System and method of detecting delivery of malware using cross-customer data
First Claim
1. A computerized method for malware detection conducted by a management platform including processing circuitry and a data store, comprising:
receiving a set of indicators of compromise (IOCs) from a first source for storage in the data store, the set of IOCs identified as being caused by a known malware associated with a first message type;
receiving, for storage in the data store, one or more IOCs from a second source that is different from the first source where a cause of the one or more IOCs is unknown; and
responsive to a triggering event that includes a shift in volume of a given type of IOC at the second source that exceeds a prescribed threshold, conducting a predictive analysis by the processing circuitry of the one or more IOCs received from the second source to determine whether the received IOCs from the second source correspond to the set of IOCs received from the first source, wherein information associated with at least the set of IOCs is used to locate a malware associated with the first message type that is undetected at the second source and is the cause of the one or more IOCs at the second source.
5 Assignments
0 Petitions
Abstract
According to one embodiment, a computerized method comprises receiving a set of indicators of compromise (IOCs) associated with a known malware of a first message type from a first source and receiving one or more IOCs (IOC(s)) from a second source that is different from the first source. Thereafter, a determination is made as to whether the received IOC(s) from the second source correspond to the set of IOCs received from the first source. If so, information associated with at least the set of IOCs is used to locate a malware of the first message type that is undetected at the second source.
659 Citations
48 Claims
1. Independent claim 1 is reproduced above under First Claim. Dependent claims 2-15.

16. A system comprising:
processing circuitry; a first logic in communication with the processing circuitry, the first logic is configured to (i) receive a set of indicators of compromise (IOCs) that are detected to have been caused by a known malware associated with a first message type from a first source, (ii) receive one or more IOCs from a second source that is different from the first source where a cause of the one or more IOCs is unknown, and (iii) determine whether a triggering event has occurred that signifies at least a prescribed likelihood that the one or more IOCs from the second source are caused by an undetected malicious electronic message present at the second source; and a second logic in communication with the processing circuitry, the second logic is configured to (i) conduct a predictive analysis that evaluates whether the received IOCs from the second source correspond to the set of IOCs caused by the known malware associated with the first message type, and (ii) determine a threat level, which signifies a level of confidence that the received IOCs from the second source are caused by the undetected malicious electronic message. Dependent claims 17-25.

26. A system comprising:
processing circuitry; and a memory coupled to the processing circuitry, the memory includes (1) logic that controls receipt of (a) a set of indicators of compromise (IOCs) from a first source, the set of IOCs identified as being caused by a malicious electronic message of a first message type, and (b) one or more IOCs from a second source that is different from the first source where a cause of the one or more IOCs is unknown, (2) logic that conducts a predictive analysis to determine whether the one or more IOCs from the second source are caused by an undetected malicious electronic message, the predictive analysis includes evaluating whether the one or more IOCs from the second source correspond to the set of IOCs associated with the malicious electronic message and determining a threat level, which signifies a level of confidence that the one or more IOCs from the second source are caused by the undetected malicious electronic message, and (3) logic that selects a particular type of response based on the determined threat level. Dependent claims 27-33.

34. A computerized method for malware detection conducted by a network device including processing circuitry and a data store, comprising:
receiving a set of indicators of compromise (IOCs) from a first source, the set of IOCs identified as being caused by a known malware associated with a first message type; receiving one or more IOCs from a second source that is different from the first source where a cause of the one or more IOCs is unknown; and conducting a predictive analysis of the one or more IOCs received from the second source to determine whether the received IOCs from the second source correspond to the set of IOCs received from the first source by (i) determining a threat level associated with the one or more IOCs, the threat level signifies a degree of confidence that the one or more IOCs are caused by a malicious electronic message, and (ii) selecting a particular type of response based on the determined threat level, wherein information associated with at least the set of IOCs is used to locate a malware associated with the first message type that is undetected at the second source and is the cause of the one or more IOCs at the second source. Dependent claims 35-46.

47. A computerized method for malware detection conducted by a network device including processing circuitry and a data store, comprising:
receiving a set of indicators of compromise (IOCs) from a first source, the set of IOCs identified as being caused by a known malware associated with a first message type; receiving one or more IOCs from a second source that is different from the first source where a cause of the one or more IOCs is unknown; and conducting a predictive analysis of the one or more IOCs received from the second source to determine whether the received IOCs from the second source correspond to the set of IOCs received from the first source, wherein information including an arrival time of a malicious electronic message detected at the first source is used to locate a second malicious electronic message of the first message type that is undetected at the second source and is the cause of the one or more IOCs at the second source. Dependent claim 48.
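Taken together, the independent claims describe one pipeline: store IOCs from a first source where the cause (a detected malicious message of some type) is known, store unexplained IOCs from a second source, wait for a triggering event (a jump in the volume of one IOC type at the second source), correlate the two sets, turn the degree of correspondence into a threat level, pick a response from that level, and use the first source's message arrival time to narrow the search for the undetected message at the second source. The Python below is an added example written for this page; it is not code from the patent, its assignee, or any product. Every name, threshold, IOC value and mail-log record is constructed, and the scoring rule (fraction of the known IOC set re-observed at the second source) and the arrival-time window are one plausible reading of the claims, not the patented method itself.

```python
# Added example (constructed data; not the patent's or any vendor's code).
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class IOC:
    kind: str          # IOC type: "dns", "ip", "hash", "registry", ...
    value: str
    seen_at: datetime  # when the reporting source observed it


T0 = datetime(2024, 5, 1, 9, 0)  # constructed reference time
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost_upd"

# First source: a sandbox detonated a malicious email that arrived at T0 and
# recorded the IOCs it produced, so the cause of these IOCs is known.
FIRST_SOURCE = {
    "message_type": "email",
    "arrival_time": T0,
    "iocs": {
        ("dns", "update-cdn.example"),
        ("ip", "203.0.113.7"),
        ("hash", "sha256:9f3c1d2e0b7a4c55"),   # shortened, constructed value
        ("registry", RUN_KEY),
    },
}


def _ioc(kind, value, minutes):
    return IOC(kind, value, T0 + timedelta(minutes=minutes))


# Second source: endpoint telemetry with no detection and no known cause.
# Two DNS IOCs in the prior hour is normal background; the hour after T0 has five.
SECOND_SOURCE = [
    _ioc("dns", "telemetry.example", -50), _ioc("dns", "cdn.example", -30),
    _ioc("dns", "update-cdn.example", 5), _ioc("dns", "update-cdn.example", 12),
    _ioc("dns", "update-cdn.example", 20), _ioc("ip", "203.0.113.7", 21),
    _ioc("registry", RUN_KEY, 25), _ioc("dns", "ads.example", 40),
    _ioc("dns", "update-cdn.example", 48),
]

# Second source's mail gateway log: the messages that could be the carrier.
SECOND_SOURCE_MAIL = [
    {"id": "m-101", "type": "email", "received": T0 - timedelta(hours=3)},
    {"id": "m-102", "type": "email", "received": T0 + timedelta(minutes=2)},
    {"id": "m-103", "type": "email", "received": T0 + timedelta(minutes=30)},
]

RESPONSES = {"HIGH": "quarantine_candidates_and_alert",
             "MEDIUM": "alert_analyst", "LOW": "log_only"}


def volume_shift_triggered(iocs, kind, now, window=timedelta(hours=1), threshold=3):
    """Triggering event: IOCs of `kind` in the last window minus the window before."""
    recent = sum(1 for i in iocs if i.kind == kind and now - window < i.seen_at <= now)
    prior = sum(1 for i in iocs
                if i.kind == kind and now - 2 * window < i.seen_at <= now - window)
    return recent - prior >= threshold


def predictive_analysis(second_iocs, known):
    """Correspondence = share of the known malware's IOC set the second source also saw."""
    observed = {(i.kind, i.value) for i in second_iocs}
    matched = known["iocs"] & observed
    return matched, len(matched) / len(known["iocs"])


def threat_level(score):
    """Map the correspondence score to a confidence band (thresholds are assumptions)."""
    return "HIGH" if score >= 0.75 else "MEDIUM" if score >= 0.4 else "LOW"


def locate_candidate_messages(second_iocs, matched, known, mail_log,
                              slack=timedelta(hours=1)):
    """Use the first source's arrival time: the undetected message of the same type
    should have arrived no earlier than (arrival - slack) and before the earliest
    matching IOC appeared at the second source."""
    if not matched:
        return []
    first_hit = min(i.seen_at for i in second_iocs if (i.kind, i.value) in matched)
    lo = known["arrival_time"] - slack
    return [m["id"] for m in mail_log
            if m["type"] == known["message_type"] and lo <= m["received"] <= first_hit]


def analyze(now=T0 + timedelta(hours=1)):
    """Run the pipeline as of `now`; None means no triggering event yet."""
    if not volume_shift_triggered(SECOND_SOURCE, "dns", now):
        return None
    matched, score = predictive_analysis(SECOND_SOURCE, FIRST_SOURCE)
    level = threat_level(score)
    return {"matched": matched, "score": score, "threat_level": level,
            "response": RESPONSES[level],
            "candidate_messages": locate_candidate_messages(
                SECOND_SOURCE, matched, FIRST_SOURCE, SECOND_SOURCE_MAIL)}


if __name__ == "__main__":
    print(analyze())
```

Two design points worth noting. The trigger compares adjacent windows rather than a fixed count, so a customer whose normal DNS-IOC rate is already high does not fire constantly; a real platform would set the window and threshold per customer and per IOC type. The hash IOC is deliberately absent from the second source, because file hashes are the indicator an attacker most easily varies between victims, so the score still reaches the top band on the three infrastructure and persistence indicators that did recur.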
Specification