| Patent application number | Description | Published |
| --- | --- | --- |
20080229414 | Endpoint enabled for enterprise security assessment sharing - An enterprise-wide sharing arrangement uses a semantic abstraction, called a security assessment, to share security-related information between security products, called endpoints. A security assessment is defined as a tentative assignment by an endpoint of broader contextual meaning to information that is collected about an object of interest. Endpoints utilize an architecture that comprises a common assessment sharing agent and a common assessment generating agent. The common assessment sharing agent is arranged for subscribing to security assessments, publishing security assessments onto a channel, maintaining an awareness of configuration changes on the channel (e.g., when a new endpoint is added or removed), and implementing security features like authorization, authentication and encryption. A common assessment generating engine handles endpoint behavior associated with a security assessment including assessment generation, cancellation, tracking, and rolling-back actions based on assessments that have expired. The common assessment generating engine generates and transmits messages that indicate which local actions are taken. | 09-18-2008 |
20080229421 | Adaptive data collection for root-cause analysis and intrusion detection - Endpoints in an enterprise security environment are configured to adaptively switch from their normal data collection mode to a long-term, detailed data collection mode where advanced analyses are applied to the collected detailed data. Such adaptive data collection and analysis is triggered upon the receipt of a security assessment of a particular type, where a security assessment is defined as a tentative assignment by an endpoint of broader contextual meaning to information (i.e., data in some context) that is collected about an object of interest. A specialized endpoint is coupled to the security assessment channel and performs as a centralized audit point by subscribing to all security assessments, logging the security assessments, and also logging the local actions taken by endpoints in response to detected security incidents in the environment. The specialized endpoint is arranged to perform various analyses and processes on historical security assessments. | 09-18-2008 |
20080229422 | Enterprise security assessment sharing - An enterprise-wide sharing arrangement uses a semantic abstraction, called a security assessment, to share security-related information between different security products, called endpoints. A security assessment is defined as a tentative assignment by an endpoint of broader contextual meaning to information that is collected about an object of interest. Its tentative nature is reflected in two of its components: a fidelity field used to express the level of confidence in the assessment, and a time-to-live field for an estimated time period for which the assessment is valid. Endpoints may publish security assessments onto a security assessment channel, as well as subscribe to a subset of security assessments published by other endpoints. A specialized endpoint is coupled to the channel that performs as a centralized audit point by subscribing to all security assessments, logging the security assessments, and also logging the local actions taken by endpoints in response to security threats. | 09-18-2008 |
20080244694 | Automated collection of forensic evidence associated with a network security incident - An automated collection of forensic evidence associated with a security incident is provided by an arrangement in which different security products called endpoints in an enterprise network are enabled for sharing security-related information over a common communication channel using an abstraction called a security assessment. A security assessment is generally configured to indicate an endpoint's understanding of a detected security incident that pertains to an object in the environment which may include users, computers, IP addresses, and website URIs (Universal Resource Identifiers). The security assessment is published by the endpoint into the channel and received by subscribing endpoints. The security assessment triggers the receiving endpoints to go into a more comprehensive or detailed mode of evidence collection. In addition, any forensic evidence having relevance to the security incident that may have already been collected prior to the detection will be marked for retention so that it is not otherwise deleted. | 10-02-2008 |
20080244742 | Detecting adversaries by correlating detected malware with web access logs - An automated arrangement for detecting adversaries is provided by examining a log that contains records of communications into and out of the enterprise network upon the detection of a security incident by which a host computer on an enterprise network becomes compromised. The log is analyzed over a window of time starting before the occurrence of the detected security incident to identify the web site URIs (Uniform Resource Identifiers) and IP (Internet Protocol) addresses (collectively “resources”) that were respectively accessed by the compromised host and/or from which traffic was received by the compromised host. When other host computers in the enterprise are detected as being compromised, a similar analysis is performed and the results of all the analyses are correlated to identify one or more resources that are common to the logged communications of all the compromised machines. | 10-02-2008 |
