COMPUTERIZED SYSTEM AND METHOD FOR SECURELY DISTRIBUTING AND EXCHANGING CYBER-THREAT INFORMATION IN A STANDARDIZED FORMAT

US 20160366174A1
Filed: 04/14/2016
Published: 12/15/2016
Est. Priority Date: 04/17/2015
Status: Active Grant

First Claim

Patent Images

1. A computerized system for automatically exchanging threat information, comprising:

a central server comprising at least one multi-core processor,wherein the central server hosts a central repository containing a plurality of centralized threat information, the central repository comprising a MongoDB database, andthe central server has SSL certification;

a plurality of distributed servers,wherein each of the distributed servers hosts a local repository containing a plurality of localized threat information; and

wherein the central server is configured to synchronize the plurality of centralized threat information with the plurality of localized threat information contained in each of the plurality of distributed servers by exchanging, using SSL encryption, at least a portion of the plurality of centralized threat information for at least a portion of the plurality of localized threat information.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computerized systems and methods for sharing identified cyber-threat information in a standardized and secure format. The sharing of cyber-threat information assists in preventing malicious actors from replicating successful cyber-attacks by informing potential targets of the methods employed by the malicious actors, and the defensive measures that those targets should to implement to prevent those methods from succeeding. By distributing cyber-threat information in a standardized format, the systems and methods enable participating entities to automatically analyze and implement defensive measures for cyber-threat information shared by any other participating entities. The systems and methods also permit an entity to control which threat information it shares and which other entities it shares it with in a secure manner in order to preserve that entity'"'"'s security and reputation.

Citations

24 Claims

1. A computerized system for automatically exchanging threat information, comprising:
- a central server comprising at least one multi-core processor,wherein the central server hosts a central repository containing a plurality of centralized threat information, the central repository comprising a MongoDB database, andthe central server has SSL certification;
  
  a plurality of distributed servers,wherein each of the distributed servers hosts a local repository containing a plurality of localized threat information; and
  
  wherein the central server is configured to synchronize the plurality of centralized threat information with the plurality of localized threat information contained in each of the plurality of distributed servers by exchanging, using SSL encryption, at least a portion of the plurality of centralized threat information for at least a portion of the plurality of localized threat information.
- View Dependent Claims (2, 3)
- - 2. The computerized system of claim 1, wherein at least a first distributed server of the plurality of distributed servers is configured to synchronize the plurality of localized threat information contained in the first distributed server with the plurality of localized threat information contained in at least one other distributed server by exchanging, using SSL encryption, at least a portion of the plurality of localized threat information from the first distributed server'"'"'s local repository for at least a portion of the plurality of localized threat information from the at least one other distributed server'"'"'s local repository.
  - 3. The computerized system of claim 1, further comprising a network connecting the central server and the plurality of distributed servers;
    - wherein the network is configured to transmit a plurality of localized threat information between the central server and the plurality of distributed servers in accordance with the TAXII specification.

4. A computerized method for securely exchanging threat information, comprising, at a first distributed server:
- creating a first item of threat information in a machine-readable language;
  
  converting the first item of threat information from the machine-readable language into the STIX language;
  
  at a TAXII interface at the first distributed server, securely transmitting the converted first item of threat information to a centralized server using SSL encryption;
  
  at the TAXII interface at the first distributed server, receiving a second item of encrypted threat information, wherein the second item is in the STIX language and has been encrypted using SSL encryption;
  
  validating an XML schema of the second item of encrypted threat information;
  
  analyzing the second item of encrypted threat information;
  
  translating the second item from the STIX language into the machine-readable language; and
  
  inserting the translated second item into a local repository, wherein the local repository is a MongoDB database.

5. A computerized method for distributing threat information, comprising:
- creating, at a first repository for storing and distributing threat information, a first item describing an observed event or property in a common language;
  
  distributing the first item to at least one other repository for storing and distributing threat information.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 6. The computerized method of claim 5, wherein creating the first item comprises converting an existing item that describes, in a customized language of the first repository, the observed event or property, into the first item describing the observed event or property in the common language.
  - 7. The computerized method of claim 5, further comprising:
    - converting the first item, at the at least one other repository for storing and distributing threat information, into a second item describing the observed event or property in a customized language of the at least one other repository.
  - 8. The computerized method of claim 5, wherein the common language is the STIX language, and the first item is distributed in accordance with the TAXII specification.
  - 9. The computerized method of claim 8, wherein the first item contains descriptions of one or more of:
    - (a) an observed event or property;
      
      (b) a pattern of relevant observed activity;
      
      (c) a set of related system or network activity associated with the observed event or property;
      
      (d) an entity responsible for causing the observed event or property;
      
