Systems and methods for automated retrieval, processing, and distribution of cyber-threat information

US 10,225,268 B2
Filed: 04/19/2016
Issued: 03/05/2019
Est. Priority Date: 04/20/2015
Status: Active Grant

First Claim

Patent Images

1. A method for automated retrieval, processing, and distribution of cyber-threat information from a plurality of sources using a network device, comprising:

receiving cyber-threat information in one or more first formats from at least one internal source of cyber-threat information using an accessing component of the network device, wherein the at least one internal source comprises at least one network component of an entity system;

receiving cyber-threat information in one or more second formats from at least one external source of cyber-threat information using the accessing component of the network device;

applying exclusion criteria to prevent a processing component from processing the received cyber-threat information into a standard format if the received cyber-threat information satisfies the exclusion criteria;

processing the received cyber-threat information in the one or more first formats and the one or more second formats into the standard format using the processing component of the network device, wherein the standard format comprises;

a first data marking that indicates a categorization of the received cyber-threat information in the one or more first formats and the one or more second formats;

a second data marking that indicates an expiration of the received cyber-threat information in one or more first formats and the one or more second formats;

a first context comprising an identifier of the processed cyber-threat information, wherein the identifier is generated by a cryptographic hash function;

a second context comprising detection and remediation procedures for cyber-threats associated with the received cyber-threat information; and

at least one observable comprising standardized descriptions of the received cyber-threat information;

providing the processed cyber-threat information to a distributor using a distributing component of the network device;

automatically instructing the at least one network component of the entity system to reconfigure the at least one network component in response to the processed cyber-threat information; and

automatically reporting information concerning the processed cyber-threat information to a user device using a reporting component of the network device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for automated retrieval, processing, and/or distribution of cyber-threat information using a cyber-threat device. Consistent with disclosed embodiments, the cyber-threat device may receive cyber-threat information in first formats from internal sources of cyber-threat information using an accessing component of the cyber-threat device. The cyber-threat device may receive cyber-threat information second formats from external sources of cyber-threat information using an accessing component of the cyber-threat device. The cyber-threat device may process the received cyber-threat information in the first formats and the second formats into a standard format using a processing component of the cyber-threat device. The cyber-threat device may provide the processed items of cyber-threat information to a distributor using a distributing component of the cyber-threat device. The cyber-threat device may automatically report information concerning the processed items of cyber-threat information to a device of a user with a reporting component of the cyber-threat device.

Citations

26 Claims

1. A method for automated retrieval, processing, and distribution of cyber-threat information from a plurality of sources using a network device, comprising:
- receiving cyber-threat information in one or more first formats from at least one internal source of cyber-threat information using an accessing component of the network device, wherein the at least one internal source comprises at least one network component of an entity system;
  
  receiving cyber-threat information in one or more second formats from at least one external source of cyber-threat information using the accessing component of the network device;
  
  applying exclusion criteria to prevent a processing component from processing the received cyber-threat information into a standard format if the received cyber-threat information satisfies the exclusion criteria;
  
  processing the received cyber-threat information in the one or more first formats and the one or more second formats into the standard format using the processing component of the network device, wherein the standard format comprises;
  
  a first data marking that indicates a categorization of the received cyber-threat information in the one or more first formats and the one or more second formats;
  
  a second data marking that indicates an expiration of the received cyber-threat information in one or more first formats and the one or more second formats;
  
  a first context comprising an identifier of the processed cyber-threat information, wherein the identifier is generated by a cryptographic hash function;
  
  a second context comprising detection and remediation procedures for cyber-threats associated with the received cyber-threat information; and
  
  at least one observable comprising standardized descriptions of the received cyber-threat information;
  
  providing the processed cyber-threat information to a distributor using a distributing component of the network device;
  
  automatically instructing the at least one network component of the entity system to reconfigure the at least one network component in response to the processed cyber-threat information; and
  
