SECURITY THREAT INFORMATION ANALYSIS

US 20160261640A1
Filed: 05/16/2016
Published: 09/08/2016
Est. Priority Date: 08/29/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

determining, by one or more computers in an analysis system, one or more intelligence types;

categorizing, by at least one of the computers and for each dataset from multiple datasets that each include information about potential security threats, each subset of data for the respective dataset, the categorizing comprising;

identifying, by at least one of the computers and for each of the subsets of data in the respective dataset, an intelligence type that categorizes the subset of data; and

associating, by at least one of the computers and for each of the subsets of data in the respective dataset, the subset of data with the corresponding intelligence type;

determining, by at least one of the computers and for each of the categorized subsets, whether the respective subset does not comprise information about the same threat as a different subset;

determining, by at least one of the computers, that a first subset from the categorized subsets does not comprise information about the same threat as a second different subset in response to determining whether the respective subset does not comprise information about the same threat as a different subset;

determining, by at least one of the computers, that a third subset from the categorized subsets comprises information about the same threat as a fourth different subset in response to determining whether the respective subset does not comprise information about the same threat as a different subset;

determining, by at least one of the computers, a group of the subsets that include particular data a third party system should receive from the analysis system, including;

determining, for a first third party system, a first group includes the first subset; and

determining, for a second third party system, a second group that includes the third subset and does not include the fourth subset;

assigning, by at least one of the computers and for each subset in each of the groups, a priority to the respective subset; and

sending, by at least one of the computers and to a third party system, the subsets in the group of the subsets using the respective priorities including;

sending, to the first third party system, the subsets in the first group, including the first subset, using the respective priorities; and

sending, to the second third party system, the subsets in the second group, including the third subset, using the respective priorities.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for analyzing data that includes security threat information. One of the methods includes identifying intelligence types that each categorizes a subset of data, associating, for each of the intelligence types, each of the subsets of data, which are categorized by the respective intelligence type, with the respective intelligence type, determining rules for a third party that each indicate that the third party should receive data associated with particular types of potential security threats and priority information for the data, determining, for each of the potential security threats indicated in the rules, a group of the subsets that include information associated with the respective potential security threat, assigning, for each subset in each of the groups, a priority to the respective subset using the priority information, and providing the determined subsets to the third party using the respective priorities.

Citations

20 Claims

1. A computer-implemented method comprising:
- determining, by one or more computers in an analysis system, one or more intelligence types;
  
  categorizing, by at least one of the computers and for each dataset from multiple datasets that each include information about potential security threats, each subset of data for the respective dataset, the categorizing comprising;
  
  identifying, by at least one of the computers and for each of the subsets of data in the respective dataset, an intelligence type that categorizes the subset of data; and
  
  associating, by at least one of the computers and for each of the subsets of data in the respective dataset, the subset of data with the corresponding intelligence type;
  
  determining, by at least one of the computers and for each of the categorized subsets, whether the respective subset does not comprise information about the same threat as a different subset;
  
  determining, by at least one of the computers, that a first subset from the categorized subsets does not comprise information about the same threat as a second different subset in response to determining whether the respective subset does not comprise information about the same threat as a different subset;
  
  determining, by at least one of the computers, that a third subset from the categorized subsets comprises information about the same threat as a fourth different subset in response to determining whether the respective subset does not comprise information about the same threat as a different subset;
  
  determining, by at least one of the computers, a group of the subsets that include particular data a third party system should receive from the analysis system, including;
  
  determining, for a first third party system, a first group includes the first subset; and
  
  determining, for a second third party system, a second group that includes the third subset and does not include the fourth subset;
  
  assigning, by at least one of the computers and for each subset in each of the groups, a priority to the respective subset; and
  
  sending, by at least one of the computers and to a third party system, the subsets in the group of the subsets using the respective priorities including;
  
  sending, to the first third party system, the subsets in the first group, including the first subset, using the respective priorities; and
  
  sending, to the second third party system, the subsets in the second group, including the third subset, using the respective priorities.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein sending, by at least one of the computers and to the particular third party system, the subsets in the group of the subsets using the respective priorities comprises sending the subsets in the group of the subsets for presentation according to the respective priorities.
  - 3. The method of claim 1 comprising:
    - receiving, by at least one of the computers, the datasets from one or more sources; and
      
