
WO2023070196A1 - Tracking security analyst interactions with web services - Google Patents


Info

Publication number: WO2023070196A1
Application number: PCT/CA2022/051554
Authority: WO (WIPO, PCT)
Prior art keywords: web, analyst, ticket, instructions, based service
Legal status: Ceased (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: English (en)
Inventors: Tahseen Shabab, Hassan Khan
Current assignee: PenfieldAi Inc (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: PenfieldAi Inc
Application filed by PenfieldAi Inc
Publication of WO2023070196A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic

Definitions

  • the present invention relates to software for monitoring analyst interactions with software. More specifically, the present invention relates to methods and systems for monitoring analyst interactions with web-based computer security tools and services for security incident resolution.
  • the security analyst may also then check another website to see if the downloaded file has been flagged as malicious software or is a security threat (e.g., the downloaded file may carry a virus payload or may be known as a potential entry point for malicious actors). Similar steps may be required by playbooks for resolving other types of security incidents, and these steps may require accessing different web services and interacting with such services through a web browser. These web-based services often take a query and provide a result (e.g., "is this URL malicious" is a query and a response could be "yes/no"). As such, the security analyst would be required to enter data into the web service and the web service would provide a result based on the data entered.
  • the present invention provides systems and methods relating to the tracking and storing of interactions between a security analyst and at least one web-based service.
  • a browser extension monitors the activation of one or more web-based services. When one of these web-based services is activated as a step to resolving an open ticket for a security incident, the extension identifies that open ticket. All the data relating to the interaction is associated with the ticket and is stored accordingly in a database. The extension also determines which pre-existing set of instructions is relevant for resolving the security incident. This set is retrieved from a database and the extension monitors the analyst’s actions relating to resolving the open ticket.
  • the present invention provides a method for tracking steps taken in resolving a computer security related issue, the method comprising: a) detecting when at least one web-based service is accessed, said at least one web-based service being from a predetermined plurality of specific web-based services to be monitored; b) continuously monitoring data entered on or actions performed on said at least one web-based service; c) determining which ticket for a reported security issue relates to said at least one web-based service whose accessing was detected in step a); d) selecting a predetermined set of instructions for addressing said reported security issue from a database of sets of instructions for addressing computer security related issues; wherein when said data entered on or actions performed on said at least one web-based service deviate from said predetermined set of instructions selected in step d), at least one mitigation strategy is implemented.
  • the present invention provides a system for tracking steps taken in resolving a computer security related issue, the system comprising: a detection module for detecting an activation or an accessing of at least one web-based service, said at least one web-based service being from a predetermined plurality of specific web-based services to be monitored; a ticket ID module for identifying a ticket ID for a reported security related issue to which said activation or said accessing of said at least one web-based service relates; and an assessment module for assessing data entered on and/or actions performed on said at least one web-based service; wherein said data entered on and/or actions performed on said at least one web-based service are assessed based on a selected predetermined set of instructions for addressing said reported security issue.
  • FIGURE 1 is a diagram illustrating a logic flow and a structural diagram of one aspect of the present invention.
  • FIGURE 2 is a flow diagram for an intelligent context tagging module as used by one implementation of the present invention.
  • FIGURE 3 is a flow diagram for a quality assurance module according to one implementation of the present invention.
  • FIGURE 4 provides an overview of a workflow for an automated reporting module as used by one implementation of the present invention.
  • FIGURE 5 illustrates an architecture that may be used in conjunction with the present invention.
  • FIGURE 6 shows another architecture that may also be used in conjunction with the present invention.
  • FIGURE 7 illustrates a block diagram of a system for implementing one aspect of the present invention.
  • a system and method for tracking a security analyst’s interactions with specific web-based services is provided.
  • Software is installed on the security analyst’s machine that detects when one of a specific number of web-based services is activated/launched. All of the analyst’s interactions with the web-based service are logged, along with any data that the analyst may have entered. The interactions and the data are analyzed to determine which security incident is being addressed by the analyst. Once the specific incident is identified, the characteristics of that specific incident are then retrieved and, based on those characteristics, the specific set of instructions/processes for resolving that incident is found. The analyst’s actions on the web-based services are then continuously analyzed in light of the specific set of instructions.
  • remediation strategies may include providing hints or guidance as to the correct next steps in the incident resolution process based on the set of instructions, marking the incident (and its resolution) for further analysis by other analysts, and highlighting potential issues in the analyst’s actions based on the set of instructions.
  • the system and method are embodied in a browser extension that is installed on the analyst's machine.
  • the browser extension monitors the analyst's actions in the browser. When the analyst accesses a web-based service that is one of a specific set of web-based services, the extension begins to log that analyst's actions using that web-based service in a database.
  • the extension analyzes the data entered into the service to determine which open ticket is being addressed/resolved by the analyst.
  • the extension also determines which security incident (as identified by the open ticket) is being addressed, and the logs for that interaction are associated with that specific open ticket/incident.
  • any security incident reported by a client or which needs resolution by an analyst is assigned a ticket in a ticketing system.
  • Each ticket, when opened, is provided with information about the security incident to be addressed. This may include the client's identity, details about the incident (e.g., date, time, place, network ID where the incident occurred, identities of users involved, etc.), and details about the circumstances surrounding the incident (e.g., files downloaded, URLs for the download locations, software used, software/permissions operative when the incident occurred, etc.).
  • the analyst can then, using the information from the open ticket, analyze the situation and, based on the results of the analysis, may take/implement steps to address/minimize any security issues.
  • if the analysis shows that there was no security incident (e.g., the file downloaded was safe, no data breach was detected, etc.), the ticket is then closed.
  • alternatively, the analyst may escalate the ticket to a different level or to a different department for more specific measures.
  • any interaction that an analyst has with a web-based service is associated with a specific open ticket. This ensures that any data logged for those interactions is associated with the specific security incident for that ticket. The logged data can then be analyzed, if necessary, for various reasons such as performance assessment, assessment of the steps taken to resolve the incident, and assessment of the instructions for resolving similar incidents. Once the interactions have been associated with a specific open ticket, the characteristics of the security incident can then be automatically analyzed to determine which predetermined set of instructions is to be followed to address the security incident.
  • This predetermined set of instructions is preferably a set of instructions that have been distilled from past experience with similar incidents and which have been formulated by various other analysts as being the preferred method for addressing similar incidents. It should be clear that there are many “playbooks” in a database and that each incident type, depending on the circumstances, would have at least one set of instructions for addressing the incident.
  • a browser extension is installed on the web browser used by security analysts and the extension is activated for the web pages/web services that are used for the security incident resolution process. These web pages/web services may be provided as a predefined list, or they may be based on URL patterns, or they may be explicitly specified by the security analyst.
  • the browser extension starts monitoring all the activity and interaction of the analyst and logs such activity. This interaction includes all the web-based services queried for incident resolution, the queries made to these web-based services for incident resolution, the responses received, and the order of the queries made.
  • the system of the present invention matches the analyst's activity with the steps detailed in the retrieved set of instructions that have been predefined in the so-called "playbook" for that type of security incident. If the analyst's activities deviate from those defined in the set of instructions (e.g., if the analyst's activity does not match the activity detailed in the set of instructions, if the query made to the web-based service has incorrect information, if the order of the steps executed by the analyst does not match the order of the steps in the set of instructions, or if the analyst misses a step in the retrieved set of instructions), the system of the present invention can then initiate the implementation of mitigation strategies.
  • the mitigation strategies implemented by the system may range from advising the analyst as to what the deviation was from the set of instructions to marking the open ticket for further assessment by other analysts (i.e., marking the ticket for a quality assurance review).
  • the mitigation strategy may include alerting the analyst as to his or her mistakes or differences from the retrieved set of instructions, or actively suggesting steps for the analyst to take, with the steps being either designed to correct the analyst's deviation from the set of instructions or designed to move the incident resolution process forward.
  • the system can actually guide the analyst by providing detailed step-by-step instructions from the set of instructions.
  • the system can then determine where in the process (based on the set of instructions) the analyst is. The system can then determine the next steps in the process and can guide the analyst accordingly. Such guidance to the analyst can be provided using notifications or by way of an augmented user interface.
  • FIG. 1 shows a combined logic flow diagram and structural diagram of one implementation of the present invention.
  • the system has a browser extension component and a controller/database component.
  • the browser extension component runs in the analyst’s browser and the controller component runs on a server that may be remote from the analyst's machine.
  • the server operates at a company that provides digital security services to clients and operates at least one Security Operations Center.
  • the browser extension is installed for the browser software that the analyst uses or will use when executing an incident resolution process. After the extension has been installed, the analyst will need to log in to the server to allow his or her browser extension to access the database on the server.
  • the browser extension accesses or loads a list of web-based services and/or tools whose activation will alert the browser extension that a security incident resolution process is in progress.
  • This list of web-based services and/or tools may be predefined or customized depending on the configuration of the system. In one implementation, different clients/customers may require different tools/web-based services and, as such, depending on the customer whose security incident is being addressed, different tools or services may be monitored. It should be clear that any communications between the analyst's machine and the server, as well as any interactions between the analyst and the web-based service, including queries and their responses, will be encrypted. As noted above, any interactions between the analyst and the web-based service, along with the timestamp of the interaction and the analyst's identifier, are logged and sent to the server for storage in the database.
  • One module used by the present invention has the function of identifying the tickets/incidents that an analyst's web-based interactions are used for.
  • most security incident tools require specific identifiers (or context) to perform analyses (e.g., the URL where the file was downloaded from and the digital hash of the binary file that was downloaded).
  • this information (i.e., the identifiers/context) accompanies the ticket, and the analyst assigned to address/resolve the incident is provided with the context as necessary.
  • the system has to determine the identity of the incident/ticket that is being addressed.
  • the purpose of the intelligent context tagging module is therefore to correlate the actions of the analyst (by way of the web-based service) to a specific ticket and, accordingly, to a specific security incident.
  • the intelligent context tagging module used in the present invention is used to appropriately identify which actions correspond to which open ticket.
  • the tagging module executes this function by matching context-specific identifiers provided through the ticket with data entered by the analyst into the web-based service. If this matching does not result in an identified ticket, the analyst may be provided with a list of open tickets assigned to the analyst and the analyst can then select which ticket is being addressed.
  • the process executed by the context tagging module is illustrated in the flowchart of Figure 2. As can be seen, the process begins by identifying open tickets (i.e., tickets that have not been resolved and which are assigned to the specific analyst). Once a specific web-based service that is being monitored is activated/launched, the input to that service is monitored and stored. The input to the service provided by the analyst is analyzed by the context tagging module and this input (or portions thereof) is compared to the various data points from the information associated with the open tickets. As an example, if the security incident is that of an unauthorized downloading of a file with name XX.YY, this filename is entered into the web-based service.
  • the same filename is compared to the data associated with the various open tickets. Once the filename is matched with a specific open ticket, that specific open ticket is associated with the particular use/launch of the specific web-based service. After the relevant open ticket has been identified with the particular use of a web-based service, the data for that specific use of the web-based service (including the time/date stamp, the data entered, the result of the use of the service) are associated with that specific ticket. The data from the specific use of the web-based service can then be stored in the database.
  • the context tagging module can provide the analyst with a list of open tickets. The analyst can then select which ticket is to be associated with the analyst's specific use of the web-based service. Once the specific ticket is identified, all the data relating to that use of the web-based service can then be associated with that specific ticket.
  • each analyst interaction with a web-based service will be assessed to determine which ticket the interaction relates to. In most implementations, the analyst interactions with the web-based service will include data that can be used to determine which ticket the interaction is to be associated with.
  • the hash/name of a file, an IP address, or an email address may be entered into the web-based service to assess/address the reported security issue. This data can then be cross-referenced or correlated with data associated with the various tickets in the ticket database. Once the correct ticket has been identified, that ticket identification is associated/tagged for the specific interaction. The record of that interaction can then be stored in the database with the correct ticket ID.
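As an added example (not code from the patent or from PenfieldAi), the Node.js snippet below implements the detect and context tagging steps just described: a monitored-service list given as explicit hosts or URL patterns, extraction of ticket-style indicators (hashes, IP addresses, e-mail addresses, URLs) from what the analyst typed into the service, and correlation of those indicators with the data points of the analyst's open tickets, falling back to a manual choice when no single ticket matches. The service names, URL patterns, ticket contents and analyst input are all constructed for illustration.

```javascript
// Added example, not code from the patent or from PenfieldAi: the "detect"
// step (which web-based services are monitored) and the intelligent context
// tagging step (which open ticket an interaction belongs to) in plain Node.js.
// Service names, URL patterns, ticket contents and analyst input are constructed.

// Monitored services, given as an explicit host list or as a URL pattern.
const MONITORED_SERVICES = [
  { name: 'url-reputation', hosts: ['urlcheck.example'] },
  { name: 'hash-lookup',
    pattern: /^https:\/\/[a-z0-9.-]+\.hashlookup\.example\/lookup(?:[\/?]|$)/ },
];

// Step a): is this navigation one of the monitored services? Returns its name or null.
function matchMonitoredService(urlString, services = MONITORED_SERVICES) {
  let url;
  try { url = new URL(urlString); } catch { return null; }
  if (url.protocol !== 'https:') return null;          // plain-http pages are never a monitored query
  const hit = services.find(s =>
    (s.hosts && s.hosts.includes(url.hostname)) ||
    (s.pattern && s.pattern.test(url.href)));
  return hit ? hit.name : null;
}

// Identifiers an analyst typically pastes into such services and that tickets carry.
const INDICATOR_PATTERNS = [
  /\b[a-f0-9]{64}\b/gi,                   // SHA-256
  /\b[a-f0-9]{32}\b/gi,                   // MD5
  /\b(?:\d{1,3}\.){3}\d{1,3}\b/g,         // IPv4
  /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g,    // e-mail address
  /\bhttps?:\/\/[^\s"'<>]+/gi,            // URL
];

// Lower-case everything so ticket data and typed data compare as plain sets.
function extractIndicators(text) {
  const found = new Set();
  for (const re of INDICATOR_PATTERNS) {
    for (const m of text.matchAll(re)) found.add(m[0].toLowerCase());
  }
  return found;
}

// Step c): correlate one interaction with the analyst's open tickets. Exactly one
// best-matching ticket is tagged automatically; no match, or a tie between two
// tickets, hands the choice back to the analyst as the text describes.
function tagInteraction(interaction, openTickets, now = Date.now()) {
  const service = matchMonitoredService(interaction.url);
  if (!service) return { status: 'ignored' };
  const typed = extractIndicators(Object.values(interaction.fields).join(' '));
  const scored = openTickets
    .map(t => {
      const ticketIndicators = extractIndicators(Object.values(t.context).join(' '));
      return { ticketId: t.ticketId,
               overlap: [...typed].filter(i => ticketIndicators.has(i)).length };
    })
    .filter(t => t.overlap > 0)
    .sort((a, b) => b.overlap - a.overlap);
  const unique = scored.length === 1 ||
    (scored.length > 1 && scored[0].overlap > scored[1].overlap);
  if (unique) {
    const ticketId = scored[0].ticketId;
    return { status: 'tagged', service, ticketId,
             record: { analystId: interaction.analystId, ticketId, service,
                       url: interaction.url, fields: { ...interaction.fields },
                       timestamp: new Date(now).toISOString() } };
  }
  return { status: 'needs-selection', service, choices: openTickets.map(t => t.ticketId) };
}

// Constructed sample data: three open tickets and three analyst interactions.
const SAMPLE_OPEN_TICKETS = [
  { ticketId: 'T-1001', context: { client: 'acme', incident: 'unauthorized download',
      downloadUrl: 'https://cdn.badsite.example/setup.exe',
      sha256: '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08' } },
  { ticketId: 'T-1002', context: { client: 'acme', incident: 'phishing',
      sender: 'mallory@phish.example', link: 'https://login-verify.example/reset' } },
  { ticketId: 'T-1003', context: { client: 'globex', incident: 'beaconing',
      destination: '203.0.113.7' } },
];
const SAMPLE_INTERACTIONS = [
  { analystId: 'analyst-7', url: 'https://urlcheck.example/scan',
    fields: { url: 'https://cdn.badsite.example/setup.exe' } },
  { analystId: 'analyst-7', url: 'https://api.hashlookup.example/lookup?type=md5',
    fields: { hash: '5d41402abc4b2a76b9719d911017c592' } },   // no open ticket carries this hash
  { analystId: 'analyst-7', url: 'https://news.example/', fields: { q: 'acme' } },
];
```

Two choices are deliberate: only https URLs count as a monitored service, so a downgraded page is not logged as a service query, and a tie between two tickets is treated like no match rather than guessed, because a wrong tag would later have the interaction assessed against the wrong playbook.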
  • Another module used by the present invention matches the actions of an analyst with those defined in the set of instructions specific to the type of security incident being addressed.
  • the quality assurance module first uses the data contained in the security incident ticket to identify the correct playbook or set of instructions specific to the type of security incident being addressed.
  • the steps detailed in the playbook are transformed into specific steps or corresponding activities to be executed as a series of interactions with specific web-based services.
  • This translation also generates the input of the queries to be made to the web-based services. As an example, if the security incident is that of an unauthorized file download from a suspicious URL, the translation will associate the URL from where the file was downloaded with the query for the web-based service for checking suspicious URLs. As well, this translation will associate the digital hash of the file downloaded with a query to a web-based service that checks whether the digital hash corresponds to the digital hash of a computer virus or of some other malicious software.
  • data from past successful resolutions may be used to determine the steps required to resolve the security incident. Using data from past successful resolutions may also involve providing not just the steps to be taken but the specific sequence in which those steps are to be taken.
  • if the analyst's interactions deviate from these steps, mitigation strategies may be employed. Such mitigation strategies may include actions as detailed above.
  • the search for the relevant resolutions in the database can be performed by assessing the circumstances surrounding the resolved security issues and the circumstances surrounding the current security issue. Once the circumstances for the current security issue have been matched with the circumstances of one or more resolved security issues, the best match may then be determined to be the most relevant resolved security issue. The steps that led to that resolved security issue can then be used to assess the analyst interactions. As noted above, once the analyst interactions deviate from the set of instructions/actions that led to the resolution in the previously resolved security issue, mitigation strategies are implemented.
  • as an example, if the current security issue is a phishing email involving person X and URL Y, the system would look for resolved security issues that also involved phishing emails. Preferably, the system would also search for resolved security issues that involved the same organization as person X and, if possible, URL Y.
  • the context of the current security issue can thus be used as a template for searching for resolved security issues whose resolution steps can be used to assess the analyst's interactions.
  • in Figure 3, the process executed by the quality assurance module is illustrated. As can be seen, the process begins by determining or identifying the open ticket that the analyst is working to resolve.
  • This may take the form of analyzing the data entered into the web-based service or receiving this data from another module (e.g., the context tagging module).
  • the relevant set of instructions for that type of security incident is found and retrieved from a database.
  • since the set of instructions may consist of steps that need to be converted or transformed into executable instructions, the steps can be converted/transformed into a resolution template.
  • the steps in the resolution template are then matched with the steps being executed or already executed by the analyst. Once the steps lead to a resolution of the incident, the ticket is then closed.
  • if the steps executed by the analyst deviate from the resolution template, mitigation strategies are implemented (e.g., flagging the ticket for a quality assurance assessment).
  • Another module used by the present invention is the automated reporting module. While not part of the main functionality of the invention, this module does provide a benefit to analysts. Since the analyst's interactions with each web-based service are noted and stored, along with the data entered, the data received, and any further actions taken in resolving incidents, these stored records are used by the automated reporting module. The module takes the stored records for each ticket and creates automated human-readable reports that detail each step taken to resolve the security incident, including which web-based services were used, the data entered into the services, the results from those services, and the sequence of steps taken to resolve the incident. It should be clear that the predefined format for the automated reports may be configured according to each analyst's needs.
  • in FIG. 4, an overview of the workflow for the automated reporting module is illustrated.
  • a ticket is at the root of each report.
  • the tools used to resolve the ticket are presented in sequence (chaining) and, for each tool used, the actions and context are embedded in the stored data for the ticket. These data points are then extracted and placed into specific fields in the relevant templates.
  • each analysis tool generates its own template report that includes the actions and context for that tool. The reports for these tools are then aggregated into a full report for the ticket.
  • a further module used by the system is the analyst guidance module.
  • This module operates with the context tagging module and the quality assurance module. Once the ticket being addressed has been identified and the relevant set of instructions has been retrieved, the guidance module can then determine where, in the set of instructions, the analyst’s process is. Based on that assessment, the guidance module then provides detailed and step by step instructions to address the security incident based on the retrieved set of instructions. As should be clear, depending on how detailed the set of instructions are, each possible result for each possible interaction with a web-based service may be mapped out in the set of instructions. Such detailed instructions can then be used by the guidance module to guide the analyst through each interaction with web-based services. Of course, if the analyst deviates from the set of instructions or ignores the guidance, then the mitigation strategies may be implemented.
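The following is an added example, not code from the patent or from PenfieldAi, of the quality assurance module described above together with the guidance module's "where is the analyst now, what comes next" computation: a playbook whose steps name the service to query and the ticket context field that must be the query input, its translation into a resolution template for one ticket, the matching of the analyst's (already tagged, time-ordered) interaction stream against that template, detecting a wrong query input, an out-of-order step, an unexpected service and, when the ticket is about to be closed, a missed step, and finally the choice of a mitigation strategy from the kinds the text lists. The playbook, the ticket shape, the service names and the interaction streams are constructed.

```javascript
// Added example, not code from the patent or from PenfieldAi: quality assurance
// (playbook -> resolution template -> matching -> mitigation) plus guidance
// (current position and next step). All data below is constructed.

// A playbook step names the monitored service to query and the ticket context
// field whose value must be the query input.
const PLAYBOOKS = {
  'unauthorized-download': [
    { step: 'check-download-url', service: 'url-reputation', input: 'downloadUrl' },
    { step: 'check-file-hash',    service: 'hash-lookup',    input: 'sha256' },
    { step: 'isolate-host',       service: 'edr-console',    input: 'hostname' },
  ],
};

// Translate the playbook with this ticket's data into the concrete queries expected.
function buildResolutionTemplate(ticket, playbooks = PLAYBOOKS) {
  const playbook = playbooks[ticket.incidentType];
  if (!playbook) throw new Error(`no playbook for incident type ${ticket.incidentType}`);
  return playbook.map((s, index) => ({
    index, step: s.step, service: s.service,
    expected: String(ticket.context[s.input] ?? '').toLowerCase(),
  }));
}

// Walk the analyst's interactions against the template. `closing` means the
// analyst is about to close the ticket, so steps never executed are missed
// steps rather than "not done yet".
function assessInteractions(template, interactions, { closing = false } = {}) {
  const deviations = [];
  const done = new Set();
  let cursor = 0;                                  // lowest template index still undone
  for (const it of interactions) {
    const idx = template.findIndex(t => t.service === it.service && !done.has(t.index));
    if (idx === -1) {                              // a service the playbook never asks for
      deviations.push({ type: 'unexpected-service', service: it.service });
      continue;
    }
    const t = template[idx];
    const typed = Object.values(it.fields).map(v => String(v).toLowerCase());
    if (!typed.includes(t.expected)) {             // query carried the wrong data
      deviations.push({ type: 'wrong-input', step: t.step, expected: t.expected, got: typed });
    }
    if (idx !== cursor) {                          // skipped ahead of an earlier step
      deviations.push({ type: 'out-of-order', step: t.step, expectedStep: template[cursor].step });
    }
    done.add(t.index);
    while (cursor < template.length && done.has(cursor)) cursor++;
  }
  if (closing) {
    for (const t of template) {
      if (!done.has(t.index)) deviations.push({ type: 'missed-step', step: t.step });
    }
  }
  return {
    deviations,
    completed: template.filter(t => done.has(t.index)).map(t => t.step),
    nextStep: cursor < template.length ? template[cursor] : null,
    resolved: done.size === template.length,
  };
}

// Mitigation: guide to the next step, advise on a minor deviation, or flag the
// ticket for quality assurance review when query data or the step set was wrong.
function chooseMitigation(assessment) {
  const severe = assessment.deviations.some(d => d.type === 'wrong-input' || d.type === 'missed-step');
  if (severe) return { action: 'flag-for-qa', reasons: assessment.deviations };
  if (assessment.deviations.length > 0) return { action: 'advise', reasons: assessment.deviations };
  if (assessment.nextStep) {
    const n = assessment.nextStep;
    return { action: 'guide', hint: `next: ${n.step} via ${n.service} with "${n.expected}"` };
  }
  return { action: 'none' };
}

function assessTicket(ticket, interactions, opts) {
  const assessment = assessInteractions(buildResolutionTemplate(ticket), interactions, opts);
  return { assessment, mitigation: chooseMitigation(assessment) };
}

// Constructed ticket and interaction streams.
const SAMPLE_TICKET = {
  ticketId: 'T-1001', incidentType: 'unauthorized-download',
  context: { downloadUrl: 'https://cdn.badsite.example/setup.exe',
             sha256: '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08',
             hostname: 'WS-042' },
};
const ON_TRACK = [
  { service: 'url-reputation', fields: { url: 'https://cdn.badsite.example/setup.exe' } },
  { service: 'hash-lookup', fields: { hash: '9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08' } },
];
const WRONG_HASH = [ON_TRACK[0],
  { service: 'hash-lookup', fields: { hash: '5d41402abc4b2a76b9719d911017c592' } }];  // not this ticket's file
const OUT_OF_ORDER = [ON_TRACK[1], ON_TRACK[0]];
```

Matching is by service and expected input rather than by step name, which is what the extension can actually observe; a playbook with two queries to the same service is handled because each template entry is consumed once, in order.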
  • each analyst machine may be involved in resolving multiple reported security issues and these reported security issues may involve multiple activations and/or accesses to multiple web-based services.
  • each analyst machine has a resolution service relating to one reported security issue - once the reported security issue has been resolved, the steps for that resolution are logged.
  • the steps taken to resolve each reported security issue are entered into one or more logs and the multiple logs generated can be collated/collected with a log dispatcher.
  • the log dispatcher for each analyst machine then uploads its respective logs to a server by way of a network.
  • a log collector and merger module receives and collects all the uploaded logs. These received logs can then be collated, organized, and categorized as needed and as desired. Once properly organized, the received logs can then be stored in the interaction database. As can be seen, each log can be associated with specific data that uniquely identifies each log, including the users involved in the security issue, the tools used to resolve the issue, the various interaction data generated for the security issue, as well as a time stamp for each log. These data points can then be used to uniquely identify each log. It should be clear that the web-based service accessed by the analyst can also generate the logs and can send these logs to the analyst machines. The logs can then be uploaded to a server and stored as above.
  • each of the logs in the database can then be accessed and each log can be sent to a system that implements the invention to assess the analyst’s performance in resolving the security issue.
  • a stream of analyst interactions can thus be created from each log and these analyst interactions can be assessed by the system of the present invention as detailed above.
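As an added example (not code from the patent or from PenfieldAi) of the log dispatcher and collector/merger flow described above, the Node.js snippet below takes the uploads from several analyst machines, rejects malformed entries, drops re-uploaded duplicates using the identifying data points the text lists (user, tool, interaction data, timestamp), orders the result by time and produces the per-ticket interaction stream that the assessment consumes. Machine names, analyst IDs and log entries are constructed.

```javascript
// Added example, not code from the patent or from PenfieldAi: the log
// collector/merger of Figure 5 in plain Node.js. All data below is constructed.

const REQUIRED = ['analystId', 'ticketId', 'tool', 'input', 'timestamp'];

// The data points that uniquely identify a log entry: analyst, tool,
// interaction data and timestamp. A retried upload of the same entry yields
// the same key and is dropped as a duplicate.
function logKey(entry) {
  return ['analystId', 'tool', 'input', 'timestamp'].map(f => entry[f]).join('\u0000');
}

// Reject entries the merger could not place: missing fields or unparseable time.
function validateEntry(entry) {
  const missing = REQUIRED.filter(f => entry[f] === undefined || entry[f] === '');
  if (missing.length) return `missing ${missing.join(',')}`;
  if (Number.isNaN(Date.parse(entry.timestamp))) return 'bad timestamp';
  return null;
}

// Collect all uploads, validate, de-duplicate, and sort by time (then analyst).
function collectAndMerge(uploads) {
  const byKey = new Map();
  const rejected = [];
  for (const upload of uploads) {
    for (const entry of upload.entries) {
      const problem = validateEntry(entry);
      if (problem) { rejected.push({ machine: upload.machine, entry, problem }); continue; }
      const key = logKey(entry);
      if (!byKey.has(key)) byKey.set(key, { ...entry, machine: upload.machine });
    }
  }
  const merged = [...byKey.values()].sort((a, b) =>
    Date.parse(a.timestamp) - Date.parse(b.timestamp) || a.analystId.localeCompare(b.analystId));
  return { merged, rejected };
}

// Group the merged log into one time-ordered stream per ticket.
function interactionStreams(merged) {
  const streams = new Map();
  for (const entry of merged) {
    if (!streams.has(entry.ticketId)) streams.set(entry.ticketId, []);
    streams.get(entry.ticketId).push(entry);
  }
  return streams;
}

// Constructed uploads from two analyst machines; ws-01 re-sent its first entry
// and ws-02 produced one entry with no input recorded.
const SAMPLE_UPLOADS = [
  { machine: 'ws-01', entries: [
    { analystId: 'analyst-7', ticketId: 'T-1001', tool: 'url-reputation',
      input: 'https://cdn.badsite.example/setup.exe', result: 'malicious',
      timestamp: '2022-10-20T14:02:11Z' },
    { analystId: 'analyst-7', ticketId: 'T-1001', tool: 'hash-lookup',
      input: '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08',
      result: 'known malware', timestamp: '2022-10-20T14:05:40Z' },
    { analystId: 'analyst-7', ticketId: 'T-1001', tool: 'url-reputation',
      input: 'https://cdn.badsite.example/setup.exe', result: 'malicious',
      timestamp: '2022-10-20T14:02:11Z' },
  ] },
  { machine: 'ws-02', entries: [
    { analystId: 'analyst-3', ticketId: 'T-1003', tool: 'ip-reputation',
      input: '203.0.113.7', result: 'clean', timestamp: '2022-10-20T14:03:02Z' },
    { analystId: 'analyst-3', ticketId: 'T-1003', tool: 'ip-reputation',
      input: '', timestamp: '2022-10-20T14:03:30Z' },
  ] },
];
```

The ticket ID is left out of the duplicate key on purpose: an entry that was re-tagged to a different ticket by the context tagging module is still the same interaction, and the later upload should not create a second copy.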
  • each analyst machine accesses the network to get to the web-based services by way of a middlebox.
  • the web-based services may be accessible through the Internet (where the web-based services are cloud-based) or through an internal network (where the web-based services are locally hosted and are operating on an internal server).
  • the middlebox, through which all network accesses are routed, then analyzes each access and determines the surrounding circumstances for each of the accesses. This means that the middlebox analyzes each network interaction and determines the analyst performing the interaction, which web-based service is being accessed, what actions are being taken, what data is being sent, what data is being received, etc.
  • the middlebox can also perform the function of determining which ticket relates to which interaction and can also tag the interaction appropriately. Once each interaction has been tagged appropriately, the interaction and its associated data can then be stored in an interaction database.
  • It should be clear that the architecture in Figure 6 can be used in a real-time/near real-time system. Once the interaction has been appropriately tagged, components of the system can then perform the assessment of an analyst's interaction to determine whether it deviates from a selected set of instructions for resolving the relevant security issue. As noted above, once a deviation from the instructions is determined, mitigation strategies can be implemented.
  • the architecture in Figure 6 can also be used in a system that is not real-time/near real-time. In that case, the interactions stored in the database can be streamed to the system of the present invention and the interactions can then be assessed quickly, as they have already been tagged appropriately.
  • in FIG. 7, a block diagram of one implementation of the present invention is illustrated. As can be imagined, the architectures illustrated in Figures 5 and 6 can be used to feed the system illustrated in Figure 7.
  • the system in Figure 7 has a number of modules for implementing the functions of the present invention.
  • the Detect module can receive a stream of log entries or analyst interactions to determine if a specific web service has been accessed or activated. Once such an accessing or an activation has been detected, the Ticket ID module and the assessment module can be activated.
  • the Ticket ID module receives the stream of log entries or analyst interactions and determines the correct ticket to which the interaction or log entry relates. As noted above, each reported security issue is assigned a ticket and, once the correct ticket is identified, the interaction/log entry can be associated with that ticket.
  • the assessment module is also activated. This module assesses the incoming log entries/analyst interactions in light of a selected set of instructions for resolving the present reported security issue.
  • the assessment module may also search for the predetermined set of instructions against which the analyst interactions are to be assessed. Once a deviation from this set of instructions has been detected, the assessment module may pass on the circumstances of the current reported security issue to the mitigation module.
  • the mitigation module implements one or more mitigation strategies once a deviation has been detected.
  • the deviation to be detected is the deviation from the set of instructions for resolving the reported security issue.
  • the mitigation module can thus perform actions including flagging the ticket, reporting the analyst, alerting other analysts, alerting management, or any other actions designed to mitigate potential analyst/issue resolution problems in the future.
  • the various aspects of the present invention may be implemented as software modules in an overall software system.
  • the present invention may thus take the form of computer executable instructions that, when executed, implements various software modules with predefined functions.
  • the embodiments of the invention may be executed by a computer processor or similar device programmed in the manner of method steps, or may be executed by an electronic system which is provided with means for executing these steps.
  • an electronic memory means such as computer diskettes, CD-ROMs, Random Access Memory (RAM), Read Only Memory (ROM) or similar computer software storage media known in the art, may be programmed to execute such method steps.
  • electronic signals representing these method steps may also be transmitted via a communication network.
  • Embodiments of the invention may be implemented in any conventional computer programming language. For example, preferred embodiments may be implemented in a procedural programming language (e.g., "C" or "Go") or an object-oriented language (e.g., "C++", "Java", "PHP", "Python" or "C#").
  • Alternative embodiments of the invention may be implemented as pre-programmed hardware elements, other related components, or as a combination of hardware and software components.
  • Embodiments can be implemented as a computer program product for use with a computer system.
  • Such implementations may include a series of computer instructions fixed either on a tangible medium, such as a computer readable medium (e.g., a diskette, CD-ROM, ROM, or fixed disk) or transmittable to a computer system, via a modem or other interface device, such as a communications adapter connected to a network over a medium.
  • the medium may be either a tangible medium (e.g., optical or electrical communications lines) or a medium implemented with wireless techniques (e.g., microwave, infrared or other transmission techniques).
  • the series of computer instructions embodies all or part of the functionality previously described herein. Those skilled in the art should appreciate that such computer instructions can be written in a number of programming languages for use with many computer architectures or operating systems.
  • Such instructions may be stored in any memory device, such as semiconductor, magnetic, optical or other memory devices, and may be transmitted using any communications technology, such as optical, infrared, microwave, or other transmission technologies.
  • a computer program product may be distributed as a removable medium with accompanying printed or electronic documentation (e.g., shrink-wrapped software), preloaded with a computer system (e.g., on system ROM or fixed disk), or distributed from a server over a network (e.g., the Internet or World Wide Web).
  • some embodiments of the invention may be implemented as a combination of both software (e.g., a computer program product) and hardware. Still other embodiments of the invention may be implemented as entirely hardware, or entirely software (e.g., a computer program product).
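The three modules described above (ticket identification, assessment of analyst interactions against a predetermined instruction set, and mitigation once a deviation is found) in miniature, as an added example that is not code from the patent or from PenfieldAi. The ticket ids, analyst names, web-based service names, the playbook steps and the captured log stream are all constructed for the illustration; a real deployment would take the instruction sets and the ticket registry from the databases the description mentions.

```python
# Added illustration of the Ticket ID, assessment and mitigation modules.
# All ids, service names, playbook steps and log entries below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Step = Tuple[str, str]  # (web-based service that was activated, action taken on it)


@dataclass
class Interaction:
    analyst: str
    service: str
    action: str
    ticket_hint: Optional[str] = None   # ticket id if the extension captured one


@dataclass
class Ticket:
    ticket_id: str
    issue_type: str                     # selects the instruction set to apply
    analyst: str
    status: str = "open"
    flags: List[str] = field(default_factory=list)
    interactions: List[Interaction] = field(default_factory=list)


# Constructed instruction sets: the ordered steps expected for each issue type.
PLAYBOOKS: Dict[str, List[Step]] = {
    "phishing": [
        ("mail-gateway", "pull-headers"),
        ("url-scanner", "lookup-url"),
        ("edr", "isolate-host"),
        ("ticketing", "close"),
    ],
}


def build_tickets() -> Dict[str, Ticket]:
    """Constructed ticket registry; a fresh copy per call keeps runs independent."""
    return {
        "T-100": Ticket("T-100", "phishing", "alice"),
        "T-200": Ticket("T-200", "phishing", "bob"),
        "T-201": Ticket("T-201", "malware", "bob"),
    }


def identify_ticket(ix: Interaction, tickets: Dict[str, Ticket]) -> Optional[Ticket]:
    """Ticket ID module: use the captured ticket id when present; otherwise fall
    back to the analyst's open ticket, but only when that choice is unambiguous."""
    if ix.ticket_hint in tickets:
        return tickets[ix.ticket_hint]
    candidates = [t for t in tickets.values()
                  if t.analyst == ix.analyst and t.status == "open"]
    return candidates[0] if len(candidates) == 1 else None


def assess(ticket: Ticket, playbook: List[Step]) -> List[str]:
    """Assessment module: walk the ticket's interactions against the playbook in
    order and describe every deviation (skipped steps or unexpected steps)."""
    deviations: List[str] = []
    pos = 0  # index of the next expected playbook step
    for ix in ticket.interactions:
        pair: Step = (ix.service, ix.action)
        if pos < len(playbook) and pair == playbook[pos]:
            pos += 1
        elif pair in playbook[pos:]:
            later = playbook.index(pair, pos)   # jumped ahead: steps in between were skipped
            deviations.append(f"skipped {playbook[pos:later]} before {pair}")
            pos = later + 1
        else:
            deviations.append(f"unexpected step {pair}")
    return deviations


def mitigate(ticket: Ticket, deviations: List[str], alerts: List[str]) -> None:
    """Mitigation module: flag the ticket and raise one alert per deviation.
    Reporting the analyst or alerting management would hang off the same hook."""
    if deviations:
        ticket.flags.append("deviation")
        alerts.extend(f"{ticket.ticket_id} ({ticket.analyst}): {d}" for d in deviations)


def process_stream(stream: List[Interaction], tickets: Dict[str, Ticket]) -> Dict[str, List[str]]:
    """Run the whole pipeline over a stream of captured interactions."""
    alerts: List[str] = []
    unattributed: List[str] = []
    touched: Dict[str, Ticket] = {}
    for ix in stream:
        ticket = identify_ticket(ix, tickets)
        if ticket is None:           # cannot be tied to a ticket: keep it for review
            unattributed.append(f"{ix.analyst}: {ix.service}/{ix.action}")
            continue
        ticket.interactions.append(ix)
        touched[ticket.ticket_id] = ticket
    for ticket in touched.values():
        mitigate(ticket, assess(ticket, PLAYBOOKS.get(ticket.issue_type, [])), alerts)
    return {"alerts": alerts, "unattributed": unattributed}


# Constructed log stream: alice skips the URL lookup step; bob's entry carries no
# ticket id and he holds two open tickets, so it cannot be attributed.
SAMPLE_STREAM = [
    Interaction("alice", "mail-gateway", "pull-headers", "T-100"),
    Interaction("alice", "edr", "isolate-host"),
    Interaction("alice", "ticketing", "close", "T-100"),
    Interaction("bob", "url-scanner", "lookup-url"),
]


def run_demo() -> Dict[str, List[str]]:
    return process_stream(SAMPLE_STREAM, build_tickets())
```

`run_demo()` returns one alert for T-100 (the skipped URL lookup) and one unattributed entry for bob; the unattributed list is worth surfacing on its own, since an interaction that cannot be tied to a ticket is invisible to the assessment step and therefore to any deviation check.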

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

Systems and methods for tracking and storing interactions between a security analyst and at least one web service. A browser extension monitors the activation of one or more web services. When one of those web services is activated as a step in resolving an open ticket during a security incident, the extension identifies that open ticket. All data relating to the interaction is associated with the ticket and stored accordingly in a database. The extension also determines which pre-existing set of instructions is suitable for resolving the security incident. That set is retrieved from a database, and the extension monitors the analyst's actions regarding the resolution of the open ticket. When the analyst's actions diverge from the set of instructions, specific mitigation strategies may be implemented.
PCT/CA2022/051554 2021-10-27 2022-10-21 Tracking security analyst interactions with web services Ceased WO2023070196A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US202163272475P 2021-10-27 2021-10-27
US63/272,475 2021-10-27

Publications (1)

Publication Number Publication Date
WO2023070196A1 true WO2023070196A1 (fr) 2023-05-04

Family

ID=86160407

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CA2022/051554 Ceased WO2023070196A1 (fr) 2021-10-27 2022-10-21 Tracking security analyst interactions with web services

Country Status (1)

Country Link
WO (1) WO2023070196A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7904456B2 (en) * 2006-09-01 2011-03-08 Robert John Hennan Security monitoring tool for computer network
US8903923B2 (en) * 2011-11-09 2014-12-02 International Business Machines Corporation Methods and apparatus for system monitoring
US10193921B2 (en) * 2016-08-12 2019-01-29 Level 3 Communications, Llc Malware detection and prevention system
US10574631B2 (en) * 2015-05-11 2020-02-25 Finjan Mobile, Inc. Secure and private mobile web browser
KR102222377B1 (ko) * 2020-08-25 2021-03-03 주식회사 로그프레소 Threat response automation method

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7904456B2 (en) * 2006-09-01 2011-03-08 Robert John Hennan Security monitoring tool for computer network
US8903923B2 (en) * 2011-11-09 2014-12-02 International Business Machines Corporation Methods and apparatus for system monitoring
US10574631B2 (en) * 2015-05-11 2020-02-25 Finjan Mobile, Inc. Secure and private mobile web browser
US10193921B2 (en) * 2016-08-12 2019-01-29 Level 3 Communications, Llc Malware detection and prevention system
KR102222377B1 (ko) * 2020-08-25 2021-03-03 주식회사 로그프레소 Threat response automation method

Similar Documents

Publication Publication Date Title
CN107438079B (zh) A method for detecting unknown abnormal behavior of a website
CN109525558B (zh) Data leakage detection method, system, apparatus and storage medium
CN108304704B (zh) Permission control method, apparatus, computer device and storage medium
CN111726357A (zh) Attack behavior detection method, apparatus, computer device and storage medium
CN106411578A (zh) A website monitoring system and method suited to the power industry
KR102047929B1 (ko) Website verification method
CN114528457B (zh) Web fingerprint detection method and related device
US20250355943A1 (en) System event detection system and method
CN114244564A (zh) Attack defense method, apparatus, device and readable storage medium
CN113595981A (zh) Uploaded file threat detection method and apparatus, and computer-readable storage medium
CN109684863B (zh) Data leakage prevention method, apparatus, device and storage medium
Herrerias et al. A log correlation model to support the evidence search process in a forensic investigation
CN108040036A (zh) A Webshell security protection method for industry clouds
CN110365714A (zh) Host intrusion detection method, apparatus, device and computer storage medium
CN111031025A (zh) A method and apparatus for automatically detecting and verifying Webshells
WO2023070196A1 (fr) Tracking security analyst interactions with web services
Klinkhamhom et al. Threat Hunting for Digital Forensic Using GRR Rapid Response with NIST Framework
CN112714118A (zh) Network traffic detection method and apparatus
CN115842716B (zh) Method, apparatus, device and storage medium for determining a faulty server
Hyder et al. Towards digital forensics investigation of wordpress applications running over kubernetes
Awotipe Log analysis in cyber threat detection
Bruzzese An Analisys of Application Logs with Splunk: developing an App for the synthetic analysis of data and security incidents
KR102330404B1 (ko) Integrated security diagnosis method and apparatus
CN119966742B (zh) A network threat data entry method, apparatus, device and medium
CN119341769B (zh) Application unauthorized-access vulnerability detection method, apparatus, device and readable storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22884819

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 22884819

Country of ref document: EP

Kind code of ref document: A1