Cyber-security system and methods thereof

US 9,565,204 B2
Filed: 02/05/2015
Issued: 02/07/2017
Est. Priority Date: 07/18/2014
Status: Active Grant

First Claim

Patent Images

1. A method for adaptively securing a protected entity against cyber-threats, comprising:

selecting at least one security application from a plurality of security applications, wherein each of the plurality of security applications is configured to handle a different type of cyber-threat, wherein the at least one security application executes a plurality of security services assigned to the at least one selected security application;

determining at least one workflow rule respective of the at least one security application, wherein the at least one workflow rule is defined to handle a certain type of cyber-threat;

generating a plurality of signals by the plurality of security services, wherein each signal of the plurality of signals is generated with respect to a potential cyber-threat;

generating at least one security event respective of the plurality of received signals;

determining if the at least one security event satisfies the at least one workflow rule; and

upon determining that the at least one security event satisfies the workflow rule, generating at least one action with respect to the potential cyber-threat, wherein the at least one workflow rule applies a set of logical operators on events to generate the at least one action.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for adaptively securing a protected entity against cyber-threats are presented. The method includes selecting at least one security application configured to handle a cyber-threat, wherein the at least one security application executes a plurality of security services assigned to the at least one security application; determining at least one workflow rule respective of the at least one security application; receiving a plurality of signals from the plurality of security services, wherein each signal of the plurality of signals is generated with respect to a potential cyber-threat; generating at least one security event respective of the plurality of received signals; checking determining if the at least one security event satisfies the at least one workflow rule; and upon determining that the at least one security event satisfies the workflow rule, generating at least one action with respect to the potential cyber-threat.

60 Citations

View as Search Results

33 Claims

1. A method for adaptively securing a protected entity against cyber-threats, comprising:
- selecting at least one security application from a plurality of security applications, wherein each of the plurality of security applications is configured to handle a different type of cyber-threat, wherein the at least one security application executes a plurality of security services assigned to the at least one selected security application;
  
  determining at least one workflow rule respective of the at least one security application, wherein the at least one workflow rule is defined to handle a certain type of cyber-threat;
  
  generating a plurality of signals by the plurality of security services, wherein each signal of the plurality of signals is generated with respect to a potential cyber-threat;
  
  generating at least one security event respective of the plurality of received signals;
  
  determining if the at least one security event satisfies the at least one workflow rule; and
  
  upon determining that the at least one security event satisfies the workflow rule, generating at least one action with respect to the potential cyber-threat, wherein the at least one workflow rule applies a set of logical operators on events to generate the at least one action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein generating the at least one security event respective of the plurality of received signals further comprising:
    - determining if the plurality of received signals satisfies at least one event rule; and
      
      upon determining that the plurality of received signals satisfies the at least one event rule, generating the at least one security event.
  - 3. The method of claim 2, wherein the at least one event rule evaluates at least one of:
    - a signal value, a signal duration, and a signal frequency.
  - 4. The method of claim 1, wherein the at least one security service is at least one of:
    - a network anomaly security service, a user application anomaly security service, a sandbox security service, a reputation security service, a user identity security service, an attack signatures security service, a challenge-response security service, a real-time fingerprint generation security service, an anti-virus security service, and a Web application security service.
  - 5. The method of claim 4, wherein each of the plurality of security signals is received in response to at least one of:
    - a detection of malware activity, a protocol usage anomaly, a drop of point behavior, and a network scan behavior.
  - 6. The method of claim 1, wherein the at least one action is any one of:
    - a mitigation action, an investigation action, a detection action.
  - 7. The method of claim 6, wherein the at least one action further comprises an activation of security services.
  - 8. The method of claim 1, further comprising:
    - analyzing the plurality of received signals to determine if the at least one security application is optimally configured to handle the potential cyber-threat; and
      
      upon determining that the at least one security application is not optimally configured to handle the potential cyber-threat, reprogramming the at least one selected security application.
  - 9. The method of claim 8, wherein reprogramming the at least one selected security application further comprising:
    - selecting at least one new security resource, wherein each selected security resource includes at least one of;
      
