SECURITY THREAT DETECTION ASSOCIATED WITH SECURITY EVENTS AND AN ACTOR CATEGORY MODEL

US 20130081141A1
Filed: 05/20/2011
Published: 03/28/2013
Est. Priority Date: 05/25/2010
Status: Active Grant

First Claim

Patent Images

1. A method of determining a security threat comprising:

storing security events (501) associated with network devices;

storing an actor category model (503) including a plurality of levels arranged in a hierarchy and each level is associated with a subcategory for a category of the model;

correlating security events (505) with the actor category model; and

determining, by a computer system, whether the security threat exists (506) based on the correlating.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Security events associated with network devices and an actor category model are stored (501, 503). The actor category model includes levels arranged in a hierarchy and each level is associated with a subcategory for a category of the model. Security events are correlated with the actor category model (505), and a determination of whether a security threat exists is performed based on the correlating (506).

Citations

15 Claims

1. A method of determining a security threat comprising:
- storing security events (501) associated with network devices;
  
  storing an actor category model (503) including a plurality of levels arranged in a hierarchy and each level is associated with a subcategory for a category of the model;
  
  correlating security events (505) with the actor category model; and
  
  determining, by a computer system, whether the security threat exists (506) based on the correlating.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein correlating security events with the actor category model comprises:
    - identifying an actor for each security event; and
      
      identifying a level in the model associated with the actor.
  - 3. The method of claim 2, wherein determining whether a security threat exists based on the correlating comprises:
    - determining a security rule for the identified level; and
      
      determining whether the security threat exists by applying the security rule.
  - 4. The method of claim 3, comprising:
    - aggregating two or more of the security events into an aggregated event based on the correlating, wherein the two or more of the security events collectively satisfy a condition in the identified rule.
  - 5. The method of claim 1, wherein the actor category model comprises an attribute for users, and the method comprises matching the attribute for users in the actor category model with a user attribute in a user model to determine whether the actor category model is applicable to security events associated with the user.
  - 6. The method of claim 5, wherein the actor category model comprises parent-child relationships between the levels, and child levels inherit rules from their parent levels.
  - 7. The method of claim 6 further comprising:
    - modifying an attribute or a parent-child relationship in the actor category model; and
      
      storing the modified actor category model.
  - 8. The method of claim 1, further comprising:
    - notifying a predetermined user if a determination is made that the network security threat exists.
  - 9. The method of claim 1, comprising:
    - storing a user data model including a unique user ID (UUID) for each user and accounts for each user under the associated UUID;
      
      storing history in the user data model indicating a time period each user account is associated with the respective UUID; and
      
      associating a user with a security event of the security events based on the history.
  - 10. The method of claim 1, comprising:
    - storing a plurality of actor category models;
      
      for each actor category model, determining whether the actor category model is associated with the security events based on attributes associated with the security events and the actor category model; and
      
      for each actor category model determined to be associated with the security events, using the associated actor category model to identify rules to determine whether the security threat exists.

11. A threat detection system (110) comprising:
- a data storage (111) to store security events associated with network devices, and an actor category model including a plurality of levels arranged in a hierarchy and each level is associated with a subcategory for a category of the model; and
  
  a processor (602) to correlate security events with the actor category model, and to determine whether a security threat exists based on the correlating.
- View Dependent Claims (12, 13)
- - 12. The threat detection system of claim 11, wherein the processor (602) identifies an actor for each security event, identifies a level in the model associated with the actor to correlate the security events with the actor category model, determines a security rule for the identified level, and determines whether the security threat exists by applying the security rule.
  - 13. The threat detection system of claim 11, wherein the data storage (111) stores a user data model including a unique user ID (UUID) for each user and account IDs for each user under the associated UUID, stores history in the user data model indicating a time period each user account is associated with the respective UUID, and associates a user with a security event of the security events based on the history.

14. A non-transitory computer readable medium (604) storing machine readable instructions that when executed by a computer system (600) performs a method comprising:
- storing security events (501) associated with network devices;
  
  storing an actor category model (503) including a plurality of levels arranged in a hierarchy and each level is associated with a subcategory for a category of the model;
  
  correlating security events (505) with the actor category model; and
  
  determining, by a computer system, whether the security threat exists (506) based on the correlating.
- View Dependent Claims (15)
- - 15. The non-transitory computer readable medium (604) of claim 14, wherein correlating security events with the actor category model comprises:
    - identifying an actor for each security event;
      
      identifying a level in the model associated with the actor;
      
      selecting a security rule for the identified level from a plurality of security rules; and
      
      determining whether a network security threat exists by applying the selected security rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Anurag, Singla

Granted Patent

US 9,069,954 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1425   Traffic logging, e.g. anoma...

SECURITY THREAT DETECTION ASSOCIATED WITH SECURITY EVENTS AND AN ACTOR CATEGORY MODEL

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

SECURITY THREAT DETECTION ASSOCIATED WITH SECURITY EVENTS AND AN ACTOR CATEGORY MODEL

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links