Security threat information analysis

US 9,762,617 B2
Filed: 05/16/2016
Issued: 09/12/2017
Est. Priority Date: 08/29/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

determining, by one or more computers in an analysis system, one or more intelligence types;

categorizing, by at least one of the computers for each dataset from multiple datasets that each include information about potential security threats, each subset of data for the respective dataset, the categorizing comprising;

identifying, by at least one of the computers for each of the subsets of data in the respective dataset, an intelligence type that each that categorizes the subset of data; and

associating, by at least one of the computers for each of the subsets of data in the respective dataset, the subset of data with the corresponding intelligence type;

determining, by at least one of the computers for each of the categorized subsets using the respective intelligence types for the categorized subsets, whether the respective subset does not comprise information about the same threat as a different subset;

determining, by at least one of the computers, that a first subset from the categorized subsets does not comprise information about the same threat as a second different subset using a first intelligence type for the first subset and a second intelligence type for the second different subset and in response to determining whether the respective subset does not comprise information about the same threat as a different subset;

determining, by at least one of the computers, that a third subset from the categorized subsets comprises information about the same threat as a fourth different subset using a third intelligence type for the third subset and the fourth different subset and in response to determining whether the respective subset does not comprise information about the same threat as a different subset;

determining, by at least one of the computers for each third party system from multiple third party systems, a group of the subsets that include particular data a third party system should receive from the analysis system, wherein each third party system in the multiple third party systems includes an intrusion detection system or an intrusion prevention system and the determining includes;

determining, for a first third party system, a first group includes the first subset; and

determining, for a second third party system, a second group that includes the third subset and does not include the fourth subset;

assigning, by at least one of the computers for each subset in each of the groups, a priority to the respective subset; and

generating, by at least one of the computers for each third party system in the multiple third party system using the group of subsets that include the particular data the third party system should receive, data that includes instructions to cause the third party system to automatically adjust rules for the included intrusion detection system or the included intrusion prevention system, wherein the generating includes;

generating, for the first third party system, data that includes instructions for the first third party system using the subsets in the first group, including the first subset; and

generating, for the second third party system, data that includes instructions for the second third party system using the subsets in the second group, including the third subset; and

sending, by at least one of the computers to each third party system in the multiple third party systems, the data that includes the instructions to cause the third party system to automatically adjust rules for the included intrusion detection system or the included intrusion preventing system, wherein the sending includes;

sending, to the first third party system, the data that includes instructions for the first third party system using the respective priorities; and

sending, to the second third party system, the data that includes instructions for the second third party system using the respective priorities.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for analyzing data that includes security threat information. One of the methods includes identifying intelligence types that each categorizes a subset of data, associating, for each of the intelligence types, each of the subsets of data, which are categorized by the respective intelligence type, with the respective intelligence type, determining rules for a third party that each indicate that the third party should receive data associated with particular types of potential security threats and priority information for the data, determining, for each of the potential security threats indicated in the rules, a group of the subsets that include information associated with the respective potential security threat, assigning, for each subset in each of the groups, a priority to the respective subset using the priority information, and providing the determined subsets to the third party using the respective priorities.

58 Citations

View as Search Results

22 Claims

1. A computer-implemented method comprising:
- determining, by one or more computers in an analysis system, one or more intelligence types;
  
  categorizing, by at least one of the computers for each dataset from multiple datasets that each include information about potential security threats, each subset of data for the respective dataset, the categorizing comprising;
  
  identifying, by at least one of the computers for each of the subsets of data in the respective dataset, an intelligence type that each that categorizes the subset of data; and
  
  associating, by at least one of the computers for each of the subsets of data in the respective dataset, the subset of data with the corresponding intelligence type;
  
  determining, by at least one of the computers for each of the categorized subsets using the respective intelligence types for the categorized subsets, whether the respective subset does not comprise information about the same threat as a different subset;
  
  determining, by at least one of the computers, that a first subset from the categorized subsets does not comprise information about the same threat as a second different subset using a first intelligence type for the first subset and a second intelligence type for the second different subset and in response to determining whether the respective subset does not comprise information about the same threat as a different subset;
  
