Patent Grant
11777983
The present disclosure generally relates to methods and systems for rapidly indexing and querying a database implemented using an object storage system. Some embodiments described herein relate specifically to methods and systems for rapidly determining security ratings based on data stored in a database implemented using an object storage system.
Key-value databases associate a value or values with a unique primary key. Such databases generally support point queries, such as retrieving the value(s) associated with a single key. Key-value databases may also support range queries, such as retrieving values associated with a range of ordered keys. Further, such databases may support prefix queries, whereby values associated with keys having a specified prefix are retrieved.
Key-value databases are generally implemented using filesystems on low-latency storage media such as solid-state drives or high-performance, magnetic hard drives. These low-latency storage media options may achieve query execution times within an acceptable range for many applications. However, storing large volumes of data on these devices is costly, especially when data replication, fault-tolerance, and read scalability considerations are taken into account.
Object storage systems (e.g., Amazon S3, Google Cloud Storage, etc.) generally associate a key with a block of binary data (e.g., an object), which may be of arbitrary size. Object storage systems are generally capable of storing large volumes of data at relatively low cost and with extremely high reliability. Such systems are also generally capable of supporting high read request rates for each object stored.
Compared to filesystems, however, object stores may be understood to have several significant limitations. First, requests to object storage systems generally take place over networks, and therefore suffer much higher request latencies and lower bandwidth than requests to local filesystems. For example, a command that a local file system executes in 2 milliseconds may execute in 50 milliseconds on an object storage system. Second, objects stored in an object storage system are generally immutable. Thus, in contrast to filesystems, which generally permit stored files to be modified, an object storage system may not permit any changes to stored data objects. However, an object storage system may permit an existing key (already associated with a stored data object) to be assigned to a new object, and the system may return the new object rather than the old object when queried using the key shared by the new and old objects. Third, the memory consistency guarantees provided by object storage systems are generally weaker than those of filesystems. For example, when a new version of an existing object is associated with the key assigned to the old version of the object, subsequent reads or queries against that same key may return either version of the object.
Many tools, including some tools used to rapidly produce evaluations (e.g., ratings) of the cybersecurity of an organization's network assets, would benefit greatly from the ability to make key-value point, range, and/or prefix queries into databases containing large quantities (e.g., trillions) of records with low latency (e.g., latencies of tens of milliseconds or less). Thus, there exists a current need for techniques for storing large volumes of key-value data on an object storage system, while overcoming the above-described limitations of existing object storage systems and providing acceptable query latency and throughput.
In general, one innovative aspect of the subject matter described in the present disclosure can be embodied in a system for generating security ratings, the system including a security database, an orchestrator module, and a ratings engine. The security database may include a manifest and a distributed index including a plurality of security records, wherein each of the security records includes a key and a value, each of the keys includes a network identifier of a network asset, and each of the values includes security information associated with the network asset identified by the key of the respective security record, wherein a keyspace of permissible values of the keys of the security records is partitioned into a plurality of key ranges, and wherein the manifest includes references to a plurality of segments of the distributed index, wherein the manifest and the segments are stored in an object storage system, wherein each of the segments is associated with a respective one of the key ranges and indexes a respective group of security records having keys within the associated key range. The orchestrator module may be configured to receive a request for a security rating of an entity, generate a query having a query key value matching a network identifier associated with the entity and/or network identifiers of a plurality of network assets of the entity, the query representing a request for each security record of the database having a respective key that matches the query key value, and submit the query to the security database, wherein the security database is configured to respond to the query by searching the manifest to identify one or more of the segments of the distributed index, each of the identified segments being associated with a respective key range that matches the query key value, and searching each of the identified segments of the distributed index to identify each of the security records having a respective key that matches the query key value; and a ratings engine configured to determine a security rating of the entity based on the identified security records.
Other embodiments of this aspect include corresponding methods, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the method. A system of one or more computers can be configured to perform particular actions by virtue of having software, firmware, hardware, or a combination of them installed on the system (e.g., instructions stored in one or more storage devices) that in operation causes or cause the system to perform the actions. One or more computer programs can be configured to perform particular actions by virtue of including instructions that, when executed by data processing apparatus, cause the apparatus to perform the actions.
The foregoing and other embodiments can each optionally include one or more of the following features, alone or in combination. In some embodiments, the identified segments are searched in parallel. In some embodiments, each key in the keyspace belongs to exactly one of the partitions of the keyspace. In some embodiments, the system further includes a data collector configured to collect additional security information, generate additional security records including the additional security information, and store the additional security records in the security database. In some embodiments, the system further includes an automapper configured to identify entities associated with specified network assets.
In general, another innovative aspect of the subject matter described in the present disclosure can be embodied in a database writing method, including obtaining a plurality of records to be stored in a database, wherein each record includes a respective key and value, and wherein a keyspace of permissible keys for the records is partitioned into a plurality of key ranges; dividing the records into a plurality of groups, wherein a respective one of the key ranges is assigned to each group, and wherein all the records within each group have keys that fall within the key range assigned to the group; for each group of records, generating a respective segment of a distributed index of the database, wherein each segment is associated with the key range assigned to the group of records indexed by the segment, and wherein each segment is searchable to find records indexed by the segment having keys that match a key query; storing the segments as respective objects in an object storage system; generating a manifest of the distributed index, wherein the manifest is searchable to find segments associated with key ranges that match the key query; and storing the manifest as an object in the object storage system.
Other embodiments of this aspect include corresponding systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the method. A system of one or more computers can be configured to perform particular actions by virtue of having software, firmware, hardware, or a combination of them installed on the system (e.g., instructions stored in one or more storage devices) that in operation causes or cause the system to perform the actions. One or more computer programs can be configured to perform particular actions by virtue of including instructions that, when executed by data processing apparatus, cause the apparatus to perform the actions.
The foregoing and other embodiments can each optionally include one or more of the following features, alone or in combination. In some embodiments, each segment of the distributed index is implemented as a respective tree including one or more internal nodes and one or more leaf nodes. In some embodiments, a particular segment of the distributed index is associated with a particular key range, each of the internal nodes of the particular segment represents a respective subrange of keys within the particular key range, and each of the internal nodes includes a plurality of references to other nodes of the tree. In some embodiments, each of the leaf nodes of a particular segment of the distributed index includes the values of a respective subset of the group of records assigned to the particular segment. In some embodiments, each of the leaf nodes of a particular segment of the distributed index includes one or more references to locations in a respective data file of values of a respective subset of the group of records assigned to the particular segment, and the respective data file is distinct from a file including the nodes of the particular segment.
In some embodiments, the plurality of records is a first plurality of records, the segments are first segments, and the method further includes updating the database to include a second plurality of records by: generating one or more second segments to index the second plurality of records; and storing the second segments as respective objects in the object storage system. In some embodiments, the manifest is a first manifest, and updating the database to include the second plurality of records further includes: generating a second manifest, wherein the second manifest is searchable to find first and second segments associated with key ranges that match the key query; and storing the second manifest as an object in the object storage system.
In some embodiments, the segments of the distributed index include a plurality of segments associated with a particular key range, and the actions of the method further include compacting the plurality of segments associated with the particular key range, thereby reducing a total number of segments associated with the particular key range. In some embodiments, the key of a particular record includes a network identifier of a network asset, and the value of the particular record includes security information associated with the network asset.
In general, another innovative aspect of the subject matter described in the present disclosure can be embodied in a database reading method, including: receiving, by a database, a query indicating a query key value, wherein the database includes a plurality of records each including a respective key and value, wherein the keys of the records are drawn from a keyspace of permissible keys, and wherein the query represents a request for each record of the database having a respective key that matches the query key value; searching a manifest of a distributed index of the database, wherein the manifest includes references to a plurality of segments of a distributed index, wherein the manifest and the segments are stored in an object storage system, wherein the keyspace is partitioned into a plurality of key ranges, wherein each of the segments is associated with a respective one of the key ranges and indexes a respective group of records having key values within the associated key range, and wherein the searching of the manifest identifies one or more of the segments of the distributed index, each of the identified segments being associated with a respective key range that matches the query key value; searching each of the identified segments of the distributed index to identify each record of the database having a respective key that matches the query key value; and providing the identified records to an issuer of the query.
Other embodiments of this aspect include corresponding systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the method. A system of one or more computers can be configured to perform particular actions by virtue of having software, firmware, hardware, or a combination of them installed on the system (e.g., instructions stored in one or more storage devices) that in operation causes or cause the system to perform the actions. One or more computer programs can be configured to perform particular actions by virtue of including instructions that, when executed by data processing apparatus, cause the apparatus to perform the actions.
The foregoing and other embodiments can each optionally include one or more of the following features, alone or in combination. In some embodiments, the identified segments are searched in parallel. In some embodiments, each key in the keyspace belongs to exactly one of the partitions of the keyspace. In some embodiments, each segment of the distributed index is implemented as a respective tree including one or more internal nodes and one or more leaf nodes. In some embodiments, the internal nodes include ranges of keys and the leaf nodes include key-value pairs. In some embodiments, the key of a particular record includes a network identifier of a network asset, and the value of the particular record includes security information associated with the network asset.
The details of one or more embodiments of the subject matter described in this specification are set forth in the accompanying drawings and the description below. Other features, aspects, and advantages of the subject matter will become apparent from the description, the drawings, and the claims.
The foregoing Summary, including the description of some embodiments, motivations therefor, and/or advantages thereof, is intended to assist the reader in understanding the present disclosure, and does not in any way limit the scope of any of the claims.
In the drawings, like reference characters generally refer to the same parts throughout the different views. Also, the drawings are not necessarily to scale, emphasis instead generally being placed upon illustrating the principles of the invention. In the following description, various embodiments of the present invention are described with reference to the following drawings, in which:
The present disclosure describes some embodiments of methods and techniques for implementing a database capable of efficiently storing and querying key-value pairs of records using an object storage system, rather than a traditional file system or distributed file system.
According to some embodiments, the values represent externally observable evidence of cybersecurity incidents and observations of an entity's cybersecurity, and each key represents data that can be used to attribute such values to a particular entity. In some embodiments, each key may represent an IP address or domain name corresponding to a particular entity.
As used herein, the term “object storage system” may refer to a device or set of devices (e.g., a set of devices connected by a communication network) that manages data as objects. As discussed above, an object storage system generally associates keys with objects, which may be of arbitrary size. Object storage systems are generally capable of storing large volumes of data at relatively low cost and with high reliability, and are also generally capable of supporting high read request rates for stored objects. Objects stored in an object storage system are generally immutable, and may be stored in storage devices that are accessible via a communication network.
As used herein, the term “security rating” may refer to, for example, any absolute or relative ranking, listing, scoring, description, or classification of an entity with respect to characteristics of its security state, or any combination of the foregoing.
The present disclosure describes a novel architecture and related data structures for a database that stores its records in an object storage system. As described below, this database architecture and related data structures provide for significant improvements to computer-related technology, and constitute specific implementations of solutions to problems that arise with object storage systems and, more generally, database software. In other words, the disclosed database architecture and related data structures provide solutions to problems in the software arts. For example, the disclosed database architecture not only uses an object storage system to store database records, but also uses the disclosed data structures to improve upon the high request latencies that tend to occur in conventional databases implemented using object storage systems. In addition, the disclosed database architecture also improves upon issues related to memory consistency that have been historically problematic for databases implemented using object storage systems. Thus, the improved logical structures and processes described herein constitute improvements to computer-related technology for reasons similar to those articulated by the Federal Circuit in Enfish, LLC v. Microsoft Corp, and are not abstract ideas.
For each identified network asset of the entity, the system 100 may retrieve a set of security-related events from a security database 120. This security database 120 may index data objects representing security events according to multiple fields, which may include (without limitation) IP addresses, hostnames, and/or URLs. The indexed data objects may be stored on a distributed object storage system. The architecture of the security database 120 may enable the system 100 to quickly retrieve security events matching an entity of interest (e.g., in milliseconds or tens of milliseconds), even when the security database is implemented using one or more server devices having low-cost hardware. In some cases, the retrieved data are augmented with additional network observations made at the time of the query to improve the freshness of the generated security rating.
