Apparatus and methods thereof for inspecting events in a computerized environment respective of a unified index for granular access control

US 10,581,876 B2
Filed: 10/05/2016
Issued: 03/03/2020
Est. Priority Date: 08/04/2016
Status: Active Grant

First Claim

Patent Images

1. An apparatus for events inspection in a computerized network environment respective of a unified index, the apparatus comprising:

an interface to a data network;

a processor;

a non-transitory computer memory coupled to the processor, the memory contains therein instructions that are translatable by the processor to perform;

identifying at least one event that occurred in the data network;

determining whether the at least one event was previously handled by the apparatus by querying a database for identifiers stored in the database;

responsive to the at least one event having not been handled by the apparatus, generating an identifier respective of the at least one event;

storing the generated identifier in the database in association with the at least one event;

analyzing the at least one event to generate metadata associated therewith, wherein the metadata is generated based on at least one of;

a content of the at least one event, a header associated with the at least one event, or a metatag;

matching the metadata to a unified index stored in a database communicatively coupled to the apparatus via the interface to determine whether the at least one event matches a predefined policy, the unified index enabling unified classification of events occurring in the data network;

determining whether the at least one event is potentially a security incident respective of the match; and

performing an action required by the predefined policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus collects data from a data network for the purpose of detection and interception of security incidents therein. The apparatus identifies at least one event in the data network. The apparatus then inspects the event to identify its properties and metadata associated therewith. Based on the inspection, the apparatus identifies at least a type of the event, an operation and a resource associated with the event, and a device associated with the event. The metadata is the matched to a unified index stored in a database communicatively coupled to the apparatus via a network. Based on the match the apparatus determines whether the event is potentially a security incident. In case a determination of a potential security incident is made, the apparatus queries a set of set of policy rules to determine a type of action required respective of the metadata. The apparatus then performs the required action.

4 Citations

View as Search Results

20 Claims

1. An apparatus for events inspection in a computerized network environment respective of a unified index, the apparatus comprising:
- an interface to a data network;
  
  a processor;
  
  a non-transitory computer memory coupled to the processor, the memory contains therein instructions that are translatable by the processor to perform;
  
  identifying at least one event that occurred in the data network;
  
  determining whether the at least one event was previously handled by the apparatus by querying a database for identifiers stored in the database;
  
  responsive to the at least one event having not been handled by the apparatus, generating an identifier respective of the at least one event;
  
  storing the generated identifier in the database in association with the at least one event;
  
  analyzing the at least one event to generate metadata associated therewith, wherein the metadata is generated based on at least one of;
  
  a content of the at least one event, a header associated with the at least one event, or a metatag;
  
  matching the metadata to a unified index stored in a database communicatively coupled to the apparatus via the interface to determine whether the at least one event matches a predefined policy, the unified index enabling unified classification of events occurring in the data network;
  
  determining whether the at least one event is potentially a security incident respective of the match; and
  
  performing an action required by the predefined policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The apparatus of claim 1, wherein the non-transitory computer memory further contains therein instructions that are translatable by the processor to perform:
    - querying an interception policy administration to determine a type of interception required upon determination that the at least one event is potentially a security incident respective of the metadata.
  - 3. The apparatus of claim 2, wherein the type of interception is at least one of:
    - providing a notification, terminating the at least one event, storing the metadata associated with the at least one even in a data warehouse, a combination thereof, or a portion thereof.
  - 4. The apparatus of claim 1, wherein the predefined policy is stored in the database.
  - 5. The apparatus of claim 1, wherein the at least one event is at least one of:
    - a file download/upload, removal of a file, termination/execution of a process, view of a file, a communication request, or a combination thereof.
  - 6. The apparatus of claim 1, wherein the interface further enables interaction with one or more web sources communicatively coupled to the apparatus through the data network.
  - 7. The apparatus of claim 1, wherein identification of the at least one event is achieved at least in conjunction with at least an application programming interface (API) coupled to a web source communicatively coupled to the data network.
  - 8. The apparatus of claim 1,wherein the identifier comprises a numeric injective value representative of the at least one event.

