Connected security system

US2019089727A1 · US · A1

Patent metadata
Publication number: US-2019089727-A1
Application number: US-201816191844-A
Country: US
Kind code: A1
Filing date: Nov 15, 2018
Priority date: Dec 9, 2015
Publication date: Mar 21, 2019
Grant date: (none listed; A1 is a pre-grant application publication)

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Systems, methods, and apparatus, including computer programs encoded on computer storage media, for obtaining, processing, and presenting data related to security events, and for implementing courses of action to protect assets in response to the security events. An event management module identifies malicious activity present on a first network domain and/or a second network domain based on received network domain activity. A threat intelligence module receives data identifying the malicious activity in first data constructs of a predefined data structure. The threat intelligence module obtains additional data related to the identified malicious activity and generates second data constructs that include enriched data regarding the malicious activity. The enriched data includes data describing a campaign in which at least a portion of the malicious activity is involved and one or more courses of action. A course of action module receives the second data constructs and implements a given course of action.

First claim

Opening claim text (preview).

What is claimed is:

1. A computer-implemented method comprising: receiving, for an organization, first domain activity data from a first network domain and second domain activity data from a second network domain, the first domain activity data and the second domain activity data including events, alerts, or both from the respective first and second network domains; determining, based on the first domain activity data and the second domain activity data of the first data construct, one or more anomalous correlated event paths through which security events have progressed through at least one of the first network domain or the second network domain, each anomalous correlated event path including one or more assets of the organization; generating one or more first data constructs that include at least one of (i) the first domain activity data, (ii) the second domain activity data, or (iii) data describing the one or more anomalous correlated event paths; receiving external threat data including events, alerts, or both for one or more organizations different from the organization; generating a second data construct that includes data from the one or more first data constructs and at least a portion of the external threat data; determining, based on the one or more anomalous correlated event paths and the threat data, a risk associated with each of one or more outcomes for the organization; generating a visualization of the one or more anomalous correlated event paths and each risk; generating a third data construct that specifies a course of action determined based on at least one of one or more anomalous correlated event paths and each risk; and providing the third data construct to a course of action module that implements the course of action, wherein the first data construct, the second data construct, and the third data construct have a common data structure.

2. The method of claim 1, wherein the first network domain is an information technology domain and the second network domain is an operational technology domain.

3. The method of claim 1, wherein the visualization includes a Sankey diagram that illustrates a plurality of paths between particular threats and the one or more outcomes.

4. The method of claim 3, wherein the path between each particular threat and the one or more outcomes includes at least one asset and at least one business process of the organization.

5. The method of claim 3, wherein each path includes a link between a particular threat and a particular asset, and wherein a width of the link is based on a likelihood of the particular threat affecting the particular asset.

6. The method of claim 1, wherein the visualization presents a number of security events for at least one of the first network domain or the second network domain for a particular period of time.

7. The method of claim 1, wherein the visualization presents a number of security events for each of the one or more assets for a particular period of time.

8. The method of claim 1, wherein the visualization presents an amount of security events that have taken each of the one or more attack paths.

9. A system, comprising: one or more processors; and a computer-readable storage device coupled to the one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations comprising: receiving, for an organization, first domain activity data from a first network domain and second domain activity data from a second network domain, the first domain activity data and the second domain activity data including events, alerts, or both from the respective first and second network domains; determining, based on the first domain activity data and the second domain activity data of the first data construct, one or more anomalous correlated event paths through which security events have progressed through at least one of the first network domain or the second network domain, each anomalous correlated event path including one or more assets of the organization; generating one or more first data constructs that include at least one of (i) the first domain activity data, (ii) the second domain activity data, or (iii) data describing the one or more anomalous correlated event paths; receiving external threat data including events, alerts, or both for one or more organizations different from the organization; generating a second data construct that includes data from the one or more first data constructs and at least a portion of the external threat data; determining, based on the one or more anomalous correlated event paths and the threat data, a risk associated with each of one or more outcomes for the organization; generating a visualization of the one or more anomalous correlated event paths and each risk; generating a third data construct that specifies a course of action determined based on at least one of one or more anomalous correlated event paths and each risk; and providing the third data construct to a course of action module that implements the course of action, wherein the first data construct, the second data construct, and the third data construct have a common data structure.

10. The system of claim 9, wherein the first network domain is an information technology domain and the second network domain is an operational technology domain.

11. The system of claim 9, wherein the visualization includes a Sankey diagram that illustrates a plurality of paths between particular threats and the one or more outcomes.

12. The system of claim 11, wherein the path between each particular threat and the one or more outcomes includes at least one asset and at least one business process of the organization.

13. The system of claim 11, wherein each path includes a link between a particular threat and a particular asset, and wherein a width of the link is based on a likelihood of the particular threat affecting the particular asset.

14. The system of claim 9, wherein the visualization presents a number of security events for at least one of the first network domain or the second network domain for a particular period of time.

15. The system of claim 9, wherein the visualization presents a number of security events for each of the one or more assets for a particular period of time.

16. The system of claim 9, wherein the visualization presents an amount of security events that have taken each of the one or more attack paths.

17. A non-transitory computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations comprising: receiving, for an organization, first domain activity data from a first network domain and second domain activity data from a second network domain, the first domain activity data and the second domain activity data including events, alerts, or both from the respective first and second network domains; determining, based on the first domain activity data and the second domain activity data of the first data construct, one or more anomalous correlated event paths through which security events have progressed through at least one of the first network domain or the second network domain, each anomalous correlated event path including one or more assets of the organization; generating one or more first data constructs that include at least one of (i) the first domain activity da
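The abstract and claim 1 describe a three-stage pipeline: activity from an IT domain and an OT domain is correlated into anomalous event paths over the organization's assets (first data construct); the paths are enriched with threat data from other organizations, a risk is derived for each outcome and the paths are laid out as a Sankey diagram whose link widths follow likelihood (second data construct, claims 3 to 5); and a course of action is emitted in the same data structure for a module to implement (third data construct). The Python below is an added example written for this page, not code from the patent or from Accenture. Every name, field, asset map, score and sample event is an assumption constructed for illustration, and the scoring used here (Jaccard overlap of a path's event types with a known campaign, multiplied by a fixed outcome impact) is one simple choice, not the patent's method.

```python
from dataclasses import dataclass, field


# One structure shared by the first, second and third data constructs
# (claim 1's "common data structure"). Field names are assumptions.
@dataclass
class Construct:
    kind: str                                       # "activity", "enriched", "coa"
    org: str
    events: list = field(default_factory=list)      # raw IT + OT domain activity
    paths: list = field(default_factory=list)       # anomalous correlated event paths
    external: list = field(default_factory=list)    # threat data from other orgs
    likelihood: dict = field(default_factory=dict)  # campaign -> likelihood
    risks: dict = field(default_factory=dict)       # outcome -> risk score
    sankey: list = field(default_factory=list)      # (source, target, width) links
    action: str = ""                                # course of action to implement


# Constructed sample telemetry, not real data: minutes, domain, asset, event type.
EVENTS = [
    dict(t=0,  domain="IT", asset="mail-gw",   type="phish"),
    dict(t=5,  domain="IT", asset="ws-17",     type="macro-exec"),
    dict(t=9,  domain="IT", asset="ws-17",     type="cred-dump"),
    dict(t=20, domain="IT", asset="jump-host", type="lateral-rdp"),
    dict(t=31, domain="OT", asset="plc-3",     type="modbus-write"),
    dict(t=40, domain="IT", asset="ws-02",     type="av-update"),  # benign noise
]
ALERT_TYPES = {"phish", "macro-exec", "cred-dump", "lateral-rdp", "modbus-write"}
# Which asset can reach which (includes the IT/OT crossing jump-host -> plc-3).
ADJ = {"mail-gw": {"ws-17"}, "ws-17": {"jump-host"}, "jump-host": {"plc-3"}}
# Asset -> business process -> outcome, and outcome impact on a 0..1 scale.
PROCESS = {"mail-gw": "email", "ws-17": "engineering",
           "jump-host": "remote-access", "plc-3": "production-line"}
OUTCOME = {"email": "data-theft", "engineering": "data-theft",
           "remote-access": "data-theft", "production-line": "production-outage"}
IMPACT = {"data-theft": 0.6, "production-outage": 0.9}
# Constructed external threat data: campaigns seen at other organizations,
# each with the event types it produces and a suggested course of action.
EXTERNAL = [
    dict(campaign="campaign-A", org="other-corp", coa="isolate-ot-boundary",
         types={"phish", "macro-exec", "cred-dump", "lateral-rdp", "modbus-write"}),
    dict(campaign="campaign-B", org="other-inc", coa="block-sender-and-reimage",
         types={"phish", "macro-exec"}),
]


def correlate(events, adj, window=30):
    """Event management step: chain alerts whose assets are the same or adjacent
    and that occur within `window` minutes of the chain's last alert. Chains
    that cross more than one asset are the anomalous correlated event paths."""
    alerts = sorted((e for e in events if e["type"] in ALERT_TYPES), key=lambda e: e["t"])
    chains = []
    for a in alerts:
        for chain in chains:
            last = chain[-1]
            reachable = a["asset"] == last["asset"] or a["asset"] in adj.get(last["asset"], ())
            if reachable and a["t"] - last["t"] <= window:
                chain.append(a)
                break
        else:
            chains.append([a])
    return [c for c in chains if len({e["asset"] for e in c}) > 1]


def enrich(first, external):
    """Threat intelligence step: merge external data, score each campaign by the
    Jaccard overlap of its event types with the path's, then derive per-outcome
    risk = max(likelihood * impact) over the assets on the path, plus Sankey
    links threat -> asset -> process -> outcome whose width is that likelihood."""
    second = Construct("enriched", first.org, first.events, first.paths, external)
    links = {}
    for path in first.paths:
        seen = {e["type"] for e in path}
        for camp in external:
            lik = len(seen & camp["types"]) / len(seen | camp["types"])
            name = camp["campaign"]
            second.likelihood[name] = max(second.likelihood.get(name, 0), lik)
            for asset in {e["asset"] for e in path}:
                proc, out = PROCESS[asset], OUTCOME[PROCESS[asset]]
                second.risks[out] = max(second.risks.get(out, 0), lik * IMPACT[out])
                for edge in ((name, asset), (asset, proc), (proc, out)):
                    links[edge] = max(links.get(edge, 0), lik)
    second.sankey = sorted((s, t, w) for (s, t), w in links.items())
    return second


def decide(second):
    """Course of action step: take the best-matching campaign's suggested action
    and hand it over in the same data structure as the earlier constructs."""
    top = max(second.likelihood, key=second.likelihood.get)
    coa = next(c["coa"] for c in second.external if c["campaign"] == top)
    return Construct("coa", second.org, paths=second.paths, risks=second.risks, action=coa)


def run(events=EVENTS, external=EXTERNAL, org="acme"):
    first = Construct("activity", org, events=events)
    first.paths = correlate(events, ADJ)
    second = enrich(first, external)
    return first, second, decide(second)


if __name__ == "__main__":
    _, second, third = run()
    print("risks:", second.risks)
    print("course of action:", third.action)
```

On the constructed input the correlator produces one path that starts at the mail gateway and ends on the PLC, so it crosses the IT/OT boundary that claim 2 singles out; the benign "av-update" on an unrelated workstation is left out because it is neither an alert type nor adjacent in time and topology. The `sankey` list is the data a plotting library would consume, with each link's width equal to the campaign likelihood as claim 5 describes, and the third construct carries the chosen course of action in the same `Construct` type as the first two.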

Assignees

Accenture Global Solutions Ltd

Inventors

Classifications

  • Traffic logging, e.g. anomaly detection · CPC title

  • Vulnerability analysis · CPC title

  • Filtering policies (mail message filtering H04L51/212) · CPC title

  • involving event detection and direct action · CPC title

  • Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2019089727A1 cover?
Systems, methods, and apparatus, including computer programs encoded on computer storage media, for obtaining, processing, and presenting data related to security events, and for implementing courses of action to protect assets in response to the security events. An event management module identifies malicious activity present on a first network domain and/or a second network domain based on re…
Who is the assignee on this patent?
Accenture Global Solutions Ltd
What technology area does this patent fall under?
Primary CPC classification H04L63/1425. Mapped technology areas include Electricity (CPC section H).
When was this patent published?
Publication date Mar 21, 2019 (kind code A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).