US2015237064A1PendingUtilityA1

Method and apparatus for predicting the impact of security incidents in computer systems

Assignee: LEE THOMASPriority: Jun 12, 2012Filed: Nov 17, 2014Published: Aug 20, 2015
Est. expiryJun 12, 2032(~5.9 yrs left)· nominal 20-yr term from priority
Inventors:Thomas Lee
H04L 63/1433H04L 67/10G06F 21/40G06F 2221/2101G06F 21/565
52
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Systems or methods gather information within a network of computers regarding the distribution of documents to calculate the impact of a cyber security incident for a given computer. Specific embodiments analyze word usage within data files and to determine that data files are different versions of a document and use presence of documents on a given computer to determine the impact of a security breach at that computer.

Claims

exact text as granted — not AI-modified
1 . A computer implemented method for predicting and outputting an impact of a security breach at a particular computer in an enterprise comprising:
 a. electronically accessing data files available at a plurality of computers in the enterprise,   b.   reading the contents of the data files and identifying data files having a threshold similarity as different versions of a document, thereby determining a plurality of documents, wherein each said document is a collection of similar data files;   d. accessing data indicating group assignments of computers in said plurality of computers, the group assignments indicating criteria of the computers,   d. calculating a document security value of each said documents based upon the document's distribution with respect to said computers and groups;   e. predicting the impact of a security breach to said particular computer by combining document security values of documents present on said particular computer;   f. outputting the predicted impact.   
     
     
         2 . The method of  claim 5  wherein the distance function comprises:
     D   n,m =√{square root over (Σ( w   n   /N   n   −w   m   /N   m ) 2 )}
 
 where D n,m  is a distance between data files n and m and where w n  and w m  are the number of times a word w appears in said data file n and m, and where N n  and N m  are values for said data file n and m, calculated with the equation: 
 
       
         
           
             
               
                 
                   N 
                   f 
                 
                 = 
                 
                   
                     ∑ 
                     f 
                   
                    
                   
                     w 
                     f 
                   
                 
               
               , 
             
           
         
       
       which is the sum of all words in said data file f. 
     
     
         3 . (canceled) 
     
     
         4 . The method of  claim 1  further comprising determining an impact (I c ) for a computer (c) by: 
       
         
           
             
               
                 I 
                 c 
               
               = 
               
                 
                   ∑ 
                   c 
                 
                  
                 
                   V 
                   d 
                 
               
             
           
         
       
       where (V d ) is a security value for a document (d). 
     
     
         5 . The method of  claim 1  further comprising:
 calculating similarity between said data files based upon distance between said data files within a space defined by word dimensions, where the value of a data file in a word dimension is the number of times the word or a variation is found in said data file. 
 
     
     
         6 . The method of  claim 1  further comprising:
 automatically and continuously discovering new data files and new documents within the enterprise. 
 
     
     
         7 . A computer implemented method for predicting and outputting an impact of a security breach at a particular computer in a computer enterprise comprising:
 accessing data files on a plurality of computers in the enterprise,   identifying data files having a threshold similarity as different versions of a document by reading and comparing data file contents and storing document identifiers for documents;   accessing group assignments of said computers, the group assignments assigning a computer to one or more of a plurality of groups, a particular group indicating rank, department, business function, user, or other criteria related to the computers,   calculating a document security value of a document based upon the document's distribution within the enterprise,   determining the impact of a security breach to said particular computer by combining document security values of documents present on said particular computer, and   outputting the impact.   
     
     
         8 . The method of  claim 7 , further comprising determining an impact (I c ) for a computer (c) by: 
       
         
           
             
               
                 
                   I 
                   c 
                 
                 = 
                 
                   
                     ∑ 
                     c 
                   
                    
                   
                     V 
                     d 
                   
                 
               
               , 
             
           
         
       
       where (V d ) is a security value for a document (d). 
     
     
         9 . The method of  claim 7 , further wherein:
 accessing data files comprises reading data files from storage operatively connected to said computers.   
     
     
         10 . The method of  claim 7 , further comprising:
 calculating similarity between said data files based upon distance between said data files within a space defined by word dimensions, where the value of a data file in a word dimension is the number of times the word is found in said data file.   
     
     
         11 . A system for predicting and outputting an impact of a security breach at a particular computer in a computer network comprising:
 a computer application for accessing data files at a plurality of computers in the network and identifying data files having a threshold similarity as different versions of a document by comparing data file contents;   a documents computer application for storing and receiving identifications of a plurality of documents and a plurality of data files representing different versions of the documents;   a groups computer application for storing and receiving identifications of a plurality of computer groups and a plurality of computer devices identifications of computer devices assigned to each group;   wherein groups indicate department, business function, user, user rank, user security level, etc., or other criteria related to the computers,   a document security value determination computer application for calculating a document security value of a document based upon the document's distribution; and   an impact prediction computer application for determining impact of a security breach to a particular computer by combining document security values of documents available at the particular computer.   
     
     
         12 . The system of  claim 11  further comprising:
 a plurality of agents running on a plurality of said computers devices to read data files. 
 
     
     
         13 . The system of  claim 11  further comprising:
 a database ( 40 ) having a schema ( 60 ) for storing data about computers, data files, documents and their values; 
 an analysis computer ( 50 ) for calculating distance (similarity) between data files, values of documents and impacts to computers; 
 
     
     
         14 . The system of  claim 11  further comprising:
 a table ( 100 ) for data files linked to computers; 
 a linking table ( 120 ) for storing the number of times each word can be found in a data file; 
 a word table ( 130 ) listing all parsed words found within all data files; 
 a document table ( 140 ) used to identify data files that are different versions of the same document and to store a security value for the document; and 
 a group table ( 150 ) used to identify assignments to a plurality of groups indicating computer devices' user's rank, department or business function, and for storing a value ( 160 ) of a group.

Join the waitlist — get patent alerts

Track US2015237064A1 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.