SYSTEM AND METHOD FOR GENERATING AND REFINING CYBER THREAT INTELLIGENCE DATA

US 20150207809A1
Filed: 07/27/2011
Published: 07/23/2015
Est. Priority Date: 05/31/2011
Status: Active Grant

First Claim

Patent Images

1. A method of refining cyber threat intelligence data, performed by network equipment in a carrier network controlled by a carrier network operator, comprising:

sending a first version of a threat list to a first cyber threat intelligence source and to a second cyber threat intelligence source;

obtaining original first cyber threat intelligence data from the first cyber threat intelligence source, the original first cyber threat intelligence data being issued by the first cyber threat intelligence source based on the first version of the threat list, wherein the original first cyber threat intelligence data includes an original first set of instances of traffic attributes deemed by the first cyber threat intelligence source to be suspicious and an original first event log relating to communications characterized by the original first set of instances of traffic attributes deemed by the first cyber threat intelligence source to be suspicious;

obtaining original second cyber threat intelligence data from the second cyber threat intelligence source, the original second cyber threat intelligence data being issued by the second cyber threat intelligence source also based on the first version of the threat list, wherein the original second cyber threat intelligence data includes an original second set of instances of traffic attributes deemed by the second cyber threat intelligence source to be suspicious and an original second event log relating to communications characterized by the original second set of instances of traffic attributes deemed by the second cyber threat intelligence source to be suspicious;

determining (i) an original plurality of instances of traffic attributes from the original first and second sets of instances of traffic attributes and (ii) a reputation score for each instance in the original plurality of instances of traffic attributes, the reputation score for each instance in the original plurality of instances of traffic attributes being determined based on factors including at least;

the instances of traffic attributes in the original first and second sets of instances of traffic attributes;

the communications logged in the original first and second event logs;

an origin of the original first cyber threat intelligence data which originates either internal or external to the carrier network and an origin of the original second cyber threat intelligence data which originates either internal or external to the carrier network;

creating a second version of the threat list including at least the traffic attributes from the original plurality of instances of traffic attributes with a reputation score below a predetermined threshold reputation score;

sending the second version of the threat list to the first cyber threat intelligence source and to the second cyber threat intelligence source;

obtaining new first cyber threat intelligence data from the first cyber threat intelligence source, the new first cyber threat intelligence data being issued by the first cyber threat intelligence source based on the second version of the threat list, wherein the new first cyber threat intelligence data includes a new first set of instances of traffic attributes deemed by the first cyber threat intelligence source to be suspicious and a new first event log relating to communications characterized by the new set of instances of traffic attributes deemed by the first cyber threat intelligence source to be suspicious;

obtaining new second cyber threat intelligence data from the second cyber threat intelligence source, the new second cyber threat intelligence data being issued by the second cyber threat intelligence source also based on the second version of the threat list, wherein the new second cyber threat intelligence data includes a new second set of instances of traffic attributes deemed by the second cyber threat intelligence source to be suspicious and a new second event log relating to communications characterized by the new set of instances of traffic attributes deemed by the second cyber threat intelligence source to be suspicious;

determining (i) a new plurality of instances of traffic attributes from the new first and second sets of instances of traffic attributes and (ii) a reputation score for each instance in the new plurality of instances of traffic attributes, the reputation score for each instance in the new plurality of instances of traffic attributes being determined based on factors including at least;

the instances of traffic attributes in the new first and second sets of instances of traffic attributes;

the communications logged in the new first and second event logs;

an origin of the new first cyber threat intelligence data which originates either internal or external to the carrier network and an origin of the new second cyber threat intelligence data which originates either internal or external to the carrier network;

creating a third version of the threat list including at least the traffic attributes from the new plurality of instances of traffic attributes with a reputation score below a predetermined threshold reputation score.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of refining cyber threat intelligence data, comprising: sending a first version of a threat list to a first cyber threat intelligence source and to a second cyber threat intelligence source; obtaining original first cyber threat intelligence data from the first source; obtaining original second cyber threat intelligence data from the second source; creating a second version of the threat list based on at least the original first cyber threat intelligence data and the original second cyber threat intelligence data; sending the second version of the threat list to the first source and to the second source; obtaining new first cyber threat intelligence data from the first source; obtaining new second cyber threat intelligence data from the second source; and creating a third version of the threat list based on at least the new first cyber threat intelligence data and the new second cyber threat intelligence data.

