Multi-node affinity-based examination for computer network security remediation

US 9,762,599 B2
Filed: 11/10/2016
Issued: 09/12/2017
Est. Priority Date: 01/29/2016
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a query that comprises a selection of Internet protocol (IP) addresses belonging to nodes within a network;

obtaining characteristics for the nodes;

determining communications between the nodes and communications between the nodes and any other nodes not included in the selection of IP addresses;

determining a primary affinity indicative of the communications between the nodes and a secondary affinity indicative of the communications between the nodes and the other nodes not included in the selection of IP addresses, the primary affinity and the secondary affinity further indicative of a frequency of communications between nodes;

generating a graphical user interface (GUI) that comprises representations of the nodes in the selection of IP addresses and the other nodes not included in the selection of IP addresses;

placing links between the representations of the nodes in the selection of IP addresses and the representations of the other nodes not included in the selection of IP addresses based on the primary affinity and the secondary affinity;

providing the GUI to a user;

applying at least one of a cyber security policy or a network ruleset;

altering the representations for nodes that fail to comply with the cyber security policy or the network ruleset such that the representations are visually distinct compared to the nodes that comply with the cyber security policy or the network ruleset;

receiving user input associated with either one of the nodes or one of the links; and

sending a message in response to the user input, the message including instructions to bring at least one of the nodes that fail to comply with the cyber security policy or the network ruleset into compliance with the cyber security policy or the network ruleset.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Multi-node affinity-based examination for computer network security remediation is provided herein. Exemplary methods may include receiving a query that includes a selection of Internet protocol (IP) addresses belonging to nodes within a network, obtaining characteristics for the nodes, determining communications between the nodes and communications between the nodes and any other nodes not included in the selection, determining a primary affinity indicative of communication between the nodes and a secondary affinity indicative of communication between the nodes and the other nodes not included in the selection, and generating a graphical user interface (GUI) that includes representations of the nodes in the range and the other nodes outside the range, placing links between the nodes in the selection and the other nodes not included in the selection based on the primary affinity and the secondary affinity, and providing the graphical user interface to a user.

Citations

18 Claims

1. A method, comprising:
- receiving a query that comprises a selection of Internet protocol (IP) addresses belonging to nodes within a network;
  
  obtaining characteristics for the nodes;
  
  determining communications between the nodes and communications between the nodes and any other nodes not included in the selection of IP addresses;
  
  determining a primary affinity indicative of the communications between the nodes and a secondary affinity indicative of the communications between the nodes and the other nodes not included in the selection of IP addresses, the primary affinity and the secondary affinity further indicative of a frequency of communications between nodes;
  
  generating a graphical user interface (GUI) that comprises representations of the nodes in the selection of IP addresses and the other nodes not included in the selection of IP addresses;
  
  placing links between the representations of the nodes in the selection of IP addresses and the representations of the other nodes not included in the selection of IP addresses based on the primary affinity and the secondary affinity;
  
  providing the GUI to a user;
  
  applying at least one of a cyber security policy or a network ruleset;
  
  altering the representations for nodes that fail to comply with the cyber security policy or the network ruleset such that the representations are visually distinct compared to the nodes that comply with the cyber security policy or the network ruleset;
  
  receiving user input associated with either one of the nodes or one of the links; and
  
  sending a message in response to the user input, the message including instructions to bring at least one of the nodes that fail to comply with the cyber security policy or the network ruleset into compliance with the cyber security policy or the network ruleset.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method according to claim 1, in which the GUI is configured such that the representations of the nodes in the selection of IP addresses and the representations of the other nodes not included in the selection of IP addresses are included in a display of the GUI at a maximum zoom value.
  - 3. The method according to claim 2, in which the GUI is selectively altered to remove representations of nodes inside one or more boundaries based on user manipulation of the one or more boundaries.
  - 4. The method according to claim 1, in which the nodes in the selection of IP addresses are associated with a same application.
  - 5. The method according to claim 1, further comprising:
    - receiving a selection of one of the nodes; and
      
      displaying the characteristics for the node.
  - 6. The method according to claim 1, further comprising:
    - receiving a selection of one of the links; and
      
