Collaborative and Adaptive Threat Intelligence for Computer Security

US 20150373043A1
Filed: 06/18/2015
Published: 12/24/2015
Est. Priority Date: 06/23/2014
Status: Active Grant

First Claim

Patent Images

1. A method for collaborative and adaptive threat intelligence, comprising:

receiving data collected on a first customer network;

training one or more local models with at least the received data, wherein the one or more local models are related to security;

determining an amount of data to transmit to a centralized controller based at least on a result of the training one or more local models;

transmitting the determined amount of data to the centralized controller;

receiving, from the centralized controller, result data that is a result of one or more global models trained on the centralized controller using data collected on a plurality of customer networks including the first customer network;

adjusting the one or more local models using the received result data; and

training the one or more adjusted local models.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Collaborative and adaptive threat intelligence. Data collected on a first customer network is received. One or more local models are trained with at least the received data, where the one or more local models are related to security. An amount of data to transmit to a centralized controller is determined based at least on a result of the training one or more local models and the determined amount of data is transmitted to the centralized controller. Result data is received from the centralized controller that is a result of one or more global models trained on the centralized controller using data collected on multiple customer networks including the first customer network. The one or more local models are adjusted using the received result data and the one or more adjusted local models are trained.

277 Citations

21 Claims

1. A method for collaborative and adaptive threat intelligence, comprising:
- receiving data collected on a first customer network;
  
  training one or more local models with at least the received data, wherein the one or more local models are related to security;
  
  determining an amount of data to transmit to a centralized controller based at least on a result of the training one or more local models;
  
  transmitting the determined amount of data to the centralized controller;
  
  receiving, from the centralized controller, result data that is a result of one or more global models trained on the centralized controller using data collected on a plurality of customer networks including the first customer network;
  
  adjusting the one or more local models using the received result data; and
  
  training the one or more adjusted local models.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the result data received from the centralized controller includes one or more probability threat scores for one or more features respectively.
  - 3. The method of claim 2, wherein adjusting the one or more local models includes using the received one or more probability threat scores as input into the one or more local models.
  - 4. The method of claim 2, further comprising:
    - adjusting the one or more probability threat scores based at least on the received data collected on the first customer network; and
      
      wherein adjusting the one or more local models includes using the adjusted one or more probability threat scores as input into the one or more local models.
  - 5. The method of claim 1, wherein the result data includes information specifying a feature modification of a feature of the one or more local models, and wherein adjusting the one or more local models includes modifying the feature of the one or more local models in accordance with the specified feature modification.
  - 6. The method of claim 1, wherein prior to transmitting the determined amount of data to the centralized controller, anonymizing at least a portion of that determined amount of data.
  - 7. The method of claim 6, wherein anonymizing at least a portion of that determined amount of data includes removing or obfuscating one or more of the following attributes in the data:
    - username, IP address, home address, social security number, credit card number, email address, and name.

8. A non-transitory machine-readable storage medium that provides instructions that, if executed by a processor, will cause said processor to perform operations comprising:
- receiving data collected on a first customer network;
  
  training one or more local models with at least the received data, wherein the one or more local models are related to security;
  
  determining an amount of data to transmit to a centralized controller based at least on a result of the training one or more local models;
  
  transmitting the determined amount of data to the centralized controller;
  
  receiving, from the centralized controller, result data that is a result of one or more global models trained on the centralized controller using data collected on a plurality of customer networks including the first customer network;
  
  adjusting the one or more local models using the received result data; and
  
  training the one or more adjusted local models.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory machine-readable storage medium of claim 8, wherein the result data received from the centralized controller includes one or more probability threat scores for one or more features respectively.
  - 10. The non-transitory machine-readable storage medium of claim 9, wherein adjusting the one or more local models includes using the received one or more probability threat scores as input into the one or more local models.
  - 11. The non-transitory machine-readable storage medium of claim 9, wherein the non-transitory machine-readable storage medium further provides instructions that, if executed by the processor, will cause said processor to perform the following operations:
    - adjusting the one or more probability threat scores based at least on the received data collected on the first customer network; and
      
      wherein adjusting the one or more local models includes using the adjusted one or more probability threat scores as input into the one or more local models.
  - 12. The non-transitory machine-readable storage medium of claim 8, wherein the result data includes information specifying a feature modification of a feature of the one or more local models, and wherein adjusting the one or more local models includes modifying the feature of the one or more local models in accordance with the specified feature modification.
  - 13. The non-transitory machine-readable storage medium of claim 8, wherein prior to transmitting the determined amount of data to the centralized controller, anonymizing at least a portion of that determined amount of data.
  - 14. The non-transitory machine-readable storage medium of claim 13, wherein anonymizing at least a portion of that determined amount of data includes removing or obfuscating one or more of the following attributes in the data:
    - username, IP address, home address, social security number, credit card number, email address, and name.

15. An apparatus for collaborative and adaptive threat intelligence, comprising:
- a processor; and
  
  a non-transitory machine-readable storage medium containing instructions executable by said processor whereby said apparatus is operative to;
  
  receive data collected on a first customer network;
  
  train one or more local models with at least the received data, wherein the one or more local models are related to security;
  
  determine an amount of data to transmit to a centralized controller based at least on a result of the training one or more local models;
  
  transmit the determined amount of data to the centralized controller;
  
  receive, from the centralized controller, result data that is a result of one or more global models trained on the centralized controller using data collected on a plurality of customer networks including the first customer network;
  
  adjust the one or more local models using the received result data; and
  
  train the one or more adjusted local models.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The apparatus of claim 15, wherein the result data received from the centralized controller includes one or more probability threat scores for one or more features respectively.
  - 17. The apparatus of claim 16, wherein adjustment of the one or more local models includes use of the one or more probability threat scores to be received as input into the one or more local models.
  - 18. The apparatus of claim 16, wherein the non-transitory machine-readable storage medium further contains instructions executable by said processor whereby said apparatus is further operative to:
    - adjust the one or more probability threat scores based at least on the received data collected on the first customer network; and
      
      wherein adjusting the one or more local models includes using the adjusted one or more probability threat scores as input into the one or more local models.
  - 19. The apparatus of claim 15, wherein the result data includes information specifying a feature modification of a feature of the one or more local models, and wherein adjusting the one or more local models includes modifying the feature of the one or more local models in accordance with the specified feature modification.
  - 20. The apparatus of claim 15, wherein prior to transmission of the determined amount of data to the centralized controller, the apparatus is further operative to anonymize at least a portion of that determined amount of data.
  - 21. The apparatus of claim 15, wherein anonymization of at least a portion of that determined amount of data includes removal or obfuscation of one or more of the following attributes in the data:
    - username, IP address, home address, social security number, credit card number, email address, and name.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Niara, Inc. (Hewlett-Packard Enterprise Company)
Inventors
Wang, Jisheng, Palkar, Prasad, Shen, Min-yi, Ramachandran, Sriram

Granted Patent

US 10,469,514 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/6254   by anonymising data, e.g. d...

G06N 20/00   Machine learning

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

Collaborative and Adaptive Threat Intelligence for Computer Security

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

277 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Collaborative and Adaptive Threat Intelligence for Computer Security

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

277 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links