Techniques for sharing network security event information
Abstract
This disclosure provides an architecture for sharing information between network security administrators. Events converted to a normalized data format (CCF) are stored in a manner that can be queried by a third party (e.g., an administrator of another, trusted network). Optionally made available as a service, stored event records can be sanitized for third party queries (e.g., by clients of a service maintaining such a repository). In one embodiment, each contributing network encrypts or signs its (sanitized) records using a symmetric key architecture, the key being unique to the contributing network. This key is used (e.g., by the repository) to index a set of permissions or conditions of the contributing network in servicing any query, e.g., by matching a stored hash of the event record or by decrypting the record. The information sharing service can optionally be provided by a hosted information security service or on a peer-to-peer basis.
Claims (25)
1. An apparatus comprising at least one computer, memory and instructions stored on non-transitory machine readable media, the instructions when executed to cause the at least one computer to:
receive information representing first network security events from third party systems, said information for each first network security event including data identifying a source of the respective first network security event;
automatically update content of a database stored in the memory responsive to the received information;
receive a communication from one of the third party systems which identifies a second network security event, said communication including data identifying a source of the second network security event;
search the database to detect correlation between the content of the database and the second network security event;
in the event of correlation between the content of the database and the second network security event, determine a threat level associated with the second network security event based on the information representing the first network security events received from the third party systems; and
transmit a reply message to the one of the third party systems which sent the communication, in a manner such that the reply message conveys the calculated threat level.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9 (not shown).
10. An apparatus instructions stored on non-transitory machine readable media, the instructions when executed to cause at least one computer to:
receive information representing first network security events from third party systems, said information for each first network security event including data identifying a source of the respective first network security event;
automatically update content of a database stored responsive to the received information;
receive a communication from one of the third party systems which identifies a second network security event, said communication including data identifying a source of the second network security event;
initiate a search of the database to detect correlation between the content of the database and the second network security event;
in the event of correlation between the content of the database and the second network security event, determine a threat level associated with the second network security event based on the information representing the first network security events received from the third party systems; and
transmit a reply message to the one of the third party systems which sent the communication, in a manner such that the reply message conveys the calculated threat level.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18 (not shown).
19. A method, comprising:
receiving with a computer from over a wide area network information representing first network security events from third party systems, said information for each first network security event including data identifying a source of the respective first network security event;
automatically updating content of a database using a computer in responsive to the received information;
receiving with a computer a communication from one of the third party systems which identifies a second network security event, said communication including data identifying a source of the second network security event;
automatically searching the database to detect correlation between the content of the database and the second network security event;
in the event of correlation between the content of the database and the second network security event, automatically determining a threat level associated with the second network security event based on the information representing the first network security events received from the third party systems; and
automatically transmitting a reply message to the one of the third party systems which sent the communication, in a manner such that the reply message conveys the calculated threat level.
Dependent claims: 20, 21, 22, 23, 24, 25 (not shown).
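The repository behaviour described in the abstract and in claim 1, as an added Python example that is not part of the patent: each contributor sanitizes a normalized event record and MACs it with its network's unique symmetric key; the repository identifies the contributor by matching the MAC against its registered keys, uses that identity to look up the network's sharing permission, stores the record indexed by the event's source, and answers a query about a second event with a threat level derived from how many distinct networks reported the same source. Network names, keys, permissions and the 0 to 3 threat scale are constructed assumptions.

```python
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed data: one symmetric key per contributing network and the sharing
# permission the repository indexes by that key (hypothetical names and values).
NETWORK_KEYS = {"net-A": b"k-a", "net-B": b"k-b", "net-C": b"k-c"}
PERMISSIONS = {"net-A": "share", "net-B": "share", "net-C": "count-only"}


def sanitize(event):
    """Contributor side: drop the internal target, keep the source and event type."""
    return {"src": event["src"], "type": event["type"]}


def sign_record(network, event):
    """Contributor side: sanitize the normalized record and MAC it with the network's key."""
    record = sanitize(event)
    payload = json.dumps(record, sort_keys=True).encode()
    tag = hmac.new(NETWORK_KEYS[network], payload, hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


class Repository:
    """Shared store: ingest keyed records, then answer correlation queries with a threat level."""

    def __init__(self):
        self.by_source = defaultdict(list)  # source identifier -> [(network, record)]

    def ingest(self, signed):
        """Match the MAC against each registered key to learn which network (and so which
        permission) the record belongs to; an unknown key or an altered record is rejected."""
        payload = json.dumps(signed["record"], sort_keys=True).encode()
        for network, key in NETWORK_KEYS.items():
            expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, signed["tag"]):
                self.by_source[signed["record"]["src"]].append((network, signed["record"]))
                return network
        return None

    def query(self, querier, second_event):
        """Correlate the queried event's source with stored events and reply with a threat
        level: the number of distinct contributing networks that reported that source,
        capped at 3 (constructed scale). Record details go out only where the contributor
        permits; count-only contributors still raise the level."""
        hits = self.by_source.get(second_event["src"], [])
        level = min(len({net for net, _ in hits}), 3)
        shared = [rec for net, rec in hits if PERMISSIONS[net] == "share"]
        return {"to": querier, "src": second_event["src"], "threat_level": level,
                "reports": len(hits), "details": shared}
```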
Specification