      displaying details of the communications including communication protocol information, packet information, and communication frequency.
  - 7. The method according to claim 1, in which:
    - a proximity of the representations of the nodes in the selection of IP addresses to one another in the GUI is based on the primary affinity; and
      
      a proximity of the representations of the other nodes not included in the selection of IP addresses to the representations of the nodes in the selection of IP addresses in the GUI is based on the secondary affinity.
  - 8. The method according to claim 1, in which the altering the representations includes color coding any of the representations of the nodes or the links based on compliance of the nodes or the links with the cyber security policy or the network ruleset.
  - 9. The method according to claim 1, further comprising:
    - generating an updated cyber security policy based on the user input, the user input comprising any of selection, movement, and deletion; and
      
      applying the updated cyber security policy to the network.
  - 10. The method according to claim 9, in which the updated cyber security policy indicates that communications between the nodes is forbidden in response to a user removing a link between the nodes.
  - 11. The method according to claim 1, in which the communications determined are selected from a timeframe included in the query.
  - 12. The method according to claim 1, in which the representations of the nodes in the selection of IP addresses are visually distinct from the representations of the other nodes not included in the selection of IP addresses.
  - 13. The method according to claim 1, in which the nodes in the selection of IP addresses are each associated with a layer 7 application protocol that processes sensitive information.
  - 14. The method according to claim 1, in which at least a portion of the nodes are edge nodes and the representations of the edge nodes are visually distinct from the remaining nodes.

15. A system, comprising:
- a query processing module that;
  
  receives a query that comprises a selection of Internet protocol (IP) addresses belonging to nodes within a network;
  
  a data gathering module that;
  
  obtains characteristics for the nodes; and
  
  determines communications between the nodes and communications between the nodes and any other nodes not included in the selection of IP addresses;
  
  an affinity analysis module that;
  
  determines a primary affinity indicative of the communications between the nodes and a secondary affinity indicative of the communications between the nodes and the other nodes not included in the selection of IP addresses, the primary affinity and the secondary affinity further indicative of a frequency of communications between nodes;
  
  a graphics engine that;
  
  generates a graphical user interface (GUI) that comprises representations of the nodes in the selection of IP addresses and the other nodes not included in the selection of IP addresses;
  
  places links between the representations of the nodes in the selection of IP addresses and the representations of the other nodes not included in the selection of IP addresses based on the primary affinity and the secondary affinity; and
  
  provides the GUI to a user; and
  
  a security module that;
  
  applies at least one of a cyber security policy or a network ruleset;
  
  receives user input associated with either one of the nodes or one of the links; and
  
  sends a message in response to the user input, the message including instructions to bring at least one of the nodes that fail to comply with the cyber security policy or the network ruleset into compliance with the cyber security policy or the network ruleset.
- View Dependent Claims (16, 17, 18)
- - 16. The system according to claim 15, further comprising a physics engine that generates the GUI based on a display size in such a way that all nodes are included in the display size at a maximum zoom value even when the nodes are moved around the GUI by the user.
  - 17. The system according to claim 15, in which the security module further:
    - alters the representations for nodes that fail to comply with the cyber security policy or the network ruleset such that the representations are visually distinct compared to the nodes that comply with the cyber security policy or the network ruleset.
  - 18. The system according to claim 15, in which the security module further:
    - generates an updated cyber security policy based on the user input, the user input comprising any of selection, movement, editing, and deletion; and
      
      applies the updated cyber security policy to the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
vArmour Networks Inc
Original Assignee
vArmour Networks Inc
Inventors
Wager, Ryan, Yarochkin, Fyodor, Yu, Rudin, Jones, Darren
Primary Examiner(s)
Korsak, Oleg

Application Number

US15/348,978
Publication Number

US 20170223033A1
Time in Patent Office

306 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 3/0482   Interaction with lists of s...

G06F 3/04845   for image manipulation, e.g...

H04L 41/22   comprising specially adapte...

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

Multi-node affinity-based examination for computer network security remediation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-node affinity-based examination for computer network security remediation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links