US20120159626A1 - Geographical intrusion response prioritization mapping system - Google Patents
Geographical intrusion response prioritization mapping system Download PDFInfo
- Publication number
- US20120159626A1 US20120159626A1 US13/342,146 US201213342146A US2012159626A1 US 20120159626 A1 US20120159626 A1 US 20120159626A1 US 201213342146 A US201213342146 A US 201213342146A US 2012159626 A1 US2012159626 A1 US 2012159626A1
- Authority
- US
- United States
- Prior art keywords
- intrusion
- network
- computing device
- intruded
- potentially
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/22—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0677—Localisation of faults
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/52—Network services specially adapted for the location of the user terminal
Definitions
- This invention relates to a system and method to geographically map intrusions into a network in near or post real time for a physically focused response.
- systems and methods for geographically mapping an intrusion into a network having one or more network points include receiving intrusion information, identifying an intrusion into a point of the network, correlating the intrusion information with location information for the identified network point, and network identification information for the identified network point, and generating a map displaying a geographical location of the intrusion.
- FIG. 1 is a block diagram of an exemplary environment in which the systems and methods of the present invention may be implemented;
- FIG. 2 is a block diagram of an exemplary embodiment of a mapping computer
- FIG. 3 is a flowchart of an exemplary method for geographically mapping response information
- FIG. 4 is an exemplary screenshot of records in an intrusion database containing intrusion information
- FIG. 5 is an exemplary screenshot of records in an ARP database
- FIG. 6 is an exemplary screenshot of records in a location database
- FIG. 7 is an exemplary screenshot of records in a map database containing information for mapping intrusions
- FIG. 8 is an exemplary screenshot of a map geographically mapping vulnerabilities consistent with the present invention.
- FIG. 9 is a flowchart showing an exemplary method for updating a geographic map with progress information.
- an “intrusion” is an unauthorized use, attempt, or successful entry into a digital, computerized, or automated system, requiring a response from a human administrator or response team to mitigate any damage or unwanted consequences of the entry.
- introduction of a virus and the unauthorized entry into a system by a hacker are each “intrusions” within the spirit of the present invention.
- An “intrusion response” is a response by systems or human operators to limit or mitigate damage from the intrusion or prevent future intrusions.
- a “vulnerability” is a prospective intrusion, that is, a location in a digital, computerized, or automated system, at which an unauthorized use, attempt, or successful entry is possible or easier than at other points in the system.
- a specific weakness may be identified in a particular operating system, such as Microsoft's WindowsTM operating system when running less than Service Pack 6. Then, all computers running the Windows operating system with less than Service Pack 6 will therefore have this vulnerability.
- this and other vulnerabilities may be identified by commercially available software products. While methods of locating such vulnerabilities are outside the scope of the present invention, one of ordinary skill in the art will recognize that any of the vulnerabilities identified or located by such software products, now known or later developed, are within the spirit of the present invention.
- a “mitigation response” is the effort undertaken to reduce unwanted consequences or to eliminate the intrusion.
- a response may entail sending a human computer administrator to the site of the location to update software, install anti-virus software, eliminate a virus, or perform other necessary tasks.
- a response may entail installing a patch to the vulnerable computer, such as across a network.
- the present invention does not contemplate any specific responses. Instead, any response to an intrusion requiring the organization of resources is within the scope and spirit of the present invention.
- FIG. 1 is a block diagram of one exemplary environment in which the systems and methods of the present invention may be implemented.
- system 100 employs mapping computer 102 .
- system 100 may also employ databases such as intrusion database 104 , Address Routing Protocol (ARP) database 106 , location database 108 , and map database 110 , each in electronic communication with mapping computer 102 .
- System 100 also includes a display 114 , such as a video display, for displaying the geographic information correlated and mapped by computer 102 using the methods discussed herein, and a network 112 , in electronic communication with computer 102 , in which the intrusions may occur.
- ARP Address Routing Protocol
- intrusion database 104 may contain information identifying an intrusion in the system, such as, for example, the intrusion type, description, and point of possible entry or exit (i.e., network point or computer).
- ARP database 106 may contain network location or identification information such as the IP and/or MAC address for one or more network points representing a potential point of entry or exit (i.e., network point or computer).
- Location database 108 may contain geographical information such as the physical address or GPS coordinates of a potential point of entry or exit.
- map database 110 may correlate and contain information from the intrusion, ARP, and location databases as described below to map the intrusions.
- FIG. 2 is a block diagram illustrating an exemplary mapping computer 102 for use in system 100 , consistent with the present invention.
- Computer 102 includes a bus 202 or other communication mechanism for communicating information, and a processor 204 coupled to bus 202 for processing information.
- Computer 102 also includes a main memory, such as a random access memory (RAM) 206 , coupled to bus 202 for storing information and instructions during execution by processor 204 .
- RAM 206 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 204 .
- Computer system 102 further includes a read only memory (ROM) 208 or other storage device coupled to bus 202 for storing static information and instructions for processor 204 .
- a mass storage device 210 such as a magnetic disk or optical disk, is provided and coupled to bus 202 for storing information and instructions.
- Computer 102 may be coupled via bus 202 to a display 212 , such as a cathode ray tube (CRT), for displaying information to a computer user.
- Display 212 may, in one embodiment, operate as display 114 .
- Computer 102 may further be coupled to an input device 214 , such as a keyboard, is coupled to bus 202 for communicating information and command selections to processor 204 .
- an input device 214 such as a keyboard
- cursor control 216 is Another type of user input device
- Cursor control 216 typically has two degrees of freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y), which allow the device to specify positions in a plane.
