Systems and methods of network security and threat management

US 10,091,229 B2
Filed: 01/09/2009
Issued: 10/02/2018
Est. Priority Date: 01/09/2008
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

performing, by one or more computer systems;

receiving traffic information generated based, at least in part, upon an analysis of packets directed to a plurality of enterprise assets, each of the plurality of enterprise assets coupled to at least one of a plurality of distinct computer networks;

receiving vulnerability information generated based, at least in part, upon a scan of the plurality of distinct computer networks, the scan configured to detect vulnerabilities associated with one or more of the plurality of enterprise assets;

receiving vendor alert information provided by one or more third-party vendors, the vendor alert information related to one or more of the plurality of enterprise assets;

continuously correlating;

the received traffic information, vulnerability information, and vendor alert information; and

each of at least one security threat of one or more security threats occurring within a first period of time with at least one similar security threat occurring within a second period of time to assess a threat potential of the respective security threat of the at least one security threat;

assigning threat points to the one or more security threats based, at least in part, upon the continuous correlation;

dynamically adjusting a priority of each of the one or more security threats and threat points associated with each of the one or more security threats by escalating a security threat with a highest potential to be successful and modifying a risk associated with other security threats based, at least in part, upon the continuous correlation,wherein escalating the security threat with the highest potential to be successful comprises;

identifying, based on the received vulnerability information and an age of the vulnerability information, an enterprise asset of the plurality of enterprise assets being vulnerable to the security threat,wherein a potential for the security threat to be successful against the enterprise asset is based on a degree of vulnerability of the enterprise asset with respect to the security threat and the age of the vulnerability information with respect to the security threat;

associating different security threats of the one or more security threats with different colors, each color being indicative of a different level of priority of a corresponding security threat of the one or more security threats; and

providing the at least one security threat of the one or more security threats for display, wherein each of the at least one security threat is displayed in a color associated with the respective security threat.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure generally provides systems and methods of network security and threat management. An exemplary system includes detection and prevention modules (DPM) designed specifically to collect and transmit suspicious binary network packet data. The collected network packets are sent to a behavioral correlation module to perform automatic behavioral correlation: (1) within each DPM, (2) across all DPMs installed on a network, and (3) across all DPMs installed on all networks. The results of the behavioral correlation are sent to a security dashboard module (SDM), which generally acts as a fully integrated Security Event Management system and collects, correlates, and prioritizes global network alerts, local network alerts, posted vendor alerts, and detected network vulnerabilities with enterprise assets. The SDM could display the results in a user-friendly graphical user interface and has the ability to perform geographic mapping of externally generated threats.

21 Citations

View as Search Results

17 Claims

1. A method, comprising:
- performing, by one or more computer systems;
  
  receiving traffic information generated based, at least in part, upon an analysis of packets directed to a plurality of enterprise assets, each of the plurality of enterprise assets coupled to at least one of a plurality of distinct computer networks;
  
  receiving vulnerability information generated based, at least in part, upon a scan of the plurality of distinct computer networks, the scan configured to detect vulnerabilities associated with one or more of the plurality of enterprise assets;
  
  receiving vendor alert information provided by one or more third-party vendors, the vendor alert information related to one or more of the plurality of enterprise assets;
  
  continuously correlating;
  
  the received traffic information, vulnerability information, and vendor alert information; and
  
  each of at least one security threat of one or more security threats occurring within a first period of time with at least one similar security threat occurring within a second period of time to assess a threat potential of the respective security threat of the at least one security threat;
  
  assigning threat points to the one or more security threats based, at least in part, upon the continuous correlation;
  
  dynamically adjusting a priority of each of the one or more security threats and threat points associated with each of the one or more security threats by escalating a security threat with a highest potential to be successful and modifying a risk associated with other security threats based, at least in part, upon the continuous correlation,wherein escalating the security threat with the highest potential to be successful comprises;
  
  identifying, based on the received vulnerability information and an age of the vulnerability information, an enterprise asset of the plurality of enterprise assets being vulnerable to the security threat,wherein a potential for the security threat to be successful against the enterprise asset is based on a degree of vulnerability of the enterprise asset with respect to the security threat and the age of the vulnerability information with respect to the security threat;
  
