Cyberanalysis workflow acceleration
2 Assignments
Litigations
1 Petition
Accused Products
Abstract
A cyber threat intelligence (CTI) gateway device may receive rules for filtering TCP/IP packet communications events that are configured to cause the CTI gateway device to identify communications corresponding to indicators, signatures, and behavioral patterns of network threats. The CTI gateway device may receive packets that compose endpoint-to-endpoint communication events and, for each event, may determine that the event corresponds to criteria specified by a filtering rule. The criteria may correspond to one or more of the network threat indicators, signatures, and behavioral patterns. The CTI gateway may create a log of the threat event and forward the threat event log to a task queue managed by a cyberanalysis workflow application. Human cyberanalysts use the cyberanalysis workflow application to service the task queue by removing the task at the front of the queue, investigating the threat event, and deciding whether the event is a reportable finding that should be reported to the proper authorities. In order to improve the efficiency of the workflow process, tasks in the queue are ordered by the likelihood, or probability, that cyberanalysts will determine the associated threat events to be reportable findings; thus, high-likelihood events are investigated first. Likelihoods are computed using human-designed algorithms and machine-learned algorithms that are applied to characteristics of the events. Low-likelihood events may be dropped from the work queue to further improve efficiency.
218 Citations
20 Claims
1. A method comprising:
receiving a plurality of event logs;
determining, by a computing device, a reportability likelihood for each event log based on at least one algorithm, wherein the reportability likelihood for each event log is based on at least one of: a fidelity of an event threat indicator, a type of the event threat indicator, an age of the event threat indicator, threat intelligence provider data associated with the event threat indicator, reputation data of at least one threat intelligence provider, or a risk score of the event threat indicator;
sorting an event queue of the plurality of event logs based on the reportability likelihood of each of the plurality of event logs; and
transmitting, by the computing device and to an analysis system, the plurality of event logs sorted in the event queue based on the reportability likelihood of each of the plurality of event logs.
View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
11. A method comprising:
receiving, by a computing device, a plurality of event logs;
determining, by the computing device, a first reportability likelihood for each event log based on a human-designed algorithm;
determining, by the computing device, a second reportability likelihood for each event log based on a machine-learned algorithm;
determining, by the computing device, a combined reportability likelihood for each event log based on the first reportability likelihood and the second reportability likelihood;
sorting the plurality of event logs based on the combined reportability likelihoods of each of the plurality of event logs; and
storing, in an event queue, the plurality of event logs sorted in the event queue based on the combined reportability likelihood of each of the plurality of event logs,
wherein the combined reportability likelihood for each event log is based on at least one of: a fidelity of an event threat indicator, a type of the event threat indicator, an age of the event threat indicator, threat intelligence provider data associated with the event threat indicator, reputation data of at least one threat intelligence provider, or a risk score of the event threat indicator.
View Dependent Claims (12, 13, 14)
15. One or more non-transitory computer-readable media having instructions stored thereon that, when executed by one or more computing devices, cause the one or more computing devices to:
receive a plurality of event logs;
determine a reportability likelihood for each event log based on at least one algorithm, wherein the reportability likelihood for each event log is based on at least one of: a fidelity of an event threat indicator, a type of the event threat indicator, an age of the event threat indicator, threat intelligence provider data associated with the event threat indicator, reputation data of at least one threat intelligence provider, or a risk score of the event threat indicator;
sort the plurality of event logs based on the reportability likelihood of each of the plurality of event logs; and
store, in an event queue, the plurality of event logs sorted in the event queue based on the reportability likelihood of each of the plurality of event logs.
View Dependent Claims (16, 17, 18, 19, 20)
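The abstract and claims 1 and 11 describe the same pipeline: score each threat event log with a human-designed algorithm and a machine-learned algorithm over the indicator's fidelity, type, age, provider reputation and risk score, combine the two likelihoods, sort the queue so the most likely reportable finding is serviced first, and drop low-likelihood events. The following Python is an added illustration of that ordering and is not the patent's own code. The weights, the type priors, the exponential age decay, the plain average used to combine the two scores, the logistic stand-in for a trained model and the three sample event logs are all constructed assumptions; a real deployment would learn the model weights from analysts' past report/no-report decisions.

```python
"""Reportability-likelihood scoring and event-queue ordering.
Added illustration of the workflow in the abstract and claims 1 and 11;
all weights and sample data are constructed for the example."""
import math
from dataclasses import dataclass
from typing import List

# Constructed prior: how often each indicator type has proven reportable.
TYPE_PRIOR = {"ip": 0.25, "domain": 0.45, "url": 0.60, "hash": 0.80}


@dataclass
class EventLog:
    event_id: str
    indicator_type: str          # ip, domain, url or hash
    fidelity: float              # 0..1: how precisely the indicator identifies a threat
    age_days: int                # age of the indicator when the event matched it
    provider_reputation: float   # 0..1: reputation of the CTI provider that supplied it
    risk_score: float            # 0..1: provider-supplied risk score


def _freshness(age_days: int) -> float:
    """Exponential age decay; an indicator ~90 days old keeps about 1/e of its weight."""
    return math.exp(-age_days / 90.0)


def human_designed_likelihood(ev: EventLog) -> float:
    """Hand-tuned heuristic (claim 11's 'human designed algorithm'):
    a weighted blend of the indicator attributes listed in claim 1."""
    score = (0.35 * ev.fidelity
             + 0.25 * TYPE_PRIOR.get(ev.indicator_type, 0.3)
             + 0.15 * _freshness(ev.age_days)
             + 0.10 * ev.provider_reputation
             + 0.15 * ev.risk_score)
    return max(0.0, min(1.0, score))


# Stand-in for a trained model: logistic regression with fixed, constructed weights.
ML_WEIGHTS = {"fidelity": 2.0, "freshness": 1.0, "provider_reputation": 1.0,
              "risk_score": 2.5, "type_prior": 1.5}
ML_BIAS = -3.5


def machine_learned_likelihood(ev: EventLog) -> float:
    """Claim 11's 'machine-learned algorithm' over the same features."""
    features = {
        "fidelity": ev.fidelity,
        "freshness": _freshness(ev.age_days),
        "provider_reputation": ev.provider_reputation,
        "risk_score": ev.risk_score,
        "type_prior": TYPE_PRIOR.get(ev.indicator_type, 0.3),
    }
    z = ML_BIAS + sum(ML_WEIGHTS[k] * v for k, v in features.items())
    return 1.0 / (1.0 + math.exp(-z))


def combined_likelihood(ev: EventLog) -> float:
    """Combine the two likelihoods; a plain average is the assumed combiner."""
    return 0.5 * (human_designed_likelihood(ev) + machine_learned_likelihood(ev))


def build_event_queue(events: List[EventLog], drop_below: float = 0.2) -> List[EventLog]:
    """Sort event logs so the most likely reportable finding is at the front of the
    queue, dropping events whose combined likelihood is below the threshold."""
    scored = [(combined_likelihood(ev), ev) for ev in events]
    kept = [(p, ev) for p, ev in scored if p >= drop_below]
    kept.sort(key=lambda pe: pe[0], reverse=True)
    return [ev for _, ev in kept]


# Constructed sample event logs: a fresh high-fidelity hash match, a stale
# low-fidelity IP match, and a moderately fresh domain match.
SAMPLE_EVENTS = [
    EventLog("evt-1", "hash", 0.95, 3, 0.90, 0.90),
    EventLog("evt-2", "ip", 0.20, 400, 0.40, 0.10),
    EventLog("evt-3", "domain", 0.70, 30, 0.80, 0.60),
]


def queued_ids(events: List[EventLog] = SAMPLE_EVENTS) -> List[str]:
    """Event ids in service order after scoring, sorting and dropping."""
    return [ev.event_id for ev in build_event_queue(events)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.event_id}: human={human_designed_likelihood(ev):.3f} "
              f"ml={machine_learned_likelihood(ev):.3f} combined={combined_likelihood(ev):.3f}")
    print("queue order:", queued_ids())
```

With the constructed inputs the hash match is serviced first, the domain match second, and the stale IP match falls below the 0.2 threshold and is dropped from the work queue, which is the efficiency gain the abstract describes.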
Specification