Non-rule based security risk detection

US 10,601,844 B2
Filed: 07/14/2017
Issued: 03/24/2020
Est. Priority Date: 07/14/2017
Status: Active Grant

First Claim

Patent Images

1. A non-rule based security detection method comprising:

communicatively coupling a sub-system to at least one computing device of a plurality of computing devices, wherein the sub-system includes a processor, memory, and security detection module, wherein each computing device of the plurality of servers is associated with at least one data source of a plurality of data sources;

identifying, by the security detection module, the plurality of data sources;

generating, by the security detection module, a baseline for each data source, wherein the baseline includes a plurality of data source outputs that are evaluated over a time period;

detecting, by the security detection module, a plurality of data source anomalies, in which each data source anomaly is associated with at least one data source output exceeding a threshold for the data source baseline;

identifying, by the security detection module, a geolocation for each data source anomaly;

generating, by the security detection module, a plurality of correlations with the plurality of data source anomalies and the geolocation for each data source anomaly; and

associating, by the security detection module, at least one correlation with a security event.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A non-rule based security detection system and method is described. The method includes identifying a plurality of data sources. The method then proceeds to generate a baseline for each data source. The baseline includes a plurality of data source outputs that are evaluated over a time period. A plurality of data source anomalies are detected, in which each data source anomaly is associated with at least one data source output exceeding a threshold for the data source baseline. A geolocation for each data source anomaly is then identified. A plurality of correlations between the plurality of data source anomalies and the geolocation for each data source anomaly are generated. At least one correlation is associated with a security event.

Citations

21 Claims

1. A non-rule based security detection method comprising:
- communicatively coupling a sub-system to at least one computing device of a plurality of computing devices, wherein the sub-system includes a processor, memory, and security detection module, wherein each computing device of the plurality of servers is associated with at least one data source of a plurality of data sources;
  
  identifying, by the security detection module, the plurality of data sources;
  
  generating, by the security detection module, a baseline for each data source, wherein the baseline includes a plurality of data source outputs that are evaluated over a time period;
  
  detecting, by the security detection module, a plurality of data source anomalies, in which each data source anomaly is associated with at least one data source output exceeding a threshold for the data source baseline;
  
  identifying, by the security detection module, a geolocation for each data source anomaly;
  
  generating, by the security detection module, a plurality of correlations with the plurality of data source anomalies and the geolocation for each data source anomaly; and
  
  associating, by the security detection module, at least one correlation with a security event.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The security detection method of claim 1 further comprising,receiving, by the sub-system, a trouble ticket, andassociating, by the security detection module, the trouble ticket with at least one security event.
  - 3. The security detection method of claim 1 further comprising,performing, by the security detection module, a flow analysis, in which a data source baseline is established for at least one data source, andgenerating, by the security detection module, an alert when there are changes to the data source baseline.
  - 4. The security detection method of claim 1 further comprising,performing, by the security detection module, a malware analysis, in which an alert is detected that identifies an executable file,identifying, by the security detection module, an IP address for each computing device of the plurality of computing devices attempting to launch the executable file,correlating, by the security detection module, a plurality of received emails with a computing device of the plurality of computing devices attempting to launch the executable file.
  - 5. The security detection method of claim 1 further comprising,performing, by the security detection module, a Virtual Private Network (VPN) analysis, in which a VPN connection baseline is established for the plurality of computing devices,identifying, by the security detection module, an IP address for each computing device of the plurality of computing devices,determining, by the security detection module, a geolocation for each IP address;
    - identifying, by the security detection module, a failed login attempt based on the geolocation of the computing device of the plurality of computing devices that attempted the failed login; and
      
      generating, by the security detection module, an alert when the failed login attempt based on the geolocation of the computing device of the plurality of computing devices is inconsistent with the VPN connecting baseline.
  - 6. The security detection method of claim 1 further comprising,performing, by the security detection module, an account validation, in which an anomalous account validation data flow is detected over the time period, andcorrelating, by the security detection module, at least one of an administrator login activity and a privileged user login activity with the anomalous account validation data flow.
  - 7. The security detection method of claim 1 further comprising,performing, by the security detection module, an email analysis, in which an email baseline is determined, andgenerating, by the security detection module, an email alert when an email address operates inconsistently with an email baseline.

