System and method for threat risk scoring of security threats

US 10,095,866 B2
Filed: 11/09/2015
Issued: 10/09/2018
Est. Priority Date: 02/24/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a device to;

inspect one or more network activities on a network;

generate metadata associated with malware activity based on inspecting the one or more network activities;

extract one or more threat events on the network based on the metadata;

detect one or more incidents based on a correlation between a first threat event, of the one or more threat events, and a second threat event of the one or more threat events,the correlation being determined based on the metadata and a kill chain progression of the one or more threat events;

generate risk scores for the one or more incidents based on the kill chain progression,the risk scores being based on one or more asset values for one or more targeted devices, anda first score, associated with a first stage of the kill chain progression, of the risk scores being lower than a second score, associated with a second stage of the kill chain progression, of the risk scores; and

mitigate the one or more incidents based on the risk scores,the mitigation including quarantining data associated with the one or more network activities.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system configured to generate a risk score for a threat activity including a digital device. The digital device configured to extract one or more threat events on a network based on metadata for one or more targeted digital devices on the network. Further, the digital device is configured to detect one or more incidents based on a correlation between at least a first threat event of the one or more threat events and a second threat event of the one or more threat events. And, the digital device is configured to generate a risk score for each of said one or more incidents.

104 Citations

View as Search Results

20 Claims

1. A system comprising:
- a device to;
  
  inspect one or more network activities on a network;
  
  generate metadata associated with malware activity based on inspecting the one or more network activities;
  
  extract one or more threat events on the network based on the metadata;
  
  detect one or more incidents based on a correlation between a first threat event, of the one or more threat events, and a second threat event of the one or more threat events,the correlation being determined based on the metadata and a kill chain progression of the one or more threat events;
  
  generate risk scores for the one or more incidents based on the kill chain progression,the risk scores being based on one or more asset values for one or more targeted devices, anda first score, associated with a first stage of the kill chain progression, of the risk scores being lower than a second score, associated with a second stage of the kill chain progression, of the risk scores; and
  
  mitigate the one or more incidents based on the risk scores,the mitigation including quarantining data associated with the one or more network activities.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the device, when inspecting the one or more network activities, is to:
    - inspect the one or more network activities using at least one of;
      
      static analysis,sandbox detonation, ormachine learning.
  - 3. The system of claim 1, wherein the device, when inspecting the one or more network activities, is to:
    - inspect one or more protocols.
  - 4. The system of claim 1, wherein the device, when inspecting the one or more network activities, is to:
    - inspect one or more applications; and
      
      wherein the device, when generating the metadata, is to;
      
      generate the metadata based on inspecting the one or more applications.
  - 5. The system of claim 1, wherein the one or more threat events are time stamped.
  - 6. The system of claim 1, wherein the device is further to:
    - correlate the one or more threat events based on a time stamp for each of the one or more threat events.
  - 7. The system of claim 1, wherein the device is further to:
    - correlate the one or more threat events based on an Internet protocol address for each of the one or more threat events.
  - 8. The system of claim 1, wherein the device is further to:
    - correlate the one or more threat events over a period of time.
  - 9. The system of claim 1, wherein the risk scores are based on a threat severity value associated with the one or more incidents.
  - 10. The system of claim 1, wherein the risk scores are based on a threat relevance value associated with the one or more incidents.
  - 11. The system of claim 1, where the device is further to:
    - process the data associated with the one or more network activities in an emulated environment.

12. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by one or more processors, cause the one or more processors to;
  
  inspect one or more network activities on a network;
  
  generate metadata associated with malware activity based on inspecting the one or more network activities;
  
  extract one or more threat events on the network from the metadata;
  
  detect one or more incidents based on a correlation between a first threat event of the one or more threat events, and a second threat event of the one or more threat events,the correlation being determined based on the metadata and a kill chain progression of the one or more threat events;
  
  generate a risk score for each incident of the one or more incidents based on the kill chain progression,the risk score being based on an asset value for a targeted device, anda first score, associated with a first stage of the kill chain progression, being lower than a second score associated with a second stage of the kill chain progression; and
  
  mitigate the one or more incidents based on the risk score,the mitigation including quarantining data associated with the one or more network activities.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The non-transitory computer-readable medium of claim 12, wherein, the one or more instructions, that cause the one or more processors to inspect the one or more network activities, cause the one or more processors to:
    - inspect the one or more network activities using at least one of;
      
      a static analysis,a sandbox detonation, ormachine learning.
  - 14. The non-transitory computer-readable medium of claim 12, wherein the one or more instructions, that cause the one or more processors to inspect the one or more network activities, cause the one or more processors to:
    - inspect one or more protocols.
  - 15. The non-transitory computer-readable medium of claim 12, wherein the one or more instructions, that cause the one or more processors to inspect the one or more network activities, cause the one or more processors to:
    - inspect one or more applications; and
      
      where the one or more instructions, that cause the one or more processors to generate the metadata, cause the one or more processors to;
      
      generate the metadata based on inspecting the one or more applications.
  - 16. The non-transitory computer-readable medium of claim 12, wherein the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - correlate the one or more threat events over a period of time.

17. A method, comprising:
- inspecting, by a device, one or more network activities on a network;
  
  generating, by the device, metadata associated with malware activity based on inspecting the one or more network activities;
  
  extracting, by the device, one or more threat events on the network from the metadata;
  
  detecting, by the device, one or more incidents based on a correlation between a first threat event of the one or more threat events and a second threat event of the one or more threat events,the correlation being determined based on a kill chain progression of the one or more threat events; and
  
  generating, by the device, a risk score for each incident of the one or more incidents based on the kill chain progression,the risk score being based on an asset value of a targeted device; and
  
  mitigating, by the device, the one or more incidents based on the risk score,the mitigating including quarantining data associated with the one or more network activities.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein mitigating the one or more incidents comprises:
    - sending an alert to an administrator.
  - 19. The method of claim 17, wherein mitigating the one or more incidents comprises:
    - flag the data associated with the one or more network activities.
  - 20. The method of claim 17, wherein the risk score is determined in real time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cyphort Inc. (Juniper Networks Incorporated)
Original Assignee
Cyphort Inc. (Juniper Networks Incorporated)
Inventors
Gong, Fengmin, Jas, Frank, MacFarlane, Druce
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Chao, Michael W

Application Number

US14/936,593
Publication Number

US 20160078229A1
Time in Patent Office

1,065 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/561   Virus type analysis

G06F 21/564   by virus signature recognition

G06F 21/577   Assessing vulnerabilities a...

H04L 41/06   Management of faults, event...

H04L 43/04   Processing captured monitor...

H04L 43/06   Generation of reports

H04L 43/18   Protocol analysers

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

System and method for threat risk scoring of security threats

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

104 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for threat risk scoring of security threats

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

104 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links