- computer 102 executes instructions for geographic mapping of intrusion information. Either alone or in combination with another computer system, computer 102 thus permits the geographic mapping of intrusions in response to processor 204 executing one or more sequences of instructions contained in RAM 206 . Such instructions may be read into RAM 206 from another computer-readable medium, such as storage device 210 . Execution of the sequences of instructions contained in RAM 206 causes processor 204 to perform the functions of mapping computer 102 , and/or the process stages described herein. In an alternative implementation, hard-wired circuitry may be used in place of, or in combination with software instructions to implement the invention. Thus, implementations consistent with the principles of the present invention are not limited to any specific combination of hardware circuitry and software.
- Non-volatile media includes, for example, optical or magnetic disks, such as storage device 210 .
- Volatile media includes dynamic memory, such as RAM 206 .
- Transmission media includes coaxial cables, copper wire and fiber optics, including the wires that comprise bus 202 . Transmission media may also take the form of acoustic or light waves, such as those generated during radio-wave and infra-red data communications.
- Computer-readable media include, for example, a floppy disk, flexible disk, hard disk, magnetic tape, or any other magnetic medium, CD-ROM, any other optical medium, punch cards, paper tape, any other physical medium with patterns of holes, RAM, PROM, EPROM, FLASH-EPROM, any other memory chip or cartridge, carrier wave, or any other medium from which a computer may read.
- carrier waves are the signals which carry the data to and from computer 102 .
- Various forms of computer-readable media may be involved in carrying one or more sequences of one or more instructions to processor 204 for execution.
- the instructions may initially be carried on the magnetic disk of a remote computer.
- the remote computer may load the instructions into a dynamic memory and send the instructions over a telephone line using a modem.
- a modem local to computer 102 may receive the data on the telephone line and use an infra-red transmitter to convert the data to an infra-red signal.
- An infra-red detector coupled to bus 202 may receive the data carried in the infra-red signal and place the data on bus 202 .
- Bus 202 carries the data to main memory 206 , from which processor 204 retrieves and executes the instructions.
- the instructions received by main memory 206 may optionally be stored on storage device 210 either before or after execution by processor 204 .
- Computer 102 may also include a communication interface 218 coupled to bus 202 .
- Communication interface 218 provides a two-way data communication coupling to a network link 220 that may be connected to network 112 .
- Network 112 may be a local area network (LAN), wide area network (WAN), or any other network configuration.
- communication interface 218 may be an integrated services digital network (ISDN) card or a modem to provide a data communication connection to a corresponding type of telephone line.
- Computer 102 may communicate with a host 224 via network 112 .
- communication interface 218 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN.
- Wireless links may also be implemented.
- communication interface 218 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.
- Network link 220 typically provides data communication through one or more networks to other data devices.
- network 112 may communicate with an Internet Service Provider (ISP) 226 .
- ISP Internet Service Provider
- network link 220 may provide a connection to data equipment operated by the ISP 226 .
- ISP 226 provides data communication services from another server 230 or host 224 to computer 102 .
- Network 112 may use electric, electromagnetic or optical signals that carry digital data streams.
- Computer 102 may send messages and receive data, including program code, through network 112 , network link 220 and communication interface 218 .
- server 230 may download an application program to computer 102 via network 112 and communication interface 218 .
- one such downloaded application geographically maps vulnerability or intrusion information, such as, for example, by executing methods 300 and/or 900 , to be described below.
- the received code may be executed by processor 204 as it is received and/or stored in storage device 210 , or other non-volatile storage for later execution.
- computer system 102 may establish connections to multiple servers on Internet 228 and/or network 112 .
- Such servers may include HTML-based Internet applications to provide information to computer system 102 upon request in a manner consistent with the present invention.
- display 114 may, in one embodiment, be implemented as display 212 ( FIG. 2 ), directly connected to computer 102 .
- display 114 may be connected to computer 102 via network 112 .
- display 114 may be a display connected to another computer on network 112 , or may be a stand-alone display device such as a video projector connected to computer 102 via network 112 .
- databases 104 , 106 , 108 , and 110 may each reside within computer 102 or may reside in any other location, such as on network 112 , so long as they are in electronic communication with computer 102 .
- ARP database 106 may be a technical table such as the type typically resident in router points in a computer network, in which information such as the MAC address, IP address and Router (IP/MAC address) is kept.
- location database 108 is a static database in which the physical location of routers or network points is located. Such location information may include router (IP/MAC) address, and router (or network point) physical address (geographic location), such as GPS coordinates. Accordingly, one of ordinary skill in the art will recognize that ARP database 106 and location database 108 may be kept in accordance with any now known or later developed methods for implementing and maintaining ARP information at router points, or physical location information, respectively.
- databases 104 , 106 , 108 , and 110 may be implemented as a single database, or may be implemented as any number of databases.
- system 100 may include multiple ARP databases, such as having one for each router (not shown) in the system.
- system 100 may include multiple intrusion, location, and map databases.
- databases 104 , 106 , 108 , and 110 may be implemented as a single database containing all of the described information.
- system 100 may include any number (one or more) of databases so long as the information discussed herein may be retrieved and correlated as discussed herein.
- databases 104 , 106 , 108 , and 110 may be implemented using any now known or later developed database schemes or database software.
- each of the databases may be implemented using a relational database scheme, and/or may be built using Microsoft AccessTM or Microsoft ExcelTM software. While, more likely, one or more databases will be implemented to take into account other factors outside the scope of the present invention (for example, ARP database 106 may require specific format or implementation dependent on the router within which it resides), one of ordinary skill in the art will recognize that any implementation (and location) of the present databases is contemplated within the scope and spirit of the present invention.
- FIG. 3 shows a method 300 for execution, such as by computer 102 , for geographic mapping of intrusion information, consistent with the present invention.
- Method 300 begins by receiving intrusion information, stage 302 , such as from a computer administrator, as the output of software designed to detect intrusions, from an intrusion detection system, router, network management system, security information manager, or from any other source.
- the intrusion information may include an identification (such as the IP address) of the computer where the intrusion started or ended, the name and description of the intrusion, and possibly other data.
