Automated internet threat detection and mitigation system and associated methods

US 9,258,321 B2
Filed: 08/22/2013
Issued: 02/09/2016
Est. Priority Date: 08/23/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented system for automated internet threat detection and mitigation, the system comprising:

a centralized database;

a customer database operable with the centralized database;

a threat Intelligence subsystem for receiving intelligence data from a plurality of external intelligence sources;

an analytics subsystem communicating with the threat intelligence subsystem for tracking accuracy and relevance of the intelligence data, wherein suspicious patterns are transmitted to the centralized database for use by automatic query security tools in a customer network environment;

a data gathering subsystem for gathering public data from a plurality of website sources sufficient for providing context for the analytics subsystem;

a portal subsystem comprising at least one of an analyst portal and a customer portal, wherein;

the analyst portal allows analysts to query the customer database and incidents detected resulting from patterns from the threat intelligence segment, the analyst portal further tracks various metrics of analyst performance and provides feedback to the system; and

the customer portal operable for allowing the customer to view the analyst performance metrics as well as customize threat intelligence feeds, local security tools, and descriptions of the customer environment and customer assets, and wherein the customer portal provides information feedback for the system; and

a Honeytrap subsystem deployed within the customer network environment, wherein the Honeytrap subsystem monitors scams and cyber-attacks and analyzes suspicious activity, feeding resulting analysis data to the analytics subsystem, wherein the Honeytrap subsystem is operable for monitoring files used by adversaries on compromised computers so as to form a basis of an early alerting system, and wherein the Honeytrap subsystem is customized to particular locations, and automatically incorporating and quarantining infected computers.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A risk assessment and managed security system for network users provides security services for dealing with formidable cyber threats, malware creations and phishing techniques. Automated solutions in combination with human-driven solutions establish an always-alert positioning for incident anticipation, mitigation, discovery and response. A proactive, intelligence-driven and customized approach is taken to protect network users. Assessments of threats are made before and after a breach. Cyber threats are identified in advance of a resulting network problem, and automated analysis locates the threats and stops them from having an adverse effect. Humans can focus on the high-level view, instead of looking at every single potential problem area. Troubling patterns may be reviewed within the network environment to identify issues. Cyber analysis is conducted to provide a baseline over time via statistically proven, predictive models that anticipate vulnerabilities brought on by social-media usage, Web surfing and other behaviors that invite risk.

148 Citations

View as Search Results

16 Claims

1. A computer-implemented system for automated internet threat detection and mitigation, the system comprising:
- a centralized database;
  
  a customer database operable with the centralized database;
  
  a threat Intelligence subsystem for receiving intelligence data from a plurality of external intelligence sources;
  
  an analytics subsystem communicating with the threat intelligence subsystem for tracking accuracy and relevance of the intelligence data, wherein suspicious patterns are transmitted to the centralized database for use by automatic query security tools in a customer network environment;
  
  a data gathering subsystem for gathering public data from a plurality of website sources sufficient for providing context for the analytics subsystem;
  
  a portal subsystem comprising at least one of an analyst portal and a customer portal, wherein;
  
  the analyst portal allows analysts to query the customer database and incidents detected resulting from patterns from the threat intelligence segment, the analyst portal further tracks various metrics of analyst performance and provides feedback to the system; and
  
  the customer portal operable for allowing the customer to view the analyst performance metrics as well as customize threat intelligence feeds, local security tools, and descriptions of the customer environment and customer assets, and wherein the customer portal provides information feedback for the system; and
  
