Systems and methods for combined physical and cyber data security

US 9,767,279 B2
Filed: 04/23/2013
Issued: 09/19/2017
Est. Priority Date: 04/23/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by an electronic front-end unit, communication traffic of a computer system from one or more sources;

identifying, by an electronic correlation unit, in the received communication traffic a cyber security event and a physical security event, wherein the cyber security event is an occurrence of unauthorized access to the computer system through the use of malicious software, and wherein the physical security event is an occurrence of unauthorized physical entry into a location where the computer system is physically located; and

identifying, by the electronic correlation unit, an intrusion by correlating the cyber security event and the physical security event by using location-based correlation and identity-based correlation.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for protecting computer systems against intrusion. The disclosed techniques detect intrusions by jointly considering both cyber security events and physical security events. In some embodiments, a correlation subsystem receives information related to the computer system and its physical environment from various information sources in the cyber domain and in the physical domain. The correlation subsystem analyzes the information and identifies both cyber security events and physical security events. The correlation subsystem finds cyber security events and physical security events that are correlative with one another, and uses this correlation to detect intrusions.

22 Citations

View as Search Results

19 Claims

1. A method comprising:
- receiving, by an electronic front-end unit, communication traffic of a computer system from one or more sources;
  
  identifying, by an electronic correlation unit, in the received communication traffic a cyber security event and a physical security event, wherein the cyber security event is an occurrence of unauthorized access to the computer system through the use of malicious software, and wherein the physical security event is an occurrence of unauthorized physical entry into a location where the computer system is physically located; and
  
  identifying, by the electronic correlation unit, an intrusion by correlating the cyber security event and the physical security event by using location-based correlation and identity-based correlation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1, wherein the location-based correlation comprises correlating a first location at which the cyber security event occurred and a second location at which the physical security event occurred.
  - 3. The method according to claim 1, wherein the identity-based correlation comprises correlating a first identity of an individual who carried out the cyber security event and a second identity of the individual who carried out the physical security event.
  - 4. The method according to claim 1, further comprising configuring a security access control rule based on the correlated cyber security event and physical security event.
  - 5. The method according to claim 4, further comprising reconfiguring at least one of a cyber access control system and a physical access control system responsively to the security access control rule.
  - 6. The method according to claim 1, further comprising updating a characteristic behavior pattern of a user of the computer system based on the correlated cyber security event and physical security event.
  - 7. The method according to claim 1, further comprising adapting a correlation criterion based on the correlated first event and second event.
  - 8. The method according to claim 1, further comprising comparing the correlated cyber security event and physical security event to a predefined threat scenario, and issuing an alert when the predefined threat scenario is met.

9. Apparatus, comprising:
- a front-end unit, which is configured to receive communication traffic of a computer system from one or more sources; and
  
  a correlation subsystem, which is configured to;
  
  identify in the received communication traffic a cyber security event and a physical security event, wherein the cyber security event is an occurrence of unauthorized access to the computer system through the use of malicious software, and wherein the physical security event is an occurrence of unauthorized physical entry into a location where the computer system is physically located; and
  
  identify an intrusion by correlating the cyber security event and the physical security event using location-based correlation and identity-based correlation.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus according to claim 9, wherein the location-based correlation comprises correlating a first location at which the cyber security event occurred and a second location at which the physical security event occurred.
  - 11. The apparatus according to claim 9, wherein the identity-based correlation comprises correlating a first identity of an individual who carried out the cyber security event and a second identity of the individual who carried out the physical security event.
  - 12. The apparatus according to claim 9, wherein the correlation subsystem is further configured to set a security access control rule based on the correlated cyber security event and physical security event.
  - 13. The apparatus according to claim 12, wherein the correlation subsystem is further configured to reconfigure at least one of a cyber access control system and a physical access control system responsively to the security access control rule.
  - 14. The apparatus according to claim 9, wherein the correlation subsystem is further configured to update a characteristic behavior pattern of a user of the computer system based on the correlated cyber security event and physical security event.
  - 15. The apparatus according to claim 9, wherein the correlation subsystem is further configured to adapt a correlation criterion based on the correlated cyber security event and physical security event.
  - 16. The apparatus according to claim 9, wherein the correlation subsystem is further configured to compare the correlated cyber security event and physical security event to a predefined threat scenario, and to issue an alert when the predefined threat scenario is met.

17. A non-transitory computer readable medium having stored thereon instructs that, when executed by a processor, direct the processor to:
- receive communication traffic of a computer system from one or more sources;
  
  identify in the received communication traffic a cyber security event and a physical security event, wherein the cyber security event is an occurrence of unauthorized access to the computer system through the use of malicious software, and wherein the physical security event is an occurrence of unauthorized physical entry into a location where the computer system is physically located; and
  
  identify an intrusion by correlating the cyber security event and the physical security event using location-based correlation and identity-based correlation.
- View Dependent Claims (18, 19)
- - 18. The non-transitory computer readable medium of claim 17, further having stored thereon instructs that, when executed by a processor, direct the processor to configure a security access control rule based on the correlated cyber security event and physical security event.
  - 19. The non-transitory computer readable medium of claim 18, further having stored thereon instructs that, when executed by a processor, direct the processor to reconfigure at least one of a cyber access control system and a physical access control system responsively to the security access control rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cognyte Technologies Israel Ltd. (Cognyte Software Ltd.)
Original Assignee
Verint Systems Limited (Verint Systems Incorporated)
Inventors
Hazzani, Gideon
Primary Examiner(s)
Hailu, Teshome

Application Number

US13/868,220
Publication Number

US 20130347060A1
Time in Patent Office

1,610 Days
Field of Search

726 1, 726 25
US Class Current
CPC Class Codes

G06F 21/554 involving event detection a...

Systems and methods for combined physical and cyber data security

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for combined physical and cyber data security

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links