- the intrusion information Upon receipt of the intrusion information, it is stored in intrusion database 104 , stage 304 .
- FIG. 4 shows one embodiment of intrusion information 400 within intrusion database 104 .
- computer 102 then retrieves, for computers (or network points) at which an intrusion started or ended, ARP information for that computer (or network point) from ARP database 106 , stage 306 .
- the intrusion information (such as the IP address) may be used as a key to retrieve the appropriate record from ARP database 106 .
- the ARP information may include the MAC address, and router IP/MAC address or any other network address information of the network point at which the intrusion started or ended, as necessary.
- FIG. 5 shows one exemplary embodiment 500 of the ARP information within ARP database 106 .
- computer 102 may also retrieve geographic location information for the computer at which the intrusion started or ended, from location database 108 , stage 308 .
- the intrusion data such as IP address
- the ARP data such as the router IP/MAC address
- the location information retrieved may include such information as the physical location (e.g., mailing address or GPS coordinates) for the identified network point or computer.
- FIG. 6 shows one exemplary embodiment 600 of the location information within location database 108 .
- map database 110 Once this information has been retrieved from databases 104 , 106 , and 108 , it is stored in map database 110 , stage 310 .
- the retrieved information is preferably correlated such that all information for a particular intrusion is stored in a record for that intrusion.
- FIG. 7 shows an exemplary screenshot 700 of records of map information for mapping intrusions, such as may be stored in map database 110 .
- map database records may contain the intrusion information, the network address (such as the IP or MAC address from ARP database 106 ), and the physical location, such as the mailing address or GPS information (from location database 108 ).
- map database records may also include a status of the intrusion and an indication of the response person or team assigned to respond to the intrusion.
- computer 102 Upon correlating this information within map database 110 , computer 102 then maps the location of the intrusion, stage 312 .
- the location information for each record is imported into a commercially available mapping program such as MapPointTM by Microsoft, to visually locate the intrusion points with network 112 on a map.
- the map may represent each of the intrusions as a symbol on the map, for example, as a push pin.
- An exemplary map 800 using this push pin approach is shown as FIG. 8 .
- each pushpin 802 , 804 shows the location of a point of intrusion requiring a response.
- map 800 Using map 800 , response teams or system administrators will be able to identify “pockets” of intrusions and will be able to better prioritize and more efficiently schedule response personnel to respond and mitigate or eliminate the intrusion, based on geographic location. In addition, by continually updating the map and watching it change over time, system operators will be able to geographically view the spread, if any, of an intrusion. Furthermore, by also tracking system updates, the administrator will be able to identify new entry points.
- FIG. 9 shows a flowchart of a method 900 for updating the geographic map with progress information.
- Method 900 begins with a response team or system administrator sending an update to the system to advise of a new status of a intrusion, stage 902 .
- the response team may advise the system that the intruded computer must be replaced, and be rendered inactive until it is replaced, (i.e., the intrusion is “open”) or may advise the system that the intruded computer has been upgraded and is no longer compromised.
- each intrusion record in the database may contain a field to identify the status of the intrusion (see FIG. 7 ). Possible status indicators may reflect that the intrusion is “new,” “open” (i.e., not yet responded to), “assigned to a response team,” “closed” (i.e., responded to and fixed), or any other status that may be of use to the organization for which the system has been implemented.
- map computer 102 can update map 800 to reflect the updated status of the intrusion.
- map 800 can show the status information is to display color-coded push pin symbols to reflect the status.
- a red push pin may signify an “open” or “new” intrusion
- a yellow push pin may signify a intrusion that has been assigned, but not yet fixed
- a green push pin may signify a closed intrusion.
- database 104 may maintain vulnerability information rather than intrusion information. Therefore, using database 104 , computer 102 , through the execution of methods 300 and 900 , may geographically map vulnerabilities and update the status of responses to those vulnerabilities.
- methods and systems are further described in U.S. patent application Ser. No. ______, entitled “Geographical Vulnerability Mitigation Response Mapping System,” filed concurrently herewith, the contents of which is incorporated by reference herein in its entirety.
- any symbol or representation may be used to identify an intrusion on the map, including, but not limited to, a push-pin symbol. These symbols and representations may be used to identify the quantity of intrusions in that area of the map, such as by varying the color of the symbol to identify such quantity.
- the symbol or representation may be linked to the underlying data such that a user, using an input device, may select a symbol on the map causing computer 102 to display the status, quantity, address, or other information corresponding to the selected symbol.
Abstract
Description
- This invention relates to a system and method to geographically map intrusions into a network in near or post real time for a physically focused response.
- When an intrusion in computer or telecommunications systems is proactively discovered to have a potential impact on an environment, response resources must be directed to a physical location. In practice, this requires extensive efforts to correlate existing threat information, router traffic information and physical location of the router and impacted/suspect device, dramatically reducing response time. For example, today, most responses to an intrusion require manual review of TCP/IP switch information, manual drawing of network “maps” and, most importantly, trying to mitigate an intrusion in a sequential or business prioritization order while these efforts are being undertaken. These response schemes do not allow for an organization's management to easily identify the geographical location of the problem(s) and the location(s) at which resources are most needed. Furthermore, current response schemes do not allow an organization's response or management team timely access to geographical view(s) of the location of the intrusions together with information relating to the status or progress of the response to the intrusion.
- Consistent with the invention, systems and methods for geographically mapping an intrusion into a network having one or more network points include receiving intrusion information, identifying an intrusion into a point of the network, correlating the intrusion information with location information for the identified network point, and network identification information for the identified network point, and generating a map displaying a geographical location of the intrusion.
- Additional objects and advantages will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objects and advantages will be realized and attained by means of the elements and combinations particularly pointed out in the appended claims.
- The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate several embodiments of the invention and together with the description, serve to explain the principles of the invention.