  associating different security threats of the one or more security threats with different colors, each color being indicative of a different level of priority of a corresponding security threat of the one or more security threats; and
  
  providing the at least one security threat of the one or more security threats for display, wherein each of the at least one security threat is displayed in a color associated with the respective security threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the packets directed to the plurality of enterprise assets include packets intercepted outside of a firewall, packets intercepted inside the firewall, and packets reaching specific ones of the plurality of enterprise assets.
  - 3. The method of claim 2, wherein the traffic information includes a resource violation message reporting an unknown client'"'"'s attempt to use an unknown protocol.
  - 4. The method of claim 3, wherein assigning the threat points includes upgrading threat points associated with a given security threat in response to the resource violation message being correlated with the vulnerability information.
  - 5. The method of claim 4, wherein assigning the threat points includes upgrading threat points associated with the given security threat in response to the resource violation message being correlated with the vendor alert information.
  - 6. The method of claim 5, wherein the vulnerability information includes an open service port of an enterprise asset.
  - 7. The method of claim 6, wherein assigning the threat points includes upgrading threat points associated with the given security threat in response to the traffic information being correlated with the open service port.
  - 8. The method of claim 7, wherein assigning the threat points includes upgrading an amount of threat points associated with the given security threat in response to the vendor alert information being correlated with the open service port.
  - 9. The method of claim 8, further comprising performing, by the one or more computer systems:
    - issuing an alert to a customer associated with a first of the plurality of distinct networks in response to a detection of the given security threat in a second of the plurality of distinct networks based, at least in part, upon the assigned threat points, the given security threat common to both the first and second of the plurality of the distinct networks, the given security threat having been undetected in the first of the plurality of distinct networks prior to issuing the alert.

10. A network security and threat management system, comprising:
- a computer configured to;
  
  receive traffic information generated based, at least in part, upon an analysis of packets directed to a plurality of enterprise assets, wherein the traffic information includes a resource violation message reporting an unknown client'"'"'s attempt to use an unknown protocol;
  
  receive vulnerability information generated based, at least in part, upon an analysis of one or more of the plurality of enterprise assets;
  
  receive vendor alert information provided by one or more third-party vendors;
  
  continuously correlate;
  
  the received traffic information, vulnerability information, and vendor alert information; and
  
  each of at least one security threat of a plurality of security threats occurring within a first period of time with at least one similar security threat occurring within a second period of time to assess a threat potential of the respective security threat of the at least one security threat to reduce false positives and to enhance threat relevance of the at least one security threat;
  
  assign threat points to each of the plurality of security threats based, at least in part, upon the continuous correlation, wherein to assign the threat points the computer is further configured to;
  
  upgrade the threat points associated with the given security threat in response to the traffic information being correlated with the vulnerability information;
  
  upgrade the threat points associated with the given security threat in response to the traffic information being correlated with the vendor alert information; and
  
  upgrade the threat points associated with the given security threat in response to the vulnerability information being correlated with the vendor alert information;
  
  dynamically adjust a priority of a given one of the plurality of security threats and threat points associated with the given one of the plurality of security threats by escalating a security threat with a highest potential to be successful and modifying a risk associated with other security threats based, at least in part, upon the continuous correlation and upon an age of the given one of the plurality of security threats,wherein escalating the security threat with the highest potential to be successful comprises;
  
  identifying, based on the received vulnerability information and an age of the vulnerability information, an enterprise asset of the plurality of enterprise assets being vulnerable to the security threat and the age of the vulnerability information with respect to the security threat,wherein a potential for the security threat to be successful against the enterprise asset is directly proportional to a degree of vulnerability of the enterprise asset with respect to the security threat;
  
  associate different security threats of the plurality of security threats with different colors, each color being indicative of a different level of priority of a corresponding security threat of the plurality of security threats; and
  
  provide the at least one security threat of the plurality of security threats for display, wherein each of the at least one security threat is displayed in a color associated with the respective security threat.
- View Dependent Claims (11)
- - 11. The system of claim 10, the computer further configured to:
    - issue an alert to a customer associated with a first of a plurality of distinct networks in response to a detection of the given one of the plurality of security threats in a second of the plurality of distinct networks based, at least in part, upon the assigned threat points, the given one of the plurality of security threats corresponding to an identified vulnerability common to both the first and second of the plurality of the distinct networks, the given one of the plurality of security threats having been undetected in the first of the plurality of distinct networks prior to issuing the alert.