20080244748 | Detecting compromised computers by correlating reputation data with web access logs - Compromised host computers in an enterprise network environment comprising a plurality of security products called endpoints are detected in an automated manner by an arrangement in which a reputation service provides updates to identify resources including website URIs (Universal Resource Identifiers) and IP addresses (collectively “resources”) whose reputations have changed and represent potential threats or adversaries to the enterprise network. Responsively to the updates, a malware analyzer, which can be configured as a standalone endpoint, or incorporated into an endpoint having anti-virus/malware detection capability, or incorporated into the reputation service, will analyze logs maintained by another endpoint (typically a firewall, router, proxy server, or gateway) to identify, in a retroactive manner over some predetermined time window, those client computers in the environment that had any past communications with a resource that is newly categorized by the reputation service as malicious. Every client computer so identified is likely to be compromised. | 10-02-2008 |
20080256619 | Detection of adversaries through collection and correlation of assessments - An automated arrangement for detecting adversaries is provided in which assessments of detected adversaries are reported to a reputation service from security devices, such as unified threat management systems in deployed customer networks. By using actual deployed networks, the number of available sensors can be very large to increase the scope of the adversary detection, while still observing real attacks and threats including those that are targeted to small sets of customers. The reputation service performs a number of correlations and validations on the received assessments to then return a reputation back to the security device in the enterprise network that can be used for blocking adversaries, but only when multiple, distinct sources report the same adversary in their assessments to thus ensure that the reputation is accurate and reliable. | 10-16-2008 |
20080256622 | Reduction of false positive reputations through collection of overrides from customer deployments - An automated arrangement for reducing the occurrence and/or minimizing the impact of false positives by a reputation service is provided in which overrides for a reputation of an adversary are reported to a reputation service from security devices, such as unified threat management systems, deployed in enterprise or consumer networks. An override is typically performed by an administrator at a customer network to allow the security device to accept traffic from, or send traffic to, a given IP address or URL. Such connectivity is allowed—even if such objects have a blacklisted reputation provided by a reputation service—in cases where the administrator recognizes that the blacklisted reputation is a false positive. The reputation service uses the reported overrides to adjust the fidelity (i.e., a confidence level) of that object's reputation, and then provides an updated reputation, which reflects the fidelity adjustment, to all the security devices that use the reputation service. | 10-16-2008 |
20090177514 | SERVICES USING GLOBALLY DISTRIBUTED INFRASTRUCTURE FOR SECURE CONTENT MANAGEMENT - Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware, and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services. | 07-09-2009 |
20090178108 | ENTERPRISE SECURITY ASSESSMENT SHARING FOR OFF-PREMISE USERS USING GLOBALLY DISTRIBUTED INFRASTRUCTURE - Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and off-premise or roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware, and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services. | 07-09-2009 |
20090178131 | GLOBALLY DISTRIBUTED INFRASTRUCTURE FOR SECURE CONTENT MANAGEMENT - Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services. | 07-09-2009 |
20090178132 | Enterprise Security Assessment Sharing For Consumers Using Globally Distributed Infrastructure - Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware, and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services. | 07-09-2009 |
20090199265 | ANALYTICS ENGINE - Aspects of the subject matter described herein relate to a mechanism for assessing security. In aspects, an analytics engine is provided that manages execution, information storage, and data passing between various components of a security system. When data is available for analysis, the analytics engine determines which security components to execute and the order in which to execute the security components, where in some instances two or more components may be executed in parallel. The analytics engine then executes the components in the order determined and passes output from component to component as dictated by dependencies between the components. This is repeated until a security assessment is generated or updated. The analytics engine simplifies the work of creating and integrating various security components. | 08-06-2009 |
20090217381 | MANUAL OPERATIONS IN AN ENTERPRISE SECURITY ASSESSMENT SHARING SYSTEM - An enterprise-wide sharing arrangement uses a semantic abstraction, called a security assessment, to share security-related information between different security products, called endpoints. A security assessment is defined as a tentative assignment by an endpoint of broader contextual meaning to information that is collected about an object of interest. Endpoints may publish security assessments onto a security assessment channel, as well as subscribe to a subset of security assessments published by other endpoints. A specialized endpoint is coupled to the channel that performs as a centralized audit point by subscribing to all security assessments, logging the security assessments, and also logging the local actions taken by endpoints in response to received security assessments. Manual operations are supported by the specialized endpoint including manual approval of actions, security assessment cancellation, and manual injection of security assessments into the security assessment channel. | 08-27-2009 |
