Systems and methods for automated retrieval, processing, and distribution of cyber-threat information

US 10,574,677 B2
Filed: 11/05/2018
Issued: 02/25/2020
Est. Priority Date: 04/20/2015
Status: Active Grant

First Claim

Patent Images

1. A device for managing cyber-threat to an entity system, comprising:

a network adapter configured to receive;

first cyber-threat information in a non-standard format from a network component of the entity system, the network component of the entity system being configured to expose an Application Program Interface (API) to collect at least a portion of the first cyber-threat information; and

second cyber-threat information in a standard format from a distributor external to the entity system, the distributor being configured to collect and share the second cyber-threat information in the standard format; and

at least one processor configured to perform operations comprising;

filtering the first cyber-threat information and the second cyber-threat information based on exclusion criteria to exclude from further processing;

after completion of filtering, converting the first cyber-threat information into processed first cyber-threat information in the standard format, the standard format comprising;

a first data marking indicating a categorization of the first cyber-threat information;

a second data marking indicating an expiration of the first cyber-threat information; and

a context comprising detection and remediation procedures for cyber-attacks associated with the first cyber-threat information;

combining the processed first cyber-threat information and the second cyber-threat information into combined cyber-threat information;

automatically instructing the network component of the entity system to reconfigure the network component in response to the combined cyber-threat information; and

transmitting the combined cyber-threat information to the distributor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for automated retrieval, processing, and/or distribution of cyber-threat information using a cyber-threat device. Consistent with disclosed embodiments, the cyber-threat device may receive cyber-threat information in first formats from internal sources of cyber-threat information using an accessing component of the cyber-threat device. The cyber-threat device may receive cyber-threat information second formats from external sources of cyber-threat information using an accessing component of the cyber-threat device. The cyber-threat device may process the received cyber-threat information in the first formats and the second formats into a standard format using a processing component of the cyber-threat device. The cyber-threat device may provide the processed items of cyber-threat information to a distributor using a distributing component of the cyber-threat device. The cyber-threat device may automatically report information concerning the processed items of cyber-threat information to a device of a user with a reporting component of the cyber-threat device.

Citations

20 Claims

1. A device for managing cyber-threat to an entity system, comprising:
- a network adapter configured to receive;
  
  first cyber-threat information in a non-standard format from a network component of the entity system, the network component of the entity system being configured to expose an Application Program Interface (API) to collect at least a portion of the first cyber-threat information; and
  
  second cyber-threat information in a standard format from a distributor external to the entity system, the distributor being configured to collect and share the second cyber-threat information in the standard format; and
  
  at least one processor configured to perform operations comprising;
  
  filtering the first cyber-threat information and the second cyber-threat information based on exclusion criteria to exclude from further processing;
  
  after completion of filtering, converting the first cyber-threat information into processed first cyber-threat information in the standard format, the standard format comprising;
  
  a first data marking indicating a categorization of the first cyber-threat information;
  
  a second data marking indicating an expiration of the first cyber-threat information; and
  
  a context comprising detection and remediation procedures for cyber-attacks associated with the first cyber-threat information;
  
  combining the processed first cyber-threat information and the second cyber-threat information into combined cyber-threat information;
  
  automatically instructing the network component of the entity system to reconfigure the network component in response to the combined cyber-threat information; and
  
  transmitting the combined cyber-threat information to the distributor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The device of claim 1, wherein the operations further comprise extracting, from the combined cyber-threat information, information identifying the combined cyber-threat information based on stored identification criteria.
  - 3. The device of claim 1, wherein the operations further comprise enforcing policy rules specifying at least one of:
    - a user authorized to access the combined cyber-threat information;
      
      a type of combined cyber-threat information that may be accessed;
      
      methods of access to the combined cyber-threat information;
      
      orpermissible uses of accessed items of the combined cyber-threat information.
  - 4. The device of claim 1, wherein the network adapter is further configured with a credential for accessing at least one of an internal cyber-threat information source, an external cyber-threat information source, or the distributor.
  - 5. The device of claim 4, wherein the credential comprises an authentication token supporting authentication.
  - 6. The device of claim 1, wherein the network adapter is further configured to call an API library to receive the first cyber-threat information.
  - 7. The device of claim 1, wherein the network component of the entity system comprises a firewall appliance, router, email appliance, webserver, or proxy server.
  - 8. The device of claim 1, wherein the standard format comprises an extensible cyber-threat information description specifying observables and context for the first and second cyber-threat information.
  - 9. The device of claim 1, wherein the first data marking comprises source information and handling restrictions for the first and second cyber-threat information.
  - 10. The device of claim 1, wherein the operations further comprise applying the exclusion criteria to further determine acceptable cyber-threat information from the first and second cyber-threat information.
  - 11. The device of claim 1, wherein the first cyber-threat information comprises a blacklist to configure an email appliance.
  - 12. The device of claim 1, further comprising an I/O interface configured to display a user interface on a user device.
  - 13. The device of claim 12, wherein the user interface is configured to receive user instructions to modify a configuration of at least one of the network adapter, the processor, or the I/O interface.
  - 14. The device of claim 12, wherein the user interface is configured to display flow of the first and second cyber-threat information over the network component of the entity system.

