System for real-time threat detection and management
First Claim
1. A system for real-time detection and management of security threats, to a computer system having a Local Area Network (LAN), based on system state changes, not based on network packet data, and without third party detection software, comprising:
a) a threat detection agent (TDA) module, being part of the LAN, in communication with a client device and comprising circuitry and memory that includes;
a1) instructions, in the form of system state data, for observing activity occurring on a client device;
a2) instructions controlling collection of system state data from the client device;
a3) instructions comparing a current configuration of the client device system state data against a previously saved system state data configuration file and generating a threat detection signal when the observed system state data configuration differs from the previously saved system state data configuration file;
a4) instructions for reporting an identified threat detection signal activity related to the client device; and
a5) a detector module and a collector module, each stored in the memory, wherein the collector module creates an event log and the detector module includes a pattern space of threat fingerprints, and the detector module categorizes and prioritizes events by comparing events from the event log to the pattern space, wherein each threat fingerprint consists of one or more specific events that imply an attack is underway, wherein the detector module initializes the pattern space from a collection of the threat fingerprints, wherein patterns in the pattern space specify events and context that represent threats;
b) a threat response agent (TRA) module, being part of the LAN, in communication with the client device and comprising circuitry and memory that includes;
instructions for altering an operating characteristic of a client device in response to a threat response signal; and
c) a threat management server (TMS) module, being part of the LAN, in communication with the TDA and with the TRA and physically remote from the client device, the TMS comprising circuitry and memory that includes;
c1) a threat detection service (TDS) module stored in the memory, and in communication with the TDA, whereby the TDS receives threat information from the TDA;
c2) a threat response service (TRS) module stored in the memory, and in communication with the TRA, whereby the TRS relays threat response instructions to the TRA; and
c3) a threat evaluation service (TES) module stored in the memory, and in communication with the TDS, whereby the TES evaluates threat information received by the TDS and determines an appropriate response as well as determines whether an attack represents a new threat profile.
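As an added example, not code from the patent or its assignee, the following Python models two elements of the claimed detector module: a3 (diffing a client's current system state against a previously saved state configuration and raising a threat detection signal on any difference) and a5 (comparing an event log against a pattern space of threat fingerprints, using the client host as the "context" and ranking matches by priority). All state keys, event names and host names are constructed and hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Fingerprint:
    name: str             # threat category the pattern represents
    events: frozenset     # event names that together imply an attack
    priority: int         # larger value = handled first

def state_diff(saved: dict, current: dict) -> dict:
    """Keys whose value changed, appeared or disappeared between snapshots."""
    return {k: (saved.get(k), current.get(k))
            for k in saved.keys() | current.keys()
            if saved.get(k) != current.get(k)}

def detect_state_change(saved: dict, current: dict) -> dict:
    """Claim element a3: signal when the observed state differs from the
    previously saved state configuration file."""
    diff = state_diff(saved, current)
    return {"signal": bool(diff), "changes": diff}

def match_fingerprints(event_log: list, pattern_space: list) -> list:
    """Claim element a5: compare the event log to the pattern space.
    Context here is the client host: a fingerprint fires only when all of
    its events were observed on the same client. Matches are returned as
    (host, fingerprint name, priority), highest priority first."""
    seen = defaultdict(set)
    for entry in event_log:
        seen[entry["host"]].add(entry["event"])
    hits = [(host, fp.name, fp.priority)
            for host, events in seen.items()
            for fp in pattern_space if fp.events <= events]
    return sorted(hits, key=lambda h: -h[2])

# Constructed sample data; names are hypothetical, not from the patent.
PATTERN_SPACE = [
    Fingerprint("persistence", frozenset({"autorun_added", "new_service"}), 3),
    Fingerprint("policy_change", frozenset({"firewall_disabled"}), 2),
]
SAVED_STATE = {"firewall": "on", "services": 42, "autorun_entries": 7}
CURRENT_STATE = {"firewall": "off", "services": 43, "autorun_entries": 8}
EVENT_LOG = [
    {"host": "ws-01", "event": "autorun_added"},
    {"host": "ws-01", "event": "new_service"},
    {"host": "ws-02", "event": "autorun_added"},   # alone: no fingerprint
    {"host": "ws-02", "event": "firewall_disabled"},
]

if __name__ == "__main__":
    print(detect_state_change(SAVED_STATE, CURRENT_STATE))
    print(match_fingerprints(EVENT_LOG, PATTERN_SPACE))
```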
Abstract
A system and method for threat detection and management. The method includes: comparing the observed activity with a threat profile; generating a threat detection signal including threat information when the observed activity matches the threat profile; altering an operating characteristic of a client device in response to a threat response signal; receiving the threat information; evaluating the threat information; automatically determining an appropriate response to the threat detection signal based on an evaluation of the threat information; comparing the threat detection signal to known threat patterns; distributing new threat information if the threat detection signal does not match a known threat pattern; storing threat information; and providing a user interface information and controls for delivering control information over a control protocol.
255 Citations
19 Claims
1. Independent claim; its full text is given under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 16, 17.
15. A method of real-time detection and management of security threats, to a computer system having a Local Area Network (LAN), based on system state changes, not based on network packet data, and without third party detection software, comprising the steps of:
observing activity on the computer system in the form of system state data, related to a remote client device among a plurality of client devices remote from each other;
comparing the observed activity on the computer system in the form of system state data, with a threat profile;
generating a threat detection signal on the computer system, including threat information when the observed activity matches the threat profile, in the form of system state data;
altering an operating characteristic of a client device on the computer system, in response to a threat response signal, in the form of system state data;
receiving the threat information on the computer system;
evaluating the threat information on the computer system;
automatically determining an appropriate response to the threat detection signal based on an evaluation of the threat information on the computer system in the form of system state data;
comparing on the computer system, the threat detection signal to known threat patterns;
distributing on the computer system new threat information if the threat detection signal does not match a known threat;
using on the computer system, the threat information to construct additional new threat patterns;
storing on the computer system, threat information;
providing on the computer system, a user interface information and controls for delivering control information over a control protocol;
creating an event log;
providing a pattern space of threat fingerprints, wherein each threat fingerprint consists of one or more specific events that imply an attack is underway, wherein the pattern space is initialized from a collection of threat fingerprints, wherein patterns in the pattern space specify events and context that represent threats; and
categorizing and prioritizing events by comparing events from the event log to the pattern space.
Dependent claims: 18, 19.
Specification