Automated security analytics platform with visualization agnostic selection linked portlets

US 8,984,633 B2
Filed: 11/14/2012
Issued: 03/17/2015
Est. Priority Date: 11/14/2012
Status: Active Grant

First Claim

Patent Images

1. A method for presenting network security information at a display, the method comprising:

storing the network security information directly from network sensors in an active memory, the network sensors applying publish and subscribe to link the output of at least some security modules to at least other security modules that relate network security information to security of the network;

applying a parent filter set to the network security information to select parent information for presentation in a parent portlet, the presented parent information relating to security of a network;

presenting the parent information in the parent portlet at the display with a selected of plural visualizations;

interacting through the display with the parent portlet to present a child portlet, the child portlet having at least the parent filter and at least one unique factor relative to the parent portlet, the presented child portlet relating to security of the network,wherein interacting through the display with the parent portlet further comprises;

selecting at the parent portlet plural types of information presented at the visualization;

in response to the selecting, generating a filter for each selected type of information; and

presenting each selected type of information in the child portlet with the unique factor of the information other than the selected types being filtered out of the presentation;

preselecting a visualization of the plural visualizations to use in the presenting of each selected type of information in the child portlet; and

automatically applying the preselected visualization upon the selecting.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Visualization agnostic selection linked portlets provide a tree from a parent to one or more children that present each portlet with its own visualization and data synchronized with a root portlet based upon related filters. Each portlet uses its visualization to display a data set derived by applying its filter in conjunction with the filters of its ancestors. Each portlet then presents data that is at most the same size as its root in a visualization adapted to the child'"'"'s type and quantity of data.

12 Citations

View as Search Results

18 Claims

1. A method for presenting network security information at a display, the method comprising:
- storing the network security information directly from network sensors in an active memory, the network sensors applying publish and subscribe to link the output of at least some security modules to at least other security modules that relate network security information to security of the network;
  
  applying a parent filter set to the network security information to select parent information for presentation in a parent portlet, the presented parent information relating to security of a network;
  
  presenting the parent information in the parent portlet at the display with a selected of plural visualizations;
  
  interacting through the display with the parent portlet to present a child portlet, the child portlet having at least the parent filter and at least one unique factor relative to the parent portlet, the presented child portlet relating to security of the network,wherein interacting through the display with the parent portlet further comprises;
  
  selecting at the parent portlet plural types of information presented at the visualization;
  
  in response to the selecting, generating a filter for each selected type of information; and
  
  presenting each selected type of information in the child portlet with the unique factor of the information other than the selected types being filtered out of the presentation;
  
  preselecting a visualization of the plural visualizations to use in the presenting of each selected type of information in the child portlet; and
  
  automatically applying the preselected visualization upon the selecting.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein interacting through the display with the parent portlet further comprises:
    - locking the parent filter for use with the child portlet; and
      
      presenting the parent information in the child portlet with the unique factor of a selected of the plural visualizations and a second factor, the second factor having a visualization different from the visualization of the parent portlet.
  - 3. The method of claim 2 further comprising:
    - altering the network security information stored in the memory;
      
      filtering the altered network security information with the parent filter set; and
      
      synchronizing the altered network security information for presentation at the parent and child portlets.
  - 4. The method of claim 1 further comprising:
    - adding at least one filter to the parent filter set for use with the child portlet;
      
      filtering the root information with the added at least one filter; and
      
      presenting child portlet with the unique factor of the visualization in the child portlet presenting the parent information filtered by the at least one filter.
  - 5. The method of claim 4 wherein the parent portlet and child portlet have a common visualization.
  - 6. The method of claim 1 wherein the visualization of the parent portlet comprises a bar graph having plural bars, the selecting at the parent portlet further comprises selecting a bar of the bar graph for each type of information, and presenting each type of information in the child portlet further comprises presenting information aggregated by the selected bars.
  - 7. The method of claim 1 wherein the information comprises network telemetry information sensed at a network.