9. A method for inspecting events in a computerized network environment respective of a unified index, the method comprising:
- identifying, by a proxy server computer, at least one event in a data network communicatively coupled to the proxy server computer;
  
  determining, by the proxy server computer, whether the at least one event was previously handled by the proxy server computer by querying a database for identifiers stored in the database;
  
  responsive to the at least one event having not been handled by the proxy server computer, generating, by the proxy server computer, an identifier respective of the at least one event;
  
  storing, by the proxy server computer, the generated identifier in the database in association with the at least one event;
  
  analyzing, by the proxy server computer, the at least one event to generate metadata associated therewith, wherein the metadata is generated based on at least one of;
  
  a content of the at least one event, a header associated with the at least one event, or a metatag;
  
  matching, by the proxy server computer, the metadata to a unified index stored in a database communicatively coupled to the proxy server computer to determine whether the at least one event matches a predefined policy, the unified index enabling unified classification of events occurring in the data network;
  
  determining, by the proxy server computer, whether the at least one event is potentially a security incident respective of the match; and
  
  performing, by the proxy server computer, an action required by the predefined policy.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, further comprising:
    - querying an interception policy administration to determine a type of interception required upon determination that the at least one event is potentially a security incident respective of the metadata.
  - 11. The method of claim 10, wherein the type of interception is at least one of:
    - providing a notification, terminating the at least one event, storing the metadata associated with the at least one even in a data warehouse, a combination thereof, or a portion thereof.
  - 12. The method of claim 9, wherein the predefined policy is stored in the database.
  - 13. The method of claim 9, wherein the at least one event is at least one of:
    - a file download/upload, removal of a file, termination/execution of a process, view of a file, a communication request, or a combination thereof.
  - 14. The method of claim 9, wherein the interface further enables interaction with one or more web sources communicatively coupled to the proxy server computer through the data network.
  - 15. The method of claim 9, wherein identification of the at least one event is achieved at least in conjunction with at least an application programming interface (API) coupled to a web source communicatively coupled to the data network.
  - 16. The method of claim 9,wherein the identifier is a numeric injective value representative of the at least one event.

17. A computer software product comprising a non-transitory computer-readable medium containing instructions that are translatable by a computer to perform:
- identifying at least one event that occurred in a data network;
  
  determining whether the at least one event was previously handled by the computer by querying a database for identifiers stored in the database;
  
  responsive to the at least one event having not been handled by the computer, generating an identifier respective of the at least one event;
  
  storing the generated identifier in the database in association with the at least one event;
  
  analyzing the at least one event to generate metadata associated therewith, wherein the metadata is generated based on at least one of;
  
  a content of the at least one event, a header associated with the at least one event, or a metatag;
  
  matching the metadata to a unified index stored in a database communicatively coupled to the computer to determine whether the at least one event matches a predefined policy, the unified index enabling unified classification of events occurring in the data network;
  
  determining whether the at least one event is potentially a security incident respective of the match; and
  
  performing an action required by the predefined policy.
- View Dependent Claims (18, 19, 20)
- - 18. The computer software product of claim 17, wherein the non-transitory computer memory further contains therein instructions that are translatable by the computer to perform:
    - querying an interception policy administration to determine a type of interception required upon determination that the at least one event is potentially a security incident respective of the metadata.
  - 19. The computer software product of claim 18, wherein the type of interception is at least one of:
    - providing a notification, terminating the at least one event, storing the metadata associated with the at least one even in a data warehouse, a combination thereof, or a portion thereof.
  - 20. The computer software product of claim 17, wherein the at least one event is at least one of:
    - a file download/upload, removal of a file, termination/execution of a process, view of a file, a communication request, or a combination thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Proofpoint Israel Ltd. (Proofpoint Incorporated)
Original Assignee
Proofpoint Israel Ltd. (Proofpoint Incorporated)
Inventors
Elgressy, Doron, Grindlinger, Yair, Gorin, Boris
Primary Examiner(s)
Alata, Ayoub

Application Number

US15/285,858
Publication Number

US 20180041525A1
Time in Patent Office

1,245 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/554   involving event detection a...

H04L 63/0281   Proxies

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Apparatus and methods thereof for inspecting events in a computerized environment respective of a unified index for granular access control

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

4 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and methods thereof for inspecting events in a computerized environment respective of a unified index for granular access control

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

4 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links