Referring to
The orchestrator 113 may receive requests for security information from user devices 102 of users of the system 100, and manage the system's responses to such requests. Any suitable security information may be requested, including (without limitation) the security ratings of entities of interest, information regarding security events associated with an entity of interest, among others. As described above, such requests may identify the entity of interest using any suitable identification data. In some embodiments, the orchestrator 113 prioritizes such requests (e.g., in an internal request queue) and coordinates with other system components (e.g., data collector 111, automapper 112, ratings engine 114, and/or security database 120) to identify network assets of the entity of interest, retrieve records of security events associated with the entity of interest, determine a security rating of the entity of interest, store (e.g., cache) the determined security rating, and/or generate a security report responsive to the request. The orchestrator may send the requested security information (e.g., the security rating and/or security report) to the user device 102 that requested it.
The orchestrator 113 may receive requests for security information (e.g., from user devices 102) and/or send requested security information (e.g., to user devices 102) via a communication network 106. Network 106 may include one or more wide area networks (“WANs”) (e.g., the Internet), one or more local area networks (“LANs”) (e.g., intranets), and/or one or more other networks of any type that supports communication between two or more electronic devices.
The orchestrator 113 may be implemented using any suitable software executing on any suitable computer system. In some embodiments, the orchestrator includes a server application executing on a computer system (e.g., a relatively small computing device) composed of commodity hardware.
Still referring to
Still referring to
The automapper 112 may identify network assets of an entity using any suitable data and/or techniques, including (without limitation) previously curated data, domain name system (DNS) records, observations of DNS queries, data obtained from network registrars, observations of network traffic, links to web pages (e.g., HTML links), and/or legal records. In some embodiments, the automapper 112 obtains such data (e.g., previously curated data) from the security database 120. In some embodiments, the automapper 112 communicates with an Internet Assigned Numbers Authority (IANA) or Regional Internet Registry (RIR) to determine an Internet Protocol (IP) address range associated with an entity or a domain name. For example, the automapper 112 may determine a domain name for a website of an entity, retrieve the IP address of the website (e.g., the IP address assigned to the domain name) from a domain name server, and provide that IP address to the IANA. In response, the IANA may provide the automapper 112 with a range of IP addresses assigned to the same domain name or entity to which the IP address is assigned. The above-described IP address ranges may include one or more IP addresses. For example, when a single IP address is assigned to a domain name or entity, the IP address “range” may include only the single IP address.
The process of identifying the network assets of an entity (“mapping” the network assets to the entity) may be performed automatically, semi-automatically, or manually. Examples of implementations and features of some embodiments of the automapper 112 are described in U.S. patent application Ser. No. 14/021,585 (see discussion of “analysis system”), Ser. No. 16/015,686 (see discussion of “mapping system”), Ser. No. 16/549,764 (see discussion of “inferencing system”), and Ser. No. 16/583,991 (see discussion of “entity-asset association system”).
Still referring to
In some embodiments, the ratings engine 114 may store a set of security ratings (e.g., recently determined security ratings and/or frequently queried security ratings) in a cache. Upon receipt of a request for an entity's security rating, the ratings engine 114 may check the cache to determine whether a security rating for the entity is stored in the cache and not stale. If so, the ratings engine 114 may return the cached security rating rather than recalculating the entity's security rating. If not, the ratings engine may retrieve the entity's security information from the security database 120 and calculate the entity's security rating based on the retrieved security information.
Examples of implementations and features of some embodiments of the ratings engine 114 are described in at least U.S. patent application Ser. No. 13/240,572 (see discussion of “ratings processing system,” etc.), U.S. patent application Ser. No. 14/944,484, U.S. patent application Ser. No. 15/142,677, and U.S. patent application Ser. No. 16/514,771.
In some embodiments, the security characteristics of an entity's network(s) can be evaluated to assess the entity's cybersecurity states. Specifically, the security characteristics can be evaluated to determine the entity's security rating. The entity's security rating can be provided to the entity as a measure of that entity's risk of security breaches and/or past security record.
In some embodiments, the security rating for each individual entity can be determined. In some embodiments, for security ratings purposes in parent-child entity relationships (e.g., parent company and subsidiary company), a security rating associated with a particular entity may be associated with another associated entity (e.g., a parent or a child of that entity). In some embodiments, a security rating associated with a particular entity may be included in the determination of the security rating of other associated entities (e.g., a parent or a child of that entity).
In some embodiments, determining security risk of entities uses externally observable information as proxies for (i) the effectiveness of the overall security performance of the policies and controls that entity implements and exercises and/or (ii) the vulnerability of the entity to security risk. This externally observable information can be categorized into observable subject areas, or “vectors”, which can each be independently determined and/or characterized. For example, one possible proxy for entity vulnerability is the number of entity-owned IP addresses which are reported by third parties to be malicious. The greater the number of reports, the more likely the particular entity was vulnerable and had been compromised. Examples of subject areas (“vectors”) may include:
In some embodiments, received data for an entity can include two or more subject areas (e.g., of those listed above). In some cases, determining the security rating for an entity can include determining the relationship between the first subject area and the second subject area. This relationship can be stored in a database and accessed for use. For example, the number of botnet infections of an entity may be correlated with the number of potentially exploited devices associated with the entity. This correlation can be stored and referenced in the future. In some embodiments, the security characteristic of an entity is associated with, related to, or equal to the security rating of that entity (e.g., on a scale from 300 to 900, as provided by BitSight Technologies, Inc., Boston, Mass.).
In some embodiments, to compute the security ratings for an entity, obtained data pertaining to the IT assets owned by that entity may be aggregated. For example, IT assets can include the IP addresses controlled by the entity and obtained data can include the activity associated with those IP addresses. To determine externally observable information about IP address-based assets, one or more IP addresses can be associated with an entity. The data may be processed to determine additional information. For example, processing may yield a list of IP addresses for an entity that has demonstrated suspicious or malicious behavior or fails to follow best security practices for the given reference data point. Similar methods can be used for other types of assets, e.g., domain-based assets, or other information for which an asset can be determined to be associated to an organization. Using these techniques, information about that asset can be associated with the entity.
The exemplary security ratings systems and methods may be configured to account for differences in data sources and types. In some embodiments, each data source may have a potentially unique insight of an entity and, therefore, there can be two or more techniques used to take advantage of the respective data. Data source-specific modeling techniques may be applied to some or all of the data sources to demonstrate feasibility and validate the approach for each data source and modeling technique.
In some embodiments, the combination of two or more vectors may produce a security rating that reflects the effectiveness of an entity's security efforts. The determination of individual vectors and the overall security rating can be influenced by security best-practices as promoted by standardized and accepted cybersecurity frameworks. In some embodiments, evidence of security compromise can be used to understand the specific impact the individual vectors have on the security rating of the entity. For instance, correlation between sources of externally observed information can be used to determine the impact of vectors. For example, the vectors representing evidence of compromised workstations (owned or controlled by an entity) may represent a significant portion of the entity's ability to implement security controls correctly, and thus may influence the entity's security rating more than other types of information.
Still referring to
When records are added to the database, they may be stored in objects within the database's object storage system. Once an object is inserted into the security database 120, the object may be immutable, such that it may never be updated. One advantage of storing database records in immutable objects is that potential errors due to eventual consistency can be avoided. For example, read operations in the security database 120 may either succeed (and return consistent values) or fail (because the operation attempted to read a stale object), but may not appear to succeed whilst returning inconsistent values.
Further, the database 120 may be versioned and each version may be immutable. A versioned database has the advantage of multi-version concurrency control, meaning readers may consistently read from one version of the database while the database is being written to by another process. Multiple database versions also facilitate reversions to previous versions of the database if corruption occurs.
The security database 120 may include a manifest 121 and index 122, both of which are further described below. Like the records, the index may be stored in objects within the database's object storage system. Some embodiments of the index 122 described herein may be capable of working around the above-described limitations of object storage systems, while enabling new records to be efficiently added to the database 120 (e.g., at regular intervals) and enabling individual records (or sets of records associated with the same key) to be retrieved quickly.
The index 122 may be partitioned according to the range of key values. Range-partitioning the index 122 in this manner may enable the system 100 to generate the index 122 in parallel (e.g., on clusters of multiple computers). Within each partition of the index 122, the database records may be stored as key-value pairs organized in one or more segments. Each segment may include a key dictionary and a set of values. In some embodiments, a segment's key dictionary may be stored in a file (e.g., “dictionary file”), and the segment's set of values may be stored in a different file (e.g., “data file”). In some embodiments, the key dictionary may be organized as a tree (e.g., a B+ tree or any other suitable tree-based data structure).
Within a segment's data file, the values of the segment's records may be stored in sorted order according to the records' keys. In some embodiments, the dictionary translates each key into a byte offset within the sorted data file, which facilitates the retrieval of the record(s) associated with a given key without processing the entire data file. Furthermore, one advantage of sorting the records in this manner is that adjacent records tend to be similar, which makes the sorted data file highly compressible. Thus, in some embodiments, a segment's sorted records are grouped into blocks within the data file, each block is compressed, and the dictionary translates each key into a byte offset within the block-compressed data file.
As discussed above, the index 122 may be range-partitioned. The manifest 121 may comprise and/or function as a global partition map. For example, the manifest 121 may keep track of the range of keys assigned to each partition and may store the locations of the partitions (e.g., using pointers or any other suitable addressing technique). When the database receives a query for the records associated with a key K, the database controller may interrogate the manifest 121 to determine which partition PK of the index 122 contains the records associated with the query key K and where the partition PK is stored. The database controller may then query each segment in the partition PK for records associated with the query key K.
As discussed above, each segment may include a key dictionary, which may be stored in the object storage system of the database 120. Querying a segment may involve searching the segment's key dictionary. For example, if the key dictionary is organized as a tree, querying the key dictionary may involve traversing the tree (e.g., using a standard tree traversal algorithm suitable for the type of tree used to store the key dictionary). Conceptually, each link traversal within the key dictionary may involve dereferencing a pointer to locate the tree node to which the link points. When the key dictionary is stored in an object storage system, dereferencing a pointer to a tree node may involve requesting data from the object storage system over an internal network. However, in some embodiments, the key dictionaries are organized into relatively shallow trees (e.g., trees of two or three levels on average), and therefore the number of pointers dereferenced (and the number of network requests made to the object storage system) while traversing the key dictionary is also relatively low, yielding a modest latency for the task of searching the dictionary.
The architecture of the database facilitates parallel searching of the index, which can further improve the latency of individual queries and/or facilitate the performance of multiple key queries in parallel. For example, when performing an individual query, the different segments within a partition may be searched in parallel to further decrease the latency of the query. Likewise, when processing multiple queries, different partitions may be searched in parallel (e.g., to process different queries in parallel), and different segments within each partition may be searched in parallel (e.g., to process different queries within the same partition of the key range in parallel, or decrease the latency of an individual query within the query set). In addition, the database's query bandwidth may be improved by replicating the manifest 121 and the segments of the index 122 and distributing the replicas (e.g., to different computers of the underlying object data storage system).
The architecture of the database also facilitates rapid range queries (and prefix queries). As discussed above, the records within a segment are sorted in order according to their keys (and optionally compressed). Thus, range queries (or prefix queries) within a segment can be performed by locating the records R1 associated with the first key K1 in the query range, locating the records associated RN with the last key KN in the query range, and reading all the records between R1 and RN from the segment's data file. Different segments within the partition may be searched in parallel to further decrease the latency of the range (or prefix) query. In cases where the keys targeted by a range (or prefix) query fall within the key ranges associated with two or more distinct partitions, those partitions may be searched in parallel to further decrease the latency of the range query. The rapid handling of range (or prefix) queries may be particularly beneficial in the context of searching for security records corresponding to an entity's network assets, because the set of network identifiers assigned to an entity's network assets often include one or more contiguous ranges of network identifiers and/or all the network identifiers corresponding to one or more network ID prefixes.
