Cyber security sharing and identification system

US 9,923,925 B2
Filed: 04/10/2015
Issued: 03/20/2018
Est. Priority Date: 02/20/2014
Status: Active Grant

First Claim

Patent Images

1. A system for sharing security information, the system comprising:

a plurality of entities, wherein each entity of the plurality of entities comprises a network of computing devices; and

one or more computing devices programmed, via executable code instructions, to;

share a first plurality of security attack data, the first plurality of security attack data comprising information regarding one or more first security attacks;

receive a ruleset from a first entity of the plurality of entities, the ruleset comprising instructions selectably applicable by an entity of the plurality of entities to detect one or more security attacks, wherein the ruleset is generated by the first entity, and wherein the ruleset is associated with the first plurality of security attack data; and

apply the ruleset at a second entity of the plurality of entities to identify malicious behavior of a potential or actual security attack, wherein applying the ruleset comprises;

identifying a plurality of network communications associated with a network of computing devices of the second entity, wherein the plurality of network communications are from the network of computing devices of the second entity to an external computing device;

identifying an elapsed time between at least two communications of the plurality of network communications; and

determining that the elapsed time is within a predetermined time interval, wherein said determination indicates beaconing behavior.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and techniques for sharing security data are described herein. Security rules and/or attack data may be automatically shared, investigated, enabled, and/or used by entities. A security rule may be enabled on different entities comprising different computing systems to combat similar security threats and/or attacks. Security rules and/or attack data may be modified to redact sensitive information and/or configured through access controls for sharing.

636 Citations

20 Claims

1. A system for sharing security information, the system comprising:
- a plurality of entities, wherein each entity of the plurality of entities comprises a network of computing devices; and
  
  one or more computing devices programmed, via executable code instructions, to;
  
  share a first plurality of security attack data, the first plurality of security attack data comprising information regarding one or more first security attacks;
  
  receive a ruleset from a first entity of the plurality of entities, the ruleset comprising instructions selectably applicable by an entity of the plurality of entities to detect one or more security attacks, wherein the ruleset is generated by the first entity, and wherein the ruleset is associated with the first plurality of security attack data; and
  
  apply the ruleset at a second entity of the plurality of entities to identify malicious behavior of a potential or actual security attack, wherein applying the ruleset comprises;
  
  identifying a plurality of network communications associated with a network of computing devices of the second entity, wherein the plurality of network communications are from the network of computing devices of the second entity to an external computing device;
  
  identifying an elapsed time between at least two communications of the plurality of network communications; and
  
  determining that the elapsed time is within a predetermined time interval, wherein said determination indicates beaconing behavior.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the ruleset accesses one or more data objects associated with the second entity, the one or more data objects comprising the plurality of network communications.
  - 3. The system of claim 1, wherein the one or more computing devices is further programmed, via executable code instructions, to:
    - provide an alert indicating the potential or actual security attack.
  - 4. The system of claim 3, wherein the one or more computing devices is further programmed, via executable code instructions, to:
    - identify a computing device from the network of computing devices of the second entity, wherein the computing device is the source of at least one communication from the plurality of network communications;
      
      identify potentially malicious code on the computing device, wherein the potentially malicious code sent the at least one communication; and
      
      at least one of;
      
      removing or quarantining the potentially malicious code.
  - 5. The system of claim 1, wherein application of the ruleset at the second entity further comprises identifying an external IP address associated with the potential or actual security attack.
  - 6. The system of claim 5, wherein the one or more computing devices is further programmed, via executable code instructions, to:
    - block one or more communications from the external IP address to a computing device of the second entity.
  - 7. The system of claim 1, wherein the one or more computing devices is further programmed, via executable code instructions, to:
    - access second security attack data associated with a second potential or actual security attack directed at the second entity;
      
      access redaction rules of the second entity, wherein the redaction rules are associated with at least one of;
      
      internal IP addresses, hostnames, or other identifying information of a network of computing devices of the second entity;
      
      generate modified security attack data from the second security attack data by removing any matching internal IP addresses, hostnames, or other identifying information as indicated by the redaction rules; and
      
      share the modified security attack data with a third entity.

