
US 9,038,177 B1

(12) United States Patent
Tierney
(10) Patent No.: US 9,038,177 B1
(45) Date of Patent: May 19, 2015

(54) METHOD AND SYSTEM FOR IMPLEMENTING MULTI-LEVEL DATA FUSION

(75) Inventor: Sean M. Tierney, Fair Lawn, NJ (US)

(73) Assignee: JPMORGAN CHASE BANK, N.A., New York, NY (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 264 days.

(21) Appl. No.: 13/191,924

Related U.S. Application Data

(60) Provisional application No. 61/418,020, filed on Nov. 30, 2010.

(51) Int. Cl.: G06F 2/14 (2006.01); [second class illegible in scan] (2006.01)

(52) U.S. Cl.: CPC H04L 63/1408 (2013.01); [second CPC code illegible in scan] (2013.01)

(58) Field of Classification Search: CPC H04L 63/1408; H04L 63/1416; H04L 63/1425. See application file for complete search history.

Primary Examiner: Matthew Henning
(74) Attorney, Agent, or Firm: Hunton & Williams LLP

(57) ABSTRACT

An embodiment of the present invention involves a computer implemented method and system for implementing data fusion comprising aggregating data from a plurality of sources via one or more computer networks, wherein the data comprises at least unstructured data; extracting one or more features from the aggregated data; enriching the extracted data by compiling the data into one or more categories; generating one or more datasets based on the enriched data for identifying potentially fraudulent activity; and identifying one or more proposed actions to address the potentially fraudulent activity using a graphical interface.

18 Claims, 3 Drawing Sheets

[FIG. 1 (front-page drawing): flowchart of the multi-level data fusion method. Legible labels include external sources 112, intelligence, money mules, infected systems, victim accounts, suspect commercial channels, asset data, victim data, targeting data, and tuning / continuous improvement.]
U.S. Patent, May 19, 2015, Sheet 2 of 3, US 9,038,177 B1

[FIG. 2: illustration of intersecting datasets for data enrichment; no labels are legible in the scan.]

U.S. Patent, May 19, 2015, Sheet 3 of 3, US 9,038,177 B1

[FIG. 3: block diagram of system 300. Processor 310 contains Data Aggregator 312, Feature Extraction Module 314, Enrich-Data Fusion Module 316, Enrich-Feature Fusion Module 318, Fused Dataset Module 320, Decision Fusion Module 322, Interface 324 and Other Module 326. Internal Source 330 and External Source 332 feed the aggregator; the processor connects to Communication Network 340 and to Database(s) 350 and 352.]
METHOD AND SYSTEM FOR IMPLEMENTING MULTI-LEVEL DATA FUSION

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims priority to provisional application, U.S. patent application No. 61/418,020, filed Nov. 30, 2010, the contents of which are incorporated herein by reference in its entirety.

FIELD OF THE INVENTION

The present invention relates generally to data aggregation and analysis, and more specifically to a method and system for implementing multi-level data fusion based on comprehensive information from various structured and unstructured sources to provide useful tools for addressing security, fraud investigations and other concerns.

BACKGROUND OF THE INVENTION

Analysts working in information security, fraud investigations and related fields face several significant challenges in their efforts to collect, process and analyze data in order to produce timely, accurate and meaningful intelligence. Significant issues include an organization's capability to aggregate and correlate volumes of data in order to produce situational awareness and support data driven decision making. Other drawbacks may also be present.

SUMMARY OF THE INVENTION

Accordingly, one aspect of the invention is to address one or more of the drawbacks set forth above. According to an embodiment of the present invention, an automated computer implemented method for implementing data fusion comprises the steps of aggregating data from a plurality of sources via one or more computer networks, wherein the data comprises at least unstructured data; extracting one or more features from the aggregated data; enriching the extracted data by compiling the data into one or more categories; generating one or more datasets based on the enriched data for identifying potentially fraudulent activity; and identifying one or more proposed actions to address the potentially fraudulent activity using a graphical interface.

According to an exemplary embodiment of the present invention, an automated computer implemented system for implementing data fusion comprises: a data aggregator for aggregating data from a plurality of sources via one or more computer networks, wherein the data comprises at least unstructured data; a feature extraction module for extracting one or more features from the aggregated data; a data enrichment module for enriching the extracted data by compiling the data into one or more categories; a dataset module for generating one or more datasets based on the enriched data for identifying potentially fraudulent activity; and a decision module for identifying one or more proposed actions to address the potentially fraudulent activity using a graphical interface.

According to an exemplary embodiment of the present invention, an automated computer implemented method and system implements data fusion wherein the plurality of sources comprises a combination of external sources including one or more of the following: external network telemetry, malware data, external mail lists, blogs, news and RSS feeds; wherein the plurality of sources comprises a combination of internal sources including one or more of the following: network telemetry, vulnerability assessment, asset inventory, video and move-money data; wherein the one or more features comprises one or more of information source, network, device, vulnerability, threats, exposure, actors, victims and targets; wherein the one or more categories comprises threat data, attack data, network data, vulnerability data, asset data, victim data and targeting detail; wherein the step of enriching further comprises identifying a burst activity; wherein the step of enriching further comprises identifying a dip activity; wherein the step of enriching further comprises intersecting source information, destination information and enrichment data; wherein the one or more proposed actions is displayed as a graphical representation; and wherein the one or more proposed actions comprises initiating an investigation.

BRIEF DESCRIPTION OF THE DRAWINGS

In order to facilitate a fuller understanding of the present inventions, reference is now made to the appended drawings. These drawings should not be construed as limiting the present inventions, but are intended to be exemplary only.

FIG. 1 is an exemplary flowchart illustrating a method for implementing multi-level data fusion, according to an embodiment of the present invention.

FIG. 2 is an exemplary illustration of data enrichment for multi-level data fusion, according to an embodiment of the present invention.

FIG. 3 is an exemplary diagram of a system for providing multi-level data fusion, according to an embodiment of the present invention.

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENT(S)

Key capabilities of a multi-level fusion process of an embodiment of the present invention may include automation, artificial intelligence and the novel application of data collection and extraction mechanisms.

Multi-level fusion generally involves the combination of datasets to improve the performance of a system. Objectives may include identification, detection, and tracking. As applied to an embodiment of the present invention, multi-level fusion may include low, intermediate, and high level fusion. Low level or data fusion may include combining raw datasets. Intermediate or feature fusion may combine features from multiple raw datasets and/or temporal fusion of multiple samples from a single source. High level fusion is also known as decision fusion, which may combine inputs from multiple experts in the form of confidence ratings, ranking, decisions, etc.

An embodiment of the present invention may be a holistic, end-to-end solution based on discrete modules which may be added, removed, or upgraded over the lifecycle of the system. An embodiment of the present invention may use automation, artificial intelligence, and hardware and software to provide enhanced features and minimize human dependencies. Core system capabilities may include data aggregation and correlation to provide a fused dataset for situational awareness and decision support.

FIG. 1 illustrates an exemplary flowchart for implementing multi-level data fusion, according to an embodiment of the present invention. For example, various data sources may be identified and modeled, and collection mechanisms may be built. An exemplary approach may be dependent on the data type and source. However, as data complexity increases, the complexity of harvesting may also increase.
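The three fusion levels described above, as an added worked example in Python that is not part of the patent: low-level fusion merges raw per-host records from two constructed sources (a proxy log and an antivirus console), feature fusion derives per-host features including a temporal one taken from consecutive samples of a single source, and decision fusion combines the confidence ratings of three constructed "experts" under assumed weights into a ranking. Every record, expert rule, weight and threshold here is a constructed assumption, not data or logic from the patent.

```python
"""Added example (not the patent's code): low-level, feature-level and
decision-level fusion on constructed inputs."""
from collections import defaultdict

# Constructed raw records from two sources, both keyed by host so they can be
# combined at the low (data) level. Values are invented for the example.
PROXY_RECORDS = [
    {"host": "ws-101", "ts": 100, "bytes_out": 5_000},
    {"host": "ws-101", "ts": 160, "bytes_out": 6_000},
    {"host": "ws-101", "ts": 220, "bytes_out": 900_000},
    {"host": "ws-202", "ts": 130, "bytes_out": 4_000},
]
AV_RECORDS = [
    {"host": "ws-101", "ts": 90, "infections": 3},
    {"host": "ws-202", "ts": 140, "infections": 0},
]


def low_level_fusion(*sources):
    """Low level: merge raw records from several sources into one list per host."""
    fused = defaultdict(list)
    for source in sources:
        for rec in source:
            fused[rec["host"]].append(rec)
    return dict(fused)


def feature_fusion(fused):
    """Intermediate level: per-host features drawn from both sources, plus a
    temporal feature (change in outbound bytes per second between the last two
    proxy samples of the same host)."""
    features = {}
    for host, recs in fused.items():
        proxy = sorted((r for r in recs if "bytes_out" in r), key=lambda r: r["ts"])
        infections = sum(r.get("infections", 0) for r in recs)
        if len(proxy) >= 2:
            accel = (proxy[-1]["bytes_out"] - proxy[-2]["bytes_out"]) / (
                proxy[-1]["ts"] - proxy[-2]["ts"])
        else:
            accel = 0.0  # a single sample gives no rate of change
        features[host] = {
            "infections": infections,
            "total_bytes_out": sum(r["bytes_out"] for r in proxy),
            "bytes_accel": accel,
        }
    return features


# Constructed "experts": each maps a host's features to a confidence in [0, 1].
EXPERTS = {
    "av_expert": lambda f: min(1.0, f["infections"] / 3),
    "egress_expert": lambda f: 1.0 if f["bytes_accel"] > 1_000 else 0.1,
    "volume_expert": lambda f: 1.0 if f["total_bytes_out"] > 500_000 else 0.0,
}
# Assumed weights; in practice these would be tuned from investigator feedback.
EXPERT_WEIGHTS = {"av_expert": 0.5, "egress_expert": 0.3, "volume_expert": 0.2}


def decision_fusion(features, experts=EXPERTS, weights=EXPERT_WEIGHTS):
    """High level: weighted combination of expert confidences, returned as a
    ranking of (host, fused_score) from most to least suspicious."""
    scored = {host: sum(weights[name] * fn(f) for name, fn in experts.items())
              for host, f in features.items()}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


def run_pipeline():
    """Run all three levels on the constructed records."""
    return decision_fusion(feature_fusion(low_level_fusion(PROXY_RECORDS, AV_RECORDS)))


if __name__ == "__main__":
    for host, score in run_pipeline():
        print(f"{host}: fused score {score:.2f}")
```

The ranking is what a decision module would hand to a graphical interface or investigator queue; the point of separating the levels is that the experts can be added, removed or re-weighted without touching the aggregation or feature code.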
At Data Aggregator step 110, data may be aggregated from various sources, as shown by 112, including external network telemetry, malware data, external mail lists, blogs, news, RSS feeds, contract intelligence services, confidential intelligence, law enforcement and/or other sources of intelligence and data. In addition, at Data Aggregator step 110, data may also be aggregated from internal intelligence, as shown by 114, such as network telemetry, vulnerability assessment, asset inventory, logs, video, telecom, move-money data and/or other sources of internal intelligence and data. At Data Aggregator step 110, data may be received from various sources and the relevant information may be identified. For example, at Data Aggregator step 110, an email may be received and the relevant information, such as attachments, body, subject, email header, sender, recipient and/or other information, may be extracted.

Data Aggregator step 110 may aggregate various types of data, including structured and unstructured data. Structured data may include information in a particular format, such as a table, database, etc. Unstructured data may refer generally to unformatted data, such as email content, conversations, news articles, RSS feeds, social networking content, chats and other types of prose material. Also, unstructured data may include data in different formats, including video, images, voice data, etc. For example, audio recordings from customer service centers, call centers, fraud hotlines and investigation interviews may be processed by an embodiment of the present invention. A transcript may be produced using speech-to-text software with the result pushed through a natural speech text processing stream, enabling the fusion system to harvest key information. The audio recording itself may be analyzed for voice identification, providing for the correlation of known and frequent callers. Additional features that may be extracted may include the call center identification and location, operator's identification, the number the call was made from, the number of the call center, conversation, result, action, etc.

Another example may involve video recordings from any source. Examples may include surveillance video from Automated Teller Machines (ATM), retail banking, building security, interviews, interrogations and other sources. These recordings may be processed for facial recognition, behavior analysis and activity identification. These features may be extracted, tagged and/or stored with additional features such as time, date, location and/or other information.

At Feature Extraction step 120, data may be extracted and classified into a useful format. For example, data may be classified by various categories, as shown by 122, such as information source, networks, devices, vulnerabilities, threats, exposure, actors, victims, targets and/or other features. Data passed from Feature Extraction step 120 to Data Enrichment step 130 may result in homogenous datasets, some of which may be illustrated as: Threat, Attack, Network, Vulnerability, Asset, etc.

At Data Enrichment step 130, the extracted data from Feature Extraction step 120 may be compiled. As a result, Data Enrichment step 130 may generate outputs 134, including block list, botnets, infection sites, suspect commercial channels, infected systems, victim accounts, money mules and/or other outputs. Data Enrichment step 130 may also involve storing data in an organized format, including threat data, attack data, network data, vulnerability data, asset data, victim data, targeting data and/or other categories, as represented by 132.

Data enrichment may be used to comprehend and analyze variances in volume, acceleration/deceleration, and velocity of activity. For example, data enrichment may be used to detect bursts or dips in activities. Bursts may include high volume activity within a short span of time. Dips may include low volume activity in a short span of time. By detecting sudden changes in activity from a source or an account, an embodiment of the present invention may assist in detecting new behaviors, network attack, data theft, fraud and/or other events. For example, a certain level of activity may be expected from a single IP address from a normal user. However, if a particularly high number of transactions are occurring over a short span of time, an embodiment of the present invention may be alerted of such bursts in activity. This may indicate automation or machine driven activity when human interaction is expected. The change or anomalous behavior may be used to determine actions/reactions.

Feature Enrichment step 140 may accept data from Data Enrichment step 130 as an input to produce a series of actionable reports and other useful output. For example, actionable reports may include lists of websites to block an organization from viewing, lists of bank accounts which have been victimized, and money mules or participants in money laundering schemes. Other outputs 142 may include attack telemetry, targets and victims, vulnerability exposure, data exposure, illicit money movement and/or other outputs. Likewise, Feature Enrichment step 140 may result in a Fused Dataset 150 and actionable intelligence. A feature enriched report may include attacker, victim, and specific indicators of the attack or suspicious activity garnered from the disparate datasets. For example, subscriber email lists may provide names and accounts of individuals receiving fraudulent deposits. This data may be used to derive various lists. For example, an exemplary list may identify potential account holders suspected of money laundering. Another exemplary list may include potential fraud victims. Correlation across lists may highlight ongoing movement of illicit funds and identify patterns or trends in money flow. These lists may be passed to fraud investigators for action.

According to another example, IP addresses harvested from subscription data feeds, email lists and other sources may identify IP addresses and URLs known or suspected to be involved in malicious activity, such as distribution of malware, data leakage and/or unauthorized activity. These details may be aggregated in a report (or other format) and sent to an appropriate team or other entity to take an appropriate action, such as blocking an organization's computer systems from accessing those sites or investigating systems that have visited those sites to identify infection and compromise.

Another example of enrichment through feature fusion may include intersecting datasets. Additional insights may be gleaned by intersecting certain data sets, such as source information, destination information and/or enrichment data. FIG. 2 is an exemplary illustration of data enrichment for multi-level fusion, according to an embodiment of the present invention. Specifically, FIG. 2 is an exemplary illustration of intersecting datasets. Source information 210 may be in terms of traffic flow, where source is an initiating IP address. For example, "SI" may indicate IP addresses internal to a company enterprise and "SE" may indicate IP addresses external to the company. Other examples may include SI(1), which indicates company desktop networks, SI(2), which indicates company server LAN, and SI(3), which indicates company DMZ. Company DMZ may include a protected network segment which exposes a company's services to an untrusted website or other source. Other sources may be identified and applied as well.

Destination information 220 may also be in terms of traffic flow, where destination is a terminating IP address.
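Burst and dip detection as described for Data Enrichment step 130, as an added example that is not the patent's code: constructed log lines are parsed into per-source events, the events are counted in fixed time windows, and each window is compared with an assumed expected rate for a normal user. The line format, the window size, the expected rate and the burst/dip factors are all placeholders for values an operator would set or learn from history.

```python
"""Added example (not the patent's code): burst/dip detection on per-source
activity counted in fixed windows."""
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic): "<epoch seconds> <ip> <action>".
# 10.0.0.5 is steady with a gap; 10.0.0.9 fires six transactions in six seconds.
SAMPLE_LOG = """\
1000 10.0.0.5 login
1060 10.0.0.5 transfer
1120 10.0.0.5 transfer
this line is malformed and must be skipped
1300 10.0.0.5 transfer
1301 10.0.0.9 transfer
1302 10.0.0.9 transfer
1303 10.0.0.9 transfer
1304 10.0.0.9 transfer
1305 10.0.0.9 transfer
1306 10.0.0.9 transfer
1360 10.0.0.5 transfer
"""

LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<ip>\d+\.\d+\.\d+\.\d+) (?P<action>\w+)$")


def parse_events(text):
    """Feature extraction: pull (timestamp, source ip) out of raw lines.
    Lines that do not match the expected format are dropped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m["ts"]), m["ip"]))
    return events


def window_counts(events, window):
    """Count events per source in fixed windows of `window` seconds."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, ip in events:
        counts[ip][ts // window] += 1
    return counts


def detect_bursts_and_dips(events, window=60, expected_per_window=1.0,
                           burst_factor=5.0, dip_factor=0.2):
    """Return {ip: {"bursts": [window indexes], "dips": [window indexes]}}.

    A burst is a window whose count is at least burst_factor times the expected
    rate. A dip is a window inside the source's active span whose count is at
    most dip_factor times the expected rate, i.e. a sudden drop in otherwise
    steady activity. Windows before the first or after the last event are not
    scored, so a source that simply stopped reporting is not flagged as dipping."""
    findings = {}
    for ip, windows in window_counts(events, window).items():
        first, last = min(windows), max(windows)
        bursts, dips = [], []
        for w in range(first, last + 1):
            c = windows.get(w, 0)
            if c >= burst_factor * expected_per_window:
                bursts.append(w)
            elif c <= dip_factor * expected_per_window:
                dips.append(w)
        findings[ip] = {"bursts": bursts, "dips": dips}
    return findings


def classify(findings):
    """Label each source for the action/reaction stage: a burst suggests
    automation where human interaction is expected; a dip is a change worth
    a look; anything else is within expectation."""
    labels = {}
    for ip, f in findings.items():
        if f["bursts"]:
            labels[ip] = "burst"
        elif f["dips"]:
            labels[ip] = "dip"
        else:
            labels[ip] = "normal"
    return labels


if __name__ == "__main__":
    found = detect_bursts_and_dips(parse_events(SAMPLE_LOG))
    for ip, label in classify(found).items():
        print(ip, label, found[ip])
```

Scoring against a fixed expected rate keeps a single-window source from being its own baseline (a burst compared only with itself would never register); replacing `expected_per_window` with a per-source historical mean is the natural next step when history is available.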
For example, "DI" may indicate IP addresses internal to a company enterprise and "DE" may indicate IP addresses external to a company. Other examples may include DI(1), which indicates company desktop networks, DI(2), which indicates company server LAN, DI(3), which indicates company DMZ, and DE(1), which indicates company website. Other destinations may be identified and applied as well.

Enrichment 230 may include additional attributes which may be used to correlate traffic patterns to types of activity or threat classifications. Examples of enrichment datasets may include EI(1), which indicates internal darknet, and EI(2), which indicates external darknet. Darknets may refer to machines or websites unreachable by other computers on the Internet. If a darknet is active, it is likely misconfigured or malicious. Other examples of enrichment datasets may include EI(3), which represents online logs, EI(4), which represents outgoing logs, EI(5), which represents firewall logs, EI(6), which represents antivirus (AV) infected hosts, EI(7), which represents phishing URLs, EE(1), which also represents phishing URLs, EE(2), which represents botnet drone lists, EE(3), which represents infection URLs, and EE(4), which represents mule and account takeover (ATO) feeds. Other enrichment datasets may be identified and applied as well.

By intersecting various combinations of source information and destination information with enrichment data, an embodiment of the present invention may reveal certain datasets of interest. For example, the intersection of internal assets SI(1) initiating communication with internal servers DI(2) may represent expected internal LAN/WAN traffic. According to another example, the intersection of any internal asset (SI) initiating communication with external/internal systems (DE) where the traffic is logged by a Darknet Sensor (EI(1)) may include traffic not configured to use company web proxies and thereby represent misconfigured or infected assets. According to another example, the intersection of external/Internet systems (SE) initiating communication with company website web servers DE(1) may represent systems visiting the company website. The intersection of company website visitors (SE and DE(1)) with retail online banking logs (EI(3)) may represent likely company online banking customers. The intersection of company online banking customers (SE and DE(1) and EI(3)) with internally logged phishing URLs may represent customers redirected from a phishing site to the company website, who are likely phishing victims. The intersection of company online banking customers (SE and DE(1) and EI(3)) with externally tracked

Situational awareness may be displayed via a graphical user interface or sent to a recipient as a report or other format. Decision Fusion step 160 may generate an Autonomic Response 170, Investigation 180, Incidents of Interest 190 and/or other output. Examples of Autonomic Responses, as shown by 172, may include evaluate intelligence source, reimage system, dismiss threat, issue fraud alert, lock account, identify and/or contact fraud actors, identify and/or contact victimized accounts, etc. Examples of investigations, as shown by 182, may include issuing a suspicious activity report and identifying a money mule and/or other network. In addition, feedback from Decision Fusion step 160 to Data Aggregator step 110 may provide tuning and continuous improvement via 162, which may occur via adaptive algorithms.

For example, an expert system program may analyze the fused data to identify potential exposure of Personally Identifiable Information (PII). The system may use specific criteria to evaluate antivirus scanning results, network flows and proxy logs. The system may identify a host that has had several malware infections and has been sending uncharacteristically large volumes of data out of the firm. The destination IP addresses may be listed as a Botnet Command and Control Server. The system may programmatically initiate a scan of the target host for PII, open a case and notify an investigator.

FIG. 3 is an exemplary diagram of a system 300 for implementing multi-level data fusion, according to an embodiment of the present invention. For example, Processor 310 may include various modules and interfaces for analyzing data and identifying fraudulent and potentially fraudulent events, according to an embodiment of the present invention. Processor 310 may include Data Aggregator 312, Feature Extraction Module 314, Enrich-Data Fusion Module 316, Enrich-Feature Fusion Module 318, Fused Dataset Module 320, Decision Fusion Module 322, Interface 324 and/or other modules, interfaces and/or processors, as represented by Other Module 326. While a single illustrative block, module or component is shown, these illustrative blocks, modules or components may be multiplied for various applications or different application environments. In addition, the modules or components may be further combined into a consolidated unit. Other architectures may be realized. The modules and/or components may be further duplicated, combined and/or separated across multiple systems at local and/or remote locations.

Data Aggregator 312 may aggregate data from various sources, such as internal source 330, external source 332 and/or other sources represented by 324. The data may
infected, botnet systems (EE(2)) may represent likely com include structured and unstructured data. Certain data may
promised accounts. 50 then be extracted from the aggregated data and further clas
Analysis at Fused Dataset step 150 by community detec sified in a useful format by Feature Extraction Module 314.
tion algorithms may identify a set of computers infected with The extracted feature data may then be compiled into catego
a piece of malware. Further analysis may identify an addi ries and further used to generate actionable reports at Enrich
tional set of computers with similar characteristics but are not Data Fusion Module 316. The resulting data may then be
yet infected. The organization incident handlers may under 55 enriched by further aggregating the data by similar/like fea
stand which systems need to be cleaned and which ones need tures at Enrich-Feature Fusion Module 318. Fused Datasets
to be remediated before the infection spreads further. Module 320 may then output the resulting data. An algorithm
Decision Fusion step 160 may apply a series of artificial may be applied by Decision Fusion Module 322 to identify
intelligence algorithms to the Fused Data from Fused Dataset appropriate actions, such as autonomic responses, investiga
step 150. Initially, the results may be categorized as issues 60 tions, identification of incidents of interest and/or other
requiring investigations, information security incidents of actions.
interest, and autonomic responses. In addition, the process For example, System 110 may access and/or maintain
may be adjusted to facilitate additional categories. In addition Database 350 and/or other database 352. While a single data
to supporting Decision Fusion 160, Fused Dataset 150 may be base is illustrated in the exemplary figure, the system may
leveraged by other programs to produce situational aware 65 include multiple databases at the same location or separated
ness, as shown by 152. This may be delivered in the form of through multiple locations. The databases may be further
audio or visual queues, charts, graphs, and other formats. combined and/or separated. In addition, the databases may be
US 9,038,177 B1
7 8
supported by Processor 310 or an independent service provider. For example, an independent service provider may support the one or more databases and/or other functionality at a remote location. Other architectures may be realized. The components of the exemplary system diagrams may be duplicated, combined, separated and/or otherwise modified, as desired by various applications of the embodiments of the present invention as well as different environments and platforms. Various users 342, 344 may access Processor 310 through Communication Network 340.

An exemplary use case may involve identification of a skimming suspect. For example, there may be a scenario where multiple instances of debit card skimmers are found at retail bank branches in a specific geography. As surveillance video is processed by an embodiment of the present invention, entities may be identified by the correlation of their appearance, facial recognition from ATM cameras and the debit card used to access the bank vestibule or ATM. Comparisons may be made with other images matching in appearance and correlated to the use of the specific debit card. Anomalies may be detected which may enable the system to distinguish the legitimate owner of the debit card from the suspect. Analysis of additional video may determine other ATMs which potentially have skimmers. An embodiment of the present invention may then open a case with the pertinent detail including a picture of the suspect from the ATM camera, a list of impacted ATMs and/or other relevant information.

Another exemplary use case may involve reimaging of an infected desktop. An embodiment of the present invention may receive a message from an email list identifying several Zeus malware domains and/or other types of crimeware and viruses. Analysis of network flows and proxy logs may indicate that every time the user accesses his bank account, the computer sends a small amount of data to the suspect domains. An embodiment of the present invention may spawn a PII scan which returns a negative result. In response, an embodiment of the present invention may open an IT request to reinstall the operating system on the suspect system.

Another exemplary use case may involve detection of a money mule network. According to this example, an analyst may be notified by an intelligence source of an IP address used by a known money mule handler. The analyst may input the IP address into a system of an embodiment of the present invention. The system's evaluation of the IP address against online banking logs may identify several accounts which may have been accessed from that IP address and a single device token, such as a smartphone, laptop, personal computer, mobile device, etc. Further analysis using the identified device token may identify additional accounts accessed using the same device token but from different IP addresses. An embodiment of the present invention may apply a community detection algorithm seeded with the known IP addresses and device token. The results may include a voluminous list of accounts with fraudulent deposits and withdrawals. Enriching the output by filtering against known benign activity may reduce errors and improve accuracy. In response, an embodiment of the present invention may place the identified accounts on Fraud Alert Status, open a case containing the pertinent data and notify an investigator.

Another exemplary use case may involve credit cards. According to this example, an embodiment of the present invention may receive a list of compromised credit card numbers from various intelligence sources. Analysis of card data may reveal which accounts are valid and open. The system of an embodiment of the present invention may place the card on Fraud Alert and escalate to a cards investigation team. The system of an embodiment of the present invention may notify money movement organizations, such as Western Union and Moneygram, who may place the cards on a fraud watch list.

While the exemplary embodiments illustrated herein may show the various embodiments of the invention (or portions thereof) collocated, it is to be appreciated that the various components of the various embodiments may be located at distant portions of a distributed network, such as a local area network, a wide area network, a telecommunications network, an intranet and/or the Internet, or within a dedicated object handling system. Thus, it should be appreciated that the components of the various embodiments may be combined into one or more devices or collocated on a particular node of a distributed network, such as a telecommunications network, for example. As will be appreciated from the following description, and for reasons of computational efficiency, the components of the various embodiments may be arranged at any location within a distributed network without affecting the operation of the respective system.

Data and information maintained by Processor 310 may be stored and cataloged in Databases 350, 352 which may comprise or interface with a searchable database. Databases 350, 352 may comprise, include or interface to a relational database. Other databases, such as a query format database, a Structured Query Language (SQL) format database, a storage area network (SAN), or another similar data storage device, query format, platform or resource may be used. Databases 350, 352 may comprise a single database or a collection of databases, dedicated or otherwise. In one embodiment, Databases 350, 352 may store or cooperate with other databases to store the various data and information described herein. In some embodiments, Databases 350, 352 may comprise a file management system, program or application for storing and maintaining data and information used or generated by the various features and functions of the systems and methods described herein. In some embodiments, Databases 350, 352 may store, maintain and permit access to customer information, transaction information, account information, and general information used to process transactions as described herein. In some embodiments, Databases 350, 352 are connected directly to Processor 310; in other embodiments they are accessible through a network, such as the communication network, for example.

Communication Network 340 may be comprised of, or may interface to any one or more of the Internet, an intranet, a Personal Area Network (PAN), a Local Area Network (LAN), a Wide Area Network (WAN), a Metropolitan Area Network (MAN), a storage area network (SAN), a frame relay connection, an Advanced Intelligent Network (AIN) connection, a synchronous optical network (SONET) connection, a digital T1, T3, E1 or E3 line, a Digital Data Service (DDS) connection, a Digital Subscriber Line (DSL) connection, an Ethernet connection, an Integrated Services Digital Network (ISDN) line, a dial-up port such as a V.90, a V.34 or a V.34bis analog modem connection, a cable modem, an Asynchronous Transfer Mode (ATM) connection, a Fiber Distributed Data Interface (FDDI) connection, or a Copper Distributed Data Interface (CDDI) connection.

Communication Network 340 may also comprise, include or interface to any one or more of a Wireless Application Protocol (WAP) link, a General Packet Radio Service (GPRS) link, a Global System for Mobile Communication (GSM) link, a Code Division Multiple Access (CDMA) link or a Time Division Multiple Access (TDMA) link such as a cellular phone channel, a Global Positioning System (GPS) link, a cellular digital packet data (CDPD) link, a Research in Motion, Limited (RIM) duplex paging type device, a Bluetooth radio link, or an IEEE 802.11-based radio frequency link. Communications Network 340 may further comprise, include or interface to any one or more of an RS-232 serial connection, an IEEE-1394 (Firewire) connection, a Fibre Channel connection, an infrared (IrDA) port, a Small Computer Systems Interface (SCSI) connection, a Universal Serial Bus (USB) connection or another wired or wireless, digital or analog interface or connection.

In some embodiments, Communication Network 340 may comprise a satellite communications network, such as a direct broadcast communication system (DBS) having the requisite number of dishes, satellites and transmitter/receiver boxes, for example. The communications network may also comprise a telephone communications network, such as the Public Switched Telephone Network (PSTN). In another embodiment, communication network 120 may comprise a Private Branch Exchange (PBX), which may further connect to the PSTN.

In some embodiments, Processor 310 may include any terminal (e.g., a typical home or personal computer system, telephone, personal digital assistant (PDA) or other like device) whereby a user may interact with a network, such as a communications network that is responsible for transmitting and delivering data and information used by the various systems and methods described herein. Processor 310 may include, for instance, a personal or laptop computer, a telephone, or PDA. Processor 310 may include a microprocessor, a microcontroller or other general or special purpose device operating under programmed control. Processor 310 may further include an electronic memory such as a random access memory (RAM) or electronically programmable read only memory (EPROM), a storage such as a hard drive, a CDROM or a rewritable CDROM or another magnetic, optical or other media, and other associated components connected over an electronic bus, as will be appreciated by persons skilled in the art. Processor 310 may be equipped with an integral or connectable cathode ray tube (CRT), a liquid crystal display (LCD), electroluminescent display, a light emitting diode (LED) or another display screen, panel or device for viewing and manipulating files, data and other resources, for instance using a graphical user interface (GUI) or a command line interface (CLI). Processor 310 may also include a network enabled appliance, a browser-equipped or other network-enabled cellular telephone, or another TCP/IP client or other device.

As described above, FIG. 3 shows embodiments of a system of the invention. The system of the invention or portions of the system of the invention may be in the form of a "processing machine", such as a general purpose computer, for example. As used herein, the term "processing machine" is to be understood to include at least one processor that uses at least one memory. The at least one memory stores a set of instructions. The instructions may be either permanently or temporarily stored in the memory or memories of the processing machine. The processor executes the instructions that are stored in the memory or memories in order to process data. The set of instructions may include various instructions that perform a particular task or tasks, such as those tasks described above in the flowcharts. Such a set of instructions for performing a particular task may be characterized as a program, software program, or simply software.

As noted above, the processing machine executes the instructions that are stored in the memory or memories to process data. This processing of data may be in response to commands by a user or users of the processing machine, in response to previous processing, in response to a request by another processing machine and/or any other input, for example. As described herein, a module performing functionality may comprise a processor and vice-versa.

As noted above, the processing machine used to implement the invention may be a general purpose computer. However, the processing machine described above may also utilize any of a wide variety of other technologies including a special purpose computer, a computer system including a microcomputer, mini-computer or mainframe for example, a programmed microprocessor, a micro-controller, a peripheral integrated circuit element, a CSIC (Customer Specific Integrated Circuit) or ASIC (Application Specific Integrated Circuit) or other integrated circuit, a logic circuit, a digital signal processor, a programmable logic device such as a FPGA, PLD, PLA or PAL, or any other device or arrangement of devices that is capable of implementing the steps of the process of the invention.

It is appreciated that in order to practice the method of the invention as described above, it is not necessary that the processors and/or the memories of the processing machine be physically located in the same geographical place. That is, each of the processors and the memories used in the invention may be located in geographically distinct locations and connected so as to communicate in any suitable manner. Additionally, it is appreciated that each of the processor and/or the memory may be composed of different physical pieces of equipment. Accordingly, it is not necessary that the processor be one single piece of equipment in one location and that the memory be another single piece of equipment in another location. That is, it is contemplated that the processor may be two pieces of equipment in two different physical locations. The two distinct pieces of equipment may be connected in any suitable manner. Additionally, the memory may include two or more portions of memory in two or more physical locations.

To explain further, processing as described above is performed by various components and various memories. However, it is appreciated that the processing performed by two distinct components as described above may, in accordance with a further embodiment of the invention, be performed by a single component. Further, the processing performed by one distinct component as described above may be performed by two distinct components. In a similar manner, the memory storage performed by two distinct memory portions as described above may, in accordance with a further embodiment of the invention, be performed by a single memory portion. Further, the memory storage performed by one distinct memory portion as described above may be performed by two memory portions.

Further, various technologies may be used to provide communication between the various processors and/or memories, as well as to allow the processors and/or the memories of the invention to communicate with any other entity; e.g., so as to obtain further instructions or to access and use remote memory stores, for example. Such technologies used to provide such communication might include a network, the Internet, Intranet, Extranet, LAN, an Ethernet, or any client server system that provides communication, for example. Such communications technologies may use any suitable protocol such as TCP/IP, UDP, or OSI, for example.

As described above, a set of instructions is used in the processing of the invention. The set of instructions may be in the form of a program or software. The software may be in the form of system software or application software, for example. The software might also be in the form of a collection of separate programs, a program module within a larger program, or a portion of a program module, for example. The software used might also include modular programming in
the form of object oriented programming. The software tells the processing machine what to do with the data being processed.

Further, it is appreciated that the instructions or set of instructions used in the implementation and operation of the invention may be in a suitable form such that the processing machine may read the instructions. For example, the instructions that form a program may be in the form of a suitable programming language, which is converted to machine language or object code to allow the processor or processors to read the instructions. That is, written lines of programming code or source code, in a particular programming language, are converted to machine language using a compiler, assembler or interpreter. The machine language is binary coded machine instructions that are specific to a particular type of processing machine, i.e., to a particular type of computer, for example. The computer understands the machine language.

Any suitable programming language may be used in accordance with the various embodiments of the invention. Illustratively, the programming language used may include assembly language, Ada, APL, Basic, C, C++, COBOL, dBase, Forth, Fortran, Java, Modula-2, Pascal, Prolog, REXX, Visual Basic, and/or JavaScript, for example. Further, it is not necessary that a single type of instructions or single programming language be utilized in conjunction with the operation of the system and method of the invention. Rather, any number of different programming languages may be utilized as is necessary or desirable.

Also, the instructions and/or data used in the practice of the invention may utilize any compression or encryption technique or algorithm, as may be desired. An encryption module might be used to encrypt data. Further, files or other data may be decrypted using a suitable decryption module, for example.

As described above, the invention may illustratively be embodied in the form of a processing machine, including a computer or computer system, for example, that includes at least one memory. It is to be appreciated that the set of instructions, i.e., the software for example, that enables the computer operating system to perform the operations described above may be contained on any of a wide variety of media or medium, as desired. Further, the data that is processed by the set of instructions might also be contained on any of a wide variety of media or medium. That is, the particular medium, i.e., the memory in the processing machine, utilized to hold the set of instructions and/or the data used in the invention may take on any of a variety of physical forms or transmissions, for example. Illustratively, the medium may be in the form of paper, paper transparencies, a compact disk, a DVD, an integrated circuit, a hard disk, a floppy disk, an optical disk, a magnetic tape, a RAM, a ROM, a PROM, an EPROM, a wire, a cable, a fiber, a communications channel, a satellite transmission or other remote transmission, as well as any other medium or source of data that may be read by the processors of the invention.

Further, the memory or memories used in the processing machine that implements the invention may be in any of a wide variety of forms to allow the memory to hold instructions, data, or other information, as is desired. Thus, the memory might be in the form of a database to hold data. The database might use any desired arrangement of files such as a flat file arrangement or a relational database arrangement, for example.

In the system and method of the invention, a variety of "user interfaces" may be utilized to allow a user to interface with the processing machine or machines that are used to implement the invention. As used herein, a user interface includes any hardware, software, or combination of hardware and software used by the processing machine that allows a user to interact with the processing machine. A user interface may be in the form of a dialogue screen for example. A user interface may also include any of a mouse, touch screen, keyboard, voice reader, voice recognizer, dialogue screen, menu box, list, checkbox, toggle switch, a pushbutton or any other device that allows a user to receive information regarding the operation of the processing machine as it processes a set of instructions and/or provide the processing machine with information. Accordingly, the user interface is any device that provides communication between a user and a processing machine. The information provided by the user to the processing machine through the user interface may be in the form of a command, a selection of data, or some other input, for example.

As discussed above, a user interface is utilized by the processing machine that performs a set of instructions such that the processing machine processes data for a user. The user interface is typically used by the processing machine for interacting with a user either to convey information or receive information from the user. However, it should be appreciated that in accordance with some embodiments of the system and method of the invention, it is not necessary that a human user actually interact with a user interface used by the processing machine of the invention. Rather, it is contemplated that the user interface of the invention might interact, i.e., convey and receive information, with another processing machine, rather than a human user. Accordingly, the other processing machine might be characterized as a user. Further, it is contemplated that a user interface utilized in the system and method of the invention may interact partially with another processing machine or processing machines, while also interacting partially with a human user.

Further, although the embodiments of the present inventions have been described herein in the context of a particular implementation in a particular environment for a particular purpose, those of ordinary skill in the art will recognize that its usefulness is not limited thereto and that the embodiments of the present inventions can be beneficially implemented in any number of environments for any number of purposes. Accordingly, the claims set forth below should be construed in view of the full breadth and spirit of the embodiments of the present inventions as disclosed herein.

The invention claimed is:

1. A computer implemented method for implementing data fusion, the method comprising the steps of:
aggregating data from a plurality of sources via one or more computer networks, wherein the data comprises at least unstructured data wherein the unstructured data comprises video, images and voice data;
extracting one or more features from the aggregated data;
enriching the extracted data by compiling the data into one or more categories to identify one or more variances in volume, acceleration, deceleration and velocity of activity; wherein the step of enriching the extracted data further comprises the step of aggregating the enriched extracted data by similar features and generating an actionable report in response;
generating one or more datasets based on the enriched data for identifying potentially fraudulent activity; and
automatically identifying one or more proposed actions, based at least in part on the actionable report, to address the potentially fraudulent activity using a graphical interface; wherein the one or more proposed actions are identified from a group comprising at least an autonomic response, investigation and incident of interest.

2. The method of claim 1, wherein the plurality of sources comprises a combination of external sources including one or more of the following: external network telemetry, malware data, external mail lists, blogs, news and RSS feeds.

3. The method of claim 1, wherein the plurality of sources comprises a combination of internal sources including one or more of the following: network telemetry, vulnerability assessment, asset inventory, video and move-money data.

4. The method of claim 1, wherein the one or more features comprises one or more of information source, network, device, vulnerability, threats, exposure, actors, victims and targets.

5. The method of claim 1, wherein the one or more categories comprises threat data, attack data, network data, vulnerability data, asset data, victim data and targeting detail.

6. The method of claim 1, wherein the step of enriching further comprises identifying a burst activity.

7. The method of claim 1, wherein the step of enriching further comprises identifying a dip activity.

8. The method of claim 1, wherein the one or more proposed actions is displayed as a graphical representation.

9. The method of claim 1, wherein the one or more proposed actions comprises initiating an investigation.

10. A computer implemented system for implementing data fusion, the system comprising:
a processor; and
a memory comprising computer-readable instructions which when executed by the processor cause the processor to perform the steps comprising:
aggregating data from a plurality of sources via one or more computer networks, wherein the data comprises at least unstructured data wherein the unstructured data comprises video, images and voice data;
extracting one or more features from the aggregated data;
enriching the extracted data by compiling the data into one or more categories to identify one or more variances in volume, acceleration, deceleration and velocity of activity; wherein the step of enriching the extracted data further comprises the step of aggregating the enriched extracted data by similar features and generating an actionable report in response;
generating one or more datasets based on the enriched data for identifying potentially fraudulent activity; and
automatically identifying one or more proposed actions, based at least in part on the actionable report, to address the potentially fraudulent activity using a graphical interface; wherein the one or more proposed actions are identified from a group comprising at least an autonomic response, investigation and incident of interest.

11. The system of claim 10, wherein the plurality of sources comprises a combination of external sources including one or more of the following: external network telemetry, malware data, external mail lists, blogs, news and RSS feeds.

12. The system of claim 10, wherein the plurality of sources comprises a combination of internal sources including one or more of the following: network telemetry, vulnerability assessment, asset inventory, video and move-money data.

13. The system of claim 10, wherein the one or more features comprises one or more of information source, network, device, vulnerability, threats, exposure, actors, victims and targets.

14. The system of claim 10, wherein the one or more categories comprises threat data, attack data, network data, vulnerability data, asset data, victim data and targeting detail.

15. The system of claim 10, wherein the data enrichment module identifies a burst activity.

16. The system of claim 10, wherein the data enrichment module identifies a dip activity.

17. The system of claim 10, wherein the one or more proposed actions is displayed as a graphical representation.

18. The system of claim 10, wherein the one or more proposed actions comprises initiating an investigation.
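The set-intersection analysis in the detailed description above (internal assets SI, internal servers DI, external systems SE, the company web servers DE(1), the darknet sensor EI(1), the online banking logs EI(3), the phishing URL feeds and the botnet drone list EE(2)) can be carried out directly as set operations over flow and log records. The block below is an added example, not code from the patent or its assignee: the flow records, addresses, account identifiers and feed layouts are constructed for illustration, the 10.0.0.0/8 internal range and the 10.250.0.0/16 darknet range are assumptions, and using the HTTP referer in the banking log to recognise a redirect from a phishing site is an assumption about how that feed would be joined.

```python
"""Set-intersection data fusion over constructed flow records and enrichment feeds.

Added example; all data below is constructed and the feed layouts are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Internal address space (assumed).
INTERNAL_NET = ip_network("10.0.0.0/8")

# SI and DI: internal assets and internal servers from an asset inventory (constructed).
SI_INTERNAL_ASSETS = {"10.1.1.10", "10.1.1.11", "10.1.1.12"}
DI_INTERNAL_SERVERS = {"10.2.0.5", "10.2.0.6"}
# DE(1): the company's public web servers (constructed, documentation range).
DE1_COMPANY_WEB = {"203.0.113.10"}
# EI(1): unused internal address space watched by the darknet sensor (assumed).
EI1_DARKNET_SPACE = ip_network("10.250.0.0/16")
# EI(3): retail online banking logs, client IP -> (account, referer) (constructed).
EI3_BANKING_LOGS = {
    "198.51.100.7": ("acct-1001", "https://www.example-bank.test/login"),
    "198.51.100.8": ("acct-1002", "http://secure-login.phish.test/bank"),
    "198.51.100.9": ("acct-1003", "https://www.example-bank.test/login"),
}
# EI(7) / EE(1): phishing hosts logged internally and externally (constructed).
PHISHING_HOSTS = {"secure-login.phish.test"}
# EE(2): externally tracked botnet drones (constructed).
EE2_BOTNET_DRONES = {"198.51.100.9", "192.0.2.77"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str


# Constructed flow records (source -> destination).
FLOWS = [
    Flow("10.1.1.10", "10.2.0.5"),         # internal asset -> internal server
    Flow("10.1.1.11", "10.250.3.9"),       # internal asset -> darknet space
    Flow("10.1.1.12", "203.0.113.10"),     # internal asset -> company web server
    Flow("198.51.100.7", "203.0.113.10"),  # external visitors to the web server
    Flow("198.51.100.8", "203.0.113.10"),
    Flow("198.51.100.9", "203.0.113.10"),
    Flow("192.0.2.50", "203.0.113.10"),    # visitor with no banking login
]


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL_NET


def expected_internal_traffic(flows):
    """SI -> DI: expected LAN/WAN traffic."""
    return {f for f in flows
            if f.src in SI_INTERNAL_ASSETS and f.dst in DI_INTERNAL_SERVERS}


def misconfigured_or_infected_assets(flows):
    """SI sources whose traffic was logged by the darknet sensor (EI(1))."""
    return {f.src for f in flows
            if f.src in SI_INTERNAL_ASSETS and ip_address(f.dst) in EI1_DARKNET_SPACE}


def website_visitors(flows):
    """SE -> DE(1): external systems that reached the company website."""
    return {f.src for f in flows
            if not is_internal(f.src) and f.dst in DE1_COMPANY_WEB}


def banking_customers(flows):
    """(SE and DE(1)) intersected with EI(3): visitor IP -> account."""
    return {ip: EI3_BANKING_LOGS[ip][0]
            for ip in website_visitors(flows) if ip in EI3_BANKING_LOGS}


def phishing_victims(flows):
    """Banking customers whose session arrived from a logged phishing host."""
    victims = set()
    for ip, acct in banking_customers(flows).items():
        referer_host = urlparse(EI3_BANKING_LOGS[ip][1]).hostname
        if referer_host in PHISHING_HOSTS:
            victims.add(acct)
    return victims


def compromised_accounts(flows):
    """Banking customers whose client IP is an externally tracked drone (EE(2))."""
    return {acct for ip, acct in banking_customers(flows).items()
            if ip in EE2_BOTNET_DRONES}


if __name__ == "__main__":
    print("expected internal:", sorted(f.src for f in expected_internal_traffic(FLOWS)))
    print("misconfigured/infected:", sorted(misconfigured_or_infected_assets(FLOWS)))
    print("phishing victims:", sorted(phishing_victims(FLOWS)))
    print("compromised accounts:", sorted(compromised_accounts(FLOWS)))
```

Each function is one of the intersections named in the description, composed from the previous one, so the chain SE and DE(1), then EI(3), then the phishing or botnet feed, reads the same way in code as in the text.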
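The PII-exposure rule given in the description above (a host with several malware infections that has been sending uncharacteristically large volumes of data out of the firm to an address on a botnet command-and-control list, which the expert system answers by starting a PII scan, opening a case and notifying an investigator) is a three-criterion rule over AV, flow and threat-feed data. The block below is an added example and not the patent's or the assignee's code; the AV records, flow summaries and C2 list are constructed, and the thresholds (at least two infections, outbound volume above ten times the fleet median) are assumptions chosen for illustration.

```python
"""Expert-system rule for the PII-exposure scenario over constructed AV, flow and C2 data.

Added example; the records and the thresholds are assumptions made for illustration.
"""
from collections import defaultdict
from statistics import median

# EI(6): antivirus infected-host records, host -> infection dates (constructed).
AV_INFECTIONS = {
    "ws-017": ["2011-03-01", "2011-03-09", "2011-03-15"],
    "ws-042": ["2011-03-12"],
}
# Outbound flow summaries: (host, destination IP, bytes out) (constructed).
OUTBOUND_FLOWS = [
    ("ws-017", "192.0.2.44", 900_000_000),
    ("ws-017", "203.0.113.80", 120_000),
    ("ws-042", "203.0.113.80", 150_000),
    ("ws-099", "203.0.113.80", 140_000),
    ("ws-100", "203.0.113.80", 130_000),
]
# Botnet command-and-control addresses from an external feed (constructed).
C2_SERVERS = {"192.0.2.44"}

# Rule thresholds (assumptions, not values from the patent).
MIN_INFECTIONS = 2        # "several malware infections"
VOLUME_MULTIPLIER = 10    # "uncharacteristically large" = 10x the fleet median


def outbound_totals(flows):
    """Total bytes sent out of the firm per host."""
    totals = defaultdict(int)
    for host, _dst, nbytes in flows:
        totals[host] += nbytes
    return dict(totals)


def c2_destinations(flows, c2):
    """Per host, the destinations that appear on the C2 list."""
    hits = defaultdict(set)
    for host, dst, _nbytes in flows:
        if dst in c2:
            hits[host].add(dst)
    return dict(hits)


def evaluate(av, flows, c2):
    """Apply all three criteria; a host meeting them gets the programmatic response."""
    totals = outbound_totals(flows)
    baseline = median(totals.values())
    hits = c2_destinations(flows, c2)
    findings = {}
    for host, nbytes in totals.items():
        infections = len(av.get(host, []))
        if (infections >= MIN_INFECTIONS
                and nbytes > VOLUME_MULTIPLIER * baseline
                and host in hits):
            findings[host] = {
                "infections": infections,
                "bytes_out": nbytes,
                "c2_destinations": sorted(hits[host]),
                "actions": ["initiate PII scan", "open case", "notify investigator"],
            }
    return findings


if __name__ == "__main__":
    for host, finding in evaluate(AV_INFECTIONS, OUTBOUND_FLOWS, C2_SERVERS).items():
        print(host, finding)
```

The volume criterion is relative to the fleet median rather than a fixed byte count so that a single busy host cannot make the rule blind to the rest of the fleet; the C2 match and the infection count are both required, which is what keeps a merely chatty but clean host out of the findings.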
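The money mule use case above (an analyst seeds the system with a handler's IP address, the system finds accounts accessed from that IP and a shared device token, pivots through the token to accounts reached from other IPs, runs community detection seeded with the IP and token, and filters the result against known benign activity before placing accounts on Fraud Alert Status) is, at its core, a seeded connected-component search over an account, IP and device-token graph. The block below is an added example, not the patent's or the assignee's code: the access log is constructed, the benign allowlist (a carrier NAT address that many unrelated customers share) is an assumption, and the decision rule that accounts touching a seed directly get an autonomic Fraud Alert while transitively linked accounts go to investigation is an assumption made to show the decision-fusion categories in use.

```python
"""Seeded community detection over a constructed online banking access log.

Added example; the log, the benign allowlist and the action rule are assumptions.
"""
from collections import defaultdict, deque

# Constructed access log rows: (account, client IP, device token).
ACCESS_LOG = [
    ("acct-2001", "192.0.2.10", "dev-A"),     # handler IP and device A
    ("acct-2002", "192.0.2.10", "dev-A"),
    ("acct-2003", "198.51.100.5", "dev-A"),   # same device, different IP
    ("acct-2004", "198.51.100.5", "dev-B"),   # linked only through that IP
    ("acct-2004", "203.0.113.1", "dev-B"),    # also seen behind a carrier NAT
    ("acct-2006", "203.0.113.1", "dev-D"),    # unrelated customer behind the same NAT
    ("acct-2005", "203.0.113.9", "dev-C"),    # unrelated customer
]

# Seeds from the intelligence source: the handler's IP and the device token seen with it.
SEEDS = {"ip:192.0.2.10", "dev:dev-A"}
# Known benign pivots (assumed): a shared NAT address that must not link accounts.
BENIGN_NODES = frozenset({"ip:203.0.113.1"})


def build_graph(log):
    """Undirected graph with account, IP and device nodes; each log row adds two edges."""
    adj = defaultdict(set)
    for acct, ip, dev in log:
        a, i, d = f"acct:{acct}", f"ip:{ip}", f"dev:{dev}"
        adj[a].update({i, d})
        adj[i].add(a)
        adj[d].add(a)
    return adj


def seeded_community(adj, seeds, benign=frozenset()):
    """Breadth-first expansion from the seeds, refusing to pivot through benign nodes."""
    seen = set(seeds)
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt in seen or nxt in benign:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return seen


def linked_accounts(log, seeds, benign=frozenset()):
    """Accounts in the community reachable from the seeds."""
    community = seeded_community(build_graph(log), seeds, benign)
    return {n.split(":", 1)[1] for n in community if n.startswith("acct:")}


def propose_actions(log, seeds, benign=frozenset()):
    """Decision step: direct contact with a seed -> autonomic Fraud Alert;
    accounts linked only transitively -> open an investigation."""
    adj = build_graph(log)
    direct = {n.split(":", 1)[1]
              for s in seeds for n in adj.get(s, ()) if n.startswith("acct:")}
    return {acct: ("autonomic: fraud alert" if acct in direct else "investigation")
            for acct in linked_accounts(log, seeds, benign)}


if __name__ == "__main__":
    print("unfiltered:", sorted(linked_accounts(ACCESS_LOG, SEEDS)))
    print("benign-filtered:", sorted(linked_accounts(ACCESS_LOG, SEEDS, BENIGN_NODES)))
    for acct, action in sorted(propose_actions(ACCESS_LOG, SEEDS, BENIGN_NODES).items()):
        print(acct, "->", action)
```

Without the benign filter the shared NAT address pulls an unrelated customer (acct-2006) into the community, which is exactly the error the description says filtering against known benign activity is meant to remove; the filter works by refusing to traverse through the benign node rather than by deleting accounts afterwards, so legitimate links to the same accounts through other pivots are kept.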
