METHOD AND SYSTEM FOR AUTOMATED CYBERSECURITY INCIDENT AND ARTIFACT VISUALIZATION AND CORRELATION FOR SECURITY OPERATION CENTERS AND COMPUTER EMERGENCY RESPONSE TEAMS

US 20160044061A1
Filed: 10/22/2014
Published: 02/11/2016
Est. Priority Date: 08/05/2014
Status: Active Grant

First Claim

Patent Images

1. A method of visualizing and navigating cybersecurity information, comprising:

displaying a hypertree on a display device of a computerized system, comprising a plurality of nodes linked by edges, one or more of the nodes representing cybersecurity incidents, and one or more of the nodes representing elements or artifacts of cybersecurity incidents, the edges representing a specific relationship between the nodes linked by the edges;

displaying, through the computerized system, an interactive navigation aid to enable a user to navigate the hypertree;

receiving at the computerized system a navigation command from the user through the interactive navigation aid; and

modifying the displayed hyerptree, by the computerized system, in response to the navigation command;

wherein the navigation command comprises selective elimination or restoration of edges or nodes on the hypertree so as to enable the user to readily visualize interrelationships between the displayed nodes that are significant to a cybersecurity investigation or response.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system is provided for visualizing and navigating cybersecurity information. A hypertree is displayed on a display device of a computerized system. The hypertree includes a plurality of nodes linked by edges, one or more of the nodes representing cybersecurity incidents, and one or more of the nodes representing elements or artifacts of cybersecurity incidents, the edges representing a specific relationship between the nodes linked by the edges. The computerized system displays an interactive navigation aid to enable a user to navigate the hypertree, and receives a navigation command from the user through the interactive navigation aid. The computerized system modifies the displayed hyerptree in response to the navigation command. The navigation command comprises selective elimination or restoration of edges or nodes on the hypertree so as to enable the user to readily visualize interrelationships between the displayed nodes that are significant to a cybersecurity investigation or response.

34 Citations

View as Search Results

18 Claims

1. A method of visualizing and navigating cybersecurity information, comprising:
- displaying a hypertree on a display device of a computerized system, comprising a plurality of nodes linked by edges, one or more of the nodes representing cybersecurity incidents, and one or more of the nodes representing elements or artifacts of cybersecurity incidents, the edges representing a specific relationship between the nodes linked by the edges;
  
  displaying, through the computerized system, an interactive navigation aid to enable a user to navigate the hypertree;
  
  receiving at the computerized system a navigation command from the user through the interactive navigation aid; and
  
  modifying the displayed hyerptree, by the computerized system, in response to the navigation command;
  
  wherein the navigation command comprises selective elimination or restoration of edges or nodes on the hypertree so as to enable the user to readily visualize interrelationships between the displayed nodes that are significant to a cybersecurity investigation or response.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1 wherein one or more of the nodes represent elements of cybersecurity incidents including evidence, hosts, forensic images, and e-discovery objects.
  - 3. The method of claim 1 wherein one or more the nodes represent artifacts of cybersecurity incidents.
  - 4. The method of claim 3 wherein the computerized system enables the user to select an alikeness ratio defining a minimum alikeness that the nodes representing artifacts must have with respect to other nodes in the hypertree, and the computerized system, in response to the user selecting an alikeness ratio, re-plots the hyerptree to include nodes representing artifacts that are connected with other nodes by edges that exceed the alikeness ratio selected by the user.
  - 5. The method of claim 1 wherein the computerized system enables the user to navigate the hypertree by selecting a node of the hypertree as a selected node.
  - 6. The method of claim 5 wherein the interactive navigation aid includes a mechanism to enable the user to eliminate or restore the selected node in the displayed hypertree.
  - 7. The method of claim 5 wherein the computerized system modifies the displayed hypertree in response to the user selecting a node of the hypertree as the selected node, at least by re-centering the displayed hypertree around the selected node.
  - 8. The method of claim 1 wherein the interactive navigation aid lists active connections between a selected node of the hypertree and other nodes of the hypertree, together with options for the user to eliminate or restore edges representing the active connections listed in the navigation aid or nodes linked by the active connections.
  - 9. The method of claim 8 wherein the interactive navigation aid includes a mechanism to enable the user to eliminate or restore all edges connected to the selected node in the displayed hypertree.
  - 10. The method of claim 8 wherein the interactive navigation aid comprises a table of nodes having active connections with the selected node.
  - 11. The method of claim 1 wherein the hypertree displays links differentiated by color and the interactive navigation aid enables the user to selectively eliminate or restore edges by color.
  - 12. The method of claim 1 wherein the hypertree includes a plurality of nodes representing cybersecurity incidents, one of the nodes representing a cybersecurity incident being investigated by the user, and one or more of the nodes representing other cybersecurity incidents linked by edges to the node representing the cybersecurity incident being investigated by the user.
  - 13. The method of claim 12 wherein the computerized system enables the user to enable or disable the nodes representing the other cybersecurity incidents, and, in response to instruction from the user to enable or disable the nodes representing the other cybersecurity incidents, re-plots the displayed hypertree.
  - 14. The method of claim 1 wherein the interactive navigation aid lists active connections between a selected node of the hypertree and other nodes of the hypertree and includes a mechanism to enable the user to view details of any node listed in the interactive navigation aid.
  - 15. The method of claim 1 wherein the computerized system enables the user to zoom onto a portion of the displayed hyerptree.
  - 16. The method of claim 1 wherein the interactive navigation aid is distinct from the hypertree.

