Intrusion assessment system

US 10,049,208 B2
Filed: 12/03/2015
Issued: 08/14/2018
Est. Priority Date: 12/03/2015
Status: Active Grant

First Claim

Patent Images

1. An intrusion assessment apparatus comprising:

a memory configured to store;

a first email that indicates a first network intrusion;

a second email;

a first keyword pertaining to network intrusions;

a second keyword pertaining to network intrusions; and

a third keyword pertaining to network intrusions; and

a processor communicatively coupled to the memory, the processor configured to;

determine a number of occurrences of the first keyword in the first email;

determine a number of occurrences of the first keyword in the second email;

determine a number of occurrences of the second keyword in the first email;

determine a number of occurrences of the second keyword in the second email;

determine a number of occurrences of the third keyword in the first email;

determine a number of occurrences of the third keyword in the second email;

based on the number of occurrences of the first, second, and third keywords in the first and second emails, assign the first email to a first cluster and the second email to a second cluster;

determine a per-record average number of occurrences of the first keyword in a plurality of emails assigned to the first cluster and in a plurality of emails assigned to the second cluster;

determine a per-record average number of occurrences of the second keyword in the plurality of emails assigned to the first cluster and in the plurality of emails assigned to the second cluster;

determine a per-record average number of occurrences of the third keyword in the plurality of emails assigned to the first cluster and in the plurality of emails assigned to the second cluster;

receive a search request indicating the first, second, and third keywords and an emphasis value for each of the first, second, and third keywords, the search request pertaining to a second network intrusion;

determine, based on the per-record average numbers of occurrences of the first, second, and third keywords in the plurality of emails assigned to the first cluster and in the plurality of emails assigned to the second cluster, that the first cluster should be returned in response to the request;

transmit, based on the determination that the first cluster should be returned, the first email indicating the first network intrusion; and

implement, based on the first email, a process to prevent the second network intrusion.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intrusion assessment apparatus includes a memory and a processor. The memory stores first and second records and first, second, and third keywords. The processor determines a number of occurrences of the first, second, and third keywords in the first and second records and assigns the first record to a first cluster and the second record to a second cluster. The processor also determines a per-record average number of occurrences of the keywords in a plurality of records assigned to the first cluster and in a plurality of records assigned to the second cluster and receives a search request indicating the keywords and an emphasis value for each keyword. The processor also determines that the first cluster should be returned in response to the request and transmits, based on that determination, the first record.

13 Citations

18 Claims

1. An intrusion assessment apparatus comprising:
- a memory configured to store;
  
  a first email that indicates a first network intrusion;
  
  a second email;
  
  a first keyword pertaining to network intrusions;
  
  a second keyword pertaining to network intrusions; and
  
  a third keyword pertaining to network intrusions; and
  
  a processor communicatively coupled to the memory, the processor configured to;
  
  determine a number of occurrences of the first keyword in the first email;
  
  determine a number of occurrences of the first keyword in the second email;
  
  determine a number of occurrences of the second keyword in the first email;
  
  determine a number of occurrences of the second keyword in the second email;
  
  determine a number of occurrences of the third keyword in the first email;
  
  determine a number of occurrences of the third keyword in the second email;
  
  based on the number of occurrences of the first, second, and third keywords in the first and second emails, assign the first email to a first cluster and the second email to a second cluster;
  
  determine a per-record average number of occurrences of the first keyword in a plurality of emails assigned to the first cluster and in a plurality of emails assigned to the second cluster;
  
  determine a per-record average number of occurrences of the second keyword in the plurality of emails assigned to the first cluster and in the plurality of emails assigned to the second cluster;
  
  determine a per-record average number of occurrences of the third keyword in the plurality of emails assigned to the first cluster and in the plurality of emails assigned to the second cluster;
  
  receive a search request indicating the first, second, and third keywords and an emphasis value for each of the first, second, and third keywords, the search request pertaining to a second network intrusion;
  
  determine, based on the per-record average numbers of occurrences of the first, second, and third keywords in the plurality of emails assigned to the first cluster and in the plurality of emails assigned to the second cluster, that the first cluster should be returned in response to the request;
  
  transmit, based on the determination that the first cluster should be returned, the first email indicating the first network intrusion; and
  
  implement, based on the first email, a process to prevent the second network intrusion.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The intrusion assessment apparatus of claim 1, wherein determining that the first cluster should be returned, comprises:
    - determining a difference between the emphasis value of the first keyword and the average number of occurrences of the first keyword in the plurality of emails assigned to the first cluster;
      
      determining a difference between the emphasis value of the first keyword and the average number of occurrences of the first keyword in the plurality of emails assigned to the second cluster;
      
      determining a difference between the emphasis value of the second keyword and the average number of occurrences of the second keyword in the plurality of emails assigned to the first cluster;
      
      determining a difference between the emphasis value of the second keyword and the average number of occurrences of the second keyword in the plurality of emails assigned to the second cluster;
      