      parsing, by at least one of the computers, each of the datasets into the subsets of data, wherein identifying the respective intelligence types that each categorize a subset of data in the respective dataset comprises identifying the respective intelligence types that each categorize one of the parsed subsets.
  - 4. The method of claim 1 comprising determining that the fourth subset comprises information with an older timestamp than the third subset, wherein determining, for the second third party system, the second group that includes the third subset and does not include the fourth subset is responsive to determining that the fourth subset comprises information with the older timestamp than the third subset.
  - 5. The method of claim 1 comprising determining that the fourth subset comprises information from a less reputable source than the third subset, wherein determining, for the second third party system, the second group that includes the third subset and does not include the fourth subset is responsive to determining that the fourth subset comprises information from a less reputable source than the third subset.
  - 6. The method of claim 5 comprising determining that content in the fourth subset varies from content in the third subset by more than a threshold amount, wherein determining that the fourth subset comprises information from the less reputable source than the third subset is responsive to determining that content in the fourth subset varies from content in the third subset by more than the threshold amount.
  - 7. The method of claim 1 comprising:
    - determining that a fifth subset from the categorized subsets comprises information about the same threat as a sixth different subset in response to determining whether the respective subset does not comprise information about the same threat as a different subset; and
      
      merging the fifth subset with the sixth subset to create a merged subset in response to determining that the fifth subset from the categorized subsets comprises information about the same threat as the sixth different subset, wherein;
      
      determining the group of the subsets that include particular data the third party system should receive from the analysis system, comprises determining, for another third party system, a third group that includes the merged subset; and
      
      sending the subsets in the group of the subsets using the respective priorities comprises sending, to the other third party system, the subsets in the third group, including the merged subset, using the respective priorities.
  - 8. The method of claim 7 comprising determining that the fifth subset varies from the sixth subset by less than a threshold amount, wherein merging the fifth subset with the sixth subset is responsive to determining that the fifth subset varies from the sixth subset by less than the threshold amount.
  - 9. The method of claim 1 comprising:
    - determining that a fifth subset from the subsets comprises information about the same threat as a sixth subset in response to determining whether the respective subset does not comprise information about the same threat as a different subset;
      
      determining that the fifth subset varies from the sixth subset by more than a threshold amount; and
      
      linking the fifth subset with the sixth subset prior to determining the group of the subsets and in response to determining that the fifth subset varies from the sixth subset by more than the threshold amount.
  - 10. The method of claim 1, wherein determining the one or more intelligence types comprises determining at least one of a) an observable intelligence type, b) an indicator of compromise intelligence type, c) a vulnerability intelligence type, d) an exploit intelligence type, e) an adversary tactics, techniques, and procedures intelligence type, f) a threat actor intelligence type, g) a threat campaign intelligence type, or h) a courses of action intelligence type.
  - 11. The method of claim 1, wherein:
    - at least one of the datasets from the multiple datasets comprises a data feed; and
      
      categorizing, for each dataset from the multiple datasets that each include information about potential security threats, each subset of data in the respective dataset comprises parsing, by a parser, data from the data feed to generate the subsets of data for the data feed.

12. A system comprising:
- one or more computers and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising;
  
  determining, by at least one of the computers in an analysis system, one or more intelligence types;
  
  categorizing, by at least one of the computers and for each dataset from multiple datasets that each include information about potential security threats, each subset of data for the respective dataset, the categorizing comprising;
  
  identifying, by at least one of the computers and for each of the subsets of data in the respective dataset, an intelligence type that categorizes the subset of data; and
  
  associating, by at least one of the computers and for each of the subsets of data in the respective dataset, the subset of data with the corresponding intelligence type;
  
  determining, by at least one of the computers and for each of the categorized subsets, whether the respective subset does not comprise information about the same threat as a different subset;
  
  determining, by at least one of the computers, that a first subset from the categorized subsets does not comprise information about the same threat as a second different subset in response to determining whether the respective subset does not comprise information about the same threat as a different subset;
  
  determining, by at least one of the computers, that a third subset from the categorized subsets comprises information about the same threat as a fourth different subset in response to determining whether the respective subset does not comprise information about the same threat as a different subset;
  
  determining, by at least one of the computers, a group of the subsets that include particular data a third party system should receive from the analysis system, including;
  
  determining, for a first third party system, a first group includes the first subset; and
  
  determining, for a second third party system, a second group that includes the third subset and does not include the fourth subset;
  
  assigning, by at least one of the computers and for each subset in each of the groups, a priority to the respective subset; and
  
  sending, by at least one of the computers and to a third party system, the subsets in the group of the subsets using the respective priorities including;
  
  sending, to the first third party system, the subsets in the first group, including the first subset, using the respective priorities; and
  
