Analytics engine

US 8,990,947 B2
Filed: 06/18/2008
Issued: 03/24/2015
Est. Priority Date: 02/04/2008
Status: Active Grant

First Claim

Patent Images

1. A method implemented at least in part by a computer, the method comprising:

receiving dependency data that indicates dependencies among security components, a security component having a dependency on another security component if the security component uses output data generated by the other security component, the security components including a sensor;

receiving an indication that input data related to security has been received at the sensor;

executing the sensor to produce output data based on the input data, the executing of the sensor including, based at least in part on the dependency data, determining a set of the security components to execute and an order in which to execute the security components of the set, the set including the sensor;

providing the output data produced by the sensor to a rule, the rule being separate from the sensor;

evaluating the rule to produce a first candidate assessment comprising a proposed assessment regarding security of a computer-related asset, the first candidate assessment including a first fidelity;

generating by a consolidator a consolidated assessment regarding security of the computer-related asset by evaluating a plurality of proposed assessments comprising the first candidate assessment and a second candidate assessment regarding security of the computer-related asset, the second candidate assessment including a second fidelity and the first candidate assessment, second candidate assessment and consolidated assessment representing three security assessments of the same computer-related asset; and

providing output data from a first security component of the set of the security components to one or more other security components of the set that depend from the first security component.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Aspects of the subject matter described herein relate to a mechanism for assessing security. In aspects, an analytics engine is provided that manages execution, information storage, and data passing between various components of a security system. When data is available for analysis, the analytics engine determines which security components to execute and the order in which to execute the security components, where in some instances two or more components may be executed in parallel. The analytics engine then executes the components in the order determined and passes output from component to component as dictated by dependencies between the components. This is repeated until a security assessment is generated or updated. The analytics engine simplifies the work of creating and integrating various security components.

12 Citations

18 Claims

1. A method implemented at least in part by a computer, the method comprising:
- receiving dependency data that indicates dependencies among security components, a security component having a dependency on another security component if the security component uses output data generated by the other security component, the security components including a sensor;
  
  receiving an indication that input data related to security has been received at the sensor;
  
  executing the sensor to produce output data based on the input data, the executing of the sensor including, based at least in part on the dependency data, determining a set of the security components to execute and an order in which to execute the security components of the set, the set including the sensor;
  
  providing the output data produced by the sensor to a rule, the rule being separate from the sensor;
  
  evaluating the rule to produce a first candidate assessment comprising a proposed assessment regarding security of a computer-related asset, the first candidate assessment including a first fidelity;
  
  generating by a consolidator a consolidated assessment regarding security of the computer-related asset by evaluating a plurality of proposed assessments comprising the first candidate assessment and a second candidate assessment regarding security of the computer-related asset, the second candidate assessment including a second fidelity and the first candidate assessment, second candidate assessment and consolidated assessment representing three security assessments of the same computer-related asset; and
  
  providing output data from a first security component of the set of the security components to one or more other security components of the set that depend from the first security component.
- View Dependent Claims (2, 3, 4, 5, 11, 12, 13)
- - 2. The method of claim 1, further comprising storing the first candidate assessment in a candidate assessment store, the first candidate assessment including an expiration time and a severity, the first fidelity being one of at least three different possible fidelity values.
  - 3. The method of claim 1, further comprising producing a public assessment by publishing the consolidated assessment to an assessment store.
  - 4. The method of claim 1, wherein the sensor, the rule, and the consolidator maintain no state with respect to previous security assessments.
  - 5. The method of claim 3, wherein the public assessment including an expiration time, a severity, and a fidelity.
  - 11. The method of claim 1, wherein the input data is provided by another sensor that creates the input data by actions comprising examining other input data.
  - 12. The method of claim 11, wherein the other input data comprises as assessment.
  - 13. The method of claim 12, wherein the other input data comprises a log of a security component.