20090328215 | SEMANTIC NETWORKS FOR INTRUSION DETECTION - Semantic networks are generated to model the operational behavior of an enterprise network to provide contextual interpretation of an event or a sequence of events that are observed in that specific enterprise network. In various illustrative examples, different semantic networks may be generated to model different behavior scenarios in the enterprise network. Without the context provided by these semantic networks malicious events may inherently be interpreted as benign events as there is typically always a scenario where such events could be part of normal operations of an enterprise network. Instead, the present semantic networks enable interpretation of events for a specific enterprise network. Such interpretation enables the conclusion that a sequence of events that could possibly be part of normal operations in a theoretical enterprise network is, in fact, abnormal for this specific enterprise network. | 12-31-2009 |
20090328216 | PERSONALIZED HONEYPOT FOR DETECTING INFORMATION LEAKS AND SECURITY BREACHES - A honeypot in a computer network is configured for use with a wide variety of computing resources that are defined by a network administrator or user which may include desktop and network resources such as address book contacts, instant messaging contacts, active directory user accounts, IP addresses, and files that contain particular content or that are stored in particular locations. The resources may be real for which protection against leakage is desired, or fake to operate as bait to lure and detect malicious attacks. The honeypot is implemented in an extensible manner so that virtually any resource may be honeypotted to apply honeypot benefits to resources beyond static IP addresses in order to improve both the breadth of information leakage prevention and the detection of malicious attacks. | 12-31-2009 |
20090328222 | MAPPING BETWEEN USERS AND MACHINES IN AN ENTERPRISE SECURITY ASSESSMENT SHARING SYSTEM - Mapping between object types in an enterprise security assessment sharing (“ESAS”) system enables attacks on an enterprise network and security incidents to be better detected and capabilities to respond to be improved. The ESAS system is distributed among endpoints incorporating different security products in the enterprise network that share a commonly-utilized communications channel. An endpoint will generate a tentative assignment of contextual meaning called a security assessment that is published when a potential security incident is detected. The security assessment identifies the object of interest, the type of security incident and its severity. A level of confidence in the detection is also provided which is expressed by an attribute called the “fidelity”. ESAS is configured with the capabilities to map between objects, including users and machines in the enterprise network, so that security assessments applicable to one object domain can be used to generate security assessments in another object domain. | 12-31-2009 |
20100031354 | Distributive Security Investigation - A security investigation system uses a central server to distribute requests for security information regarding an asset, receive responses, and manage the information in the responses in a case object. Requests may be distributed to various servers, each of which may have an agent that may receive the request, search various databases, logs, and other locations, and generate a response. A case object may be continually updated in some embodiments. The case object may be viewed, analyzed, and other requests generated using automated or manual tools. A case object may be sanitized for analysis without compromising sensitive information. | 02-04-2010 |
20100077450 | PROVIDING SIMPLIFIED INTERNET ACCESS - Aspects of the subject matter described herein relate to providing simplified network access. In aspects, a network access device that controls access to a network is configured to allow communications with a set of specified hosts regardless of whether the requesting user has paid for or authorized payment for the network usage. The user may communicate with such hosts without further configuration, providing payment or other information to the network access device, or the like. If the user attempts to access other hosts, the network access device ensures that the user is authorized (e.g., has paid for, belongs to a partner organization, etc.) before granting the access. | 03-25-2010 |
20100241974 | Controlling Malicious Activity Detection Using Behavioral Models - Systems, methods, and computer program products are described for controlling malicious activity detection with respect to information technology assets based on behavioral models associated with the respective information technology assets. Protection rules and corresponding sensitivities associated with the behavioral models are applied by protection services to detect malicious activity with respect to the information technology assets. | 09-23-2010 |
20110173699 | NETWORK INTRUSION DETECTION WITH DISTRIBUTED CORRELATION - A network security system employing multiple levels of processing to identify security threats. Multiple host machines may each contain an agent that detects possibilities of security threats based on raw data sensed locally at that host. The hosts may share information obtained from local analysis and each host may use information generated at one or more other hosts, in combination with information generated locally, to identify a security concern, indicating with greater certainty that a security threat exists. Based on security concerns generated by multiple hosts, a security threat may be indicated and protective action may be taken. | 07-14-2011 |