      (e) a representation of the behavior or modus operandi of the entity responsible for the observed event or property;
      
      (f) a vulnerability, weakness, or configuration issue of a potential victim of the observed event or property;
      
      (g) a particular action that can be taken to prevent, mitigate, or remediate the effects of the observed event or property; and
      
      (h) related activities executed by the entity responsible for the observed event or property.
  - 10. The computerized method of claim 5, wherein distributing the first item comprises transmitting the first item to a plurality of other repositories, and the first repository and the plurality of other repositories are members of an access control group.
  - 11. The computerized method of claim 5, further comprising manually analyzing or automatically analyzing the first item at the at least one other repository.
  - 12. The computerized method of claim 11, wherein automatically analyzing the first item comprises automatically determining whether to implement a response to the observed event or property.
  - 13. The computerized method of claim 12, further comprising automatically implementing a response to the observed event or property.
  - 14. The computerized method of claim 5, further comprising analyzing, at the first repository for storing and distributing the threat information, a plurality of items describing a plurality of observed events or properties.
  - 15. The computerized method of claim 14, further comprising determining, from the analysis of the plurality of items describing the plurality of observed events or properties, at least one piece of information selected from the group comprising:
    - (a) a representation of the behavior or modus operandi of an entity responsible for at least one of the plurality of observed events or properties;
      
      (b) a vulnerability, weakness, or configuration issue of a victim of at least one of the plurality of observed events or properties;
      
      (c) a particular action that could be taken to prevent, mitigate, or remediate the effects of at least one of the plurality of observed events or properties;
      
      (d) the entity responsible for at least one of the plurality of observed events or properties; and
      
      (e) a prediction of at least one future observed event or property.
  - 16. The computerized method of claim 15, further comprising adding the at least one piece of information to at least one of the plurality of items.
  - 17. The computerized method of claim 5, further comprising assigning a quality metric to the first item describing the observed event or property.
  - 18. The computerized method of claim 17, wherein the quality metric is automatically assigned or manually assigned to the first item, and the quality metric is based on at least one confidence metric previously assigned to the first item.
  - 19. The computerized method of claim 18, wherein the at least one confidence metric was automatically assigned or manually assigned to the first item, and the confidence metric is based on at least one of:
    - (a) an identity of an entity responsible for creating the first item describing the observed event or property;
      
      (b) a type of the observed event or property;
      
      (c) a set of related system or network activity associated with the observed event or property; and
      
      (d) an entity responsible for causing the observed event or property.

20. A computerized system for storing and distributing threat information, comprising:
- a central repository for storing and distributing threat information;
  
  a plurality of local repositories for storing and distributing threat information; and
  
  a network connecting the central repository with the plurality of local repositories,wherein the network is configured to transmit one or more items of threat information from at least one of the plurality of local repositories to the central repository, and configured to transmit one or more items of threat information from the central repository to at least one of the plurality of local repositories.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The computerized system of claim 20, wherein the central repository for storing and distributing threat information is connected to at least one of:
    - (a) a private feed configured to transmit threat information to the central repository;
      
      (b) a public feed configured to transmit threat information to the central repository; and
      
      (c) a government feed configured to transmit threat information to the central repository.
  - 22. The computerized system of claim 20, wherein at least one of the plurality of local repositories for storing and distributing threat information is connected to at least one of:
    - (a) a private feed configured to transmit threat information to the central repository;
      
      (b) a public feed configured to transmit threat information to the central repository; and
      
      (c) a government feed configured to transmit threat information to the central repository.
  - 23. The computerized system of claim 20, wherein a first one of the plurality of local repositories is configured to transmit at least one item of threat information over the network via the central repository to at least a second one of the plurality of local repositories.
  - 24. The computerized system of claim 20, wherein a first one of the plurality of local repositories is configured to transmit at least one item of threat information over the network directly to at least a second one of the plurality of local repositories.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Celerium Inc.
Original Assignee
NC4 Soltra, LLC (Everbridge Incorporated)
Inventors
Chernin, Michael Aharon, Clancy, Mark, Eiken, David, Guerrino, Eric, Nelson, William

Granted Patent

US 10,686,828 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/22   Indexing; Data structures t...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/04   for providing a confidentia...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/166   at the transport layer

H04L 67/1097   for distributed storage of ...

COMPUTERIZED SYSTEM AND METHOD FOR SECURELY DISTRIBUTING AND EXCHANGING CYBER-THREAT INFORMATION IN A STANDARDIZED FORMAT

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

COMPUTERIZED SYSTEM AND METHOD FOR SECURELY DISTRIBUTING AND EXCHANGING CYBER-THREAT INFORMATION IN A STANDARDIZED FORMAT

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links