Systems and methods for secure propagation of statistical models within threat intelligence communities

US 10,594,713 B2
Filed: 11/10/2017
Issued: 03/17/2020
Est. Priority Date: 11/10/2017
Status: Active Grant

First Claim

Patent Images

1. A method of securely propagating analytical models for detection of security threats and/or malicious actions among members of a threat intelligence community, comprising:

determining and encoding attributes of security data common to, accessible by, and/or shared between the members of the threat intelligence community, the attributes including one or more measurements or features selected as indicating, identifying, predicting and/or mitigating potential malicious actions or security threats;

developing or selecting an analytical model for detection of the potential malicious actions or security threats using the encoded attributes of the security data and a derivation data schema;

encrypting the derivation data schema of the model;

translating the model into one or more common exchange formats for sharing the model with at least selected ones of the members of the threat intelligence community;

transmitting the encrypted derivation data schema of the model to the at least selected ones of the members of the threat intelligence community;

after receipt, decoding the derivation data schema at the selected ones of the members of the threat intelligence community and applying the derivation data schema to security data to determine if the encoded attributes are found;

if the encoded attributes are found, applying a remedial or mitigating action.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems/method of securely propagating analytical models for detection of security threats and/or malicious actions among a threat intelligence community can be provided. Attributes of security data accessed members of the threat intelligence community can be determined and encoded. Analytical model(s) can be developed for detection of potential malicious actions using the encoded attributes of the security data and a derivation data schema, and this derivation data schema can be encrypted. The model(s) can be translated into common exchange formats for sharing the model with community members. The encrypted derivation data schema can be transmitted to the community members. After receipt, the derivation data schema can be decoded by the community members, and the derivation data schema can be applied to security data to determine if the encoded attributes are found. If the encoded attributes are derived, remedial or mitigating action can be taken.

152 Citations

14 Claims

1. A method of securely propagating analytical models for detection of security threats and/or malicious actions among members of a threat intelligence community, comprising:
- determining and encoding attributes of security data common to, accessible by, and/or shared between the members of the threat intelligence community, the attributes including one or more measurements or features selected as indicating, identifying, predicting and/or mitigating potential malicious actions or security threats;
  
  developing or selecting an analytical model for detection of the potential malicious actions or security threats using the encoded attributes of the security data and a derivation data schema;
  
  encrypting the derivation data schema of the model;
  
  translating the model into one or more common exchange formats for sharing the model with at least selected ones of the members of the threat intelligence community;
  
  transmitting the encrypted derivation data schema of the model to the at least selected ones of the members of the threat intelligence community;
  
  after receipt, decoding the derivation data schema at the selected ones of the members of the threat intelligence community and applying the derivation data schema to security data to determine if the encoded attributes are found;
  
  if the encoded attributes are found, applying a remedial or mitigating action.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - updating the derivation data schema as new attacks or threats are detected by the selected ones of the members of the threat intelligence community to provide an updated derivation data schema,encrypting the updated derivation data schema, andsharing the encrypted updated derivation data schema with other members of the threat intelligence community.
  - 3. The method of claim 1, wherein developing or selecting the analytical model comprises deriving a predictive model in a common exchange format.
  - 4. The method of claim 1, wherein encrypting the derivation data schema comprises applying an asymmetric cryptographic function to encrypt the derivation data schema.
  - 5. The method of claim 1, wherein determining and encoding attributes comprises identifying features of the security data indicative of known security threats.
  - 6. The method of claim 5, wherein the features comprise:
    - URL'"'"'s, hashes, IP addresses, hosts logged into, processed executed, windows registry keys added, files accessed and/or logs sent or deleted.
  - 7. The method of claim 1, further comprising updating the encoded attributes and/or the derivation data schema based at least in part on the found encoded attributes.

8. A system for securely propagating analytical models for detection of security threats and/or malicious actions among members of a threat intelligence community, comprising:
- at least one processor; and
  
  a non-transitory computer readable storage medium having instructions stored therein, the instructions, when executed by the at least one processor, cause the system to;
  
  determine and encode attributes of security data common to, accessible by, and/or shared between the members of the threat intelligence community, the attributes including one or more measurements or features selected as indicating, identifying, predicting and/or mitigating potential malicious actions or security threats;
  
  develop an analytical model for detection of the potential malicious actions or security threats using the encoded attributes of the security data and a derivation data schema;
  
  encrypt the derivation data schema of the model;
  
  translate the model into one or more common exchange formats for sharing the model with at least selected ones of the members of the threat intelligence community; and
  
  transmit the encrypted derivation data schema of the model to the at least selected ones of the members of the threat intelligence community;
  
  wherein after receipt of the model and encrypted derivation data schema, the selected ones of the members of the threat intelligence community decode the derivation data schema and apply the derivation data schema to security data according to the model to determine if the encoded attributes are found, and if the encoded attributes are derived, apply a remedial or mitigating action.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the selected ones of the members of the threat intelligence community update the derivation data schema as new attacks or threats are detected to provide an updated derivation data schema, encrypt the updated derivation data schema, and share the encrypted updated derivation data schema with other members of the threat intelligence community.
  - 10. The system of claim 8, wherein developing the analytical model comprises deriving a predictive model in a common exchange format.
  - 11. The system of claim 8, wherein encrypting the derivation data schema comprises applying an asymmetric cryptographic function to encrypt the derivation data schema.
  - 12. The system of claim 8, wherein determining and encoding attributes comprises identifying features of the security data indicative of known security threats.
  - 13. The system of claim 12, wherein the features comprise:
    - URL'"'"'s, hashes, IP addresses, hosts logged into, files accessed and/or logs sent or deleted.
  - 14. The system of claim 8, wherein the encoded attributes and/or the derivation data schema are updated based at least in part on the encoded attributes format.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecureWorks Corp. (Dell Technologies Inc.)
Original Assignee
SecureWorks Corp. (Dell Technologies Inc.)
Inventors
McLean, Lewis
Primary Examiner(s)
Moorthy, Aravind K

Application Number

US15/809,273
Publication Number

US 20190149564A1
Time in Patent Office

858 Days
Field of Search

713171, 713165, 713188, 726 23, 726 25
US Class Current
CPC Class Codes

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

Systems and methods for secure propagation of statistical models within threat intelligence communities

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

152 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for secure propagation of statistical models within threat intelligence communities

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

152 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links