Threat Indicator Analytics System
First Claim
1. A method, comprising:
identifying a compromise to a system;
performing a snapshot of the system and, based at least in part on the snapshot, identifying one or more potential indicators of compromise, wherein each of the potential indicators of compromise is associated with a system process or a presence of a file on the system;
determining that one or more potential indicators of compromise are potential threat indicators, wherein the determining is based on matching the potential indicators of compromise with stored security threat information;
for each potential indicator of compromise that is a potential threat indicator:
identifying one or more corresponding actions performed by the system;
determining a credibility of each action performed by the system;
determining a composite credibility of the potential indicator of compromise, based on the credibility of each action; and
determining that the potential indicator of compromise is an actual threat indicator, based on the composite credibility.
1 Assignment
0 Petitions
Abstract
Methods, systems, and apparatus, including computer programs encoded on computer storage media, for analyzing threat intelligence information. One of the methods includes receiving by a threat information server, threat intelligence information from one or more intelligence feeds and generating one or more identified security threats, identifying a compromise by a management process orchestration server and retrieving information from the threat information server and identifying one or more actions to be performed, determining by an indicator analytics processor, a composite credibility based on the actions, and determining one or more components for profiling and determining indicators of compromise for each component, and communicating the indicators of compromise to the management process orchestration server.
67 Citations
20 Claims
1. A method, comprising: (independent claim; full text as given under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9

10. A computer implemented method for analyzing threat intelligence information comprising:
receiving by a threat information server, threat intelligence information from one or more intelligence feeds and generating one or more identified security threats;
identifying a compromise by a management process orchestration server and retrieving information from the threat information server and identifying one or more actions to be performed;
determining by an indicator analytics processor, a composite credibility based on the actions, and determining one or more components for profiling and determining indicators of compromise for each component; and
communicating the indicators of compromise to the management process orchestration server.
Dependent claims: 11, 12, 13

14. A system comprising:
one or more computers and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising:
identifying a compromise to a system;
performing a snapshot of the system and, based at least in part on the snapshot, identifying one or more potential indicators of compromise, wherein each of the potential indicators of compromise is associated with a system process or a presence of a file on the system;
determining that one or more potential indicators of compromise are potential threat indicators, wherein the determining is based on matching the potential indicators of compromise with stored security threat information;
for each potential indicator of compromise that is a potential threat indicator:
identifying one or more corresponding actions performed by the system;
determining a credibility of each action performed by the system;
determining a composite credibility of the potential indicator of compromise, based on the credibility of each action; and
determining that the potential indicator of compromise is an actual threat indicator, based on the composite credibility.
Dependent claims: 15, 16, 17, 18, 19, 20
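The claimed pipeline (snapshot, potential indicators of compromise, matching against stored threat information, per-action credibility, composite credibility, verdict) as an added worked example in Python. This is illustrative code written for this page, not the patent holder's implementation: the process and file names, the stored threat indicators, the observed actions and the per-action credibility values are all constructed, and the noisy-OR rule used to combine action credibilities into a composite is an assumption, since the claims do not specify a combination rule.

```python
"""Worked pipeline for the claimed method (constructed example, not the patent's code):
snapshot -> potential IoCs -> match against stored threat information ->
per-action credibility -> composite credibility -> actual-threat verdict."""
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Snapshot:
    processes: List[str]  # process image names running at snapshot time
    files: List[str]      # file paths present on the system


@dataclass
class Verdict:
    indicator: str
    kind: str                          # "process" or "file"
    actions: List[Tuple[str, float]]   # (action, credibility of that action alone)
    composite: float
    actual_threat: bool


# --- constructed inputs (labels, values and names are made up for this example) ---
SNAPSHOT = Snapshot(
    processes=["explorer.exe", "upd8r.exe"],
    files=["/tmp/loader.tmp", "/usr/bin/less"],
)
# Stored security threat information: indicator names reported by intelligence feeds.
STORED_THREAT_INFO = {"upd8r.exe", "loader.tmp", "beacon.dll"}
# Actions the system was observed performing, keyed by the process or file involved.
OBSERVED_ACTIONS: Dict[str, List[str]] = {
    "upd8r.exe": ["persistence_run_key_written", "outbound_connection_unknown_host"],
    "loader.tmp": ["file_written_to_temp"],
    "explorer.exe": ["outbound_connection_unknown_host"],
}
# Credibility of each action type on its own, in [0, 1] (assumed values).
ACTION_CREDIBILITY: Dict[str, float] = {
    "persistence_run_key_written": 0.6,
    "outbound_connection_unknown_host": 0.5,
    "file_written_to_temp": 0.2,
}


def identify_potential_iocs(snapshot: Snapshot) -> List[Tuple[str, str]]:
    """Every running process and every present file is a potential IoC, as (kind, name)."""
    iocs = [("process", p) for p in snapshot.processes]
    iocs += [("file", os.path.basename(f)) for f in snapshot.files]
    return iocs


def match_threat_info(iocs: List[Tuple[str, str]], threat_info) -> List[Tuple[str, str]]:
    """Potential IoCs that match stored threat information become potential threat indicators.
    Anything not matched is never scored, however suspicious its actions look."""
    return [(kind, name) for kind, name in iocs if name in threat_info]


def composite_credibility(credibilities: List[float]) -> float:
    """Noisy-OR combination (assumed rule): probability that at least one action is a genuine
    sign of compromise, treating the actions as independent. No actions -> 0.0."""
    survive = 1.0
    for c in credibilities:
        survive *= 1.0 - c
    return 1.0 - survive


def analyze(snapshot: Snapshot, threat_info, observed: Dict[str, List[str]],
            action_credibility: Dict[str, float], threshold: float = 0.75) -> Dict[str, Verdict]:
    """Run the full pipeline; an indicator is an actual threat when its composite
    credibility reaches the threshold (threshold value is an assumption)."""
    verdicts: Dict[str, Verdict] = {}
    for kind, name in match_threat_info(identify_potential_iocs(snapshot), threat_info):
        actions = [(a, action_credibility.get(a, 0.0)) for a in observed.get(name, [])]
        composite = composite_credibility([c for _, c in actions])
        verdicts[name] = Verdict(name, kind, actions, composite, composite >= threshold)
    return verdicts


if __name__ == "__main__":
    for v in analyze(SNAPSHOT, STORED_THREAT_INFO, OBSERVED_ACTIONS, ACTION_CREDIBILITY).values():
        print(f"{v.kind:7} {v.indicator:12} composite={v.composite:.2f} actual_threat={v.actual_threat}")
```

Two gates in the claims show up in the output: explorer.exe performs a suspicious action but is not in the stored threat information, so it is never scored, and beacon.dll is in the threat information but absent from the snapshot, so it is never a potential IoC. Of the two matched indicators, upd8r.exe reaches a composite of 0.8 from two moderate actions and is flagged, while loader.tmp stays below the threshold on a single weak action.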