Security threat information analysis
Abstract
Methods, systems, and apparatus, including computer programs encoded on computer storage media, for analyzing data that includes security threat information. One of the methods includes identifying intelligence types that each categorizes a subset of data, associating, for each of the intelligence types, each of the subsets of data, which are categorized by the respective intelligence type, with the respective intelligence type, determining rules for a third party that each indicate that the third party should receive data associated with particular types of potential security threats and priority information for the data, determining, for each of the potential security threats indicated in the rules, a group of the subsets that include information associated with the respective potential security threat, assigning, for each subset in each of the groups, a priority to the respective subset using the priority information, and providing the determined subsets to the third party using the respective priorities.
22 Claims
1. A computer-implemented method comprising:
determining, by one or more computers in an analysis system, one or more intelligence types;
categorizing, by at least one of the computers for each dataset from multiple datasets that each include information about potential security threats, each subset of data for the respective dataset, the categorizing comprising;
identifying, by at least one of the computers for each of the subsets of data in the respective dataset, an intelligence type that each that categorizes the subset of data; and
associating, by at least one of the computers for each of the subsets of data in the respective dataset, the subset of data with the corresponding intelligence type;
determining, by at least one of the computers for each of the categorized subsets using the respective intelligence types for the categorized subsets, whether the respective subset does not comprise information about the same threat as a different subset;
determining, by at least one of the computers, that a first subset from the categorized subsets does not comprise information about the same threat as a second different subset using a first intelligence type for the first subset and a second intelligence type for the second different subset and in response to determining whether the respective subset does not comprise information about the same threat as a different subset;
determining, by at least one of the computers, that a third subset from the categorized subsets comprises information about the same threat as a fourth different subset using a third intelligence type for the third subset and the fourth different subset and in response to determining whether the respective subset does not comprise information about the same threat as a different subset;
determining, by at least one of the computers for each third party system from multiple third party systems, a group of the subsets that include particular data a third party system should receive from the analysis system, wherein each third party system in the multiple third party systems includes an intrusion detection system or an intrusion prevention system and the determining includes;
determining, for a first third party system, a first group includes the first subset; and
determining, for a second third party system, a second group that includes the third subset and does not include the fourth subset;
assigning, by at least one of the computers for each subset in each of the groups, a priority to the respective subset; and
generating, by at least one of the computers for each third party system in the multiple third party system using the group of subsets that include the particular data the third party system should receive, data that includes instructions to cause the third party system to automatically adjust rules for the included intrusion detection system or the included intrusion prevention system, wherein the generating includes;
generating, for the first third party system, data that includes instructions for the first third party system using the subsets in the first group, including the first subset; and
generating, for the second third party system, data that includes instructions for the second third party system using the subsets in the second group, including the third subset; and
sending, by at least one of the computers to each third party system in the multiple third party systems, the data that includes the instructions to cause the third party system to automatically adjust rules for the included intrusion detection system or the included intrusion preventing system, wherein the sending includes;
sending, to the first third party system, the data that includes instructions for the first third party system using the respective priorities; and
sending, to the second third party system, the data that includes instructions for the second third party system using the respective priorities.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 21, 22
12. A system comprising:
one or more computers and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising;
determining, by at least one of the computers in an analysis system, one or more intelligence types;
categorizing, by at least one of the computers for each dataset from multiple datasets that each include information about potential security threats, each subset of data for the respective dataset, the categorizing comprising;
identifying, by at least one of the computers for each of the subsets of data in the respective dataset, an intelligence type that categorizes the subset of data; and
associating, by at least one of the computers for each of the subsets of data in the respective dataset, the subset of data with the corresponding intelligence type;
determining, by at least one of the computers for each of the categorized subsets using the respective intelligence types for the categorized subsets, whether the respective subset does not comprise information about the same threat as a different subset;
determining, by at least one of the computers, that a first subset from the categorized subsets does not comprise information about the same threat as a second different subset using a first intelligence type for the first subset and a second intelligent type for the second different subset and in response to determining whether the respective subset does not comprise information about the same threat as a different subset;