  sending, to the second third party system, the subsets in the second group, including the third subset, using the respective priorities.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The system of claim 12 wherein sending, by at least one of the computers and to the particular third party system, the subsets in the group of the subsets using the respective priorities comprises sending the subsets in the group of the subsets for presentation according to the respective priorities.
  - 14. The system of claim 12 the operations comprising:
    - receiving, by at least one of the computers, the datasets from one or more sources; and
      
      parsing, by at least one of the computers, each of the datasets into the subsets of data, wherein identifying the respective intelligence types that each categorize a subset of data in the respective dataset comprises identifying the respective intelligence types that each categorize one of the parsed subsets.
  - 15. The system of claim 12 the operations comprising determining that the fourth subset comprises information with an older timestamp than the third subset, wherein determining, for the second third party system, the second group that includes the third subset and does not include the fourth subset is responsive to determining that the fourth subset comprises information with the older timestamp than the third subset.
  - 16. The system of claim 12 the operations comprising determining that the fourth subset comprises information from a less reputable source than the third subset, wherein determining, for the second third party system, the second group that includes the third subset and does not include the fourth subset is responsive to determining that the fourth subset comprises information from a less reputable source than the third subset.
  - 17. The system of claim 16 the operations comprising determining that content in the fourth subset varies from content in the third subset by more than a threshold amount, wherein determining that the fourth subset comprises information from the less reputable source than the third subset is responsive to determining that content in the fourth subset varies from content in the third subset by more than the threshold amount.
  - 18. The system of claim 12 the operations comprising:
    - determining that a fifth subset from the categorized subsets comprises information about the same threat as a sixth different subset in response to determining whether the respective subset does not comprise information about the same threat as a different subset; and
      
      merging the fifth subset with the sixth subset to create a merged subset in response to determining that the fifth subset from the categorized subsets comprises information about the same threat as the sixth different subset, wherein;
      
      determining the group of the subsets that include particular data the third party system should receive from the analysis system, comprises determining, for another third party system, a third group that includes the merged subset; and
      
      sending the subsets in the group of the subsets using the respective priorities comprises sending, to the other third party system, the subsets in the third group, including the merged subset, using the respective priorities.
  - 19. The system of claim 18 the operations comprising determining that the fifth subset varies from the sixth subset by less than a threshold amount, wherein merging the fifth subset with the sixth subset is responsive to determining that the fifth subset varies from the sixth subset by less than the threshold amount.

20. A non-transitory computer storage medium encoded with instructions that, when executed by one or more computers, cause the one or more computers to perform operations comprising:
- determining, by at least one of the computers in an analysis system, one or more intelligence types;
  
  categorizing, by at least one of the computers and for each dataset from multiple datasets that each include information about potential security threats, each subset of data for the respective dataset, the categorizing comprising;
  
  identifying, by at least one of the computers and for each of the subsets of data in the respective dataset, an intelligence type that categorizes the subset of data; and
  
  associating, by at least one of the computers and for each of the subsets of data in the respective dataset, the subset of data with the corresponding intelligence type;
  
  determining, by at least one of the computers and for each of the categorized subsets, whether the respective subset does not comprise information about the same threat as a different subset;
  
  determining, by at least one of the computers, that a first subset from the categorized subsets does not comprise information about the same threat as a second different subset in response to determining whether the respective subset does not comprise information about the same threat as a different subset;
  
  determining, by at least one of the computers, that a third subset from the categorized subsets comprises information about the same threat as a fourth different subset in response to determining whether the respective subset does not comprise information about the same threat as a different subset;
  
  determining, by at least one of the computers, a group of the subsets that include particular data a third party system should receive from the analysis system, including;
  
  determining, for a first third party system, a first group includes the first subset; and
  
  determining, for a second third party system, a second group that includes the third subset and does not include the fourth subset;
  
  assigning, by at least one of the computers and for each subset in each of the groups, a priority to the respective subset; and
  
  sending, by at least one of the computers and to a third party system, the subsets in the group of the subsets using the respective priorities including;
  
  sending, to the first third party system, the subsets in the first group, including the first subset, using the respective priorities; and
  
  sending, to the second third party system, the subsets in the second group, including the third subset, using the respective priorities.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Services Limited (Accenture PLC)
Original Assignee
Accenture Global Services Limited (Accenture PLC)
Inventors
Modi, Shimon, Schall, Stephen A.

Granted Patent

US 9,762,617 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/285   Clustering or classification

G06F 21/577   Assessing vulnerabilities a...

G06F 40/205   Parsing

H04L 41/16   using machine learning or a...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

SECURITY THREAT INFORMATION ANALYSIS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURITY THREAT INFORMATION ANALYSIS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links