Cyber intelligence clearinghouse

US 9,319,420 B1
Filed: 06/08/2012
Issued: 04/19/2016
Est. Priority Date: 06/08/2011
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for providing a cyber intelligence clearinghouse executed by at least one processor, the method comprising:

determining, by the at least one processor, a source fidelity score associated with a cyber-security intelligence source, the source fidelity score being generated based on an analysis of intelligence information received from the cyber-security intelligence source including a number of security threat events that have previously been confirmed to be associated with actual cyber-attacks based on the intelligence information received from the cyber-security intelligence source, wherein the source fidelity score represents a trustworthiness of the cyber-security intelligence source with regard to intelligence provided by the cyber-security intelligence source;

determining, by the at least one processor, to block a new security threat event based on;

new intelligence information received from the cyber-security intelligence source that predicts at least how an attack of the new security threat event may be performed based on patterns identified in the intelligence information, andthe source fidelity score of the cyber-security intelligence source; and

providing, over a network, feedback data to the cyber-security intelligence source, the feedback data comprising an indication that at least a portion of the new security threat event was successfully blocked by a security application based on the new intelligence information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and computer-readable and executable instructions are provided for providing a cyber intelligence clearinghouse (CIC). Providing a CIC can include generating analysis data from intelligence information collected from a number of sources. In addition, providing a CIC can include calculating a number of fidelity scores from the analysis data, wherein the number of fidelity scores represent a trustworthiness of the number of sources. In addition, providing a CIC can include determining a number of events to block based on the number of fidelity scores. Furthermore, providing a CIC can include providing feedback data to the number of sources based on the number of fidelity scores and the number of events to block.

33 Citations

View as Search Results

20 Claims

1. A computer implemented method for providing a cyber intelligence clearinghouse executed by at least one processor, the method comprising:
- determining, by the at least one processor, a source fidelity score associated with a cyber-security intelligence source, the source fidelity score being generated based on an analysis of intelligence information received from the cyber-security intelligence source including a number of security threat events that have previously been confirmed to be associated with actual cyber-attacks based on the intelligence information received from the cyber-security intelligence source, wherein the source fidelity score represents a trustworthiness of the cyber-security intelligence source with regard to intelligence provided by the cyber-security intelligence source;
  
  determining, by the at least one processor, to block a new security threat event based on;
  
  new intelligence information received from the cyber-security intelligence source that predicts at least how an attack of the new security threat event may be performed based on patterns identified in the intelligence information, andthe source fidelity score of the cyber-security intelligence source; and
  
  providing, over a network, feedback data to the cyber-security intelligence source, the feedback data comprising an indication that at least a portion of the new security threat event was successfully blocked by a security application based on the new intelligence information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - determining, based on the source fidelity score, an event fidelity score associated with the new security threat event, wherein the event fidelity score represents a trustworthiness of the associated security threat event; and
      
      alerting, through a display, a user when the event fidelity score is within a predetermined threshold.
  - 3. The method of claim 2, wherein the new security threat event is automatically blocked if the event fidelity score is above the predetermined threshold.
  - 4. The method of claim 1, further comprising generating a timeline, via a cyber intelligence clearinghouse (CIC) engine, of received intelligence information and corresponding analysis data.
  - 5. The method of claim 4, further comprising storing, within the CIC engine, the timeline for a longer period of time than the analysis data and intelligence information.
  - 6. The method of claim 1, further comprising executing, via a CIC engine, a number of feedback loops, wherein a particular one of the number of sources is cross-analyzed against a remaining number of sources.
  - 7. The method of claim 1, further providing a number of source fidelity scores to a corresponding source and providing feedback to the corresponding source on the intelligence information collected.
  - 8. The method of claim 1, wherein the source fidelity score is generated based on the number of security threat events that have previously been confirmed to be associated with actual cyber-attacks based on the intelligence information received from the cyber-security intelligence source compared with a number of security threat events that have been reported by the cyber-security intelligence source.
  - 9. The method of claim 1, wherein the feedback information is usable by the cyber-security intelligence source to refine intelligence provided by the cyber-security intelligence source.