The architecture of the database 120 also facilitates the process of adding (e.g., regularly adding) new records to the index 122. Existing segments of the index 122 may be stored as objects in the object storage system of the database 120 and, as such, may be immutable. However, new records (e.g., new security information records associated with network assets for which the index 122 already stores one or more records, or new security information records associated with network assets of which the index 122 does not yet contain any records) may be added to the index 122 by creating a new segment that includes the new records and inserting the new segment into the index partitions corresponding to the new records' keys.
In some embodiments, the database controller may add new records to the index 122 in batches from time to time (e.g., regularly, periodically, etc.). When a batch of new records is ready to be stored in the index 122, the database controller may partition the new records into subsets based on their keys (e.g., using a map-reduce process) such that each subset corresponds to the key range of one of the index's partitions, create new segments containing each of the subsets of new records, and write the new segments to the corresponding partitions.
To reduce the latency of database queries, the database may perform a compaction process on each of the partitions from time to time (e.g., regularly, periodically, etc.), whereby at least some of the segments within each partition are merged into a single, new segment. In some embodiments, the segments within a partition may be organized hierarchically, with smaller segments (e.g., segments storing relatively fewer records and/or segments storing their records in trees having relatively fewer levels) being assigned to the lower levels of the hierarchy and larger segments (e.g., segments storing relatively more records and/or segments storing their records in trees having relatively more levels) being assigned to the higher levels of the hierarchy. In such embodiments, when the number of segments at the lowest level L0 of the partition's segment hierarchy exceeds a threshold number, the segments at level L0 may be merged (e.g., using an N-way sorted merge algorithm) into a new, larger segment, which may be inserted into the partition's segment hierarchy at the next higher level L1. Likewise, when the number of segments at the level L1 of the partition's segment hierarchy exceeds a threshold number, the segments at level L1 may be merged into a new, larger segment, which may be inserted into the partition's segment hierarchy at the next higher level L2, and so on. This hierarchical compaction process may allow the number of segments within each partition to grow logarithmically with the number of records in the partition, which confers the benefit of limiting the database's write amplification (the number of times each record is ultimately copied) to a logarithmic factor.
To maintain database consistency, the manifest 121 may be stored in a single atomic object within the database's underlying object storage system. One of ordinary skill in the art will appreciate that as new segments are added to the index (to accommodate storage of new records or through the compaction process), the new segments are not visible to clients of the database 120 until a new manifest 121 identifying the new segments is created and stored (e.g., “committed”) to the object storage system. In addition, storing prior versions of the manifest in the underlying object storage system permits a form of multi-version concurrency control, such that database users can concurrently read from a consistent, current version of the database at the same time a background process assembles the next version of the database.
Writing to the Database
Referring to
In the example of
In the example of
Database “readers” (e.g., processes that read data from the database 200) may use the key ranges in the current manifest 202 to first determine which partition (e.g., partition 221, partition 222, partition 223) to read. The reader may then examine all segments of the identified partition using, for example, the read process described below with reference to
An example of a process by which a database 200 may be constructed is now described. Records may be received (step 1) by the database 200. These records may be provided, for example, by a data collector 111 and/or an orchestrator 113, as described above. Each record may include externally observable evidence of one or more cybersecurity incidents and/or other observations of an entity's cybersecurity posture. For each record, a key and value may be computed. The keys may be used later, for example, to retrieve all values associated with one or more specified keys. In some cases, the keys may be used in determining which entities are affected by a particular cybersecurity observation or incident. According to some embodiments, the key is represented by a string of bytes of fixed or variable length. Any suitable process for computing the keys for the records may be used. The key computation process may generate keys such that a total ordering exists on the space of possible keys (“keyspace”). In some embodiments, the key contains a network identifier (e.g., an IP address or a domain name system (DNS) name) of a network asset. The record's value may be the original record itself, a portion of the original record, or a value derived from the original record, according to some embodiments.
To facilitate parallel processing of records on clusters of multiple computers, the keyspace of the records may be partitioned (step 2), such that each partition contains a certain range of keys, and each possible key belongs to exactly one partition. The partition ranges may be chosen to yield partitions that contain approximately equal numbers of the received records. According to some embodiments, the key ranges may be determined a priori if the keys are drawn from a known distribution. In some embodiments, the key ranges may be estimated by selecting a random sample of input records. Alternatively, the key ranges may be computed by sorting the entire set of records and dividing the sorted records into sets of roughly equal size.
The records may be partitioned and sorted (step 3). In some embodiments, the records are processed in batches on a distributed data processing system. Each batch of records may be divided into partitions according to key. The individual partitions of the various batches of records may be processed in parallel on clusters of multiple computers, using standard frameworks (e.g., the map reduce process) to reduce the overall time required for processing. Within each partition of each batch of records, the records may be sorted by key, according to some embodiments.
The partitioned, sorted records may then be inserted into segments (step 4). For each partition of each batch of records, an empty segment may be generated. The keys and values of the sorted records within each partition of each batch of records may then be inserted into the corresponding segment, which may be implemented using a data structure that facilitates efficient access to any randomly chosen key-value pair. This data structure may be a tree (e.g., a B+ tree or a tree similar to a B+ tree). In some embodiments, internal nodes of the tree may contain ranges of keys, and leaf nodes of the tree may contain key-value pairs. The number of keys per node of the tree may be chosen to optimize the number of nodes examined by a given query compared to the time required to retrieve a node. In some cases, the preferred number of keys per node is determined experimentally. For example, query performance for a set of queries (e.g., benchmark queries) may be observed as the number of keys “d” per node is varied, and the value of this parameter (d) that yields the best query performance may be selected. Alternatively, the preferred number of keys (d) per node may be estimated by minimizing the following expression:
t=(s+k*d/r)*log(N)/log(d+1),
where “t” is the query time, “k” is the size of a key in bytes, “r” is the network bandwidth in bytes/second, “s” is the round-trip network latency, and “N” is the number of nodes in the tree.
Alternatively, the keys of a segment's records may be stored in one structure (e.g., the key dictionary 210, which may be stored as an object), and the values of the segment's records may be stored in a separate structure (e.g., the data file 212, which may be stored as an object). In this case, the values in the key dictionary's underlying structure may be references (e.g., pointers or byte offsets) into the data file 212 containing the values of the segment's records. In some embodiments, the values of a segment's records may be organized in blocks and compressed to reduce the storage space occupied by the segment's data file 212. The block size of the blocks of the data file 212 may be chosen to optimize the tradeoff between the latency of requesting a single block and the time needed to transfer the data within the block and decompress the data. In some cases, the preferred block size is determined experimentally. For example, query performance for a set of queries (e.g., benchmark queries) may be observed as the block size “b” is varied, and the value of this parameter (b) that yields the best query performance may be selected. Alternatively, the preferred block size (b) may be estimated by minimizing the following expression:
t=(s+(b/r)+(b/z))*m,
where “t” is the query time, “s” is the round-trip network latency, “r” is the network bandwidth in bytes/second, “z” is the decompression bandwidth in bytes/second, and “m” is the number of blocks.
After all the records have been inserted into their corresponding segments, each partition of the database 200 may contain one or more segments. While all the keys within all segments of a given partition of the database 200 are within the key range assigned to that partition, there may be no other relation between the sets of keys stored within one segment of a partition and the sets of keys stored within another segment of the partition. Alternatively, the segments within a partition may contain disjoint ranges of a secondary key (e.g., a version indicator assigned to the record, for example, a timestamp of the record).
Referring to
The process of updating the security database 200 may involve not only the insertion of new segments into the distributed index 201, but also the creation of a new manifest 202. As described above, a manifest (e.g., current manifest 202, previous manifests 204) may store the key ranges of each partition of the keyspace (the universe of permissible key values) and also contain references to the segment objects within the partitions. Whenever the database is updated (e.g. by appending new segments to a partition), a new manifest may be constructed by reading the current manifest into memory, inserting new references to the new segments into the manifest, and inserting the manifest back into the object store under a new, distinct, version-indicating key. In this way, existing manifests (e.g., previous manifests 204) may remain immutable, such that the existing manifests are never modified.
The immutability of previous manifests 204 generally confers two benefits. First, any given manifest may represent a consistent snapshot view of the database, even if the database is concurrently being updated by another process. Thus, the immutability of previous manifests provides a form of multi-version concurrency control. A reader making a particular query using a particular manifest will always read the same records, regardless of subsequent updates (e.g., modifications) to the database. Second, it is possible to roll back the database to a previous state simply by referencing a previous version of the manifest.
An existing key-value pair in the database 200 may be updated by inserting a new record with the same primary key into the appropriate partition. Readers may read all versions of a record and discard all but the latest version. Subsequent compactions of the data store may remove older record versions, reducing storage space. Similarly, a record may be deleted by inserting a special deletion marker having the same primary key as the to-be-deleted record. According to some embodiments, an array of values, rather than a single value, may be associated with each key. As such, updates may append a value to the array of values associated with a given key.
The above-described batch process for inserting new data into the database by constructing new segments of the distributed index is generally very efficient, particularly in comparison to writing new data to the database by random insertions. (Since objects within the database's object storage system are immutable, modifying an existing record involves an inefficient process of downloading the entire object in which the record is stored, modifying the record in the downloaded object, and then uploading the modified object for storage as a new object.) In contrast, pursuant to the batch-based approach, from time to time new records may be collected, partitioned, and sorted by key using a parallel processing framework on clusters of multiple machines (e.g. map reduce). The new segments may be then inserted into the object storage system, and a new manifest may be constructed with references to both the previously existing and new segments as shown in
Reading From the Database
In this example, the reader 502 then examines the pointer in node 9 to determine the position and length of the next node to read. In this example, node 9 comprises a pointer to node 8 as shown in
In this example, the reader then examines the keys in node 8, finds the insertion point of the target key ‘e’ in the key array of node 8 (in this case, the target key ‘e’ precedes sole key ‘j’ stored in node 8, so the insertion point of the target key ‘e’ is the first insertion point in node 8), and reads the corresponding pointer to the next node, which, according to the values array, is node 4 as shown in
In this example, the reader 502 then makes a third ranged GET request for bytes representing node 4, and the object store returns node 4 to the reader. The third request and response are represented by paired arrows 514. The reader 502 then examines the keys in node 4, finds the insertion point of the target key ‘e’ in the key array of node 4 (in this case, the target key ‘e’ is between the first key ‘d’ and the second key ‘g’ stored in node 4, so the insertion point of the target key ‘e’ is the second insertion point in node 4), and reads the corresponding pointer to node 2.
In this example, the reader then makes a fourth ranged GET request for the bytes representing node 2, and the object store returns node 2 to the reader. The fourth request and response are represented by the paired arrows 516. The reader then examines the key array of node 2 in search for the target key ‘e’ and finds a match at position 2 of the key array of node 2. Thus, the result of the query is the second value in the value array of node 2, which is 10.
More generally, to retrieve the value associated with a key (e.g., to make a point query), a reader may first examine the manifest object to determine which partition of the distributed index contains the key. The reader may then examine each segment within that partition. For each segment, the reader may traverse the structure used to implement the segment (e.g. B+ tree) by making requests (e.g., ranged HTTP(S) requests) over a network to the object storage system. The use of ranged requests may greatly reduce the latency of each query, because only the nodes of the segment retrieved pursuant to the ranged requests may be limited to the set of nodes relevant to the query, which generally represent a small fraction of the total data volume of the segment.