  determining, by at least one of the computers, that a third subset from the categorized subsets comprises information about the same threat as a fourth different subset using a third intelligence type for the third subset and the fourth different subset and in response to determining whether the respective subset does not comprise information about the same threat as a different subset;
  
  determining, by at least one of the computers for each third party system from multiple third party systems, a group of the subsets that include particular data a third party system should receive from the analysis system, wherein each third party system in the multiple third party systems includes an intrusion detection system or an intrusion prevention system and the determining includes;
  
  determining, for a first third party system, a first group includes the first subset; and
  
  determining, for a second third party system, a second group that includes the third subset and does not include the fourth subset;
  
  assigning, by at least one of the computers for each subset in each of the groups, a priority to the respective subset; and
  
  generating, by at least one of the computers for each third party system in the multiple third party system using the group of subsets that include the particular data the third party system should receive, data that includes instructions to cause the third party system to automatically adjust rules for the included intrusion detection system or the included intrusion prevention system, wherein the generating includes;
  
  generating, for the first third party system, data that includes instructions for the first third party system using the subsets in the first group, including the first subset; and
  
  generating, for the second third party system, data that includes instructions for the second third party system using the subsets in the second group, including the third subset; and
  
  sending, by at least one of the computers to each third party system in the multiple third party systems, the data that includes the instructions to cause the third party system to automatically adjust rules for the included intrusion detection system or the included intrusion preventing system, wherein the sending includes;
  
  sending, to the first third party system, the data that includes instructions for the first third party system using the respective priorities; and
  
  sending, to the second third party system, the data that includes instructions for the second third party system using the respective priorities.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 21, 22)
- - 2. The method of claim 1 comprising sending, by at least one of the computers and to at least one of the third party systems from the multiple third party systems, the subsets in the respective group of the subsets for presentation according to the respective priorities.
  - 3. The method of claim 1 comprising:
    - receiving, by at least one of the computers, the datasets from one or more sources; and
      
      parsing, by at least one of the computers, each of the datasets into the subsets of data, wherein identifying the respective intelligence types that each categorize a subset of data in the respective dataset comprises identifying the respective intelligence types that each categorize one of the parsed subsets.
  - 4. The method of claim 1 comprising determining that the fourth subset comprises information with an older timestamp than the third subset, wherein determining, for the second third party system, the second group that includes the third subset and does not include the fourth subset is responsive to determining that the fourth subset comprises information with the older timestamp than the third subset.
  - 5. The method of claim 1 comprising determining that the fourth subset comprises information from a less reputable source than the third subset, wherein determining, for the second third party system, the second group that includes the third subset and does not include the fourth subset is responsive to determining that the fourth subset comprises information from a less reputable source than the third subset.
  - 6. The method of claim 5 comprising determining that content in the fourth subset varies from content in the third subset by more than a threshold amount, wherein determining that the fourth subset comprises information from the less reputable source than the third subset is responsive to determining that content in the fourth subset varies from content in the third subset by more than the threshold amount.
  - 7. The method of claim 1 comprising:
    - determining that a fifth subset from the categorized subsets comprises information about the same threat as a sixth different subset using a fourth intelligence type for the fifth subset and a fifth intelligence type for the sixth different subset and in response to determining whether the respective subset does not comprise information about the same threat as a different subset; and
      
      merging the fifth subset with the sixth subset to create a merged subset in response to determining that the fifth subset from the categorized subsets comprises information about the same threat as the sixth different subset, wherein;
      
      determining the group of the subsets that include particular data the third party system should receive from the analysis system, comprises determining, for another third party system, a third group that includes the merged subset, wherein the method comprises;
      
      sending, to the other third party system, the subsets in the third group, including the merged subset, using the respective priorities.
  - 8. The method of claim 7 comprising determining that the fifth subset varies from the sixth subset by less than a threshold amount, wherein merging the fifth subset with the sixth subset is responsive to determining that the fifth subset varies from the sixth subset by less than the threshold amount.
  - 9. The method of claim 1 comprising:
    - determining that a fifth subset from the subsets comprises information about the same threat as a sixth subset using a fourth intelligence type for the fifth subset and a fifth intelligence type for the sixth subset and in response to determining whether the respective subset does not comprise information about the same threat as a different subset;
      