-
FIG. 1 is a block diagram of an exemplary environment in which the systems and methods of the present invention may be implemented; -
FIG. 2 is a block diagram of an exemplary embodiment of a mapping computer; -
FIG. 3 is a flowchart of an exemplary method for geographically mapping response information; -
FIG. 4 is an exemplary screenshot of records in an intrusion database containing intrusion information; -
FIG. 5 is an exemplary screenshot of records in an ARP database; -
FIG. 6 is an exemplary screenshot of records in a location database; -
FIG. 7 is an exemplary screenshot of records in a map database containing information for mapping intrusions; -
FIG. 8 is an exemplary screenshot of a map geographically mapping vulnerabilities consistent with the present invention; and -
FIG. 9 is a flowchart showing an exemplary method for updating a geographic map with progress information. - Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings to refer to the same or like parts. It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
- As used herein, an “intrusion” is an unauthorized use, attempt, or successful entry into a digital, computerized, or automated system, requiring a response from a human administrator or response team to mitigate any damage or unwanted consequences of the entry. For example, the introduction of a virus and the unauthorized entry into a system by a hacker are each “intrusions” within the spirit of the present invention. An “intrusion response” is a response by systems or human operators to limit or mitigate damage from the intrusion or prevent future intrusions. One of ordinary skill in the art will recognize that, within the spirit and scope of the present invention, “intrusions” of many types and natures are contemplated.
- In addition, as used herein, a “vulnerability” is a prospective intrusion, that is, a location in a digital, computerized, or automated system, at which an unauthorized use, attempt, or successful entry is possible or easier than at other points in the system. For example, a specific weakness may be identified in a particular operating system, such as Microsoft's Windows™ operating system when running less than Service Pack 6. Then, all computers running the Windows operating system with less than Service Pack 6 will therefore have this vulnerability. One of ordinary skill in the art will recognize that this and other vulnerabilities may be identified by commercially available software products. While methods of locating such vulnerabilities are outside the scope of the present invention, one of ordinary skill in the art will recognize that any of the vulnerabilities identified or located by such software products, now known or later developed, are within the spirit of the present invention.
- In addition, as used herein, a “mitigation response” is the effort undertaken to reduce unwanted consequences or to eliminate the intrusion. For example, such a response may entail sending a human computer administrator to the site of the location to update software, install anti-virus software, eliminate a virus, or perform other necessary tasks. In addition, a response may entail installing a patch to the vulnerable computer, such as across a network. One of ordinary skill in the art will recognize that the present invention does not contemplate any specific responses. Instead, any response to an intrusion requiring the organization of resources is within the scope and spirit of the present invention.
- For the ease of discussion, the following discussion will focus on the systems and methods of the present invention in terms of mapping “intrusions.”
-
FIG. 1 is a block diagram of one exemplary environment in which the systems and methods of the present invention may be implemented. As shown inFIG. 1 ,system 100 employsmapping computer 102. In addition,system 100 may also employ databases such asintrusion database 104, Address Routing Protocol (ARP)database 106,location database 108, andmap database 110, each in electronic communication withmapping computer 102.System 100 also includes adisplay 114, such as a video display, for displaying the geographic information correlated and mapped bycomputer 102 using the methods discussed herein, and anetwork 112, in electronic communication withcomputer 102, in which the intrusions may occur. - In one embodiment,
intrusion database 104 may contain information identifying an intrusion in the system, such as, for example, the intrusion type, description, and point of possible entry or exit (i.e., network point or computer).ARP database 106 may contain network location or identification information such as the IP and/or MAC address for one or more network points representing a potential point of entry or exit (i.e., network point or computer).Location database 108 may contain geographical information such as the physical address or GPS coordinates of a potential point of entry or exit. Finally,map database 110 may correlate and contain information from the intrusion, ARP, and location databases as described below to map the intrusions. -
FIG. 2 is a block diagram illustrating anexemplary mapping computer 102 for use insystem 100, consistent with the present invention.Computer 102 includes abus 202 or other communication mechanism for communicating information, and aprocessor 204 coupled tobus 202 for processing information.Computer 102 also includes a main memory, such as a random access memory (RAM) 206, coupled tobus 202 for storing information and instructions during execution byprocessor 204.RAM 206 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed byprocessor 204.Computer system 102 further includes a read only memory (ROM) 208 or other storage device coupled tobus 202 for storing static information and instructions forprocessor 204. Amass storage device 210, such as a magnetic disk or optical disk, is provided and coupled tobus 202 for storing information and instructions. -
Computer 102 may be coupled viabus 202 to adisplay 212, such as a cathode ray tube (CRT), for displaying information to a computer user.Display 212 may, in one embodiment, operate asdisplay 114. -
Computer 102 may further be coupled to aninput device 214, such as a keyboard, is coupled tobus 202 for communicating information and command selections toprocessor 204. Another type of user input device is acursor control 216, such as a mouse, a trackball or cursor direction keys for communicating direction information and command selections toprocessor 204 and for controlling cursor movement ondisplay 212.Cursor control 216 typically has two degrees of freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y), which allow the device to specify positions in a plane. - According to one embodiment,