The time devoted to each network request may be determined by two factors. The first factor is the latency between the client and server (e.g., the round-trip time for a request to pass between the reader's device (e.g., the “client”) and the database's device (e.g., the “server”). This latency may be independent from the size of the data requested. The second factor is the bandwidth of the network through which the client and server communicate (e.g., the number of bytes per second which can be transferred over the network). The size of the nodes within a segment and the number of keys within a node (also known in the art as “the branching factor”) may be chosen to achieve the minimum possible query time by optimizing the total number of requests (e.g., latency) against the total data transferred (e.g., bandwidth).
To make a range query (e.g., retrieve all values for keys falling within a specified range of keys), the reader may first locate the first key-value pair in the segment(s) of the appropriate partition of the distributed index using the traversal process described above with reference to
Similarly, to make a prefix query, the reader may first locate the smallest key that matches the given prefix. The reader may then continue to read key-value pairs until it encounters a key whose prefix does not match the prefix query.
To improve throughput, a concurrent reader may be used to make queries. While a standard reader scans through each segment for a given partition sequentially, the concurrent reader may scan N segments simultaneously, where N is a tuning parameter determined by the system or provided by the user. To facilitate concurrent segment scans, the concurrent reader may first read the manifest to determine which segments are available to scan for a given partition. After constructing the segment list, the concurrent reader may create M scanners, where M is a tuning parameter determined by the system or provided by the user. If there are not enough scanners to support reading all the relevant segments in parallel, the concurrent reader may distribute (e.g., evenly distribute) the remaining segments among the scanners.
These scanners may be implemented using separate threads in a single-node environment, or using separate devices in a distributed environment. Once initialized, the scanners may be able to read their assigned segments in parallel, with the concurrent reader collecting the results either on disk or in memory. In addition to collecting the results, the concurrent reader may also monitor for any scanners which may need to continue scanning at the next partition. If any scanners need to continue scanning at a subsequent partition, the concurrent reader may repeat the initial process of building the segment list and distributing segments to the scanners. This process may repeat until all of the relevant data have been scanned by the reader.
Compacting the Distributed Index of the Database
The compaction process may begin by reading the manifest to obtain the full list of partitions and the segments contained therein. The compaction process may then iterate through each partition, using one or more scanners to perform a full scan of each of the segments contained within each partition. Similar to the above-described version filter of a reader, the compaction process may invoke a version filter on the scanned records. This version filter may allow the compaction process to discard all outdated record versions.
Upon completion of the read operation, the compaction process may create a single new segment in the object store. This new segment may then be updated with all of the records that passed through the compaction filter. Once the compaction process has completed writing the records into the new segment, it will atomically update the manifest by removing a reference to the existing segments and inserting a reference to the newly compacted segment.
When there is a large volume of data in the object store, it may be impractical for the compaction process to perform a full compaction over every partition listed in the manifest. Additionally, compactions over older and larger segments tend to have diminishing returns, as the records in those segments are not typically updated with the same frequency as more recent segments. Therefore, the compaction process may be adapted to only compact a subset of the total partitions in the manifest, and/or a subset of the segments within various partitions, according to some embodiments.
According to some embodiments, the compaction process begins by selecting 1/P of the total partitions in the object store for compaction. By using a deterministic round-robin strategy, compaction may be guaranteed to compact the total set of partitions within a timeframe determined by both the value of P and the schedule of the compaction process. Once a set of partitions has been selected, the compaction process may then select from the set of segments assigned to those partitions. The compaction process may determine which segments to select based on the following factors: (1) how often the records in that segment have been compacted, and/or (2) the total number of segments available for compaction.
To determine how often a segment has been compacted, the compaction process may store a numerical value alongside each segment in the manifest. This value (the “level), may indicate how many times the segment has been compacted. A brand new segment may therefore have a level value of zero, while a segment compacted twice may have a value of two as shown in
According to some embodiments, the default compaction strategy, leveled compaction, uses these level values to balance the work that any given compaction process performs. The compaction process may select all level zero segments for a set of partitions, according to some embodiments. These segments are typically numerous and relatively small, making them excellent targets for compaction. In addition to the level zero segments, a user may also choose to allow for additional levels to be compacted by selecting various thresholds, such as total number of segments or segment sizes. By using these compaction levels, users can create compaction schedules according to their application requirements (e.g., performing larger compactions out-of-band, frequent processing of level zero segments, etc.).
Further Description of Some Embodiments
Some examples have been described in which databases having improved database architectures as described herein are used by a security rating system to rapidly generate security ratings for entities. However, the database techniques described herein may be advantageously used in other contexts. In general, these techniques may provide performance benefits for any applications in which high speed, high bandwidth, highly reliable access to a large database is desired and the use of low cost devices to host the database is preferred.
In some examples, some or all of the processing described above can be carried out on a personal computing device, on one or more centralized computing devices, or via cloud-based processing by one or more servers. In some examples, some types of processing occur on one device and other types of processing occur on another device. In some examples, some or all of the data described above can be stored on a personal computing device, in data storage hosted on one or more centralized computing devices, or via cloud-based storage. In some examples, some data are stored in one location and other data are stored in another location. In some examples, quantum computing can be used. In some examples, functional programming languages can be used. In some examples, electrical memory, such as flash-based memory, can be used.
The memory 720 stores information within the system 700. In some implementations, the memory 720 is a non-transitory computer-readable medium. In some implementations, the memory 720 is a volatile memory unit. In some implementations, the memory 720 is a nonvolatile memory unit.
The storage device 730 is capable of providing mass storage for the system 700. In some implementations, the storage device 730 is a non-transitory computer-readable medium. In various different implementations, the storage device 730 may include, for example, a hard disk device, an optical disk device, a solid-date drive, a flash drive, or some other large capacity storage device. For example, the storage device may store long-term data (e.g., database data, file system data, etc.). The input/output device 740 provides input/output operations for the system 700. In some implementations, the input/output device 740 may include one or more of a network interface devices, e.g., an Ethernet card, a serial communication device, e.g., an RS-232 port, and/or a wireless interface device, e.g., an 802.11 card, a 3G wireless modem, or a 4G wireless modem. In some implementations, the input/output device may include driver devices configured to receive input data and send output data to other input/output devices, e.g., keyboard, printer and display devices 760. In some examples, mobile computing devices, mobile communication devices, and other devices may be used.
In some implementations, at least a portion of the approaches described above may be realized by instructions that upon execution cause one or more processing devices to carry out the processes and functions described above. Such instructions may include, for example, interpreted instructions such as script instructions, or executable code, or other instructions stored in a non-transitory computer readable medium. The storage device 730 may be implemented in a distributed way over a network, such as a server farm or a set of widely distributed servers, or may be implemented in a single computing device.
Although an example processing system has been described in
The term “system” may encompass all kinds of apparatus, devices, and machines for processing data, including by way of example a programmable processor, a computer, or multiple processors or computers. A processing system may include special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application specific integrated circuit). A processing system may include, in addition to hardware, code that creates an execution environment for the computer program in question, e.g., code that constitutes processor firmware, a protocol stack, a database management system, an operating system, or a combination of one or more of them.
A computer program (which may also be referred to or described as a program, software, a software application, a module, an engine, a software module, a script, or code) can be written in any form of programming language, including compiled or interpreted languages, or declarative or procedural languages, and it can be deployed in any form, including as a standalone program or as a module, component, subroutine, or other unit suitable for use in a computing environment. A computer program may, but need not, correspond to a file in a file system. A program can be stored in a portion of a file that holds other programs or data (e.g., one or more scripts stored in a markup language document), in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub programs, or portions of code). A computer program can be deployed to be executed on one computer or on multiple computers that are located at one site or distributed across multiple sites and interconnected by a communication network.
The processes and logic flows described in this specification can be performed by one or more programmable computers executing one or more computer programs to perform functions by operating on input data and generating output. The processes and logic flows can also be performed by, and apparatus can also be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application specific integrated circuit).
Computers suitable for the execution of a computer program can include, by way of example, general or special purpose microprocessors or both, or any other kind of central processing unit. Generally, a central processing unit will receive instructions and data from a read-only memory or a random access memory or both. A computer generally includes a central processing unit for performing or executing instructions and one or more memory devices for storing instructions and data. Generally, a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto optical disks, or optical disks. However, a computer need not have such devices. Moreover, a computer can be embedded in another device, e.g., a mobile telephone, a personal digital assistant (PDA), a mobile audio or video player, a game console, a Global Positioning System (GPS) receiver, or a portable storage device (e.g., a universal serial bus (USB) flash drive), to name just a few.
Computer readable media suitable for storing computer program instructions and data include all forms of nonvolatile memory, media and memory devices, including by way of example semiconductor memory devices, e.g., EPROM, EEPROM, and flash memory devices; magnetic disks, e.g., internal hard disks or removable disks; magneto optical disks; and CD-ROM and DVD-ROM disks. The processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.
To provide for interaction with a user, embodiments of the subject matter described in this specification can be implemented on a computer having a display device, e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor, for displaying information to the user and a keyboard and a pointing device, e.g., a mouse or a trackball, by which the user can provide input to the computer. Other kinds of devices can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback, e.g., visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, speech, or tactile input. In addition, a computer can interact with a user by sending documents to and receiving documents from a device that is used by the user; for example, by sending web pages to a web browser on a user's user device in response to requests received from the web browser.
Embodiments of the subject matter described in this specification can be implemented in a computing system that includes a back end component, e.g., as a data server, or that includes a middleware component, e.g., an application server, or that includes a front end component, e.g., a client computer having a graphical user interface or a Web browser through which a user can interact with an implementation of the subject matter described in this specification, or any combination of one or more such back end, middleware, or front end components. The components of the system can be interconnected by any form or medium of digital data communication, e.g., a communication network. Examples of communication networks include a local area network (“LAN”) and a wide area network (“WAN”), e.g., the Internet.
The computing system can include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
While this specification contains many specific implementation details, these should not be construed as limitations on the scope of what may be claimed, but rather as descriptions of features that may be specific to particular embodiments. Certain features that are described in this specification in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable sub-combination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a sub-combination or variation of a sub-combination.
Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Moreover, the separation of various system components in the embodiments described above should not be understood as requiring such separation in all embodiments, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.
Particular embodiments of the subject matter have been described. Other embodiments are within the scope of the following claims. For example, the actions recited in the claims can be performed in a different order and still achieve desirable results. As one example, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In certain implementations, multitasking and parallel processing may be advantageous. Other steps or stages may be provided, or steps or stages may be eliminated, from the described processes. Accordingly, other implementations are within the scope of the following claims.
Terminology
The phraseology and terminology used herein is for the purpose of description and should not be regarded as limiting.
The term “approximately”, the phrase “approximately equal to”, and other similar phrases, as used in the specification and the claims (e.g., “X has a value of approximately Y” or “X is approximately equal to Y”), should be understood to mean that one value (X) is within a predetermined range of another value (Y). The predetermined range may be plus or minus 20%, 10%, 5%, 3%, 1%, 0.1%, or less than 0.1%, unless otherwise indicated.
The indefinite articles “a” and “an,” as used in the specification and in the claims, unless clearly indicated to the contrary, should be understood to mean “at least one.” The phrase “and/or,” as used in the specification and in the claims, should be understood to mean “either or both” of the elements so conjoined, i.e., elements that are conjunctively present in some cases and disjunctively present in other cases. Multiple elements listed with “and/or” should be construed in the same fashion, i.e., “one or more” of the elements so conjoined. Other elements may optionally be present other than the elements specifically identified by the “and/or” clause, whether related or unrelated to those elements specifically identified. Thus, as a non-limiting example, a reference to “A and/or B”, when used in conjunction with open-ended language such as “comprising” can refer, in one embodiment, to A only (optionally including elements other than B); in another embodiment, to B only (optionally including elements other than A); in yet another embodiment, to both A and B (optionally including other elements); etc.
