Techniques for sharing network security event information

US 9,680,846 B2
Filed: 08/06/2015
Issued: 06/13/2017
Est. Priority Date: 02/01/2012
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

at least one computer;

a database representing groups, the database identifying respective clients that are members of each group;

instructions stored on a non-transitory, machine-readable media that when executed cause the at least one computer to;

receive data from a network of a first client via a wide area network, the data received from the network including an operand and a first hash,process the operand iteratively using different cryptographic keys to produce respective second hashes;

identify a match between one of the second hashes and the first hash;

identify one of the groups based at least on the match identified between the one of the second hashes and the first hash;

identify a second client that is a member of the identified group;

query security event data associated with a network of the second client that is a member of the identified group, to detect a correlation with the data from the network of the first client;

responsive to results of the query, identify a threat level associated with the data from the network of the first client; and

report the identified threat level to the first client via the wide area network.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure provides an architecture for sharing information between network security administrators. Events converted to a normalized data format (CCF) are stored in a manner that can be queried by a third party (e.g., an administrator of another, trusted network). Optionally made available as a service, stored event records can be sanitized for third party queries (e.g., by clients of a service maintaining such a repository). In one embodiment, each contributing network encrypts or signs its (sanitized) records using a symmetric key architecture, the key being unique to the contributing network. This key is used (e.g., by the repository) to index a set of permissions or conditions of the contributing network in servicing any query, e.g., by matching a stored hash of the event record or by decrypting the record. The information sharing service can optionally be provided by a hosted information security service or on a peer-to-peer basis.

98 Citations

View as Search Results

19 Claims

1. An apparatus comprising:
- at least one computer;
  
  a database representing groups, the database identifying respective clients that are members of each group;
  
  instructions stored on a non-transitory, machine-readable media that when executed cause the at least one computer to;
  
  receive data from a network of a first client via a wide area network, the data received from the network including an operand and a first hash,process the operand iteratively using different cryptographic keys to produce respective second hashes;
  
  identify a match between one of the second hashes and the first hash;
  
  identify one of the groups based at least on the match identified between the one of the second hashes and the first hash;
  
  identify a second client that is a member of the identified group;
  
  query security event data associated with a network of the second client that is a member of the identified group, to detect a correlation with the data from the network of the first client;
  
  responsive to results of the query, identify a threat level associated with the data from the network of the first client; and
  
  report the identified threat level to the first client via the wide area network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The apparatus of claim 1, wherein:
    - the database stores the security event data associated with the network of the second client that is a member of the identified group;
      
      the instructions when executed, cause the at least one computer to update the security event data responsive to data submitted by the respective clients that are members of the identified group; and
      
      the query is performed based in part on the security event data stored in the database.
  - 3. The apparatus of claim 1, wherein:
    - the instructions, when executed, cause the at least one computer to direct the query to a predetermined network destination respective to each client that is a member of the identified group, and to update the security event data responsive to the data submitted by the respective clients that are members of the identified group in response to the query.
  - 4. The apparatus of claim 3, wherein the instructions when executed, cause the at least one computer to assess a threat level represented by the data from the network of a first client against a threshold, and provided that the threat level meets the threshold, to responsively query the predetermined network destination respective to each client that is a member of the identified group.
  - 5. The apparatus of claim 1, wherein the instructions when executed cause the at least one computer to update the threat level in dependence on at least one of the data received from the network of the first client or the results of the query.
  - 6. The apparatus of claim 1, wherein:
    - the first client is a member of the identified group;
      
      the database stores the cryptographic keys in association with the groups; and
      
      the instructions when executed, cause the at least one computer to query security event data associated with a network of each other client that is a member of the identified group and to identify the threat level in dependence thereon.
  - 7. The apparatus of claim 1, wherein the instructions when executed, cause the at least one computer to provide a user interface respective to each of the clients, the user interface to permit a network administrator for the respective client to update group membership of the respective client, and to responsively update the database to reflect the updated group membership.
  - 8. The apparatus of claim 1, wherein the instructions when executed, cause the at least one computer to send a preconfigured remedial measure to the network of the first client in response to the detected correlation with the security event data, the preconfigured remedial measure to directly implement one or more network rules on a computer in order to impede a network threat represented by the data received from the network of the first client.
  - 9. The apparatus of claim 1, wherein the data received from the network of the first client is in the form of a query received from the network of the first client, and wherein the instructions when executed are to cause the at least one computer to report the updated threat level as part of a response to the query received from the network of the first client.

