公开(公告)号：US08402546B2

公开(公告)日：2013-03-19

申请号：US12274309

申请日：2008-11-19

申请人： Adar Greenshpon ,  Ron Karidi ,  Yair Helman ,  Shai Aharon Rubin

发明人： Adar Greenshpon ,  Ron Karidi ,  Yair Helman ,  Shai Aharon Rubin

IPC分类号： H04L29/06

CPC分类号： H04L63/1433 ,  G06F21/577

摘要： Security risk for a single IT asset and/or a set of IT assets in a network such as an enterprise or corporate network may be estimated and represented in a visual form by categorizing risk into different discrete levels. The IT assets may include both computing devices and users. The risk categorization uses a security assessment of an IT asset that is generated to indicate the type of security problem encountered, the severity of the problem, and the fidelity of the assessment. The asset value of an IT asset to the enterprise is also assigned. Security risk is then categorized (and a numeric risk value provided) for each IT asset for different problem types by considering the IT asset value along with the severity and fidelity of the security assessment. The security risk for the enterprise is estimated using the numeric risk value and then displayed in visual form.

摘要翻译： 通过将风险分为不同的离散级别，可以以视觉形式估计和表示单个IT资产和/或网络中企业或公司网络中的一组IT资产的安全风险。 IT资产可能包括计算设备和用户。 风险分类使用IT资产的安全评估来产生，以指示遇到的安全问题的类型，问题的严重性和评估的忠实度。 IT资产对企业的资产价值也被分配。 然后通过考虑IT资产价值以及安全性评估的严重性和保真度，为不同问题类型的每个IT资产对安全风险进行分类（并提供数值风险值）。 使用数字风险值估算企业的安全风险，然后以视觉形式显示。

公开(公告)号：US20100125912A1

公开(公告)日：2010-05-20

申请号：US12274309

申请日：2008-11-19

申请人： Adar Greenshpon ,  Ron Karidi ,  Yair Helman ,  Shai Aharon Rubin

发明人： Adar Greenshpon ,  Ron Karidi ,  Yair Helman ,  Shai Aharon Rubin

IPC分类号： G06F12/14 ,  G06N5/04

CPC分类号： H04L63/1433 ,  G06F21/577

摘要： Security risk for a single IT asset and/or a set of IT assets in a network such as an enterprise or corporate network may be estimated and represented in a visual form by categorizing risk into different discrete levels. The IT assets may include both computing devices and users. The risk categorization uses a security assessment of an IT asset that is generated to indicate the type of security problem encountered, the severity of the problem, and the fidelity of the assessment. The asset value of an IT asset to the enterprise is also assigned. Security risk is then categorized (and a numeric risk value provided) for each IT asset for different problem types by considering the IT asset value along with the severity and fidelity of the security assessment. The security risk for the enterprise is estimated using the numeric risk value and then displayed in visual form.

摘要翻译： 通过将风险分为不同的离散级别，可以以视觉形式估计和表示单个IT资产和/或网络中企业或公司网络中的一组IT资产的安全风险。 IT资产可能包括计算设备和用户。 风险分类使用IT资产的安全评估来产生，以指示遇到的安全问题的类型，问题的严重性和评估的忠实度。 IT资产对企业的资产价值也被分配。 然后通过考虑IT资产价值以及安全性评估的严重性和保真度，为不同问题类型的每个IT资产对安全风险进行分类（并提供数值风险值）。 使用数字风险值估算企业的安全风险，然后以视觉形式显示。

公开(公告)号：US20090199265A1

公开(公告)日：2009-08-06

申请号：US12141897

申请日：2008-06-18

申请人： Efim Hudis ,  Eyal Zangi ,  Moshe Sapir ,  Tomer Weisberg ,  Yair Helman ,  Shai Aharon Rubin ,  Yosef Dinerstein ,  Lior Arzi

发明人： Efim Hudis ,  Eyal Zangi ,  Moshe Sapir ,  Tomer Weisberg ,  Yair Helman ,  Shai Aharon Rubin ,  Yosef Dinerstein ,  Lior Arzi

IPC分类号： H04L9/00 ,  G06F12/14 ,  G06N5/02

CPC分类号： G06F21/577 ,  G06F21/6209 ,  G06F2221/2145 ,  G06F2221/2151 ,  G06N5/025 ,  H04L63/1433

摘要： Aspects of the subject matter described herein relate to a mechanism for assessing security. In aspects, an analytics engine is provided that manages execution, information storage, and data passing between various components of a security system. When data is available for analysis, the analytics engine determines which security components to execute and the order in which to execute the security components, where in some instances two or more components may be executed in parallel. The analytics engine then executes the components in the order determined and passes output from component to component as dictated by dependencies between the components. This is repeated until a security assessment is generated or updated. The analytics engine simplifies the work of creating and integrating various security components.

