DYNAMIC POLICY INJECTION AND ACCESS VISUALIZATION FOR THREAT DETECTION

US 20180084012A1
Filed: 09/15/2017
Published: 03/22/2018
Est. Priority Date: 09/16/2016
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more processors and non-transitory machine readable storage medium;

program instructions to monitor a live information flow, wherein the live information flow includes a flow of data from a source to a destination;

program instructions to provide a user interface that includes the source and the destination connected via a line;

program instructions to determine an occurrence of a security event within the live information flow based on a trigger of an enforcement policy, wherein the enforcement policy includes a specification of the source, the destination, and an enforcement action, and when the data within the one or more live information flows matches at least the source and the destination of the enforcement policy, the enforcement policy is triggered and the enforcement action is applied; and

program instructions to update the user interface to reflect the occurrence of the security event by;

(i) identifying an indicator of the enforcement policy, and (ii) displaying the line connecting the source and the destination running through the indicator of the enforcement policy,wherein the program instructions are stored on the non-transitory machine readable storage medium for execution by the one or more processors.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure relates generally to threat detection, and more particularly, to techniques for analyzing security events using dynamic policies and displaying a consolidated view of active threats and user activity including the dynamic policies being triggered by the active threats and user activity. Some aspects are directed to the concept of a policy bus for injecting and communicating the dynamic policies to multiple enforcement entities and the ability of the entities to respond to the policies dynamically. Other aspects are directed providing a consolidated view of active threat categories, a count of policies being triggered for each threat category, and associated trends. Yet other aspects are directed to providing a consolidated view of users, applications being accessed by users, and the access policies, if any, implicated by the such accesses.

Citations

20 Claims

1. A system comprising:
- one or more processors and non-transitory machine readable storage medium;
  
  program instructions to monitor a live information flow, wherein the live information flow includes a flow of data from a source to a destination;
  
  program instructions to provide a user interface that includes the source and the destination connected via a line;
  
  program instructions to determine an occurrence of a security event within the live information flow based on a trigger of an enforcement policy, wherein the enforcement policy includes a specification of the source, the destination, and an enforcement action, and when the data within the one or more live information flows matches at least the source and the destination of the enforcement policy, the enforcement policy is triggered and the enforcement action is applied; and
  
  program instructions to update the user interface to reflect the occurrence of the security event by;
  
  (i) identifying an indicator of the enforcement policy, and (ii) displaying the line connecting the source and the destination running through the indicator of the enforcement policy,wherein the program instructions are stored on the non-transitory machine readable storage medium for execution by the one or more processors.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the source is displayed on one side of a window of the user interface, the destination is displayed on a side of the window opposite the side having the source, and the indicator of the enforcement policy is displayed on the line between the source and the destination.
  - 3. The system of claim 1, further comprising program instructions to monitor one or more live information flows, wherein:
    - the live information flows include;
      
      (i) flows of data from a plurality of sources to a plurality of destinations, and (ii) one or more enforcement policies triggered by the data; and
      
      the user interface further includes;
      
      (i) one or more lines connecting each source from the plurality of sources with a corresponding destination from the plurality of destinations, and (ii) an indicator on each line for an enforcement policy triggered by the data flowing between each source and each destination.
  - 4. The system of claim 3, further comprising:
    - program instructions to receive user input corresponding to a selection of a particular source from the plurality of sources; and
      
      program instructions to display the live information flows starting at the particular source including the one or more enforcement policies triggered by the data within the live information flows.
  - 5. The system of claim 3, further comprising:
    - program instructions to receive user input corresponding to a selection of a particular destination from the plurality of destinations; and
      
      program instructions to display the live information flows ending at the particular destination including the one or more enforcement policies triggered by the data within the live information flows.
  - 6. The system of claim 3, further comprising:
    - program instructions to receive a request to create a dynamic enforcement policy based on the data, wherein the dynamic enforcement policy includes a specification of a source, a destination, an enforcement action, and a duration for the dynamic enforcement policy to be active;
      
      program instructions to publish the dynamic enforcement policy on a policy bus such that a plurality of agents have access to the dynamic enforcement policy;
      
      program instructions to implement the enforcement action for another security event within the one or more live information flows based on the dynamic enforcement policy, wherein at least one of the plurality of agents implements the enforcement action; and
      
      program instructions to update the user interface to reflect the implementation of the enforcement action for the another security event by;
      
      (i) identifying an indicator of the enforcement policy, and (ii) displaying a line connecting the source and the destination running through the indicator of the enforcement policy.
  - 7. The system of claim 6, wherein during the duration for the dynamic enforcement policy to be active, the dynamic enforcement policy overwrites a static enforcement policy that includes a specification of the same source and the same destination provided within the dynamic enforcement policy.

8. A non-transitory machine readable storage medium having instructions stored thereon that when executed by one or more processors cause the one or more processors to perform a method comprising:
- monitoring a live information flow, wherein the live information flows includes a flow of data from a source to a destination;
  
  providing a user interface that includes the source and the destination connected via a line;
  
  determining an occurrence of a security event within the live information flow based on a trigger of an enforcement policy, wherein the enforcement policy includes a specification of the source, the destination, and an enforcement action, and when the data within the one or more live information flows matches at least the source and the destination of the enforcement policy, the enforcement policy is triggered and the enforcement action is applied; and
  
  updating the user interface to reflect the occurrence of the security event by;
  