      one or more new security services and one or more new engines, wherein the one or more new engines may be assigned to one of the plurality of security services assigned for the selected security application;
      
      assigning the at least one new security resource to the at least one security application; and
      
      activating the at least one of new security resource for execution in the at least one security application, wherein the activation is performed during a runtime of the at least one security application.
  - 10. The method of claim 9, wherein selecting the at least one new security resource further comprising:
    - programming each of the one or more new engines to optimally handle the potential cyber-threat.
  - 11. The method of claim 9, wherein assigning the at least one new security resource further comprising:
    - tagging the at least one new security resource with one or more unique tags, wherein the at least one workflow rule and at least one event rule process signals and events based on the one or more unique tags.
  - 12. The method of claim 9, wherein the at least one new security resource is imported from a remote repository.
  - 13. The method of claim 1, wherein the cyber threat is any of:
    - an advanced persistent threat (APT), a web injection, an SQL injection, a phishing attempt, a bruteforce attack, a business-logic attack, a denial of service (DoS) attack, and a distributed DoS attack.
  - 14. A non-transitory computer readable medium having stored thereon instructions for causing one or more processing units to execute the method according to claim 1.

15. A method for adaptively securing a protected entity against cyber-threats, comprising:
- selecting at least one security application from a plurality of security applications, wherein each of the plurality of security applications is configured to handle a different type of cyber-threat, wherein the at least one security application executes a plurality of security services assigned to the selected at least one security application, and wherein each security service of the plurality of security services is configured to execute at least one engine, wherein each of the least one application is configured with at least one workflow rule, wherein the at least one workflow rule applies a set of logical operators on events to generate at least one action;
  
  receiving a plurality of signals related to the protected entity;
  
  analyzing the plurality of received signals to determine if the selected at least one security application is optimally configured to handle a potential cyber-threat that threatens the protected entity; and
  
  upon determining that the at least one security application is not optimally configured to handle the potential cyber-threat, reprogramming the selected at least one security application.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The method of claim 15, wherein reprogramming the at least one selected security application further comprising:
    - selecting at least one new security resource, wherein each selected security resource includes at least one of;
      
      one or more new security services and one or more new engines, wherein the one or more new engines may be assigned to one of the plurality of security services assigned for the selected security application;
      
      assigning the at least one new security resource to the at least one security application; and
      
      activating the at least one of new security resource for execution in the at least one security application, wherein the activation is performed during a runtime of the at least one security application.
  - 17. The method of claim 16, wherein selecting the at least one new security resource further comprising:
    - programming each of the one or more new engines to optimally handle the potential cyber-threat.
  - 18. The method of claim 17, wherein assigning the at least one new security resource further comprising:
    - tagging the at least one new security resource with one or more unique tags, wherein the at least one workflow rule and at least one event rule process signals and events based on the one or more unique tags.
  - 19. The method of claim 15, wherein the at least one new security resource is imported from a remote repository.

20. A system for adaptively securing a protected entity against cyber-threats, comprising:
- a processor; and
  
  a memory, the memory containing instructions that, when executed by the processor, configure the system to;
  
  select at least one security application from a plurality of security applications, wherein each of the plurality of security applications is configured to handle a different type of cyber-threat, wherein the at least one security application executes a plurality of security services assigned to the at least one security application;
  
  determine at least one workflow rule respective of the at least one security application, wherein the at least one workflow rule is defined to handle a certain type of cyber-threat;
  
  generate a plurality of signals by the plurality of security services, wherein each signal of the plurality of signals is generated with respect to a potential cyber-threat;
  
  generate at least one security event respective of the plurality of received signals;
  
  determine if the at least one security event satisfies the at least one workflow rule; and
  
