Cyber security sharing and identification system

US 10,873,603 B2
Filed: 03/16/2018
Issued: 12/22/2020
Est. Priority Date: 02/20/2014
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method comprising:

by a computer system comprising one or more computer hardware processors and one or more storage devices,communicating with a plurality of entities;

receiving security attack data from a first entity of the plurality of entities, the security attack data comprising information regarding one or more first security attacks;

identifying, based on sharing rules associated with the first entity, one or more recipient entity of a subset of the plurality of entities that are authorized to access a ruleset from the first entity; and

facilitating sharing of the ruleset from the first entity to the one or more recipient entity,wherein the ruleset (i) is determined by the first entity, and (ii) is associated with the security attack data,wherein the ruleset comprises instructions selectably applicable by the one or more recipient entity to detect a potential security attack,wherein the instructions are configured to;

in response to detecting the potential security attack, add data associated with the potential security attack to a cluster as a seed, wherein the cluster comprises a plurality of connected objects and a representation of the cluster is displayable in a user interface.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and techniques for sharing security data are described herein. Security rules and/or attack data may be automatically shared, investigated, enabled, and/or used by entities. A security rule may be enabled on different entities comprising different computing systems to combat similar security threats and/or attacks. Security rules and/or attack data may be modified to redact sensitive information and/or configured through access controls for sharing.

675 Citations

16 Claims

1. A computer implemented method comprising:
- by a computer system comprising one or more computer hardware processors and one or more storage devices,communicating with a plurality of entities;
  
  receiving security attack data from a first entity of the plurality of entities, the security attack data comprising information regarding one or more first security attacks;
  
  identifying, based on sharing rules associated with the first entity, one or more recipient entity of a subset of the plurality of entities that are authorized to access a ruleset from the first entity; and
  
  facilitating sharing of the ruleset from the first entity to the one or more recipient entity,wherein the ruleset (i) is determined by the first entity, and (ii) is associated with the security attack data,wherein the ruleset comprises instructions selectably applicable by the one or more recipient entity to detect a potential security attack,wherein the instructions are configured to;
  
  in response to detecting the potential security attack, add data associated with the potential security attack to a cluster as a seed, wherein the cluster comprises a plurality of connected objects and a representation of the cluster is displayable in a user interface.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer implemented method of claim 1, wherein the sharing rules associated with the first entity further exclude sharing ruleset data from the first entity to particular one or more entities.
  - 3. The computer implemented method of claim 1, wherein the ruleset further comprises second instructions configured to:
    - access one or more data objects associated with the one or more recipient entity, the one or more data objects comprising a plurality of network communications.
  - 4. The computer implemented method of claim 3, wherein the one or more data objects further comprise a first user login object and a second user login object, the first user login object comprising data indicating a first login for a particular user at a first time and a first location, the second user login object comprising data indicating a second login for the particular user at a second time and a second location, and wherein the ruleset further comprises third instructions configured to:
    - calculate, from first user login object and the second user login object, a duration of time between the first time for the first login and the second time for the second login;
      
      calculate, from first user login object and the second user login object, a distance between the first location for the first login and the second location for the second login;
      
      calculate a speed from the duration of time and the distance; and
      
      determine the potential security attack where the speed is greater than a threshold value.
  - 5. The computer implemented method of claim 4, wherein the ruleset further comprises fourth instructions configured to:
    - in response to determining the potential security attack, generate an alert.

6. Non-transitory computer storage medium comprising instructions for causing one or more computing devices to perform operations comprising:
- communicating with a plurality of entities;
  
  receiving security attack data from a first entity of the plurality of entities, the security attack data comprising information regarding one or more first security attacks;
  
  identifying, based on sharing rules associated with the first entity, one or more recipient entity of a subset of the plurality of entities that are authorized to access a ruleset from the first entity; and
  
  transmitting at least a portion of a ruleset from the first entity to the one or more recipient entity,wherein the ruleset (i) is determined by the first entity, and (ii) is associated with the security attack data,wherein the ruleset comprises instructions selectably applicable by the one or more recipient entity to detect a potential security attack,wherein the instructions are configured to;
  
