Threat Indicator Analytics System

US 20160269434A1
Filed: 08/29/2014
Published: 09/15/2016
Est. Priority Date: 06/11/2014
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

identifying a compromise to a system;

performing a snapshot of the system and, based at least in part on the snapshot, identifying one or more potential indicators of compromise, wherein each of the potential indicators of compromise are associated with a system process or a presence of a file on the system;

determining that one or more potential indicators of compromise are potential threat indicators, wherein the determining is based on matching the potential indicators of compromise with stored security threat information;

for each potential indicator of compromise that is a potential threat indicator;

identifying one or more corresponding actions performed by the system;

determining a credibility of each action performed by the system;

determining a composite credibility of the potential indicator of compromise, based on the credibility of each action; and

determining that the potential indicator of compromise is an actual threat indicator, based on the composite credibility.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for analyzing threat intelligence information. One of the methods includes receiving by a threat information server, threat intelligence information from one or more intelligence feeds and generating one or more identified security threats, identifying a compromise by a management process orchestration server and retrieving information from the threat information server and identifying one or more actions to be performed, determining by an indicator analytics processor, a composite credibility based on the actions, and determining one or more components for profiling and determining indicators of compromise for each component, and communicating the indicators of compromise to the management process orchestration server.

67 Citations

View as Search Results

20 Claims

1. A method, comprising:
- identifying a compromise to a system;
  
  performing a snapshot of the system and, based at least in part on the snapshot, identifying one or more potential indicators of compromise, wherein each of the potential indicators of compromise are associated with a system process or a presence of a file on the system;
  
  determining that one or more potential indicators of compromise are potential threat indicators, wherein the determining is based on matching the potential indicators of compromise with stored security threat information;
  
  for each potential indicator of compromise that is a potential threat indicator;
  
  identifying one or more corresponding actions performed by the system;
  
  determining a credibility of each action performed by the system;
  
  determining a composite credibility of the potential indicator of compromise, based on the credibility of each action; and
  
  determining that the potential indicator of compromise is an actual threat indicator, based on the composite credibility.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein identifying one or more potential indicators of compromise includes analyzing the snapshot to identify one or more of currently running processes, recently ended processes, or recently modified objects.
  - 3. The method of claim 1, wherein identifying one or more actions performed by the system includes identifying actions related to one or more of process spawning, file access or modification, or registry access or modification.
  - 4. The method of claim 1, wherein determining the credibility of each action performed by the system includes determining a credibility score for each action in regard to the system process.
  - 5. The method of claim 4, wherein determining the composite credibility of the potential indicator of compromise includes determining a composite credibility score for the potential indicator of compromise by accessing a model that combines the credibility scores for the actions.
  - 6. The method of claim 5, wherein the model includes interaction terms between the actions, to a multiple degree.
  - 7. The method of claim 5, wherein the model includes a time decay function between actions.
  - 8. The method of claim 5, wherein determining that the potential indicator of compromise is an actual threat indicator includes determining that the composite credibility score for the potential indicator of compromise meets a predetermined threshold.
  - 9. The method of claim 1, further comprising prioritizing an actual security threat indicator, based at least in part on its potential effectiveness in preventing or mitigating a security threat.

10. A computer implemented method for analyzing threat intelligence information comprising:
- receiving by a threat information server, threat intelligence information from one or more intelligence feeds and generating one or more identified security threats;
  
  identifying a compromise by a management process orchestration server and retrieving information from the threat information server and identifying one or more actions to be performed;
  
  determining by an indicator analytics processor, a composite credibility based on the actions, and determining one or more components for profiling and determining indicators of compromise for each component; and
  
  communicating the indicators of compromise to the management process orchestration server.
- View Dependent Claims (11, 12, 13)
- - 11. The method of claim 10 wherein the management process orchestration server analyzes the indicators of compromise and generates a response process.
  - 12. The method of claim 11 wherein the management process orchestration server executes the response process by communicating instructions to a network switching controller, wherein the network switching controller implements a network topology change to redirect network traffic.
  - 13. The method of claim 10, wherein determining the composite credibility based on the actions includes determining a composite credibility score for the indicator of compromise by accessing a model that combines credibility scores for the actions.

14. A system comprising:
- one or more computers and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising;
  
  identifying a compromise to a system;
  
  performing a snapshot of the system and, based at least in part on the snapshot, identifying one or more potential indicators of compromise, wherein each of the potential indicators of compromise are associated with a system process or a presence of a file on the system;
  
  determining that one or more potential indicators of compromise are potential threat indicators, wherein the determining is based on matching the potential indicators of compromise with stored security threat information;
  
  for each potential indicator of compromise that is a potential threat indicator;
  
  identifying one or more corresponding actions performed by the system;
  
  determining a credibility of each action performed by the system;
  
  determining a composite credibility of the potential indicator of compromise, based on the credibility of each action; and
  
  determining that the potential indicator of compromise is an actual threat indicator, based on the composite credibility.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The system of claim 14, wherein identifying one or more potential indicators of compromise includes analyzing the snapshot to identify one or more of currently running processes, recently ended processes, or recently modified objects.
  - 16. The system of claim 14, wherein identifying one or more actions performed by the system includes identifying actions related to one or more of process spawning, file access or modification, or registry access or modification.
  - 17. The system of claim 14, wherein determining the credibility of each action performed by the system includes determining a credibility score for each action in regard to the system process.
  - 18. The system of claim 17, wherein determining the composite credibility of the potential indicator of compromise includes determining a composite credibility score for the potential indicator of compromise by accessing a model that combines the credibility scores for the actions.
  - 19. The system of claim 18, wherein the model includes at least one of interaction terms between the actions, to a multiple degree, and a time decay function between actions.
  - 20. The system of claim 18, wherein determining that the potential indicator of compromise is an actual threat indicator includes determining that the composite credibility score for the potential indicator of compromise meets a predetermined threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Services Limited (Accenture PLC)
Original Assignee
Accenture Global Services Limited (Accenture PLC)
Inventors
DiValentin, Louis William, Carver, Matthew, Lefebvre, Michael L.

Granted Patent

US 9,794,279 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

Threat Indicator Analytics System

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

67 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Threat Indicator Analytics System

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links