System and method of detecting delivery of malware based on indicators of compromise from different sources
First Claim
Patent Images
1. An electronic device, comprising:
- a communication interface;
a processor coupled to the communication interface; and
a memory coupled to the processor, the memory includesa first logic that, when executed by the processor, organizes (i) a set of indicators of compromise (IOCs) received from a first source via the communication interface, where the set of IOCs have been caused by a known malware associated with a first message type, and (ii) one or more IOCs received from a second source via the communication interface, the second source being different from the first source where a cause of the one or more IOCs is unknown, anda second logic that, when executed by the processor, (i) conducts a predictive analysis that evaluates whether the one or more IOCs have a prescribed degree of correlation with the set of IOCs caused by the known malware associated with the first message type, and (ii) determine a threat level, which signifies a degree of confidence that the one or more IOCs received from the second source are caused by the known malware.
7 Assignments
0 Petitions
Accused Products
Abstract
According to one embodiment, a computerized method comprises receiving a set of indicators of compromise (IOCs) associated with a known malware of a first message type from a first source and receiving one or more IOCs (IOC(s)) from a second source that is different from the first source. Thereafter, a determination is made as to whether the received IOC(s) from the second source correspond to the set of IOCs received from the first source. If so, information associated with at least the set of IOCs is used to locate a malware of the first message type that is undetected at the second source.
-
Citations
35 Claims
-
1. An electronic device, comprising:
-
a communication interface; a processor coupled to the communication interface; and a memory coupled to the processor, the memory includes a first logic that, when executed by the processor, organizes (i) a set of indicators of compromise (IOCs) received from a first source via the communication interface, where the set of IOCs have been caused by a known malware associated with a first message type, and (ii) one or more IOCs received from a second source via the communication interface, the second source being different from the first source where a cause of the one or more IOCs is unknown, and a second logic that, when executed by the processor, (i) conducts a predictive analysis that evaluates whether the one or more IOCs have a prescribed degree of correlation with the set of IOCs caused by the known malware associated with the first message type, and (ii) determine a threat level, which signifies a degree of confidence that the one or more IOCs received from the second source are caused by the known malware. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
-
-
16. A computerized method for malware detection conducted by a network device including processing circuitry and a data store, comprising:
-
receiving a plurality of indicators of compromise (IOCs) from a first source, the plurality of IOCs identified as being caused by a known malware associated with a first message type; receiving one or more IOCs from a second source that is different from the first source; and conducting a predictive analysis of the one or more IOCs received from the second source to determine whether the one or more IOCs from the second source correspond to the plurality of IOCs received from the first source, the predictive analysis includes (i) determining a threat level associated with the one or more IOCs, the threat level signifies a degree of confidence that the one or more IOCs are caused by a malicious electronic message, and (ii) selecting a particular type of response based on the determined threat level, wherein information associated with at least the plurality of IOCs is used to determine a presence of malware associated with the first message type at the second source that is currently undetected and is the cause of the one or more IOCs at the second source. - View Dependent Claims (17, 18, 19)
-
-
20. An electronic device, comprising:
-
one or more hardware processors; and a memory coupled to the one or more hardware processors, the memory includes a first logic that, when executed by the one or more hardware processors, organizes (i) a set of indicators of compromise (IOCs) received from a first source, where the set of IOCs have been caused by a known malware associated with a first message type, and (ii) one or more IOCs received from a second source, the second source being different from the first source where a cause of the one or more IOCs is unknown, and a second logic that, when executed by the one or more hardware processors, (i) conducts an analysis that evaluates whether the one or more IOCs have a prescribed degree of correlation with the set of IOCs caused by the known malware associated with the first message type, and (ii) determine a threat level, which signifies a degree of confidence that the one or more IOCs received from the second source are caused by the known malware.
-
-
21. A non-transitory storage medium implemented with software for execution by one or more hardware processors, the non-transitory storage medium comprising:
-
a first logic that, stored in the non-transitory storage medium and upon execution by the one or more hardware processors, organizes (i) a set of indicators of compromise (IOCs) received from a first source, where the set of IOCs have been caused by a known malware associated with a first message type, and (ii) one or more IOCs received from a second source, the second source being different from the first source where a cause of the one or more IOCs is unknown, and a second logic that, stored in the non-transitory storage medium and upon execution by the one or more hardware processors, (i) conducts an analysis that evaluates whether the one or more IOCs have a prescribed degree of correlation with the set of IOCs caused by the known malware associated with the first message type, and (ii) determine a threat level, which signifies a degree of confidence that the one or more IOCs received from the second source are caused by the known malware. - View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
-
Specification