10. A non-transitory computer-readable medium storing a set of instructions executable by a processor to cause a computer to:
- determine a source fidelity score associated with a cyber-security intelligence source, the source fidelity score being generated based on an analysis of intelligence information received from the cyber-security intelligence source including a number of security threat events that have previously been confirmed to be associated with actual cyber-attacks based on the intelligence information received from the cyber-security intelligence source, wherein the source fidelity score represents a trustworthiness of the cyber-security intelligence source with regard to intelligence provided by the cyber-security intelligence source;
  
  determine to block a new security threat event based on;
  
  new intelligence information received from the cyber-security intelligence source that predicts at least how an attack of the new security threat event may be performed based on patterns identified in the intelligence information, andthe source fidelity score of the cyber-security intelligence source; and
  
  provide, over a network, feedback data to the cyber-security intelligence source, the feedback data comprising an indication that at least a portion of the new security threat event was successfully blocked by a security application based on the new intelligence information.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The medium of claim 10, wherein the instructions are executable to cause the computer to determine, based on the source fidelity score, an event fidelity score associated with the new security threat event, wherein the event fidelity score represents a trustworthiness of the associated security threat event.
  - 12. The medium of claim 10, wherein the instructions are executable to cause the computer to provide analysis data based upon the new intelligence information, the analysis data including identify information of an actor responsible for the new security threat event, andwherein a domain name, an email address, and a physical address within the identity information are utilized to determine an identity pattern, wherein the identity pattern can be utilized to predict future domain names of the actor.
  - 13. The medium of claim 11, wherein the event fidelity score further includes a security event data type that identifies a particular method of the security threat event.
  - 14. The medium of claim 10, wherein the feedback data includes security event data from a first source compared to security event data from a second source.
  - 15. The medium of claim 10, wherein feedback data includes a percentage of intelligence information confirmed to be malicious.

16. A system comprising a processor in communication with a non-transitory computer readable medium, wherein the non-transitory computer readable medium includes a set of instructions that when executed by the processor cause the processor to:
- determine a source fidelity score associated with a cyber-security intelligence source, the source fidelity score being generated based on an analysis of intelligence information received from the cyber-security intelligence source including a number of security threat events that have previously been confirmed to be associated with actual cyber-attacks based on the intelligence information received from the cyber-security intelligence source, wherein the source fidelity score represents a trustworthiness of the cyber-security intelligence source with regard to intelligence provided by the cyber-security intelligence source;
  
  determine to block a new security threat event based on;
  
  new intelligence information received from the cyber-security intelligence source that predicts at least how an attack of the new security threat event may be performed based on patterns identified in the intelligence information, andthe source fidelity score of the cyber-security intelligence source; and
  
  provide, over a network, feedback data to the cyber-security intelligence source, the feedback data comprising an indication that at least a portion of the new security threat event was successfully blocked by a security application based on the new intelligence information.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, wherein the alert is sub-tiered to notify a particular number of users based on the fidelity score.
  - 18. The system of claim 16, further comprising instructions executable by a processor to determine if a source is compromised.
  - 19. The system of claim 18, wherein intelligence information from the compromised source is automatically ignored.
  - 20. The system of claim 16, further comprising instructions executable by the processor to determine identity information from the analysis data and utilize the identity information to search for possible malicious domains.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
United Services Automobile Association
Original Assignee
United Services Automobile Association
Inventors
Franke, Don, Babcock, Peter
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
Savenkov, Vadim

Application Number

US13/492,396
Time in Patent Office

1,411 Days
Field of Search

726 22- 25
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 2221/2135   Metering

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

Cyber intelligence clearinghouse

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

33 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Cyber intelligence clearinghouse

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links