8. A non-rule based security detection system comprising:
- a sub-system including a processor, a memory, and a security detection module, wherein the sub-system is communicatively coupled to at least one computing device of a plurality of computing devices, wherein the memory includes a database, wherein each computing device of the plurality of computing devices is associated with at least one data source of a plurality of data sources;
  
  the database receives data from the plurality of data sources;
  
  the security detection module generates a baseline for each data source, wherein the baseline includes a plurality of data source outputs that are evaluated over a time period;
  
  the security detection module detects a plurality of data source anomalies, in which each data source anomaly is associated with at least one data source output exceeding a threshold for the data source baseline;
  
  the security detection module identifying a geolocation for each data source anomaly;
  
  the security detection module generating a plurality of correlations with the plurality of data source anomalies and the geolocation for each data source anomaly; and
  
  the security detection module associating at least one correlation with a security event.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-rule based security detection system of claim 8 further comprising,the sub-system receiving a trouble ticket, andthe security detection module associating the trouble ticket with at least one security event.
  - 10. The non-rule based security detection system of claim 8 further comprising,the security detection module performing a flow analysis, in which a data source baseline is established for at least one data source, andthe security detection module generating an alert when there are changes to the data source baseline.
  - 11. The non-rule based security detection system of claim 8 further comprising,the security detection module performing a malware analysis, in which an alert is detected that identifies an executable file,the security detection module identifying an IP address for each computing device of the plurality of computing devices attempting to launch the executable file,the security detection module correlating a plurality of received emails with the computing device of the plurality of computing devices attempting to launch the executable file.
  - 12. The non-rule based security detection system of claim 8 further comprising,the security detection module performing a Virtual Private Network (VPN) analysis, in which a VPN connection baseline is established for a plurality of computing devices,the security detection module identifying an IP address for each computing device,the security detection module determining a geolocation for each IP address;
    - the security detection module identifying a failed login attempt based on the geolocation of the computing device that attempted the failed login; and
      
      the security detection module generating an alert when the failed login attempt based on the geolocation of the computing device is inconsistent with the VPN connection baseline.
  - 13. The non-rule based security detection system of claim 8 further comprising,the security detection module performing an account validation, in which an anomalous account validation data flow is detected over the time period, andthe security detection module correlating at least one of an administrator login activity and a privileged user login activity with the anomalous account validation data flow.
  - 14. The non-rule based security detection system of claim 8 further comprising,the security detection module performing an email analysis, in which an email baseline is determined, andthe security detection module generating an email alert when an email address operates inconsistently with an email baseline.

15. A non-rule based security detection system comprising:
- a sub-system including a processor, a memory, a timeline module, a geolocation module, and a correlation module, wherein the sub-system is communicatively coupled to at least one computing device of a plurality of computing devices, wherein the memory includes a database, wherein each computing device of the plurality of computing devices is associated with at least one data source of a plurality of data sources;
  
  the database receives data from the plurality of data sources;
  
  the timeline module generates a baseline for each data source, wherein the baseline includes a plurality of data source outputs that are evaluated over a time period;
  
  the timeline module configured to detect a plurality of data source anomalies, in which each data source anomaly is associated with at least one data source output exceeding a threshold for the data source baseline;
  
  the geolocation module configured to identify a geolocation for each data source anomaly;
  
  the correlation module configured to generate a plurality of correlations with the plurality of data source anomalies and the geolocation for each data source anomaly; and
  
  the correlation module associating at least one correlation with a security event.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The non-rule based security detection system of claim 15 further comprising,a trouble ticket that is received by the sub-system, andthe trouble ticket being associated with at least one security event.
  - 17. The non-rule based security detection system of claim 15 further comprising a data source baseline corresponding to at least one data source, and the timeline module generating an alert when there are changes to the data source baseline.
  - 18. The non-rule based security detection system of claim 15 further comprising,a malware analysis performed by the sub-system, in which an alert is detected that identifies an executable file,an IP address that is identified by the sub-system for each computing device of the plurality of computing devices attempting to launch the executable file,a plurality of emails received by the sub-system, wherein the sub-system correlates the received emails with the computing device of the plurality of computing devices attempting to launch the executable file.
  - 19. The non-rule based security detection system of claim 15 further comprising,a Virtual Private Network (VPN) analysis based upon at least one VPN connection baseline that is established for a plurality of computing devices, wherein the timeline module performs the VPN analysis,an IP address identified for each computing device, wherein the sub-system identifies the IP address for each computing device,a geolocation determined by the sub-system for each IP address,a failed login attempt identified by the sub-system based on the geolocation of the computing device of the plurality of computing devices that attempted the failed login;
    - andan alert generated by the sub-system when the failed login attempt based on the geolocation of the computing device is inconsistent with the VPN connection baseline.
  - 20. The non-rule based security detection system of claim 15 further comprising,an account validation, in which an anomalous account validation data flow is detected by the sub-system over the time period, andat least one of an administrator login activity and a privileged user login activity correlated with the anomalous account validation data flow.
  - 21. The non-rule based security detection system of claim 15 further comprising,an email analysis, in which an email baseline is determined by the timeline module, andan email alert generated by the sub-system when an email address operates inconsistently with an email baseline.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Guavus, Inc. (Thales SA)
Original Assignee
Guavus, Inc. (Thales SA)
Inventors
Parker, Benjamin James
Primary Examiner(s)
To, Baotran N

Application Number

US15/650,809
Publication Number

US 20190020667A1
Time in Patent Office

984 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/107   wherein the security polici...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Non-rule based security risk detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Non-rule based security risk detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links