NON-RULE BASED SECURITY RISK DETECTION

US 20190020667A1
Filed: 07/14/2017
Published: 01/17/2019
Est. Priority Date: 07/14/2017
Status: Active Grant

First Claim

Patent Images

1. A non-rule based security detection method comprising:

identifying a plurality of data sources;

generating a baseline for each data source, wherein the baseline includes a plurality of data source outputs that are evaluated over a time period;

detecting a plurality of data source anomalies, in which each data source anomaly is associated with at least one data source output exceeding a threshold for the data source baseline;

identify a geolocation for each data source anomaly;

generating a plurality of correlations with the plurality of data source anomalies and the geolocation for each data source anomaly; and

associating at least one correlation with a security event.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A non-rule based security detection system and method is described. The method includes identifying a plurality of data sources. The method then proceeds to generate a baseline for each data source. The baseline includes a plurality of data source outputs that are evaluated over a time period. A plurality of data source anomalies are detected, in which each data source anomaly is associated with at least one data source output exceeding a threshold for the data source baseline. A geolocation for each data source anomaly is then identified. A plurality of correlations between the plurality of data source anomalies and the geolocation for each data source anomaly are generated. At least one correlation is associated with a security event.

40 Citations

View as Search Results

21 Claims

1. A non-rule based security detection method comprising:
- identifying a plurality of data sources;
  
  generating a baseline for each data source, wherein the baseline includes a plurality of data source outputs that are evaluated over a time period;
  
  detecting a plurality of data source anomalies, in which each data source anomaly is associated with at least one data source output exceeding a threshold for the data source baseline;
  
  identify a geolocation for each data source anomaly;
  
  generating a plurality of correlations with the plurality of data source anomalies and the geolocation for each data source anomaly; and
  
  associating at least one correlation with a security event.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The security detection method of claim 1 further comprising,receiving a trouble ticket, andassociating the trouble ticket with at least one security event.
  - 3. The security detection method of claim 1 further comprising,performing a flow analysis, in which a data source baseline is established for at least one data source, andgenerating an alert when there are changes to the data source baseline.
  - 4. The security detection method of claim 1 further comprising,performing a malware analysis, in which an alert is detected that identifies an executable file,identifying an IP address for each computing device attempting to launch the executable file,correlating a plurality of received emails with the computing device attempting to launch the executable file.
  - 5. The security detection method of claim 1 further comprising,performing a Virtual Private Network (VPN) analysis, in which a VPN connection baseline is established for a plurality of computing devices,identifying an IP address for each computing device,determining a geolocation for each IP address;
    - identifying a failed login attempt based on the geolocation of the computing device that attempted the failed login; and
      
      generating an alert when the failed login attempt based on the geolocation of the computing device is inconsistent with the VPN connection baseline.
  - 6. The security detection method of claim 1 further comprising,performing an account validation, in which an anomalous account validation data flow is detected over the time period, andcorrelating at least one of an administrator login activity and a privileged user login activity with the anomalous account validation data flow.
  - 7. The security detection method of claim 1 further comprising,performing an email analysis, in which an email baseline is determined, andgenerating an email alert when an email address operates inconsistently with an email baseline.

8. A non-rule based security detection system comprising:
- a database that receives data from a plurality of data sources;
  
  a sub-system that generates a baseline for each data source, wherein the baseline includes a plurality of data source outputs that are evaluated over a time period;
  
  the sub-system configured to detect a plurality of data source anomalies, in which each data source anomaly is associated with at least one data source output exceeding a threshold for the data source baseline;
  
  the sub-system identifying a geolocation for each data source anomaly;
  
  the sub-system generating a plurality of correlations with the plurality of data source anomalies and the geolocation for each data source anomaly; and
  
