Method and system for automated cybersecurity incident and artifact visualization and correlation for security operation centers and computer emergency response teams
First Claim
1. A method of correlating, visualizing and navigating cybersecurity information, comprising:
displaying a list of a plurality cybersecurity incidents on a display device of a computerized system;
receiving a first selection from a user of a first cybersecurity incident to be investigated from the displayed list of the plurality cybersecurity incidents;
correlating, through use of a correlation finder, one or more cybersecurity incident elements and one or more cybersecurity incidents of the plurality of cybersecurity incidents to the first cybersecurity incident by matching details of the one or more cybersecurity incident elements and the one or more cybersecurity incidents to the first cybersecurity incident, or, through use of an artifacts correlator, one or more artifacts of the plurality of cybersecurity incidents to the first cybersecurity incident by finding points of correlation between the one or more artifacts and the first cybersecurity incident;
displaying a hypertree on the display device of the computerized system, the displayed hypertree comprising a plurality of nodes linked by a plurality of edges, one of the plurality of nodes representing the first cybersecurity incident, one or more of the plurality of nodes representing the one or more cybersecurity incidents, and one or more of the plurality of nodes representing the one or more cybersecurity incident elements or the one or more artifacts of the plurality of cybersecurity incidents, the plurality of edges representing a specific relationship between the plurality of nodes linked by the plurality of edges, the specific relationship represented by the plurality of edges being the matching details of the one or more cybersecurity incident elements and the one or more cybersecurity incidents to the first cybersecurity incident, or the points of correlation between the one or more artifacts and the first cybersecurity incident;
receiving a second selection from the user of a first node of the plurality of nodes;
responsive to the second selection from the user of the first node, generating and displaying, through the computerized system, an interactive navigation aid to enable the user to navigate the hypertree, the interactive navigation aid being unique to the first node by displaying a table listing one or more nodes of the plurality of nodes linked to the first node by one or more edges of the plurality of edges, each of the one or more nodes of the plurality of nodes linked to the first node listed in the table displayed with at least one respective first user-selectable image for selectively eliminating a respective edge of the one or more edges of the plurality of edges without eliminating a respective node of the one or more nodes of the plurality of nodes linked to the first node in response to a first user selection of the at least one respective first user-selectable image and restoring the eliminated respective edge of the one or more edges of the plurality of edges in response to a second user selection of the at least one respective first user-selectable image and at least one respective second user-selectable image for selectively eliminating the respective node of the one or more nodes of the plurality of nodes linked to the first node and one or more edges of the plurality of edges linked to the respective node in response to a first user selection of the at least one respective second user-selectable image and restoring the eliminated respective node of the one or more nodes of the plurality of nodes linked to the first node and the one or more edges of the plurality of edges linked to the eliminated respective node in response to a second user selection of the at least one respective second user-selectable image, wherein the interactive navigation aid is displayed simultaneously with, and distinct from, the hypertree;
receiving at the computerized system a navigation command from the user through the interactive navigation aid comprising receiving a third selection from the user selecting either the at least one respective first user-selectable image or the at least one respective second user-selectable image displayed on the interactive navigation aid; and
simulating alternative correlations of the one or more cybersecurity incidents and the one or more cybersecurity incident elements, or the one or more artifacts of the plurality of cybersecurity incidents, to the first cybersecurity incident, by the computerized system, in response to the navigation command, wherein the simulating alternative correlations in response to the navigation command comprises;
modifying, by the computerized system, the displayed hypertree by selective elimination of the respective node of the one or more nodes of the plurality of nodes linked to the first node and the one or more edges of the plurality of edges linked to the respective node in response to the user selecting the at least one respective second user-selectable image displayed on the interactive navigation aid, or selective elimination of the respective edge of the one or more edges of the plurality of edges without eliminating the respective node of the one or more nodes of the plurality of nodes linked to the first node in response to the user selecting the at least one respective first user-selectable image; and
in response to modifying the displayed hypertree, receiving a fourth selection from the user of a displayed option to re-plot the hypertree; and
in response to the fourth selection, replotting, by the computerized system, the modified hypertree centered on the one of the plurality of nodes representing the first cybersecurity incident.
Abstract
A method and system is provided for visualizing and navigating cybersecurity information. A hypertree is displayed on a display device of a computerized system. The hypertree includes a plurality of nodes linked by edges, one or more of the nodes representing cybersecurity incidents, and one or more of the nodes representing elements or artifacts of cybersecurity incidents, the edges representing a specific relationship between the nodes linked by the edges. The computerized system displays an interactive navigation aid to enable a user to navigate the hypertree, and receives a navigation command from the user through the interactive navigation aid. The computerized system modifies the displayed hypertree in response to the navigation command. The navigation command comprises selective elimination or restoration of edges or nodes on the hypertree so as to enable the user to readily visualize interrelationships between the displayed nodes that are significant to a cybersecurity investigation or response.
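The eliminate/restore navigation the abstract describes can be modelled as a graph with reversible hide flags. The following is an added illustration, not code from the patent or its assignee: the incident IDs, artifact values and the `CorrelationGraph` class are constructed for the example, and the "replot" step only recomputes each node's distance from the focus incident rather than drawing a hyperbolic tree layout.

```python
from collections import deque

# Constructed sample data: incident -> artifacts observed in it.
# Addresses use documentation ranges; all values are placeholders.
INCIDENTS = {
    "INC-1": {"ip:198.51.100.7", "domain:login-portal.example", "sha256:<placeholder>"},
    "INC-2": {"ip:198.51.100.7", "email:billing@vendor.example"},
    "INC-3": {"domain:login-portal.example", "ip:203.0.113.9"},
    "INC-4": {"ip:203.0.113.9"},
    "INC-5": {"ip:192.0.2.44"},
}


class CorrelationGraph:
    """Incident/artifact graph whose nodes and edges can be hidden and restored."""

    def __init__(self, incidents):
        self.incidents = set(incidents)
        # An edge exists wherever an artifact was observed in an incident;
        # an artifact shared by two incidents is a point of correlation.
        self.edges = {(inc, art) for inc, arts in incidents.items() for art in arts}
        self.nodes = self.incidents | {art for _, art in self.edges}
        self.hidden_edges = set()
        self.hidden_nodes = set()

    def toggle_edge(self, incident, artifact):
        """First call eliminates the edge (both nodes stay), second call restores it."""
        if (incident, artifact) not in self.edges:
            raise KeyError((incident, artifact))
        self.hidden_edges ^= {(incident, artifact)}

    def toggle_node(self, node):
        """First call eliminates the node and every edge on it, second call restores them."""
        if node not in self.nodes:
            raise KeyError(node)
        self.hidden_nodes ^= {node}

    def _active_neighbors(self, node):
        for inc, art in self.edges:
            if (inc, art) in self.hidden_edges:
                continue
            if inc in self.hidden_nodes or art in self.hidden_nodes:
                continue
            if node == inc:
                yield art
            elif node == art:
                yield inc

    def replot(self, focus):
        """Breadth-first walk from the focus incident: node -> distance from focus."""
        if focus not in self.nodes or focus in self.hidden_nodes:
            raise ValueError(f"cannot centre on {focus!r}")
        depth = {focus: 0}
        queue = deque([focus])
        while queue:
            current = queue.popleft()
            for nxt in self._active_neighbors(current):
                if nxt not in depth:
                    depth[nxt] = depth[current] + 1
                    queue.append(nxt)
        return depth

    def related_incidents(self, focus):
        """Incidents still connected to the focus after the current eliminations."""
        layout = self.replot(focus)
        return sorted(n for n in layout if n in self.incidents and n != focus)


if __name__ == "__main__":
    g = CorrelationGraph(INCIDENTS)
    print("all correlations:      ", g.related_incidents("INC-1"))
    g.toggle_node("ip:198.51.100.7")  # e.g. analyst suspects a shared NAT address
    print("without the shared IP: ", g.related_incidents("INC-1"))
    g.toggle_node("ip:198.51.100.7")  # second selection restores node and edges
    print("restored:              ", g.related_incidents("INC-1"))
```

Hiding a node tests whether a correlation survives without one shared indicator, which is how an analyst would discount a noisy artifact such as a shared egress address without deleting the underlying record.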
14 Claims
13. An apparatus for correlating, visualizing, and navigating cybersecurity information, comprising:
a computerized processing system comprising a processor programmed to execute a correlation finder or an artifacts correlator; and
a visual display system;
wherein the processor of the computerized processing system is programmed to;
display a list of a plurality cybersecurity incidents on the visual display system;
receive a first selection from a user of a first cybersecurity incident to be investigated from the displayed list of the plurality cybersecurity incidents;
correlate, through use of the correlation finder, one or more cybersecurity incident elements and one or more cybersecurity incidents of the plurality of cybersecurity incidents to the first cybersecurity incident by matching details of the one or more cybersecurity incident elements and the one or more cybersecurity incidents to the first cybersecurity incident, or, through use of the artifacts correlator, one or more artifacts of the plurality of cybersecurity incidents to the first cybersecurity incident by finding points of correlation between the one or more artifacts and the first cybersecurity incident;
display on the visual display system a hypertree comprising a plurality of nodes linked by a plurality of edges, one of the plurality of nodes representing the first cybersecurity incident, one or more of the plurality of nodes representing the one or more cybersecurity incidents, and one or more of the plurality of nodes representing the one or more cybersecurity incident elements or the one or more artifacts of the plurality of cybersecurity incidents, the plurality of edges representing a specific relationship between the plurality of nodes linked by the plurality of edges, the specific relationship represented by the plurality of edges being the matching details of the one or more cybersecurity incident elements and the one or more cybersecurity incidents to the first cybersecurity incident, or the points of correlation between the one or more artifacts and the first cybersecurity incident;
receive a second selection from the user of a first node of the plurality of nodes;
responsive to the second selection from the user of the first node, generate and display on the visual display system an interactive navigation aid to enable the user to navigate the hypertree, the interactive navigation aid being unique to the first node by displaying a table listing one or more nodes of the plurality of nodes linked to the first node by one or more edges of the plurality of edges, each of the one or more nodes of the plurality of nodes linked to the first node listed in the table displayed with at least one respective first user-selectable image for selectively eliminating a respective edge of the one or more edges of the plurality of edges without eliminating a respective node of the one or more nodes of the plurality of nodes linked to the first node in response to a first user selection of the at least one respective first user-selectable image and restoring the eliminated respective edge of the one or more edges of the plurality of edges in response to a second user selection of the at least one respective first user-selectable image and at least one respective second user-selectable image for selectively eliminating the respective node of the one or more nodes of the plurality of nodes linked to the first node and one or more edges of the plurality of edges linked to the respective node in response to a first user selection of the at least one respective second user-selectable image and restoring the eliminated respective node of the one or more nodes of the plurality of nodes linked to the first node and the one or more edges of the plurality of edges linked to the eliminated respective node in response to a second user selection of the at least one respective second user-selectable image, wherein the interactive navigation aid is displayed simultaneously with, and distinct from, the hypertree;
receive a navigation command from the user through the interactive navigation aid comprising a third selection from the user selecting either the at least one respective first user-selectable image or the at least one respective second user-selectable image displayed on the interactive navigation aid; and
simulate alternative correlations of the one or more cybersecurity incidents and the one or more cybersecurity incident elements, or the one or more artifacts of the plurality of cybersecurity incidents, to the first cybersecurity incident, in response to the navigation command, comprising;
modifying the displayed hypertree by selective elimination of the respective node of the one or more nodes of the plurality of nodes linked to the first node and the one or more edges of the plurality of edges linked to the respective node in response to the user selecting the at least one respective second user-selectable image displayed on the interactive navigation aid, or selective elimination of the respective edge of the one or more edges of the plurality of edges without eliminating the respective node of the one or more nodes of the plurality of nodes linked to the first node in response to the user selecting the at least one respective first user-selectable image; and
in response to modifying the displayed hypertree, receive a fourth selection from the user of a displayed option to re-plot the hypertree; and
in response to the fourth selection, replot the modified hypertree centered on the one of the plurality of nodes representing the first cybersecurity incident.
14. A computer-readable, non-transitory, tangible medium comprising software that, when executed by a processor, causes the processor to perform a method of correlating, visualizing, and navigating cybersecurity information, comprising:
displaying a list of a plurality cybersecurity incidents on a display device of a computerized system;
receiving a first selection from a user of a first cybersecurity incident to be investigated from the displayed list of the plurality cybersecurity incidents;
correlating, through use of a correlation finder, one or more cybersecurity incident elements and one or more cybersecurity incidents of the plurality of cybersecurity incidents to the first cybersecurity incident by matching details of the one or more cybersecurity incident elements and the one or more cybersecurity incidents to the first cybersecurity incident, or, through use of an artifacts correlator, one or more artifacts of the plurality of cybersecurity incidents to the first cybersecurity incident by finding points of correlation between the one or more artifacts and the first cybersecurity incident;
displaying a hypertree on the display device of the computerized system, the displayed hypertree comprising a plurality of nodes linked by a plurality of edges, one of the plurality of nodes representing the first cybersecurity incident, one or more of the plurality of nodes representing the one or more cybersecurity incidents, and one or more of the plurality of nodes representing the one or more cybersecurity incident elements or the one or more artifacts of the plurality of cybersecurity incidents, the plurality of edges representing a specific relationship between the plurality of nodes linked by the plurality of edges, the specific relationship represented by the plurality of edges being the matching details of the one or more cybersecurity incident elements and the one or more cybersecurity incidents to the first cybersecurity incident, or the points of correlation between the one or more artifacts and the first cybersecurity incident;
receiving a second selection from the user of a first node of the plurality of nodes;
responsive to the second selection from the user of the first node, generating and displaying, through the computerized system, an interactive navigation aid to enable the user to navigate the hypertree, the interactive navigation aid being unique to the first node by displaying a table listing one or more nodes of the plurality of nodes linked to the first node by one or more edges of the plurality of edges, each of the one or more nodes of the plurality of nodes linked to the first node listed in the table displayed with at least one respective first user-selectable image for selectively eliminating a respective edge of the one or more edges of the plurality of edges without eliminating a respective node of the one or more nodes of the plurality of nodes linked to the first node in response to a first user selection of the at least one respective first user-selectable image and restoring the eliminated respective edge of the one or more edges of the plurality of edges in response to a second user selection of the at least one respective first user-selectable image and at least one respective second user-selectable image for selectively eliminating the respective node of the one or more nodes of the plurality of nodes linked to the first node and one or more edges of the plurality of edges linked to the respective node in response to a first user selection of the at least one respective second user-selectable image and restoring the eliminated respective node of the one or more nodes of the plurality of nodes linked to the first node and the one or more edges of the plurality of edges linked to the eliminated respective node in response to a second user selection of the at least one respective second user-selectable image, wherein the interactive navigation aid is displayed simultaneously with, and distinct from, the hypertree;
receiving at the computerized system a navigation command from the user through the interactive navigation aid comprising receiving a third selection from the user selecting either the at least one respective first user-selectable image or the at least one respective second user-selectable image displayed on the interactive navigation aid; and
simulating alternative correlations of the one or more cybersecurity incidents and the one or more cybersecurity incident elements, or the one or more artifacts of the plurality of cybersecurity incidents, to the first cybersecurity incident, by the computerized system, in response to the navigation command, wherein the simulating alternative correlations in response to the navigation command comprises;
modifying, by the computerized system, the displayed hypertree by selective elimination of the respective node of the one or more nodes of the plurality of nodes linked to the first node and the one or more edges of the plurality of edges linked to the respective node in response to the user selecting the at least one respective second user-selectable image displayed on the interactive navigation aid, or selective elimination of the respective edge of the one or more edges of the plurality of edges without eliminating the respective node of the one or more nodes of the plurality of nodes linked to the first node in response to the user selecting the at least one respective first user-selectable image; and
in response to modifying the displayed hypertree, receiving a fourth selection from the user of a displayed option to re-plot the hypertree; and
in response to the fourth selection, replotting, by the computerized system, the modified hypertree centered on the one of the plurality of nodes representing the first cybersecurity incident.
Specification