      determining that the fifth subset varies from the sixth subset by more than a threshold amount; and
      
      linking the fifth subset with the sixth subset prior to determining the group of the subsets and in response to determining that the fifth subset varies from the sixth subset by more than the threshold amount.
  - 10. The method of claim 1, wherein determining the one or more intelligence types comprises determining at least one of a) an observable intelligence type, b) an indicator of compromise intelligence type, c) a vulnerability intelligence type, d) an exploit intelligence type, e) an adversary tactics, techniques, and procedures intelligence type, f) a threat actor intelligence type, g) a threat campaign intelligence type, or h) a courses of action intelligence type.
  - 11. The method of claim 1, wherein:
    - at least one of the datasets from the multiple datasets comprises a data feed; and
      
      categorizing, for each dataset from the multiple datasets that each include information about potential security threats, each subset of data in the respective dataset comprises parsing, by a parser, data from the data feed to generate the subsets of data for the data feed.
  - 21. The method of claim 1, wherein sending, by at least one of the computers to each third party system in the multiple third party systems, the data that includes the instructions to cause the third party system to automatically adjust rules for the included intrusion detection system or the included intrusion prevention system comprises sending, to the intrusion prevention system, the data that includes the instructions for the intrusion prevention system that receives the data.
  - 22. The method of claim 21, comprising:
    - sending, to an intrusion prevention system included in the second third party system, the data for the subsets in the second group that includes properties or measurable events related to the operation of computers and networks included in the second third party system to cause the intrusion prevention system to automatically determine, using the properties or measureable events, whether there is anomalous behavior in the second third party system;
      
      receiving, from the intrusion prevention system, a request for a course of action to mitigate a likelihood of the properties or measureable events occurring in the second third party system; and
      
      in response to receiving the request, determining a course of action for the properties or measureable events that includes data for rules updates, wherein generating, for the second third party system, the data that includes instructions for the second third party system using the subsets in the second group is responsive to determining the course of action for the properties or measureable events that includes data for rules updates.

12. A system comprising:
- one or more computers and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising;
  
  determining, by at least one of the computers in an analysis system, one or more intelligence types;
  
  categorizing, by at least one of the computers for each dataset from multiple datasets that each include information about potential security threats, each subset of data for the respective dataset, the categorizing comprising;
  
  identifying, by at least one of the computers for each of the subsets of data in the respective dataset, an intelligence type that categorizes the subset of data; and
  
  associating, by at least one of the computers for each of the subsets of data in the respective dataset, the subset of data with the corresponding intelligence type;
  
  determining, by at least one of the computers for each of the categorized subsets using the respective intelligence types for the categorized subsets, whether the respective subset does not comprise information about the same threat as a different subset;
  
  determining, by at least one of the computers, that a first subset from the categorized subsets does not comprise information about the same threat as a second different subset using a first intelligence type for the first subset and a second intelligent type for the second different subset and in response to determining whether the respective subset does not comprise information about the same threat as a different subset;
  
  determining, by at least one of the computers, that a third subset from the categorized subsets comprises information about the same threat as a fourth different subset using a third intelligence type for the third subset and the fourth different subset and in response to determining whether the respective subset does not comprise information about the same threat as a different subset;
  
  determining, by at least one of the computers for each third party system from multiple third party systems, a group of the subsets that include particular data a third party system should receive from the analysis system, wherein each third party system in the multiple third party systems includes an intrusion detection system or an intrusion prevention system and the determining includes;
  
  determining, for a first third party system, a first group includes the first subset; and
  
  determining, for a second third party system, a second group that includes the third subset and does not include the fourth subset;
  
  assigning, by at least one of the computers for each subset in each of the groups, a priority to the respective subset;
  
  generating, by at least one of the computers for each third party system in the multiple third party systems using the group of subsets that include the particular data the third party system should receive, data that includes instructions detection system or the included intrusion prevention system, wherein the generating includes;
  
  generating, for the first third party system, data that includes instructions for the first third party system using the subsets in the first group, including the first subset; and
  
  generating, for the second third party system, data that includes instructions for the second third party system using the subsets in the second group, including the third subset; and
  