  in response to detecting the potential security attack, add data associated with the potential security attack to a cluster as a seed, wherein the cluster comprises a plurality of connected objects and a representation of the cluster is displayable in a user interface.
- View Dependent Claims (7, 8, 9)
- - 7. The non-transitory computer storage medium of claim 6, wherein the sharing rules associated with the first entity further exclude sharing ruleset data from the first entity to particular one or more entities.
  - 8. The non-transitory computer storage medium of claim 6, wherein the ruleset further comprises second instructions configured to:
    - access one or more data objects associated with the one or more recipient entity, the one or more data objects comprising a plurality of network communications.
  - 9. The non-transitory computer storage medium of claim 6, wherein the ruleset further comprises second instructions configured to:
    - receive a user agent identifier for a first login;
      
      perform, at the one or more recipient entity, a search for the user agent identifier, wherein performing the search further comprises;
      
      determining that the user agent identifier is a new user agent identifier; and
      
      in response to determining that the user agent identifier is a new user agent identifier, generate an alert.

10. A system for sharing security information, the system comprising:
- one or more computer processors executing code instructions, to;
  
  communicate with a plurality of entities;
  
  receive security attack data from a first entity of the plurality of entities, the security attack data comprising information regarding one or more first security attacks;
  
  identify, based on sharing rules associated with the first entity, one or more recipient entity of a subset of the plurality of entities that are authorized to access ruleset data from the first entity; and
  
  facilitate sharing of at least a portion of a ruleset from the first entity to the one or more recipient entity,wherein the ruleset (i) is determined by the first entity, and (ii) is associated with the security attack data,wherein the ruleset comprises instructions selectably applicable by the one or more recipient entity to detect a potential security attack,wherein the instructions are configured to;
  
  in response to detecting the potential security attack, add data associated with the potential security attack to a cluster as a seed, wherein the cluster comprises a plurality of connected objects and a representation of the cluster is displayable in a user interface.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The system of claim 10, wherein the ruleset further comprises second instructions configured to:
    - access one or more data objects associated with the one or more recipient entity, the one or more data objects comprising a plurality of network communications.
  - 12. The system of claim 10, wherein the ruleset further comprises second instructions configured to:
    - identify a first login for a particular user at a first time and a first location;
      
      identify a second login for the particular user at a second time and a second location;
      
      calculate a duration of time between the first time for the first login and the second time for the second login;
      
      calculate a distance between the first location for the first login and the second location for the second login;
      
      calculate a speed from the duration of time and the distance; and
      
      determine the potential security attack where the speed is greater than a threshold value.
  - 13. The system of claim 12, wherein the ruleset further comprises third instructions configured to:
    - in response to determining the potential security attack, generate an alert.
  - 14. The system of claim 10, wherein the one or more computer processors execute further code instructions, to:
    - facilitate sharing of at least a portion of a second ruleset from the first entity, the second ruleset comprising second instructions different from the instructions of the ruleset.
  - 15. The system of claim 14, wherein the second instructions are configured to:
    - receive a user agent identifier for a first login;
      
      perform, at the one or more recipient entity, a search for the user agent identifier, wherein performing the search further comprises;
      
      determining that the user agent identifier is a new user agent identifier.
  - 16. The system of claim 10, where the seed comprises at least one of:
    - (i) an IP address or (ii) a user login identifier for the particular user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palantir Technologies Incorporated
Original Assignee
Palantir Technologies Incorporated
Inventors
Albertson, Jacob, Hildebrandt, Melody, Singh, Harkirat, Sankar, Shyam, Ducott, Rick, Maag, Peter, Kimball, Marissa
Primary Examiner(s)
Goodchild, William J.

Application Number

US15/923,949
Publication Number

US 20180337952A1
Time in Patent Office

1,012 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/55   Detecting local intrusion o...

H04L 63/14   for detecting or protecting...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Cyber security sharing and identification system

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

675 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Cyber security sharing and identification system

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

675 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others