SYSTEM AND METHOD FOR GENERATING AND REFINING CYBER THREAT INTELLIGENCE DATA
First Claim
1. A method of refining cyber threat intelligence data, performed by network equipment in a carrier network controlled by a carrier network operator, comprising:
sending a first version of a threat list to a first cyber threat intelligence source and to a second cyber threat intelligence source;
obtaining original first cyber threat intelligence data from the first cyber threat intelligence source, the original first cyber threat intelligence data being issued by the first cyber threat intelligence source based on the first version of the threat list, wherein the original first cyber threat intelligence data includes an original first set of instances of traffic attributes deemed by the first cyber threat intelligence source to be suspicious and an original first event log relating to communications characterized by the original first set of instances of traffic attributes deemed by the first cyber threat intelligence source to be suspicious;
obtaining original second cyber threat intelligence data from the second cyber threat intelligence source, the original second cyber threat intelligence data being issued by the second cyber threat intelligence source also based on the first version of the threat list, wherein the original second cyber threat intelligence data includes an original second set of instances of traffic attributes deemed by the second cyber threat intelligence source to be suspicious and an original second event log relating to communications characterized by the original second set of instances of traffic attributes deemed by the second cyber threat intelligence source to be suspicious;
determining (i) an original plurality of instances of traffic attributes from the original first and second sets of instances of traffic attributes and (ii) a reputation score for each instance in the original plurality of instances of traffic attributes, the reputation score for each instance in the original plurality of instances of traffic attributes being determined based on factors including at least:
the instances of traffic attributes in the original first and second sets of instances of traffic attributes;
the communications logged in the original first and second event logs;
an origin of the original first cyber threat intelligence data which originates either internal or external to the carrier network and an origin of the original second cyber threat intelligence data which originates either internal or external to the carrier network;
creating a second version of the threat list including at least the traffic attributes from the original plurality of instances of traffic attributes with a reputation score below a predetermined threshold reputation score;
sending the second version of the threat list to the first cyber threat intelligence source and to the second cyber threat intelligence source;
obtaining new first cyber threat intelligence data from the first cyber threat intelligence source, the new first cyber threat intelligence data being issued by the first cyber threat intelligence source based on the second version of the threat list, wherein the new first cyber threat intelligence data includes a new first set of instances of traffic attributes deemed by the first cyber threat intelligence source to be suspicious and a new first event log relating to communications characterized by the new set of instances of traffic attributes deemed by the first cyber threat intelligence source to be suspicious;
obtaining new second cyber threat intelligence data from the second cyber threat intelligence source, the new second cyber threat intelligence data being issued by the second cyber threat intelligence source also based on the second version of the threat list, wherein the new second cyber threat intelligence data includes a new second set of instances of traffic attributes deemed by the second cyber threat intelligence source to be suspicious and a new second event log relating to communications characterized by the new set of instances of traffic attributes deemed by the second cyber threat intelligence source to be suspicious;
determining (i) a new plurality of instances of traffic attributes from the new first and second sets of instances of traffic attributes and (ii) a reputation score for each instance in the new plurality of instances of traffic attributes, the reputation score for each instance in the new plurality of instances of traffic attributes being determined based on factors including at least:
the instances of traffic attributes in the new first and second sets of instances of traffic attributes;
the communications logged in the new first and second event logs;
an origin of the new first cyber threat intelligence data which originates either internal or external to the carrier network and an origin of the new second cyber threat intelligence data which originates either internal or external to the carrier network;
creating a third version of the threat list including at least the traffic attributes from the new plurality of instances of traffic attributes with a reputation score below a predetermined threshold reputation score.
Abstract
A method of refining cyber threat intelligence data, comprising: sending a first version of a threat list to a first cyber threat intelligence source and to a second cyber threat intelligence source; obtaining original first cyber threat intelligence data from the first source; obtaining original second cyber threat intelligence data from the second source; creating a second version of the threat list based on at least the original first cyber threat intelligence data and the original second cyber threat intelligence data; sending the second version of the threat list to the first source and to the second source; obtaining new first cyber threat intelligence data from the first source; obtaining new second cyber threat intelligence data from the second source; and creating a third version of the threat list based on at least the new first cyber threat intelligence data and the new second cyber threat intelligence data.
157 Citations
54 Claims
1. A method of refining cyber threat intelligence data, performed by network equipment in a carrier network controlled by a carrier network operator, comprising: (independent claim; full text reproduced under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 17, 18
Claims 7 to 16 and 19 to 21: (canceled)
-
22. A method of generating a cyber threat intelligence report, performed by network equipment in a carrier network controlled by a carrier network operator, comprising:
obtaining first cyber threat intelligence data from a first cyber threat intelligence source controlled by the carrier network operator, the first cyber threat intelligence data includes a first set of instances of traffic attributes deemed by the first cyber threat intelligence source to be suspicious and a first event log relating to communications characterized by the set of instances of traffic attributes deemed by the first cyber threat intelligence source to be suspicious;
obtaining second cyber threat intelligence data from a second cyber threat intelligence source not controlled by the carrier network operator, the second cyber threat intelligence data includes a second set of instances of traffic attributes deemed by the second cyber threat intelligence source to be suspicious and a second event log relating to communications characterized by the set of instances of traffic attributes deemed by the second cyber threat intelligence source to be suspicious;
determining (i) a plurality of instances of traffic attributes from the first and second sets of instances of traffic attributes and (ii) a reputation score for each instance in the plurality of instances of traffic attributes, the reputation score for each instance in the plurality of instances of traffic attributes being determined based on factors including at least:
the instances of traffic attributes in the first and second sets of instances of traffic attributes;
the communications logged in the first and second event logs; and
the internal origin of the first cyber threat intelligence data controlled by the carrier network and the external origin of the second cyber threat intelligence data not controlled by the carrier network;
generating a cyber threat intelligence report including at least the traffic attributes with a reputation score below a predetermined threshold reputation score; and
delivering the cyber threat intelligence report to at least one network element in or outside of the carrier network.
Dependent claims: 30, 35, 38, 50, 51, 52, 53, 54
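The claims above describe a closed loop (send a threat list to several sources, collect the attributes each flags plus its event log, score each attribute on the three named factors, keep the below-threshold attributes as the next list version, repeat) and, in claim 22, a report built from one pass of the same scoring. The following Python is an added example written for this page; it is not code from the patent or its assignee. The claims do not specify a scoring formula, so the weights, the threshold of 50, the source names `carrier-ids` and `vendor-feed`, and all attribute values and event counts are assumptions constructed for the demonstration. A lower score means a worse reputation, which is why the list is built from scores below the threshold.

```python
# Added example, not code from the patent: an iterative threat-list refinement
# loop (claim 1) and report generator (claim 22). The scoring weights, the
# threshold, and the simulated sources are assumptions made for the demo.
from collections import defaultdict
from dataclasses import dataclass

INTERNAL = "internal"   # source controlled by the carrier network operator
EXTERNAL = "external"   # source outside the carrier network

@dataclass(frozen=True)
class CtiData:
    """What one source returns for one version of the threat list."""
    source: str
    origin: str            # INTERNAL or EXTERNAL
    suspicious: frozenset  # instances of traffic attributes deemed suspicious
    event_log: dict        # attribute -> number of logged communications

# Assumed scoring weights: a lower score means a worse reputation.
BASE_SCORE = 100
PER_SOURCE_PENALTY = 25      # each source that flags the attribute
PER_EVENT_PENALTY = 2        # each logged communication
MAX_EVENT_PENALTY = 40
INTERNAL_PENALTY = 20        # at least one flagging source is internal
THRESHOLD = 50               # attributes scoring below this go on the list

def reputation_scores(feeds):
    """Merge every feed's attribute set and score each attribute on the three
    claimed factors: which sets it appears in, how many communications the
    event logs record for it, and whether a flagging source is internal."""
    flagged_by = defaultdict(set)
    events = defaultdict(int)
    internal_hits = set()
    for feed in feeds:
        for attr in feed.suspicious:
            flagged_by[attr].add(feed.source)
            events[attr] += feed.event_log.get(attr, 0)
            if feed.origin == INTERNAL:
                internal_hits.add(attr)
    scores = {}
    for attr, sources in flagged_by.items():
        score = BASE_SCORE - PER_SOURCE_PENALTY * len(sources)
        score -= min(MAX_EVENT_PENALTY, PER_EVENT_PENALTY * events[attr])
        if attr in internal_hits:
            score -= INTERNAL_PENALTY
        scores[attr] = max(0, score)
    return scores

def next_threat_list(feeds, threshold=THRESHOLD):
    """Create the next version of the threat list: the attributes whose
    reputation score is below the threshold. Entries no source still
    flags are not scored at all and therefore drop off the list."""
    return frozenset(a for a, s in reputation_scores(feeds).items() if s < threshold)

def refine(threat_list, sources, rounds):
    """Send the current list to every source, collect their data, build the
    next version, and repeat. Returns every version produced."""
    versions = [threat_list]
    for _ in range(rounds):
        feeds = [query(versions[-1]) for query in sources]
        versions.append(next_threat_list(feeds))
    return versions

def threat_report(feeds, threshold=THRESHOLD):
    """Claim 22 style report: below-threshold attributes, worst first, with
    the sources that flagged each one."""
    scores = reputation_scores(feeds)
    rows = []
    for attr, score in sorted(scores.items(), key=lambda kv: (kv[1], kv[0])):
        if score < threshold:
            rows.append({"attribute": attr, "score": score,
                         "sources": sorted(f.source for f in feeds if attr in f.suspicious)})
    return rows

# Constructed simulation of two sources (not real data). Each source confirms
# the attributes on the incoming list that it has actually seen in its own
# logs and adds anything it found on its own; the event counts are made up.
def make_source(name, origin, observed, own_findings):
    def query(threat_list):
        flagged = {a for a in threat_list if a in observed} | set(own_findings)
        return CtiData(name, origin, frozenset(flagged),
                       {a: observed.get(a, 0) for a in flagged})
    return query

SOURCES = [
    make_source("carrier-ids", INTERNAL,
                {"198.51.100.7": 30, "evil.example": 4, "203.0.113.9": 1},
                {"198.51.100.7"}),
    make_source("vendor-feed", EXTERNAL,
                {"198.51.100.7": 12, "bad.example": 20, "203.0.113.9": 2},
                {"bad.example"}),
]
# First version of the threat list; "stale.example" is an entry nobody still sees.
V1 = frozenset({"203.0.113.9", "evil.example", "stale.example"})

if __name__ == "__main__":
    versions = refine(V1, SOURCES, rounds=2)
    for n, v in enumerate(versions, start=1):
        print(f"threat list v{n}: {sorted(v)}")
    for row in threat_report([q(versions[-1]) for q in SOURCES]):
        print(row)
```

Two things worth watching when running it: the stale entry disappears in the second version because neither source returns it (the loop only scores what the sources flag, so it is also a check on the list's freshness), and the attribute both sources flag with heavy event counts hits the floor of 0 in the third version once the external source starts confirming it. An operator deploying something like this would want the weights tuned against known-good traffic so that a single low-volume external report cannot push a benign attribute below the threshold.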
Claims 23 to 29, 31 to 34, 36, 37 and 39 to 49: (canceled)
Specification