      determining a difference between the emphasis value of the third keyword and the average number of occurrences of the third keyword in the plurality of emails assigned to the first cluster;
      
      determining a difference between the emphasis value of the third keyword and the average number of occurrences of the third keyword in the plurality of emails assigned to the second cluster;
      
      determining the root mean square of the determined differences for the first, second, and third keywords in the plurality of emails assigned to the first cluster;
      
      determining the root mean square of the determined differences for the first, second, and third keywords in the plurality of emails assigned to the second cluster;
      
      determining that the root mean square for the first cluster is less than the root mean square for the second cluster; and
      
      in response to the determination that the root mean square of the first cluster is less than the root mean square for the second cluster, transmit the first email.
  - 3. The intrusion assessment apparatus of claim 1, wherein a number of clusters is determined using K-Means clustering.
  - 4. The intrusion assessment apparatus of claim 1, wherein the first keyword comprises a keyphrase.
  - 5. The intrusion assessment apparatus of claim 1, wherein the processor is further configured to communicate an alert indicating the plurality of emails of the first cluster.
  - 6. The intrusion assessment apparatus of claim 1, wherein the processor is further configured to determine a relevance value for the first email by determining:
    - a difference between the number of occurrences in the first email of the first keyword and the determined average number of occurrences of the first keyword in the plurality of emails assigned to the first cluster;
      
      a difference between the number of occurrences in the first email of the second keyword and the determined average number of occurrences of the second keyword in the plurality of emails assigned to the first cluster; and
      
      a difference between the number of occurrences in the first email of the third keyword and the determined average number of occurrences of the third keyword in the plurality of emails assigned to the first cluster.

7. A method comprising:
- storing;
  
  a first email that indicates a first network intrusion;
  
  a second email;
  
  a first keyword pertaining to network intrusions;
  
  a second keyword pertaining to network intrusions; and
  
  a third keyword pertaining to network intrusions;
  
  determining a number of occurrences of the first keyword in the first email;
  
  determining a number of occurrences of the first keyword in the second email;
  
  determining a number of occurrences of the second keyword in the first email;
  
  determining a number of occurrences of the second keyword in the second email;
  
  determining a number of occurrences of the third keyword in the first email;
  
  determining a number of occurrences of the third keyword in the second email;
  
  based on the number of occurrences of the first, second, and third keywords in the first and second emails, assigning the first email to a first cluster and the second email to a second cluster;
  
  determining a per-record average number of occurrences of the first keyword in a plurality of emails assigned to the first cluster and in a plurality of emails assigned to the second cluster;
  
  determining a per-record average number of occurrences of the second keyword in the plurality of emails assigned to the first cluster and in the plurality of emails assigned to the second cluster;
  
  determining a per-record average number of occurrences of the third keyword in the plurality of emails assigned to the first cluster and in the plurality of records assigned to the second cluster;
  
  receiving a search request indicating the first, second, and third keywords and an emphasis value for each of the first, second, and third keywords, the search request pertaining to a second network intrusion;
  
  determining, based on the per-record average numbers of occurrences of the first, second, and third keywords in the plurality of emails assigned to the first cluster and in the plurality of emails assigned to the second cluster, that the first cluster should be returned in response to the request; and
  
  transmitting, based on the determination that the first cluster should be returned, the first email indicating the first network intrusion; and
  
  implementing, based on the first email, a process to prevent the second network intrusion.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein determining that the first cluster should be returned, comprises:
    - determining a difference between the emphasis value of the first keyword and the average number of occurrences of the first keyword in the plurality of emails assigned to the first cluster;
      
      determining a difference between the emphasis value of the first keyword and the average number of occurrences of the first keyword in the plurality of emails assigned to the second cluster;
      
      determining a difference between the emphasis value of the second keyword and the average number of occurrences of the second keyword in the plurality of emails assigned to the first cluster;
      
      determining a difference between the emphasis value of the second keyword and the average number of occurrences of the second keyword in the plurality of emails assigned to the second cluster;
      
      determining a difference between the emphasis value of the third keyword and the average number of occurrences of the third keyword in the plurality of emails assigned to the first cluster;
      
      determining a difference between the emphasis value of the third keyword and the average number of occurrences of the third keyword in the plurality of emails assigned to the second cluster;
      
      determining the root mean square of the determined differences for the first, second, and third keywords in the plurality of emails assigned to the first cluster;
      
      determining the root mean square of the determined differences for the first, second, and third keywords in the plurality of emails assigned to the second cluster;
      
      determining that the root mean square for the first cluster is less than the root mean square for the second cluster; and
      
      in response to the determination that the root mean square of the first cluster is less than the root mean square for the second cluster, transmit the first email.
  - 9. The method of claim 7, wherein a number of clusters is determined using K-Means clustering.
  - 10. The method of claim 7, wherein the first keyword comprises a keyphrase.
  - 11. The method of claim 7, further comprising communicating an alert indicating the plurality of emails of the first cluster.
  - 12. The method of claim 7, further comprising determining a relevance value for the first email by determining:
    - a difference between the number of occurrences in the first email of the first keyword and the determined average number of occurrences of the first keyword in the plurality of emails assigned to the first cluster;
      
      a difference between the number of occurrences in the first email of the second keyword and the determined average number of occurrences of the second keyword in the plurality of emails assigned to the first cluster; and
      
      a difference between the number of occurrences in the first email of the third keyword and the determined average number of occurrences of the third keyword in the plurality of emails assigned to the first cluster.