6. In a computing environment, an apparatus, comprising:
- a sensor operable to receive input data related to computer security and to provide output data in response thereto;
  
  a rule component operable to receive the output data and to generate a first candidate assessment comprising a proposed assessment based at least in part on the output data, the first candidate assessment including a first fidelity;
  
  a consolidator operable to determine a consolidated assessment by evaluating a plurality of proposed assessments comprising the first candidate assessment and a second candidate assessment including a second fidelity, the first candidate assessment, second candidate assessment and consolidated assessment representing three security assessments of the same computer-related asset; and
  
  a realizer operable to publish the consolidated assessment to an assessments store, making the consolidated assessment a public assessment; and
  
  a dependency unit configured to receive dependency data that indicates dependencies among security components, a security component having a dependency on another security component if the security component uses output data generated by the other security component, the sensor being one of the security components,the dependency unit being further configured to, based at least in part on the dependency data, determine a set of the security components to execute and an order in which to execute the security components of the set and to provide output data from a first security component of the set to one or more other security components of the set that depend on the first security component,the order including having two of the security components execute in parallel, the two security components not depending on each other directly or indirectly, the order further including having a first one or more other security components of the set that depend on the first security component execute after the first security component executes, each security component generating output data based solely on input data and logic included in the security component,the dependency unit being further configured to wait to execute a second security component until all security components upon which the second security component depends have completed execution.
- View Dependent Claims (7, 8, 9, 10, 14)
- - 7. The apparatus of claim 6, wherein the sensor receives the input data from a device remote from the apparatus.
  - 8. the apparatus of claim 6, wherein the sensor receives the input data from the assessments store.
  - 9. The apparatus of claim 6, wherein the sensor generates the output data using solely the input data and logic included in or associated with the sensor.
  - 10. The apparatus of claim 6, wherein the apparatus further comprises an engine that is operable to perform actions, comprising:
    - receiving the output data from the sensor;
      
      providing the output data from the sensor to the rule component;
      
      storing the first candidate assessment in a candidate assessment store;
      
      providing the first candidate assessment to the consolidator;
      
      providing the consolidated assessment to the realizer; and
      
      storing the consolidated assessment in the assessments store.
  - 14. The apparatus of claim 6, wherein the sensor receives the input data from another sensor.

15. A computer-readable storage device having computer-executable instructions recorded thereon, which when executed by at least one processor perform actions, the actions comprising:
- receiving dependency data that indicates dependencies among security components, a security component having a dependency on another security component if the security component uses output data generated by the other security component, the security components including a sensor;
  
  receiving an indication that input data related to security has been received at the sensor;
  
  executing the sensor to produce output data based on the input data, the executing of the sensor including, based at least in part on the dependency data, determining a set of the security components to execute and an order in which to execute the security components of the set, the set including the sensor;
  
  providing the output data produced by the sensor to a rule, the rule being separate from the sensor;
  
  evaluating the rule to produce a first candidate assessment comprising a proposed assessment regarding security of a computer-related asset, the first candidate assessment including a first fidelity;
  
  generating by a consolidator a consolidated assessment regarding security of the computer-related asset by evaluating a plurality of proposed assessments comprising the first candidate assessment and a second candidate assessment regarding security of the computer-related asset, the second candidate assessment including a second fidelity, the consolidated assessment including a third fidelity that is different from at least one of the first fidelity and the second fidelity and the first candidate assessment, second candidate assessment and consolidated assessment representing three security assessments of the same computer-related asset; and
  
  providing output data from a first security component of the set of security components to one or more other security components of the set that depends from the first security component.
- View Dependent Claims (16, 17, 18)
- - 16. The computer storage medium of claim 15, wherein the generating the consolidated assessment comprises merging a first time to expire included in the first candidate assessment with a second time to expire included in the second candidate assessment.
  - 17. The computer storage medium of claim 15, wherein the generating the consolidated assessment comprises merging a first start time included in the first candidate assessment with a second start time included in the second candidate assessment.
  - 18. The computer storage medium of claim 15, wherein the actions further comprise:
    - publishing the consolidated assessment to an assessments store.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Hudis, Efim, Zangi, Eyal, Sapir, Moshe, Weisberg, Tomer, Helman, Yair, Rubin, Shai Aharon, Dinerstein, Yosef, Arzi, Lior
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
KANAAN, SIMON P

Application Number

US12/141,897
Publication Number

US 20090199265A1
Time in Patent Office

2,470 Days
Field of Search

None
US Class Current

726/25
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6209   to a single file or object,...

G06F 2221/2145   Inheriting rights or proper...

G06F 2221/2151   Time stamp

G06N 5/025   Extracting rules from data

H04L 63/1433   Vulnerability analysis

Analytics engine

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Analytics engine

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others