  (i) identifying an indicator of the enforcement policy, and (ii) displaying the line connecting the source and the destination running through the indicator of the enforcement policy.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory machine readable storage medium of claim 8, wherein the source is displayed on one side of a window of the user interface, the destination is displayed on a side of the window opposite the side having the source, and the indicator of the enforcement policy is displayed on the line between the source and the destination.
  - 10. The non-transitory machine readable storage medium of claim 8, wherein the method further comprises monitoring one or more live information flows, wherein:
    - the live information flows include;
      
      (i) flows of data from a plurality of sources to a plurality of destinations, and (ii) one or more enforcement policies triggered by the data; and
      
      the user interface further includes;
      
      (i) one or more lines connecting each source from the plurality of sources with a corresponding destination from the plurality of destinations, and (ii) an indicator on each line for an enforcement policy triggered by the data flowing between each source and each destination.
  - 11. The non-transitory machine readable storage medium of claim 10, wherein the method further comprises:
    - receiving user input corresponding to a selection of a particular source from the plurality of sources; and
      
      displaying the live information flows starting at the particular source including the one or more enforcement policies triggered by the data within the live information flows.
  - 12. The non-transitory machine readable storage medium of claim 10, wherein the method further comprises:
    - receiving user input corresponding to a selection of a particular destination from the plurality of destinations; and
      
      displaying the live information flows ending at the particular destination including the one or more enforcement policies triggered by the data within the live information flows.
  - 13. The non-transitory machine readable storage medium of claim 10, wherein the method further comprises:
    - receiving a request to create a dynamic enforcement policy based on the data, wherein the dynamic enforcement policy includes a specification of a source, a destination, an enforcement action, and a duration for the dynamic enforcement policy to be active;
      
      publishing the dynamic enforcement policy on a policy bus such that a plurality of agents have access to the dynamic enforcement policy;
      
      implementing the enforcement action for another security event within the one or more live information flows based on the dynamic enforcement policy, wherein at least one of the plurality of agents implements the enforcement action; and
      
      updating the user interface to reflect the implementation of the enforcement action for the another security event by;
      
      (i) identifying an indicator of the enforcement policy, and (ii) displaying a line connecting the source and the destination running through the indicator of the enforcement policy.
  - 14. The non-transitory machine readable storage medium of claim 13, wherein during the duration for the dynamic enforcement policy to be active, the dynamic enforcement policy overwrites a static enforcement policy that includes a specification of the same source and the same destination provided within the dynamic enforcement policy.

15. A method comprising:
- monitoring, by a computing system, a live information flow, wherein the live information flows includes a flow of data from a source to a destination;
  
  providing, by the computing system, a user interface that includes the source and the destination connected via a line;
  
  determining, by the computing system, an occurrence of a security event within the live information flow based on a trigger of an enforcement policy, wherein the enforcement policy includes a specification of the source, the destination, and an enforcement action, and when the data within the one or more live information flows matches at least the source and the destination of the enforcement policy, the enforcement policy is triggered and the enforcement action is applied; and
  
  updating, by the computing system, the user interface to reflect the occurrence of the security event by;
  
  (i) identifying an indicator of the enforcement policy, and (ii) displaying the line connecting the source and the destination running through the indicator of the enforcement policy.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, wherein the source is displayed on one side of a window of the user interface, the destination is displayed on a side of the window opposite the side having the source, and the indicator of the enforcement policy is displayed on the line between the source and the destination.
  - 17. The method of claim 15, further comprising monitoring, by the computing system, one or more live information flows, wherein:
    - the live information flows include;
      
      (i) flows of data from a plurality of sources to a plurality of destinations, and (ii) one or more enforcement policies triggered by the data; and
      
      the user interface further includes;
      
      (i) one or more lines connecting each source from the plurality of sources with a corresponding destination from the plurality of destinations, and (ii) an indicator on each line for an enforcement policy triggered by the data flowing between each source and each destination.
  - 18. The method of claim 17, further comprising:
    - receiving, by the computing system, user input corresponding to a selection of a particular source from the plurality of sources; and
      
      displaying, by the computing system, the live information flows starting at the particular source including the one or more enforcement policies triggered by the data within the live information flows.
  - 19. The method of claim 17, further comprising:
    - receiving, by the computing system, user input corresponding to a selection of a particular destination from the plurality of destinations; and
      
      displaying, by the computing system, the live information flows ending at the particular destination including the one or more enforcement policies triggered by the data within the live information flows.
  - 20. The method of claim 17, further comprising:
    - receiving, by the computing system, a request to create a dynamic enforcement policy based on the data, wherein the dynamic enforcement policy includes a specification of a source, a destination, an enforcement action, and a duration for the dynamic enforcement policy to be active;
      
      publishing, by the computing system, the dynamic enforcement policy on a policy bus such that a plurality of agents have access to the dynamic enforcement policy;
      
      implementing, by the computing system, the enforcement action for another security event within the one or more live information flows based on the dynamic enforcement policy, wherein at least one of the plurality of agents implements the enforcement action; and
      
      updating, by the computing system, the user interface to reflect the implementation of the enforcement action for the another security event by;
      
      (i) identifying an indicator of the enforcement policy, and (ii) displaying a line connecting the source and the destination running through the indicator of the enforcement policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Joseph, Aji, Raote, Paresh, Hariharan, Lakshmi, Mahajan, Kanishk, Kolli, Ashish, Banerjee, Moushmi, Weiser, Yitzchak, Xie, Weifang, Cui, Jingyu

Granted Patent

US 10,547,646 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/108   when the policy decisions a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

DYNAMIC POLICY INJECTION AND ACCESS VISUALIZATION FOR THREAT DETECTION

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DYNAMIC POLICY INJECTION AND ACCESS VISUALIZATION FOR THREAT DETECTION

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links