computer 102 executes instructions for geographic mapping of intrusion information. Either alone or in combination with another computer system,computer 102 thus permits the geographic mapping of intrusions in response toprocessor 204 executing one or more sequences of instructions contained inRAM 206. Such instructions may be read intoRAM 206 from another computer-readable medium, such asstorage device 210. Execution of the sequences of instructions contained inRAM 206 causesprocessor 204 to perform the functions of mappingcomputer 102, and/or the process stages described herein. In an alternative implementation, hard-wired circuitry may be used in place of, or in combination with software instructions to implement the invention. Thus, implementations consistent with the principles of the present invention are not limited to any specific combination of hardware circuitry and software. - The term “computer-readable medium” as used herein refers to any media that participates in providing instructions to
processor 204 for execution. Such a medium may take many forms, including but not limited to, non-volatile, volatile media, and transmission media. Non-volatile media includes, for example, optical or magnetic disks, such asstorage device 210. Volatile media includes dynamic memory, such asRAM 206. Transmission media includes coaxial cables, copper wire and fiber optics, including the wires that comprisebus 202. Transmission media may also take the form of acoustic or light waves, such as those generated during radio-wave and infra-red data communications. - Common forms of computer-readable media include, for example, a floppy disk, flexible disk, hard disk, magnetic tape, or any other magnetic medium, CD-ROM, any other optical medium, punch cards, paper tape, any other physical medium with patterns of holes, RAM, PROM, EPROM, FLASH-EPROM, any other memory chip or cartridge, carrier wave, or any other medium from which a computer may read. For the purposes of this discussion, carrier waves are the signals which carry the data to and from
computer 102. - Various forms of computer-readable media may be involved in carrying one or more sequences of one or more instructions to
processor 204 for execution. For example, the instructions may initially be carried on the magnetic disk of a remote computer. The remote computer may load the instructions into a dynamic memory and send the instructions over a telephone line using a modem. A modem local tocomputer 102 may receive the data on the telephone line and use an infra-red transmitter to convert the data to an infra-red signal. An infra-red detector coupled tobus 202 may receive the data carried in the infra-red signal and place the data onbus 202.Bus 202 carries the data tomain memory 206, from whichprocessor 204 retrieves and executes the instructions. The instructions received bymain memory 206 may optionally be stored onstorage device 210 either before or after execution byprocessor 204. -
Computer 102 may also include acommunication interface 218 coupled tobus 202.Communication interface 218 provides a two-way data communication coupling to anetwork link 220 that may be connected tonetwork 112.Network 112 may be a local area network (LAN), wide area network (WAN), or any other network configuration. For example,communication interface 218 may be an integrated services digital network (ISDN) card or a modem to provide a data communication connection to a corresponding type of telephone line.Computer 102 may communicate with ahost 224 vianetwork 112. As another example,communication interface 218 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN. Wireless links may also be implemented. In any such implementation,communication interface 218 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information. - Network link 220 typically provides data communication through one or more networks to other data devices. In this embodiment,
network 112 may communicate with an Internet Service Provider (ISP) 226. For example,network link 220 may provide a connection to data equipment operated by theISP 226.ISP 226, in turn, provides data communication services from anotherserver 230 or host 224 tocomputer 102.Network 112 may use electric, electromagnetic or optical signals that carry digital data streams. -
Computer 102 may send messages and receive data, including program code, throughnetwork 112,network link 220 andcommunication interface 218. In this embodiment,server 230 may download an application program tocomputer 102 vianetwork 112 andcommunication interface 218. Consistent with the present invention, one such downloaded application geographically maps vulnerability or intrusion information, such as, for example, by executingmethods 300 and/or 900, to be described below. The received code may be executed byprocessor 204 as it is received and/or stored instorage device 210, or other non-volatile storage for later execution. - Although
computer system 102 is shown inFIG. 2 as connectable toserver 230, those skilled in the art will recognize thatcomputer system 102 may establish connections to multiple servers onInternet 228 and/ornetwork 112. Such servers may include HTML-based Internet applications to provide information tocomputer system 102 upon request in a manner consistent with the present invention. - Returning to
FIG. 1 ,display 114 may, in one embodiment, be implemented as display 212 (FIG. 2 ), directly connected tocomputer 102. In an alternative embodiment,display 114 may be connected tocomputer 102 vianetwork 112. For example,display 114 may be a display connected to another computer onnetwork 112, or may be a stand-alone display device such as a video projector connected tocomputer 102 vianetwork 112. - In addition,
databases computer 102 or may reside in any other location, such as onnetwork 112, so long as they are in electronic communication withcomputer 102. In one embodiment,ARP database 106 may be a technical table such as the type typically resident in router points in a computer network, in which information such as the MAC address, IP address and Router (IP/MAC address) is kept. - In one embodiment,
location database 108 is a static database in which the physical location of routers or network points is located. Such location information may include router (IP/MAC) address, and router (or network point) physical address (geographic location), such as GPS coordinates. Accordingly, one of ordinary skill in the art will recognize thatARP database 106 andlocation database 108 may be kept in accordance with any now known or later developed methods for implementing and maintaining ARP information at router points, or physical location information, respectively. - In an alternative embodiment,
databases system 100 may include multiple ARP databases, such as having one for each router (not shown) in the system. Similarly,system 100 may include multiple intrusion, location, and map databases. Furthermore, in one embodiment,databases system 100 may include any number (one or more) of databases so long as the information discussed herein may be retrieved and correlated as discussed herein. - Finally,
databases ARP database 106 may require specific format or implementation dependent on the router within which it resides), one of ordinary skill in the art will recognize that any implementation (and location) of the present databases is contemplated within the scope and spirit of the present invention. -