determining, by at least one of the computers, that a third subset from the categorized subsets comprises information about the same threat as a fourth different subset using a third intelligence type for the third subset and the fourth different subset and in response to determining whether the respective subset does not comprise information about the same threat as a different subset;
determining, by at least one of the computers for each third party system from multiple third party systems, a group of the subsets that include particular data a third party system should receive from the analysis system, wherein each third party system in the multiple third party systems includes an intrusion detection system or an intrusion prevention system and the determining includes;
determining, for a first third party system, a first group includes the first subset; and
determining, for a second third party system, a second group that includes the third subset and does not include the fourth subset;
assigning, by at least one of the computers for each subset in each of the groups, a priority to the respective subset;
generating, by at least one of the computers for each third party system in the multiple third party systems using the group of subsets that include the particular data the third party system should receive, data that includes instructions detection system or the included intrusion prevention system, wherein the generating includes;
generating, for the first third party system, data that includes instructions for the first third party system using the subsets in the first group, including the first subset; and
generating, for the second third party system, data that includes instructions for the second third party system using the subsets in the second group, including the third subset; and
sending, by at least one of the computers to each third party system in the multiple third party systems, the data that includes the instructions to cause the third party system to automatically adjust rules for the included intrusion detection system or the included intrusion prevention system, wherein the sending includes;
sending, to the first third party system, the data that includes instructions for the first third party system using the respective priorities; and
sending, to the second third party system, the data that includes instructions for the second third party system using the respective priorities.
Dependent claims: 13, 14, 15, 16, 17, 18, 19
20. A non-transitory computer storage medium encoded with instructions that, when executed by one or more computers, cause the one or more computers to perform operations comprising:
determining, by at least one of the computers in an analysis system, one or more intelligence types;
categorizing, by at least one of the computers for each dataset from multiple datasets that each include information about potential security threats, each subset of data for the respective dataset, the categorizing comprising;
identifying, by at least one of the computers for each of the subsets of data in the respective dataset, an intelligence type that categorizes the subset of data; and
associating, by at least one of the computers for each of the subsets of data in the respective dataset, the subset of data with the corresponding intelligence type;
determining, by at least one of the computers for each of the categorized subsets using the respective intelligence types for the categorized subsets, whether the respective subset does not comprise information about the same threat as a different subset;
determining, by at least one of the computers, that a first subset from the categorized subsets does not comprise information about the same threat as a second different subset using a first intelligence type for the first subset and a second intelligence type for the second different subset and in response to determining whether the respective subset does not comprise information about the same threat as a different subset;
determining, by at least one of the computers, that a third subset from the categorized subsets comprises information about the same threat as a fourth different subset using a third intelligence type for the third subset and the fourth different subset and in response to determining whether the respective subset does not comprise information about the same threat as a different subset;
determining, by at least one of the computers for each third party system from multiple third party systems, a group of the subsets that include particular data a third party system should receive from the analysis system, wherein each third party system in the multiple third party systems includes an intrusion detection system or an intrusion prevention system and the determining includes;
determining, for a first third party system, a first group includes the first subset; and
determining, for a second third party system, a second group that includes the third subset and does not include the fourth subset;
assigning, by at least one of the computers for each subset in each of the groups, a priority to the respective subset;
generating, by at least one of the computers for each third party system in the multiple third party systems using the group of subsets that include the particular data the third party system should receive, data that includes instructions to cause the third party system to automatically adjust rules for the included intrusion detection system or the included intrusion prevention system, wherein the generating includes;
generating, for the first third party system, data that includes instructions for the first third party system using the subsets in the first group, including the first subset; and
generating, for the second third party system, data that includes instructions for the second third party system using the subsets in the second group, including the third subset; and
sending, by at least one of the computers to each third party system in the multiple third party systems, the data that includes the instructions to cause the third party system to automatically adjust rules for the included intrusion detection system or the included intrusion prevention system, wherein the sending includes;
sending, to the first third party system, the data that includes instructions for the first third party system using the respective priorities; and
sending, to the second third party system, the data that includes instructions for the second third party system using the respective priorities.
Specification