As used in the specification and in the claims, “or” should be understood to have the same meaning as “and/or” as defined above. For example, when separating items in a list, “or” or “and/or” shall be interpreted as being inclusive, i.e., the inclusion of at least one, but also including more than one, of a number or list of elements, and, optionally, additional unlisted items. Only terms clearly indicated to the contrary, such as “only one of or “exactly one of,” or, when used in the claims, “consisting of,” will refer to the inclusion of exactly one element of a number or list of elements. In general, the term “or” as used shall only be interpreted as indicating exclusive alternatives (i.e. “one or the other but not both”) when preceded by terms of exclusivity, such as “either,” “one of,” “only one of,” or “exactly one of.” “Consisting essentially of,” when used in the claims, shall have its ordinary meaning as used in the field of patent law.
As used in the specification and in the claims, the phrase “at least one,” in reference to a list of one or more elements, should be understood to mean at least one element selected from any one or more of the elements in the list of elements, but not necessarily including at least one of each and every element specifically listed within the list of elements and not excluding any combinations of elements in the list of elements. This definition also allows that elements may optionally be present other than the elements specifically identified within the list of elements to which the phrase “at least one” refers, whether related or unrelated to those elements specifically identified. Thus, as a non-limiting example, “at least one of A and B” (or, equivalently, “at least one of A or B,” or, equivalently “at least one of A and/or B”) can refer, in one embodiment, to at least one, optionally including more than one, A, with no B present (and optionally including elements other than B); in another embodiment, to at least one, optionally including more than one, B, with no A present (and optionally including elements other than A); in yet another embodiment, to at least one, optionally including more than one, A, and at least one, optionally including more than one, B (and optionally including other elements); etc.
The use of “including,” “comprising,” “having,” “containing,” “involving,” and variations thereof, is meant to encompass the items listed thereafter and additional items.
Use of ordinal terms such as “first,” “second,” “third,” etc., in the claims to modify a claim element does not by itself connote any priority, precedence, or order of one claim element over another or the temporal order in which acts of a method are performed. Ordinal terms are used merely as labels to distinguish one claim element having a certain name from another element having a same name (but for use of the ordinal term), to distinguish the claim elements.
This application is a Continuation of and claims priority to U.S. patent application Ser. No. 17/132,512 titled “Systems and Methods for Rapidly Generating Security Ratings” and filed on Dec. 23, 2020, which is a Divisional of U.S. patent application Ser. No. 16/779,437 titled “Systems and Methods for Rapidly Generating Security Ratings” and filed on Jan. 31, 2020 now issued as U.S. Pat. No. 10,893,067, each of which is hereby incorporated by reference herein in its entirety, and the subject matter of this application is related to the subject matter of U.S. patent application Ser. No. 15/377,574 titled “Methods and Systems for Creating, De-Duplicating, and Accessing Data Using an Object Storage System” and filed on Dec. 13, 2016 (now U.S. Pat. No. 9,705,932); U.S. patent application Ser. No. 14/021,585 titled “Security Risk Management” and filed on Sep. 9, 2013 (now U.S. Pat. No. 9,438,615); U.S. patent application Ser. No. 13/240,572 titled “Information Technology Security Assessment System” and filed on Sep. 22, 2011; U.S. patent application Ser. No. 14/944,484 titled “Information Technology Security Assessment System” and filed on Nov. 18, 2015 (now U.S. Pat. No. 9,973,524); U.S. patent application Ser. No. 15/142,677 titled “Security Assessment Using Service Provider Digital Asset Information” and filed on Apr. 29, 2016 (now U.S. Pat. No. 9,830,569); U.S. patent application Ser. No. 16/015,686 titled “Methods for Mapping IP Addresses and Domains to Organizations using User Activity Data” and filed on Jun. 22, 2018 (now U.S. Pat. No. 10,425,380); U.S. patent application Ser. No. 16/549,764 titled “Systems and Methods for Inferring Entity Relationships via Network Communications of Users or User Devices” and filed on Aug. 23, 2019; U.S. patent application Ser. No. 16/583,991 titled “Systems and Methods for Network Asset Discovery and Association thereof with Entities” and filed on Sep. 26, 2019; U.S. patent application Ser. No. 16/514,771 titled “Systems and methods for generating security improvement plans for entities” and filed on Jul. 17, 2019, each of which is hereby incorporated by reference herein in its entirety.
| Number | Name | Date | Kind |
|---|---|---|---|
| 5867799 | Lang et al. | Feb 1999 | A |
| 6016475 | Miller et al. | Jan 2000 | A |
| 6745150 | Breiman | Jun 2004 | B1 |
| 6785732 | Bates et al. | Aug 2004 | B1 |
| 6792401 | Nigro et al. | Sep 2004 | B1 |
| 7062572 | Hampton | Jun 2006 | B1 |
| D525264 | Chotai et al. | Jul 2006 | S |
| D525629 | Chotai et al. | Jul 2006 | S |
| 7100195 | Underwood | Aug 2006 | B1 |
| 7194769 | Lippmann et al. | Mar 2007 | B2 |
| 7290275 | Baudoin et al. | Oct 2007 | B2 |
| D604740 | Matheny et al. | Nov 2009 | S |
| 7650570 | Torrens et al. | Jan 2010 | B2 |
| 7747778 | King et al. | Jun 2010 | B1 |
| 7748038 | Olivier et al. | Jun 2010 | B2 |
| 7827607 | Sobel et al. | Nov 2010 | B2 |
| D630645 | Tokunaga et al. | Jan 2011 | S |
| 7971252 | Lippmann et al. | Jun 2011 | B2 |
| 8000698 | Wolman et al. | Aug 2011 | B2 |
| D652048 | Joseph | Jan 2012 | S |
| D667022 | LoBosco et al. | Sep 2012 | S |
| 8359651 | Wu et al. | Jan 2013 | B1 |
| 8370933 | Buckler | Feb 2013 | B1 |
| 8429630 | Nickolov et al. | Apr 2013 | B2 |
| D682287 | Cong et al. | May 2013 | S |
| D688260 | Pearcy et al. | Aug 2013 | S |
| 8504556 | Rice et al. | Aug 2013 | B1 |
| 8505094 | Xuewen et al. | Aug 2013 | B1 |
| D691164 | Lim et al. | Oct 2013 | S |
| D694252 | Helm | Nov 2013 | S |
| D694253 | Helm | Nov 2013 | S |
| 8584233 | Yang et al. | Nov 2013 | B1 |
| 8601575 | Mullarkey et al. | Dec 2013 | B2 |
| 8621621 | Burns et al. | Dec 2013 | B1 |
| 8661146 | Alex et al. | Feb 2014 | B2 |
| D700616 | Chao | Mar 2014 | S |
| 8677481 | Lee | Mar 2014 | B1 |
| 8752183 | Heiderich et al. | Jun 2014 | B1 |
| 8775402 | Baskerville et al. | Jul 2014 | B2 |
| 8806646 | Daswani et al. | Aug 2014 | B1 |
| 8825662 | Kingman et al. | Sep 2014 | B1 |
| 8949988 | Adams et al. | Feb 2015 | B2 |
| 8966639 | Roytman et al. | Feb 2015 | B1 |
| D730918 | Park et al. | Jun 2015 | S |
| 9053210 | Elnikety et al. | Jun 2015 | B2 |
| 9075990 | Yang | Jul 2015 | B1 |
| D740847 | Yampolskiy et al. | Oct 2015 | S |
| D740848 | Bolts et al. | Oct 2015 | S |
| D741351 | Kito et al. | Oct 2015 | S |
| D746832 | Pearcy et al. | Jan 2016 | S |
| 9241252 | Dua et al. | Jan 2016 | B2 |
| 9244899 | Greenbaum | Jan 2016 | B1 |
| 9294498 | Yampolskiy et al. | Mar 2016 | B1 |
| D754690 | Park et al. | Apr 2016 | S |
| D754696 | Follett et al. | Apr 2016 | S |
| D756371 | Bertnick et al. | May 2016 | S |
| D756372 | Bertnick et al. | May 2016 | S |
| D756392 | Yun et al. | May 2016 | S |
| D759084 | Yampolskiy et al. | Jun 2016 | S |
| D759689 | Olson et al. | Jun 2016 | S |
| 9372994 | Yampolskiy et al. | Jun 2016 | B1 |
| 9373144 | Ng et al. | Jun 2016 | B1 |
| D760782 | Kendler et al. | Jul 2016 | S |
| 9384206 | Bono et al. | Jul 2016 | B1 |
| 9401926 | Dubow et al. | Jul 2016 | B1 |
| 9407658 | Kuskov et al. | Aug 2016 | B1 |
| 9420049 | Talmor et al. | Aug 2016 | B1 |
| 9424333 | Bisignani et al. | Aug 2016 | B1 |
| 9479526 | Yang | Oct 2016 | B1 |
| D771103 | Eder | Nov 2016 | S |
| D771695 | Yampolskiy et al. | Nov 2016 | S |
| D772276 | Yampolskiy et al. | Nov 2016 | S |
| 9501647 | Yampolskiy et al. | Nov 2016 | B2 |
| D773507 | Sagrillo et al. | Dec 2016 | S |
| D775635 | Raji et al. | Jan 2017 | S |
| D776136 | Chen et al. | Jan 2017 | S |
| D776153 | Yampolskiy et al. | Jan 2017 | S |
| D777177 | Chen et al. | Jan 2017 | S |
| 9560072 | Xu | Jan 2017 | B1 |
| D778927 | Bertnick et al. | Feb 2017 | S |
| D778928 | Bertnick et al. | Feb 2017 | S |
| D779512 | Kimura et al. | Feb 2017 | S |
| D779514 | Baris et al. | Feb 2017 | S |
| D779531 | List et al. | Feb 2017 | S |
| D780770 | Sum et al. | Mar 2017 | S |
| D785009 | Lim et al. | Apr 2017 | S |
| D785010 | Bachman et al. | Apr 2017 | S |
| D785016 | Berwick et al. | Apr 2017 | S |
| 9620079 | Curtis | Apr 2017 | B2 |
| D787530 | Huang | May 2017 | S |
| D788128 | Wada | May 2017 | S |
| 9641547 | Yampolskiy et al. | May 2017 | B2 |
