Providing alerts based on unstructured information methods and apparatus

US 9,230,101 B2
Filed: 03/15/2013
Issued: 01/05/2016
Est. Priority Date: 03/15/2013
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

receiving a data item from a remotely located information source, the data item including unstructured information;

determining a threat score for the data item by matching information associated with the data item to pre-identified information associated with a numerical value;

responsive to the threat score exceeding a predetermined threshold, determining labels for at least one Common Alerting Protocol field associated with a Common Alerting Protocol data structure using at least a portion of the information associated with the data item by;

determining a first label for an urgency field within the Common Alerting Protocol data structure based on the threat score and the data item,determining a second label for a severity field within the Common Alerting Protocol data structure based on the threat score and the data item,determining a third label for a category field within the Common Alerting Protocol data structure based on the threat score and the data item, anddetermining a fourth label for a certainty field within the Common Alerting Protocol data structure based on the threat score and the first data item;

creating the Common Alerting Protocol data structure that includes the labels; and

transmitting the Common Alerting Protocol data structure for use within a decision system or to cause security personnel to perform an action.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and apparatus for providing alerts based on unstructured information are disclosed. An example method includes receiving a data item from a remotely located information source, the data item including unstructured information. The method also includes determining a threat score for the data item by matching information associated with the data item to pre-identified information associated with a numerical value. The method further includes responsive to the threat score exceeding a predetermined threshold, creating a Common Alerting Protocol data structure that includes at least a portion of the information associated with the data item and transmitting the Common Alerting Protocol data structure.

16 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving a data item from a remotely located information source, the data item including unstructured information;
  
  determining a threat score for the data item by matching information associated with the data item to pre-identified information associated with a numerical value;
  
  responsive to the threat score exceeding a predetermined threshold, determining labels for at least one Common Alerting Protocol field associated with a Common Alerting Protocol data structure using at least a portion of the information associated with the data item by;
  
  determining a first label for an urgency field within the Common Alerting Protocol data structure based on the threat score and the data item,determining a second label for a severity field within the Common Alerting Protocol data structure based on the threat score and the data item,determining a third label for a category field within the Common Alerting Protocol data structure based on the threat score and the data item, anddetermining a fourth label for a certainty field within the Common Alerting Protocol data structure based on the threat score and the first data item;
  
  creating the Common Alerting Protocol data structure that includes the labels; and
  
  transmitting the Common Alerting Protocol data structure for use within a decision system or to cause security personnel to perform an action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - responsive to determining that the threat score is below a second predetermined threshold, disregarding the data item,wherein the second predetermined threshold is less than the predetermined threshold.
  - 3. The method of claim 2, further comprising responsive to determining that the threat score is greater than the second predetermined threshold and less than the predetermined threshold, routing the data item to a moderator.
  - 4. The method of claim 3, further comprisingreceiving a message from the moderator regarding the data item;
    - responsive to the message including an indication to promote the data item, creating the Common Alerting Protocol data structure that includes at least the portion of the information associated with the data item and transmitting the Common Alerting Protocol data structure;
      
      responsive to the message including an indication to disregard the data item, deleting the data item; and
      
      amending the pre-identified information based on the message from the moderator and the information associated with the data item.
  - 5. The method of claim 4, wherein amending the pre-identified information includes changing the numerical value of the pre-identified information.
  - 6. The method of claim 4, wherein amending the pre-identified information includes adding at least one term to the pre-identified information from the information associated with the data item.
  - 7. The method of claim 1, wherein determining the threat score includes i) classifying the information associated with the data item based on matches to pre-identified semantic information, ii) classifying the information associated with the data item based on matches to dictionary terms or phrases, iii) determining a geographic location corresponding to the information associated with the first data item, and iv) assigning the threat score based on the classifications and the geographic location.
  - 8. The method of claim 1, further comprising determining a client among a plurality of clients that is to receive the Common Alerting Protocol data structure based on the at least a portion of the information associated with the data item being associated with the client.
  - 9. The method of claim 1, wherein at least one additional label is determined for a geographic field within the Common Alerting Protocol data structure based on the threat score and the data item.