  a Honeytrap subsystem deployed within the customer network environment, wherein the Honeytrap subsystem monitors scams and cyber-attacks and analyzes suspicious activity, feeding resulting analysis data to the analytics subsystem, wherein the Honeytrap subsystem is operable for monitoring files used by adversaries on compromised computers so as to form a basis of an early alerting system, and wherein the Honeytrap subsystem is customized to particular locations, and automatically incorporating and quarantining infected computers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computer-implemented system according to claim 1, wherein the threat intelligence subsystem normalizes the intelligence data received from each of the plurality of external intelligence sources and stores resulting normalized intelligence data in the centralized database.
  - 3. The computer-implemented system according to claim 1, wherein the public data includes at least one of natural language processing and broad economic, financial, and political data for use by the analytics subsystem for understanding and predicting at least one of hacktivism, state-backed hackers, and industrial espionage.
  - 4. The computer-implemented system according to claim 1, wherein the analytics subsystem unifies the data sources received from the threat intelligence subsystem, data gathering subsystem, and the centralized database.
  - 5. The computer-implemented system according to claim 4, wherein the analytics subsystem operates with machine-learning tools for finding and exploiting patterns within the gathered information.
  - 6. The computer-implemented system according to claim 1, wherein the analyst portal directs incidents to an analyst for dealing with specific attacks and affected assets.
  - 7. The computer-implemented system according to claim 1, wherein the threat Intelligence subsystem comprises a reader processor for ingesting the intelligence data from the plurality of external intelligence sources, the reader processor processing the data received from each source for providing normalized data in a preselected standard format, the reader processor operable with threat intelligence produced by predictive or investigative routines, thus allowing patterns produced by the analytics subsystem to be used automatically.
  - 8. The computer-implemented system according to claim 7, wherein the threat intelligence subsystem comprises a gatekeeper processor operable for receiving the normalized data from the reader processor and assigning a believability factor based on past performance of each of the plurality of external intelligence sources providing information and a similarity of new patterns to data associated with past events.
  - 9. The computer-implemented system according to claim 8, wherein the gatekeeper processor is operable for recognizing a prospective pattern that will likely produce false positive information, and wherein the prospective pattern is dropped, fed directly into the incident database, or referred to the analyst for a decision.
  - 10. The computer-implemented system according to claim 8, further comprising a filter processor operable with the centralized database and the customer database for comparing the threat intelligence data associated with customer enterprise security devices.
  - 11. The computer-implemented system according to claim 10, wherein the threat intelligence system comprises an investigator processor providing fill-in data associated with suspicious events received from the filter processor, wherein detailed incidents are passed from investigator processor through the filter processor to an incident database stored within at least one of the centralized database and the customer database, and wherein identified suspicious events are passed to the investigator processor from the filter processor for researching additional details.
  - 12. The computer-implemented system according to claim 11, wherein the investigator processor is operable with the customer enterprise security devices for providing a more detailed view of at least one of an event, affected machines, user, and application, and queries external reputation databases, geo-location data, and other potential sources of information to learn more about the programs and external entities involved in an incident.
  - 13. The computer-implemented system according to claim 12, wherein the investigator processor communicates with Internet databases to perform malicious domain lookups and compare registrations across domains alerted by threat intelligence, and wherein the investigator processor communicates with the analytics subsystem for obtaining information relevant to the incident, thus providing a detailed record of each incident that can be presented to the analyst, and thus saving the analyst time, speeding research and understanding of each incident.

14. A computer-implemented method for automated internet threat detection and mitigation, the method comprising:
- providing an analytics subsystem for identifying suspicious patterns of behavior in a customer network environment;
  
  providing a reader processor operable with the analytics subsystem for gathering threat intelligence data from a plurality of threat intelligence sources, including commercial and open-source feeds as well as suspicious patterns identified by the analytic subsystem or specified by an analysts through a portal connection;
  
  normalizing the data by the reader processor and providing a common format;
  
  providing an initial believability factor based only on past performance of the relevant source of the threat intelligence data;
  
  providing a gatekeeper processor operable with the reader processor and the analytics subsystem, the gatekeeper reviewing the normalized intelligence data and comparing the data to past incidents and rules operable by the analytics subsystem for refining the believability factor and severity of each indicator, wherein if the believability factor is too low, the gatekeeper processor will either ask a human to check the data or discard the believability factor indicated as unusable and overly likely to generate false positives; and
  
  deploying a Honeytrap subsystem within the customer network environment, the Honeytrap subsystem monitoring scams and cyber-attacks and analyzing suspicious activity, feeding resulting analysis data to the analytics subsystem, wherein the Honeytrap subsystem is operable for monitoring files used by adversaries on compromised computers so as to form a basis of an early alerting system, and wherein the Honeytrap subsystem is customized to particular locations, and automatically incorporating and quarantining infected computers.
- View Dependent Claims (15, 16)
- - 15. The computer-implemented method according to claim 14, wherein a manager processor distributes the resulting normalized threat intelligence to the customer, and wherein tagged data will result in a higher believability factor or severity for specified targets and lower a believability factor and severity for non-tagged data.
  - 16. The computer-implemented method according to claim 15, wherein a filter processor acquires indicators from the manager processor and sorts the indicators by severity and believability, wherein customer security tools are queried, and a centralized watch lists automatically generated and provided to relevant security tools, and wherein queries or watch lists generate a result, and wherein the result is transmitted to an investigator processor for obtaining information relevant to the incident.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Raytheon Foreground Security Incorporated (Rtx Corporation)
Original Assignee
Raytheon Foreground Security Incorporated (Rtx Corporation)
Inventors
Amsler, David B., Allen, Nick, Messer, Sarah, Healy, Trent
Primary Examiner(s)
McNally, Michael S

Application Number

US13/973,027
Publication Number

US 20140201836A1
Time in Patent Office

901 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04L 63/20 for managing network securi...

Automated internet threat detection and mitigation system and associated methods

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

148 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Automated internet threat detection and mitigation system and associated methods

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

148 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others