Protecting threat indicators from third party abuse

US 10,367,829 B2
Filed: 11/19/2015
Issued: 07/30/2019
Est. Priority Date: 11/19/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-based method for detecting threats based on obfuscated threat indicators, the method comprising:

receiving, from a server, an obfuscated threat indicator associated with an identified cyber-threat that was determined by the server to be above a threshold level of quality, the obfuscated threat indicator having been generated by the server responsive to determining that the identified-cyber-threat is above the threshold level of quality by;

including a threat data source of a threat indicator and excluding raw information of the threat indicator;

identifying one or more client-side events occurring within a third-party system, each client-side event identified by an entity identifier indicating an entity to which the client-side event is attributed;

determining that the third-party system experienced a cyber-threat when the obfuscated threat indicator matches at least one entity identifier; and

in response to determining that the third-party system experienced the cyber-threat;

generating descriptive information associated with the obfuscated threat indicator; and

transmitting the descriptive information to the third-party system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A threat analytics system expends significant resources to acquire, structure, and filter the threat indicators provided to the client-side monitoring systems. To protect the threat indicators from misuse, the threat analytics system only provides enough information about the threat indicators to the client-side systems to allow the client-side systems to detect past and ongoing threats. Specifically, the threat analytics system provides obfuscated threat indicators to the client-side monitoring systems. The obfuscated threat indicators enable the client-side systems to detect threats while protecting the threat indicators from misuse or malicious actors.

54 Citations

View as Search Results

16 Claims

1. A computer-based method for detecting threats based on obfuscated threat indicators, the method comprising:
- receiving, from a server, an obfuscated threat indicator associated with an identified cyber-threat that was determined by the server to be above a threshold level of quality, the obfuscated threat indicator having been generated by the server responsive to determining that the identified-cyber-threat is above the threshold level of quality by;
  
  including a threat data source of a threat indicator and excluding raw information of the threat indicator;
  
  identifying one or more client-side events occurring within a third-party system, each client-side event identified by an entity identifier indicating an entity to which the client-side event is attributed;
  
  determining that the third-party system experienced a cyber-threat when the obfuscated threat indicator matches at least one entity identifier; and
  
  in response to determining that the third-party system experienced the cyber-threat;
  
  generating descriptive information associated with the obfuscated threat indicator; and
  
  transmitting the descriptive information to the third-party system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-based method of claim 1, further comprising obfuscating the entity identifier by excluding raw information related to the entity.
  - 3. The computer-based method of claim 1, further comprising reporting the cyber-threat to the third-party system when the obfuscated threat indicator matches at least one obfuscated entity identifier.
  - 4. The computer-based method of claim 1, wherein generating the descriptive information comprises de-obfuscating the obfuscated threat indicator using a decryption key.
  - 5. The computer-based method of claim 1, wherein the threat data source is not a client.
  - 6. The computer-based method of claim 1, wherein the obfuscated threat indicator was generated using a hashing algorithm.
  - 7. The computer-based method of claim 1, wherein the obfuscated threat indicator was generated using an encryption algorithm.
  - 8. The computer-based method of claim 1, further comprising:
    - purging the obfuscated threat indicator when the obfuscated threat indicator expires, andsubsequently receiving a second obfuscated threat indicator associated with the identified cyber-threat, the second obfuscated threat indicator being different from the obfuscated threat indicator.

9. A computer program product for detecting threats based on obfuscated threat indicators, the computer program product comprising a non-transitory computer-readable storage medium containing computer program code for:
- receiving, from a server, an obfuscated threat indicator associated with an identified cyber-threat that was determined by the server to be above a threshold level of quality, the obfuscated threat indicator having been generated by the server responsive to determining that the identified cyber-threat is above the threshold level of quality by;
  
  including a threat data source of a threat indicator and excluding raw information of the threat indicator;
  
  identifying one or more client-side events occurring within a third-party system, each client-side event identified by an entity identifier indicating an entity to which the client-side event is attributed;
  
  obfuscating the entity identifier by excluding raw information related to the entity;
  
  determining that the third-party system experienced a cyber-threat when the obfuscated threat indicator matches at least one obfuscated entity identifier; and
  
  in response to determining that the third-party system experienced the cyber-threat;
  
  generating descriptive information associated with the obfuscated threat indicator; and
  
  transmitting the descriptive information to the third-party system.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The computer program product of claim 9, further comprising reporting the cyber-threat to the third-party system when the obfuscated threat indicator matches at least one obfuscated entity identifier.
  - 11. The computer program product of claim 9, wherein generating the descriptive information comprises de-obfuscating the obfuscated threat indicator using a decryption key.
  - 12. The computer program product of claim 9, wherein the threat data source is not a client.
  - 13. The computer program product of claim 9, further comprising:
    - purging the obfuscated threat indicator when the obfuscated threat indicator expires, andsubsequently receiving a second obfuscated threat indicator associated with the identified cyber-threat, the second obfuscated threat indicator being different from the obfuscated threat indicator.

14. A computer-based method for transmitting threat information to client modules, the method comprising:
- generating, at a server, obfuscated threat indicators associated with identified cyber-threats that are determined to be above a threshold level of quality, each respective obfuscated threat indicator having been generated responsive to determining that a respective cyber-threat is above the threshold level of quality by;
  
  including a threat data source of a threat indicator and excluding raw information of the threat indicator;
  
  determining, by the server, that the obfuscated threat indicators are available for transmission to a client module;
  
  determining, by the server, whether a threat detection report associated with the obfuscated threat indicators was received from the client module; and
  
  transmitting, by the server, the obfuscated threat indicators to the client module in response to determining that the threat detection report was received from the client module.
- View Dependent Claims (15, 16)
- - 15. The computer-based method of claim 14, further comprising process the threat detection report to evaluate a relevance between the obfuscated threat indicators and a client system associated with the client module.
  - 16. The computer-based method of claim 14, wherein transmitting the obfuscated threat indicators comprises obfuscating the additional threat indicators prior to transmission and transmitting the obfuscated threat indicators to the client module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Anomali, Inc.
Original Assignee
Anomali, Inc.
Inventors
Huang, Wei, Zhou, Yizheng, Njemanze, Hugh
Primary Examiner(s)
Naghdali, Khalil

Application Number

US14/946,088
Publication Number

US 20170149802A1
Time in Patent Office

1,349 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2115   Third party

H04L 63/0435   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

Protecting threat indicators from third party abuse

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

54 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting threat indicators from third party abuse

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links