System and method for performing threat assessments using situational awareness
Abstract
Systems, methods, and computer program products are provided for performing threat assessments. In one exemplary embodiment, the method may include generating one or more patterns of behavior corresponding to a security breach at a first company, and storing the generated one or more patterns in a pattern repository. In addition, the method may include comparing at least one of the one or more patterns with one or more standardized log files for the first company to identify one or more first log entries related to the behavior corresponding to the security breach. The method may also include processing at least one pattern of the one or more patterns with one or more standardized log files for a second company to identify log entries of the second company that indicate a possible security breach at the second company.
21 Claims
1. A computer-implemented method, performed by at least one processor, for performing threat assessments, comprising:
- identifying, by the at least one processor, a first security breach at a first company;
- determining, by the at least one processor, after identifying the first security breach, one or more first actions associated with the first security breach, the one or more first actions including actions taken following the first security breach and actions taken prior to the first security breach;
- identifying, by the at least one processor, a first possible security breach at the first company;
- determining, by the at least one processor, contemporaneously with the identification of the first possible security breach, one or more second actions associated with the first possible security breach;
- generating, by the at least one processor, one or more patterns of behavior associated with the first company and corresponding to the one or more first actions and the one or more second actions;
- storing, by the at least one processor, the one or more patterns of behavior in a pattern repository;
- comparing, by the at least one processor, at least one of the one or more patterns with one or more standardized log files for the first company to identify one or more first log entries related to the at least one of the one or more patterns of behavior and corresponding to the one or more first actions and the one or more second actions, the one or more first log entries being identified based on a threshold of similarity between the at least one of the one or more patterns of behavior and the one or more standardized log files for the first company;
- notifying, by the at least one processor and based on the one or more identified first log entries, the first company of the first possible security breach at the first company;
- performing, by the at least one processor and the first company and based on the notification, preventative action relating to the first possible security breach;
- receiving, by the at least one processor, feedback from the first company, the feedback including a measure of success relating to the at least one of the one or more patterns of behavior and the one or more identified first log entries;
- updating, by the at least one processor and based on the received feedback, the at least one of the one or more identified patterns of behavior;
- comparing, by the at least one processor, at least one of the updated patterns of behavior with one or more standardized log files for a second company to identify log entries of the second company relating to a second possible security breach at the second company; and
- notifying, by the at least one processor and based on the one or more identified first log entries of the second company, the second company of a second possible security breach at the second company.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A non-transitory computer-readable medium storing a computer-executable program which, when executed by at least one processor, performs a method for performing threat assessments, comprising:
- identifying, by the at least one processor, a first security breach at a first company;
- determining, by the at least one processor, after identifying the first security breach, one or more first actions associated with the first security breach, the one or more first actions including actions taken following the first security breach and actions taken prior to the first security breach;
- identifying, by the at least one processor, a first possible security breach at the first company;
- determining, by the at least one processor, contemporaneously with the identification of the first possible security breach, one or more second actions associated with the first possible security breach;
- generating, by the at least one processor, one or more patterns of behavior associated with the first company and corresponding to the one or more first actions and the one or more second actions;
- storing, by the at least one processor, the one or more patterns of behavior in a pattern repository;
- comparing, by the at least one processor, at least one of the one or more patterns with one or more standardized log files for the first company to identify one or more first log entries related to the at least one of the one or more patterns of behavior and corresponding to the one or more first actions and the one or more second actions, the one or more first log entries being identified based on a threshold of similarity between the at least one of the one or more patterns of behavior and the one or more standardized log files for the first company;
- notifying, by the at least one processor and based on the one or more identified first log entries, the first company of the first possible security breach at the first company;
- performing, by the at least one processor and the first company and based on the notification, preventative action relating to the first possible security breach;
- receiving, by the at least one processor, feedback from the first company, the feedback including a measure of success relating to the at least one of the one or more patterns of behavior and the one or more identified first log entries;
- updating, by the at least one processor and based on the received feedback, the at least one of the one or more identified patterns of behavior;
- comparing, by the at least one processor, at least one of the updated patterns of behavior with one or more standardized log files for a second company to identify log entries of the second company relating to a second possible security breach at the second company; and
- notifying, by the at least one processor and based on the one or more identified first log entries of the second company, the second company of a second possible security breach at the second company.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A system for identifying patterns of actions for performing threat assessments, the system comprising:
- at least one memory to store data and instructions; and
- at least one processor configured to access the at least one memory and, when executing the instructions, to:
  - identify, by the at least one processor, a first security breach at a first company;
  - determine, by the at least one processor, after identifying the first security breach, one or more first actions associated with the first security breach, the one or more first actions including actions taken following the first security breach and actions taken prior to the first security breach;
  - identify, by the at least one processor, a first possible security breach at a first company;
  - determine, by the at least one processor, contemporaneously with the identification of the first possible security breach, one or more second actions associated with the first possible security breach;
  - generate, by the at least one processor, one or more patterns of behavior associated with the first company and corresponding to the one or more first actions and the one or more second actions;
  - store, by the at least one processor, the one or more patterns of behavior in a pattern repository;
  - compare, by the at least one processor, at least one of the one or more patterns with one or more standardized log files for the first company to identify one or more first log entries related to the at least one of the one or more patterns of behavior and corresponding to the one or more first actions and the one or more second actions, the one or more first log entries being identified based on a threshold of similarity between the at least one of the one or more patterns and the one or more standardized log files for the first company;
  - notify, by the at least one processor and based on the one or more identified first log entries, the first company of the first possible security breach at the first company;
  - perform, by the at least one processor and the first company and based on the notification, preventative action relating to the first possible security breach;
  - receive, by the at least one processor, feedback from the first company, the feedback including a measure of success relating to the at least one of the one or more patterns of behavior and the one or more identified first log entries;
  - update, by the at least one processor and based on the received feedback, the at least one of the one or more identified patterns of behavior;
  - compare, by the at least one processor, at least one of the updated patterns with one or more standardized log files for a second company to identify log entries of the second company relating to a second possible security breach at the second company; and
  - notify, by the at least one processor and based on the one or more identified first log entries of the second company, the second company of a second possible security breach at the second company.
Dependent claims: 16, 17, 18, 19, 20, 21.
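The loop the claims describe (store a pattern of breach-related actions in a repository, compare it with a company's standardized log entries under a threshold of similarity, notify, take the company's measure of success as feedback to update the pattern, then re-use the updated pattern against a second company's logs), as an added Python example that is not the patent's or the assignee's code; the log schema, action names, ordered-subsequence similarity and threshold-adjustment rule are assumptions.

```python
from collections import defaultdict

# Constructed sample input (not from the patent): standardized log entries as
# (sequence number, host, normalized action), one list per company.
LOGS_COMPANY_A = [(1, "ws-a1", "failed_login"), (2, "ws-a1", "failed_login"),
                  (3, "ws-a1", "login"), (4, "ws-a1", "privilege_escalation"),
                  (5, "ws-a1", "large_outbound_transfer"), (6, "srv-a", "backup"), (7, "srv-a", "login")]
LOGS_COMPANY_B = [(1, "ws-b7", "login"), (2, "ws-b7", "privilege_escalation"),
                  (3, "ws-b7", "large_outbound_transfer"), (4, "ws-b9", "login"), (5, "ws-b9", "backup")]
# Ordered actions observed before and after the confirmed breach at company A (assumed).
BREACH_ACTIONS = ["failed_login", "login", "privilege_escalation", "large_outbound_transfer"]

def lcs_len(a, b):
    """Longest common subsequence length: order matters, gaps are allowed."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b):
            cur.append(prev[j] + 1 if x == y else max(prev[j + 1], cur[j]))
        prev = cur
    return prev[-1]

class PatternRepository:
    def __init__(self):
        self.patterns = {}  # name -> {"actions": [...], "threshold": float}

    def store(self, name, actions, threshold=0.8):
        self.patterns[name] = {"actions": list(actions), "threshold": threshold}

    def match(self, name, logs):
        """Per host, slide a pattern-sized window over that host's entries; report the best window that reaches the threshold."""
        pat = self.patterns[name]
        width = len(pat["actions"])
        by_host = defaultdict(list)
        for entry in logs:
            by_host[entry[1]].append(entry)
        hits = {}
        for host, entries in by_host.items():
            best = (0.0, [])
            for i in range(max(1, len(entries) - width + 1)):
                window = entries[i:i + width]
                score = lcs_len(pat["actions"], [e[2] for e in window]) / width
                best = max(best, (score, window), key=lambda t: t[0])
            if best[0] >= pat["threshold"]:
                hits[host] = best  # (similarity, matching log entries): the basis for a notification
        return hits

    def feedback(self, name, success):
        """Company's measure of success in [0, 1]: confirmed hits relax the threshold, rejected hits tighten it (assumed rule), clamped to [0.5, 1.0]."""
        pat = self.patterns[name]
        pat["threshold"] = min(1.0, max(0.5, pat["threshold"] + (0.5 - success) * 0.2))
        return pat["threshold"]
```

With these inputs, company A's confirmed hit relaxes the threshold enough that company B's shorter sequence then crosses it; a rejected hit tightens it again.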
Specification