  upon determining that the at least one security event satisfies the workflow rule, generate at least one action with respect to the potential cyber-threat, wherein the at least one workflow rule applies a set of logical operators on events to generate at least the one action.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 21. The system of claim 20, wherein the system is further configured to:
    - determine if the plurality of received signals satisfies at least one event rule; and
      
      upon determining that the plurality of received signals satisfies the at least one event rule, generate the at least one security event.
  - 22. The system of claim 21, wherein the at least one event rule evaluates at least one of:
    - a signal value, a signal duration, and a signal frequency.
  - 23. The system of claim 20, wherein the at least one security service is at least one of:
    - a network anomaly security service, a user application anomaly security service, a sandbox security service, a reputation security service, a user identity security service, an attack signatures security service, a challenge-response security service, a real-time fingerprint generation security service, an anti-virus security service, and a Web application security service.
  - 24. The system of claim 23, wherein each of the plurality of security signals is received in response to at least one of:
    - a detection of malware activity, a protocol usage anomaly, a drop of point behavior, and a network scan behavior.
  - 25. The system of claim 20, wherein the at least one action is any one of:
    - a mitigation action, an investigation action, a detection action.
  - 26. The system of claim 25, wherein the at least one action further comprises an activation of security services.
  - 27. The system of claim 20, wherein the system is further configured to:
    - analyze the plurality of received signals to determine if the at least one security application is optimally configured to handle the potential cyber-threat; and
      
      upon determining that the at least one security application is not optimally configured to handle the potential cyber-threat, reprogram the at least one security application.
  - 28. The system of claim 27, wherein the system is further configured to:
    - select at least one new security resource, wherein each selected security resource includes at least one of;
      
      one or more new security services and one or more new engines, wherein the one or more new engines may be assigned to one of the plurality of security services assigned for the selected security application;
      
      assign the at least one new security resource to the at least one security application; and
      
      activate the at least one of new security resource for execution in the at least one security application, wherein the activation is performed during a runtime of the at least one security application.
  - 29. The system of claim 28, wherein the system is further configured to:
    - program each of the one or more new engines to optimally handle the potential cyber-threat.
  - 30. The system of claim 28, wherein the system is further configured to:
    - tag the at least one new security resource with one or more unique tags, wherein the at least one workflow rule and at least one event rule process signals and events based on the one or more unique tags.
  - 31. The system of claim 28, wherein the at least one new security service is imported from a remote repository.
  - 32. The system of claim 20, wherein the cyber threat is any of:
    - an advanced persistent threat (APT), a web injection, an SQL injection, a phishing attempt, a bruteforce attack, a business-logic attack, a denial of service (DoS) attack, and a distributed DoS attack.

33. A system for adaptively securing a protected entity against cyber-threats, comprising:
- a processor; and
  
  a memory, the memory containing instructions that, when executed by the processor, configure the system to;
  
  select at least one security application from a plurality of security applications, wherein each security application is configured to handle a different type of cyber-threat, wherein the at least one security application executes a plurality of security services assigned to the selected at least one security application, and wherein each security service of the plurality of security services is configured to execute at least one engine;
  
  receive a plurality of signals related to the protected entity, wherein each of the least one application is configured with at least one workflow rule, wherein the at least one workflow rule applies a set of logical operators on events to generate at least one action;
  
  analyze the plurality of received signals to determine if the selected at least one security application is optimally configured to handle a potential cyber-threat that threatens the protected entity; and
  
  upon determining that the at least one security application is not optimally configured to handle the potential cyber-threat, reprogram the selected at least one security application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cybereason, Inc.
Original Assignee
empow Cyber Security Ltd.
Inventors
Chesla, Avi
Primary Examiner(s)
To, Baotran N

Application Number

US14/615,020
Publication Number

US 20160021056A1
Time in Patent Office

733 Days
Field of Search

726 22- 23
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

H04L 63/02   for separating internal fro...

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/1483   service impersonation, e.g....

H04L 63/20   for managing network securi...

Cyber-security system and methods thereof

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

60 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Cyber-security system and methods thereof

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links