  the sub-system associating at least one correlation with a security event.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-rule based security detection method of claim 8 further comprising,the sub-system receiving a trouble ticket, andthe sub-system associating the trouble ticket with at least one security event.
  - 10. The non-rule based security detection system of claim 8 further comprising,the sub-system performing a flow analysis, in which a data source baseline is established for at least one data source, andthe sub-system generating an alert when there are changes to the data source baseline.
  - 11. The non-rule based security detection system of claim 8 further comprising,the sub-system performing a malware analysis, in which an alert is detected that identifies an executable file,the sub-system identifying an IP address for each computing device attempting to launch the executable file,the sub-system correlating a plurality of received emails with the computing device attempting to launch the executable file.
  - 12. The non-rule based security detection system of claim 8 further comprising,the sub-system performing a Virtual Private Network (VPN) analysis, in which a VPN connection baseline is established for a plurality of computing devices,the sub-system identifying an IP address for each computing device,the sub-system determining a geolocation for each IP address;
    - the sub-system identifying a failed login attempt based on the geolocation of the computing device that attempted the failed login; and
      
      the sub-system generating an alert when the failed login attempt based on the geolocation of the computing device is inconsistent with the VPN connection baseline.
  - 13. The non-rule based security detection system of claim 8 further comprising,the sub-system performing an account validation, in which an anomalous account validation data flow is detected over the time period, andthe sub-system correlating at least one of an administrator login activity and a privileged user login activity with the anomalous account validation data flow.
  - 14. The non-rule based security detection system of claim 8 further comprising,the sub-system performing an email analysis, in which an email baseline is determined, andthe sub-system generating an email alert when an email address operates inconsistently with an email baseline.

15. A non-rule based security detection system comprising:
- a database that receives data from a plurality of data sources;
  
  a timeline module that generates a baseline for each data source, wherein the baseline includes a plurality of data source outputs that are evaluated over a time period;
  
  the timeline module configured to detect a plurality of data source anomalies, in which each data source anomaly is associated with at least one data source output exceeding a threshold for the data source baseline;
  
  a geolocation module configured to identify a geolocation for each data source anomaly;
  
  a correlation module configured to generate a plurality of correlations with the plurality of data source anomalies and the geolocation for each data source anomaly; and
  
  the correlation module associating at least one correlation with a security event.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The non-rule based security detection method of claim 15 further comprising,a trouble ticket that is received, andthe trouble ticket being associated with at least one security event.
  - 17. The non-rule based security detection system of claim 15 further comprising a data source baseline that is established for at least one data source, and generating an alert when there are changes to the data source baseline.
  - 18. The non-rule based security detection system of claim 15 further comprising,a malware analysis, in which an alert is detected that identifies an executable file,an IP address that is identified for each computing device attempting to launch the executable file,a plurality of received emails correlated with the computing device attempting to launch the executable file.
  - 19. The non-rule based security detection system of claim 15 further comprising,a Virtual Private Network (VPN) analysis performed with a VPN connection baseline that is established for a plurality of computing devices,an IP address identified for each computing device,a geolocation determined for each IP address,a failed login identified attempt based on the geolocation of the computing device that attempted the failed login;
    - andan alert generated when the failed login attempt based on the geolocation of the computing device is inconsistent with the VPN connection baseline.
  - 20. The non-rule based security detection system of claim 15 further comprising,an account validation, in which an anomalous account validation data flow is detected over the time period, andat least one of an administrator login activity correlated with a privileged user login activity and the anomalous account validation data flow.
  - 21. The non-rule based security detection system of claim 15 further comprising,an email analysis, in which an email baseline is determined, andan email alert generated when an email address operates inconsistently with an email baseline.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Guavus, Inc. (Thales SA)
Original Assignee
Guavus, Inc. (Thales SA)
Inventors
Parker, Benjamin James

Granted Patent

US 10,601,844 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/107   wherein the security polici...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

NON-RULE BASED SECURITY RISK DETECTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

40 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

NON-RULE BASED SECURITY RISK DETECTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others