Cost prioritized evaluations of indicators of compromise
Abstract
A method for evaluating indicators of compromise (IOCs) is performed at a device having one or more processors and memory. The method includes receiving respective specifications of a plurality of IOCs, wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC. The method further includes dynamically determining an order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs, and determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order, instead of the order in which the plurality of IOCs have been received at the device.
36 Claims
1. A method of threat management in a network of machines, the method comprising:
at a device having one or more processors and memory, wherein the device is a server or a client machine within the network of machines, and the device is separated from external networks by one or more firewalls:
- receiving respective specifications of a plurality of indicators of compromise (IOCs), wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC;
- dynamically determining, without requiring user intervention after receipt of the respective specifications of the plurality of IOCs, an order for evaluating the plurality of IOCs based on the respective costs associated with evaluating the plurality of IOCs;
- determining whether a threat is present in the network of machines based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order, instead of an order by which specifications of the plurality of IOCs have been received at the device;
- determining modified respective costs associated with the one or more of the plurality of IOCs;
- dynamically determining a revised order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs, including the modified respective costs associated with the one or more IOCs; and
- determining whether a threat is present in the network of machines based on results for evaluating one or more of the plurality of IOCs in accordance with the revised order.
Dependent claims: 2 to 11.
12. A system of threat management in a network of machines, wherein:
the system is a server or a client machine within the network of machines, and the system comprises: one or more processors; and memory storing instructions that when executed by the one or more processors cause the processors to perform operations including:
- receiving respective specifications of a plurality of indicators of compromise (IOCs), wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC;
- dynamically determining, without requiring user intervention after receipt of the respective specifications of the plurality of IOCs, an order for evaluating the plurality of IOCs based on the respective costs associated with evaluating the plurality of IOCs;
- determining whether a threat is present in the network of machines based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order, instead of an order by which specifications of the plurality of IOCs have been received at the device;
- determining modified respective costs associated with the one or more of the plurality of IOCs;
- dynamically determining a revised order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs, including the modified respective costs associated with the one or more IOCs; and
- determining whether a threat is present in the network of machines based on results for evaluating one or more of the plurality of IOCs in accordance with the revised order.
Dependent claims: 13 to 22.
23. A non-transitory computer-readable medium storing instructions that when executed by one or more processors cause the processors to perform operations comprising:
- receiving respective specifications of a plurality of indicators of compromise (IOCs), wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC;
- dynamically determining, without requiring user intervention after receipt of the respective specifications of the plurality of IOCs, an order for evaluating the plurality of IOCs based on the respective costs associated with evaluating the plurality of IOCs;
- determining whether a threat is present in a network of machines based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order, instead of an order by which specifications of the plurality of IOCs have been received at the device;
- determining modified respective costs associated with the one or more of the plurality of IOCs;
- dynamically determining a revised order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs, including the modified respective costs associated with the one or more IOCs; and
- determining whether a threat is present in the network of machines based on results for evaluating one or more of the plurality of IOCs in accordance with the revised order.
Dependent claims: 24 to 33.
34. A method of threat management in a network of machines, the method comprising:
at a device having one or more processors and memory, wherein the device is a server or a client machine within the network of machines, and the device is separated from external networks by one or more firewalls:
- receiving respective specifications of a plurality of indicators of compromise (IOCs), wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC;
- dynamically determining, without requiring user intervention after receipt of the respective specifications of the plurality of IOCs, an order for evaluating the plurality of IOCs based on the respective costs associated with evaluating the plurality of IOCs;
- sending queries into a linear communication orbit comprising a sequence of machines within the network of machines;
- collecting IOC evaluation results via the linear communication orbit, from a plurality of machines in the sequence of machines, for the plurality of IOCs evaluated locally at the plurality of machines in accordance with the dynamically determined order; and
- determining whether a threat is present in the network of machines based on the collected IOC evaluation results, evaluated locally at the plurality of machines in accordance with the dynamically determined order, instead of an order by which specifications of the plurality of IOCs have been received at the device.
35. A system of threat management in a network of machines, wherein:
the system is a server or a client machine within the network of machines, and the system comprises: one or more processors; and memory storing instructions that when executed by the one or more processors cause the processors to perform operations including:
- receiving respective specifications of a plurality of indicators of compromise (IOCs), wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC;
- dynamically determining, without requiring user intervention after receipt of the respective specifications of the plurality of IOCs, an order for evaluating the plurality of IOCs based on the respective costs associated with evaluating the plurality of IOCs;
- sending queries into a linear communication orbit comprising a sequence of machines within the network of machines;
- collecting IOC evaluation results via the linear communication orbit, from a plurality of machines in the sequence of machines, for the plurality of IOCs evaluated locally at the plurality of machines in accordance with the dynamically determined order; and
- determining whether a threat is present in the network of machines based on the collected IOC evaluation results, evaluated locally at the plurality of machines in accordance with the dynamically determined order, instead of an order by which specifications of the plurality of IOCs have been received at the device.
36. A non-transitory computer-readable medium storing instructions that when executed by one or more processors cause the processors to perform operations comprising:
- receiving respective specifications of a plurality of indicators of compromise (IOCs), wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC;
- dynamically determining, without requiring user intervention after receipt of the respective specifications of the plurality of IOCs, an order for evaluating the plurality of IOCs based on the respective costs associated with evaluating the plurality of IOCs;
- sending queries into a linear communication orbit comprising a sequence of machines within the network of machines;
- collecting IOC evaluation results via the linear communication orbit, from a plurality of machines in the sequence of machines, for the plurality of IOCs evaluated locally at the plurality of machines in accordance with the dynamically determined order; and
- determining whether a threat is present in the network of machines based on the collected IOC evaluation results, evaluated locally at the plurality of machines in accordance with the dynamically determined order, instead of an order by which specifications of the plurality of IOCs have been received at the device.
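The abstract and claims 1 and 34 describe a procedure rather than a product: each IOC specification arrives with a declared evaluation cost, the device sorts the IOCs by that cost instead of by arrival order, evaluates them, replaces the declared costs with the costs it actually observed, and re-sorts before the next pass; in claims 34 to 36 the ordered list is pushed down a linear sequence of machines that evaluate locally and hand their results along. The following Python is an added example written for this page, not code from the patent or its assignee. Every IOC name, declared cost, "observed" cost, blocklisted value and endpoint state in it is constructed for the demonstration, and the orbit is a plain in-process loop standing in for the network hops.

```python
"""Cost-prioritized IOC evaluation, modelled on the abstract and claims 1 and 34.

Added example; not code from the patent or its assignee. Every IOC name,
cost, endpoint state and "measured" cost below is constructed for the demo.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed reference values. BAD_IPS uses a documentation range (TEST-NET-3);
# BAD_HASH is the SHA-256 of the empty string, standing in for a blocklisted hash.
BAD_IPS = {"203.0.113.7"}
BAD_HASH = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


@dataclass
class IOC:
    name: str
    cost: float                     # declared cost, replaced by a measured cost after evaluation
    check: Callable[[dict], bool]   # True when the indicator matches the endpoint state
    received_seq: int               # arrival order, used only as a tie-breaker


def make_iocs() -> List[IOC]:
    """IOC specifications in the order they were received: most expensive first."""
    return [
        IOC("full_memory_scan", 500.0, lambda ep: False, 0),
        IOC("file_hash_match", 50.0, lambda ep: BAD_HASH in ep["file_hashes"].values(), 1),
        IOC("beacon_destination", 2.0, lambda ep: bool(ep["connections"] & BAD_IPS), 2),
        IOC("bad_process_name", 1.0, lambda ep: "badproc.exe" in ep["processes"], 3),
    ]


# Constructed endpoint state and the costs "observed" when each IOC actually ran.
# The hash check turned out cheap (cached digests); the connection check turned
# out expensive (many sockets to walk), so the revised order swaps the two.
ENDPOINT = {
    "processes": {"explorer.exe", "svchost.exe"},
    "connections": {"10.0.0.5", "203.0.113.7"},
    "file_hashes": {"/tmp/x": BAD_HASH},
}
OBSERVED_COST = {"bad_process_name": 1.2, "beacon_destination": 80.0,
                 "file_hash_match": 4.0, "full_memory_scan": 480.0}


def measured_cost(name: str) -> float:
    """Stand-in for timing the evaluation; injected so the run is deterministic."""
    return OBSERVED_COST[name]


def evaluation_order(iocs: List[IOC]) -> List[str]:
    """Cheapest first, regardless of arrival order; arrival order only breaks ties."""
    return [i.name for i in sorted(iocs, key=lambda i: (i.cost, i.received_seq))]


def evaluate_sweep(iocs: List[IOC], endpoint: dict, measure: Callable[[str], float],
                   stop_on_first_hit: bool = False) -> Tuple[bool, List[str]]:
    """One pass over the IOCs in cost order.

    Each evaluated IOC's cost is overwritten with the measured cost, so the next
    call to evaluation_order() yields the revised order. With stop_on_first_hit
    the sweep returns as soon as a threat is established, which is where the
    cheap-first order pays off: the expensive indicators may never run.
    """
    by_name = {i.name: i for i in iocs}
    hits: List[str] = []
    for name in evaluation_order(iocs):
        ioc = by_name[name]
        matched = ioc.check(endpoint)
        ioc.cost = measure(name)        # modified respective cost
        if matched:
            hits.append(name)
            if stop_on_first_hit:
                break
    return bool(hits), hits


def orbit_query(machines: Dict[str, dict], iocs: List[IOC]) -> Tuple[bool, Dict[str, List[str]]]:
    """Sketch of claims 34-36: the server computes the order once and sends it down a
    linear sequence of machines; each evaluates locally in that order and appends its
    hits to the forwarded message, which the last machine returns to the server."""
    order = evaluation_order(iocs)
    by_name = {i.name: i for i in iocs}
    message: Dict[str, List[str]] = {}
    for host, state in machines.items():         # one hop per machine in the orbit
        message[host] = [n for n in order if by_name[n].check(state)]
    return any(message.values()), message


if __name__ == "__main__":
    iocs = make_iocs()
    print("initial order:", evaluation_order(iocs))
    print("sweep:", evaluate_sweep(iocs, ENDPOINT, measured_cost))
    print("revised order:", evaluation_order(iocs))
    clean = {"processes": set(), "connections": set(), "file_hashes": {}}
    print("orbit:", orbit_query({"host-a": clean, "host-b": ENDPOINT}, iocs))
```

Two details worth noticing when adapting this. The re-costing only touches IOCs that were actually evaluated, so with `stop_on_first_hit` an indicator that never ran keeps its declared cost and stays where it was in the order, which is the behaviour the claims describe ("modified respective costs associated with the one or more of the plurality of IOCs"). And the cost is a scalar the sender controls: in a real deployment the agent should measure and clamp it locally rather than trust a declared value, otherwise whoever writes the IOC feed also decides what gets checked first.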