157 Citations

54 Claims

1. A method of refining cyber threat intelligence data, performed by network equipment in a carrier network controlled by a carrier network operator, comprising:
- sending a first version of a threat list to a first cyber threat intelligence source and to a second cyber threat intelligence source;
  
  obtaining original first cyber threat intelligence data from the first cyber threat intelligence source, the original first cyber threat intelligence data being issued by the first cyber threat intelligence source based on the first version of the threat list, wherein the original first cyber threat intelligence data includes an original first set of instances of traffic attributes deemed by the first cyber threat intelligence source to be suspicious and an original first event log relating to communications characterized by the original first set of instances of traffic attributes deemed by the first cyber threat intelligence source to be suspicious;
  
  obtaining original second cyber threat intelligence data from the second cyber threat intelligence source, the original second cyber threat intelligence data being issued by the second cyber threat intelligence source also based on the first version of the threat list, wherein the original second cyber threat intelligence data includes an original second set of instances of traffic attributes deemed by the second cyber threat intelligence source to be suspicious and an original second event log relating to communications characterized by the original second set of instances of traffic attributes deemed by the second cyber threat intelligence source to be suspicious;
  
  determining (i) an original plurality of instances of traffic attributes from the original first and second sets of instances of traffic attributes and (ii) a reputation score for each instance in the original plurality of instances of traffic attributes, the reputation score for each instance in the original plurality of instances of traffic attributes being determined based on factors including at least;
  
  the instances of traffic attributes in the original first and second sets of instances of traffic attributes;
  
  the communications logged in the original first and second event logs;
  
  an origin of the original first cyber threat intelligence data which originates either internal or external to the carrier network and an origin of the original second cyber threat intelligence data which originates either internal or external to the carrier network;
  
  creating a second version of the threat list including at least the traffic attributes from the original plurality of instances of traffic attributes with a reputation score below a predetermined threshold reputation score;
  
  sending the second version of the threat list to the first cyber threat intelligence source and to the second cyber threat intelligence source;
  
  obtaining new first cyber threat intelligence data from the first cyber threat intelligence source, the new first cyber threat intelligence data being issued by the first cyber threat intelligence source based on the second version of the threat list, wherein the new first cyber threat intelligence data includes a new first set of instances of traffic attributes deemed by the first cyber threat intelligence source to be suspicious and a new first event log relating to communications characterized by the new set of instances of traffic attributes deemed by the first cyber threat intelligence source to be suspicious;
  
  obtaining new second cyber threat intelligence data from the second cyber threat intelligence source, the new second cyber threat intelligence data being issued by the second cyber threat intelligence source also based on the second version of the threat list, wherein the new second cyber threat intelligence data includes a new second set of instances of traffic attributes deemed by the second cyber threat intelligence source to be suspicious and a new second event log relating to communications characterized by the new set of instances of traffic attributes deemed by the second cyber threat intelligence source to be suspicious;
  
  determining (i) a new plurality of instances of traffic attributes from the new first and second sets of instances of traffic attributes and (ii) a reputation score for each instance in the new plurality of instances of traffic attributes, the reputation score for each instance in the new plurality of instances of traffic attributes being determined based on factors including at least;
  
  the instances of traffic attributes in the new first and second sets of instances of traffic attributes;
  
  the communications logged in the new first and second event logs;
  
  an origin of the new first cyber threat intelligence data which originates either internal or external to the carrier network and an origin of the new second cyber threat intelligence data which originates either internal or external to the carrier network;
  
  creating a third version of the threat list including at least the traffic attributes from the new plurality of instances of traffic attributes with a reputation score below a predetermined threshold reputation score.
- View Dependent Claims (2, 3, 4, 5, 6, 17, 18)
- - 2. The method defined in claim 1, wherein the third version of the threat list differs from the second version of the threat list.
  - 3. The method defined in claim 1, wherein each version of the threat list includes a set of instances of traffic attributes.
  - 4. The method defined in claim 3, wherein the third version of the threat list includes at least one instance of a traffic attribute that is absent from the second version of the threat list.
  - 5. The method defined in claim 3, wherein the second version of the threat list includes at least one instance of a traffic attribute that is absent from the third version of the threat list.
  - 6. The method defined in claim 5, wherein the third version of the threat list includes at least one instance of a traffic attribute that is absent from the second version of the threat list.
  - 17. The method defined in claim 1, wherein the first and second cyber threat intelligence sources comprise network elements of a communications network equipped with traffic activity monitoring capabilities.
  - 18. The method defined in claim 17, wherein the traffic activity monitoring capabilities include one or more of traffic flow monitoring, domain name server (DNS) query monitoring, message monitoring and peer-to-peer (P2P) session monitoring.

