Threat intelligence on a data exchange layer

US 10,484,398 B2
Filed: 09/29/2014
Issued: 11/19/2019
Est. Priority Date: 09/29/2013
Status: Active Grant

First Claim

Patent Images

1. A threat intelligence apparatus adapted for use on a data exchange layer (DXL), comprising:

a network interface;

a DXL client engine comprising a DXL application programming interface (API) operable for communicatively coupling the apparatus to a DXL via a DXL broker, wherein the DXL is a messaging bus configured to provide endpoint-to-endpoint communication, brokered by a DXL broker, between loosely-coupled dissimilar DXL endpoints, including the threat intelligence apparatus, on a one-to-many publish-subscribe fabric on which a plurality of private DXL topics are to be established between the dissimilar DXL endpoints; and

one or more logic elements comprising a threat intelligence engine operable for;

aggregating reputation data for a network object via a plurality of DXL messages;

computing a composite reputation for the network object;

receiving from a DXL endpoint a DXL request message, via a private topic of the plurality of private topics, for a reputation for the network object; and

providing the composite reputation via a DXL message through the DXL broker and the one-to-many publish-subscribe fabric.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an example, a threat intelligence controller is configured to operate on a data exchange layer (DXL). The threat intelligence controller acts as a DXL consumer of reputation data for a network object, which may be reported in various different types and from various different sources. Of the devices authorized to act as reputation data producers, each may have its own trust level. As the threat intelligence controller aggregates data from various providers, it may weight the reputation reports according to trust level. The threat intelligence engine thus builds a composite reputation for the object. When it receives a DXL message requesting a reputation for the object, it publishes the composite reputation on the DXL bus.

34 Citations

25 Claims

1. A threat intelligence apparatus adapted for use on a data exchange layer (DXL), comprising:
- a network interface;
  
  a DXL client engine comprising a DXL application programming interface (API) operable for communicatively coupling the apparatus to a DXL via a DXL broker, wherein the DXL is a messaging bus configured to provide endpoint-to-endpoint communication, brokered by a DXL broker, between loosely-coupled dissimilar DXL endpoints, including the threat intelligence apparatus, on a one-to-many publish-subscribe fabric on which a plurality of private DXL topics are to be established between the dissimilar DXL endpoints; and
  
  one or more logic elements comprising a threat intelligence engine operable for;
  
  aggregating reputation data for a network object via a plurality of DXL messages;
  
  computing a composite reputation for the network object;
  
  receiving from a DXL endpoint a DXL request message, via a private topic of the plurality of private topics, for a reputation for the network object; and
  
  providing the composite reputation via a DXL message through the DXL broker and the one-to-many publish-subscribe fabric.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The apparatus of claim 1, wherein the DXL message for providing the composite reputation is a DXL response message directed to the private topic of the plurality of private topics.
  - 3. The apparatus of claim 1, wherein the DXL message for providing the composite reputation is a DXL message with an object reputation topic.
  - 4. The apparatus of claim 3, wherein the DXL message for providing the composite reputation comprises an expiry.
  - 5. The apparatus of claim 1, wherein aggregating reputation data for the network object via the plurality of DXL messages comprises:
    - determining permissions for a DXL message source;
      
      determining that the source has permission to act as a provider of object reputation data; and
      
      permitting object reputation data from the source to be included in the aggregating.
  - 6. The apparatus of claim 1, wherein aggregating reputation data for the network object via the plurality of DXL messages comprises:
    - determining permissions for a DXL message source;
      
      determining that the source does not have permission to act as a provider of object reputation data; and
      
      blocking object reputation data from the source from being included in the aggregating.
  - 7. The apparatus of claim 1, wherein aggregating reputation data for the network object via the plurality of DXL messages comprises:
    - determining a weighted permission for a DXL message source;
      
      determining that the weighted permission is sufficient for the source to act as a provider of object reputation data; and
      
      permitting object reputation data from the source to be included in the aggregating, comprising weighting data provided by the source according to the weighted permission.
  - 8. The apparatus of claim 1, wherein aggregating reputation data for the network object via the plurality of DXL messages comprises:
    - receiving a plurality of determinations that the network object is suspect but has not been blocked; and
      
      assigning the composite reputation a score configured to block the network object on a network or subject the network object to additional scrutiny or deep analysis.
  - 9. The apparatus of claim 1, wherein aggregating reputation data for the network object via the plurality of DXL messages comprises:
    - receiving a DXL message indicating that the network object has been blocked by a DXL endpoint; and
      
      publishing a DXL message indicating that the network object should be blocked by all DXL endpoints on the DXL.
  - 10. The apparatus of claim 1, wherein aggregating reputation data for the network object via the plurality of DXL messages comprises:
    - receiving a DXL message indicating that the network object has been blocked by a DXL endpoint; and
      
      publishing a DXL message indicating that the network object should be blocked by a class of DXL endpoints on a network.
  - 11. The apparatus of claim 1, wherein aggregating reputation data for the network object via the plurality of DXL messages comprises:
    - determining that the network object is a new object on a network, and that the new object has been encountered multiple times in a designated time span; and
      
      assigning the composite reputation a suspicious score.
  - 12. The apparatus of claim 1, further comprising a reputation store.
  - 13. The apparatus of claim 12, wherein the reputation store is a self-replicating NoSQL database.

