Security threat detection associated with security events and an actor category model

US 9,069,954 B2
Filed: 05/20/2011
Issued: 06/30/2015
Est. Priority Date: 05/25/2010
Status: Expired due to Fees

First Claim

Patent Images

1. A method of determining a security threat comprising:

storing security events associated with network devices;

storing an actor category model including a plurality of levels arranged in a hierarchy, wherein each level is associated with a subcategory for a category of the actor category model, wherein the actor category model comprises an attribute for users, and the actor category model comprises parent-child relationships between the plurality of levels, and child levels inherit rules from their parent levels;

correlating security events with the actor category model,wherein the correlating of the security events with the actor category model includesidentifying a user for each security event;

determining the actor category model is applicable to the user for each security event and any of the security events associated with the user by matching the attribute for users in the actor category model with a user attribute of the user in a user data model; and

identifying a level in the actor category model associated with the user for each security event; and

determining, by at least one processor, whether the security threat exists based on the correlating,wherein the determining of whether the security threat exists based on the correlating includesdetermining a security rule for the identified level; and

determining whether the security threat exists by applying the security rule.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Security events associated with network devices and an actor category model are stored (501, 503). The actor category model includes levels arranged in a hierarchy and each level is associated with a subcategory for a category of the model. Security events are correlated with the actor category model (505), and a determination of whether a security threat exists is performed based on the correlating (506).

Citations

17 Claims

1. A method of determining a security threat comprising:
- storing security events associated with network devices;
  
  storing an actor category model including a plurality of levels arranged in a hierarchy, wherein each level is associated with a subcategory for a category of the actor category model, wherein the actor category model comprises an attribute for users, and the actor category model comprises parent-child relationships between the plurality of levels, and child levels inherit rules from their parent levels;
  
  correlating security events with the actor category model,wherein the correlating of the security events with the actor category model includesidentifying a user for each security event;
  
  determining the actor category model is applicable to the user for each security event and any of the security events associated with the user by matching the attribute for users in the actor category model with a user attribute of the user in a user data model; and
  
  identifying a level in the actor category model associated with the user for each security event; and
  
  determining, by at least one processor, whether the security threat exists based on the correlating,wherein the determining of whether the security threat exists based on the correlating includesdetermining a security rule for the identified level; and
  
  determining whether the security threat exists by applying the security rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, comprising:
    - aggregating two or more of the security events into an aggregated event based on the correlating, wherein the aggregated event satisfies a condition in the identified rule.
  - 3. The method of claim 1, further comprising:
    - modifying an attribute or a parent-child relationship in the actor category model; and
      
      storing the modified actor category model.
  - 4. The method of claim 1, further comprising:
    - providing a notification responsive to a determination that the network security threat exists.
  - 5. The method of claim 1, comprising:
    - storing the user data model including an individual unique user identifier (ID) and an account for the user for each security event;
      
      storing history in the user data model indicating a time period the user account is associated with the unique user ID; and
      
      associating the user with a security event of the security events based on the history.
  - 6. The method of claim 1, comprising:
    - storing a plurality of actor category models;
      
      for each actor category model, determining whether the actor category model is associated with the security events based on attributes associated with the security events and the actor category model; and
      
      for each actor category model determined to be associated with the security events, using the associated actor category model to identify rules to determine whether the security threat exists.
  - 7. The method of claim 1, wherein identifying a user for each security event comprises:
    - determining an application associated with the security event;
      
      identifying an authenticator that provisions user accounts for the application;
      
      determine an account ID associated with the security event; and
      
      determining the actor based on the authenticator and the account ID.

8. A threat detection system comprising:
- a non-transitory data storage that stores security events associated with network devices, and an actor category model including a plurality of levels arranged in a hierarchy and each level is associated with a subcategory for a category of the actor category model, wherein the actor category model comprises an attribute for users, and the actor category model comprises parent-child relationships between the plurality of levels, and child levels inherit rules from their parent levels; and
  
  at least one physical processor that correlates security events with the actor category model, wherein to correlate the security events the at least one processor;
  
  identifies a user for each security event;
  
  determines the actor category model is applicable to the user for each security event and any of the security events associated with the user by matching the attribute for users in the actor category model with a user attribute of the user in a user data model;
  
  identifies a level in the actor category model associated with the user for each security event; and
  
  determines whether a security threat exists based on the correlating, wherein to determine whether the security threat exists, the at least one processor;
  
  determines a security rule for the identified level; and
  
  applies the security rule to determine whether the security threat exists.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The threat detection system of claim 8, wherein the non-transitory data storage stores the user data model including an individual unique user ID and an account for the user for each security event, stores history in the user data model indicating a time period each user account is associated with the unique user ID, and associates the user with a security event of the security events based on the history.
  - 10. The threat detection system of claim 8, wherein to identify a user, for each security event, the physical processor determines an application associated with the security event, identifies an authenticator that provisions user accounts for the application, determines an account ID associated with the security event and determines the user based on the authenticator and the account ID.
  - 11. The threat detection system of claim 8, wherein the physical processor aggregates two or more of the security events into an aggregated event based on the correlated security events, wherein the aggregated event satisfies a condition in the security rule.
  - 12. The threat detection system of claim 8, wherein the physical processor modifies the attribute or a parent-child relationship in the actor category model;
    - and stores the modified actor category model in the non-transitory data storage.
  - 13. The threat detection system of claim 8, wherein the physical processor provides notification responsive to a determination being made that the network security threat exists.
  - 14. The threat detection system of claim 8, wherein the non-transitory data storage stores a plurality of actor category models;
    - andfor each actor category model, the at least one physical processor determines whether the actor category model is associated with the security events based on attributes associated with the security events and the actor category model; and
      
      for each actor category model determined to be associated with the security events, uses the associated actor category model to identify rules to determine whether the security threat exists.

15. The A non-transitory computer readable medium storing machine readable instructions that when executed by a physical processor cause the physical processor to:
- store security events associated with network devices;
  
  store an actor category model including a plurality of levels arranged in a hierarchy and each level is associated with a subcategory for a category of the model;
  
  correlate security events with the actor category model, wherein to correlate the security events the at least one processor is to identify a user for each security event, determine the actor category model is applicable to the user for each security event and any of the security events associated with the user by matching the attribute for users in the actor category model with a user attribute of the user in a user data model, and identify a level in the actor category model associated with the user for each security event, wherein to identify the user for each security event, the processor determines an application associated with the security event, identifies an authenticator that provisions user accounts for the application, determines an account ID associated with the security event, and determines the user based on the authenticator and the account ID; and
  
  determines whether the security threat exists based on the correlating, wherein to determine whether the security threat exists, the at least one processor is to select a security rule for the identified level from a plurality of security rules, and determine whether the security threat exists by applying the selected security rule.
- View Dependent Claims (16, 17)
- - 16. The non-transitory computer readable medium of claim 15, wherein the machine readable instructions, when executed by the physical processor causes the physical processor to:
    - aggregate two or more of the security events into an aggregated event based on the correlated security events, wherein the aggregated event satisfies a condition in the security rule.
  - 17. The non-transitory computer readable medium of claim 15, wherein the machine readable instructions, when executed by the processor cause the processor to:
    - modify an attribute or a parent-child relationship in the actor category model; and
      
      store the modified actor category model in a data storage.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Anurag, Singla
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
Kusyk, Janusz

Application Number

US13/699,030
Publication Number

US 20130081141A1
Time in Patent Office

1,502 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1425   Traffic logging, e.g. anoma...

Security threat detection associated with security events and an actor category model

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Security threat detection associated with security events and an actor category model

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links