| 9646110 | Byrne et al. | May 2017 | B2 |
| D789947 | Sun | Jun 2017 | S |
| D789957 | Wu et al. | Jun 2017 | S |
| 9680855 | Schultz et al. | Jun 2017 | B2 |
| 9680858 | Boyer et al. | Jun 2017 | B1 |
| D791153 | Rice et al. | Jul 2017 | S |
| D791834 | Eze et al. | Jul 2017 | S |
| D792427 | Weaver et al. | Jul 2017 | S |
| D795891 | Kohan et al. | Aug 2017 | S |
| 9736019 | Hardison et al. | Aug 2017 | B2 |
| D796523 | Bhandari et al. | Sep 2017 | S |
| D801989 | Iketsuki et al. | Nov 2017 | S |
| D803237 | Wu et al. | Nov 2017 | S |
| D804528 | Martin et al. | Dec 2017 | S |
| D806735 | Olsen et al. | Jan 2018 | S |
| D806737 | Chung et al. | Jan 2018 | S |
| D809523 | Lipka et al. | Feb 2018 | S |
| D809989 | Lee et al. | Feb 2018 | S |
| D812633 | Saneii | Mar 2018 | S |
| D814483 | Gavaskar et al. | Apr 2018 | S |
| D815119 | Chalker et al. | Apr 2018 | S |
| D815148 | Martin et al. | Apr 2018 | S |
| D816105 | Rudick et al. | Apr 2018 | S |
| D816116 | Selassie | Apr 2018 | S |
| 9954893 | Zhao et al. | Apr 2018 | B1 |
| D817970 | Chang et al. | May 2018 | S |
| D817977 | Kato et al. | May 2018 | S |
| D818475 | Yepez et al. | May 2018 | S |
| D819687 | Yampolskiy et al. | Jun 2018 | S |
| 10044750 | Livshits et al. | Aug 2018 | B2 |
| 10079854 | Scott et al. | Sep 2018 | B1 |
| 10142364 | Baukes et al. | Nov 2018 | B2 |
| D835631 | Yepez et al. | Dec 2018 | S |
| 10180966 | Lang et al. | Jan 2019 | B1 |
| 10185924 | McClintock et al. | Jan 2019 | B1 |
| 10210329 | Malik et al. | Feb 2019 | B1 |
| 10217071 | Mo et al. | Feb 2019 | B2 |
| 10230753 | Yampolskiy et al. | Mar 2019 | B2 |
| 10230764 | Ng et al. | Mar 2019 | B2 |
| 10235524 | Ford | Mar 2019 | B2 |
| D847169 | Sombreireiro et al. | Apr 2019 | S |
| 10257219 | Geil et al. | Apr 2019 | B1 |
| 10305854 | Alizadeh-Shabdiz et al. | May 2019 | B2 |
| 10331502 | Hart | Jun 2019 | B1 |
| 10339321 | Tedeschi | Jul 2019 | B2 |
| 10339484 | Pai et al. | Jul 2019 | B2 |
| 10348755 | Shavell et al. | Jul 2019 | B1 |
| 10412083 | Zou et al. | Sep 2019 | B2 |
| D863335 | Hardy et al. | Oct 2019 | S |
| D863345 | Hardy et al. | Oct 2019 | S |
| 10469515 | Helmsen et al. | Nov 2019 | B2 |
| 10491619 | Yampolskiy et al. | Nov 2019 | B2 |
| 10491620 | Yampolskiy et al. | Nov 2019 | B2 |
| 10521583 | Bagulho Monteiro Pereira | Dec 2019 | B1 |
| D872574 | Deylamian et al. | Jan 2020 | S |
| 10540374 | Singh et al. | Jan 2020 | B2 |
| D874506 | Kang et al. | Feb 2020 | S |
| D880512 | Greenwald et al. | Apr 2020 | S |
| D894939 | Braica | Sep 2020 | S |
| 10764298 | Light et al. | Sep 2020 | B1 |
| 10776483 | Bagulho Monteiro Pereira | Sep 2020 | B2 |
| 10796260 | Brannon et al. | Oct 2020 | B2 |
| D903693 | Li et al. | Dec 2020 | S |
| D905712 | Li et al. | Dec 2020 | S |
| D908139 | Hardy et al. | Jan 2021 | S |
| 10896394 | Brannon et al. | Jan 2021 | B2 |
| 10909488 | Hecht et al. | Feb 2021 | B2 |
| D918955 | Madden, Jr. et al. | May 2021 | S |
| D920343 | Bowland | May 2021 | S |
| D920353 | Boutros et al. | May 2021 | S |
| D921031 | Tessier et al. | Jun 2021 | S |
| D921662 | Giannino et al. | Jun 2021 | S |
| D921674 | Kmak et al. | Jun 2021 | S |
| D921677 | Kmak et al. | Jun 2021 | S |
| D922397 | Modi et al. | Jun 2021 | S |
| D924909 | Nasu et al. | Jul 2021 | S |
| 11126723 | Bagulho Monteiro Pereira | Sep 2021 | B2 |
| 11379773 | Vescio | Jul 2022 | B2 |
| 20010044798 | Nagral et al. | Nov 2001 | A1 |
| 20020083077 | Vardi | Jun 2002 | A1 |
| 20020133365 | Grey et al. | Sep 2002 | A1 |
| 20020164983 | Raviv et al. | Nov 2002 | A1 |
| 20030011601 | Itoh et al. | Jan 2003 | A1 |
| 20030050862 | Bleicken et al. | Mar 2003 | A1 |
| 20030074248 | Braud et al. | Apr 2003 | A1 |
| 20030123424 | Jung | Jul 2003 | A1 |
| 20030187967 | Walsh et al. | Oct 2003 | A1 |
| 20040003284 | Campbell et al. | Jan 2004 | A1 |
| 20040010709 | Baudoin et al. | Jan 2004 | A1 |
| 20040024859 | Bloch et al. | Feb 2004 | A1 |
| 20040088570 | Roberts et al. | May 2004 | A1 |
| 20040098375 | DeCarlo | May 2004 | A1 |
| 20040133561 | Burke | Jul 2004 | A1 |
| 20040133689 | Vasisht | Jul 2004 | A1 |
| 20040193907 | Patanella | Sep 2004 | A1 |
| 20040193918 | Green et al. | Sep 2004 | A1 |
| 20040199791 | Poletto et al. | Oct 2004 | A1 |
| 20040199792 | Tan et al. | Oct 2004 | A1 |
| 20040221296 | Ogielski et al. | Nov 2004 | A1 |
| 20040250122 | Newton | Dec 2004 | A1 |
| 20040250134 | Kohler et al. | Dec 2004 | A1 |
| 20050065807 | DeAngelis et al. | Mar 2005 | A1 |
| 20050066195 | Jones | Mar 2005 | A1 |
| 20050071450 | Allen et al. | Mar 2005 | A1 |
| 20050076245 | Graham et al. | Apr 2005 | A1 |
| 20050080720 | Betz et al. | Apr 2005 | A1 |
| 20050108415 | Turk et al. | May 2005 | A1 |
| 20050131830 | Juarez et al. | Jun 2005 | A1 |
| 20050138413 | Lippmann et al. | Jun 2005 | A1 |
| 20050160002 | Roetter et al. | Jul 2005 | A1 |
| 20050234767 | Bolzman et al. | Oct 2005 | A1 |
| 20050278726 | Cano et al. | Dec 2005 | A1 |
| 20060036335 | Banter et al. | Feb 2006 | A1 |
| 20060107226 | Matthews et al. | May 2006 | A1 |
| 20060173992 | Weber et al. | Aug 2006 | A1 |
| 20060212925 | Shull et al. | Sep 2006 | A1 |
| 20060253581 | Dixon et al. | Nov 2006 | A1 |
| 20060271564 | Meng Muntz et al. | Nov 2006 | A1 |
| 20070016948 | Dubrovsky et al. | Jan 2007 | A1 |
| 20070067845 | Wiemer et al. | Mar 2007 | A1 |
| 20070113282 | Ross | May 2007 | A1 |
| 20070136622 | Price et al. | Jun 2007 | A1 |
| 20070143851 | Nicodemus et al. | Jun 2007 | A1 |
| 20070179955 | Croft et al. | Aug 2007 | A1 |
| 20070198275 | Malden et al. | Aug 2007 | A1 |
| 20070214151 | Thomas et al. | Sep 2007 | A1 |
| 20070282730 | Carpenter et al. | Dec 2007 | A1 |
| 20080017526 | Prescott et al. | Jan 2008 | A1 |
| 20080033775 | Dawson et al. | Feb 2008 | A1 |
| 20080047018 | Baudoin et al. | Feb 2008 | A1 |
| 20080091834 | Norton | Apr 2008 | A1 |
| 20080140495 | Bhamidipaty et al. | Jun 2008 | A1 |
| 20080140728 | Fraser et al. | Jun 2008 | A1 |
| 20080148408 | Kao et al. | Jun 2008 | A1 |
| 20080162931 | Lord et al. | Jul 2008 | A1 |
| 20080172382 | Prettejohn | Jul 2008 | A1 |
| 20080175266 | Alperovitch et al. | Jul 2008 | A1 |
| 20080208995 | Takahashi et al. | Aug 2008 | A1 |
| 20080209565 | Baudoin et al. | Aug 2008 | A2 |
| 20080222287 | Bahl et al. | Sep 2008 | A1 |
| 20080262895 | Hofmeister et al. | Oct 2008 | A1 |
| 20080270458 | Gvelesiani | Oct 2008 | A1 |
| 20090044272 | Jarrett | Feb 2009 | A1 |
| 20090064337 | Chien | Mar 2009 | A1 |
| 20090094265 | Vlachos et al. | Apr 2009 | A1 |
| 20090125427 | Atwood et al. | May 2009 | A1 |
| 20090132861 | Costa et al. | May 2009 | A1 |
| 20090161629 | Purkayastha et al. | Jun 2009 | A1 |
| 20090193054 | Karimisetty et al. | Jul 2009 | A1 |
| 20090216700 | Bouchard et al. | Aug 2009 | A1 |
| 20090228830 | Herz et al. | Sep 2009 | A1 |
| 20090265787 | Baudoin et al. | Oct 2009 | A9 |
| 20090276835 | Jackson et al. | Nov 2009 | A1 |
| 20090293128 | Lippmann et al. | Nov 2009 | A1 |
| 20090299802 | Brennan | Dec 2009 | A1 |
| 20090300768 | Krishnamurthy et al. | Dec 2009 | A1 |
| 20090319420 | Sanchez et al. | Dec 2009 | A1 |
| 20090323632 | Nix | Dec 2009 | A1 |
| 20090328063 | Corvera et al. | Dec 2009 | A1 |
| 20100017880 | Masood | Jan 2010 | A1 |
| 20100024033 | Kang et al. | Jan 2010 | A1 |
| 20100042605 | Cheng et al. | Feb 2010 | A1 |
| 20100057582 | Artin et al. | Mar 2010 | A1 |
| 20100114634 | Christiansen et al. | May 2010 | A1 |
| 20100186088 | Banerjee et al. | Jul 2010 | A1 |
| 20100205042 | Mun | Aug 2010 | A1 |
| 20100218256 | Thomas et al. | Aug 2010 | A1 |
| 20100262444 | Atwal et al. | Oct 2010 | A1 |
| 20100275263 | Bennett et al. | Oct 2010 | A1 |
| 20100281124 | Westman et al. | Nov 2010 | A1 |
| 20100281151 | Ramankutty et al. | Nov 2010 | A1 |
| 20100309206 | Xie et al. | Dec 2010 | A1 |
| 20110137704 | Mitra et al. | Jun 2011 | A1 |
| 20110145168 | Dirnstorfer et al. | Jun 2011 | A1 |
| 20110145576 | Bettan | Jun 2011 | A1 |
| 20110148880 | De Peuter | Jun 2011 | A1 |
| 20110185403 | Dolan et al. | Jul 2011 | A1 |
| 20110213742 | Lemmond et al. | Sep 2011 | A1 |
| 20110219455 | Bhagwan et al. | Sep 2011 | A1 |
| 20110225085 | Takeshita et al. | Sep 2011 | A1 |
| 20110231395 | Vadlamani et al. | Sep 2011 | A1 |
| 20110239300 | Klein et al. | Sep 2011 | A1 |
| 20110249002 | Duplessis et al. | Oct 2011 | A1 |
| 20110282997 | Prince et al. | Nov 2011 | A1 |
| 20110296519 | Ide et al. | Dec 2011 | A1 |
| 20120008974 | Kawai et al. | Jan 2012 | A1 |
| 20120036263 | Madden et al. | Feb 2012 | A1 |
| 20120036580 | Gorny et al. | Feb 2012 | A1 |
| 20120059823 | Barber et al. | Mar 2012 | A1 |
| 20120089745 | Turakhia | Apr 2012 | A1 |
| 20120158725 | Molloy et al. | Jun 2012 | A1 |
| 20120166458 | Laudanski et al. | Jun 2012 | A1 |
| 20120174219 | Hernandez et al. | Jul 2012 | A1 |
| 20120198558 | Liu et al. | Aug 2012 | A1 |
| 20120215892 | Wanser et al. | Aug 2012 | A1 |
| 20120221376 | Austin | Aug 2012 | A1 |
| 20120255027 | Kanakapura et al. | Oct 2012 | A1 |