摘要翻译： 本文描述的主题的方面涉及用于评估安全性的机制。 在一些方面，提供了分析引擎，其管理安全系统的各个组件之间的执行，信息存储和数据传递。 当数据可用于分析时，分析引擎确定要执行哪些安全组件以及执行安全组件的顺序，在某些情况下，并行执行两个或多个组件。 然后，分析引擎按照所确定的顺序执行组件，并将组件的输出传递到组件，这是由组件之间的依赖关系决定的。 直到产生或更新安全评估为止。 分析引擎简化了创建和集成各种安全组件的工作。

公开(公告)号：US08990947B2

公开(公告)日：2015-03-24

申请号：US12141897

申请日：2008-06-18

申请人： Efim Hudis ,  Eyal Zangi ,  Moshe Sapir ,  Tomer Weisberg ,  Yair Helman ,  Shai Aharon Rubin ,  Yosef Dinerstein ,  Lior Arzi

发明人： Efim Hudis ,  Eyal Zangi ,  Moshe Sapir ,  Tomer Weisberg ,  Yair Helman ,  Shai Aharon Rubin ,  Yosef Dinerstein ,  Lior Arzi

IPC分类号： G06F21/57 ,  G06F21/62 ,  G06N5/02 ,  H04L29/06

CPC分类号： G06F21/577 ,  G06F21/6209 ,  G06F2221/2145 ,  G06F2221/2151 ,  G06N5/025 ,  H04L63/1433

摘要： Aspects of the subject matter described herein relate to a mechanism for assessing security. In aspects, an analytics engine is provided that manages execution, information storage, and data passing between various components of a security system. When data is available for analysis, the analytics engine determines which security components to execute and the order in which to execute the security components, where in some instances two or more components may be executed in parallel. The analytics engine then executes the components in the order determined and passes output from component to component as dictated by dependencies between the components. This is repeated until a security assessment is generated or updated. The analytics engine simplifies the work of creating and integrating various security components.

摘要翻译： 本文描述的主题的方面涉及用于评估安全性的机制。 在一些方面，提供了分析引擎，其管理安全系统的各个组件之间的执行，信息存储和数据传递。 当数据可用于分析时，分析引擎确定要执行哪些安全组件以及执行安全组件的顺序，在某些情况下，并行执行两个或多个组件。 然后，分析引擎按照所确定的顺序执行组件，并将组件的输出传递到组件，这是由组件之间的依赖关系决定的。 直到产生或更新安全评估为止。 分析引擎简化了创建和集成各种安全组件的工作。

公开(公告)号：US08424094B2

公开(公告)日：2013-04-16

申请号：US11824732

申请日：2007-06-30

申请人： John Neystadt ,  Efim Hudis ,  Yair Helman ,  Alexandra Faynburd

发明人： John Neystadt ,  Efim Hudis ,  Yair Helman ,  Alexandra Faynburd

IPC分类号： G06F21/00

CPC分类号： H04L63/1425 ,  H04L63/308

摘要： An automated collection of forensic evidence associated with a security incident is provided by an arrangement in which different security products called endpoints in an enterprise network are enabled for sharing security-related information over a common communication channel using an abstraction called a security assessment. A security assessment is generally configured to indicate an endpoint's understanding of a detected security incident that pertains to an object in the environment which may include users, computers, IP addresses, and website URIs (Universal Resource Identifiers). The security assessment is published by the endpoint into the channel and received by subscribing endpoints. The security assessment triggers the receiving endpoints to go into a more comprehensive or detailed mode of evidence collection. In addition, any forensic evidence having relevance to the security incident that may have already been collected prior to the detection will be marked for retention so that it is not otherwise deleted.

