Associations among data records in a security information sharing platform

US 10,764,329 B2
Filed: 09/25/2015
Issued: 09/01/2020
Est. Priority Date: 09/25/2015
Status: Active Grant

First Claim

Patent Images

1. A method for creating associations among data records in a security information sharing platform, the method comprising:

determining, by a processor in a security information sharing platform that enables sharing of security information among a plurality of users, a number of sightings of a first observable by members of a particular group of users, wherein the first observable is included in a first security indicator;

determining, by the processor, whether the number of sightings of the first observable exceeds a predetermined threshold;

prior to receiving a search query, the processor generating a first association between the first security indicator and a first data record in response to a determination that the number of sightings of the first observable exceeds the predetermined threshold, wherein the first data record represents the particular group of users;

after generating the first association, the processor receiving the search query, wherein the search query specifies the first security indicator; and

identifying, by the processor, a set of data records that satisfy the search query using the first association, the set of data records including the first data record.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Examples disclosed herein relate to associations among data records in a security information sharing platform. Some examples may enable creating, in the security information sharing platform that enables sharing of security information among a plurality of users, an association between a first security indicator comprising a first observable and a first data record based on sightings of the first observable by at least one source entity associated with the first data record. Some examples may further enable obtaining a search query that specifies the first security indicator, and identifying a set of data records that satisfy the search query. The set of data records may include the first data record.

30 Citations

View as Search Results

20 Claims

1. A method for creating associations among data records in a security information sharing platform, the method comprising:
- determining, by a processor in a security information sharing platform that enables sharing of security information among a plurality of users, a number of sightings of a first observable by members of a particular group of users, wherein the first observable is included in a first security indicator;
  
  determining, by the processor, whether the number of sightings of the first observable exceeds a predetermined threshold;
  
  prior to receiving a search query, the processor generating a first association between the first security indicator and a first data record in response to a determination that the number of sightings of the first observable exceeds the predetermined threshold, wherein the first data record represents the particular group of users;
  
  after generating the first association, the processor receiving the search query, wherein the search query specifies the first security indicator; and
  
  identifying, by the processor, a set of data records that satisfy the search query using the first association, the set of data records including the first data record.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the first observable is a particular Internet Protocol (IP) address.
  - 3. The method of claim 1, further comprising:
    - identifying a threat actor for the first security indicator from a threat intelligence feed; and
      
      creating, by the processor in the security information sharing platform, a second association between the first security indicator and a second data record that represents the threat actor.
  - 4. The method of claim 1, further comprising:
    - creating, by the processor in the security information sharing platform, a second association between the first security indicator and a second data record based on Domain Name Service (DNS) data, wherein the second data record represents a domain name.
  - 5. The method of claim 4, further comprising:
    - providing the set of data records in response to the search query, wherein the set of data records also includes the second data record.
  - 6. The method of claim 1, wherein the first observable is a particular email address.
  - 7. The method of claim 1, wherein the first observable is a particular software file hash.

8. A non-transitory machine-readable storage medium comprising instructions executable by a processor of a computing device for creating associations among data records in a security information sharing platform, the machine-readable storage medium comprising:
- instructions to determine a number of sightings of a first observable by members of a particular group of users, wherein the first observable is included in a first security indicator;
  
  instructions to determine whether the number of sightings of the first observable exceeds a predetermined threshold;
  
  instructions to create, prior to receiving a search query, a first association between the first security indicator comprising the first observable and a first data record in response to a determination that the number of sightings of the first observable exceeds the predetermined threshold, wherein the first data record represents the particular group of users;
  
  instructions to, after creating the first association, receive the search query, wherein the search query specifies the first security indicator; and
  
  instructions to, in response to the search query, provide the first data record using the first association.
- View Dependent Claims (9, 10, 11, 18, 19, 20)
- - 9. The non-transitory machine-readable storage medium of claim 8, wherein the first observable is a particular Internet Protocol (IP) address.
  - 10. The non-transitory machine-readable storage medium of claim 8, further comprising:
    - instructions to create a visual representation of the first security indicator as a first node, the first data record as a second node, and the first association between the first security indicator and the first data record as an edge between the first and second nodes.
  - 11. The non-transitory machine-readable storage medium of claim 8, wherein the first observable is a particular email address.
  - 18. The non-transitory machine-readable storage medium of claim 8, wherein the first observable is a particular software file hash.
  - 19. The non-transitory machine-readable storage medium of claim 8, further comprising:
    - instructions to identify a threat actor for the first security indicator from a threat intelligence feed; and
      
      instructions to generate a second association between the first security indicator and a second data record that represents the threat actor.
  - 20. The non-transitory machine-readable storage medium of claim 8, further comprising:
    - instructions to generate a second association between the first security indicator and a second data record based on Domain Name Service (DNS) data, wherein the second data record represents a domain name.

12. A system for creating associations among data records in a security information sharing platform comprising:
- a processor to;
  
  determine, in a security information sharing platform that enables sharing of security information among a plurality of users, a number of sightings of a first observable by members of a particular group of users, wherein the first observable is included in a security indicator;
  
  prior to receiving a search query, in response to a determination that the number of sightings of the first observable exceeds a predetermined threshold, generate a first association between the security indicator comprising the first observable and a first data record, wherein the first data record represents the particular group of users;
  
  after generating the first association, receive the search query, wherein the search query specifies the security indicator;
  
  identify a set of data records that satisfy the search query, the set of data records including the first data record; and
  
  provide a visual representation of associations between the security indicator and the set of data records.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The system of claim 12, wherein the first observable is a particular Internet Protocol (IP) address.
  - 14. The system of claim 12, wherein the first observable is a particular email address.
  - 15. The system of claim 12, wherein the first observable is a particular software file hash.
  - 16. The system of claim 12, the processor to:
    - identify a threat actor for the security indicator from a threat intelligence feed; and
      
      generate a second association between the security indicator and a second data record that represents the threat actor.
  - 17. The system of claim 12, the processor to:
    - generate a second association between the security indicator and a second data record based on Domain Name Service (DNS) data, wherein the second data record represents a domain name.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Micro Focus LLC (Open Text Corporation)
Inventors
Sander, Tomas, Cohen, Nadav, Hein, Brian Frederik Hosea Che, Ross, Ted
Primary Examiner(s)
Jhaveri, Jayesh M

Application Number

US15/760,983
Publication Number

US 20180255104A1
Time in Patent Office

1,803 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6227   where protection concerns t...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

H04L 67/1097   for distributed storage of ...

Associations among data records in a security information sharing platform

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Associations among data records in a security information sharing platform

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links