Techniques for sharing network security event information

US9710644B2 · US · B2

Patent metadata
Publication number: US-9710644-B2
Application number: US-201514615202-A
Country: US
Kind code: B2
Filing date: Feb 5, 2015
Priority date: Feb 1, 2012
Publication date: Jul 18, 2017
Grant date: Jul 18, 2017

Abstract

Official abstract text for this publication.

This disclosure provides techniques for pooling and searching network security events reported by multiple sources. As information representing a security event is received from one source, it is searched against a central or distributed database representing events reported from multiple, diverse sources (e.g., different client networks). Either the search or the correlated results can be filtered and/or routed according to at least one characteristic associated with the networks, for example, to limit correlation to events reported by what are presumed to be similarly situated networks. The disclosed techniques facilitate faster identification of high-relevancy security event information, and thereby help facilitate faster threat identification and mitigation. Various techniques can be implemented as standalone software (e.g., for use by a private network) or for a central pooling and/or query service. This disclosure also provides different examples of actions that can be taken in response to search results.

First claim

Opening claim text (preview).

We claim:

1. An apparatus comprising instructions stored on non-transitory, computer-readable media, the instructions when executed to cause at least one computer to: receive information representing a possible threat to a first network; receive information representing a profile associated with the first network; access a stored database having records of possible threats to multiple, diverse networks; access a stored database having information representing profiles associated with respective, diverse networks; determine from the records a correlation of the possible threat to the first network with possible threats to a subset of one or more of the respective, diverse networks, the subset restricted to be one or more of the respective, diverse networks which, according to the stored database having the information, are associated with profiles that match the profile associated with the first network in at least one characteristic; transmit a notification message to a destination associated with a second network from the subset to identify the possible threat to the first network; and sanitize information conveyed by the notification message to the destination, by formatting said notification message in a manner to remove IP addresses corresponding to one or more of (i) the first network or (ii) one of the respective, diverse networks from information included in the notification message that represents one or more possible threats to one or more of (i) the first network or (ii) one of the respective, diverse networks.

2. The apparatus of claim 1, wherein the instructions when executed are to further cause the at least one computer to: responsive to the determination, rank the possible threat to the first network; and transmit a notification message to a destination associated with the first network, the notification message to identify the possible threat to the first network.

3. The apparatus of claim 2, wherein the instructions when executed are to further cause the at least one computer to, responsive to the determination, query a database to determine at least one remedial action associated with the possible threat to the first network, and transmit a notification message to the destination associated with the first network to identify the at least one remedial action.

4. The apparatus of claim 1, further embodied as one or more servers.

5. The apparatus of claim 4, wherein the instructions when executed are further to cause the one or more servers to retrieve the information representing the profile associated with the first network from a database maintained by the one or more servers in response to the receipt of the information representing the possible threat to the first network, to thereby receive said information representing the profile associated with the first network.

6. The apparatus of claim 1, wherein the at least one characteristic includes an industry identifier.

7. The apparatus of claim 1, wherein the at least one characteristic includes a group membership, and wherein the instructions when executed are further to dynamically determine group membership at a time when the stored database having the records is accessed.

8. The apparatus of claim 1, wherein the instructions when executed are further to update stored ranking information associated with the records, for at least one of the respective, diverse networks reporting a possible threat determined to be correlated with the possible threat to the first network.

9. The apparatus of claim 8, wherein the instructions when executed are, responsive to update of stored ranking information associated with the records, to transmit a notification message to a destination associated with a first one of the respective, diverse networks that is a member of the subset and that first reported a possible threat determined to be correlated with the possible threat to the first network, and wherein the notification message is to indicate an upgraded threat severity based on the information representing the possible threat to the first network.

10. The apparatus of claim 1, wherein the instructions when executed are further to receive group membership information for the first network from a network administrator associated with the first network, and further, where the apparatus is to permit each network to have multiple group memberships.

11. The apparatus of claim 1, wherein the instructions when executed are further to update stored ranking information associated with the records, for at least one of the respective, diverse networks reporting a possible threat determined to be correlated with the possible threat to the first network.

12. An apparatus comprising instructions stored on non-transitory, computer-readable media, the instructions when executed to cause at least one computer to: receive information representing a possible threat to a first network; receive information representing a profile associated with the first network; access a stored database having records of possible threats to multiple, diverse networks; access a stored database having information representing profiles associated with respective, diverse networks; determine from the records a correlation of the possible threat to the first network with possible threats to a subset of one or more of the respective, diverse networks, the subset restricted to be one or more of the respective, diverse networks which, according to the stored database having the information, are associated with profiles that match the profile associated with the first network in at least one characteristic; responsive to the determination, rank the possible threat to the first network; and transmit a notification message to a destination associated with a third network to identify the possible threat to the first network, wherein the third network is associated with a profile that in the at least one characteristic matches (a) the profile associated with the first network and (b) each profile associated with a network corresponding to the subset; determine the correlation by identifying at least one first internet protocol (IP) address associated with the possible threat to the first network and also with the possible threats to the subset of one or more of the respective, diverse networks; wherein the information representing the possible threat to the first network and the possible threats to the one or more respective, diverse networks in the subset also collectively include one or more second IP addresses corresponding to one or more of (i) the first network or (ii) one of the respective, diverse networks; and sanitize information conveyed by the notification message to the destination, by formatting said notification message in a manner where no second IP address is included.

13. A method, comprising: receiving, with at least one computer, information representing a possible threat to a first network; receiving, with the at least one computer, information representing a profile associated with the first network; accessing, with the at least one computer, a stored database having records of possible threats to multiple, diverse networks; accessing, with the at least one computer, a stored database having information representing profiles associated with respective, diverse networks; using the at least one computer to determine from the records a correlation of the possible threat to the first network with possible threats to a subset of one or more of the respective, diverse networks, the subset restricted to be one or more of the respective, diverse networks which, according to the stored database having the inform
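The mechanism of claims 1, 2 and 12 (correlate an incoming report only against networks whose profile matches in a characteristic, rank by how many of them saw the same indicator, and strip the reporting networks' own addresses before notifying anyone) as a small added illustration; this is not the patent's implementation, and the profile store, the "industry" characteristic and all addresses are constructed sample data.

```python
import re
from dataclasses import dataclass

@dataclass
class ThreatReport:
    network: str     # reporting network
    indicators: set  # attacker-side addresses: the claim's "first IP addresses"
    own_ips: set     # the reporter's own hosts: the claim's "second IP addresses"

# Constructed sample data: profiles keyed by network, and previously pooled reports.
PROFILES = {"acme": {"industry": "finance"}, "bankco": {"industry": "finance"},
            "clinic": {"industry": "health"}, "credit": {"industry": "finance"}}
POOL = [
    ThreatReport("bankco", {"198.51.100.7"}, {"10.1.0.5"}),
    ThreatReport("clinic", {"198.51.100.7"}, {"10.2.0.9"}),  # shared indicator, other industry
    ThreatReport("credit", {"203.0.113.4"}, {"10.3.0.1"}),   # same industry, no shared indicator
]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def correlate(new, pool, profiles, characteristic="industry"):
    """Other networks' reports that match `new` in `characteristic` and share an indicator."""
    wanted = profiles[new.network][characteristic]
    return [r for r in pool
            if r.network != new.network
            and profiles[r.network].get(characteristic) == wanted
            and new.indicators & r.indicators]

def rank(new, subset):
    """Severity rises with the number of similarly situated networks reporting it."""
    return 1 + len(subset)

def sanitize(message, protected):
    """Redact protected (victim-side) addresses; shared indicators stay readable."""
    return IP_RE.sub(lambda m: "[redacted]" if m.group(0) in protected else m.group(0), message)

def build_notification(new, subset, profiles):
    """Draft the message sent to a network in the subset, then sanitize it (claim 1)."""
    common = set()
    for r in subset:
        common |= new.indicators & r.indicators
    protected = set(new.own_ips).union(*(r.own_ips for r in subset))
    draft = (f"severity {rank(new, subset)}: indicator(s) {sorted(common)} seen at "
             f"{1 + len(subset)} {profiles[new.network]['industry']} networks; "
             f"affected hosts include {sorted(new.own_ips)}")
    return sanitize(draft, protected)

if __name__ == "__main__":
    incoming = ThreatReport("acme", {"198.51.100.7"}, {"10.9.0.2"})
    print(build_notification(incoming, correlate(incoming, POOL, PROFILES), PROFILES))
```

Note that the redaction is keyed on a set of known victim addresses rather than on a pattern alone, so the attacker-side indicator survives while every reporter's own host address is removed.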

Assignees

Servicenow Inc

Inventors

Classifications

  • G06F21/552 (Primary): involving long-term monitoring or reporting · CPC title

  • the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title (code not shown on this page)

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9710644B2 cover?
This disclosure provides techniques for pooling and searching network security events reported by multiple sources. As information representing a security event is received from one source, it is searched against a central or distributed database representing events reported from multiple, diverse sources (e.g., different client networks). Either the search or correlated results can be filtered…
Who is the assignee on this patent?
Servicenow Inc
What technology area does this patent fall under?
Primary CPC classification G06F21/552. Mapped technology areas include Physics.
When was this patent published?
Publication date Jul 18, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).