FIG. 3 shows amethod 300 for execution, such as bycomputer 102, for geographic mapping of intrusion information, consistent with the present invention.Method 300 begins by receiving intrusion information,stage 302, such as from a computer administrator, as the output of software designed to detect intrusions, from an intrusion detection system, router, network management system, security information manager, or from any other source. In one embodiment, the intrusion information may include an identification (such as the IP address) of the computer where the intrusion started or ended, the name and description of the intrusion, and possibly other data. Upon receipt of the intrusion information, it is stored inintrusion database 104,stage 304.FIG. 4 shows one embodiment ofintrusion information 400 withinintrusion database 104. - Returning to
FIG. 3 ,computer 102 then retrieves, for computers (or network points) at which an intrusion started or ended, ARP information for that computer (or network point) fromARP database 106,stage 306. In one embodiment, the intrusion information (such as the IP address) may be used as a key to retrieve the appropriate record fromARP database 106. The ARP information may include the MAC address, and router IP/MAC address or any other network address information of the network point at which the intrusion started or ended, as necessary.FIG. 5 shows oneexemplary embodiment 500 of the ARP information withinARP database 106. - In addition,
computer 102 may also retrieve geographic location information for the computer at which the intrusion started or ended, fromlocation database 108,stage 308. In one embodiment, the intrusion data (such as IP address) and/or the ARP data (such as the router IP/MAC address) may be used as a key to identify a record corresponding to the location database record(s), corresponding to the network point. The location information retrieved may include such information as the physical location (e.g., mailing address or GPS coordinates) for the identified network point or computer.FIG. 6 shows oneexemplary embodiment 600 of the location information withinlocation database 108. - Once this information has been retrieved from
databases map database 110,stage 310. Withinmap database 110, the retrieved information is preferably correlated such that all information for a particular intrusion is stored in a record for that intrusion. For example,FIG. 7 shows anexemplary screenshot 700 of records of map information for mapping intrusions, such as may be stored inmap database 110. As shown, map database records may contain the intrusion information, the network address (such as the IP or MAC address from ARP database 106), and the physical location, such as the mailing address or GPS information (from location database 108). In addition, map database records may also include a status of the intrusion and an indication of the response person or team assigned to respond to the intrusion. - Upon correlating this information within
map database 110,computer 102 then maps the location of the intrusion,stage 312. In one embodiment, the location information for each record is imported into a commercially available mapping program such as MapPoint™ by Microsoft, to visually locate the intrusion points withnetwork 112 on a map. In one embodiment, the map may represent each of the intrusions as a symbol on the map, for example, as a push pin. Anexemplary map 800 using this push pin approach is shown asFIG. 8 . Withinmap 800, eachpushpin - Using
map 800, response teams or system administrators will be able to identify “pockets” of intrusions and will be able to better prioritize and more efficiently schedule response personnel to respond and mitigate or eliminate the intrusion, based on geographic location. In addition, by continually updating the map and watching it change over time, system operators will be able to geographically view the spread, if any, of an intrusion. Furthermore, by also tracking system updates, the administrator will be able to identify new entry points. -
FIG. 9 shows a flowchart of amethod 900 for updating the geographic map with progress information.Method 900 begins with a response team or system administrator sending an update to the system to advise of a new status of a intrusion,stage 902. For example, the response team may advise the system that the intruded computer must be replaced, and be rendered inactive until it is replaced, (i.e., the intrusion is “open”) or may advise the system that the intruded computer has been upgraded and is no longer compromised. - Once this information is received, the map database record for the identified intrusion is updated,
stage 904. For example, each intrusion record in the database may contain a field to identify the status of the intrusion (seeFIG. 7 ). Possible status indicators may reflect that the intrusion is “new,” “open” (i.e., not yet responded to), “assigned to a response team,” “closed” (i.e., responded to and fixed), or any other status that may be of use to the organization for which the system has been implemented. - Once the map database record has been updated,
map computer 102 can update map 800 to reflect the updated status of the intrusion. For example, one way that map 800 can show the status information is to display color-coded push pin symbols to reflect the status. In one embodiment, a red push pin may signify an “open” or “new” intrusion, a yellow push pin may signify a intrusion that has been assigned, but not yet fixed, and a green push pin may signify a closed intrusion. By mapping this information together with the locations of the intrusions, administrators can better track the progress of their response teams, and more fluidly schedule responses to new intrusions as they arise. - One of ordinary skill in the art will recognize that, while the present invention discusses the systems and methods for mapping intrusions of a system, similar systems and methods may be utilized to map vulnerabilities to the system. For example, referring to
FIG. 1 ,database 104 may maintain vulnerability information rather than intrusion information. Therefore, usingdatabase 104,computer 102, through the execution ofmethods - One of ordinary skill in the art will recognize that any symbol or representation may be used to identify an intrusion on the map, including, but not limited to, a push-pin symbol. These symbols and representations may be used to identify the quantity of intrusions in that area of the map, such as by varying the color of the symbol to identify such quantity. In addition, the symbol or representation may be linked to the underlying data such that a user, using an input device, may select a symbol on the
map causing computer 102 to display the status, quantity, address, or other information corresponding to the selected symbol. - Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.
