Intrusion assessment system
First Claim
1. An intrusion assessment apparatus comprising:
a memory configured to store:
a first email that indicates a first network intrusion;
a second email;
a first keyword pertaining to network intrusions;
a second keyword pertaining to network intrusions; and
a third keyword pertaining to network intrusions; and
a processor communicatively coupled to the memory, the processor configured to:
determine a number of occurrences of the first keyword in the first email;
determine a number of occurrences of the first keyword in the second email;
determine a number of occurrences of the second keyword in the first email;
determine a number of occurrences of the second keyword in the second email;
determine a number of occurrences of the third keyword in the first email;
determine a number of occurrences of the third keyword in the second email;
based on the number of occurrences of the first, second, and third keywords in the first and second emails, assign the first email to a first cluster and the second email to a second cluster;
determine a per-record average number of occurrences of the first keyword in a plurality of emails assigned to the first cluster and in a plurality of emails assigned to the second cluster;
determine a per-record average number of occurrences of the second keyword in the plurality of emails assigned to the first cluster and in the plurality of emails assigned to the second cluster;
determine a per-record average number of occurrences of the third keyword in the plurality of emails assigned to the first cluster and in the plurality of emails assigned to the second cluster;
receive a search request indicating the first, second, and third keywords and an emphasis value for each of the first, second, and third keywords, the search request pertaining to a second network intrusion;
determine, based on the per-record average numbers of occurrences of the first, second, and third keywords in the plurality of emails assigned to the first cluster and in the plurality of emails assigned to the second cluster, that the first cluster should be returned in response to the request;
transmit, based on the determination that the first cluster should be returned, the first email indicating the first network intrusion; and
implement, based on the first email, a process to prevent the second network intrusion.
1 Assignment
0 Petitions
Abstract
An intrusion assessment apparatus includes a memory and a processor. The memory stores first and second records and first, second, and third keywords. The processor determines a number of occurrences of the first, second, and third keywords in the first and second records and assigns the first record to a first cluster and the second record to a second cluster. The processor also determines a per-record average number of occurrences of the keywords in a plurality of records assigned to the first cluster and in a plurality of records assigned to the second cluster and receives a search request indicating the keywords and an emphasis value for each keyword. The processor also determines that the first cluster should be returned in response to the request and transmits, based on that determination, the first record.
13 Citations
18 Claims
7. A method comprising:
storing:
a first email that indicates a first network intrusion;
a second email;
a first keyword pertaining to network intrusions;
a second keyword pertaining to network intrusions; and
a third keyword pertaining to network intrusions;
determining a number of occurrences of the first keyword in the first email;
determining a number of occurrences of the first keyword in the second email;
determining a number of occurrences of the second keyword in the first email;
determining a number of occurrences of the second keyword in the second email;
determining a number of occurrences of the third keyword in the first email;
determining a number of occurrences of the third keyword in the second email;
based on the number of occurrences of the first, second, and third keywords in the first and second emails, assigning the first email to a first cluster and the second email to a second cluster;
determining a per-record average number of occurrences of the first keyword in a plurality of emails assigned to the first cluster and in a plurality of emails assigned to the second cluster;
determining a per-record average number of occurrences of the second keyword in the plurality of emails assigned to the first cluster and in the plurality of emails assigned to the second cluster;
determining a per-record average number of occurrences of the third keyword in the plurality of emails assigned to the first cluster and in the plurality of records assigned to the second cluster;
receiving a search request indicating the first, second, and third keywords and an emphasis value for each of the first, second, and third keywords, the search request pertaining to a second network intrusion;
determining, based on the per-record average numbers of occurrences of the first, second, and third keywords in the plurality of emails assigned to the first cluster and in the plurality of emails assigned to the second cluster, that the first cluster should be returned in response to the request; and
transmitting, based on the determination that the first cluster should be returned, the first email indicating the first network intrusion; and
implementing, based on the first email, a process to prevent the second network intrusion.
Dependent claims: 8, 9, 10, 11, 12
13. One or more computer-readable non-transitory storage media embodying software that is operable when executed to:
store:
a first email that indicates a first network intrusion;
a second email;
a first keyword pertaining to network intrusions;
a second keyword pertaining to network intrusions; and
a third keyword pertaining to network intrusions;
determine a number of occurrences of the first keyword in the first email;
determine a number of occurrences of the first keyword in the second email;
determine a number of occurrences of the second keyword in the first email;
determine a number of occurrences of the second keyword in the second email;
determine a number of occurrences of the third keyword in the first email;
determine a number of occurrences of the third keyword in the second email;
based on the number of occurrences of the first, second, and third keywords in the first and second emails, assign the first email to a first cluster and the second email to a second cluster;
determine a per-record average number of occurrences of the first keyword in a plurality of emails assigned to the first cluster and in a plurality of emails assigned to the second cluster;
determine a per-record average number of occurrences of the second keyword in the plurality of emails assigned to the first cluster and in the plurality of emails assigned to the second cluster;
determine a per-record average number of occurrences of the third keyword in the plurality of emails assigned to the first cluster and in the plurality of emails assigned to the second cluster;
receive a search request indicating the first, second, and third keywords and an emphasis value for each of the first, second, and third keywords, the search request pertaining to a second network intrusion;
determine, based on the per-record average numbers of occurrences of the first, second, and third keywords in the plurality of emails assigned to the first cluster and in the plurality of emails assigned to the second cluster, that the first cluster should be returned in response to the request; and
transmit, based on the determination that the first cluster should be returned, the first email indicating the first network intrusion; and
implement, based on the first email, a process to prevent the second network intrusion.
Dependent claims: 14, 15, 16, 17, 18
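The pipeline the independent claims describe (count keyword occurrences per record, cluster the count vectors, compute per-cluster per-record averages, then rank clusters by an emphasis-weighted score and return the intrusion-indicating records of the winning cluster), as an added illustration that is not the patent's own code. The keywords, sample emails and the choice of two-cluster k-means are assumptions; the claims do not fix a clustering algorithm.

```python
"""Added example of the claimed intrusion-assessment flow (not the patent's code)."""
import re
from collections import Counter

KEYWORDS = ("phishing", "credential", "lateral")   # constructed sample keywords
EMAILS = [  # constructed sample records: (text, indicates_intrusion)
    ("IR ticket: phishing campaign, phishing lure stole a credential, lateral movement seen", True),
    ("Training deck: how phishing and credential theft work, credential hygiene", False),
    ("Quarterly newsletter: cafeteria menu and parking changes", False),
    ("Facilities notice: lateral parking lot closed Friday", False),
]

def keyword_counts(text, keywords=KEYWORDS):
    """Occurrences of each keyword in one record (whole word, case-insensitive)."""
    words = Counter(re.findall(r"[a-z]+", text.lower()))
    return [words[k] for k in keywords]

def sqdist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def cluster(vectors, rounds=10):
    """Two-cluster k-means over count vectors; seeds are record 0 and the record farthest from it."""
    centroids = [list(vectors[0]), list(max(vectors, key=lambda v: sqdist(v, vectors[0])))]
    labels = [0] * len(vectors)
    for _ in range(rounds):
        labels = [min((0, 1), key=lambda c: sqdist(v, centroids[c])) for v in vectors]
        for c in (0, 1):
            members = [v for v, l in zip(vectors, labels) if l == c]
            if members:
                centroids[c] = [sum(col) / len(members) for col in zip(*members)]
    return labels

def per_record_averages(vectors, labels):
    """Per cluster, the average occurrence count of each keyword (the claims' 'per-record average')."""
    avgs = {}
    for c in sorted(set(labels)):
        members = [v for v, l in zip(vectors, labels) if l == c]
        avgs[c] = [sum(col) / len(members) for col in zip(*members)]
    return avgs

def search(emails, emphasis, keywords=KEYWORDS):
    """Score each cluster as sum(emphasis * average count) and return the best cluster's
    intrusion-indicating records, i.e. what the apparatus transmits for the request."""
    vectors = [keyword_counts(text, keywords) for text, _ in emails]
    labels = cluster(vectors)
    avgs = per_record_averages(vectors, labels)
    weights = [emphasis[k] for k in keywords]
    best = max(avgs, key=lambda c: sum(w * a for w, a in zip(weights, avgs[c])))
    return [text for (text, intrusion), l in zip(emails, labels) if l == best and intrusion]
```

With emphasis on "credential", the cluster holding the incident ticket and the training deck wins, but only the ticket is returned because the deck does not indicate an intrusion.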
Specification