Techniques for sharing network security event information

US 20150222656A1
Filed: 02/05/2015
Published: 08/06/2015
Est. Priority Date: 02/01/2012
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising at least one computer, memory and instructions stored on non-transitory machine readable media, the instructions when executed to cause the at least one computer to:

receive information representing first network security events from third party systems, said information for each first network security event including data identifying a source of the respective first network security event;

automatically update content of a database stored in the memory responsive to the received information;

receive a communication from one of the third party systems which identifies a second network security event, said communication including data identifying a source of the second network security event;

search the database to detect correlation between the content of the database and the second network security event;

in the event of correlation between the content of the database and the second network security event, determine a threat level associated with the second network security event based on the information representing the first network security events received from the third party systems; and

transmit a reply message to the one of the third party systems which sent the communication, in a manner such that the reply message conveys the calculated threat level.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure provides an architecture for sharing information between network security administrators. Events converted to a normalized data format (CCF) are stored in a manner that can be queried by a third party (e.g., an administrator of another, trusted network). Optionally made available as a service, stored event records can be sanitized for third party queries (e.g., by clients of a service maintaining such a repository). In one embodiment, each contributing network encrypts or signs its (sanitized) records using a symmetric key architecture, the key being unique to the contributing network. This key is used (e.g., by the repository) to index a set of permissions or conditions of the contributing network in servicing any query, e.g., by matching a stored hash of the event record or by decrypting the record. The information sharing service can optionally be provided by a hosted information security service or on a peer-to-peer basis.

70 Citations

25 Claims

1. An apparatus comprising at least one computer, memory and instructions stored on non-transitory machine readable media, the instructions when executed to cause the at least one computer to:
- receive information representing first network security events from third party systems, said information for each first network security event including data identifying a source of the respective first network security event;
  
  automatically update content of a database stored in the memory responsive to the received information;
  
  receive a communication from one of the third party systems which identifies a second network security event, said communication including data identifying a source of the second network security event;
  
  search the database to detect correlation between the content of the database and the second network security event;
  
  in the event of correlation between the content of the database and the second network security event, determine a threat level associated with the second network security event based on the information representing the first network security events received from the third party systems; and
  
  transmit a reply message to the one of the third party systems which sent the communication, in a manner such that the reply message conveys the calculated threat level.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The apparatus of claim 1, wherein the instructions when executed are further to cause the at least one computer to:
    - sanitize the information representing first network security events received from the third party systems, so as to remove any data associated therewith which identifies one of the third party systems which transmitted said information to said apparatus.
  - 3. The apparatus of claim 1, wherein:
    - said database is a first database;
      
      the communication includes a hash; and
      
      said instructions when executed are further to cause the at least one computer toaccess a second database containing cryptographic keys, each cryptographic key associated with a respective one of the third party systems,process the communication using one or more of the cryptographic keys from the second database, to detect correspondence between the hash and at least one of the cryptographic keys from the second database, andprocess the communication in dependence on the detected correspondence.
  - 4. The apparatus of claim 3, wherein the second database is further to store profile information for each of the cryptographic keys, and wherein the instructions when executed are further to cause the at least one computer to:
    - access the second database responsive to the detected correspondence to retrieve profile information associated with cryptographic key which produced the detected correspondence; and
      
      process the communication using the retrieved profile information.
  - 5. The apparatus of claim 3, wherein the instructions are to cause the at least one computer to process of the communication using the corresponding profile information by causing the at least one computer to initiate the search of the database to detect correlation between the content of the database and the second network security event.
  - 6. The apparatus of claim 1, wherein the instructions when executed are further to cause the at least one computer to:
    - transmit a query to at least one third party system responsive to the communication, to solicit information associated with the second network security event.
  - 7. The apparatus of claim 6, wherein the instructions when executed are further to cause the at least one computer to:
    - upon receipt of a response to the query, update the content of the database with information responsive to the solicited information.
  - 8. The apparatus of claim 6, wherein the instructions when executed are further to cause the at least one computer to:
    - transmit the query to the at least one third party system only in the event of detected correlation between the content of the database and the second network security event.
  - 9. The apparatus of claim 1, wherein the instructions when executed are further to cause the at least one computer to search the database to detect correlation by detecting a match between a source of one of the first network security events and the source of the second network security event.