7. (canceled)

8. (canceled)

9. (canceled)

10. (canceled)

11. (canceled)

12. (canceled)

13. (canceled)

14. (canceled)

15. (canceled)

16. (canceled)

19. (canceled)

20. (canceled)

21. (canceled)

22. A method of generating a cyber threat intelligence report, performed by network equipment in a carrier network controlled by a carrier network operator, comprising:
- obtaining first cyber threat intelligence data from a first cyber threat intelligence source controlled by the carrier network operator, the first cyber threat intelligence data includes a first set of instances of traffic attributes deemed by the first cyber threat intelligence source to be suspicious and a first event log relating to communications characterized by the set of instances of traffic attributes deemed by the first cyber threat intelligence source to be suspicious;
  
  obtaining second cyber threat intelligence data from a second cyber threat intelligence source not controlled by the carrier network operator, the second cyber threat intelligence data includes a second set of instances of traffic attributes deemed by the second cyber threat intelligence source to be suspicious and a second event log relating to communications characterized by the set of instances of traffic attributes deemed by the second cyber threat intelligence source to be suspicious;
  
  determining (i) a plurality of instances of traffic attributes from the first and second sets of instances of traffic attributes and (ii) a reputation score for each instance in the plurality of instances of traffic attributes, the reputation score for each instance in the plurality of instances of traffic attributes being determined based on factors including at least;
  
  the instances of traffic attributes in the first and second sets of instances of traffic attributes;
  
  the communications logged in the first and second event logs; and
  
  the internal origin of the first cyber threat intelligence data controlled by the carrier network and the external origin of the second cyber threat intelligence data not controlled by the carrier network;
  
  generating a cyber threat intelligence report including at least the traffic attributes with a reputation score below a predetermined threshold reputation score; and
  
  delivering the cyber threat intelligence report to at least one network element in or outside of the carrier network.
- View Dependent Claims (30, 35, 38, 50, 51, 52, 53, 54)
- - 30. The method defined in claim 22, wherein the cyber threat intelligence report includes the reputation scores for the respective instances of traffic attributes included in the cyber threat intelligence report.
  - 35. The method defined in claim 30, wherein the cyber threat intelligence report further includes logged event data from the first and second event logs pertaining to the instances of traffic attributes included in the cyber threat intelligence report.
  - 38. The method defined in claim 35, wherein the network element to which the cyber threat intelligence report is delivered is a gateway to a customer network having a plurality of users, and wherein the gateway correlates the logged event data with historical data to identify among the users, those that are potentially compromised.
  - 50. The method defined in claim 22, wherein the second cyber threat intelligence source is controlled by an operator of a customer network having a plurality of users, the customer network being other than the carrier network.
  - 51. The method defined in claim 22, wherein the network element to which the cyber threat intelligence report is delivered is a network element within a customer network having a plurality of users, the customer network being other than the carrier network.
  - 52. The method defined in claim 51, wherein the carrier network provides Internet access to the customer network.
  - 53. The method defined in claim 22, wherein the factors on which is based the reputation score for each instance in the plurality of instances of traffic attributes further includes:
    - a count of how many of cyber threat intelligence sources that have revealed a particular instance of the plurality of instances of traffic attributes.
  - 54. The method defined in claim 22, wherein the factors on which is based the reputation score for each instance in the plurality of instances of traffic attributes further includes:
    - a count of how many of logged events in the first and second event logs pertaining to a particular instance of the plurality of instances of traffic attributes.

23. (canceled)

24. (canceled)

25. (canceled)

26. (canceled)

27. (canceled)

28. (canceled)

29. (canceled)

31. (canceled)

32. (canceled)

33. (canceled)

34. (canceled)

36. (canceled)

37. (canceled)

39. (canceled)

40. (canceled)

41. (canceled)

42. (canceled)

43. (canceled)

44. (canceled)

45. (canceled)

46. (canceled)

47. (canceled)

48. (canceled)

49. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
BCE Incorporated
Original Assignee
Tyson Macaulay
Inventors
MACAULAY, Tyson

Granted Patent

US 9,118,702 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2129   Authenticate client device ...

H04L 12/18   for broadcast or conference...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

SYSTEM AND METHOD FOR GENERATING AND REFINING CYBER THREAT INTELLIGENCE DATA

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

157 Citations

54 Claims

Specification

Use Cases

Quick Links

Others

SYSTEM AND METHOD FOR GENERATING AND REFINING CYBER THREAT INTELLIGENCE DATA

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

157 Citations

54 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others