14. One or more non-transitory computer-readable mediums having stored thereon executable instructions for providing a threat intelligence engine comprising a DXL application programming interface (API) operable for:
- communicatively coupling to a data exchange layer (DXL) via a DXL broker, wherein the DXL is a messaging bus configured to provide endpoint-to-endpoint communication, brokered by a DXL broker, between loosely-coupled dissimilar DXL endpoints, including the threat intelligence apparatus, on a one-to-many publish-subscribe fabric on which a plurality of private DXL topics are to be established between the dissimilar DXL endpoints;
  
  subscribing to a DXL object reputation topic;
  
  aggregating reputation data for a network object via a plurality of object reputation DXL messages;
  
  computing a composite reputation for the network object;
  
  receiving from a DXL endpoint a DXL request message, via a private topic of the plurality of private topics, for a reputation for the network object; and
  
  providing the composite reputation via a DXL message through the DXL broker and the one-to-many publish-subscribe fabric.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The one or more non-transitory computer-readable mediums of claim 14, wherein the DXL message for providing the composite reputation is a DXL response message directed to the private topic of the DXL endpoint.
  - 16. The one or more non-transitory computer-readable mediums of claim 14, wherein the DXL message for providing the composite reputation is a DXL message with an object reputation topic.
  - 17. The one or more non-transitory computer-readable mediums of claim 14, wherein aggregating reputation data for the network object via the plurality of DXL messages comprises:
    - determining permissions for a DXL message source;
      
      determining that the source has permission to act as a provider of object reputation data; and
      
      permitting object reputation data from the source to be included in the aggregating.
  - 18. The one or more non-transitory computer-readable mediums of claim 14, wherein aggregating reputation data for the network object via the plurality of DXL messages comprises:
    - determining a weighted permission for a DXL message source;
      
      determining that the weighted permission is sufficient for the source to act as a provider of object reputation data; and
      
      permitting object reputation data from the source to be included in the aggregating, comprising weighting data provided by the source according to the weighted permission.
  - 19. The one or more non-transitory computer-readable mediums of claim 14, wherein aggregating reputation data for the network object via the plurality of DXL messages comprises:
    - receiving a plurality of determinations that the network object is suspect but has not been blocked; and
      
      assigning the composite reputation a score configured to block the network object on a network or subject the network object to additional scrutiny or deep analysis.
  - 20. The one or more non-transitory computer-readable mediums of claim 14, wherein aggregating reputation data for the network object via the plurality of DXL messages comprises:
    - receiving a DXL message indicating that the network object has been blocked by a DXL endpoint; and
      
      publishing a DXL message indicating that the network object should be blocked by all DXL endpoints on the DXL.
  - 21. The one or more non-transitory computer-readable mediums of claim 14, wherein aggregating reputation data for the network object via the plurality of DXL messages comprises:
    - determining that the network object is a new object on a network, and that the new object has been encountered multiple times in a designated time span; and
      
      assigning the composite reputation a suspicious score.
  - 22. The one or more non-transitory computer-readable mediums of claim 14, further comprising a reputation store.
  - 23. The one or more non-transitory computer-readable mediums of claim 22, wherein the reputation store is a self-replicating NoSQL database.

24. A method of providing a server engine, comprising a DXL application programming interface (API) in a threat intelligence engine apparatus, and further comprising:
- communicatively coupling to a data exchange layer (DXL) via a DXL broker, wherein the DXL is a messaging bus configured to provide endpoint-to-endpoint communication, brokered by a DXL broker, between loosely-coupled dissimilar DXL endpoints, including the threat intelligence apparatus, on a one-to-many publish-subscribe fabric on which a plurality of private DXL topics are to be established between the dissimilar DXL endpoints;
  
  subscribing to a DXL object reputation topic;
  
  aggregating reputation data for a network object via a plurality of object reputation DXL messages;
  
  computing a composite reputation for the network object;
  
  receiving from a DXL endpoint a DXL request message, via a private topic of the plurality of private topics, for a reputation for the network object; and
  
  providing the composite reputation via a DXL message through the DXL broker and the one-to-many publish-subscribe fabric.
- View Dependent Claims (25)
- - 25. The method of claim 24, further comprising:
    - determining permissions for a DXL message source;
      
      determining that the source has permission to act as a provider of object reputation data; and
      
      permitting object reputation data from the source to be included in the aggregating.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, LLC
Inventors
Smith, Christopher, McDonald, Edward T., Hanson, II, Don R.
Primary Examiner(s)
Thiaw, Catherine

Application Number

US14/912,743
Publication Number

US 20160197941A1
Time in Patent Office

1,877 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/168 above the transport layer

Threat intelligence on a data exchange layer

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Threat intelligence on a data exchange layer

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links