15. A device for managing cyber-threat to an entity system, comprising:
- a network adapter configured to receive;
  
  first cyber-threat information in a non-standard format from a network component of the entity system, the network component of the entity system being configured to expose an Application Program Interface (API) to collect at least a portion of the first cyber-threat information; and
  
  second cyber-threat information in a standard format from a distributor external to the entity system, the distributor being configured to collect and share the second cyber-threat information in the standard format;
  
  at least one processor configured to perform operations comprising;
  
  filtering the first cyber-threat information and the second cyber-threat information based on exclusion criteria to exclude from further processing;
  
  after completion of filtering, converting the first cyber-threat information into processed first cyber-threat information in the standard format, the standard format comprising;
  
  a first data marking indicating a categorization of the first cyber-threat information;
  
  a second data marking indicating an expiration of the first cyber-threat information; and
  
  a context comprising detection and remediation procedures for cyber-attacks associated with the first cyber-threat information;
  
  combining the processed first cyber-threat information and the second cyber-threat information into combined cyber-threat information;
  
  automatically instructing the network component of the entity system to reconfigure the network component in response to the combined cyber-threat information; and
  
  transmitting the combined cyber-threat information to the distributor; and
  
  a non-transitory memory configured to store the first cyber-threat information, the second cyber-threat information, and the combined cyber-threat information.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The device of claim 15, wherein the non-transitory memory is further configured to store the first cyber-threat information in the non-standard format.
  - 17. The device of claim 15, wherein the non-transitory memory is further configured to store the combined cyber-threat information in the standard format.
  - 18. The device of claim 15, wherein the operations further comprise automatically generating reports to reporting targets, wherein the reporting targets are stored in the non-transitory memory.
  - 19. The device of claim 15, wherein the network component of the entity system comprises a firewall appliance, router, email appliance, webserver, or proxy server.

20. A method for managing cyber-threat to an entity system, comprising:
- receiving using a network adapter of a cyber-threat management device;
  
  first cyber-threat information in a non-standard format from a network component of the entity system, the network component of the entity system being configured to expose an Application Program Interface (API) to collect at least a portion of the first cyber-threat information; and
  
  second cyber-threat information in a standard format from a distributor external to the entity system, the distributor being configured to collect and share the second cyber-threat information in the standard format;
  
  filtering, using one or more processors of the cyber-threat management device, the first cyber-threat information and the second cyber-threat information based on exclusion criteria to exclude from further processing;
  
  after completion of filtering, converting, using the one or more processors, the first cyber-threat information into processed first cyber-threat information in the standard format, the standard format comprising;
  
  a first data marking indicating a categorization of the first cyber-threat information;
  
  a second data marking indicating an expiration of the first cyber-threat information; and
  
  a context comprising detection and remediation procedures for cyber-attacks associated with the first cyber-threat information;
  
  combining, using the one or more processors, the processed first cyber-threat information and the second cyber-threat information into combined cyber-threat information;
  
  automatically instructing, using the one or more processors, the network component of the entity system to reconfigure the network component in response to the combined cyber-threat information; and
  
  transmit, using the network adapter of the cyber-threat management device, the combined cyber-threat information to the distributor; and
  
  storing to a non-transitory memory the first cyber-threat information, the second cyber-threat information, and the combined cyber-threat information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Capital One Services LLC (Capital One Financial Corporation)
Original Assignee
Capital One Services LLC (Capital One Financial Corporation)
Inventors
Weilbacher, Nathan
Primary Examiner(s)
Zaidi, Syed A

Application Number

US16/181,292
Publication Number

US 20200028859A1
Time in Patent Office

477 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Systems and methods for automated retrieval, processing, and distribution of cyber-threat information

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for automated retrieval, processing, and distribution of cyber-threat information

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links