System and method for collaborative information security correlation in low bandwidth environments

US 7,950,058 B1
Filed: 09/01/2005
Issued: 05/24/2011
Est. Priority Date: 09/01/2005
Status: Active Grant

First Claim

Patent Images

1. A method for security information management in a network, comprising:

receiving event information for a plurality of events at a first network node, wherein the event information for a particular event comprises a plurality of attributes associated with the particular event;

assigning a plurality of attribute values to each event, the attribute values of each event defining a point in n-dimensional space;

generating a first n-dimensional graph comprising a plurality of points, the points corresponding to the events;

receiving a second n-dimensional graph comprising a plurality of points, the second n-dimensional graph generated by a second network node;

dimming the plurality of points in the second n-dimensional graph based at least in part on a distance between the first network node and the second network node, wherein;

dimming the plurality of points in the second n-dimensional graph comprises reducing visibility of the plurality of points in the second n-dimensional graph by a percentage; and

the percentage is based at least in part on the distance between the first network node and the second network node; and

combining the first n-dimensional graph with the second n-dimensional graph to generate a third n-dimensional graph comprising points from each of the first n-dimensional graph and the second n-dimensional graph, the points of the third n-dimensional graph that are from the second n-dimensional graph being dimmed based at least in part on the distance between the first network node and the second network node.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for security information management in a network comprises receiving event information for a plurality of events, wherein the event information for a particular event comprises a plurality of attributes associated with that event. The method continues by assigning a plurality of attribute values to each event, the attribute values of each event defining a point in n-dimensional space. The method continues by generating a first n-dimensional graph comprising a plurality of points, the points corresponding to the events. The method continues by receiving a second n-dimensional graph comprising a plurality of points. The method concludes by combining the first n-dimensional graph with the second n-dimensional graph.

89 Citations

View as Search Results

34 Claims

1. A method for security information management in a network, comprising:
- receiving event information for a plurality of events at a first network node, wherein the event information for a particular event comprises a plurality of attributes associated with the particular event;
  
  assigning a plurality of attribute values to each event, the attribute values of each event defining a point in n-dimensional space;
  
  generating a first n-dimensional graph comprising a plurality of points, the points corresponding to the events;
  
  receiving a second n-dimensional graph comprising a plurality of points, the second n-dimensional graph generated by a second network node;
  
  dimming the plurality of points in the second n-dimensional graph based at least in part on a distance between the first network node and the second network node, wherein;
  
  dimming the plurality of points in the second n-dimensional graph comprises reducing visibility of the plurality of points in the second n-dimensional graph by a percentage; and
  
  the percentage is based at least in part on the distance between the first network node and the second network node; and
  
  combining the first n-dimensional graph with the second n-dimensional graph to generate a third n-dimensional graph comprising points from each of the first n-dimensional graph and the second n-dimensional graph, the points of the third n-dimensional graph that are from the second n-dimensional graph being dimmed based at least in part on the distance between the first network node and the second network node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the plurality of attributes comprises a source Internet Protocol address and a destination Internet Protocol address.
  - 3. The method of claim 2, wherein the first and second network nodes are communicatively linked by at least one bandwidth constrained network connection.
  - 4. The method of claim 1, further comprising:
    - sending the second n-dimensional graph from the second network node to the first network node; and
      
      identifying a state of the network based at least in part on the combination of the first and second n-dimensional graphs.
  - 5. The method of claim 1, wherein generating a first n-dimensional graph comprises plotting each of the plurality of events in accordance with the attribute values assigned to that event.
  - 6. The method of claim 1, wherein the first and second network nodes are wireless terminals communicatively coupled by a radio wave link.
  - 7. The method of claim 1, further comprising generating an alert based at least in part on a cluster of points in the third n-dimensional graph, wherein:
    - the alert has a medium severity if all points in the cluster have a visibility from 50 percent to 100 percent; and
      
      the alert has a high severity if all points in the cluster have a visibility from 75 percent to 100 percent.
  - 8. The method of claim 1, further comprising:
    - identifying at least one cluster of points in the combination of the first and second n-dimensional graphs; and
      
      displaying information associated with the points in the at least one cluster of points.
  - 9. The method of claim 8, further comprising generating an alert based on the at least one cluster of points.
  - 10. The method of claim 8, wherein the identification is performed using at least one Gaussian distribution function.
  - 11. The method of claim 1, further comprising compressing at least one n-dimensional graph by means of lossy or lossless compression.
  - 12. The method of claim 1, further comprising storing the first n-dimensional graph in a memory at a first network node and storing the second n-dimensional graph in a memory at a second network node.
  - 13. The method of claim 1, wherein at least a portion of the events comprise alerts generated in a military information system.
  - 14. The method of claim 1, wherein the event information is received by a plurality of sensors configured to receive data associated with potential attacks on at least one enterprise network.

