Visualization and analysis of complex security information

US 9,591,028 B2
Filed: 12/13/2013
Issued: 03/07/2017
Est. Priority Date: 09/30/2013
Status: Active Grant

First Claim

Patent Images

1. At least one machine readable non-transitory storage medium having instructions stored thereon for providing intelligent suggestions in visualizing network security data, wherein the instructions when executed by at least one processors cause the at least one processors to perform the following operations:

retrieving the network security data from one or more data sources;

rendering the network security data for display on a user interface as a first force-directed node graph, wherein the first force-directed node graph has the network security data as nodes whose motion and position information are computed using an energy function;

applying principal component analysis on the network security data to reduce dimensionality of the network security data and identify a first set of principal components of the network security data; and

outputting a first message to the user through the user interface suggesting a first filter on the network security data based on the one or more principal components of the network security data.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one example, a visualization data engine may be responsible for rendering the visualization data obtained from the backend data server and providing the user interface (UI) necessary to allow an administrator to analyze the data. An example UI may include the ability to filter, organize, reorganize, and choose the raw data to be transformed. The UI may also provide interactions that expand and compress sections of the dataset, drill into the underlying dataset that is represented to the user, and move the data from one visualization to another.

13 Citations

View as Search Results

20 Claims

1. At least one machine readable non-transitory storage medium having instructions stored thereon for providing intelligent suggestions in visualizing network security data, wherein the instructions when executed by at least one processors cause the at least one processors to perform the following operations:
- retrieving the network security data from one or more data sources;
  
  rendering the network security data for display on a user interface as a first force-directed node graph, wherein the first force-directed node graph has the network security data as nodes whose motion and position information are computed using an energy function;
  
  applying principal component analysis on the network security data to reduce dimensionality of the network security data and identify a first set of principal components of the network security data; and
  
  outputting a first message to the user through the user interface suggesting a first filter on the network security data based on the one or more principal components of the network security data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The at least one machine readable non-transitory storage medium of claim 1, wherein the network security data comprises event counts by a network address.
  - 3. The at least one machine readable non-transitory storage medium of claim 1, wherein the network security data comprises one or more of the following:
    - machine asset information, network topology, reputation data, traffic logs, real-time event streams, malware detection data;
      
      employee records and organizational data.
  - 4. The at least one machine readable non-transitory storage medium of claim 1, wherein the operations further comprises:
    - receiving a first user input indicating a first acceptance to the first message suggesting the first filter;
      
      generating a first filtered network security data by filtering the network security data using a first set of one or more principal components of the network security data; and
      
      rendering the first filtered network security data for display on the user interface as a second force-directed node graph using the energy function.
  - 5. The at least one machine readable non-transitory storage medium of claim 4, wherein the operations further comprises:
    - identifying a second set of principal components of the network security data; and
      
      outputting a second message to the user through the user interface suggesting a second filter based on the second set of principal components of the network security data.
  - 6. The at least one machine readable non-transitory storage medium of claim 5, wherein the operations further comprises:
    - receiving a second user input indicating a second acceptance to the second message suggesting the second filter;
      
      generating a second filtered network security data by filtering the network security data using the second set of principal components of the network security data; and
      
      rendering the second filtered network security data for display on the user interface as a third force-directed node graph using the energy function.
  - 7. The at least one machine readable non-transitory storage medium of claim 1, wherein applying principal component analysis on the network security data comprises:
    - creating a coefficient matrix from the network security data, the coefficient matrix being a m×
      
      n matrix, where m correspond to events and n correspond to network addresses associated with those events, and the coefficient for each network address and event combination is a number equal to the number of times the combination occurred in the network security data;
      
      computing mean of coefficient matrix;
      
      centering the network security data into a centered data matrix based on the mean;
      
      performing singular value decomposition on the centered data matrix; and
      
      selecting a number of principal components to retain for analysis.
  - 8. The at least one machine readable non-transitory storage medium of claim 7, wherein events correspond to the m row variables of the coefficient matrix and network addresses correspond to the n column variables of the coefficient matrix.
  - 9. The at least one machine readable non-transitory storage medium of claim 7, wherein the number of principal components is less than or equal to 12.
  - 10. The at least one machine readable non-transitory storage medium of claim 7, wherein the number of principal components is less than or equal to 9.
  - 11. The at least one machine readable non-transitory storage medium of claim 7, wherein the number of principal components is less than or equal to 7.
  - 12. The at least one machine readable non-transitory storage medium of claim 1, wherein the energy function comprises:
    - model equations for modeling electrostatic forces between data points; and
      
      a procedure for determining the motion and position of the data points using the model equations, partial differential equations, and ordinary differential equations to determine the motion and position of nodes in the graph, wherein the equations are solved using 3-D Fast Fourier Transformations.