| 20120291129 | Shulman et al. | Nov 2012 | A1 |
| 20130014253 | Neou et al. | Jan 2013 | A1 |
| 20130055386 | Kim et al. | Feb 2013 | A1 |
| 20130060351 | Imming et al. | Mar 2013 | A1 |
| 20130080505 | Nielsen et al. | Mar 2013 | A1 |
| 20130086521 | Grossele et al. | Apr 2013 | A1 |
| 20130086687 | Chess et al. | Apr 2013 | A1 |
| 20130091574 | Howes et al. | Apr 2013 | A1 |
| 20130124644 | Hunt et al. | May 2013 | A1 |
| 20130124653 | Vick et al. | May 2013 | A1 |
| 20130142050 | Luna | Jun 2013 | A1 |
| 20130173791 | Longo | Jul 2013 | A1 |
| 20130212479 | Willis et al. | Aug 2013 | A1 |
| 20130227078 | Wei et al. | Aug 2013 | A1 |
| 20130227697 | Zandani | Aug 2013 | A1 |
| 20130263270 | Cote et al. | Oct 2013 | A1 |
| 20130276056 | Epstein | Oct 2013 | A1 |
| 20130282406 | Snyder et al. | Oct 2013 | A1 |
| 20130291105 | Yan | Oct 2013 | A1 |
| 20130298244 | Kumar et al. | Nov 2013 | A1 |
| 20130305368 | Ford | Nov 2013 | A1 |
| 20130333038 | Chien | Dec 2013 | A1 |
| 20130347116 | Flores et al. | Dec 2013 | A1 |
| 20140006129 | Heath | Jan 2014 | A1 |
| 20140019196 | Wiggins et al. | Jan 2014 | A1 |
| 20140052998 | Bloom et al. | Feb 2014 | A1 |
| 20140101006 | Pitt | Apr 2014 | A1 |
| 20140108474 | David et al. | Apr 2014 | A1 |
| 20140114755 | Mezzacca | Apr 2014 | A1 |
| 20140114843 | Klein et al. | Apr 2014 | A1 |
| 20140130158 | Wang et al. | May 2014 | A1 |
| 20140137257 | Martinez et al. | May 2014 | A1 |
| 20140146370 | Banner et al. | May 2014 | A1 |
| 20140173066 | Newton et al. | Jun 2014 | A1 |
| 20140173736 | Liu | Jun 2014 | A1 |
| 20140189098 | MaGill et al. | Jul 2014 | A1 |
| 20140204803 | Nguyen et al. | Jul 2014 | A1 |
| 20140237545 | Mylavarapu et al. | Aug 2014 | A1 |
| 20140244317 | Roberts et al. | Aug 2014 | A1 |
| 20140282261 | Ranz et al. | Sep 2014 | A1 |
| 20140283056 | Bachwani et al. | Sep 2014 | A1 |
| 20140283068 | Call et al. | Sep 2014 | A1 |
| 20140288996 | Rence et al. | Sep 2014 | A1 |
| 20140304816 | Klein et al. | Oct 2014 | A1 |
| 20140330616 | Lyras | Nov 2014 | A1 |
| 20140334336 | Chen et al. | Nov 2014 | A1 |
| 20140337086 | Asenjo et al. | Nov 2014 | A1 |
| 20140337633 | Yang et al. | Nov 2014 | A1 |
| 20140344332 | Giebler | Nov 2014 | A1 |
| 20150033331 | Stern et al. | Jan 2015 | A1 |
| 20150033341 | Schmidtler et al. | Jan 2015 | A1 |
| 20150052607 | Al Hamami | Feb 2015 | A1 |
| 20150074579 | Gladstone et al. | Mar 2015 | A1 |
| 20150081860 | Kuehnel et al. | Mar 2015 | A1 |
| 20150156084 | Kaminsky et al. | Jun 2015 | A1 |
| 20150180883 | Aktas et al. | Jun 2015 | A1 |
| 20150195299 | Zoldi et al. | Jul 2015 | A1 |
| 20150207776 | Morin et al. | Jul 2015 | A1 |
| 20150248280 | Pillay et al. | Sep 2015 | A1 |
| 20150261955 | Huang et al. | Sep 2015 | A1 |
| 20150264061 | Ibatullin et al. | Sep 2015 | A1 |
| 20150288706 | Marshall | Oct 2015 | A1 |
| 20150288709 | Singhal et al. | Oct 2015 | A1 |
| 20150310188 | Ford et al. | Oct 2015 | A1 |
| 20150310213 | Ronen et al. | Oct 2015 | A1 |
| 20150317672 | Espinoza et al. | Nov 2015 | A1 |
| 20150331932 | Georges et al. | Nov 2015 | A1 |
| 20150347754 | Born | Dec 2015 | A1 |
| 20150347756 | Hidayat et al. | Dec 2015 | A1 |
| 20150350229 | Mitchell | Dec 2015 | A1 |
| 20150381649 | Schultz et al. | Dec 2015 | A1 |
| 20160014081 | Don, Jr. et al. | Jan 2016 | A1 |
| 20160023639 | Cajiga et al. | Jan 2016 | A1 |
| 20160036849 | Zakian | Feb 2016 | A1 |
| 20160065613 | Cho et al. | Mar 2016 | A1 |
| 20160078382 | Watkins et al. | Mar 2016 | A1 |
| 20160088015 | Sivan et al. | Mar 2016 | A1 |
| 20160104071 | Brueckner | Apr 2016 | A1 |
| 20160119373 | Fausto et al. | Apr 2016 | A1 |
| 20160140466 | Sidebottom et al. | May 2016 | A1 |
| 20160147992 | Zhao et al. | May 2016 | A1 |
| 20160162602 | Bradish et al. | Jun 2016 | A1 |
| 20160171415 | Yampolskiy et al. | Jun 2016 | A1 |
| 20160173520 | Foster et al. | Jun 2016 | A1 |
| 20160173522 | Yampolskiy et al. | Jun 2016 | A1 |
| 20160182537 | Tatourian et al. | Jun 2016 | A1 |
| 20160189301 | Ng et al. | Jun 2016 | A1 |
| 20160191554 | Kaminsky | Jun 2016 | A1 |
| 20160205126 | Boyer et al. | Jul 2016 | A1 |
| 20160212101 | Reshadi et al. | Jul 2016 | A1 |
| 20160241560 | Reshadi et al. | Aug 2016 | A1 |
| 20160248797 | Yampolskiy et al. | Aug 2016 | A1 |
| 20160253500 | Aime et al. | Sep 2016 | A1 |
| 20160259945 | Yampolskiy et al. | Sep 2016 | A1 |
| 20160337387 | Hu et al. | Nov 2016 | A1 |
| 20160344769 | Li | Nov 2016 | A1 |
| 20160344801 | Akkarawittayapoom | Nov 2016 | A1 |
| 20160364496 | Li | Dec 2016 | A1 |
| 20160373485 | Kamble | Dec 2016 | A1 |
| 20160378978 | Singla et al. | Dec 2016 | A1 |
| 20170048267 | Yampolskiy et al. | Feb 2017 | A1 |
| 20170063901 | Muddu et al. | Mar 2017 | A1 |
| 20170104783 | Vanunu et al. | Apr 2017 | A1 |
| 20170142148 | Bu Er et al. | May 2017 | A1 |
| 20170161253 | Silver | Jun 2017 | A1 |
| 20170161409 | Martin | Jun 2017 | A1 |
| 20170213292 | Sweeney et al. | Jul 2017 | A1 |
| 20170221072 | AthuluruTlrumala et al. | Aug 2017 | A1 |
| 20170223002 | Sabin et al. | Aug 2017 | A1 |
| 20170236078 | Rasumov | Aug 2017 | A1 |
| 20170237764 | Rasumov | Aug 2017 | A1 |
| 20170264623 | Ficarra et al. | Sep 2017 | A1 |
| 20170279843 | Schultz et al. | Sep 2017 | A1 |
| 20170289109 | Caragea | Oct 2017 | A1 |
| 20170300911 | Alnajem | Oct 2017 | A1 |
| 20170316324 | Barrett et al. | Nov 2017 | A1 |
| 20170318045 | Johns et al. | Nov 2017 | A1 |
| 20170324555 | Wu et al. | Nov 2017 | A1 |
| 20170324766 | Gonzalez | Nov 2017 | A1 |
| 20170337487 | Nock et al. | Nov 2017 | A1 |
| 20180013716 | Connell et al. | Jan 2018 | A1 |
| 20180088968 | Myhre et al. | Mar 2018 | A1 |
| 20180103043 | Kupreev et al. | Apr 2018 | A1 |
| 20180121659 | Sawhney et al. | May 2018 | A1 |
| 20180123934 | Gissing et al. | May 2018 | A1 |
| 20180124091 | Sweeney et al. | May 2018 | A1 |
| 20180124110 | Hunt et al. | May 2018 | A1 |
| 20180139180 | Napchi et al. | May 2018 | A1 |
| 20180146004 | Belfiore, Jr. et al. | May 2018 | A1 |
| 20180157468 | Stachura | Jun 2018 | A1 |
| 20180191768 | Broda et al. | Jul 2018 | A1 |
| 20180285414 | Kondiles et al. | Oct 2018 | A1 |
| 20180322584 | Crabtree et al. | Nov 2018 | A1 |
| 20180336348 | Ng et al. | Nov 2018 | A1 |
| 20180337938 | Kneib et al. | Nov 2018 | A1 |
| 20180337941 | Kraning et al. | Nov 2018 | A1 |
| 20180349641 | Barday et al. | Dec 2018 | A1 |
| 20180365519 | Pollard et al. | Dec 2018 | A1 |
| 20180375896 | Wang et al. | Dec 2018 | A1 |
| 20190034845 | Mo et al. | Jan 2019 | A1 |
| 20190065545 | Hazel et al. | Feb 2019 | A1 |
| 20190079869 | Baldi et al. | Mar 2019 | A1 |
| 20190089711 | Faulkner | Mar 2019 | A1 |
| 20190098025 | Lim | Mar 2019 | A1 |
| 20190124091 | Ujiie et al. | Apr 2019 | A1 |
| 20190140925 | Pon et al. | May 2019 | A1 |
| 20190141060 | Lim | May 2019 | A1 |
| 20190147378 | Mo et al. | May 2019 | A1 |
| 20190166152 | Steele et al. | May 2019 | A1 |
| 20190179490 | Barday et al. | Jun 2019 | A1 |
| 20190215331 | Anakata et al. | Jul 2019 | A1 |
| 20190238439 | Pugh et al. | Aug 2019 | A1 |
| 20190297106 | Geil et al. | Sep 2019 | A1 |
| 20190303574 | Lamay et al. | Oct 2019 | A1 |
| 20190362280 | Vescio | Nov 2019 | A1 |
| 20190379632 | Dahlberg et al. | Dec 2019 | A1 |
| 20190391707 | Ristow et al. | Dec 2019 | A1 |
| 20190392252 | Fighel et al. | Dec 2019 | A1 |
| 20200012794 | Saldanha et al. | Jan 2020 | A1 |
| 20200053127 | Brotherton et al. | Feb 2020 | A1 |
| 20200065213 | Poghosyan et al. | Feb 2020 | A1 |
| 20200074084 | Dorrans et al. | Mar 2020 | A1 |
| 20200092172 | Kumaran et al. | Mar 2020 | A1 |
| 20200097845 | Shaikh et al. | Mar 2020 | A1 |
| 20200106798 | Lin | Apr 2020 | A1 |
| 20200125734 | Light et al. | Apr 2020 | A1 |
| 20200183655 | Barday et al. | Jun 2020 | A1 |
| 20200272763 | Brannon et al. | Aug 2020 | A1 |
| 20200285737 | Kraus et al. | Sep 2020 | A1 |
| 20200356689 | McEnroe et al. | Nov 2020 | A1 |
| 20200356695 | Brannon et al. | Nov 2020 | A1 |
| 20210064746 | Koide et al. | Mar 2021 | A1 |
| Entry |
|---|
| U.S. Appl. No. 15/271,655 Published as: US 2018/0083999, Self-Published Security Risk Management, filed Sep. 21, 2016. |
| U.S. Appl. No. 15/377,574 U.S. Pat. No. 9,705,932, Methods and Systems for Creating, De-Duplicating, and Accessing Data Using an Object Storage System, filed Dec. 13, 2016. |
| U.S. Appl. No. 14/021,585 U.S. Pat. No. 9,438,615 Published as: US2015/0074579, Security Risk Management, filed Sep. 9, 2013. |
| U.S. Appl. No. 15/216,955 U.S. Pat. No. 10,326,786 Published as: US 2016/0330231, Methods for Using Organizational Behavior for Risk Ratings, filed Jul. 22, 2016. |
| U.S. Appl. No. 15/239,063 U.S. Pat. No. 10,341,370 Published as: US2017/0093901, Security Risk Management, filed Aug. 17, 2016. |
| U.S. Appl. No. 16/405,121 U.S. Pat. No. 10,785,245 Published as: US2019/0260791, Methods for Using Organizational Behavior for Risk Ratings, filed May 7, 2019. |
| U.S. Appl. No. 17/025,930 Published as: US2021/0006581, Methods for Using Organizational Behavior for Risk Ratings, filed Sep. 18, 2020. |