10. A method of processing security event data from a first client network, the method comprising causing at least one computer to:
- maintain a database representing groups, the database identifying respective clients that are members of each group;
  
  receive data from a network of a first client via a wide area network, the data received from the network of the first client including an operand and a first hash;
  
  process the operand iteratively using different cryptographic keys to produce respective second hashes;
  
  identify a match between one of the second hashes and the first hash;
  
  identify one of the groups based at least on the match identified between the one of the second hashes and first hash, and identify a second client that is a member of the identified group;
  
  query security event data associated with a network of the second client that is a member of the identified group, to detect a correlation with the data from the network of the first client;
  
  responsive to results of the query;
  
  identify a threat level associated with the data from the network of the first client; and
  
  report the identified threat level to the first client via the wide area network.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10, wherein:
    - the database stores the security event data associated with the network of the second client that is a member of the identified group; and
      
      the method further comprisescausing the at least one computer to update the security event data responsive to data submitted by the respective clients that are members of the identified group, andperforming the query based in part on the security event data stored in the database.
  - 12. The method of claim 10, wherein the method further comprises causing the at least one computer to direct the query to a predetermined network destination respective to each client that is a member of the identified group, and to update the security event data responsive to the data submitted by the respective clients that are members of the identified group in response to the query.
  - 13. The method of claim 12, wherein the method further comprises causing the at least one computer to assess a threat level represented by the data from the network of a first client against a threshold and, provided that the threat level meets the threshold, to responsively query the predetermined network destination respective to each client that is a member of the identified group.
  - 14. The method of claim 10, wherein:
    - the first client is a member of the identified group;
      
      the database stores the cryptographic keys in association with the groups; and
      
      the method further comprises causing the at least one computer to query security event data associated with a network of each other client that is a member of the identified group and identify the threat level in dependence thereon.
  - 15. The method of claim 10, wherein the method further comprises causing the at least one computer to provide a user interface respective to each of the clients, the user interface to permit a network administrator for the respective client to update group membership of the respective client, and to responsively update the database to reflect the updated group membership.
  - 16. The method of claim 10, wherein the method further comprises causing the at least one computer to send a preconfigured remedial measure to the network of the first client in response to the level of detected correlation with the security event data, the preconfigured remedial measure to directly implement one or more network rules on a computer in order to impede a network threat represented by the data received from the network of the first client.
  - 17. The method of claim 10, wherein the data received from the network of the first client is in the form of a query received from the network of the first client, and wherein the method further comprises causing the at least one computer to report the updated threat level as part of a response to the query from the network of the first client.

18. A system comprising:
- a storage device storing a database of information representing groups, where the groups are respective subsets of a set of clients identified by the database;
  
  a receiver module configured to receive data from a network of a first client via a wide area network, the data received from the network including an operand and a first hash;
  
  an authority module configured to process the operand iteratively using different cryptographic keys to produce respective second hashes, identify a match between one of the second hashes and the first hash, and, responsive to the match, determine a request in the received data is authorized;
  
  a query module configured to, responsive to the authorized request, access the database to identify one of the groups in dependence on the received data, identify a second client that is a member of the identified group, and query security event data associated with a network of the second client to detect a correlation with the received;
  
  a threat assessment module configured to, responsive to results of the query, determine a threat level associated with the data from the network of the first client; and
  
  a response module configured to report the threat level to the first client via the wide area network.
- View Dependent Claims (19)
- - 19. The system of claim 18, wherein the threat assessment module is configured to assess a threat level represented by the data from the network of a first client against a threshold, and provided that the threat level meets the threshold, to responsively query respective networks of each client that is a member of the identified group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
ServiceNow Incorporated
Inventors
Haugsnes, Andreas Seip
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
BEHESHTI SHIRAZI, SAYED ARESH

Application Number

US14/819,443
Publication Number

US 20160164890A1
Time in Patent Office

677 Days
Field of Search

726 23, 726 25
US Class Current
CPC Class Codes

G06F 16/24   Querying

G06F 16/24575   using context

G06F 16/951   Indexing; Web crawling tech...

G06F 21/552   involving long-term monitor...

H04L 63/104   Grouping of entities

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 67/10   in which an application is ...

Techniques for sharing network security event information

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

98 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for sharing network security event information

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

98 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links