20120078857 | COMPARING AND SELECTING DATA CLEANSING SERVICE PROVIDERS - The present invention extends to methods, systems, and computer program products for exploring and selecting data cleansing service providers. Embodiments of the invention permit a user to explore different data cleansing service providers and compare quality results from the different data cleansing service providers. Sample data is mapped to a specified data domain. A list of service providers, for cleansing data for the selected data domain, is provided to a user. The user selects a subset of service providers. The sample data is submitted to the subset of service providers, which return results including allegedly cleansed data. The results are profiled and a comparison of the subset of service providers is presented to the user. The user selects a service provider to use when cleansing further data. | 03-29-2012 |
20120137342 | MALICIOUS CODE INFECTION CAUSE-AND-EFFECT ANALYSIS - A malware analysis system for automating cause and effect analysis of malware infections is provided. The malware analysis system monitors and records computer system activities. Upon being informed of a suspected malware infection, the malware analysis system creates a time-bounded snapshot of the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection. The malware analysis system may also create a time-bounded snapshot of the monitored activities that are conducted within a time frame subsequent to the notification of the suspected malware infection. The malware analysis system provides the created snapshot or snapshots for further analysis. | 05-31-2012 |
20120144490 | MALICIOUS CODE INFECTION CAUSE-AND-EFFECT ANALYSIS - A malware analysis system for automating cause and effect analysis of malware infections is provided. The malware analysis system monitors and records computer system activities. Upon being informed of a suspected malware infection, the malware analysis system creates a time-bounded snapshot of the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection. The malware analysis system may also create a time-bounded snapshot of the monitored activities that are conducted within a time frame subsequent to the notification of the suspected malware infection. The malware analysis system provides the created snapshot or snapshots for further analysis. | 06-07-2012 |
20130110792 | Contextual Gravitation of Datasets and Data Services | 05-02-2013 |
20130117012 | KNOWLEDGE BASED PARSING - The subject disclosure generally relates to parsing unstructured data based on knowledge of domains related to the unstructured data. A domain identification component can identify a set of domains related to a term in a data set. An inspection component can identify unmatched words, and unmatched related domains. A correlation component can compare the unmatched words to known values for the unmatched domains, and a manager component can match the unmatched words with the unmatched domains based on the comparison. In addition, combinations of the words can be generated based on a set of predetermined rules, and compared to the unmatched domains. Furthermore, delimiter based parsing can be employed to augment the knowledge based parsing. | 05-09-2013 |
20130117202 | KNOWLEDGE-BASED DATA QUALITY SOLUTION - The subject disclosure relates to a knowledge-driven data quality solution that is based on a rich knowledge base. The data quality solution can provide continuous improvement and can be based on continuous (or on-going) knowledge acquisition. The data quality solution can be built once and can be reused for multiple data quality improvements, which can be for the same data or for similar data. The disclosed aspects are easy to use and focus on productivity and user experience. Further, the disclosed aspects are open and extendible and can be applied to cloud-based reference data (e.g., a third party data source) and/or user generated knowledge. According to some aspects, the disclosed aspects can be integrated with data integration services. | 05-09-2013 |
20130117203 | DOMAINS FOR KNOWLEDGE-BASED DATA QUALITY SOLUTION - The subject disclosure relates to a knowledge-driven data quality solution that is based on a rich knowledge base. The data quality solution can provide continuous improvement and can be based on continuous (or on-going) knowledge acquisition. The data quality solution can be built once and can be reused for multiple data quality improvements, which can be for the same data or for similar data. The disclosed aspects are easy to use and focus on productivity and user experience. Further, the disclosed aspects are open and extendible and can be applied to cloud-based reference data (e.g., a third party data source) and/or user generated knowledge. According to some aspects, the disclosed aspects can be integrated with data integration services. | 05-09-2013 |
20130117219 | ARCHITECTURE FOR KNOWLEDGE-BASED DATA QUALITY SOLUTION - The subject disclosure relates to a knowledge-driven data quality solution that is based on a rich knowledge base. The data quality solution can provide continuous improvement and can be based on continuous (or on-going) knowledge acquisition. The data quality solution can be built once and can be reused for multiple data quality improvements, which can be for the same data or for similar data. The disclosed aspects are easy to use and focus on productivity and user experience. Further, the disclosed aspects are open and extendible and can be applied to cloud-based reference data (e.g., a third party data source) and/or user generated knowledge. According to some aspects, the disclosed aspects can be integrated with data integration services. | 05-09-2013 |