  automatically reporting information concerning the processed cyber-threat information to a user device using a reporting component of the network device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 2. The method of claim 1, wherein the accessing component of the network device receives cyber-threat information in the one or more first formats through an Application Program Interface (API) exposed by the at least one network component of the entity system.
  - 3. The method of claim 2, wherein the at least one network component of the entity system comprises a plurality of network components, and the one or more first formats comprises a plurality of first formats.
  - 4. The method of claim 3, wherein the plurality of first formats comprises one or more of a Common Log Format, Combined Log Format, or PST file.
  - 5. The method of claim 2, wherein the at least one network component of the entity system comprises at least one of a firewall appliance, router, intrusion detection system, fraud detection system, email appliance, webserver, proxy server, or security incident and event manager.
  - 6. The method of claim 2, wherein the at least one network component of the entity system comprises at least one of a host system providing an email client, antivirus software, or anti-malware detector.
  - 7. The method of claim 2, wherein the cyber-threat information in the one or more first formats comprises at least one of a webserver log, an anti-spam log, an anti-virus log, an email delivery log, or a system log.
  - 8. The method of claim 2, wherein the accessing component of the cyber-threat device implements one or more of a web service or a file system service to receive the cyber-threat information in the one or more first formats.
  - 9. The method of claim 8, wherein the implemented one or more of a web service comprises one or more of JSON-WSP or SOAP-WSDL.
  - 10. The method of claim 8, wherein the implemented one or more of a web service is implemented as a representational state transfer web service.
  - 11. The method of claim 2, wherein the network device implements the accessing component using a scripting language, and wherein the accessing component calling libraries correspond to the APIs exposed by the network components to receive cyber-threat information in the one or more first formats.
  - 12. The method of claim 2, further comprising displaying a user interface on a device by a display component of the network device.
  - 13. The method of claim 12, further comprising enabling, by the display component, direct access to the at least one network component without authorization.
  - 14. The method of claim 12, further comprising enabling, by the user interface, configuring of one or more of the access component, processing component, distributing component, reporting component, or policy engine.
  - 15. The method of claim 14, wherein configuring the policy engine comprises one or more of managing a policy for at least one source of cyber-threat information, category of item of cyber-threat information, or item of cyber-threat information.
  - 16. The method of claim 1, wherein the at least one external source of cyber-threat information comprises cyber-threat information generated by one or more of a commercial security provider, governmental regulatory agency, or governmental security agency.
  - 17. The method of claim 1, wherein the standard format comprises an extensible description of cyber-threat information specifying observables and context for cyber-threat information.
  - 18. The method of claim 17, wherein the data markings include source information and handling restrictions for each item of the cyber-threat information in the one or more first formats and the one or more second formats.
  - 19. The method of claim 1, wherein the processing component of the cyber-threat device applies the exclusion criteria to further determine acceptable cyber-threat information from the retrieved cyber-threat information in the one or more first formats and the retrieved cyber-threat information in the one or more second formats.
  - 20. The method of claim 1, wherein the distributor exposes an API for receiving the processed cyber-threat information.
  - 21. The method of claim 20, wherein the distributor receives the processed cyber-threat information using a web service.
  - 22. The method of claim 1, wherein reporting component configuration information configures the reporting component with one or more of reporting targets, reporting criteria, or reporting frequencies.
  - 23. The method of claim 22, wherein the reporting component configuration information configures the reporting component to automatically instruct one or more network components of the entity system to modify a network component configuration.
  - 24. The method of claim 23, wherein automatically instructing one or more network components to update a network component configuration comprises instructing an email appliance to update a blacklist.
  - 25. The method of claim 1, further comprising specifying one or more users authorized to access cyber-threat information, cyber-threat information that may be accessed, methods of access to cyber-threat information, or permissible uses of accessed items of cyber-threat information, by a policy engine of the network device.
  - 26. The method of claim 1, wherein processing component configuration information of the processing component specifies:
    - one or more identification criteria for cyber-threat information in the one or more first formats and the one or more second formats orone or more processing rules for cyber-threat information in the one or more first formats and the one or more second formats.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Capital One Services LLC (Capital One Financial Corporation)
Original Assignee
Capital One Services LLC (Capital One Financial Corporation)
Inventors
Weilbacher, Nathan
Primary Examiner(s)
Zaidi, Syed A

Application Number

US15/133,132
Publication Number

US 20160308890A1
Time in Patent Office

1,050 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Systems and methods for automated retrieval, processing, and distribution of cyber-threat information

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for automated retrieval, processing, and distribution of cyber-threat information

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links