10. An apparatus instructions stored on non-transitory machine readable media, the instructions when executed to cause at least one computer to:
- receive information representing first network security events from third party systems, said information for each first network security event including data identifying a source of the respective first network security event;
  
  automatically update content of a database stored responsive to the received information;
  
  receive a communication from one of the third party systems which identifies a second network security event, said communication including data identifying a source of the second network security event;
  
  initiate a search of the database to detect correlation between the content of the database and the second network security event;
  
  in the event of correlation between the content of the database and the second network security event, determine a threat level associated with the second network security event based on the information representing the first network security events received from the third party systems; and
  
  transmit a reply message to the one of the third party systems which sent the communication, in a manner such that the reply message conveys the calculated threat level.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The apparatus of claim 10, wherein the database is distributed across multiple networks and wherein the instructions when executed are to cause the at least one computer to transmit at least one query over a wide area network (WAN) to a first network of the multiple networks as part of initiating the search, and to receive a response thereto in the event of correlation detected by the first network.
  - 12. The apparatus of claim 10, wherein the instructions when executed are further to cause the at least one computer to:
    - sanitize the information representing first network security events received from the third party systems, so as to remove any data associated therewith which identifies one of the third party systems which transmitted said information to said apparatus.
  - 13. The apparatus of claim 10, wherein the database is a first database, wherein the communication includes a hash, and wherein said instructions when executed are further to cause the at least one computer to:
    - access a second database containing cryptographic keys, each cryptographic key associated with a respective one of the third party systems;
      
      process the communication using one or more of the cryptographic keys from the second database, to detect correspondence between the hash and at least one of the cryptographic keys from the second database; and
      
      process the communication in dependence on the detected correspondence.
  - 14. The apparatus of claim 13, wherein the second database is further to store profile information for each of the cryptographic keys, and wherein the instructions when executed are further to cause the at least one computer to:
    - access the second database responsive to the detected correspondence to retrieve profile information associated with cryptographic key which produced the detected correspondence; and
      
      process the communication using the retrieved profile information.
  - 15. The apparatus of claim 13, wherein the instructions are to cause the at least one computer to process of the communication using the corresponding profile information by causing the at least one computer to initiate the search of the database to detect correlation between the content of the database and the second network security event.
  - 16. The apparatus of claim 10, wherein the instructions when executed are further to cause the at least one computer to:
    - transmit a query to at least one third party system responsive to the communication, to solicit information associated with the second network security event.
  - 17. The apparatus of claim 16, wherein the instructions when executed are further to cause the at least one computer to:
    - upon receipt of a response to the query, update the content of the database with information responsive to the solicited information.
  - 18. The apparatus of claim 16, wherein the instructions when executed are further to cause the at least one computer to:
    - transmit the query to the at least one third party system only in the event of detected correlation between the content of the database and the second network security event.

19. A method, comprising:
- receiving with a computer from over a wide area network information representing first network security events from third party systems, said information for each first network security event including data identifying a source of the respective first network security event;
  
  automatically updating content of a database using a computer in responsive to the received information;
  
  receiving with a computer a communication from one of the third party systems which identifies a second network security event, said communication including data identifying a source of the second network security event;
  
  automatically searching the database to detect correlation between the content of the database and the second network security event;
  
  in the event of correlation between the content of the database and the second network security event, automatically determining a threat level associated with the second network security event based on the information representing the first network security events received from the third party systems; and
  
  automatically transmitting a reply message to the one of the third party systems which sent the communication, in a manner such that the reply message conveys the calculated threat level.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The method of claim 19, wherein the information received representing the first network security events includes information identifying one of the third party systems from which said information was received, and wherein:
    - the method further comprises sanitizing the information received from third party systems representing the first network security events, so as to remove the information identifying the one of the third party systems from which said information was received; and
      
      the updating of the content is performed dependent on the sanitized information.
  - 21. The method of claim 19, wherein the database is a first database and the communication includes a hash, and wherein the method further comprises:
    - accessing a second database containing cryptographic keys, each cryptographic key associated with a respective one of the third party systems;
      
      processing the communication using one or more of the cryptographic keys from the second database, to detect correspondence between the hash and at least one of the keys from the second database; and
      
      processing the communication in dependence on detected correspondence between the hash and at least one of the keys from the second database.
  - 22. The method of claim 21, wherein the second database is to store profile information for each of the cryptographic keys, and wherein the method further comprises:
    - accessing the second database responsive to detected correspondence between the hash and at least one of the keys to retrieve the profile information associated with one of the cryptographic keys which produced the detected correspondence; and
      
      processing the communication in dependence on the retrieved profile information.
  - 23. The method of claim 21, wherein automatically searching the database is performed dependent on the detected correspondence.
  - 24. The method of claim 23, further comprising automatically transmitting a query to at least one third party system responsive to the communication, to solicit information associated with the second network security event.
  - 25. The method of claim 24, wherein automatically transmitting the query is performed only in the event of correlation between the content of the database and the second network security event.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
Vorstack, Inc.
Inventors
Haugsnes, Andreas Seip

Granted Patent

US 9,137,258 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/24   Querying

G06F 16/24575   using context

G06F 16/951   Indexing; Web crawling tech...

G06F 21/552   involving long-term monitor...

H04L 63/104   Grouping of entities

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 67/10   in which an application is ...

Techniques for sharing network security event information

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

70 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

Techniques for sharing network security event information

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others