System and method for determining a threat based on correlation of indicators of compromise from other sources

US 10,027,696 B1
Filed: 03/27/2017
Issued: 07/17/2018
Est. Priority Date: 08/22/2014
Status: Active Grant

First Claim

Patent Images

1. An electronic device, comprising:

a communication interface;

processing circuitry; and

a memory coupled to the processing circuitry, the memory includesa first logic that, when executed by the processing circuitry, organizes (i) a first plurality of indicators of compromise (IOCs) received from a first source via the communication interface, where each of the first plurality of IOCs being caused by a known origin of a malicious attack, and (ii) one or more IOCs received from a second source via the communication interface, the second source being different from the first source where an origin of the one or more IOCs is unknown, anda second logic that, when executed by the processing circuitry, (i) conducts an analysis that evaluates whether the one or more IOCs have at least a degree of correlation with the first plurality of IOCs, and (ii) determine a threat level signifying a degree of confidence that the one or more IOCs received from the second source are caused by the known origin of the first plurality of IOCs.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, an electronic device features processing circuitry and memory that includes a first logic and a second logic. When executed by the processing circuitry, the first logic organizes (i) a first plurality of indicators of compromise (IOCs) received from a first source, where the first plurality of IOCs being caused by a known origin of a malicious attack, and (ii) one or more IOCs received from a second source that is different from the first source and an origin of the one or more IOCs is unknown. The second logic conducts a predictive analysis that evaluates whether the one or more IOCs have at least a degree of correlation with the first plurality of IOCs, and determines a threat level. The threat level signifies a degree of confidence that IOCs received from the second source are caused by the known origin of the first plurality of IOCs.

734 Citations

34 Claims

1. An electronic device, comprising:
- a communication interface;
  
  processing circuitry; and
  
  a memory coupled to the processing circuitry, the memory includesa first logic that, when executed by the processing circuitry, organizes (i) a first plurality of indicators of compromise (IOCs) received from a first source via the communication interface, where each of the first plurality of IOCs being caused by a known origin of a malicious attack, and (ii) one or more IOCs received from a second source via the communication interface, the second source being different from the first source where an origin of the one or more IOCs is unknown, anda second logic that, when executed by the processing circuitry, (i) conducts an analysis that evaluates whether the one or more IOCs have at least a degree of correlation with the first plurality of IOCs, and (ii) determine a threat level signifying a degree of confidence that the one or more IOCs received from the second source are caused by the known origin of the first plurality of IOCs.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 20, 21, 22, 23, 24, 25, 32, 33)
- - 2. The electronic device of claim 1, wherein the known origin of the malicious attack corresponds to an electronic mail message detected by the first source as including potential malware.
  - 3. The electronic device of claim 2, wherein the known origin of the malicious attack corresponds to a text message detected by the first source as including potential malware.
  - 4. The electronic device of claim 1, wherein the communication interface includes a wireless transceiver for establishing a communicative coupling to a network and receiving at least one the first plurality of IOCs or the one or more IOCs via the network.
  - 5. The electronic device of claim 1, wherein the second logic determines whether the one or more IOCs received from the second source have the degree of correlation to the first plurality of IOCs received from the first source in response to a triggering event that signifies a likelihood that the one or more IOCs from the second source are caused by an undetected malicious electronic message present at the second source.
  - 6. The electronic device of claim 5, wherein the triggering event includes a shift in volume of a given type of IOC at the second source.
  - 7. The electronic device of claim 1, wherein the degree of correlation between the one or more IOCs and the first plurality of IOCs that is set for the analysis is varied based on an operating state of the electronic device.
  - 8. The electronic device of claim 1, wherein the degree of correlation between the one or more IOCs and the first plurality of IOCs for the analysis is set to a first level when the electronic device is in a first operating state, the first level requires the one or more IOCs to be in a same chronological order and present within the first plurality of IOCs.
  - 9. The electronic device of claim 8, wherein the degree of correlation between the one or more IOCs and the first plurality of IOCs for the analysis is set to a second level when the electronic device is in a second operating state, the second level requires a portion of the one or more IOCs to be present within the first plurality of IOCs without the portion of the one or more IOCs being in the same chronological order as present within the first plurality of IOCs.
  - 10. The electronic device of claim 1 further comprising alert generation logic to (i) determine a first type of response to be initiated in response to determining a first threat level in which the correlation between the one or more IOCs and the first plurality of IOCs during the analysis is equal to or exceeds the first level and (ii) determine a second type of response to be initiated in response to determining a second threat level in which the correlation between the one or more IOCs and the first plurality of IOCs during the analysis is equal to or exceeds the second threat level and is less than the first threat level, the second type of response including an alert to security personnel of the second source and the first type of response includes a plurality of alerts sent through different mediums.
  - 20. The electronic device of claim 1, wherein each of the first plurality of IOCs being malicious behaviors that suggest a presence of malware on a particular network device or particular network devices.
  - 21. The electronic device of claim 1, wherein the first plurality of IOCs include anomalous behaviors associated with a previously detected malicious electronic message.
  - 22. The electronic device of claim 21, wherein the first plurality of IOCs include metadata associated with one or more previously detected malicious electronic messages.
  - 23. The electronic device of claim 22, wherein the metadata includes profile information associated with one or more intended recipients of the one or more previously detected malicious electronic messages.
  - 24. The electronic device of claim 23, wherein the profile information comprises information associated identifying a type of company and a type of industry targeted by each of the one or more previously detected malicious electronic messages.
  - 25. The electronic device of claim 22, wherein the metadata includes an arrival time.
  - 32. The electronic device of claim 1 further comprising remediation logic that operates to generate actions to remediate the malicious attack.
  - 33. The electronic device of claim 10, wherein the memory further comprises the alert generation logic and remediation logic that operates to generate actions to remediate the malicious attack.