Claims (22)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/342,146 US20120159626A1 (en) | 2004-08-12 | 2012-01-02 | Geographical intrusion response prioritization mapping system |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/916,873 US8091130B1 (en) | 2004-08-12 | 2004-08-12 | Geographical intrusion response prioritization mapping system |
US13/342,146 US20120159626A1 (en) | 2004-08-12 | 2012-01-02 | Geographical intrusion response prioritization mapping system |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/916,873 Continuation US8091130B1 (en) | 2004-08-12 | 2004-08-12 | Geographical intrusion response prioritization mapping system |
Publications (1)
Publication Number | Publication Date |
---|---|
US20120159626A1 true US20120159626A1 (en) | 2012-06-21 |
Family
ID=45374697
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/916,873 Active 2028-01-10 US8091130B1 (en) | 2004-08-12 | 2004-08-12 | Geographical intrusion response prioritization mapping system |
US13/342,146 Abandoned US20120159626A1 (en) | 2004-08-12 | 2012-01-02 | Geographical intrusion response prioritization mapping system |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/916,873 Active 2028-01-10 US8091130B1 (en) | 2004-08-12 | 2004-08-12 | Geographical intrusion response prioritization mapping system |
Country Status (1)
Country | Link |
---|---|
US (2) | US8091130B1 (en) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070112512A1 (en) * | 1987-09-28 | 2007-05-17 | Verizon Corporate Services Group Inc. | Methods and systems for locating source of computer-originated attack based on GPS equipped computing device |
US8572734B2 (en) | 2004-08-12 | 2013-10-29 | Verizon Patent And Licensing Inc. | Geographical intrusion response prioritization mapping through authentication and flight data correlation |
US8631493B2 (en) * | 2004-08-12 | 2014-01-14 | Verizon Patent And Licensing Inc. | Geographical intrusion mapping system using telecommunication billing and inventory systems |
US8082506B1 (en) * | 2004-08-12 | 2011-12-20 | Verizon Corporate Services Group Inc. | Geographical vulnerability mitigation response mapping system |
US9008617B2 (en) * | 2006-12-28 | 2015-04-14 | Verizon Patent And Licensing Inc. | Layered graphical event mapping |
US9632673B1 (en) * | 2013-06-14 | 2017-04-25 | Telos Corporation | Cyber domain visualization systems and methods |
US20240048565A1 (en) * | 2018-01-31 | 2024-02-08 | Wells Fargo Bank, N.A. | System and apparatus for geographically targeted fraudulent access mapping and avoidance |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040260945A1 (en) * | 2003-06-20 | 2004-12-23 | Amit Raikar | Integrated intrusion detection system and method |
US20050075119A1 (en) * | 2002-04-10 | 2005-04-07 | Sheha Michael A. | Method and system for dynamic estimation and predictive route generation |
Family Cites Families (49)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4729737A (en) | 1986-06-02 | 1988-03-08 | Teledyne Industries, Inc. | Airborne laser/electronic warfare training system |
US5515285A (en) | 1993-12-16 | 1996-05-07 | Car Trace, Incorporated | System for monitoring vehicles during a crisis situation |
US5848373A (en) * | 1994-06-24 | 1998-12-08 | Delorme Publishing Company | Computer aided map location system |
US6456306B1 (en) | 1995-06-08 | 2002-09-24 | Nortel Networks Limited | Method and apparatus for displaying health status of network devices |
GB9516762D0 (en) | 1995-08-16 | 1995-10-18 | Phelan Sean P | Computer system for identifying local resources |
US6430274B1 (en) | 1996-06-27 | 2002-08-06 | Worldcomm Inc. | Validation query based on a supervisory signal |
US7342581B2 (en) | 1996-07-18 | 2008-03-11 | Computer Associates Think, Inc. | Method and apparatus for displaying 3-D state indicators |
US6456852B2 (en) | 1997-01-08 | 2002-09-24 | Trafficmaster Usa, Inc. | Internet distributed real-time wireless location database |
US5940598A (en) | 1997-01-28 | 1999-08-17 | Bell Atlantic Network Services, Inc. | Telecommunications network to internetwork universal server |
US6088804A (en) * | 1998-01-12 | 2000-07-11 | Motorola, Inc. | Adaptive system and method for responding to computer network security attacks |
US6163604A (en) | 1998-04-03 | 2000-12-19 | Lucent Technologies | Automated fraud management in transaction-based networks |
US6813777B1 (en) | 1998-05-26 | 2004-11-02 | Rockwell Collins | Transaction dispatcher for a passenger entertainment system, method and article of manufacture |
US6054987A (en) | 1998-05-29 | 2000-04-25 | Hewlett-Packard Company | Method of dynamically creating nodal views of a managed network |
US6832247B1 (en) | 1998-06-15 | 2004-12-14 | Hewlett-Packard Development Company, L.P. | Method and apparatus for automatic monitoring of simple network management protocol manageable devices |
US6377987B1 (en) | 1999-04-30 | 2002-04-23 | Cisco Technology, Inc. | Mechanism for determining actual physical topology of network based on gathered configuration information representing true neighboring devices |
US6691161B1 (en) | 1999-05-11 | 2004-02-10 | 3Com Corporation | Program method and apparatus providing elements for interrogating devices in a network |
GB2350983B (en) | 1999-06-10 | 2001-10-03 | 3Com Corp | Network problem indication |
US6917288B2 (en) * | 1999-09-01 | 2005-07-12 | Nettalon Security Systems, Inc. | Method and apparatus for remotely monitoring a site |
US6694364B1 (en) | 2000-06-16 | 2004-02-17 | Cisco Technology, Inc. | System and method for suppressing out-of-order side-effect alarms in heterogeneous integrated wide area data and telecommunication networks |
US20030018769A1 (en) * | 2000-07-26 | 2003-01-23 | Davis Foulger | Method of backtracing network performance |
US6941359B1 (en) | 2001-02-14 | 2005-09-06 | Nortel Networks Limited | Method and system for visually representing network configurations |
GB2372667B (en) | 2001-02-21 | 2003-05-07 | 3Com Corp | Apparatus and method for providing improved stress thresholds in network management systems |
WO2002069561A2 (en) | 2001-02-27 | 2002-09-06 | Visa International Service Association | Distributed quantum encrypted pattern generation and scoring |
US6900822B2 (en) | 2001-03-14 | 2005-05-31 | Bmc Software, Inc. | Performance and flow analysis method for communication networks |
US7392485B2 (en) | 2001-03-30 | 2008-06-24 | Microsoft Corporation | System and method for providing a server control interface |
