 16/954   Navigation, e.g. using cate...

G06F 3/04817   using icons graphical or vi...

G06F 3/0482   Interaction with lists of s...

G06F 3/04842   Selection of displayed obje...

G06F 3/04847   Interaction techniques to c...

G06F 9/451   Execution arrangements for ...

H04L 41/065   involving logical or physic...

H04L 41/0654   using network fault recover...

H04L 41/12   Discovery or management of ...

H04L 41/22   comprising specially adapte...

H04L 63/20   for managing network securi...

Method and system for automated cybersecurity incident and artifact visualization and correlation for security operation centers and computer emergency response teams

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

27 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

Method and system for automated cybersecurity incident and artifact visualization and correlation for security operation centers and computer emergency response teams

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others