Enterprise intrusion detection and remediation

US 9,584,532 B2
Filed: 10/31/2014
Issued: 02/28/2017
Est. Priority Date: 10/31/2014
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, by a hardware server, a security intrusion event securely communicated from a component of a terminal over a network, wherein the component is a peripheral of the terminal, wherein receiving further includes obtaining the security intrusion event from the peripheral of the terminal, the security intrusion event pushed up to a secure input/output module (SIOM) that is an independent hardware module operating below an operating system of the terminal and acting as a secure interface for communications to and from the peripheral during a secure session between the peripheral and the SIOM;

accessing, by the hardware server, heuristics and identifying a pattern for the security intrusion event relevant to a security intrusion within the component; and

triggering, by the hardware server, an action based on the pattern and securely pushing the action to the component for dynamic and real-time processing by the component in response to the security intrusion.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Events are securely packaged and transmitted from peripherals of terminals and from secure input/out modules (SIOMs) of terminals. The events are collected and mined in real time for security risk patterns and dynamic remedial actions are pushed back down to the terminals, peripherals, and SIOMs.

Citations

18 Claims

1. A method, comprising:
- receiving, by a hardware server, a security intrusion event securely communicated from a component of a terminal over a network, wherein the component is a peripheral of the terminal, wherein receiving further includes obtaining the security intrusion event from the peripheral of the terminal, the security intrusion event pushed up to a secure input/output module (SIOM) that is an independent hardware module operating below an operating system of the terminal and acting as a secure interface for communications to and from the peripheral during a secure session between the peripheral and the SIOM;
  
  accessing, by the hardware server, heuristics and identifying a pattern for the security intrusion event relevant to a security intrusion within the component; and
  
  triggering, by the hardware server, an action based on the pattern and securely pushing the action to the component for dynamic and real-time processing by the component in response to the security intrusion.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein accessing the heuristics further includes identifying the pattern from a task that continuously executes a heuristic algorithm using the event.
  - 3. The method of claim 1, wherein accessing the heuristics further includes identifying the pattern from a plurality of tasks that continuously execute a plurality of heuristic algorithms using the security intrusion event and other collected events.
  - 4. The method of claim 1, wherein accessing further includes mining a data store for a history of other security intrusion events to use with the security intrusion event to identify the pattern in view of the heuristic.
  - 5. The method of claim 1, wherein triggering further includes chaining the action with other actions that is securely pushed to the component and other components.
  - 6. The method of claim 1, wherein triggering further includes securely pushing the action to the component and other components of the terminal.
  - 7. The method of claim 1, wherein triggering further includes instituting counter measures by the component for a suspect security problem associated with the component and in response to the component processing the action.

8. A method, comprising:
- collecting, over a secure network connection by a hardware server, security intrusion events emanating from a secure session between a secure input/output module (SIOM) and a peripheral device, the SIOM and peripheral device integrated into a terminal and the SIOM is an independent hardware module operating below an operating system of the terminal and acting as a secure interface for communications to and from the peripheral during the secure session;
  
  processing heuristics algorithms in view of the security intrusion events and identifying at least one pattern indicating a potential security threat with one or more of;
  
  the SIOM and the peripheral device; and
  
  dynamically and in real time causing at least one action to be sent over the secure network to one or more of;
  
  the SIOM and the peripheral device for remedial action in response to the potential security threat by the SIOM or the peripheral device processing in real time the remedial action.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The method of claim 8, wherein collecting further includes concurrently mining a data store for other security intrusion events.
  - 10. The method of claim 9, wherein processing further includes processing the heuristic algorithms with the security intrusion events and the other security intrusion events to identify the at least one pattern.
  - 11. The method of claim 8, wherein processing further includes dynamically adding a new heuristic algorithm to process with the heuristic algorithms.
  - 12. The method of claim 8, wherein processing further includes dynamically updating at least one of heuristic algorithms for processing with the security intrusion events.
  - 13. The method of claim 8, wherein dynamically and in real time causing further includes causing a chain of actions to be sent as the at least one action.
  - 14. The method of claim 8, wherein dynamically and in real time causing further includes terminating the secure session between the MOM and peripheral device during the remedial action.
  - 15. The method of claim 14, wherein terminating further includes re-establishing a new secure session between the SIOM and the peripheral device when the remedial action was successfully processed.

16. A system comprising:
- a terminal devicea secure input/output module (SIOM) integrated and independent from the terminal device;
  
  a peripheral device integrated into the terminal device; and
  
  an Intrusion Detection System (IDS) adapted and configured to;
  
  i) execute on a hardware server external to the terminal device, ii) collect security intrusion events emanating from a secure session between the SIOM and the peripheral device, iii identity a pattern for a potential security threat based on the security intrusion events; and
  
  iv) cause one or more remedial actions to be processed in real time by the SIOM and the peripheral device in response to the potential security threat, wherein the SIOM is an independent hardware module operating below an operating system of the terminal device and acting as a secure interface for communications to and from the peripheral during the secure session.
- View Dependent Claims (17, 18)
- - 17. The system of claim 16, wherein the terminal is one of:
    - a Point-Of-Sale (POS) device, an Automated Teller Machine (ATM), a Self-Service Terminal (SST), and a kiosk.
  - 18. The system of claim 16, wherein the peripheral device is one of:
    - a Magnetic Strip Reader (MSR), a pin pad, an encrypted pin pad, a printer, a scanner, a keyboard, a value media dispenser, a display, and a touch screen display.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NCR Voyix Corporation
Original Assignee
NCR Corporation (NCR Voyix Corporation)
Inventors
Kobres, Erick, Antonakakis, Stavros
Primary Examiner(s)
HERZOG, MADHURI R

Application Number

US14/530,133
Publication Number

US 20160127391A1
Time in Patent Office

851 Days
Field of Search

726 22- 25, 713187-188
US Class Current

1/1
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/561   Virus type analysis

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

Enterprise intrusion detection and remediation

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Enterprise intrusion detection and remediation

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links