JP4707288B2 (en) | 2001-09-27 | 2011-06-22 | 富士通株式会社 | Network monitoring apparatus and network monitoring method |
US20030115211A1 (en) | 2001-12-14 | 2003-06-19 | Metaedge Corporation | Spatial intelligence system and method |
US6839852B1 (en) * | 2002-02-08 | 2005-01-04 | Networks Associates Technology, Inc. | Firewall system and method with network mapping capabilities |
US6816090B2 (en) | 2002-02-11 | 2004-11-09 | Ayantra, Inc. | Mobile asset security and monitoring system |
US20030200347A1 (en) * | 2002-03-28 | 2003-10-23 | International Business Machines Corporation | Method, system and program product for visualization of grid computing network status |
US7082535B1 (en) | 2002-04-17 | 2006-07-25 | Cisco Technology, Inc. | System and method of controlling access by a wireless client to a network that utilizes a challenge/handshake authentication protocol |
US7243008B2 (en) | 2002-06-11 | 2007-07-10 | Lockheed Martin | Automated intel data radio |
US20030232598A1 (en) * | 2002-06-13 | 2003-12-18 | Daniel Aljadeff | Method and apparatus for intrusion management in a wireless network using physical location determination |
US7965842B2 (en) | 2002-06-28 | 2011-06-21 | Wavelink Corporation | System and method for detecting unauthorized wireless access points |
AU2003265811A1 (en) | 2002-08-26 | 2004-03-11 | Guardednet, Inc. | Determining threat level associated with network activity |
US8909926B2 (en) * | 2002-10-21 | 2014-12-09 | Rockwell Automation Technologies, Inc. | System and methodology providing automation security analysis, validation, and learning in an industrial controller environment |
US7975043B2 (en) * | 2003-02-25 | 2011-07-05 | Hewlett-Packard Development Company, L.P. | Method and apparatus for monitoring a network |
US7269796B1 (en) | 2003-04-25 | 2007-09-11 | At&T Corp. | Method for infrastructure quick view |
US7703018B2 (en) * | 2003-05-22 | 2010-04-20 | International Business Machines Corporation | Apparatus and method for automating the diagramming of virtual local area networks |
JP4462849B2 (en) | 2003-05-30 | 2010-05-12 | 株式会社日立製作所 | Data protection apparatus, method and program |
US7272795B2 (en) | 2003-06-27 | 2007-09-18 | Microsoft Corporation | Micro-monitor to monitor database environments |
US7260844B1 (en) | 2003-09-03 | 2007-08-21 | Arcsight, Inc. | Threat detection in a network security system |
US7349982B2 (en) | 2004-01-12 | 2008-03-25 | Hewlett-Packard Development Company, L.P. | Enablement of route table entries |
US20050206513A1 (en) * | 2004-03-17 | 2005-09-22 | Fallon Kenneth T | Voice remote command and control of a mapping security system |
US7337043B2 (en) | 2004-06-30 | 2008-02-26 | Rockwell Collins, Inc. | Terrain maneuver advisory envelope system and method |
US20060041345A1 (en) | 2004-08-09 | 2006-02-23 | Darrell Metcalf | System for safely disabling and re-enabling the manual vehicle control input of aircraft and other vehicles |
US7031728B2 (en) | 2004-09-21 | 2006-04-18 | Beyer Jr Malcolm K | Cellular phone/PDA communication system |
US20070079243A1 (en) | 2005-09-23 | 2007-04-05 | Thirdeye Holdings Pty Ltd | Monitoring performance of a computer system |
US20070204033A1 (en) | 2006-02-24 | 2007-08-30 | James Bookbinder | Methods and systems to detect abuse of network services |
-
2004
- 2004-08-12 US US10/916,873 patent/US8091130B1/en active Active
-
2012
- 2012-01-02 US US13/342,146 patent/US20120159626A1/en not_active Abandoned
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050075119A1 (en) * | 2002-04-10 | 2005-04-07 | Sheha Michael A. | Method and system for dynamic estimation and predictive route generation |
US20040260945A1 (en) * | 2003-06-20 | 2004-12-23 | Amit Raikar | Integrated intrusion detection system and method |
Also Published As
Publication number | Publication date |
---|---|
US8091130B1 (en) | 2012-01-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8990696B2 (en) | Geographical vulnerability mitgation response mapping system | |
US9591004B2 (en) | Geographical intrusion response prioritization mapping through authentication and flight data correlation | |
US8631493B2 (en) | Geographical intrusion mapping system using telecommunication billing and inventory systems | |
US8359343B2 (en) | System and method for identifying threat locations | |
US11757905B2 (en) | Unwanted tunneling alert system | |
US20120159626A1 (en) | Geographical intrusion response prioritization mapping system | |
US7472421B2 (en) | Computer model of security risks | |
US10574684B2 (en) | Locally detecting phishing weakness | |
US9008617B2 (en) | Layered graphical event mapping | |
US10511623B2 (en) | Network security system with remediation based on value of attacked assets | |
US7945957B2 (en) | Antiviral network system | |
EP1034646B1 (en) | Method and system for enforcing a communication security policy | |
KR101497610B1 (en) | Real-time identification of an asset model and categorization of an asset to assist in computer network security | |
EP1244967B1 (en) | Method for automatic intrusion detection and deflection in a network | |
US7733803B2 (en) | Systems and methods for modifying network map attributes | |
US20040064726A1 (en) | Vulnerability management and tracking system (VMTS) | |
US20070112512A1 (en) | Methods and systems for locating source of computer-originated attack based on GPS equipped computing device | |
KR101941039B1 (en) | System and method for forecasting cyber threat | |
US20080004805A1 (en) | Method and systems for locating source of computer-originated attack based on GPS equipped computing device | |
EP4152729A1 (en) | Interactive email warning tags | |
Owen | Threat intelligence & siem | |
Gauhar Fatima et al. | A Study on Intrusion Detection | |
KR20230128665A (en) | Method, apparatus and computer program of controling security through database server identification based on network traffic | |
KR20230129079A (en) | Method, apparatus and computer program of controling security based on internet protocol |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: VERIZON PATENT AND LICENSING INC., NEW JERSEY Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:VERIZON CORPORATE SERVICES GROUP INC.;REEL/FRAME:028311/0573 Effective date: 20120604 |
|
AS | Assignment |
Owner name: VERIZON CORPORATE SERVICES GROUP INC., TEXAS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MCCONNELL, JAMES TRENT;REEL/FRAME:033390/0544 Effective date: 20040630 |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |