Automated intelligence graph construction and countermeasure deployment

US 9,886,581 B2
Filed: 02/25/2014
Issued: 02/06/2018
Est. Priority Date: 02/25/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

obtaining, by a computer security company computer system, and over a computer network, computer readable fundamental data;

obtaining, by the computer security company computer system, and over the computer network, computer readable document data;

preparing, using a hardware electronic processor, fundamental instance nodes from the fundamental data,wherein the fundamental instance nodes include a fundamental instance node that is associated with common vulnerability and exposure information;

preparing, using the hardware electronic processor, document nodes from the document data;

preparing, using the hardware electronic processor, edges between nodes of the fundamental instance nodes and the document nodes,wherein an edge, of the edges, comprises a timestamp comprising a time of day, andwherein preparing the edges comprises extracting at least one fundamental data string from a fundamental instance represented by one of the fundamental instance nodes;

storing, in electronic persistent memory, the nodes and the edges in a manner that reflects a graph structure;

causing to be displayed, on a hardware computer monitor, at least a portion of a graph defined by at least one of the nodes and at least one of the edges;

matching a subgraph, comprising the at least one of the nodes and the at least one of the edges, to a pattern of an attack when an additional node or an additional edge is added; and

implementing a countermeasure to the attack.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for providing information security threat assessment and amelioration are disclosed. The techniques may include obtaining fundamental data, obtaining document data, preparing fundamental instance nodes from the fundamental data, preparing document nodes from the document data, preparing edges between at least some of the nodes, storing the nodes and the edges in a manner that reflects a graph structure, and causing to be displayed at least a portion of a graph defined by at least one node and at least one edge.

114 Citations

20 Claims

1. A method comprising:
- obtaining, by a computer security company computer system, and over a computer network, computer readable fundamental data;
  
  obtaining, by the computer security company computer system, and over the computer network, computer readable document data;
  
  preparing, using a hardware electronic processor, fundamental instance nodes from the fundamental data,wherein the fundamental instance nodes include a fundamental instance node that is associated with common vulnerability and exposure information;
  
  preparing, using the hardware electronic processor, document nodes from the document data;
  
  preparing, using the hardware electronic processor, edges between nodes of the fundamental instance nodes and the document nodes,wherein an edge, of the edges, comprises a timestamp comprising a time of day, andwherein preparing the edges comprises extracting at least one fundamental data string from a fundamental instance represented by one of the fundamental instance nodes;
  
  storing, in electronic persistent memory, the nodes and the edges in a manner that reflects a graph structure;
  
  causing to be displayed, on a hardware computer monitor, at least a portion of a graph defined by at least one of the nodes and at least one of the edges;
  
  matching a subgraph, comprising the at least one of the nodes and the at least one of the edges, to a pattern of an attack when an additional node or an additional edge is added; and
  
  implementing a countermeasure to the attack.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein another fundamental instance node, of the fundamental instance nodes, comprises data describing one of:
    - an IP address, a domain name, a uniform resource locator, a file system path, a software vulnerability, a software, a person'"'"'s name, an account handle, an email address, a malware family, an attack campaign, an event, an organization, a network, a file, a country, a region, or an autonomous system number.
  - 3. The method of claim 1, wherein the document nodes include a document node that comprises data describing one of:
    - an intelligence report, a communication, an analysis, or a context.
  - 4. The method of claim 1, wherein preparing the edges comprises selecting an appropriate set of one or more words.
  - 5. The method of claim 1, wherein matching the subgraph is performed periodically.
  - 6. The method of claim 1, further comprising:
    - obtaining a description of the countermeasure to the attack.

7. Non-transitory computer readable media comprising instructions which, when executed by a computer system comprising at least one electronic processor, cause the at least one electronic processor to:
- obtain, over a computer network, computer readable fundamental data;
  
  obtain, over the computer network, computer readable document data;
  
  prepare fundamental instance nodes from the fundamental data,wherein the fundamental instance nodes include a fundamental instance node that is associated with common vulnerability and exposure information;
  
  prepare document nodes from the document data;
  
  prepare edges between nodes of the fundamental instance nodes and the document nodes by extracting at least one fundamental data string from a fundamental instance represented by one of the fundamental instance nodes,wherein an edge, of the edges, comprises a timestamp comprising a time of day;
  
  store, in electronic persistent memory, the nodes and the edges in a manner that reflects a graph structure;
  
  cause to be displayed, on a hardware computer monitor, at least a portion of a graph defined by at least one of the nodes and at least one of the edges;
  
  match a subgraph, comprising the at least one of the nodes and the at least one of the edges, to a pattern of an attack when an additional node or an additional edge is added; and
  
  implement a countermeasure to the attack.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. The non-transitory computer readable media of claim 7, wherein each fundamental instance node comprises data describing one of:
    - an IP address, a domain name, a uniform resource locator, a file system path, a software vulnerability, a software, a person'"'"'s name, an account handle, an email address, a malware family, an attack campaign, an event, an organization, a network, a file, a country, a region, or an autonomous system number.
  - 9. The non-transitory computer readable media of claim 7, wherein the document nodes include a document node that comprises data describing one of:
    - an intelligence report, a communication, an analysis, or a context.
  - 10. The non-transitory computer readable media of claim 7, wherein an appropriate set of one or more words are selected for the edges.
  - 11. The non-transitory computer readable media of claim 7, wherein the instructions, when executed by the computer system comprising the at least one electronic processor, further cause the at least one electronic processor to:
    - obtain a description of the countermeasure to the attack.
  - 12. The non-transitory computer readable media of claim 7, wherein the edge corresponds to a relationship between the fundamental instance and a document represented by one of the document nodes.
  - 13. The non-transitory computer readable media of claim 7, wherein the fundamental instance nodes further include another fundamental instance node that is mentioned by two or more documents represented by two or more of the document nodes.
  - 14. The non-transitory computer readable media of claim 7, wherein another edge, of the edges, is between two nodes of the fundamental instance nodes.
  - 15. The non-transitory computer readable media of claim 7, wherein the countermeasure includes blocking access to a link.

16. A computer system comprising:
- one or more memories; and
  
  one or more processors, communicatively coupled to the one or more memories, to;
  
  obtain, over a computer network, computer readable fundamental data;
  
  obtain, and over the computer network, computer readable document data;
  
  prepare fundamental instance nodes from the fundamental data,wherein the fundamental instance nodes include a fundamental instance node that is associated with common vulnerability and exposure information;
  
  prepare document nodes from the document data;
  
  prepare edges between nodes of the fundamental instance nodes and the document nodes by extracting at least one fundamental data string from a fundamental instance represented by one of the fundamental instance nodes,wherein an edge, of the edges, comprises a timestamp comprising a time of day;
  
  store, in electronic persistent memory, the nodes and the edges in a manner that reflects a graph structure;
  
  cause to be displayed at least a portion of a graph defined by at least one of the nodes and at least one of the edges;
  
  match a subgraph, comprising the at least one of the nodes and the at least one of the edges, to a pattern of an attack when an additional node or an additional edge is added; and
  
  implement a countermeasure to the attack.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer system of claim 16, wherein the edge corresponds to a relationship between the fundamental instance and a document represented by one of the document nodes.
  - 18. The computer system of claim 16, wherein the fundamental instance nodes further include another fundamental instance node that corresponds to a malware family.
  - 19. The computer system of claim 16, wherein the fundamental instance nodes further include another fundamental instance node that is mentioned by two or more documents represented by two or more of the document nodes.
  - 20. The computer system of claim 16, wherein another edge, of the edges, indicates a relations between two fundamental instances that correspond two nodes of the fundamental instance nodes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Solutions Limited (Accenture PLC)
Original Assignee
Accenture Global Solutions Limited (Accenture PLC)
Inventors
Olson, Ryan, Tonn, Trevor
Primary Examiner(s)
Dada, Beemnet
Assistant Examiner(s)
GUNDRY, STEPHEN T

Application Number

US14/190,051
Publication Number

US 20150244734A1
Time in Patent Office

1,442 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

Automated intelligence graph construction and countermeasure deployment

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

114 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Automated intelligence graph construction and countermeasure deployment

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

114 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links