Methods and apparatus for analyzing asynchronous cyber-threat event data using discrete time intervals

US 9,930,059 B1
Filed: 03/31/2016
Issued: 03/27/2018
Est. Priority Date: 03/31/2016
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a global workspace manager implemented in at least one of a memory device or a processor circuit, the global workspace manager, receiving, during operation and from a workspace of a plurality of workspaces, cyber-threat event data including a time of a cyber-threat event associated with a communication network,a global time interval manager implemented in at least one of a memory device or a processor circuit, the global time interval manager selecting, during operation, a discrete time interval including the time of the cyber-threat event, the global time interval manager, recursively dividing, during operation, the discrete time interval into smaller discrete time intervals, the global time interval manager storing, during operation, the smaller discrete time intervals in a time interval queue,the global workspace manager determining, during operation and for each discrete time interval in the time interval queue, a threat score function from a plurality of threat score functions and associated with each discrete time interval in the time interval queue,the global workspace manager calculating, during operation and for each discrete time interval in the time interval queue, a threat score in the time interval queue using the threat score function for that discrete time interval in the time interval queue,the global workspace manager applying, during operation and for each discrete time interval in the time interval queue, the threat score of the discrete time interval to a workspace factor graph defining a set of relationships between each workspace of the plurality of workspaces so as to initiate an update of a threat score for each remaining workspace of the plurality of workspaces based on a relationship between each of the remaining workspaces of the plurality of workspaces, the global workspace manager generating, during operation, an updated workspace factor graph in which each workspace of the plurality of workspaces is associated with an updated threat score, the generating performed without referring to past iterations of the workspace factor graph, andsending a representation of the updated workspace factor graph to a local workspace computer for analysis of the cyber-threat event.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus and methods described herein relate to a global workspace manager that can dynamically update historical cyber-threat data for a network. The global workspace manager can receive cyber-threat event data including a time of a cyber-threat event. The global workspace manager can identify a workspace node in a workspace graph associated with the cyber-threat event data, and can identify a threat score interval including a set of times that includes the time of the cyber-threat event. The global workspace manager can retrieve, from the workspace node, a threat score calculation function associated with the threat score interval, and can calculate a threat score for the workspace node during the threat score interval using the threat score calculation function and the cyber-threat event data. The global workspace manager can calculate a set of threat scores based on the threat score for the workspace nodes, such that each threat score in the set of threat scores is associated with the remaining workspace nodes in the workspace graph.

Citations

7 Claims

1. An apparatus, comprising:
- a global workspace manager implemented in at least one of a memory device or a processor circuit, the global workspace manager, receiving, during operation and from a workspace of a plurality of workspaces, cyber-threat event data including a time of a cyber-threat event associated with a communication network,a global time interval manager implemented in at least one of a memory device or a processor circuit, the global time interval manager selecting, during operation, a discrete time interval including the time of the cyber-threat event, the global time interval manager, recursively dividing, during operation, the discrete time interval into smaller discrete time intervals, the global time interval manager storing, during operation, the smaller discrete time intervals in a time interval queue,the global workspace manager determining, during operation and for each discrete time interval in the time interval queue, a threat score function from a plurality of threat score functions and associated with each discrete time interval in the time interval queue,the global workspace manager calculating, during operation and for each discrete time interval in the time interval queue, a threat score in the time interval queue using the threat score function for that discrete time interval in the time interval queue,the global workspace manager applying, during operation and for each discrete time interval in the time interval queue, the threat score of the discrete time interval to a workspace factor graph defining a set of relationships between each workspace of the plurality of workspaces so as to initiate an update of a threat score for each remaining workspace of the plurality of workspaces based on a relationship between each of the remaining workspaces of the plurality of workspaces, the global workspace manager generating, during operation, an updated workspace factor graph in which each workspace of the plurality of workspaces is associated with an updated threat score, the generating performed without referring to past iterations of the workspace factor graph, andsending a representation of the updated workspace factor graph to a local workspace computer for analysis of the cyber-threat event.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1, further comprising:
    - a local workspace manager implemented in at least one of a memory device or a processor circuit the local workspace manager sending, during operation, a portion of the workspace factor graph including the workspace to a workspace administrator after the threat score for each time interval in the time interval have been applied.
  - 3. The apparatus of claim 1, wherein the global workspace manager stores, during operation, the workspace factor graph after the threat score for each time interval in the time interval have been applied.
  - 4. The apparatus of claim 1, wherein:
    - the workspace is associated with a workspace node in the workspace factor graph; and
      
      the global workspace manager applies, during operation the threat score for each discrete time interval in the time interval queue to the workspace factor graph by;
      
      calculating a threat score for the workspace node in the workspace factor graph based on the threat score for each discrete time interval in the time interval queue; and
      
      calculating a threat score for remaining workspace nodes in the workspace factor graph based on the threat score for the workspace node.
  - 5. The apparatus of claim 1, wherein the discrete time intervals in the time interval queue are ordered in ascending order of discrete time interval size in the time interval queue.
  - 6. The apparatus of claim 1, wherein the discrete time intervals in the time interval queue are ordered based on an earliest time of each discrete time interval.
  - 7. The apparatus of claim 1, wherein the cyber-threat event data is received from a workspace of the plurality of workspaces as a result of a change to a local workspace factor graph including a workspace node associated with the workspace.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lookingglass Cyber Solutions, LLC
Original Assignee
Lookingglass Cyber Solutions, LLC
Inventors
Helmsen, John Joseph, Allen, Ken, Pinney Wood, Christopher Paul
Primary Examiner(s)
Gracia, Gary S

Application Number

US15/087,517
Time in Patent Office

726 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04W 12/61   Time-dependent

Methods and apparatus for analyzing asynchronous cyber-threat event data using discrete time intervals

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

7 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for analyzing asynchronous cyber-threat event data using discrete time intervals

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

7 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links