Threat intelligence on a data exchange layer
First Claim
1. A threat intelligence apparatus adapted for use on a data exchange layer (DXL), comprising:
a network interface;
a DXL client engine comprising a DXL application programming interface (API) operable for communicatively coupling the apparatus to a DXL via a DXL broker, wherein the DXL is a messaging bus configured to provide endpoint-to-endpoint communication, brokered by a DXL broker, between loosely-coupled dissimilar DXL endpoints, including the threat intelligence apparatus, on a one-to-many publish-subscribe fabric on which a plurality of private DXL topics are to be established between the dissimilar DXL endpoints; and
one or more logic elements comprising a threat intelligence engine operable for:
aggregating reputation data for a network object via a plurality of DXL messages;
computing a composite reputation for the network object;
receiving from a DXL endpoint a DXL request message, via a private topic of the plurality of private topics, for a reputation for the network object; and
providing the composite reputation via a DXL message through the DXL broker and the one-to-many publish-subscribe fabric.
Abstract
In an example, a threat intelligence controller is configured to operate on a data exchange layer (DXL). The threat intelligence controller acts as a DXL consumer of reputation data for a network object, which may be reported in various different types and from various different sources. Of the devices authorized to act as reputation data producers, each may have its own trust level. As the threat intelligence controller aggregates data from various providers, it may weight the reputation reports according to trust level. The threat intelligence engine thus builds a composite reputation for the object. When it receives a DXL message requesting a reputation for the object, it publishes the composite reputation on the DXL bus.
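The abstract describes the controller's core behaviour: consume reputation reports for an object from several producers, weight each report by the producer's trust level, keep a composite, and answer a request for that object's reputation over the bus. The following is an added example, not code from the patent or from any DXL product; the in-memory Broker is a stand-in for a DXL broker, and the topic names, the trust table, the 0..100 score scale and the sample reports are all constructed for illustration. The two checks a practitioner would want are shown: a report from a producer that is not in the authorized trust table is dropped rather than averaged in, and a request is answered on the requester's private reply topic.

```python
"""Trust-weighted composite reputation over a simulated publish-subscribe bus.

Added example; not code from the patent or from any DXL implementation. The
Broker below is an in-memory stand-in for a DXL broker; topic names, the trust
table and the 0..100 reputation scale are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class ReputationReport:
    producer: str   # identity of the reporting endpoint
    obj: str        # network object, e.g. a file hash, URL or IP
    score: float    # constructed scale: 0 = known bad, 100 = known good


@dataclass(frozen=True)
class ReputationRequest:
    obj: str
    reply_topic: str  # private topic on which the requester expects the answer


class Broker:
    """Minimal in-memory publish-subscribe fabric standing in for a DXL broker."""

    def __init__(self) -> None:
        self._subscribers: Dict[str, List[Callable]] = defaultdict(list)

    def subscribe(self, topic: str, handler: Callable) -> None:
        self._subscribers[topic].append(handler)

    def publish(self, topic: str, message) -> None:
        for handler in list(self._subscribers[topic]):
            handler(message)


class ThreatIntelEngine:
    """Consumes reputation reports, weights them by producer trust, answers requests."""

    def __init__(self, broker: Broker, producer_trust: Dict[str, float],
                 reputation_topic: str, request_topic: str) -> None:
        self.broker = broker
        self.producer_trust = dict(producer_trust)   # authorized producers only
        self.reports: Dict[str, Dict[str, float]] = defaultdict(dict)
        self.rejected: List[ReputationReport] = []
        broker.subscribe(reputation_topic, self.on_report)
        broker.subscribe(request_topic, self.on_request)

    def on_report(self, report: ReputationReport) -> None:
        # Only producers present in the trust table are authorized; anything
        # else, and any out-of-range score, is dropped instead of averaged in.
        if report.producer not in self.producer_trust or not 0.0 <= report.score <= 100.0:
            self.rejected.append(report)
            return
        # The latest report from a given producer supersedes its earlier one.
        self.reports[report.obj][report.producer] = report.score

    def composite(self, obj: str) -> Optional[float]:
        """Trust-weighted mean of the current reports; None if nothing is known."""
        scores = self.reports.get(obj)
        if not scores:
            return None
        weight_sum = sum(self.producer_trust[p] for p in scores)
        if weight_sum == 0:
            return None
        return sum(self.producer_trust[p] * s for p, s in scores.items()) / weight_sum

    def on_request(self, request: ReputationRequest) -> None:
        # Reply on the requester's private topic through the same broker.
        self.broker.publish(request.reply_topic,
                            {"obj": request.obj, "reputation": self.composite(request.obj)})


def run_scenario() -> dict:
    """Constructed exchange: three authorized producers, one rogue, one request."""
    broker = Broker()
    engine = ThreatIntelEngine(
        broker,
        producer_trust={"av-gateway": 1.0, "sandbox": 0.6, "legacy-feed": 0.2},
        reputation_topic="/ti/object/reputation",
        request_topic="/ti/request/reputation",
    )
    obj = "sha256:0123abcd"  # constructed identifier
    for report in (
        ReputationReport("av-gateway", obj, 10),
        ReputationReport("sandbox", obj, 80),
        ReputationReport("legacy-feed", obj, 90),
        ReputationReport("rogue-host", obj, 100),   # not authorized: dropped
        ReputationReport("sandbox", obj, 150),      # out of range: dropped
    ):
        broker.publish("/ti/object/reputation", report)

    replies: List[dict] = []
    broker.subscribe("/ti/private/endpoint-42", replies.append)
    broker.publish("/ti/request/reputation",
                   ReputationRequest(obj, "/ti/private/endpoint-42"))
    return {"replies": replies, "rejected": len(engine.rejected),
            "unknown": engine.composite("sha256:ffff")}


if __name__ == "__main__":
    print(run_scenario())
```

With the constructed inputs the composite is (1.0*10 + 0.6*80 + 0.2*90) / 1.8, so the single high-trust "known bad" report dominates two lower-trust "good" reports, which is the point of weighting by trust level rather than taking a plain average; the rogue producer's report never enters the calculation because it is not in the trust table at all.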
25 Claims
1. Independent claim; text as given under First Claim above. Dependent claims: 2 to 13.
14. One or more non-transitory computer-readable mediums having stored thereon executable instructions for providing a threat intelligence engine comprising a DXL application programming interface (API) operable for:
communicatively coupling to a data exchange layer (DXL) via a DXL broker, wherein the DXL is a messaging bus configured to provide endpoint-to-endpoint communication, brokered by a DXL broker, between loosely-coupled dissimilar DXL endpoints, including the threat intelligence apparatus, on a one-to-many publish-subscribe fabric on which a plurality of private DXL topics are to be established between the dissimilar DXL endpoints;
subscribing to a DXL object reputation topic;
aggregating reputation data for a network object via a plurality of object reputation DXL messages;
computing a composite reputation for the network object;
receiving from a DXL endpoint a DXL request message, via a private topic of the plurality of private topics, for a reputation for the network object; and
providing the composite reputation via a DXL message through the DXL broker and the one-to-many publish-subscribe fabric.
Dependent claims: 15 to 23.
24. A method of providing a server engine, comprising a DXL application programming interface (API) in a threat intelligence engine apparatus, and further comprising:
communicatively coupling to a data exchange layer (DXL) via a DXL broker, wherein the DXL is a messaging bus configured to provide endpoint-to-endpoint communication, brokered by a DXL broker, between loosely-coupled dissimilar DXL endpoints, including the threat intelligence apparatus, on a one-to-many publish-subscribe fabric on which a plurality of private DXL topics are to be established between the dissimilar DXL endpoints;
subscribing to a DXL object reputation topic;
aggregating reputation data for a network object via a plurality of object reputation DXL messages;
computing a composite reputation for the network object;
receiving from a DXL endpoint a DXL request message, via a private topic of the plurality of private topics, for a reputation for the network object; and
providing the composite reputation via a DXL message through the DXL broker and the one-to-many publish-subscribe fabric.
Dependent claims: 25.