15. A system for security information management in a network, comprising a first network node and a second network node, the first and second network nodes each comprising:
- at least one sensor configured to receive event information for a plurality of events, wherein the event information for a particular event comprises a plurality of attributes associated with the particular event; and
  
  a processor configured to;
  
  assign a plurality of attribute values to each event, the attribute values of each event defining a point in n-dimensional space;
  
  generate a first n-dimensional graph comprising a plurality of points, the points corresponding to the events;
  
  receive a second n-dimensional graph comprising a plurality of points;
  
  dim the plurality of points in the second n-dimensional graph based at least in part on a distance between the first network node and the second network node, wherein;
  
  dimming the plurality of points in the second n-dimensional graph comprises reducing visibility of the plurality of points in the second n-dimensional graph by a percentage; and
  
  the percentage is based at least in part on the distance between the first network node and the second network node; and
  
  combine the first n-dimensional graph with the second n-dimensional graph to generate a third n-dimensional graph comprising points from each of the first n-dimensional graph and the second n-dimensional graph, the points of the third n-dimensional graph that are from the second n-dimensional graph being dimmed based at least in part on the distance between the first network node and the second network node.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 16. The system of claim 15, wherein the processor is configured to identify a state of the network based at least in part on the combination of the first and second n-dimensional graphs.
  - 17. The system of claim 15, wherein the first and second network nodes are communicatively linked by at least one bandwidth constrained network connection.
  - 18. The system of claim 15, wherein the processor is configured to generate the first n-dimensional graph by plotting a plurality of points, each point corresponding to the attribute values assigned to a particular event.
  - 19. The system of claim 15, wherein:
    - the first and second network nodes each comprises a graphical user interface;
      
      the processor is further configured to identify at least one cluster of points in the combination of the first and second n-dimensional graphs; and
      
      the graphical user interface is configured to display information associated with the points in the at least one cluster of points.
  - 20. The system of claim 19, wherein the processor is further configured to generate an alert based on the at least one cluster of points.
  - 21. The system of claim 19, wherein the processor is configured to identify the at least one cluster of points using at least one Gaussian distribution function.
  - 22. The system of claim 15, wherein the processor is configured to compress at least one n-dimensional graph by means of lossy or lossless compression.
  - 23. The system of claim 15, further comprising a memory configured to store the first n-dimensional graph.
  - 24. The system of claim 15, wherein at least a portion of the events comprise alerts generated in a military information system.

25. An apparatus for security information management in a network, comprising:
- at least one sensor configured to receive, at a first network node, event information for a plurality of events, wherein the event information for a particular event comprises a plurality of attributes associated with the particular event; and
  
  a processor configured to;
  
  assign a plurality of attribute values to each event, the attribute values of each event defining a point in n-dimensional space;
  
  generate a first n-dimensional graph comprising a plurality of points, the points corresponding to the events;
  
  receive a second n-dimensional graph comprising a plurality of points, the second n-dimensional graph generated by a second network node;
  
  dim the plurality of points in the second n-dimensional graph based at least in part on a distance between the first network node and the second network node, wherein;
  
  dimming the plurality of points in the second n-dimensional graph comprises reducing visibility of the plurality of points in the second n-dimensional graph by a percentage; and
  
  the percentage is based at least in part on the distance between the first network node and the second network node; and
  
  combine the first n-dimensional graph with the second n-dimensional graph to generate a third n-dimensional graph comprising points from each of the first n-dimensional graph and the second n-dimensional graph, the points of the third n-dimensional graph that are from the second n-dimensional graph being dimmed based at least in part on the distance between the first network node and the second network node.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 26. The apparatus of claim 25, wherein the processor is further configured to identify a state of the network based at least in part on the combination of the first and second n-dimensional graphs.
  - 27. The apparatus of claim 25, wherein the processor is configured to send one or more n-dimensional graphs to one or more nodes of the network.
  - 28. The apparatus of claim 25, further comprising one or more bandwidth constrained communication links from the apparatus to one or more nodes of the network.
  - 29. The apparatus of claim 25, wherein the processor is configured to generate the first n-dimensional graph by plotting a plurality of points, each point corresponding to the attribute values assigned to a particular event.
  - 30. The apparatus of claim 25, further comprising a graphical user interface and wherein:
    - the processor is configured to identify at least one cluster of points in the combination of the first and second n-dimensional graphs; and
      
      the graphical user interface is configured to display information associated with the points in the at least one cluster of points.
  - 31. The apparatus of claim 30, wherein the processor is further configured to generate an alert based at least in part on the at least one cluster of points.
  - 32. The apparatus of claim 30, further comprising a memory and wherein:
    - the memory is configured to store at least one Gaussian distribution function; and
      
      the processor is configured to identify the at least one cluster of points using the at least one Gaussian distribution function.
  - 33. The apparatus of claim 25, wherein the processor is further configured to compress at least one n-dimensional graph by means of lossy or lossless compression.
  - 34. The apparatus of claim 25, wherein at least a portion of the events comprise alerts generated in a military information system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint Federal Holdings LLC (Forcepoint LLC)
Original Assignee
Raytheon Company (Rtx Corporation)
Inventors
Rockwood, Troy Dean
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
NGUYEN, TRONG H

Application Number

US11/219,291
Time in Patent Office

2,091 Days
Field of Search

726 11- 13, 726 22- 23, 726/25, 340521-522, 340/546, 340/945, 340/961, 345/440
US Class Current

726/23
CPC Class Codes

H04L 41/0686 Additional information in t...

H04L 63/1416 Event detection, e.g. attac...

System and method for collaborative information security correlation in low bandwidth environments

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

89 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for collaborative information security correlation in low bandwidth environments

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

89 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links