| U.S. Appl. No. 13/240,572 U.S. Pat. No. 10,805,331 Published as: US2016/0205126, Information Technology Security Assessment System, filed Sep. 22, 2011. |
| U.S. Appl. No. 14/944,484 U.S. Pat. No. 9,973,524 Published as: US2016/0323308, Information Technology Security Assessment System, filed Nov. 18, 2015. |
| U.S. Appl. No. 17/069,151 Published as: US2021/0211454, Information Technology Security Assessment System, filed Oct. 13, 2020. |
| U.S. Appl. No. 15/142,677 U.S. Pat. No. 9,830,569 Published as: US2016/0239772, Security Assessment Using Service Provider Digital Asset Information, filed Apr. 29, 2016. |
| U.S. Appl. No. 15/134,845 U.S. Pat. No. 9,680,858, Annotation Platform for a Security Risk System, filed Apr. 21, 2016. |
| U.S. Appl. No. 15/044,952 U.S. Pat. No. 11,182,720 Published as: US2017/0236077, Relationships Among Technology Assets and Services and the Entities Responsible for Them, filed Feb. 16, 2016. |
| U.S. Appl. No. 15/089,375 U.S. Pat. No. 10,176,445 Published as: US2017/0236079, Relationships Among Technology Assets and Services and the Entities Responsible for Them. |
| U.S. Appl. No. 29/598,298 U.S. Pat. No. D. 835,631, Computer Display Screen With Graphical User Interface, filed Mar. 24, 2017. |
| U.S. Appl. No. 29/598,299 U.S. Pat. No. D. 818,475, Computer Display With Security Ratings Graphical User Interface, filed Mar. 24, 2017. |
| U.S. Appl. No. 29/599,622 U.S. Pat. No. D. 847,169, Computer Display With Security Ratings Graphical User Interface, filed Apr. 5, 2017. |
| U.S. Appl. No. 29/599,620 U.S. Pat. No. D. 846,562, Computer Display With Security Ratings Graphical User Interface, filed Apr. 5, 2017. |
| U.S. Appl. No. 16/015,686 U.S. Pat. No. 10,425,380 Published as: US2018/0375822, Methods for Mapping IP Addresses and Domains to Organizations Using User Activity Data, filed Jun. 22, 2018. |
| U.S. Appl. No. 16/543,075 U.S. Pat. No. 10,554,619 Published as: US2019/0379632, Methods or Mapping IP Addresses and Domains to Organizations Using User Activity Data, filed Aug. 16, 2019. |
| U.S. Appl. No. 16/738,825 U.S. Pat. No. 10,893,021 Published as: US2020/0153787, Methods for Mapping IP Addresses and Domains to Organizations Using User Activity Data, filed Jan. 9, 2020. |
| U.S. Appl. No. 17/146,064 Published as: US202021/0218702, Methods for Mapping IP Addresses and Domains to Organizations Using User Activity Data, filed Jan. 11, 2021. |
| U.S. Appl. No. 15/918,286 U.S. Pat. No. 10,257,219, Correlated Risk in Cybersecurity, filed Mar. 12, 2018. |
| U.S. Appl. No. 16/292,956 U.S. Pat. No. 10,594,723 Published as: US2019/0297106, Correlated Risk in Cybersecurity, filed Mar. 5, 2019. |
| U.S. Appl. No. 16/795,056 U.S. Pat. No. 10,931,705 Published as: US2020/0195681, Correlated Risk in Cybersecurity, filed Feb. 19, 2020. |
| U.S. Appl. No. 17/179,630 Published as US2021/0176269, Correlated Risk in Cybersecurity, filed Feb. 19, 2021. |
| U.S. Appl. No. 16/170,680 U.S. Pat. No. 10,521,583, Systems and Methods for Remote Detection of Software Through Browser Webinjects, filed Oct. 25, 2018. |
| U.S. Appl. No. 16/688,647 U.S. Pat. No. 10,776,483 Published as: US2020/0134174, Systems and Methods for Remote Detection of Software Through Browser Webinjects, filed Nov. 19, 2019. |
| U.S. Appl. No. 17/000,135 U.S. Pat. No. 11,126,723 Published as: US2021/0004457, Systems and Methods for Remote Detection of Software Through Browser Webinjects, filed Aug. 21, 2020. |
| U.S. Appl. No. 17/401,683 Published as: US2021/0374243, Systems and Methods for Remote Detection of Software Through Browser Webinjects, filed Aug. 13, 2021. |
| U.S. Appl. No. 15/954,921 U.S. Pat. No. 10,812,520 Published as: US2019/0319979, Systems and Methods for External Detection of Misconfigured Systems, filed Apr. 17, 2018. |
| U.S. Appl. No. 17/014,495 Published as: US2020/0404017m Systems and Methods for External Detection of Misconfigured Systems, filed Sep. 8, 2020. |
| U.S. Appl. No. 16/549,764 Published as: US2021/0058421, Systems and Methods for Inferring Entity Relationships via Network Communications of Users or User Devices, filed Aug. 23, 2019. |
| U.S. Appl. No. 16/787,650 U.S. Pat. No. 10,749,893, Systems and Methods for Inferring Entity Relationships via Network Communications of Users or User Devices, filed Feb. 11, 2020. |
| U.S. Appl. No. 16/583,991 U.S. Pat. No. 10,848,382, Systems and Methods for Network Asset Discovery and Association Thereof With Entities, filed Sep. 26, 2019. |
| U.S. Appl. No. 17/085,550 U.S. Pat. No. 11,329,878 Published as: US2021/0099347, Systems and Methods for Network Asset Discovery and Association Thereof With Entities, filed Oct. 30, 2020. |
| U.S. Appl. No. 29/666,942 U.S. Pat. No. D. 892,135 Computer Display With Graphical User Interface, filed Oct. 17, 2018. |
| U.S. Appl. No. 16/360,641 U.S. Pat. No. 11,200,323 Published as: US2020/0125734, Systems and Methods for Forecasting Cybersecurity Ratings Based on Event-Rate Scenarios, filed Mar. 21, 2019. |
| U.S. Appl. No. 17/523,166 Published as: US2022/0121753, Systems and Methods for Forecasting Cybersecurity Ratings Based on Event-Rate Scenarios, filed Nov. 10, 2021. |
| U.S. Appl. No. 16/514,771 U.S. Pat. No. 10,726,136, Systems and Methods for Generating Security Improvement Plans for Entities, filed Jul. 17, 2019. |
| U.S. Appl. No. 16/922,673 U.S. Pat. No. 11,030,325 Published as: US2021/0019424, Systems and Methods for Generating Security Improvement Plans for Entities, filed Jul. 7, 2020. |
| U.S. Appl. No. 17/307,577 Published as: US2021/0211454, Systems and Methods for Generating Security Improvement Plans for Entities, filed May 4, 2021. |
| U.S. Appl. No. 29/677,306 U.S. Pat. No. D. 905,702, Computer Display Screen With Corporate Hierarchy Graphical User Interface, filed Jan. 18, 2019. |
| U.S. Appl. No. 16/775,840 U.S. Pat. No. 10,791,140, Systems and Methods for Assessing Cybersecurity State of Entities Based on Computer Network Characterization, filed Jan. 29, 2020. |
| U.S. Appl. No. 17/018,587 U.S. Pat. No. 11,050,779, Systems and Methods for Assessing Cybersecurity State of Entities Based on Computer Network Characterization, filed Sep. 11, 2020. |
| U.S. Appl. No. 16/779,437 U.S. Pat. No. 10,893,067 Published as: US2021/0243221, Systems and Methods for Rapidly Generating Security Ratings, filed Jan. 31, 2020. |
| U.S. Appl. No. 17/132,512 Published as: US2021/0243221, Systems and Methods for Rapidly Generating Security Ratings, filed Dec. 23, 2020. |
| U.S. Appl. No. 17/119,822 U.S. Pat. No. 11,122,073, Systems and Methods for Cybersecurity Risk Mitigation and Management, filed Dec. 11, 2020. |
| U.S. Appl. No. 29/815,855, Computer Display With a Graphical User Interface for Cybersecurity Risk Management, filed Nov. 17, 2021. |
| U.S. Appl. No. 17/392,521 Published as US 2022/0191232, Systems and Methods for Cybersecurity Risk Mitigation and Management, filed Aug. 3, 2021. |
| U.S. Appl. No. 16/802,232 U.S. Pat. No. 10,764,298, Systems and Methods for Improving a Security Profile of an Entity Based on Peer Security Profiles, filed Feb. 26, 2020. |
| U.S. Appl. No. 16/942,452 U.S. Pat. No. 11,265,330 Published as: US2021/0266324, Systems and Methods for Improving a Security Profile of an Entity Based on Peer Security Profiles, filed Jul. 29, 2020. |
| U.S. Appl. No. 29/725,724, Computer Display With Risk Vectors Graphical User Interface, filed Feb. 26, 2020. |
| U.S. Appl. No. 29/736,641 U.S. Pat. No. D. 937,870, Computer Display With Peer Analytics Graphical User Interface, filed Jun. 2, 2020. |
| U.S. Appl. No. 17/039,675 U.S. Pat. No. 11,032,244 Published as: US2021/0099428, Systems and Methods for Determining Asset Importance in Security Risk Management, filed Sep. 30, 2020. |
| U.S. Appl. No. 17/320,997, Published as US 2021/0344647, Systems and Methods for Determining Asset Importance in Security Risk Management, filed May 14, 2021. |
| U.S. Appl. No. 16/884,607 U.S. Pat. No. 11,023,585, Systems and Methods for Managing Cybersecurity Alerts, filed May 27, 2020. |
| U.S. Appl. No. 17/236,594 Published as: US2021/0374246, Systems and Methods for Managing Cybersecurity Alerts, filed Apr. 21, 2021. |
| U.S. Appl. No. 17/710,168 Published as: US2022/0318400, Systems and Methods for Assessing Cybersecurity Risk in a Work From Home Environment, filed Mar. 31, 2022. |
| U.S. Appl. No. 17/945,337, Systems and Methods for Precomputation of Digital Asset Inventories, filed Sep. 15, 2022. |
| U.S. Appl. No. 17/856,217 Published as: US2023/0004655, Systems and Methods for Accelerating Cybersecurity Assessments, filed Jul. 1, 2022. |
| U.S. Appl. No. 18/162,154, Systems and Methods for Assessment of Cyber Resilience, filed Jan. 31, 2023. |
| Number | Date | Country | |
|---|---|---|---|
| 20230164171 A1 | May 2023 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 16779437 | Jan 2020 | US |
| Child | 17132512 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 17132512 | Dec 2020 | US |
| Child | 18158594 | US |
