Techniques for sharing network security event information

US 20150207813A1
Filed: 02/05/2015
Published: 07/23/2015
Est. Priority Date: 02/01/2012
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising instructions stored on non-transitory, computer-readable media, the instructions when executed to cause at least one computer to:

receive information representing a possible threat to a first network;

receive information representing a profile associated with the first network;

access a stored database having records of possible threats to multiple, diverse networks;

access a stored database having information representing profiles associated with respective, diverse networks; and

determine from the records a correlation of the possible threat to the first network with possible threats to a subset of one or more of the respective, diverse networks, the subset restricted to be one or more of the respective, diverse networks which, according to the stored database having the information, are associated with profiles that match the profile associated with the first network in at least one characteristic.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure provides techniques for pooling and searching network security events reported by multiple sources. As information representing a security event is received from one source, it is searched against a central or distributed database representing events reported from multiple, diverse sources (e.g., different client networks). Either the search or correlated results can be filtered and/or routed according at least one characteristic associated with the networks, for example, to limit correlation to events reported by what are presumed to be similarly situated networks. The disclosed techniques facilitate faster identification of high-relevancy security event information, and thereby help facilitate faster threat identification and mitigation. Various techniques can be implemented as standalone software (e.g., for use by a private network) or for a central pooling and/or query service. This disclosure also provides different examples of actions that can be taken in response to search results.

168 Citations

23 Claims

1. An apparatus comprising instructions stored on non-transitory, computer-readable media, the instructions when executed to cause at least one computer to:
- receive information representing a possible threat to a first network;
  
  receive information representing a profile associated with the first network;
  
  access a stored database having records of possible threats to multiple, diverse networks;
  
  access a stored database having information representing profiles associated with respective, diverse networks; and
  
  determine from the records a correlation of the possible threat to the first network with possible threats to a subset of one or more of the respective, diverse networks, the subset restricted to be one or more of the respective, diverse networks which, according to the stored database having the information, are associated with profiles that match the profile associated with the first network in at least one characteristic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The apparatus of claim 1, wherein the instructions when executed are to further cause the at least one computer to:
    - responsive to the determination, rank the possible threat to the first network; and
      
      transmit a notification message to a destination associated with the first network, the notification message to identify the possible threat to the first network.
  - 3. The apparatus of claim 2, wherein the instructions when executed are to further cause the at least one computer to, responsive to the determination, query a database to determine at least one remedial action associated with the possible threat to the first network, and transmit a notification message to the destination associated with the first network to identify the at least one remedial action.
  - 4. The apparatus of claim 1, further embodied as one or more servers.
  - 5. The apparatus of claim 4, wherein the instructions when executed are further to cause the one or more servers to retrieve the information representing the profile associated with the first network from a database maintained by the one or more servers in response to the receipt of the information representing the possible threat to the first network, to thereby receive said information representing the profile associated with the first network.
  - 6. The apparatus of claim 1, wherein the instructions when executed are to further cause the at least one computer to:
    - responsive to the determination, rank the possible threat to the first network; and
      
      transmit a notification message to a destination associated with a third network to identify the possible threat to the first network;
      
      wherein the third network is associated with a profile that in the at least one characteristic matches (a) the profile associated with the first network and (b) each profile associated with a network corresponding to the subset.
  - 7. The apparatus of claim 6, wherein:
    - the instructions when executed are to cause the at least one computer to determine the correlation by identifying at least one first internet protocol (IP) address associated with the possible threat to the first network and also with the possible threats to the subset of one or more of the respective, diverse networks;
      
      the information representing the possible threat to the first network and the possible threats to the one or more respective, diverse networks in the subset also collectively include one or more second IP addresses corresponding to one or more of (i) the first network or (ii) one of the respective, diverse networks;
      
      the instructions when executed are to further cause the at least one computer to sanitize information conveyed by the notification message to the destination, by formatting said notification message in a manner where no second IP address is included.
  - 8. The apparatus of claim 1, wherein the at least one characteristic includes an industry identifier.
  - 9. The apparatus of claim 1, wherein the at least one characteristic includes a group membership, and wherein the instructions when executed are further to dynamically determine group membership at a time when the stored database having the records is accessed.
  - 10. The apparatus of claim 1, wherein the instructions when executed are further to update stored ranking information associated with the records, for at least one of the respective, diverse networks reporting a possible threat determined to be correlated with the possible threat to the first network.
  - 11. The apparatus of claim 10, wherein the instructions when executed are, responsive to update of stored ranking information associated with the records, to transmit a notification message to a destination associated with a first one of the respective, diverse network that is a member of the subset and that first reported a possible threat determined to be correlated with the possible threat to the first network, and wherein the notification message is to indicate an upgraded threat severity based on the information representing the possible threat to the first network.