8. Non-transitory computer storage comprising instructions for causing one or more computing devices to perform operations comprising:
- sharing a first plurality of security attack data, the first plurality of security attack data comprising information regarding one or more first security attacks;
  
  receiving a ruleset from a first entity of a plurality of entities, the ruleset comprising instructions selectably applicable by an entity of the plurality of entities to detect one or more security attacks, wherein the ruleset is generated by the first entity, and wherein the ruleset is associated with the first plurality of security attack data, and wherein each entity of the plurality of entities comprises a network of computing devices; and
  
  applying the ruleset at a second entity of the plurality of entities to identify malicious behavior of a potential or actual security attack, wherein applying the ruleset comprises;
  
  identifying a plurality of network communications associated with a network of computing devices of the second entity, wherein the plurality of network communications are from the network of computing devices of the second entity to an external computing device;
  
  identifying an elapsed time between at least two communications of the plurality of network communications; and
  
  determining that the elapsed time is within a predetermined time interval, wherein said determination indicates beaconing behavior.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The non-transitory computer storage of claim 8, wherein the ruleset accesses one or more data objects associated with the second entity, the one or more data objects comprising the plurality of network communications.
  - 10. The non-transitory computer storage of claim 8, wherein the operations further comprise:
    - providing an alert indicating the potential or actual security attack.
  - 11. The non-transitory computer storage of claim 10, wherein the operations further comprise:
    - accessing second security attack data associated with a second potential or actual security attack directed at the second entity;
      
      accessing redaction rules of the second entity, wherein the redaction rules are associated with at least one of;
      
      internal IP addresses, hostnames, or other identifying information of a network of computing devices of the second entity;
      
      generating modified security attack data from the second security attack data by removing any matching internal IP addresses, hostnames, or other identifying information as indicated by the redaction rules; and
      
      sharing the modified security attack data with a third entity.
  - 12. The non-transitory computer storage of claim 8, wherein applying the ruleset at the second entity further comprises identifying an external IP address associated with the potential or actual security attack.
  - 13. The non-transitory computer storage of claim 12, wherein the operations further comprise:
    - blocking one or more communications from the external IP address to a computing device of the second entity.

14. A computer implemented method comprising:
- receiving a ruleset at a second entity of a plurality of entities, wherein the ruleset comprises instructions selectably applicable by an entity of the plurality of entities to detect one or more security attacks, wherein the ruleset was generated by a first entity of the plurality of entities, wherein the ruleset is associated with a first plurality of security attack data, and wherein each entity of the plurality of entities comprises a network of computing devices; and
  
  applying the ruleset at the second entity to identify a potential or actual security attack at the second entity, wherein applying the ruleset comprises;
  
  identifying a plurality of network communications associated with a network of computing devices of the second entity, wherein the plurality of network communications are from the network of computing devices of the second entity to an external computing device;
  
  identifying an elapsed time between at least two communications of the plurality of network communications; and
  
  determining that the elapsed time is within a predetermined time interval, wherein said determination indicates beaconing behavior.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer implemented method of claim 14, further comprising:
    - providing an alert indicating the potential or actual security attack.
  - 16. The computer implemented method of claim 14, wherein applying the ruleset at the second entity further comprises identifying an external IP address associated with the potential or actual security attack.
  - 17. The computer implemented method of claim 16, further comprising blocking one or more communications from the external IP address to a computing device of the second entity.
  - 18. The computer implemented method of claim 16, wherein the external IP address is associated with the external computing device.
  - 19. The computer implemented method of claim 18, further comprising:
    - identifying a computing device from the network of computing devices of the second entity, wherein the computing device is the source of at least one communication from the plurality of network communications;
      
      identifying potentially malicious code on the computing device, wherein the potentially malicious code sent the at least one communication; and
      
      at least one of;
      
      removing or quarantining the potentially malicious code.
  - 20. The computer implemented method of claim 14, further comprising:
    - accessing second security attack data associated with a second potential or actual security attack directed at the second entity;
      
      accessing redaction rules of the second entity, wherein the redaction rules are associated with at least one of;
      
      internal IP addresses, hostnames, or other identifying information of a network of computing devices of the second entity;
      
      generating modified security attack data from the second security attack data by removing any matching internal IP addresses, hostnames, or other identifying information as indicated by the redaction rules; and
      
      sharing the modified security attack data with a third entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palantir Technologies Incorporated
Original Assignee
Palantir Technologies Incorporated
Inventors
Albertson, Jacob, Hildebrandt, Melody, Singh, Harkirat, Sankar, Shyam, Ducott, Rick, Maag, Peter, Kimball, Marissa
Primary Examiner(s)
GOODCHILD, WILLIAM J

Application Number

US14/684,231
Publication Number

US 20170134425A1
Time in Patent Office

1,075 Days
Field of Search

726 1
US Class Current
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/55   Detecting local intrusion o...

H04L 63/14   for detecting or protecting...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Cyber security sharing and identification system

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

636 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Cyber security sharing and identification system

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

636 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links