20130268531 | Finding Data in Connected Corpuses Using Examples - In one embodiment, datasets are stored in a catalog. The datasets are enriched by establishing relationships among the domains in different datasets. A user searches for relevant datasets by providing examples of the domains of interest. The system identifies datasets corresponding to the user-provided examples. The system then identifies connected subsets of the datasets that are directly linked or indirectly linked through other domains. The user provides known relationship examples to filter the connected subsets and to identify the connected subsets that are most relevant to the user's query. The selected connected subsets may be further analyzed by business intelligence/analytics to create pivot tables or to process the data. | 10-10-2013 |
20130268552 | Brokered Exchange of Private Data - A data broker observes datasets that are opened or created by a user. The data broker looks for related datasets in a data catalog. If a related dataset is found, the data broker asks the user if they want to access the related dataset. If the user is interested, then the data broker asks the data owner if they are willing to share access to the related dataset with the user. The data owner may deny access, allow access, or request the user's identity. If the user does not want to provide his or her identity, then access to the related dataset is denied. If the user does provide his or her identity, then the data owner determines whether or not to share the data with that user. Once the owner approves sharing the related dataset, then the dataset or a link to the dataset is sent to the user. | 10-10-2013 |
20130305371 | NETWORK INTRUSION DETECTION WITH DISTRIBUTED CORRELATION - A network security system employing multiple levels of processing to identify security threats. Multiple host machines may each contain an agent that detects possibilities of security threats based on raw data sensed locally at that host. The hosts may share information obtained from local analysis and each host may use information generated at one or more other hosts, in combination with information generated locally, to identify a security concern, indicating with greater certainty that a security threat exists. Based on security concerns generated by multiple hosts, a security threat may be indicated and protective action may be taken. | 11-14-2013 |
20130305374 | CONTROLLING MALICIOUS ACTIVITY DETECTION USING BEHAVIORAL MODELS - Systems, methods, and computer program products are described for controlling malicious activity detection with respect to information technology assets based on behavioral models associated with the respective information technology assets. Protection rules and corresponding sensitivities associated with the behavioral models are applied by protection services to detect malicious activity with respect to the information technology assets. | 11-14-2013 |
20130332427 | COMPARING AND SELECTING DATA CLEANSING SERVICE PROVIDERS - The present invention extends to methods, systems, and computer program products for exploring and selecting data cleansing service providers. Embodiments of the invention permit a user to explore different data cleansing service providers and compare quality results from the different data cleansing service providers. Sample data is mapped to a specified data domain. A list of service providers, for cleansing data for the selected data domain, is provided to a user. The user selects a subset of service providers. The sample data is submitted to the subset of service providers, which return results including allegedly cleansed data. The results are profiled and a comparison of the subset of service providers is presented to the user. The user selects a service provider to use when cleansing further data. | 12-12-2013 |
20130332988 | Aggregating The Knowledge Base Of Computer Systems To Proactively Protect A Computer From Malware - Techniques for aggregating a knowledge base of a plurality of security services or other event collection systems to protect a computer from malware are provided. In embodiments, a computer is protected from malware by using anti-malware services or other event collection systems to observe suspicious events that are potentially indicative of malware. A determination is made as to whether a combination of the suspicious events is indicative of malware. If the combination of suspicious events is indicative of malware, a restrictive security policy designed to prevent the spread of malware is implemented. | 12-12-2013 |
20140059015 | SELECTING CANDIDATE ROWS FOR DEDUPLICATION - The present invention extends to methods, systems, and computer program products for selecting candidate records for deduplication from a table. A table can be processed to compute an inverse index for each field of the table. A deduplication algorithm can traverse the inverse indices in accordance with a flexible user-defined policy to identify candidate records for deduplication. Both exact matches and approximate matches can be found. | 02-27-2014 |
20140379627 | DOMAINS FOR KNOWLEDGE-BASED DATA QUALITY SOLUTION - The subject disclosure relates to a knowledge-driven data quality solution that is based on a rich knowledge base. The data quality solution can provide continuous improvement and can be based on continuous (or on-going) knowledge acquisition. The data quality solution can be built once and can be reused for multiple data quality improvements, which can be for the same data or for similar data. The disclosed aspects are easy to use and focus on productivity and user experience. Further, the disclosed aspects are open and extendible and can be applied to cloud-based reference data (e.g., a third party data source) and/or user generated knowledge. According to some aspects, the disclosed aspects can be integrated with data integration services. | 12-25-2014 |