12. An apparatus comprising instructions stored on non-transitory, computer-readable media, the instructions when executed to cause at least one computer to:
- receive information representing a possible threat to a first network;
  
  receive information representing a profile associated with the first network;
  
  access a stored database having records of possible threats to multiple, diverse network networks;
  
  access a stored database having information representing profiles associated with respective, diverse networks;
  
  determine from the records a correlation of the possible threat to the first network with possible threats to a subset of one or more of the respective, diverse networks, the subset restricted to be one or more of the respective, diverse networks which, according to the stored database having the information, have profiles that match the profile associated with the first network in at least one characteristic;
  
  responsive to a determination that one or more threats to members of the subset correlate with the possible threat to the first network, rank the possible threat to the first network;
  
  and transmit a notification message to a destination associated with at least one of the first network or one or more of the respective, diverse networks, wherein the notification message is formatted to not include information identifying any member of the subset not associated with the destination where such is a target of the possible threat to the first network.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The apparatus of claim 12, wherein the at least one characteristic includes a group membership.
  - 14. The apparatus of claim 13, wherein the instructions when executed are further to receive group membership information for the first network from a network administrator associated with the first network, and further, where the apparatus is to permit each network to have multiple group memberships.
  - 15. The apparatus of claim 13, wherein the instructions when executed are further to dynamically determine group membership at a time when the stored database having the records is accessed.
  - 16. The apparatus of claim 12, wherein the instructions when executed are further to update stored ranking information associated with the records, for at least one of the respective, diverse networks reporting a possible threat determined to be correlated with the possible threat to the first network.

17. A method, comprising:
- receiving with at least one computer information representing a possible threat to a first network;
  
  receiving with the at least one computer information representing a profile associated with the first network;
  
  accessing with the at least one computer a stored database having records of possible threats to multiple, diverse networks;
  
  accessing with the at least one computer a stored database having information representing profiles associated with respective, diverse networks; and
  
  using the at least one computer to determine from the records a correlation of the possible threat to the first network with possible threats to a subset of one or more of the respective, diverse networks, the subset restricted to be one or more of the respective, diverse networks which, according to the stored database having the information, are associated with profiles that match the profile associated with the first network in at least one characteristic.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The method of claim 17, further comprising:
    - using the at least one computer to, responsive to the determination, rank the possible threat to the first network; and
      
      using the at least one computer to transmit a notification message to a destination with the first network, the notification message to identify the possible threat to the first network.
  - 19. The method of claim 17, further comprising:
    - responsive to the determination, ranking the possible threat to the first network; and
      
      transmitting a notification message to a destination associated with a third network to identify the possible threat to the first network;
      
      wherein the third network is associated with a profile that in the at least one characteristic matches (a) the profile associated with the first network and (b) each profile associated with a network corresponding to the subset.
  - 20. The method of claim 19, wherein the information representing the possible threat to the first network and the possible threats to the one or more respective, diverse networks in the subset also collectively include one or more second internet protocol (IP) addresses corresponding to one or more of (i) the first network or (ii) one of the respective, diverse networks, the method further comprising:
    - identifying at least one first IP address associated with the possible threat to the first network and associated with the possible threats to the subset of one or more of the respective, diverse networks; and
      
      sanitizing information conveyed by the notification message to the destination, by formatting said notification message in a manner where no second IP address is included.
  - 21. The method of claim 20, wherein the at least one characteristic includes a group membership, and wherein the method further comprises receiving group membership information for the first network from a network administrator associated with the first network, and further, wherein the method further comprises permitting each network to have multiple group memberships, and dynamically determining group membership at a time of accessing the stored database having the records.
  - 22. The method of claim 17, further comprising updating stored ranking information associated with the records, for at least one of the respective, diverse networks reporting a possible threat determined to be correlated with the possible threat to the first network.
  - 23. The method of claim 17, further comprising, responsive to update of stored ranking information associated with the records, transmitting a notification message to a destination associated with a first one of the respective, diverse network that is a member of the subset and that first reported a possible threat determined to be correlated with the possible threat to the first network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
Vorstack, Inc.
Inventors
Haugsnes, Andreas Seip, Rhines, Jeffrey, Lewis, Scott, Reybok, Richard, Zettel, Kurt Joseph II, Geddes, Henry, Osypov, Volodymyr, Brady, Sean, Manning, Mark

Granted Patent

US 9,710,644 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/145 the attack involving the pr...

Techniques for sharing network security event information

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

168 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

Techniques for sharing network security event information

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

168 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others