System and method for high speed threat intelligence management using unsupervised machine learning and prioritization algorithms
Abstract
This document discloses a system and method for consolidating threat intelligence data for a computer and its related networks. Massive volumes of raw threat intelligence data are collected from a plurality of sources and are partitioned into a common format for cluster analysis, whereby the clustering of the data is done using unsupervised machine learning algorithms. The resulting organized threat intelligence data subsequently undergoes a weighted, asset-based threat-severity-level correlation process. All the intermediary network vulnerabilities of a particular computer network are utilized as the critical consolidation parameters of this process. The final processed intelligence data gathered through this high-speed automated process is then formatted into predefined formats prior to transmission to third parties.
30 Claims
1. A method of consolidating threat intelligence data for a computer network, the method to be performed by a computer system comprising:
- collecting threat intelligence data from a plurality of sources and normalizing the collected threat intelligence data into a uniform data format;
- grouping normalized threat intelligence data into clusters using unsupervised machine learning algorithms, wherein each cluster comprises a group of data that represents an attribute of the threat intelligence data;
- categorizing clusters that are severe to the computer network;
- comparing the clusters categorized as severe with a security posture of the computer network to determine clusters that are of interest to the computer system; and
- formatting the clusters determined to be of interest to the computer system to a predefined format of the computer network; and
wherein the categorizing the clusters that are severe to the computer network comprises:
- retrieving a list of computer assets associated with the computer network;
- identifying clusters that affect a computing feature of the computer assets; and
- classifying identified clusters that affect a computing feature of the computer asset as severe to the computer network.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A system for consolidating threat intelligence data for a computer network comprising:
- a processing unit; and
- a non-transitory media readable by the processing unit, the media storing instructions that when executed by the processing unit, cause the processing unit to:
- collect threat intelligence data from a plurality of sources and normalize the collected threat intelligence data into a uniform data format;
- group normalized threat intelligence data into clusters using unsupervised machine learning algorithms, wherein each cluster comprises a group of data that represents an attribute of the threat intelligence data;
- categorize clusters that are severe to the computer network;
- compare the clusters categorized as severe with a security posture of the computer network to determine clusters that are of interest to the computer system; and
- format the clusters determined to be of interest to the computer system to a predefined format of the computer network; and
wherein the instructions to categorize the clusters that are severe to the computer network comprise instructions for directing the processing unit to:
- retrieve a list of computer assets associated with the computer network;
- identify clusters that affect a computing feature of the computer assets; and
- classify identified clusters that affect a computing feature of the computer asset as severe to the computer network.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.
21. A system for consolidating threat intelligence data for a computer network comprising:
- circuitry configured to collect threat intelligence data from a plurality of sources and normalize the collected threat intelligence data into a uniform data format;
- circuitry configured to group normalized threat intelligence data into clusters using unsupervised machine learning algorithms, wherein each cluster comprises a group of data that represents an attribute of the threat intelligence data;
- circuitry configured to categorize clusters that are severe to the computer network;
- circuitry configured to compare the clusters categorized as severe with a security posture of the computer network to determine clusters that are of interest to the computer system; and
- circuitry configured to format the clusters determined to be of interest to the computer system to a predefined format of the computer network; and
wherein the circuitry configured to categorize the clusters that are severe to the computer network comprises:
- circuitry configured to retrieve a list of computer assets associated with the computer network;
- circuitry configured to identify clusters that affect a computing feature of the computer assets; and
- circuitry configured to classify identified clusters that affect a computing feature of the computer asset as severe to the computer network.
Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29, 30.
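The three independent claims describe one pipeline: collect and normalize, cluster without labels, mark clusters severe against an asset inventory, filter against the network's security posture, and emit a predefined format. The following Python program is an added illustration of that pipeline and is not code from the patent or its assignee. The feed formats, the asset inventory, the security posture (a patched-CVE set and an existing IOC blocklist), the Jaccard single-linkage clustering and the JSON output shape are all assumptions chosen to make the steps concrete; every indicator, CVE and hostname is a constructed sample value.

```python
"""Added example (not the patent's code): a toy run of the claimed consolidation pipeline."""
import json
from itertools import combinations

# --- Step 1: collect from several sources (constructed feeds in three formats) ---
FEED_CSV = """\
203.0.113.10,ip,CVE-2021-44228,log4j,botnet
203.0.113.11,ip,CVE-2021-44228,log4j,botnet
"""
FEED_JSON = [
    {"ioc": "evil-update.example", "kind": "domain", "cve": "CVE-2023-0001",
     "software": "acmeagent", "tags": ["malware"]},
]
FEED_STIX_LIKE = [  # loosely STIX-shaped; "x_software" is an assumed custom property
    {"type": "indicator", "pattern": "[domain-name:value = 'c2.example']",
     "labels": ["botnet", "c2"], "x_cve": "CVE-2021-44228", "x_software": "log4j"},
]

def normalize() -> list[dict]:
    """Map every feed into one uniform record shape (the 'uniform data format')."""
    records = []
    for line in FEED_CSV.splitlines():
        ioc, kind, cve, software, tag = line.split(",")
        records.append({"ioc": ioc, "kind": kind, "cve": cve, "software": software,
                        "tags": {tag}, "source": "csv"})
    for item in FEED_JSON:
        records.append({"ioc": item["ioc"], "kind": item["kind"], "cve": item["cve"],
                        "software": item["software"], "tags": set(item["tags"]),
                        "source": "json"})
    for item in FEED_STIX_LIKE:
        value = item["pattern"].split("'")[1]  # value inside the quoted pattern
        records.append({"ioc": value, "kind": "domain", "cve": item["x_cve"],
                        "software": item["x_software"], "tags": set(item["labels"]),
                        "source": "stix"})
    return records

# --- Step 2: unsupervised clustering over record attributes (no labels used) ---
def features(rec: dict) -> set[str]:
    """Attribute set a record is compared on: its CVE, software and tags."""
    return {rec["cve"], rec["software"]} | rec["tags"]

def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b)

def cluster(records: list[dict], threshold: float = 0.5) -> list[list[dict]]:
    """Single-linkage grouping: records joined when Jaccard similarity >= threshold."""
    parent = list(range(len(records)))
    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    for i, j in combinations(range(len(records)), 2):
        if jaccard(features(records[i]), features(records[j])) >= threshold:
            parent[find(i)] = find(j)
    groups: dict[int, list[dict]] = {}
    for i, rec in enumerate(records):
        groups.setdefault(find(i), []).append(rec)
    return list(groups.values())

# --- Step 3: severity against the asset list (constructed inventory) ---
ASSETS = [
    {"host": "web-01", "software": {"log4j", "nginx"}},
    {"host": "db-01", "software": {"postgres"}},
]

def categorize_severe(clusters: list[list[dict]]) -> list[list[dict]]:
    """A cluster is severe when it affects a computing feature (installed software) of any asset."""
    installed = set().union(*(a["software"] for a in ASSETS))
    return [c for c in clusters if any(r["software"] in installed for r in c)]

# --- Step 4: compare with the security posture (constructed) ---
POSTURE = {"patched_cves": {"CVE-2023-0001"}, "blocked_iocs": {"203.0.113.10"}}

def of_interest(severe: list[list[dict]], posture: dict = POSTURE) -> list[list[dict]]:
    """Keep severe clusters that still carry an unpatched CVE and an IOC not yet blocked."""
    keep = []
    for c in severe:
        unpatched = any(r["cve"] not in posture["patched_cves"] for r in c)
        unblocked = any(r["ioc"] not in posture["blocked_iocs"] for r in c)
        if unpatched and unblocked:
            keep.append(c)
    return keep

# --- Step 5: format to the (assumed) predefined output shape ---
def to_predefined_format(clusters: list[list[dict]]) -> str:
    bundle = [{"cve": sorted({r["cve"] for r in c}),
               "software": sorted({r["software"] for r in c}),
               "iocs": sorted({r["ioc"] for r in c}),
               "sources": sorted({r["source"] for r in c})} for c in clusters]
    return json.dumps(bundle, indent=2)

def run() -> tuple[list, list, list, str]:
    records = normalize()
    clusters = cluster(records)
    severe = categorize_severe(clusters)
    interesting = of_interest(severe)
    return clusters, severe, interesting, to_predefined_format(interesting)

if __name__ == "__main__":
    print(run()[3])
```

On the constructed data the three log4j-related records from the CSV and STIX-like feeds end up in one cluster and the acmeagent record in another; only the log4j cluster touches an asset, and it survives the posture check because the CVE is unpatched and one of its indicators is not yet blocked. Swapping in a posture that lists CVE-2021-44228 as patched drops it, which is the filtering effect the comparison step is meant to have.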