13. One or more computer-readable non-transitory storage media embodying software that is operable when executed to:
- store;
  
  a first email that indicates a first network intrusion;
  
  a second email;
  
  a first keyword pertaining to network intrusions;
  
  a second keyword pertaining to network intrusions; and
  
  a third keyword pertaining to network intrusions;
  
  determine a number of occurrences of the first keyword in the first email;
  
  determine a number of occurrences of the first keyword in the second email;
  
  determine a number of occurrences of the second keyword in the first email;
  
  determine a number of occurrences of the second keyword in the second email;
  
  determine a number of occurrences of the third keyword in the first email;
  
  determine a number of occurrences of the third keyword in the second email;
  
  based on the number of occurrences of the first, second, and third keywords in the first and second emails, assign the first email to a first cluster and the second email to a second cluster;
  
  determine a per-record average number of occurrences of the first keyword in a plurality of emails assigned to the first cluster and in a plurality of emails assigned to the second cluster;
  
  determine a per-record average number of occurrences of the second keyword in the plurality of emails assigned to the first cluster and in the plurality of emails assigned to the second cluster;
  
  determine a per-record average number of occurrences of the third keyword in the plurality of emails assigned to the first cluster and in the plurality of emails assigned to the second cluster;
  
  receive a search request indicating the first, second, and third keywords and an emphasis value for each of the first, second, and third keywords, the search request pertaining to a second network intrusion;
  
  determine, based on the per-record average numbers of occurrences of the first, second, and third keywords in the plurality of emails assigned to the first cluster and in the plurality of emails assigned to the second cluster, that the first cluster should be returned in response to the request; and
  
  transmit, based on the determination that the first cluster should be returned, the first email indicating the first network intrusion; and
  
  implement, based on the first email, a process to prevent the second network intrusion.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The media of claim 13, wherein determining that the first cluster should be returned, comprises:
    - determining a difference between the emphasis value of the first keyword and the average number of occurrences of the first keyword in the plurality of emails assigned to the first cluster;
      
      determining a difference between the emphasis value of the first keyword and the average number of occurrences of the first keyword in the plurality of emails assigned to the second cluster;
      
      determining a difference between the emphasis value of the second keyword and the average number of occurrences of the second keyword in the plurality of emails assigned to the first cluster;
      
      determining a difference between the emphasis value of the second keyword and the average number of occurrences of the second keyword in the plurality of emails assigned to the second cluster;
      
      determining a difference between the emphasis value of the third keyword and the average number of occurrences of the third keyword in the plurality of emails assigned to the first cluster;
      
      determining a difference between the emphasis value of the third keyword and the average number of occurrences of the third keyword in the plurality of emails assigned to the second cluster;
      
      determining the root mean square of the determined differences for the first, second, and third keywords in the plurality of emails assigned to the first cluster;
      
      determining the root mean square of the determined differences for the first, second, and third keywords in the plurality of emails assigned to the second cluster;
      
      determining that the root mean square for the first cluster is less than the root mean square for the second cluster; and
      
      in response to the determination that the root mean square of the first cluster is less than the root mean square for the second cluster, transmit the first email.
  - 15. The media of claim 13, wherein a number of clusters is determined using K-Means clustering.
  - 16. The media of claim 13, wherein the first keyword comprises a keyphrase.
  - 17. The media of claim 13, wherein the software is further operable when executed to communicate an alert indicating the plurality of emails of the first cluster.
  - 18. The media of claim 13, wherein the software is further operable when executed to determine a relevance value for the first email by determining:
    - a difference between the number of occurrences in the first email of the first keyword and the determined average number of occurrences of the first keyword in the plurality of emails assigned to the first cluster;
      
      a difference between the number of occurrences in the first email of the second keyword and the determined average number of occurrences of the second keyword in the plurality of emails assigned to the first cluster; and
      
      a difference between the number of occurrences in the first email of the third keyword and the determined average number of occurrences of the third keyword in the plurality of emails assigned to the first cluster.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Kern, Daniel C., Sun, Adam Z.
Primary Examiner(s)
Vaughan, Michael R

Application Number

US14/958,578
Publication Number

US 20170161494A1
Time in Patent Office

985 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 2221/034   Test or assess a computer o...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Intrusion assessment system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

13 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion assessment system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links