Location enrichment in enterprise threat detection

US 10,542,016 B2
Filed: 08/31/2016
Issued: 01/21/2020
Est. Priority Date: 08/31/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving subnet information and location information from a database into a smart data streaming engine (SDS) subnet-location cache, wherein a particular subnet of the subnet information is associated with a particular location of the location information by a globally unique location ID value, and wherein the information is stored in the subnet-location cache in the form of a dictionary table and a vector for fast data enrichment;

receiving log event data in the SDS;

normalizing the log event data in the SDS as normalized log event data;

enriching the normalized log event data with the subnet information and the location information as enriched log event data;

writing the enriched log event data into a log event persistence in the database; and

using a subnet ID value retrieved from an enriched log event of the enriched log event data by an enterprise threat detection (ETD) system to determine a location associated with the enriched log event using the location ID value associated with the subnet ID value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Subnet information and location information is received from a database by a smart data streaming engine (SDS). A particular subnet of the subnet information is associated with a particular location of the location information by a globally unique location ID value. Log event data received in the SDS is normalized as normalized log event data. The normalized log event data is enriched with subnet and location information as enriched log event data and written into a log event persistence in the database. A subnet ID value retrieved from an enriched log event of the enriched log event data is used by an enterprise threat detection (ETD) system to determine a location associated with the enriched log event using a location ID value associated with the subnet ID.

Citations

20 Claims

1. A computer-implemented method, comprising:
- receiving subnet information and location information from a database into a smart data streaming engine (SDS) subnet-location cache, wherein a particular subnet of the subnet information is associated with a particular location of the location information by a globally unique location ID value, and wherein the information is stored in the subnet-location cache in the form of a dictionary table and a vector for fast data enrichment;
  
  receiving log event data in the SDS;
  
  normalizing the log event data in the SDS as normalized log event data;
  
  enriching the normalized log event data with the subnet information and the location information as enriched log event data;
  
  writing the enriched log event data into a log event persistence in the database; and
  
  using a subnet ID value retrieved from an enriched log event of the enriched log event data by an enterprise threat detection (ETD) system to determine a location associated with the enriched log event using the location ID value associated with the subnet ID value.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein the subnet information and the location information is maintained in the database.
  - 3. The computer-implemented method of claim 2, wherein system information is maintained in the database, and wherein a particular system of the system information is associated with a particular location of the location information by a particular globally unique location ID value.
  - 4. The computer-implemented method of claim 1, comprising:
    - reading the subnet information and the location information from the database; and
      
      writing the subnet information and the location information into the subnet-location cache of the SDS.
  - 5. The computer-implemented method of claim 4, wherein the subnet information and the location information is read from the subnet-location persistence and written to the subnet-location cache using an SDS database in adapter coupling the database and the SDS.
  - 6. The computer-implemented method of claim 1, wherein the enriched log event data is written to the log event persistence using an SDS database out adapter coupling the SDS and the database.
  - 7. The computer-implemented method of claim 1, comprising enriching the normalized log event data with a determined subnet ID value.

8. A non-transitory, computer-readable medium storing one or more instructions executable by a computer system to perform operations comprising:
- receiving subnet information and location information from a database into a smart data streaming engine (SDS) subnet-location cache, wherein a particular subnet of the subnet information is associated with a particular location of the location information by a globally unique location ID value, and wherein the information is stored in the subnet-location cache in the form of a dictionary table and a vector for fast data enrichment;
  
  receiving log event data in the SDS;
  
  normalizing the log event data in the SDS as normalized log event data;
  
  enriching the normalized log event data with the subnet information and the location information as enriched log event data;
  
  writing the enriched log event data into a log event persistence in the database; and
  
  using a subnet ID value retrieved from an enriched log event of the enriched log event data by an enterprise threat detection (ETD) system to determine a location associated with the enriched log event using the location ID value associated with the subnet ID value.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory, computer-readable medium of claim 8, wherein the subnet information and the location information is maintained in the database.
  - 10. The non-transitory, computer-readable medium of claim 9, wherein system information is maintained in the database, and wherein a particular system of the system information is associated with a particular location of the location information by a particular globally unique location ID value.
  - 11. The non-transitory, computer-readable medium of claim 8, comprising one or more instructions to:
    - read the subnet information and the location information from the database; and
      
      write the subnet information and the location information into the subnet-location cache of the SDS.
  - 12. The non-transitory, computer-readable medium of claim 11, wherein the subnet information and the location information is read from the subnet-location persistence and written to the subnet-location cache using an SDS database in adapter coupling the database and the SDS.
  - 13. The non-transitory, computer-readable medium of claim 8, wherein the enriched log event data is written to the log event persistence using an SDS database out adapter coupling the SDS and the database.
  - 14. The non-transitory, computer-readable medium of claim 8, comprising one or more instructions to enrich the normalized log event data is enriched with a determined subnet ID value.

15. A computer-implemented system, comprising:
- a computer memory; and
  
  a hardware processor interoperably coupled with the computer memory and configured to perform operations comprising;
  
  receiving subnet information and location information from a database into a smart data streaming engine (SDS) subnet-location cache, wherein a particular subnet of the subnet information is associated with a particular location of the location information by a globally unique location ID value, and wherein the information is stored in the subnet-location cache in the form of a dictionary table and a vector for fast data enrichment;
  
  receiving log event data in the SDS;
  
  normalizing the log event data in the SDS as normalized log event data;
  
  enriching the normalized log event data with the subnet information and the location information as enriched log event data;
  
  writing the enriched log event data into a log event persistence in the database; and
  
  using a subnet ID value retrieved from an enriched log event of the enriched log event data by an enterprise threat detection (ETD) system to determine a location associated with the enriched log event using the location ID value associated with the subnet ID value.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-implemented system of claim 15, wherein the subnet information and the location information is maintained in the database.
  - 17. The computer-implemented system of claim 16, wherein system information is maintained in the database, and wherein a particular system of the system information is associated with a particular location of the location information by a particular globally unique location ID value.
  - 18. The computer-implemented system of claim 15, configured to:
    - read the subnet information and the location information from the database; and
      
      write the subnet information and the location information into the subnet-location cache of the SDS.
  - 19. The computer-implemented system of claim 18, wherein the subnet information and the location information is read from the subnet-location persistence and written to the subnet-location cache using an SDS database in adapter coupling the database and the SDS, and wherein the enriched log event data is written to the log event persistence using an SDS database out adapter coupling the SDS and the database.
  - 20. The computer-implemented system of claim 15, configured to enrich the normalized log event data is enriched with a determined subnet ID value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Rodeck, Marco, Mehta, Harish, Seifert, Hartwig, Kunz, Thomas, Pritzkau, Eugen, Peng, Wei-Guo, Luo, Lin, Merkel, Rita, Chrosziel, Florian, Hassforther, Jona, Menke, Thorsten
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Ahmed, Mahabub S

Application Number

US15/253,438
Publication Number

US 20180063167A1
Time in Patent Office

1,238 Days
Field of Search

726 23
US Class Current
CPC Class Codes

H04L 63/083   using passwords cryptograph...

H04L 63/108   when the policy decisions a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1483   service impersonation, e.g....

H04W 12/63   Location-dependent; Proximi...

Location enrichment in enterprise threat detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Location enrichment in enterprise threat detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links