摘要翻译： 与安全事件相关联的法医证据的自动收集由一种安排提供，其中使企业网络中称为端点的不同安全产品能够使用称为安全性评估的抽象通过公共通信信道共享与安全相关的信息。 通常，安全性评估被配置为指示端点对于可能包括用户，计算机，IP地址和网站URI（通用资源标识符）的环境中的对象的检测到的安全事件的理解。 安全评估由端点发布到信道中，并由订阅端点接收。 安全评估使得接收端点进入更全面或详细的证据收集模式。 此外，与检测前已经收集到的安全事件相关的任何法医证据将被标记为保留，以免另外删除。

公开(公告)号：US20090328222A1

公开(公告)日：2009-12-31

申请号：US12146440

申请日：2008-06-25

申请人： Yair Helman ,  Efim Hudis ,  Lior Arzi

发明人： Yair Helman ,  Efim Hudis ,  Lior Arzi

IPC分类号： G06F21/00

CPC分类号： H04L63/1425 ,  G06F21/554

摘要： Mapping between object types in an enterprise security assessment sharing (“ESAS”) system enables attacks on an enterprise network and security incidents to be better detected and capabilities to respond to be improved. The ESAS system is distributed among endpoints incorporating different security products in the enterprise network that share a commonly-utilized communications channel. An endpoint will generate a tentative assignment of contextual meaning called a security assessment that is published when a potential security incident is detected. The security assessment identifies the object of interest, the type of security incident and its severity. A level of confidence in the detection is also provided which is expressed by an attribute called the “fidelity”. ESAS is configured with the capabilities to map between objects, including users and machines in the enterprise network, so that security assessments applicable to one object domain can be used to generate security assessments in another object domain.

摘要翻译： 在企业安全评估共享（“ESAS”）系统中的对象类型映射可以对企业网络进行攻击，并更好地检测安全事件，并提高响应能力。 ESAS系统分布在共享通用通信通道的企业网络中包含不同安全产品的端点之间。 端点将产生一个上下文意义的临时赋值，称为安全评估，当检测到潜在的安全事件时，该评估将被发布。 安全评估确定感兴趣的对象，安全事件的类型及其严重性。 还提供了一种由被称为“保真度”的属性表示的对检测的置信度。 配置ESAS配置能够在企业网络中的对象（包括用户和计算机）之间进行映射，以便可以使用适用于一个对象域的安全评估来生成另一对象域中的安全性评估。

公开(公告)号：US08490187B2

公开(公告)日：2013-07-16

申请号：US12408453

申请日：2009-03-20

申请人： Shai A. Rubin ,  Yosef Dinerstein ,  Efim Hudis ,  Yair Helman ,  Uri Barash ,  Arie Friedman

发明人： Shai A. Rubin ,  Yosef Dinerstein ,  Efim Hudis ,  Yair Helman ,  Uri Barash ,  Arie Friedman

IPC分类号： G06F11/00 ,  G06F12/14 ,  G06F7/04 ,  G06F3/048

CPC分类号： G06F21/56 ,  G06F3/0484 ,  G06F21/554 ,  H04L63/0263 ,  H04L63/1416 ,  H04L63/1425

摘要： Systems, methods, and computer program products are described for controlling malicious activity detection with respect to information technology assets based on behavioral models associated with the respective information technology assets. Protection rules and corresponding sensitivities associated with the behavioral models are applied by protection services to detect malicious activity with respect to the information technology assets.

公开(公告)号：US20090217381A1

公开(公告)日：2009-08-27

申请号：US12038805

申请日：2008-02-27

申请人： Yair Helman ,  Efim Hudis

发明人： Yair Helman ,  Efim Hudis

IPC分类号： G06F11/00

CPC分类号： G06F21/577 ,  G06F21/552

摘要： An enterprise-wide sharing arrangement uses a semantic abstraction, called a security assessment, to share security-related information between different security products, called endpoints. A security assessment is defined as a tentative assignment by an endpoint of broader contextual meaning to information that is collected about an object of interest. Endpoints may publish security assessments onto a security assessment channel, as well as subscribe to a subset of security assessments published by other endpoints. A specialized endpoint is coupled to the channel that performs as a centralized audit point by subscribing to all security assessments, logging the security assessments, and also logging the local actions taken by endpoints in response to received security assessments. Manual operations are supported by the specialized endpoint including manual approval of actions, security assessment cancellation, and manual injection of security assessments into the security assessment channel.

