Threat-aware microvisor
US-2015199513-A1 · Jul 16, 2015 · US
Connected security system
US10944772B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10944772-B2 |
| Application number | US-201816191844-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 15, 2018 |
| Priority date | Dec 9, 2015 |
| Publication date | Mar 9, 2021 |
| Grant date | Mar 9, 2021 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Systems, methods, and apparatus, including computer programs encoded on computer storage media, for obtaining, processing, and presenting data related to security events, and for implementing courses of action to protect assets in response to the security events. An event management module identifies malicious activity present on a first network domain and/or a second network domain based on received network domain activity. A threat intelligence module receives data identifying the malicious activity in first data constructs of a predefined data structure. The threat intelligence module obtains additional data related to the identified malicious activity and generates second data constructs that include enriched data regarding the malicious activity. The enriched data includes data describing a campaign in which at least a portion of the malicious activity is involved and one or more courses of action. A course of action module receives the second data constructs and implements a given course of action.
First claim
Opening claim text (preview).
What is claimed is: 1. A computer-implemented method comprising: receiving, for an organization that is associated with a particular industry, first, information technology (IT) domain activity data from a first, IT network domain and second, operational technology (OT) domain activity data from a second, OT network domain, the first IT domain activity data and the second OT domain activity data including events, alerts, or both from the respective first and second network domains; determining, based on the first IT domain activity data and the second OT domain activity data, one or more anomalous correlated event paths through which security events have progressed through at least one of the first IT network domain or the second OT network domain, each anomalous correlated event path including one or more assets of the organization; generating one or more first data constructs that has a particular data structure and that include (i) the first IT domain activity data, (ii) the second OT domain activity data, and (iii) data describing the one or more anomalous correlated event paths; receiving, from an external threat feed to which the organization subscribes to receive threat data that is specific to the particular industry, the external threat data including events, alerts, or both for one or more other organizations that are different from the organization and that are also associated with the particular industry; generating a second data construct that also has the particular data structure and that includes data from the one or more first data constructs and at least a portion of the external threat data that was received through the feed; determining, based on the one or more anomalous correlated event paths and the external threat data, a risk associated with each of one or more outcomes for the organization; generating a visualization of the one or more anomalous correlated event paths and each risk; generating a third data construct that also has the particular data structure and that specifies a course of action determined based on at least one of one or more anomalous correlated event paths and each risk; and providing the third data construct to a course of action module that implements the course of action. 2. The method of claim 1 , wherein the visualization presents a number of security events for at least one of the first IT network domain or the second OT network domain for a particular period of time. 3. The method of claim 1 , wherein the visualization presents a number of security events for each of the one or more assets for a particular period of time. 4. The method of claim 1 , wherein the visualization presents an amount of security events that have taken each of the one or more attack paths. 5. The method of claim 1 , wherein the visualization includes a Sankey diagram that illustrates a plurality of paths between particular threats and the one or more outcomes. 6. The method of claim 5 , wherein the path between each particular threat and the one or more outcomes includes at least one asset and at least one business process of the organization. 7. The method of claim 5 , wherein each path includes a link between a particular threat and a particular asset, and wherein a width of the link is based on a likelihood of the particular threat affecting the particular asset. 8. A system, comprising: one or more processors; and a computer-readable storage device coupled to the one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations comprising: receiving, for an organization that is associated with a particular industry, first, information technology (IT) domain activity data from a first, IT network domain and second, operational technology (OT) domain activity data from a second, OT network domain, the first IT domain activity data and the second OT domain activity data including events, alerts, or both from the respective first and second network domains; determining, based on the first IT domain activity data and the second OT domain activity data, one or more anomalous correlated event paths through which security events have progressed through at least one of the first IT network domain or the second OT network domain, each anomalous correlated event path including one or more assets of the organization; generating one or more first data constructs that has a particular data structure and that include (i) the first IT domain activity data, (ii) the second OT domain activity data, and (iii) data describing the one or more anomalous correlated event paths; receiving, from an external threat feed to which the organization subscribes to receive threat data that is specific to the particular industry, the external threat data including events, alerts, or both for one or more other organizations that are different from the organization and that are also associated with the particular industry; generating a second data construct that also has the particular data structure and that includes data from the one or more first data constructs and at least a portion of the external threat data that was received through the feed; determining, based on the one or more anomalous correlated event paths and the external threat data, a risk associated with each of one or more outcomes for the organization; generating a visualization of the one or more anomalous correlated event paths and each risk; generating a third data construct that also has the particular data structure and that specifies a course of action determined based on at least one of one or more anomalous correlated event paths and each risk; and providing the third data construct to a course of action module that implements the course of action. 9. The system of claim 8 , wherein the visualization presents a number of security events for at least one of the first IT network domain or the second network OT domain for a particular period of time. 10. The system of claim 8 , wherein the visualization presents a number of security events for each of the one or more assets for a particular period of time. 11. The system of claim 8 , wherein the visualization presents an amount of security events that have taken each of the one or more attack paths. 12. The system of claim 8 , wherein the visualization includes a Sankey diagram that illustrates a plurality of paths between particular threats and the one or more outcomes. 13. The system of claim 12 , wherein the path between each particular threat and the one or more outcomes includes at least one asset and at least one business process of the organization. 14. The system of claim 12 , wherein each path includes a link between a particular threat and a particular asset, and wherein a width of the link is based on a likelihood of the particular threat affecting the particular asset. 15. A non-transitory computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations comprising: receiving, for an organization that is associated with a particular industry, first, information technology (IT) domain activity data from a first, IT network domain and second, operational technology (OT) domain activity data from a second, OT network domain, the first IT domain activity data and the second OT domain activity data including events, alerts, or both from the respective first and second network domains; determining, based on the first IT domain activ
Assignees
Inventors
Classifications
involving event detection and direct action · CPC title
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title
Vulnerability analysis · CPC title
Filtering policies (mail message filtering H04L51/212) · CPC title
- H04L63/1425Primary
Traffic logging, e.g. anomaly detection · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US10944772B2 cover?
- Systems, methods, and apparatus, including computer programs encoded on computer storage media, for obtaining, processing, and presenting data related to security events, and for implementing courses of action to protect assets in response to the security events. An event management module identifies malicious activity present on a first network domain and/or a second network domain based on re…
- Who is the assignee on this patent?
- Accenture Global Solutions Ltd
- What technology area does this patent fall under?
- Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue Mar 09 2021 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).