System for real-time threat detection and management

US 9,336,385 B1
Filed: 02/11/2008
Issued: 05/10/2016
Est. Priority Date: 02/11/2008
Status: Active Grant

First Claim

Patent Images

1. A system for real-time detection and management of security threats, to a computer system having a Local Area Network (LAN), based on system state changes, not based on network packet data, and without third party detection software, comprising:

a) a threat detection agent (TDA) module, being part of the LAN, in communication with a client device and comprising circuitry and memory that includes;

a1) instructions, in the form of system state data, for observing activity occurring on a client device;

a2) instructions controlling collection of system state data from the client device;

a3) instructions comparing a current configuration of the client device system state data against a previously saved system state data configuration file and generating a threat detection signal when the observed system state data configuration differs from the previously saved system state data configuration file;

a4) instructions for reporting an identified threat detection signal activity related to the client device; and

a5) a detector module and a collector module, each stored in the memory, wherein the collector module creates an event log and the detector module includes a pattern space of threat fingerprints, and the detector module categorizes and prioritizes events by comparing events from the event log to the pattern space, wherein each threat fingerprint consists of one or more specific events that imply an attack is underway, wherein the detector module initializes the pattern space from a collection of the threat fingerprints, wherein patterns in the pattern space specify events and context that represent threats;

b) a threat response agent (TRA) module, being part of the LAN, in communication with the client device and comprising circuitry and memory that includes;

instructions for altering an operating characteristic of a client device in response to a threat response signal; and

c) a threat management server (TMS) module, being part of the LAN, in communication with the TDA and with the TRA and physically remote from the client device, the TMS comprising circuitry and memory that includes;

c1) a threat detection service (TDS) module stored in the memory, and in communication with the TDA, whereby the TDS receives threat information from the TDA;

c2) a threat response service (TRS) module stored in the memory, and in communication with the TRA, whereby the TRS relays threat response instructions to the TRA; and

c3) a threat evaluation service (TES) module stored in the memory, and in communication with the TDS, whereby the TES evaluates threat information received by the TDS and determines an appropriate response as well as determines whether an attack represents a new threat profile.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for threat detection and management. The method includes: comparing the observed activity with a threat profile; generating a threat detection signal including threat information when the observed activity matches the threat profile; altering an operating characteristic of a client device in response to a threat response signal; receiving the threat information; evaluating the threat information; automatically determining an appropriate response to the threat detection signal based on an evaluation of the threat information; comparing the threat detection signal to known threat patterns; distributing new threat information if the threat detection signal does not match a known threat pattern; storing threat information; and providing a user interface information and controls for delivering control information over a control protocol.

255 Citations

19 Claims

1. A system for real-time detection and management of security threats, to a computer system having a Local Area Network (LAN), based on system state changes, not based on network packet data, and without third party detection software, comprising:
- a) a threat detection agent (TDA) module, being part of the LAN, in communication with a client device and comprising circuitry and memory that includes;
  
  a1) instructions, in the form of system state data, for observing activity occurring on a client device;
  
  a2) instructions controlling collection of system state data from the client device;
  
  a3) instructions comparing a current configuration of the client device system state data against a previously saved system state data configuration file and generating a threat detection signal when the observed system state data configuration differs from the previously saved system state data configuration file;
  
  a4) instructions for reporting an identified threat detection signal activity related to the client device; and
  
  a5) a detector module and a collector module, each stored in the memory, wherein the collector module creates an event log and the detector module includes a pattern space of threat fingerprints, and the detector module categorizes and prioritizes events by comparing events from the event log to the pattern space, wherein each threat fingerprint consists of one or more specific events that imply an attack is underway, wherein the detector module initializes the pattern space from a collection of the threat fingerprints, wherein patterns in the pattern space specify events and context that represent threats;
  
  b) a threat response agent (TRA) module, being part of the LAN, in communication with the client device and comprising circuitry and memory that includes;
  
  instructions for altering an operating characteristic of a client device in response to a threat response signal; and
  
  c) a threat management server (TMS) module, being part of the LAN, in communication with the TDA and with the TRA and physically remote from the client device, the TMS comprising circuitry and memory that includes;
  
  c1) a threat detection service (TDS) module stored in the memory, and in communication with the TDA, whereby the TDS receives threat information from the TDA;
  
  c2) a threat response service (TRS) module stored in the memory, and in communication with the TRA, whereby the TRS relays threat response instructions to the TRA; and
  
