Techniques for sharing network security event information

US9680846B2 · US · B2

Patent metadata
Publication number: US-9680846-B2
Application number: US-201514819443-A
Country: US
Kind code: B2
Filing date: Aug 6, 2015
Priority date: Feb 1, 2012
Publication date: Jun 13, 2017
Grant date: Jun 13, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

This disclosure provides an architecture for sharing information between network security administrators. Events converted to a normalized data format (CCF) are stored in a manner that can be queried by a third party (e.g., an administrator of another, trusted network). Optionally made available as a service, stored event records can be sanitized for third party queries (e.g., by clients of a service maintaining such a repository). In one embodiment, each contributing network encrypts or signs its (sanitized) records using a symmetric key architecture, the key being unique to the contributing network. This key is used (e.g., by the repository) to index a set of permissions or conditions of the contributing network in servicing any query, e.g., by matching a stored hash of the event record or by decrypting the record. The information sharing service can optionally be provided by a hosted information security service or on a peer-to-peer basis.

First claim

Opening claim text (preview).

I claim:

1. An apparatus comprising: at least one computer; a database representing groups, the database identifying respective clients that are members of each group; instructions stored on a non-transitory, machine-readable media that when executed cause the at least one computer to: receive data from a network of a first client via a wide area network, the data received from the network including an operand and a first hash, process the operand iteratively using different cryptographic keys to produce respective second hashes; identify a match between one of the second hashes and the first hash; identify one of the groups based at least on the match identified between the one of the second hashes and the first hash; identify a second client that is a member of the identified group; query security event data associated with a network of the second client that is a member of the identified group, to detect a correlation with the data from the network of the first client; responsive to results of the query, identify a threat level associated with the data from the network of the first client; and report the identified threat level to the first client via the wide area network.

2. The apparatus of claim 1, wherein: the database stores the security event data associated with the network of the second client that is a member of the identified group; the instructions when executed, cause the at least one computer to update the security event data responsive to data submitted by the respective clients that are members of the identified group; and the query is performed based in part on the security event data stored in the database.

3. The apparatus of claim 1, wherein: the instructions, when executed, cause the at least one computer to direct the query to a predetermined network destination respective to each client that is a member of the identified group, and to update the security event data responsive to the data submitted by the respective clients that are members of the identified group in response to the query.

4. The apparatus of claim 3, wherein the instructions when executed, cause the at least one computer to assess a threat level represented by the data from the network of a first client against a threshold, and provided that the threat level meets the threshold, to responsively query the predetermined network destination respective to each client that is a member of the identified group.

5. The apparatus of claim 1, wherein the instructions when executed cause the at least one computer to update the threat level in dependence on at least one of the data received from the network of the first client or the results of the query.

6. The apparatus of claim 1, wherein: the first client is a member of the identified group; the database stores the cryptographic keys in association with the groups; and the instructions when executed, cause the at least one computer to query security event data associated with a network of each other client that is a member of the identified group and to identify the threat level in dependence thereon.

7. The apparatus of claim 1, wherein the instructions when executed, cause the at least one computer to provide a user interface respective to each of the clients, the user interface to permit a network administrator for the respective client to update group membership of the respective client, and to responsively update the database to reflect the updated group membership.

8. The apparatus of claim 1, wherein the instructions when executed, cause the at least one computer to send a preconfigured remedial measure to the network of the first client in response to the detected correlation with the security event data, the preconfigured remedial measure to directly implement one or more network rules on a computer in order to impede a network threat represented by the data received from the network of the first client.

9. The apparatus of claim 1, wherein the data received from the network of the first client is in the form of a query received from the network of the first client, and wherein the instructions when executed are to cause the at least one computer to report the updated threat level as part of a response to the query received from the network of the first client.

10. A method of processing security event data from a first client network, the method comprising causing at least one computer to: maintain a database representing groups, the database identifying respective clients that are members of each group; receive data from a network of a first client via a wide area network, the data received from the network of the first client including an operand and a first hash; process the operand iteratively using different cryptographic keys to produce respective second hashes; identify a match between one of the second hashes and the first hash; identify one of the groups based at least on the match identified between the one of the second hashes and first hash, and identify a second client that is a member of the identified group; query security event data associated with a network of the second client that is a member of the identified group, to detect a correlation with the data from the network of the first client; responsive to results of the query, identify a threat level associated with the data from the network of the first client; and report the identified threat level to the first client via the wide area network.

11. The method of claim 10, wherein: the database stores the security event data associated with the network of the second client that is a member of the identified group; and the method further comprises causing the at least one computer to update the security event data responsive to data submitted by the respective clients that are members of the identified group, and performing the query based in part on the security event data stored in the database.

12. The method of claim 10, wherein the method further comprises causing the at least one computer to direct the query to a predetermined network destination respective to each client that is a member of the identified group, and to update the security event data responsive to the data submitted by the respective clients that are members of the identified group in response to the query.

13. The method of claim 12, wherein the method further comprises causing the at least one computer to assess a threat level represented by the data from the network of a first client against a threshold and, provided that the threat level meets the threshold, to responsively query the predetermined network destination respective to each client that is a member of the identified group.

14. The method of claim 10, wherein: the first client is a member of the identified group; the database stores the cryptographic keys in association with the groups; and the method further comprises causing the at least one computer to query security event data associated with a network of each other client that is a member of the identified group and identify the threat level in dependence thereon.

15. The method of claim 10, wherein the method further comprises causing the at least one computer to provide a user interface respective to each of the clients, the user interface to permit a network administrator for the respective client to update group membership of the respective client, and to responsively update the database to reflect the updated group membership.

16. The method of claim 10, wherein the method further comprises causing the at least one computer
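As an added example (not code from the patent or its assignee), a small Python model of the claim 1 flow on the repository side: each group's symmetric key is tried against the submitted operand, the key whose keyed hash reproduces the first hash identifies the group, and the other members' sanitized event records are queried for the same indicator to derive a threat level that is reported back. Group names, keys, event records, the requester-membership check and the scoring rule are constructed assumptions; HMAC-SHA256 stands in for the keyed hash the claim leaves unspecified.

```python
import hashlib
import hmac
# Constructed repository state (hypothetical, not from the patent): one symmetric
# key per group, shared with that group's member client networks.
GROUP_KEYS = {"finance-isac": b"constructed-key-finance",
              "healthcare-isac": b"constructed-key-health"}
GROUP_MEMBERS = {"finance-isac": ["bank-a", "bank-b", "bank-c"],
                 "healthcare-isac": ["hospital-x", "clinic-y"]}
# Sanitized, CCF-style event records per client network (constructed sample data).
EVENTS = {
    "bank-b": [{"indicator": "203.0.113.7", "kind": "ssh-bruteforce", "count": 40}],
    "bank-c": [{"indicator": "203.0.113.7", "kind": "port-scan", "count": 3}],
    "hospital-x": [{"indicator": "203.0.113.7", "kind": "port-scan", "count": 9}],
}

def client_hash(group_key, operand):
    """What a contributing network computes before submitting (operand, hash)."""
    return hmac.new(group_key, operand.encode(), hashlib.sha256).hexdigest()

def identify_group(operand, first_hash):
    """Try each group's key in turn; the key whose HMAC matches names the group."""
    for group, key in GROUP_KEYS.items():
        if hmac.compare_digest(client_hash(key, operand), first_hash):
            return group
    return None

def correlate(group, requester, operand):
    """Query the other members' records for the same indicator."""
    hits = []
    for member in GROUP_MEMBERS[group]:
        if member != requester:
            hits += [dict(rec, client=member) for rec in EVENTS.get(member, [])
                     if rec["indicator"] == operand]
    return hits

def threat_level(hits):
    """Constructed scoring rule: independent reporters and volume raise the level."""
    if not hits:
        return "low"
    reporters = {h["client"] for h in hits}
    total = sum(h["count"] for h in hits)
    return "high" if len(reporters) >= 2 and total >= 20 else "medium"

def handle_query(requester, operand, first_hash):
    """Repository side of claim 1: key match -> group -> peer query -> threat level."""
    group = identify_group(operand, first_hash)
    # A hash under some group's key counts only if the requester belongs to that group.
    if group is None or requester not in GROUP_MEMBERS[group]:
        return {"group": None, "hits": 0, "threat_level": "unknown"}
    hits = correlate(group, requester, operand)
    return {"group": group, "hits": len(hits), "threat_level": threat_level(hits)}
```

The membership check on the requester is a defensive addition beyond the claim text: without it, possession of a group key alone would be enough to pull correlations across that group's members.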

Assignees

Servicenow Inc

Inventors

Classifications

  • in which an application is distributed across nodes in the network (software deployment G06F8/60; multiprogramming arrangements G06F9/46) · CPC title

  • G06F21/552 (Primary): involving long-term monitoring or reporting · CPC title

  • Indexing; Web crawling techniques · CPC title

  • using context · CPC title

  • Grouping of entities · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9680846B2 cover?
This disclosure provides an architecture for sharing information between network security administrators. Events converted to a normalized data format (CCF) are stored in a manner that can be queried by a third party (e.g., an administrator of another, trusted network). Optionally made available as a service, stored event records can be sanitized for third party queries (e.g., by clients of a s…
Who is the assignee on this patent?
Servicenow Inc
What technology area does this patent fall under?
Primary CPC classification G06F21/552. Mapped technology areas include Physics.
When was this patent published?
Publication date Jun 13, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).