17. An apparatus for visualizing and navigating cybersecurity information, comprisinga computerized processing system;
- anda visual display system;
  
  wherein the computerized processing system is programmedto display on the visual display system a hypertree comprising a plurality of nodes linked by edges, one or more of the nodes representing cybersecurity incidents, and one or more of the nodes representing elements or artifacts of cybersecurity incidents, the edges representing a specific relationship between the nodes linked by the edges;
  
  to display on the visual display system an interactive navigation aid to enable a user to navigate the hypertree;
  
  to receive a navigation command from the user through the interactive navigation aid; and
  
  to modify the displayed hyerptree, by the computerized system, in response to the navigation command;
  
  wherein the navigation command comprises selective elimination or restoration of edges or nodes on the hypertree so as to enable the user to readily visualize interrelationships between the displayed nodes that are significant to a cybersecurity investigation or response.

18. A computer-readable, non-transitory, tangible medium comprising software that, when executed by a processor, causes the processor to perform a method of visualizing and navigating cybersecurity information, comprising:
- displaying a hypertree on a display device of a computerized system, comprising a plurality of nodes linked by edges, one or more of the nodes representing cybersecurity incidents, and one or more of the nodes representing elements or artifacts of cybersecurity incidents, the edges representing a specific relationship between the nodes linked by the edges;
  
  displaying, through the computerized system, an interactive navigation aid to enable a user to navigate the hypertree;
  
  receiving at the computerized system a navigation command from the user through the interactive navigation aid; and
  
  modifying the displayed hyerptree, by the computerized system, in response to the navigation command;
  
  wherein the navigation command comprises selective elimination or restoration of edges or nodes on the hypertree so as to enable the user to readily visualize interrelationships between the displayed nodes that are significant to a cybersecurity investigation or response.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SUMO Logic Italy SPA
Original Assignee
DF Labs
Inventors
Forte, Dario V.

Granted Patent

US 10,412,117 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 16/9027   Trees

G06F 16/904   Browsing; Visualisation the...

G06F 16/9538   Presentation of query results

G06F 16/954   Navigation, e.g. using cate...

G06F 3/04817   using icons graphical or vi...

G06F 3/0482   Interaction with lists of s...

G06F 3/04842   Selection of displayed obje...

G06F 3/04847   Interaction techniques to c...

G06F 9/451   Execution arrangements for ...

H04L 41/065   involving logical or physic...

H04L 41/0654   using network fault recover...

H04L 41/12   Discovery or management of ...

H04L 41/22   comprising specially adapte...

H04L 63/20   for managing network securi...

METHOD AND SYSTEM FOR AUTOMATED CYBERSECURITY INCIDENT AND ARTIFACT VISUALIZATION AND CORRELATION FOR SECURITY OPERATION CENTERS AND COMPUTER EMERGENCY RESPONSE TEAMS

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR AUTOMATED CYBERSECURITY INCIDENT AND ARTIFACT VISUALIZATION AND CORRELATION FOR SECURITY OPERATION CENTERS AND COMPUTER EMERGENCY RESPONSE TEAMS

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links