  c3) a threat evaluation service (TES) module stored in the memory, and in communication with the TDS, whereby the TES evaluates threat information received by the TDS and determines an appropriate response as well as determines whether an attack represents a new threat profile.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 16, 17)
- - 2. The system of claim 1, wherein the TDA includes a reporter module.
  - 3. The system of claim 1, wherein the TRA is in communication with the TRS through an authenticated and authorized communication channel.
  - 4. The system of claim 1, wherein the TMS retains an active model of the client device and retains a historical model of the client device.
  - 5. The system of claim 1, wherein the TDS is in communication with the TDA through an authenticated and authorized communication channel.
  - 6. The system of claim 1, wherein the TDS maintains a system model of the client device and communicates system changes to the TES.
  - 7. The system of claim 1, wherein the TES determines if a new threat is in progress and if so initializes a new incident to track information regarding the threat as the threat continues.
  - 8. The system of claim 1, wherein the TRS throttles on forensics quality information collection on the client device when an emerging threat is detected.
  - 9. The system of claim 8, wherein a threat management repository comprises memory that stores the forensics quality information throughout an emerging attack and makes it available as real-time forensics to an end user forensics investigator via a threat console services and a threat management console.
  - 10. The system of claim 9, wherein the forensics quality information is stored using algorithms to ensure that a forensics evidence is preserved for future legal proceedings.
  - 11. The system of claim 1, wherein the TRS compares a response script to a relevant characteristic of the client device before execution of the response script;
    - the system further comprises;
      
      a threat information propagation service (TIPS) module comprising circuitry and memory, and in communication with the TES and configured to transfer threat profiles of new attacks;
      
      a threat management repository (TMR) module comprising memory, and in communication with the TES and with the TIPS and configured to store threat information; and
      
      a Threat Console Services (TCS) module comprising circuitry and memory, and in communication with the TMR and the TES configured to construct and issue user interface display instructions and information; and
      
      a threat management console (TMC) module stored in a memory, and in communication with the TCS and configured to display user interface information and provide controls for delivering control information over the control protocol.
  - 12. The system of claim 1, wherein the TRS modifies a response script according to a characteristic of a client device.
  - 13. The system of claim 1, wherein the system comprises a threat management console module stored in a memory and configured to display information regarding a response script and enables a user to alter the displayed response script before execution thereof.
  - 14. The system of claim 1, wherein the system comprises a threat management console module stored in a memory and configured to display an event and enables a user to enter a response script and cause execution of the response script in the client device.
  - 16. The system of claim 1, further comprising multiple TMS modules forming a federated database, where the threat information from multiple TMS modules are collected and reviewed to provide the pattern space of threat fingerprints, wherein each threat fingerprint consists of one or more specific events that imply an attack is underway.
  - 17. The system of claim 16, wherein the TDA sends instruction to the TDS to terminate a connection with the TDS.

15. A method of real-time detection and management of security threats, to a computer system having a Local Area Network (LAN), based on system state changes, not based on network packet data, and without third party detection software, comprising the steps of:
- observing activity on the computer system in the form of system state data, related to a remote client device among a plurality of client devices remote from each other;
  
  comparing the observed activity on the computer system in the form of system state data, with a threat profile;
  
  generating a threat detection signal on the computer system, including threat information when the observed activity matches the threat profile, in the form of system state data;
  
  altering an operating characteristic of a client device on the computer system, in response to a threat response signal, in the form of system state data;
  
  receiving the threat information on the computer system;
  
  evaluating the threat information on the computer system;
  
  automatically determining an appropriate response to the threat detection signal based on an evaluation of the threat information on the computer system in the form of system state data;
  
  comparing on the computer system, the threat detection signal to known threat patterns;
  
  distributing on the computer system new threat information if the threat detection signal does not match a known threat;
  
  using on the computer system, the threat information to construct additional new threat patterns;
  
  storing on the computer system, threat information;
  
  providing on the computer system, a user interface information and controls for delivering control information over a control protocol;
  
  creating an event log;
  
  providing a pattern space of threat fingerprints, wherein each threat fingerprint consists of one or more specific events that imply an attack is underway, wherein the pattern space is initialized from a collection of threat fingerprints, wherein patterns in the pattern space specify events and context that represent threats; and
  
  categorizing and prioritizing events by comparing events from the event log to the pattern space.
- View Dependent Claims (18, 19)
- - 18. The method of claim 15, wherein storing on the computer system, threat information includes relaying threat information to a federated database of the computer system, where the threat information from multiple sources are collected and reviewed to provide the pattern space of threat fingerprints, wherein each threat fingerprint consists of one or more specific events that imply an attack is underway.
  - 19. The system of claim 18, further comprising sending instruction from the TDA to the TDS to terminate a connection with the TDS.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Adaptive Cyber Security Instruments, Inc.
Original Assignee
Adaptive Cyber Security Instruments, Inc.
Inventors
Spencer, Reid, Beaver, Terry, Markman, Steven
Primary Examiner(s)
Jhaveri, Jayesh

Application Number

US12/029,352
Time in Patent Office

3,011 Days
Field of Search

726 22- 25
US Class Current

1/1
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/564   by virus signature recognition

G06F 21/57   Certifying or maintaining t...

H04L 41/0813   characterised by the condit...

H04L 41/0816   the condition being an adap...

H04L 63/00   Network architectures or ne...

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

System for real-time threat detection and management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

255 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System for real-time threat detection and management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

255 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links