Techniques for sharing network security event information
Abstract
This disclosure provides techniques for pooling and searching network security events reported by multiple sources. As information representing a security event is received from one source, it is searched against a central or distributed database representing events reported from multiple, diverse sources (e.g., different client networks). Either the search or the correlated results can be filtered and/or routed according to at least one characteristic associated with the networks, for example, to limit correlation to events reported by what are presumed to be similarly situated networks. The disclosed techniques facilitate faster identification of high-relevancy security event information, and thereby help facilitate faster threat identification and mitigation. Various techniques can be implemented as standalone software (e.g., for use by a private network) or as a central pooling and/or query service. This disclosure also provides different examples of actions that can be taken in response to search results.
168 Citations
23 Claims
1. An apparatus comprising instructions stored on non-transitory, computer-readable media, the instructions when executed to cause at least one computer to:
    receive information representing a possible threat to a first network;
    receive information representing a profile associated with the first network;
    access a stored database having records of possible threats to multiple, diverse networks;
    access a stored database having information representing profiles associated with respective, diverse networks; and
    determine from the records a correlation of the possible threat to the first network with possible threats to a subset of one or more of the respective, diverse networks, the subset restricted to be one or more of the respective, diverse networks which, according to the stored database having the information, are associated with profiles that match the profile associated with the first network in at least one characteristic.
    (Dependent claims 2 to 11 are not reproduced here.)

12. An apparatus comprising instructions stored on non-transitory, computer-readable media, the instructions when executed to cause at least one computer to:
    receive information representing a possible threat to a first network;
    receive information representing a profile associated with the first network;
    access a stored database having records of possible threats to multiple, diverse networks;
    access a stored database having information representing profiles associated with respective, diverse networks;
    determine from the records a correlation of the possible threat to the first network with possible threats to a subset of one or more of the respective, diverse networks, the subset restricted to be one or more of the respective, diverse networks which, according to the stored database having the information, have profiles that match the profile associated with the first network in at least one characteristic;
    responsive to a determination that one or more threats to members of the subset correlate with the possible threat to the first network, rank the possible threat to the first network; and
    transmit a notification message to a destination associated with at least one of the first network or one or more of the respective, diverse networks, wherein the notification message is formatted to not include information identifying any member of the subset not associated with the destination where such is a target of the possible threat to the first network.
    (Dependent claims 13 to 16 are not reproduced here.)

17. A method, comprising:
    receiving with at least one computer information representing a possible threat to a first network;
    receiving with the at least one computer information representing a profile associated with the first network;
    accessing with the at least one computer a stored database having records of possible threats to multiple, diverse networks;
    accessing with the at least one computer a stored database having information representing profiles associated with respective, diverse networks; and
    using the at least one computer to determine from the records a correlation of the possible threat to the first network with possible threats to a subset of one or more of the respective, diverse networks, the subset restricted to be one or more of the respective, diverse networks which, according to the stored database having the information, are associated with profiles that match the profile associated with the first network in at least one characteristic.
    (Dependent claims 18 to 23 are not reproduced here.)
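The correlation, ranking and notification steps recited in the abstract and in claims 1 and 12, written out as an added Python example. This is not code from the patent or from any product implementing it; the profile characteristics (industry, region, platform), the ranking thresholds, the network names, the indicator values and the threat records are all constructed here for illustration.

```python
"""Profile-restricted correlation of pooled network security events.

Constructed example of the abstract and claims 1 and 12: a threat reported by a
"first network" is correlated only against records from networks whose profile
matches the first network's profile in at least one characteristic, the threat
is ranked by how many such peers reported the same indicator, and the resulting
notification never names a peer other than the destination itself.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    network_id: str
    industry: str   # characteristics are assumed for this example
    region: str
    platform: str

    def shares_characteristic(self, other: "Profile") -> bool:
        # "match ... in at least one characteristic" (claims 1, 12, 17)
        return (self.industry == other.industry
                or self.region == other.region
                or self.platform == other.platform)


@dataclass(frozen=True)
class ThreatRecord:
    network_id: str   # network that reported the event
    indicator: str    # the observable reported, e.g. a source address (constructed)
    category: str     # the reporter's own classification
    day: int          # ordering only; constructed


# Constructed pooled database: profiles and events from diverse client networks.
PROFILES = {
    "net-A": Profile("net-A", "finance", "EU", "windows"),
    "net-B": Profile("net-B", "finance", "US", "linux"),
    "net-C": Profile("net-C", "retail", "EU", "linux"),
    "net-D": Profile("net-D", "healthcare", "APAC", "macos"),
}
THREAT_DB = [
    ThreatRecord("net-B", "198.51.100.7", "scanning", 1),
    ThreatRecord("net-C", "198.51.100.7", "brute-force", 2),
    ThreatRecord("net-D", "198.51.100.7", "scanning", 2),
    ThreatRecord("net-B", "203.0.113.9", "phishing", 3),
]


def similarly_situated(first: Profile, profiles: dict) -> set:
    """The subset of other networks whose profile matches in at least one characteristic."""
    return {p.network_id for p in profiles.values()
            if p.network_id != first.network_id and first.shares_characteristic(p)}


def correlate(threat: ThreatRecord, first_profile: Profile,
              threat_db: list, profiles: dict) -> list:
    """Records of the same indicator, restricted to the similarly situated subset."""
    subset = similarly_situated(first_profile, profiles)
    return [r for r in threat_db
            if r.network_id in subset and r.indicator == threat.indicator]


def rank(threat: ThreatRecord, correlated: list) -> dict:
    """Rank by the number of distinct peer networks reporting the indicator (thresholds assumed)."""
    peers = {r.network_id for r in correlated}
    level = "high" if len(peers) >= 2 else "medium" if len(peers) == 1 else "low"
    return {"indicator": threat.indicator, "peer_networks": len(peers), "rank": level}


def notification(threat: ThreatRecord, correlated: list, destination: str) -> dict:
    """Notification that identifies no subset member other than the destination (claim 12)."""
    peers = {r.network_id for r in correlated}
    return {
        "to": destination,
        "indicator": threat.indicator,
        "rank": rank(threat, correlated)["rank"],
        "peer_report_count": len(peers),                      # counts only, no peer names
        "categories_seen": sorted({r.category for r in correlated}),
        "destination_also_reported": destination in peers,   # the one identity it may reveal
    }


if __name__ == "__main__":
    incoming = ThreatRecord("net-A", "198.51.100.7", "scanning", 4)
    hits = correlate(incoming, PROFILES["net-A"], THREAT_DB, PROFILES)
    print(rank(incoming, hits))
    print(notification(incoming, hits, "net-A"))
```

With the constructed data, net-A (finance, EU, windows) shares a characteristic with net-B (finance) and net-C (EU) but not with net-D, so net-D's report of the same address is left out of the correlation even though it matches on the indicator; that exclusion is the filtering the abstract describes. The notification carries counts and categories but no peer network names, which is the property worth asserting on in a real implementation.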
Specification