Method and Apparatus for Automatic Identification of Affected Network Resources After a Computer Intrusion

US 20130333041A1
Filed: 06/12/2012
Published: 12/12/2013
Est. Priority Date: 06/12/2012
Status: Abandoned Application

First Claim

Patent Images

1. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus are provided for automatic identification of affected network resources after a computer intrusion. The network resources affected by a computer intrusion can be identified by collecting information about an external system from an external source; deriving a list of one or more affected internal systems on an internal network by correlating the information with internal information about internal systems that interacted with the external system; and identifying one or more user accounts associated with the one or more affected internal systems. Data residing on systems accessible by the one or more user accounts can also optionally be identified. A list can optionally be presented of the network resources that may be affected by the computer intrusion. The affected network resources can be, for example, servers, services and/or client machines.

23 Citations

View as Search Results

32 Claims

1. (canceled)

2. (canceled)

3. (canceled)

4. (canceled)

5. (canceled)

6. (canceled)

7. (canceled)

8. (canceled)

9. (canceled)

10. (canceled)

11. (canceled)

12. An apparatus for automatically identifying one or more network resources affected by a computer intrusion, the apparatus comprising:
- a memory; and
  
  at least one hardware device, coupled to the memory, operative to;
  
  collecting information about an external system from an external source;
  
  deriving a list of one or more affected internal systems on an internal network by correlating said information with internal information about internal systems that interacted with said external system; and
  
  identifying one or more user accounts associated with said one or more affected internal systems.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The apparatus of claim 12, wherein said at least one hardware device is further configured to identify data residing on systems accessible by said one or more user accounts.
  - 14. The apparatus of claim 12, wherein said at least one hardware device is further configured to present a list to a user of said network resources that may be affected by said computer intrusion.
  - 15. The apparatus of claim 12, wherein said one or more network resources comprise one or more of servers, services and client machines.
  - 16. The apparatus of claim 12, wherein said external source comprises one or more of a provider of an antivirus product and a law enforcement agency.
  - 17. The apparatus of claim 12, wherein said external system comprises one or more of an infected system and a malicious system.
  - 18. The apparatus of claim 12, wherein said internal information comprises one or more of internal network activity, internal e-mail content and authentication logs.
  - 19. The apparatus of claim 12, wherein said step of deriving a list of one or more affected internal systems further comprises the steps of marking an identified internal system as infected and marking any additional internal systems that communicated with an identified external host as infected.
  - 20. The apparatus of claim 19, further comprising the step of marking any internal system that communicated with an infected internal system as infected.
  - 21. The apparatus of claim 19, further comprising the step of marking any internal system with a communication profile similar to an infected system as infected.
  - 22. The apparatus of claim 12, wherein said one or more user accounts associated with said one or more affected internal systems comprises accounts of a user who has access to at least one of said affected internal systems.

23. An article of manufacture for automatically identifying one or more network resources affected by a computer intrusion, comprising a tangible machine readable recordable medium containing one or more programs which when executed implement the steps of:
- collecting information about an external system from an external source;
  
  deriving a list of one or more affected internal systems on an internal network by correlating said information with internal information about internal systems that interacted with said external system; and
  
  identifying one or more user accounts associated with said one or more affected internal systems.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 24. The article of manufacture of claim 23, wherein said internal information comprises one or more of internal network activity, internal e-mail content and authentication logs.
  - 25. The article of manufacture of claim 23, wherein said step of deriving a list of one or more affected internal systems further comprises the steps of marking an identified internal system as infected and marking any additional internal systems that communicated with an identified external host as infected.
  - 26. The article of manufacture of claim 23, further comprising the step of identifying data residing on systems accessible by said one or more user accounts.
  - 27. The article of manufacture of claim 23, further comprising the step of presenting a list to a user of said network resources that may be affected by said computer intrusion.
  - 28. The article of manufacture of claim 23, wherein said one or more network resources comprise one or more of servers, services and client machines.
  - 29. The article of manufacture of claim 23, wherein said external source comprises one or more of a provider of an antivirus product and a law enforcement agency.
  - 30. The article of manufacture of claim 23, wherein said external system comprises one or more of an infected system and a malicious system.
  - 31. The article of manufacture of claim 23, wherein said internal information comprises one or more of internal network activity, internal e-mail content and authentication logs.
  - 32. The article of manufacture of claim 23, wherein said one or more user accounts associated with said one or more affected internal systems comprises accounts of a user who has access to at least one of said affected internal systems.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Christodorescu, Mihai, Rao, Josyula R., Sailer, Reiner, Schales, Douglas Lee

Application Number

US13/494,108
Publication Number

US 20130333041A1
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/55 Detecting local intrusion o...

G06F 21/568 eliminating virus, restorin...

Method and Apparatus for Automatic Identification of Affected Network Resources After a Computer Intrusion

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

23 Citations

32 Claims

Specification

Use Cases

Quick Links

Others

Method and Apparatus for Automatic Identification of Affected Network Resources After a Computer Intrusion

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

32 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others