10. A machine-accessible device comprising a memory having instructions stored thereon that, when executed, cause a machine to at least:
- determine a threat score for a first data item received from a data source by matching unstructured content within the first data item to pre-identified content associated with at least a value;
  
  responsive to the threat score exceeding a predetermined threshold, determine labels for at least one Common Alerting Protocol field for a Common Alerting Protocol data structure using at least a portion of the content associated with the first data item by;
  
  selecting a first label for an urgency field within the Common Alerting Protocol data structure based on the threat score and the first data item;
  
  selecting a second label for a severity field within the Common Alerting Protocol data structure based on the threat score and the first data item;
  
  selecting a third label for a category field within the Common Alerting Protocol data structure based on the threat score and the first data item; and
  
  selecting a fourth label for a certainty field within the Common Alerting Protocol data structure based on the threat score and the first data item;
  
  create the Common Alerting Protocol data structure that includes the labels; and
  
  transmit the Common Alerting Protocol data structure causing security personnel associated with a client to perform an action.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The machine-accessible device of claim 10, further comprising instructions stored thereon that are configured when executed to cause the machine to subscribe to the data source to receive the first data item.
  - 12. The machine-accessible device of claim 10, further comprising instructions stored thereon that are configured when executed to cause the machine to:
    - determine a semantic threat score based on the content within the first data item matching pre-identified semantic content;
      
      determine a dictionary threat score based on the content within the first data item matching pre-identified dictionary content; and
      
      determine the threat score by combining the semantic threat score with the dictionary threat score.
  - 13. The machine-accessible device of claim 10 further comprising instructions stored thereon that are configured when executed to cause the machine to determine a geographic location referenced within the first data item.
  - 14. The machine-accessible device of claim 10, further comprising instructions stored thereon that are configured when executed to cause the machine to:
    - determine a second threat score for a second data item received from a second data source by matching content within the second data item to the pre-identified content;
      
      responsive to the second threat score exceeding the predetermined threshold, create a second Common Alerting Protocol data structure that includes at least a portion of the content associated with the second data item; and
      
      responsive to determining the portion of the content associated with the second data item substantially matches the portion of the content associated with the first data item, discarding the second Common Alerting Protocol data structure.
  - 15. The machine-accessible device of claim 10, wherein the unstructured content includes at least one of text, a picture, a graph, a chart, a video, audio, an image, and a map.

16. An apparatus comprising at least one hardware processor that in aggregate includes:
- an interface configured to receive an unstructured data item from a data source;
  
  a semantic classifier configured to determine a first threat score by determining content within the data item that matches pre-identified semantic information;
  
  a dictionary classifier configured to determine a second threat score by determining the content within the data item that matches pre-identified dictionary information;
  
  a location identifier configured to determine a third threat score by determining the content within the data item that substantially matches geographic location information;
  
  a content scorer configured to determine whether the combination of the first, second, and third threat scores is greater than a predetermined threshold; and
  
  a Common Alerting Protocol processor configured to;
  
  determine labels for at least one Common Alerting Protocol field using at least some of the content within the data item responsive to the content scorer determining that the combined threat score is greater than the predetermined threshold by;
  
  determining a first label for an urgency field within the Common Alerting Protocol data structure based on the threat score and the data item,determining a second label for a severity field within the Common Alerting Protocol data structure based on the threat score and the data item,determining a third label for a category field within the Common Alerting Protocol data structure based on the threat score and the data item, anddetermining a fourth label for a certainty field within the Common Alerting Protocol data structure based on the threat score and the first data item, andcreate a Common Alerting Protocol data structure that includes the labels for use by a decision system or security personnel.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The apparatus of claim 16, further comprising a transmitter configured to transmit the Common Alerting Protocol data structure to the decision system.
  - 18. The apparatus of claim 16, further comprising a calibration processor configured to calibrate the semantic classifier by analyzing previously received data items to determine the pre-identified semantic information.
  - 19. The apparatus of claim 18, wherein the calibration processor is configured to:
    - receive feedback from a moderator regarding a previously scored data item; and
      
      amend the pre-identified semantic information based on the feedback.
  - 20. The apparatus of claim 19, wherein the semantic classifier includes a machine learning algorithm.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pinkerton Consulting & Investigations, Inc. (Securitas AB)
Original Assignee
Pinkerton Consulting & Investigations, Inc. (Securitas AB)
Inventors
Zahran, Jack I.
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Khan, Sher A

Application Number

US13/837,959
Publication Number

US 20140283055A1
Time in Patent Office

1,026 Days
Field of Search

726/242
US Class Current

1/1
CPC Class Codes

G06F 16/353   into predefined classes

G06F 21/55   Detecting local intrusion o...

H04L 63/1416   Event detection, e.g. attac...

Providing alerts based on unstructured information methods and apparatus

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Providing alerts based on unstructured information methods and apparatus

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others