11. A method for detecting a malicious attack, comprising:
- organizing, by a first logic executed by processing circuitry, both (i) a first plurality of indicators of compromise (IOCs) received from a first source, the first plurality of IOCs being caused by a known origin of a malicious attack, and (ii) one or more IOCs received from a second source being different from the first source where an origin of the one or more IOCs is unknown, andconducting, by a second logic executed by the processing circuitry, an analysis that evaluates whether the one or more IOCs have at least a degree of correlation with the first plurality of IOCs; and
  
  determining a threat level by the second logic executed by the processing circuitry, the threat level signifying a degree of confidence that the one or more IOCs received from the second source are caused by the known origin of the first plurality of IOCs.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 26, 27, 28, 29, 30, 31, 34)
- - 12. The method of claim 11, wherein the known origin of the malicious attack corresponds to an electronic mail message detected by the first source as including potential malware.
  - 13. The method of claim 12, wherein the known origin of the malicious attack corresponds to a text message detected by the first source as including potential malware.
  - 14. The method of claim 11, wherein the determining whether the one or more IOCs received from the second source have the degree of correlation to the first plurality of IOCs received from the first source occurs in response to a triggering event that signifies a likelihood that the one or more IOCs from the second source are caused by an undetected malicious electronic message present at the second source.
  - 15. The method of claim 14, wherein the triggering event includes a shift in volume of a given type of IOC at the second source.
  - 16. The method of claim 11, wherein the degree of correlation between the one or more IOCs and the first plurality of IOCs that is set for the analysis is varied based on an operating state of the electronic device.
  - 17. The method of claim 11, wherein the degree of correlation between the one or more IOCs and the first plurality of IOCs for the analysis is set to a first level when the electronic device is in a first operating state, the first level requires the one or more IOCs to be in a same chronological order and present within the first plurality of IOCs.
  - 18. The method of claim 17, wherein the degree of correlation between the one or more IOCs and the first plurality of IOCs for the analysis is set to a second level when the electronic device is in a second operating state, the second level requires a portion of the one or more IOCs to be present within the first plurality of IOCs without the portion of the one or more IOCs being in the same chronological order as present within the first plurality of IOCs.
  - 19. The method of claim 11 further comprising:
    - determining a first type of response to be initiated in response to determining a first threat level in which the correlation between the one or more IOCs and the first plurality of IOCs during the analysis is equal to or exceeds the first level; and
      
      determining a second type of response to be initiated in response to determining a second threat level in which the correlation between the one or more IOCs and the first plurality of IOCs during the analysis is equal to or exceeds the second threat level and is less than the first threat level, the second type of response including an alert to security personnel of the second source and the first type of response includes a plurality of alerts sent through different mediums.
  - 26. The method of claim 11, wherein each of the first plurality of IOCs being malicious behaviors that suggest a presence of malware on a particular network device or particular network devices.
  - 27. The method of claim 11, wherein the first plurality of IOCs include anomalous behaviors associated with a previously detected malicious electronic message.
  - 28. The method of claim 27, wherein the first plurality of IOCs include metadata associated with one or more previously detected malicious electronic messages.
  - 29. The method of claim 28, wherein the metadata includes profile information associated with one or more intended recipients of the one or more previously detected malicious electronic messages.
  - 30. The method of claim 29, wherein the profile information comprises information associated identifying a type of company and a type of industry targeted by each of the one or more previously detected malicious electronic messages.
  - 31. The method of claim 28, wherein the metadata includes an arrival time.
  - 34. The method of claim 11 further comprising:
    - generating actions to remediate the malicious attack by remediation logic within the first source.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Rivlin, Alexandr, Mehra, Divyesh, Uyeno, Henry, Pidathala, Vinay
Primary Examiner(s)
Song, Hosuk

Application Number

US15/470,816
Time in Patent Office

477 Days
Field of Search

726 22- 26, 713187-188
US Class Current
CPC Class Codes

G06F 9/45508   Runtime interpretation or e...

H04L 51/212   using filtering or selectiv...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

System and method for determining a threat based on correlation of indicators of compromise from other sources

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

734 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for determining a threat based on correlation of indicators of compromise from other sources

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

734 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links