Rating threat submitter

US 10,104,112 B2
Filed: 04/18/2014
Issued: 10/16/2018
Est. Priority Date: 04/18/2014
Status: Active Grant

First Claim

Patent Images

1. A non-transitory machine-readable storage medium storing instructions that, if executed by at least one processor of a computing system, cause the computing system to:

receive information about a threat observable from a threat submitter device via a network, wherein the threat observable is detected by the threat submitter device;

provide threat data about the threat observable to a plurality of participant devices in a threat exchange system;

receive usage information from at least one participant device of the plurality of participant devices about the threat data, the usage information generated by rules-based automation of the at least one participant device and indicating a usage of the threat data by the at least one participant device; and

update, by a rating engine, a rating of the threat submitter device based on the received usage information generated by the rules-based automation of the at least one participant device.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Example embodiments disclosed herein relate to update a rating of threat submitters. Information is received of threat observables from threat submitters. Information about the threat observables is provided to one or more entities. Feedback about a threat observable is received from one of the entities. A rating of the threat submitter associated with the feedback is updated.

17 Citations

20 Claims

1. A non-transitory machine-readable storage medium storing instructions that, if executed by at least one processor of a computing system, cause the computing system to:
- receive information about a threat observable from a threat submitter device via a network, wherein the threat observable is detected by the threat submitter device;
  
  provide threat data about the threat observable to a plurality of participant devices in a threat exchange system;
  
  receive usage information from at least one participant device of the plurality of participant devices about the threat data, the usage information generated by rules-based automation of the at least one participant device and indicating a usage of the threat data by the at least one participant device; and
  
  update, by a rating engine, a rating of the threat submitter device based on the received usage information generated by the rules-based automation of the at least one participant device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The non-transitory machine-readable storage medium of claim 1, further comprising instructions that, if executed by the at least one processor, cause the computing system to:
    - positively update the rating of the threat submitter device in response to a determination that the usage information indicates that the threat data was used by the at least one participant device to discover a threat.
  - 3. The non-transitory machine-readable storage medium of claim 1, further comprising instructions that, if executed by the at least one processor, cause the computing system to:
    - negatively update the rating of the threat submitter device in response to a determination that the usage information indicates at least one of;
      
      thatthe threat data was not used by the at least one participant device; and
      
      the threat data was incorrect.
  - 4. The non-transitory machine-readable storage medium of claim 1, wherein the rating is associated with a category, wherein the usage information is received from one of a set of participant devices that are also associated with the category.
  - 5. The non-transitory machine-readable storage medium of claim 4, wherein another rating associated with another category is not updated based on the usage information.
  - 6. The non-transitory machine-readable storage medium of claim 1, wherein the rating represents a confidence that the threat submitter device is submitting useful threat data.
  - 7. The non-transitory machine-readable storage medium of claim 6, wherein the rating is further based on a uniqueness of the threat data submitted by the threat submitter device.
  - 8. The non-transitory machine-readable storage medium of claim 6, wherein the update of the rating is further based on another rating of another threat submitter device associated with a high rating.
  - 9. The non-transitory machine-readable storage medium of claim 1, further comprising instructions that, if executed by the at least one processor, cause the computing system to:
    - leave the rating unchanged in response to a determination that the threat data was duplicative.

10. A method comprising:
- receiving, by a threat management device, threat observable information about a threat observable from a threat submitter device via a network, wherein the threat observable is detected by the threat submitter device;
  
  providing, by the threat management device, the threat observable information to a plurality of participant devices in a threat exchange system;
  
  receiving, by the threat management device, usage information from at least one participant device of the plurality of participant devices about the threat observable information, the usage information automatically generated by the at least one participant device and indicating a usage of the threat observable information by the at least one participant device;
  
  updating, by a rating engine of the threat management device, a rating for the threat submitter device based on the usage information received from the at least one participant device, wherein the updated rating represents a confidence that the threat submitter device is submitting useful threat data based on an analysis of the usage information received from the at least one participant device;
  
  receiving, by the threat management device, other threat observable information about another threat observable from the threat submitter device;
  
  determining, by the threat management device, a threat score for the other threat observable based at least in part on the updated rating for the threat submitter device.
- View Dependent Claims (11, 12, 19, 20)
- - 11. The method of claim 10, wherein the rating is positively updated in response to a determination that the usage information indicates that the threat data was used by the at least one participant device.
  - 12. The method of claim 10, wherein the rating is negatively updated in response to a determination that the usage information indicates that the threat data was not used by the at least one participant device.
  - 19. The method of claim 10, further comprising:
    - generating, by rules-based automation of the at least one participant device, the usage information without user intervention.
  - 20. The method of claim 10, further comprising:
    - determining, by the at least one participant device, that the threat data is duplicative; and
      
      in response to determining that the threat data is duplicative, leaving the rating unchanged.

13. A computing system comprising:
- a processor;
  
  a communication engine executed by the processor to receive threat data from a threat submitter device via a network;
  
  a score engine executed by the processor to score the threat data for at least one participant device in a threat exchange system, wherein the communication engine is further to provide the score to the at least one participant device;
  
  wherein the communication engine is further to receive usage information of the threat data the usage information automatically generated by the at least one participant device and indicating a usage of the threat data by the at least one participant device;
  
  a rating engine executed by the processor to update a rating for the threat submitter device based on the usage information generated by the rules-based automation of the at least one participant device.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computing system of claim 13, wherein the rating represents a confidence that the threat submitter device is submitting useful threat information to the threat exchange system, and wherein the threat score represents a likelihood that if a threat observable associated with the threat data is observed, a malicious behavior has occurred.
  - 15. The computing system of claim 13, wherein the rating is positively updated in response to a determination that the usage information indicates that the threat data was used by the at least one participant device.
  - 16. The computing system of claim 13, wherein the rating is negatively updated in response to a determination that the usage information indicates that the threat data was not used by the at least one participant device.
  - 17. The computing system of claim 13, wherein the usage information is generated without user intervention by rules-based automation of the at least one participant device.
  - 18. The computing system of claim 13, wherein the rating is unchanged in response to a determination that the threat data was duplicative.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
entIT Software LLC (Open Text Corporation)
Inventors
Singla, Anurag, Sander, Tomas, Ross, Edward
Primary Examiner(s)
Mehedi, Morshed

Application Number

US15/116,912
Publication Number

US 20170142147A1
Time in Patent Office

1,642 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554 involving event detection a...

H04L 63/1433 Vulnerability analysis

Rating threat submitter

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Rating threat submitter

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links