13. An apparatus for providing intelligent suggestions in visualizing network security data, the apparatus comprising:
- at least one memory element;
  
  at least one processors coupled to the at least one memory element;
  
  a visualization data engine that when executed by the at least one processors is configured to;
  
  retrieve the network security data from one or more data sources;
  
  determine motion and position information of the network security data as nodes in a first force-directed node graph; and
  
  apply principal component analysis on the network security data to reduce dimensionality of the network security data and identify a first set of principal components of the network security data; and
  
  a visualization display engine that when executed by the at least one processors is configured to;
  
  render the first force-directed node graph for display on a user interface; and
  
  output a first message to the user through the user interface suggesting a first filter on the network security data based on the one or more principal components of the network security data.
- View Dependent Claims (14, 15)
- - 14. The apparatus of claim 13, wherein the network security data comprises event counts organized by network addresses.
  - 15. The apparatus of claim 13, wherein:
    - the visualization data engine is further configured to generate a first filtered network security data by filtering the network security data using a first set of one or more principal components of the network security data; and
      
      the visualization display engine is further configured to;
      
      receive a first user input indicating a first acceptance to the first message suggesting the first filter; and
      
      render the first filtered network security data for display on the user interface as a second force-directed node graph using the energy function.

16. A computerized method for providing intelligent suggestions in visualizing network security data, the method comprising:
- retrieving and processing, using a visualization data engine implemented in one or more processors, the network security data from one or more data sources using at least an energy function to determine motion and position information of the network security data as nodes in a first force-directed node graph;
  
  rendering, using a visualization display engine implemented in one or more processors, the first force-directed node graph for display on a user interface;
  
  applying, using the visualization data engine implemented in one or more processors, principal component analysis on the network security data to identify a first set of principal components of the network security data; and
  
  outputting, using the visualization display engine implemented in one or more processors, a first message to the user through the user interface suggesting a first filter on the network security data based on the one or more principal components of the network security data.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, wherein applying principal component analysis on the network security data comprises:
    - creating a coefficient matrix from the network security data, the coefficient matrix being a m×
      
      n matrix, where m correspond to events and n correspond to network addresses associated with those events, and the coefficient for each network address and event combination is a number equal to the number of times the combination occurred in the network security data;
      
      computing mean of coefficient matrix;
      
      centering the network security data into a centered data matrix based on the mean;
      
      performing singular value decomposition on the centered data matrix; and
      
      selecting a number of principal components to retain for analysis.
  - 18. The method of claim 17, wherein events correspond to the m row variables of the coefficient matrix and network addresses correspond to the n column variables of the coefficient matrix.
  - 19. The method of claim 17, wherein the number of principal components is less than or equal to 9.
  - 20. The method of claim 16, wherein the energy function comprises:
    - model equations for modeling electrostatic forces between data points; and
      
      a procedure for determining the motion and position of the data points using the model equations, partial differential equations, and ordinary differential equations to determine the motion and position of nodes in the graph, wherein the equations are solved using 3-D Fast Fourier Transformations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Babb, Grant, Briercliffe, Matthew, Diercks, Paul, Glamm, Robert P., Koster, Kirby
Primary Examiner(s)
Song, Hosuk

Application Number

US14/780,533
Publication Number

US 20160205137A1
Time in Patent Office

1,180 Days
Field of Search

726 11- 14, 726 22- 23, 713150-154, 709225-225
US Class Current

1/1
CPC Class Codes

G06F 16/26   Visual data mining; Browsin...

G06F 21/552   involving long-term monitor...

G06F 3/04842   Selection of displayed obje...

H04L 63/20   for managing network securi...

Visualization and analysis of complex security information

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Visualization and analysis of complex security information

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links