8. A system for analyzing network telemetry information with a network security platform to detect network security threats, the system comprising:
- a processor operable to process the network telemetry information by executing the network security platform to retrieve the network telemetry information from an active random access memory without a database structure, the network security platform relating at least some of the network telemetry information to each other in a logical tree by binding the network telemetry information to input and output specifications as the network telemetry information is stored in the active random access memory;
  
  an active random access memory interfaced with the processor, the memory storing the network telemetry information for access by the processor;
  
  a display interfaced with the processor for presenting the network telemetry information as visual images;
  
  a visualization module having plural visualizations to present network telemetry information as visual images, the visualization module operable to accept preselection of visualizations from the plural visualizations to use in presenting predetermined information and to automatically apply the preselected visualizations upon selection of presentation of the predetermined information;
  
  a portlet module operable to accept a visualization selection and a filter from a user and to apply the visualization selection and filter to the network telemetry information to present a portlet having an image at the display, the image representing filtered network telemetry information in the selected visualization; and
  
  a child portlet initiator associated with the portlet and operable to accept a user input to initiate presentation of a child portlet of the presented portlet with the portlet module, the child portlet having at least the filter and at least one unique factor relative to the presented portlet, the child portlet having an image at the display of the network telemetry information, the at least one unique factor determined by end user interaction with the parent portlet to select at the parent portlet plural types of information presented at the visualization, to generate a filter for each selected type of information and to present each selected type of information in the child portlet.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The system of claim 8 wherein the unique factor comprises locking the filter and presenting the filtered network telemetry information with a selected of the plural visualizations different from the visualization of the presented portlet.
  - 10. The system of claim 8 wherein the portlet module is further operable to:
    - detect one or more alterations of the network telemetry information stored in the memory;
      
      filter the altered network telemetry information with the filter set; and
      
      synchronize the altered network telemetry information for presentation at the presented portlet and the child portlet.
  - 11. The system of claim 8 wherein the unique factor comprises at least one additional filter for use with the child portlet and wherein the portlet module applies the filter and the at least one additional filter to determine the network telemetry information presented in the child portlet.
  - 12. The system of claim 11 wherein presented portlet and the child portlet have a common visualization.
  - 13. The system of claim 8 wherein the child portlet initiator comprises one or more images in the presented portlet, the one or more images representing a portion of the filtered network telemetry information, the child portlet initiator responding to the selection of the image by using the portion to generate one or more additional filters, the portlet module applying the one or more additional filters to present in the child portlet only the filtered network telemetry information associated with the one or more images.
  - 14. The system of claim 13 wherein the one or more images comprise one or more aggregations of filtered network telemetry information.
  - 15. The system of claim 8 wherein the memory is dynamic random access memory.

16. A non-transitory machine readable medium comprising instructions operable to execute on a processor to manage network telemetry information presented at a display by:
- receiving network telemetry information at an active memory;
  
  applying portions of the network telemetry information to security modules as the network telemetry information is received in the active memory by publishing and subscribing the network telemetry information identified by one or more output specifications to the security modules;
  
  deleting network telemetry information from the active memory that is not identified by the one or more output specifications;
  
  applying a parent filter set to the network telemetry information to select parent information for presentation in a parent portlet;
  
  presenting the parent information in the parent portlet at the display with a selected of plural visualizations; and
  
  accepting an input through the display at the parent portlet to present a child portlet, the child portlet having at least the parent filter and at least one unique factor relative to the parent portlet, the child portlet presenting an image representing network telemetry information filtered from the parent portlet;
  
  preselecting a visualization of the plural visualizations to use in the presenting of each selected type of information in the child portlet; and
  
  automatically applying the preselected visualization upon the child portlet presenting the image representing network telemetry information;
  
  wherein accepting an input through the display at the parent portlet to present a child portlet further comprises;
  
  selecting at the parent portlet plural types of information presented at the visualization;
  
  in response to the selecting, generating a filter for each selected type of information; and
  
  presenting each selected type of information in the child portlet with the parent information other than the selected types being filtered out of the presentation.
- View Dependent Claims (17, 18)
- - 17. The machine readable medium of claim 16 wherein the unique factor comprises a lock of the parent filter for use with the child portlet and a visualization for use with the child portlet that differs from the visualization of the parent portlet.
  - 18. The machine readable medium of claim 16 wherein the input comprises a selection at a portion of the parent portlet and the unique factor comprises a filter added to the parent filter to remove network telemetry information other than network telemetry information associated with the selected portion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alert Logic Incorporated
Original Assignee
Click Security, Inc. (Alert Logic Incorporated)
Inventors
Reutter, Andrew
Primary Examiner(s)
Nalven, Andrew
Assistant Examiner(s)
FIELDS, COURTNEY D

Application Number

US13/677,160
Publication Number

US 20140137243A1
Time in Patent Office

853 Days
Field of Search

726/22, 726/28, 726/24, 707/103, 709/224, 709/219, 709/206, 713/201
US Class Current

726/22
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/0218   Distributed architectures, ...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Automated security analytics platform with visualization agnostic selection linked portlets

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Automated security analytics platform with visualization agnostic selection linked portlets

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links