PROTECTING THREAT INDICATORS FROM THIRD PARTY ABUSE

US 20170149802A1
Filed: 11/19/2015
Published: 05/25/2017
Est. Priority Date: 11/19/2015
Status: Active Grant

First Claim

Patent Images

1. A method for detecting threats based on obfuscated threat indicators, the method comprising:

receiving a protected threat indicator associated with an identified cyber-threat, the protected threat indicator configured to protect raw information related to the threat indicator from malicious actors;

identifying one or more client-side events occurring within a third-party system, each client-side event identified by an entity identifier indicating an entity to which the event is attributed;

determining that the third-party system experienced a cyber-threat when the protected threat indicator matches at least one entity identifier.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A threat analytics system expends significant resources to acquire, structure, and filter the threat indicators provided to the client-side monitoring systems. To protect the threat indicators from misuse, the threat analytics system only provides enough information about the threat indicators to the client-side systems to allow the client-side systems to detect past and ongoing threats. Specifically, the threat analytics system provides obfuscated threat indicators to the client-side monitoring systems. The obfuscated threat indicators enable the client-side systems to detect threats while protecting the threat indicators from misuse or malicious actors.

35 Citations

View as Search Results

20 Claims

1. A method for detecting threats based on obfuscated threat indicators, the method comprising:
- receiving a protected threat indicator associated with an identified cyber-threat, the protected threat indicator configured to protect raw information related to the threat indicator from malicious actors;
  
  identifying one or more client-side events occurring within a third-party system, each client-side event identified by an entity identifier indicating an entity to which the event is attributed;
  
  determining that the third-party system experienced a cyber-threat when the protected threat indicator matches at least one entity identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the protected threat indicator comprises an obfuscated threat indicator, and further comprising obfuscating the entity identifier using an obfuscation mechanism applied to the obfuscated threat indicator.
  - 3. The method of claim 2, further comprising reporting the cyber-threat to the third-party system when the obfuscated threat indicator matches at least one obfuscated entity identifier.
  - 4. The method of claim 2, further comprising generating descriptive information associated with the obfuscated threat indicator when the obfuscated threat indicator matches at least one obfuscated entity identifier.
  - 5. The method of claim 4, further comprising reporting the descriptive information to the third-party system when the obfuscated threat indicator matches at least one obfuscated entity identifier.
  - 6. The method of claim 4, wherein generating the descriptive information comprises de-obfuscating the obfuscated threat indicator using a decryption key.
  - 7. The method of claim 6, wherein the decryption key is a derivative of the client-side event that matched with the obfuscated threat indicator.
  - 8. The method of claim 2, wherein the obfuscation mechanism applied to the obfuscated threat indicator is a hashing algorithm.
  - 9. The method of claim 2, wherein the obfuscation mechanism applied to the obfuscated threat indicator is an encryption algorithm.
  - 10. The method of claim 2, further comprising:
    - purging the obfuscated threat indicator when the threat indicator expires, andsubsequently receiving a second obfuscated threat indicator associated with the identified cyber-threat, the second obfuscated threat indicator being different from the obfuscated threat indicator.

11. A computer program product for detecting threats based on obfuscated threat indicators, the computer program product comprising a computer-readable storage medium containing computer program code for:
- receiving an obfuscated threat indicator associated with an identified cyber-threat, the obfuscated threat indicator configured to protect raw information related to the threat indicator from malicious actors;
  
  identifying one or more client-side events occurring within a third-party system, each client-side event identified by an entity identifier indicating an entity to which the event is attributed;
  
  obfuscating the entity identifier using an obfuscation mechanism applied to the obfuscated threat indicator; and
  
  determining that the third-party system experienced a cyber-threat when the obfuscated threat indicator matches at least one obfuscated entity identifier.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The computer program product of claim 11, further comprising reporting the cyber-threat to the third-party system when the obfuscated threat indicator matches at least one obfuscated entity identifier.
  - 13. The computer program product of claim 11, further comprising generating descriptive information associated with the obfuscated threat indicator when the obfuscated threat indicator matches at least one obfuscated entity identifier.
  - 14. The computer program product of claim 13, further comprising reporting the descriptive information to the third-party system when the obfuscated threat indicator matches at least one obfuscated entity identifier.
  - 15. The computer program product of claim 13, wherein generating the descriptive information comprises de-obfuscating the obfuscated threat indicator using a decryption key.
  - 16. The computer program product of claim 15, wherein the decryption key is a derivative of the client-side event that matched with the obfuscated threat indicator.
  - 17. The computer program product of claim 11, further comprising:
    - purging the obfuscated threat indicator when the threat indicator expires, andsubsequently receiving a second obfuscated threat indicator associated with the identified cyber-threat, the second obfuscated threat indicator being different from the obfuscated threat indicator.

18. A method for transmitting threat information to client modules, the method comprising:
- generating protected threat indicators associated with an identified cyber-threats, each protected threat indicator configured to protect raw information related to the threat indicator from malicious actors;
  
  transmitting the protected threat indicators to a client module for threat detection;
  
  determining that additional threat indicators are available for transmission to the client module;
  
  determining whether a threat detection report associated with the protected threat indicators was received from the client module; and
  
  transmitting the additional threat indicators to the client module only when the threat detection report was received from the client module.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, further comprising process the threat detection report to evaluate a relevance between the protected threat indicators and a client system associated with the client module.
  - 20. The method of claim 18, wherein transmitting the additional threat indicators comprises obfuscating the additional threat indicators prior to transmission and transmitting the obfuscated additional threat indicators to the client module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Anomali, Inc.
Original Assignee
Threat Stream, Inc.
Inventors
Huang, Wei, Njemanze, Hugh, Zhou, Yizheng

Granted Patent

US 10,367,829 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2115   Third party

H04L 63/0435   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

PROTECTING THREAT INDICATORS FROM THIRD PARTY ABUSE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

PROTECTING THREAT INDICATORS FROM THIRD PARTY ABUSE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links