WO2015134572A1 - Internet security cyber threat report - Google Patents

Internet security cyber threat report

Info

Publication number
WO2015134572A1
Authority
WO
WIPO (PCT)
Prior art keywords
incident
incidents
computer
analyst
client
Prior art date
Application number
PCT/US2015/018641
Other languages
English (en)
Inventor
David B. AMSLER
Original Assignee
Foreground Security
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Foreground Security
Publication of WO2015134572A1


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • The present invention generally relates to network security and in particular to an automated system and method for detecting, evaluating and reporting network threats.
  • Security portals typically do not reflect this comprehensive approach to the customer in an easily readable, graphics-intensive illustration that shows real-time threat data, the root cause analysis, metrics based on the analysts assigned to monitor and on security company assets, and the vulnerabilities associated with those assets.
  • Embodiments of the present invention serve to increase automation, analysis, and reporting of analysis to customers through several functions and programs.
  • Systems and methods according to the teachings of the present invention provide advancements in areas that traditional security reporting and operations portals do not provide.
  • Embodiments of the invention may provide Real-Time Labeling, Sorting, Ranking of Incidents, by way of example.
  • One embodiment may comprise a threat intelligence product that feeds the portal real-time incident information, providing situational awareness of sorted, categorized/labeled and ranked incidents for our analysts.
  • A threat intelligence system may include stored analyst profiles that have inputs about analyst capabilities, background, and the like, which allow intelligent decision making by an incident routing system so that incidents that arrive at an analyst's desk match not only a skill level, but familiarity with the customer assets affected by the incident.
  • A threat intelligence system may comprise built-in links and direct software calls to various brands of security devices that are presented to the analyst so that a simple "click" will allow them to "pivot" into security devices to investigate incidents alerted to them by our threat intelligence programs.
  • A threat intelligence system may allow triage of alerted incidents through simultaneous editing and workflow on incidents with real-time chat, spell checking, customer checks to make sure tickets are for the customer intended, and war-room response to involve a full suite of analysis by using contextual searches on previously written tickets.
  • Believability and Reliability may be provided.
  • A system may include functionality that takes input from the analyst and sends it to a threat intelligence program in order to help with the believability and reliability rankings of the incident alerts that our analysts see.
  • Scenario Based Ticket Creation may be provided.
  • A system may provide an input form with various menus that allow an analyst to build an illustrated incident scenario, such as type of attack, type of asset, time-based analysis, and transaction-based analysis, that provides an overview through graphical entity illustrations to the client.
  • Customizable Views may be provided.
  • A system may provide a module-based, customized view in which customers have over 30 different types of data views that can be displayed, from parabolic graphics to 3D views of geo-locations, etc.
  • Link Analysis may be provided, wherein a system provides a robust illustration of incidents that characterizes incidents in terms of entities, relationship-based computer-to-computer transactions based on data flow analysis, exploit used, success rate, compromise rate, and ranking of the data stream used in the incident, by way of example.
  • Root Cause Analysis may be provided.
  • A system may provide insight into the root cause of the incident that was reported.
  • The incident may be categorized based on analyzing the timeline and/or sequence of events, confirmation of an exploit and/or attempted exploit of the computer system, and human analysis of the event.
  • Vulnerability Data Association may be provided.
  • A system may provide an interface and logical mapping of enterprise IT assets across incidents, ranking those assets per a level of criticality to business units and/or business objectives of the customer.
  • Vulnerability data may be paired with asset information and incident information in order to provide the customer with a holistic view of their security posture.
  • Asset Management may be provided.
  • A system may provide an ability to receive, in different file formats, and/or export from leading IT asset products the asset lists for customer enterprise computer systems and infrastructure, so that assets are linked to the computer systems that are described in the incident being reported to the customer.
  • Metrics may be provided, wherein, by way of example, a system is enriched with a program that drives calculations of metrics on the analysts over a period of time. This allows customers to be served not only by the correct analyst for their business vertical, but also gives the customer insight into the threat intelligence operations of systems and methods of the invention and into the talent that serves a contract between a provider of embodiments of the invention and the customer.
  • One method aspect of the invention may include a computer-implemented method for detecting and reporting an internet threat.
  • the method may comprise collecting a plurality of cyber threat data for an incident from a plurality of threat intelligence sources; weighting the cyber threat data based on past performance by the threat intelligence source providing the data; sorting the cyber threat data by severity and reliability for providing indicators for the incident; connecting to a client system; monitoring incidents of the cyber threats on the client system; retrieving incidents detected on the client system; selecting at least one incident by an analyst; displaying known information about the at least one incident to the analyst; analyzing the incident by the analyst based on the indicators of the cyber threat data; transmitting an incident report to the client system by the analyst, wherein the incident report includes a recommended course of action and modification to the user system; closing the incident report; and updating a database with the closed incident report.
  • Figure 1 is a block diagram illustrating one embodiment of the invention providing Analyst and Customer components
  • Figure 2 is a block diagram illustrating functions of a client side of Figure 1 ;
  • Figure 3 is a block diagram illustrating available client commands
  • Figure 4 illustrates a customizable dashboard according to the teachings of the present invention, by way of non-limiting example
  • Figure 5 illustrates dashboard plug and play modules that draw from data points associated within an incident database, analyst inputs and raw intelligence which provide customizable view points and/or mini dashboards, by way of example;
  • Figure 6 is a flow chart illustrating an asset management functionality of the system, wherein surrounding data is organized and associated to assets in order to provide drill down features of link analysis of Figure 5;
  • Figure 7 is a flow chart illustrating a collection of metrics that help feed the decision-making processes involved in the routing engine referred to in Figure 7;
  • Figure 8 is a flow chart illustrating one computer-implemented method for detecting and reporting an internet threat according to the teachings of the present invention.
  • One system 10 and associated method according to the teachings of the present invention is herein described, by way of example, as comprising two large components that fall in the category of data display components, which are aptly named Analyst and Customer. These two data display functions are both supported by two components named client side 12 and server side 14.
  • The client side 12 is a set of procedural steps taken in the lifecycle of one incident report.
  • A connection 16 to the server side 14 is opened.
  • A list of incidents is retrieved 18 and displayed 20.
  • An analyst selects an incident and all known information is displayed to the analyst.
  • Reporting fields are displayed for customer and internal reporting 24.
  • Once reporting 24 has finished, the analyst closes the incident 26 and an incident database 28 is updated with the closed report.
  • The server side 14 is an event-driven and input-driven process which delivers the information about incidents requested by the client side 12. After receiving the request to open a connection to the client, the server side 14 retrieves a list of incidents from the incident database 28 and passes it to the client. Additional information is made available to the client for all incidents passed in the list. Further, the client has multiple features available as illustrated with reference to Figure 3. When an incident is claimed, it is updated in the database and all clients are informed of the claim. Reports are stored in the database as the client fills them out; when a report is marked as complete in the database, all clients are informed of the update.
  • The first component that makes up the client side 12 program is called "Establish Connection." After authenticating, the socket connection 16 is established with the server side 14. Data are then synced across client and server sides 12, 14. Once all necessary items are set to sync and other objects used only by the client are instantiated, the client requests 18 the list of incidents from the server side 14.
  • After connecting to the server side 14, the client receives the list of incidents as an array of objects. Each item in the list represents one incident with several key fields meant to help an analyst quickly differentiate one incident from another. Each incident is parsed 34 into an HTML list item 35 and table row, given a class to help differentiate open incidents from claimed ones, and a click event handler is attached to each one. The list of incidents is then animated into the document for the analyst to interact with. When an incident is clicked, the client requests all additional information about the incident from the server.
  • The data from the server side 14 are returned as a dictionary of key-value pairs. Each pair represents one field and its respective value about the incident. The pairs are parsed into table cells and displayed on the screen. If the incident has already been claimed by another analyst, no other options are made available beyond viewing the information about the incident and which analyst is handling it. If an analyst has not already claimed the incident, a claim button 37 is made visible. Clicking the button 37 sends the claim command to the server. The client then reinterprets the incident as being claimed by the analyst. When the incident is marked as claimed 30 by the analyst, the reporting process 24 becomes available.
  • Once the reporting process 24 is available to the analyst, two fields are displayed, one for a client report and one for internal reporting. Key press event handlers attached to each field send a command to the server to save the modified report. A close report button 27, as illustrated with reference to Figure 2, is also made visible, which when clicked sends a command to the server side 14 closing 26 the completed report. After receiving confirmation from the server side 14, the view is reset and the updated incident list is requested again. A close report functional flow is illustrated with reference again to Figure 3.
  • The incident list is sorted 36 either by a client-defined filter and/or by comparing severity, believability, and the time the incident was discovered.
  • The list is then parsed into a browser-friendly format and sent back to the client for display.
  • When the client requests additional information about an incident, all information known about the incident is retrieved from the database, parsed, and sent back 38 to the client for display.
  • When an incident is claimed, the record is updated in the database 28, and the incident is no longer available to other clients for claiming.
  • The reporting fields associated with the incident are unlocked and the server side 14 sends the client the signal to allow reporting. As the report is filled out on the client side 12, all changes are sent to the server side 14 to be stored to allow
  • The reports are sent along with it to allow analysts to work on multiple incidents at once while preventing data loss.
  • When the client sends the command to close the report 26, the record is marked as closed and is removed from the display 20. The record is no longer available in the standard filter and must be specially requested by an analyst to view any closed report.
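The server-side rules in the steps above (sorted incident list, first claim wins, report edits only from the claimant, closed incidents hidden from the standard filter) are modelled below as an added example. This is not the patent's or Foreground Security's code; the sort direction (most severe, then most believable, then oldest first), the event list that stands in for "all clients are informed", and the sample incidents are constructed assumptions.

```python
"""In-memory model of the server-side incident lifecycle (added example)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Incident:
    incident_id: str
    customer: str
    severity: int            # higher is more severe
    believability: float     # 0..1, from the believability/reliability ranking
    discovered: datetime
    claimed_by: Optional[str] = None
    closed: bool = False
    client_report: str = ""
    internal_report: str = ""


class IncidentServer:
    """Holds the incident database and enforces the claim/report/close rules."""

    def __init__(self, incidents: Iterable[Incident]) -> None:
        self._db: Dict[str, Incident] = {i.incident_id: i for i in incidents}
        # Updates that would be pushed to every connected client (assumed mechanism).
        self.events: List[Tuple[str, str, str]] = []

    def list_incidents(self, include_closed: bool = False) -> List[str]:
        """Standard filter hides closed incidents; they must be asked for explicitly."""
        rows = [i for i in self._db.values() if include_closed or not i.closed]
        # Assumed sort order: most severe, then most believable, then oldest first.
        rows.sort(key=lambda i: (-i.severity, -i.believability, i.discovered))
        return [i.incident_id for i in rows]

    def incident_fields(self, incident_id: str) -> Dict[str, object]:
        """Everything known about one incident, as the key/value dictionary the client renders."""
        inc = self._db[incident_id]
        return {"id": inc.incident_id, "customer": inc.customer, "severity": inc.severity,
                "believability": inc.believability, "claimed_by": inc.claimed_by,
                "closed": inc.closed}

    def claim(self, incident_id: str, analyst: str) -> bool:
        """First claim wins; closed or already-claimed incidents are refused."""
        inc = self._db[incident_id]
        if inc.closed:
            return False
        if inc.claimed_by == analyst:
            return True                      # already this analyst's incident
        if inc.claimed_by is not None:
            return False
        inc.claimed_by = analyst
        self.events.append(("claimed", incident_id, analyst))
        return True

    def save_report(self, incident_id: str, analyst: str,
                    client_text: Optional[str] = None,
                    internal_text: Optional[str] = None) -> bool:
        """Report fields are unlocked only for the claiming analyst."""
        inc = self._db[incident_id]
        if inc.closed or inc.claimed_by != analyst:
            return False
        if client_text is not None:
            inc.client_report = client_text
        if internal_text is not None:
            inc.internal_report = internal_text
        return True

    def close(self, incident_id: str, analyst: str) -> bool:
        """Only the claimant may close; closing removes the record from the standard list."""
        inc = self._db[incident_id]
        if inc.closed or inc.claimed_by != analyst:
            return False
        inc.closed = True
        self.events.append(("closed", incident_id, analyst))
        return True


def sample_server() -> IncidentServer:
    """Constructed sample incidents (not real data)."""
    return IncidentServer([
        Incident("INC-1", "acme", 5, 0.9, datetime(2015, 3, 4, 9, 0)),
        Incident("INC-2", "acme", 9, 0.4, datetime(2015, 3, 4, 8, 0)),
        Incident("INC-3", "globex", 9, 0.4, datetime(2015, 3, 4, 7, 30)),
    ])


if __name__ == "__main__":
    srv = sample_server()
    print(srv.list_incidents())                    # INC-3, INC-2, INC-1
    print(srv.claim("INC-3", "alice"), srv.claim("INC-3", "bob"))
    srv.save_report("INC-3", "alice", client_text="Sender domain blocked at the gateway.")
    print(srv.close("INC-3", "alice"), srv.list_incidents(), srv.events)
```

The check worth keeping from this model is that every mutating command is validated against the claimant on the server, not just hidden in the client UI: a client that never shows the claim button to a second analyst is still only as safe as the server's refusal to honour a second claim.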
  • Customizable Views are available.
  • A Customizable Dashboard 40 is meant to display metrics, statistics, and live insight into a customer's network. Information is displayed through dynamic widgets 42 that can be moved, resized, removed, or added as the customer sees fit, with a persistent layout that is stored for each user via a profile.
  • The widgets 42 serve as an easy entry point for drilldown on incidents, threat intel, assets, analysts, etc.
  • Link Analysis 44 is available. Data from analyst reports and information provided by automated analytics is processed, producing a graph showing the links between incidents and other events in the customer's network. Information is displayed as an interactive web, allowing for customer drilldown into the individual events to better analyze the incident.
  • Root Cause Analysis 46, Vulnerability Data Association 48 and Asset Management 50 are available.
  • The system 10 provides insight into the root cause of the incident that was reported.
  • When the forms are generated for the asset, that asset is assigned a category and associated with vulnerability information input previously by a customer.
  • An analyst who examines the timeline then categorizes the incident based on the sequence of events and the confirmation of an exploit or attempted exploit.
  • An interface allows the customer to import vulnerability data 48 into the customer portal, where it is stored in the incident database 28, tied to asset management 50.
  • The display page shows a logical mapping of assets across incidents, ranking those assets per level of criticality. This information is then routed to analysts via the server side 14 per the metrics and routing functionality.
  • A page is dedicated to allowing the customer to manually add asset information regarding types of devices, and to associate a priority with each respective device. By providing this information, the customer helps tailor the automated response, affecting how incidents are displayed to an analyst by differentiating critical systems from normal devices.
  • Embodiments of the system are built in module sections of code on the client side 12 and server side 14, which support the architecture of both the system analyst dashboard and the customer dashboard.
  • The tickets and analyst part is known as analyst and the customer dashboard is known as customer.
  • The system 10 provides advanced metrics and routing of incident information.
  • The block entitled "Send Client Incident List" 38 under the retrieve incident information process flow is where the portal has profiles stored of SOC analysts, measured by key words, years of experience, familiarity with tools,
  • The server side 14 engine uses these profiles to make efficient routing changes and to collect metrics on analysts, so that incidents match not only skill level but also various other degrees of experience in different categories.
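To make the profile-driven routing described above concrete, here is an added example that is not the patent's code. It scores each stored analyst profile against an incident on skill level (treated as a hard requirement), familiarity with the affected customer's assets, keyword and tool overlap, years of experience and current workload, then routes the incident to the best-scoring analyst. The weights, the profile fields and the sample analysts and incidents are constructed assumptions, not values from the patent.

```python
"""Profile-based incident routing (added example; weights are assumptions)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class AnalystProfile:
    name: str
    skill_level: int                 # 1 (junior) .. 5 (senior)
    years_experience: float
    keywords: FrozenSet[str]         # incident categories the analyst knows
    tools: FrozenSet[str]            # security tools the analyst is familiar with
    customers: FrozenSet[str]        # customer environments worked before
    open_incidents: int = 0          # current load, as the metrics engine would report it


@dataclass(frozen=True)
class Incident:
    incident_id: str
    customer: str
    required_skill: int              # minimum skill level to receive the incident
    keywords: FrozenSet[str]
    tools: FrozenSet[str]


def route_score(incident: Incident, analyst: AnalystProfile) -> Optional[float]:
    """Return a routing score, or None when the analyst is not eligible.

    Skill level is a hard requirement; the remaining weights are constructed
    for this example and are not taken from the patent.
    """
    if analyst.skill_level < incident.required_skill:
        return None
    score = 0.0
    # Familiarity with the affected customer's assets counts most.
    if incident.customer in analyst.customers:
        score += 3.0
    # One point per matching keyword and per matching tool.
    score += len(incident.keywords & analyst.keywords)
    score += len(incident.tools & analyst.tools)
    # Experience adds at most one point (capped at ten years).
    score += min(analyst.years_experience, 10.0) / 10.0
    # Load balancing: each incident already open costs half a point.
    score -= 0.5 * analyst.open_incidents
    return score


def route(incident: Incident, analysts: List[AnalystProfile]) -> Optional[str]:
    """Pick the eligible analyst with the highest score (None if nobody qualifies)."""
    best_name, best_score = None, None
    for analyst in analysts:
        score = route_score(incident, analyst)
        if score is None:
            continue
        if best_score is None or score > best_score:
            best_name, best_score = analyst.name, score
    return best_name


# Constructed sample profiles and incidents for demonstration.
ANALYSTS = [
    AnalystProfile("alice", 4, 6.0, frozenset({"phishing", "malware"}),
                   frozenset({"siem"}), frozenset({"acme"}), open_incidents=1),
    AnalystProfile("bob", 5, 12.0, frozenset({"malware", "ransomware"}),
                   frozenset({"siem", "firewall"}), frozenset({"globex"})),
    AnalystProfile("carol", 2, 1.0, frozenset({"phishing"}),
                   frozenset({"siem"}), frozenset({"acme"})),
]
INCIDENTS = [
    Incident("INC-1", "acme", 3, frozenset({"malware"}), frozenset({"siem"})),
    Incident("INC-2", "globex", 5, frozenset({"ransomware"}), frozenset({"firewall"})),
    Incident("INC-3", "initech", 5, frozenset({"phishing"}), frozenset()),
]


if __name__ == "__main__":
    for inc in INCIDENTS:
        print(inc.incident_id, "->", route(inc, ANALYSTS))
```

Returning None rather than a low score for an under-qualified analyst is the design choice to keep: it prevents a quiet queue from absorbing incidents it is not equipped to handle, which is the failure mode a pure load-balancing router would produce.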
  • The system utilizes a believability and reliability ranking engine that helps to tailor the incident information that is processed and presented to the analyst. Parts of this functionality are illustrated with reference again to Figure 3, where all "incident fields" are retrieved after the threat intelligence engine has informed the incident database of the previous ranking of believability and reliability.
  • The analyst can provide human-based input to teach the machine learning algorithm whether the incident was a false positive, the threat intelligence was not correct, and/or the threat has since moved and the threat intelligence data needs to be retired because its finite life period has expired and the information was not used by threat actors recently, etc.
  • In order to add in the customer dashboard 40 creation and the illustration of complex incidents, the system 10 also utilizes cutting edge techniques to allow human analysis to illustrate the scenario that correctly describes the incident routed to the analyst.
  • Referring to FIG 1 for analyst reporting, there are a multitude of drop-down menus with entities, attack types, and scenario language that is used to build, from a form-based input, the entire attack scenario of the incident, going as granular as known malware families and/or threat actors that are being tracked by the operations centers that attack certain customer bases.
  • The system 10 starts the display engine with a series of graphical widgets 42 that are event-driven consoles, which originate from various data sources.
  • Plug and play modules draw from data points associated within the incident database, analyst inputs and raw intelligence, and provide customizable view points and/or mini dashboards such as link analysis in the form of parabolic graphs, geo-location view points, threat intelligence highlighted view points, etc.
  • These modules are not selected all at once by the customer view point but are rather a menu of options that allow over 75 different customizations for preparation of data fed from incident ticketing, analysis, human analysis, threat intelligence, open source intelligence gathering, and "darknet" searching, providing trademark, company, and brand protection trends as related to OSIM (open source intelligence methodology) employed by analysts and automated resources.
  • The system 10 also provides a cutting edge presentation layer built around link analysis theory.
  • Referring again to Figure 5, the data points from an incident, wherein all entities involved are given graphical characters, are put in a sequence that allows full visual playback of the incident.
  • These data links are graphical characters that hold menu links allowing further drilldown by said customer into computer-specific log files, screen captures, and analyst notes.
  • The system 10 stores large amounts of what is termed "surrounding data", wherein surrounding data are data about an organization's enterprise, including assets, network names, host names, and vulnerability data associated with the assets.
  • Figure 6 illustrates the asset management 50 functionality of the system, in which the
  • The system 10 has a flexible parsing engine allowing upload of asset lists in industry standard formats and populates this into the incident database. Vulnerability data about particular assets are linked directly to those assets in the incident database. Presentation of these data is a sub-routine handled by link analysis in Figure 5, where the "surrounding data" is retrieved.
  • The system 10 takes analyst input, illustrated with reference again to Figure 1, and allows analysts to report on a root cause of the incident. This root cause is associated with the vulnerability data inside the incident database, adding to the "surrounding data" collected and/or inputted into the system.
  • The system 10 includes a metrics engine 56, illustrated by way of example in Figure 7 titled "Calculate requested metrics across all sets of records". This calculation allows large teams of analysts to be ranked on various attributes, from closing of incidents, to what type of incidents were handled over a period of time, to the level of incident handled on a daily or weekly basis. Figure 7 allows for collection of metrics that help feed the decision-making processes involved in the routing engine referred to in Figure 3.
  • One method aspect of the invention may include a computer-implemented method 100 for detecting and reporting an internet threat.
  • The method 100 may comprise collecting a plurality of cyber threat data 102 for an incident from a plurality of threat intelligence sources; weighting the cyber threat data 104 based on past performance by the threat intelligence source providing the data; sorting the cyber threat data 104 by severity and reliability for providing indicators for the incident; connecting to a client system;
  • monitoring incidents 110 of the cyber threats on the client system; retrieving incidents 112 detected on the client system; selecting 114 at least one incident by an analyst; displaying 116 known information about the at least one incident to the analyst;
  • analyzing 118 the incident by the analyst based on the indicators of the cyber threat data; transmitting 120 an incident report to the client system by the analyst, wherein the incident report includes a recommended course of action and modification to the user system; closing 122 the incident report; and updating 124 a database with the closed incident report.
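The first steps of the method (102 and 104: collect indicators from several feeds, weight each by its feed's past performance, sort by severity and reliability), together with the analyst feedback loop described earlier in which an alert is marked a false positive or confirmed, are shown below as an added example. It is not the patent's code. It assumes that a feed's reliability is its smoothed true-positive rate from past analyst verdicts, that the same indicator reported by several feeds is corroborated by combining their reliabilities as independent evidence, and that the ranking key is severity multiplied by reliability; the feed names and indicator values are constructed (RFC 5737 documentation addresses, not real IoCs).

```python
"""Weight threat-intel indicators by feed reliability and rank them (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Feed:
    """Past performance of one threat intelligence source, from analyst verdicts."""
    name: str
    true_positives: int = 0
    false_positives: int = 0

    def reliability(self) -> float:
        # Laplace-smoothed precision: an unproven feed starts at 0.5 and moves
        # toward its observed true-positive rate as verdicts accumulate.
        return (self.true_positives + 1) / (self.true_positives + self.false_positives + 2)

    def record_verdict(self, confirmed: bool) -> None:
        """Analyst feedback: was the alert this feed produced a real threat?"""
        if confirmed:
            self.true_positives += 1
        else:
            self.false_positives += 1


@dataclass
class Indicator:
    value: str
    severity: int                 # 1..10 as supplied by the feed
    reliability: float = 0.0      # combined reliability of the feeds reporting it
    sources: List[str] = field(default_factory=list)

    @property
    def score(self) -> float:
        return self.severity * self.reliability


def weight_indicators(raw: List[Tuple[str, int, str]], feeds: Dict[str, Feed]) -> List[Indicator]:
    """Merge raw (value, severity, feed) rows into one Indicator per value.

    Corroboration is modelled as independent evidence: the probability that at
    least one reporting feed is right is 1 - prod(1 - r_i). Severity is the
    highest reported for that value.
    """
    merged: Dict[str, Indicator] = {}
    miss_product: Dict[str, float] = {}
    for value, severity, feed_name in raw:
        rel = feeds[feed_name].reliability()
        ind = merged.setdefault(value, Indicator(value, severity))
        ind.severity = max(ind.severity, severity)
        ind.sources.append(feed_name)
        miss_product[value] = miss_product.get(value, 1.0) * (1.0 - rel)
    for value, ind in merged.items():
        ind.reliability = 1.0 - miss_product[value]
    return list(merged.values())


def rank_indicators(indicators: List[Indicator]) -> List[Indicator]:
    """Highest score first; ties broken by reliability, then by value for determinism."""
    return sorted(indicators, key=lambda i: (-i.score, -i.reliability, i.value))


# Constructed feeds and indicator rows for demonstration.
FEEDS = {
    "feed_a": Feed("feed_a", true_positives=9, false_positives=1),
    "feed_b": Feed("feed_b", true_positives=2, false_positives=6),
    "feed_c": Feed("feed_c"),   # no track record yet
}
RAW = [
    ("198.51.100.7", 8, "feed_a"),
    ("198.51.100.7", 8, "feed_b"),
    ("203.0.113.9", 9, "feed_b"),
    ("malicious.example", 5, "feed_c"),
]


def ranked_values() -> List[str]:
    """Indicator values in the order an analyst would see them."""
    return [i.value for i in rank_indicators(weight_indicators(RAW, FEEDS))]


if __name__ == "__main__":
    for ind in rank_indicators(weight_indicators(RAW, FEEDS)):
        print(f"{ind.value:20} sev={ind.severity} rel={ind.reliability:.2f} "
              f"score={ind.score:.2f} from {ind.sources}")
```

Two effects are worth noticing in the output: the indicator seen by two feeds outranks a higher-severity indicator from the weak feed alone, and the untested feed's indicator lands in the middle rather than at the top, so a new source has to earn its weight through analyst verdicts recorded with `record_verdict`.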
  • Each block in the flowchart or block diagram may represent a module, segment, or portion of code, which comprises one or more executable computer program instructions for implementing the specified logical function or functions.
  • Some implementations may include the functions in the blocks occurring out of the order herein presented. By way of non-limiting example, two blocks shown in succession may be executed substantially concurrently, or the blocks may at times be executed in the reverse order, depending upon the functionality involved.
  • These computer program instructions may also be stored in a computer readable medium that may direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
  • The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other
  • Aspects of various embodiments may be embodied as a system, method or computer program product, and accordingly may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, and the like) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a circuit, module or system.
  • Aspects of various embodiments may take the form of a computer program product embodied in one or more computer readable media having computer readable program code embodied thereon. It is understood that the computer-implemented method herein described operates with readable media relating to non-transitory media, wherein the non-transitory computer-readable media comprise all computer-readable media, with the sole exception being a transitory, propagating signal.
  • A computer readable medium may be a computer readable signal medium or a computer readable storage medium.
  • A computer readable storage medium may be, by way of non-limiting example, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing.
  • The computer readable storage medium may include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
  • A computer readable storage medium may be any tangible medium that may contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
  • A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, by way of non-limiting example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof.
  • A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that may communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
  • Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, and the like, or any suitable combination thereof.
  • Computer program code for carrying out operations for aspects of various embodiments may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the C programming language or similar programming languages.
  • The program code may also be written in a specialized language.
  • The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server.
  • The remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (by way of non-limiting example, through the Internet using an Internet Service Provider).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention relates to a managed security and risk assessment system for network users, which provides security services for dealing with formidable cyber threats, malware creations and phishing techniques. Automated solutions, in combination with human-driven solutions, establish an always-alert posture for the anticipation, mitigation and discovery of incidents and for the response to those incidents. Threat assessments are performed and reported to a client system that is monitored. The system provides a capability to receive, in different file formats, and/or export from leading IT asset products, asset lists for client enterprise computer systems and infrastructure, so that assets are linked to the client computer systems described in an incident that is reported to the client.
PCT/US2015/018641 2014-03-06 2015-03-04 Internet security cyber threat report WO2015134572A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201461948755P 2014-03-06 2014-03-06
US61/948,755 2014-03-06

Publications (1)

Publication Number Publication Date
WO2015134572A1 true WO2015134572A1 (fr) 2015-09-11

Family

ID=54055828

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2015/018641 WO2015134572A1 (fr) 2014-03-06 2015-03-04 Internet security cyber threat report

Country Status (1)

Country Link
WO (1) WO2015134572A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019060013A1 (fr) * 2017-09-22 2019-03-28 Microsoft Technology Licensing, Llc Configurable cyber-attack trackers
CN113596041A (zh) * 2021-08-03 2021-11-02 安天科技集团股份有限公司 (Antiy Technology Group Co., Ltd.) Quality evaluation method and apparatus for intelligence sources, electronic device and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020078381A1 (en) * 2000-04-28 2002-06-20 Internet Security Systems, Inc. Method and System for Managing Computer Security Information
WO2004111785A2 (fr) * 2003-06-09 2004-12-23 Industrial Defender, Inc. Event management and monitoring
US20080184371A1 (en) * 2007-01-29 2008-07-31 Deutsche Telekom Ag method and system for detecting malicious behavioral patterns in a computer, using machine learning
US20090007145A1 (en) * 2007-06-29 2009-01-01 Verizon Business Network Services Inc. Dashboard maintenance/outage correlation
US20110131163A1 (en) * 2009-12-01 2011-06-02 Microsoft Corporation Managing a Portfolio of Experts
US20120246727A1 (en) * 2008-02-04 2012-09-27 Yuval Elovici System that provides early detection, alert, and response to electronic threats
US20130055399A1 (en) * 2011-08-29 2013-02-28 Kaspersky Lab Zao Automatic analysis of security related incidents in computer networks

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020078381A1 (en) * 2000-04-28 2002-06-20 Internet Security Systems, Inc. Method and System for Managing Computer Security Information
WO2004111785A2 (fr) * 2003-06-09 2004-12-23 Industrial Defender, Inc. Gestion et controle d'evenements
US20100064039A9 (en) * 2003-06-09 2010-03-11 Andrew Ginter Event monitoring and management
US20080184371A1 (en) * 2007-01-29 2008-07-31 Deutsche Telekom Ag method and system for detecting malicious behavioral patterns in a computer, using machine learning
US20090007145A1 (en) * 2007-06-29 2009-01-01 Verizon Business Network Services Inc. Dashboard maintenance/outage correlation
US20120246727A1 (en) * 2008-02-04 2012-09-27 Yuval Elovici System that provides early detection, alert, and response to electronic threats
US20110131163A1 (en) * 2009-12-01 2011-06-02 Microsoft Corporation Managing a Portfolio of Experts
US20130055399A1 (en) * 2011-08-29 2013-02-28 Kaspersky Lab Zao Automatic analysis of security related incidents in computer networks

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019060013A1 (fr) * 2017-09-22 2019-03-28 Microsoft Technology Licensing, Llc Dispositifs de suivi de cyberattaques configurables
US10944766B2 (en) 2017-09-22 2021-03-09 Microsoft Technology Licensing, Llc Configurable cyber-attack trackers
CN113596041A (zh) * 2021-08-03 2021-11-02 安天科技集团股份有限公司 情报源的质量评估方法、装置、电子设备及存储介质

Similar Documents

Publication Publication Date Title
US9392003B2 (en) Internet security cyber threat reporting system and method
US11870558B1 (en) Identification of related event groups for IT service monitoring system
US11886464B1 (en) Triage model in service monitoring system
US10942960B2 (en) Automatic triage model execution in machine data driven monitoring automation apparatus with visualization
US11736378B1 (en) Collaborative incident management for networked computing systems
US11580680B2 (en) Systems and interactive user interfaces for dynamic retrieval, analysis, and triage of data items
US11102224B2 (en) Systems and user interfaces for dynamic and interactive investigation of bad actor behavior based on automatic clustering of related data in various data structures
US10721268B2 (en) Systems and user interfaces for dynamic and interactive investigation based on automatic clustering of related data in various data structures
US11924021B1 (en) Actionable event responder architecture
US20210075667A1 (en) Generating actionable alert messages for resolving incidents in an information technology environment
US10503789B2 (en) Systems and methods for discovering social accounts
US9785773B2 (en) Malware data item analysis
US9021260B1 (en) Malware data item analysis
US20180329932A1 (en) Identification of distinguishing compound features extracted from real time data streams
US8626570B2 (en) Method and system for data quality management
US11676345B1 (en) Automated adaptive workflows in an extended reality environment
US11755559B1 (en) Automatic entity control in a machine data driven service monitoring system
WO2015134572A1 (fr) Rapport de cybermenace sur la sécurité internet
CN108509321A (zh) 生成数据立方体的监控方法和系统
US12008046B1 (en) System and method for automated determination of search query parameters for anomaly detection
Green Data mining log file streams for the detection of anomalies

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 15758524; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase. Ref country code: DE
122 Ep: pct application non-entry in european phase. Ref document number: 15758524; Country of ref document: EP; Kind code of ref document: A1