摘要翻译： 企业级共享安排使用称为安全评估的语义抽象来共享称为端点的不同安全产品之间的安全相关信息。 安全评估被定义为由更广泛的语境意义的端点对关于感兴趣的对象收集的信息的暂时分配。 端点可以将安全评估发布到安全评估通道上，并订阅其他端点发布的安全评估子集。 通过订阅所有安全评估，记录安全性评估以及记录端点采取的响应于接收到的安全性评估的本地动作，将特定端点耦合到作为集中审核点执行的通道。 手动操作由专门的终端支持，包括手动批准动作，安全评估取消以及将安全评估手动注入安全评估通道。

公开(公告)号：US20080229421A1

公开(公告)日：2008-09-18

申请号：US11717978

申请日：2007-03-14

申请人： Efim Hudis ,  Yair Helman ,  Joseph Malka ,  Uri Barash

发明人： Efim Hudis ,  Yair Helman ,  Joseph Malka ,  Uri Barash

IPC分类号： G06F11/00

CPC分类号： H04L63/1433 ,  G06F21/552

摘要： Endpoints in an enterprise security environment are configured to adaptively switch from their normal data collection mode to a long-term, detailed data collection mode where advanced analyses are applied to the collected detailed data. Such adaptive data collection and analysis is triggered upon the receipt of a security assessment of a particular type, where a security assessment is defined as a tentative assignment by an endpoint of broader contextual meaning to information (i.e., data in some context) that is collected about an object of interest. A specialized endpoint is coupled to the security assessment channel and performs as a centralized audit point by subscribing to all security assessments, logging the security assessments, and also logging the local actions taken by endpoints in response to detected security incidents in the environment. The specialized endpoint is arranged to perform various analyses and processes on historical security assessments.

摘要翻译： 企业安全环境中的端点被配置为自适应地从其正常的数据收集模式切换到长期的，详细的数据收集模式，其中对所收集的详细数据应用高级分析。 这种自适应数据收集和分析是在接收到特定类型的安全评估时触发的，其中安全性评估被定义为由更广泛的语境意义的端点对收集到的信息（即某些上下文中的数据）的暂时分配 关于感兴趣的对象。 专用端点耦合到安全评估通道，并通过订阅所有安全评估，记录安全性评估以及记录端点响应于环境中检测到的安全事件而采取的本地操作，作为集中审核点执行。 安排专门的终端，对历史安全评估进行各种分析和处理。

公开(公告)号：US08839419B2

公开(公告)日：2014-09-16

申请号：US12098416

申请日：2008-04-05

申请人： Efim Hudis ,  Yair Helman ,  Tomer Weisberg ,  Oren Yossef ,  Ziv Rafalovich

发明人： Efim Hudis ,  Yair Helman ,  Tomer Weisberg ,  Oren Yossef ,  Ziv Rafalovich

IPC分类号： G06F21/00 ,  G06F21/57 ,  G06F21/55 ,  H04L29/06

CPC分类号： G06F21/577 ,  G06F21/55 ,  H04L63/20

摘要： A security investigation system uses a central server to distribute requests for security information regarding an asset, receive responses, and manage the information in the responses in a case object. Requests may be distributed to various servers, each of which may have an agent that may receive the request, search various databases, logs, and other locations, and generate a response. A case object may be continually updated in some embodiments. The case object may be viewed, analyzed, and other requests generated using automated or manual tools. A case object may be sanitized for analysis without compromising sensitive information.

摘要翻译： 安全调查系统使用中央服务器来分发关于资产的安全信息的请求，接收响应以及在案件对象中的响应中管理信息。 请求可以分发到各种服务器，每个服务器可以具有可以接收请求的代理，搜索各种数据库，日志和其他位置，并产生响应。 在一些实施例中，可以不断地更新案例对象。 可以使用自动或手动工具生成案例对象，查看，分析和其他请求。 病例对象可以在不损害敏感信息的情况下进行消毒以进行分析。