12. A method, comprising:
- performing, by one or more computer systems;
  
  receiving traffic information generated based, at least in part, upon an analysis of packets directed to a plurality of enterprise assets, wherein the traffic information includes a resource violation message reporting an unknown client'"'"'s attempt to use an unknown protocol;
  
  receiving vulnerability information generated based, at least in part, upon vulnerabilities detected in one or more of the plurality of enterprise assets;
  
  receiving vendor alert information provided by one or more third-party vendors, the vendor alert information related to one or more of the plurality of enterprise assets;
  
  increasing a security threat level associated with a given one of a plurality of security threats in response to;
  
  the traffic information being correlated with the vulnerability information, the traffic information being correlated with the vendor alert information, and the vulnerability information being correlated with the vendor alert information; and
  
  each of at least one security threat of the plurality of security threats occurring within a first period of time being correlated with at least one similar security threat occurring within a second period of time to assess a threat potential of the respective security threat of the at least one security threat;
  
  dynamically adjusting a priority of each of the plurality of security threats and threat points associated with each of the plurality of security threats by escalating a security threat of the plurality of security threats with highest potential to be successful and modifying a risk associated with other security threats based, at least in part, upon the continuous correlations,wherein escalating the security threat with the highest potential to be successful comprises;
  
  identifying, based on the received vulnerability information and an age of the vulnerability information, an enterprise asset of the plurality of enterprise assets being vulnerable to the security threat,wherein a potential for the security threat to be successful against the enterprise asset is based on a vulnerability of the enterprise asset with respect to the security threat and the age of the vulnerability information with respect to the security threat;
  
  associating different security threats of the plurality of security threats with different colors, each color being indicative of a different level of priority of a corresponding security threat of the plurality of security threats; and
  
  providing the at least one security threat of the plurality of security threats for display, wherein each of the at least one security threat is displayed in a color associated with the respective security threat.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method of claim 12, wherein the packets directed to the plurality of enterprise assets include packets intercepted outside of a firewall, packets intercepted inside the firewall, and packets directed to specific ones of the plurality of enterprise assets.
  - 14. The method of claim 12, wherein the resource violation message is associated with a vulnerability of one of the plurality of enterprise assets.
  - 15. The method of claim 14, wherein the vulnerability information includes an open service port of the one of the plurality of enterprise assets.
  - 16. The method of claim 12, wherein ones of the plurality of enterprise assets are coupled to distinct computer networks.
  - 17. The method of claim 16, further comprising:
    - performing, by the one or more computer systems;
      
      issuing an alert to a customer associated with a first of the distinct networks in response to a detection of the given one of the plurality of security threats in a second of the distinct networks based, at least in part, upon the assigned threat points, the given one of the plurality of security threats common to both the first and the second of the distinct networks, the given one of the plurality of security threats having been undetected in the first of the distinct networks prior to issuing the alert.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Masergy Communications Incorporated (Comcast Corporation)
Original Assignee
Masergy Communications Incorporated (Comcast Corporation)
Inventors
Stute, Michael Roy, Paly, Scott S.
Primary Examiner(s)
Colin, Carl G
Assistant Examiner(s)
Lavelle, Gary E

Application Number

US12/351,645
Publication Number

US 20090178139A1
Time in Patent Office

3,553 Days
Field of Search

726 2, 726 13, 726 21- 25, 726188, 713188
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06Q 10/109   Time management, e.g. calen...

H04L 63/0209   Architectural arrangements,...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

Systems and methods of network security and threat management

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods of network security and threat management

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links