  sending, by at least one of the computers to each third party system in the multiple third party systems, the data that includes the instructions to cause the third party system to automatically adjust rules for the included intrusion detection system or the included intrusion prevention system, wherein the sending includes;
  
  sending, to the first third party system, the data that includes instructions for the first third party system using the respective priorities; and
  
  sending, to the second third party system, the data that includes instructions for the second third party system using the respective priorities.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The system of claim 12 comprising sending, by at least one of the computers and to at least one of the third party systems from the multiple third party systems, the subsets in the respective group of the subsets for presentation according to the respective priorities.
  - 14. The system of claim 12 the operations comprising:
    - receiving, by at least one of the computers, the datasets from one or more sources; and
      
      parsing, by at least one of the computers, each of the datasets into the subsets of data, wherein identifying the respective intelligence types that each categorize a subset of data in the respective dataset comprises identifying the respective intelligence types that each categorize one of the parsed subsets.
  - 15. The system of claim 12 the operations comprising determining that the fourth subset comprises information with an older timestamp than the third subset, wherein determining, for the second third party system, the second group that includes the third subset and does not include the fourth subset is responsive to determining that the fourth subset comprises information with the older timestamp than the third subset.
  - 16. The system of claim 12 the operations comprising determining that the fourth subset comprises information from a less reputable source than the third subset, wherein determining, for the second third party system, the second group that includes the third subset and does not include the fourth subset is responsive to determining that the fourth subset comprises information from a less reputable source than the third subset.
  - 17. The system of claim 16 the operations comprising determining that content in the fourth subset varies from content in the third subset by more than a threshold amount, wherein determining that the fourth subset comprises information from the less reputable source than the third subset is responsive to determining that content in the fourth subset varies from content in the third subset by more than the threshold amount.
  - 18. The system of claim 12 the operations comprising:
    - determining that a fifth subset from the categorized subsets comprises information about the same threat as a sixth different subset using a fourth intelligence type for the fifth subset and a fifth intelligence type for the sixth different subset and in response to determining whether the respective subset does not comprise information about the same threat as a different subset; and
      
      merging the fifth subset with the sixth subset to create a merged subset in response to determining that the fifth subset from the categorized subsets comprises information about the same threat as the sixth different subset, wherein;
      
      determining the group of the subsets that include particular data the third party system should receive from the analysis system, comprises determining, for another third party system, a third group that includes the merged subset, wherein the operations comprises;
      
      sending, to the other third party system, the subsets in the third group, including the merged subset, using the respective priorities.
  - 19. The system of claim 18 the operations comprising determining that the fifth subset varies from the sixth subset by less than a threshold amount, wherein merging the fifth subset with the sixth subset is responsive to determining that the fifth subset varies from the sixth subset by less than the threshold amount.

20. A non-transitory computer storage medium encoded with instructions that, when executed by one or more computers, cause the one or more computers to perform operations comprising:
- determining, by at least one of the computers in an analysis system, one or more intelligence types;
  
  categorizing, by at least one of the computers for each dataset from multiple datasets that each include information about potential security threats, each subset of data for the respective dataset, the categorizing comprising;
  
  identifying, by at least one of the computers for each of the subsets of data in the respective dataset, an intelligence type that categorizes the subset of data; and
  
  associating, by at least one of the computers for each of the subsets of data in the respective dataset, the subset of data with the corresponding intelligence type;
  
  determining, by at least one of the computers for each of the categorized subsets using the respective intelligence types for the categorized subsets, whether the respective subset does not comprise information about the same threat as a different subset;
  
  determining, by at least one of the computers, that a first subset from the categorized subsets does not comprise information about the same threat as a second different subset using a first intelligence type for the first subset and a second intelligence type for the second different subset and in response to determining whether the respective subset does not comprise information about the same threat as a different subset;
  
  determining, by at least one of the computers, that a third subset from the categorized subsets comprises information about the same threat as a fourth different subset using a third intelligence type for the third subset and the fourth different subset and in response to determining whether the respective subset does not comprise information about the same threat as a different subset;
  
  determining, by at least one of the computers for each third party system from multiple third party systems, a group of the subsets that include particular data a third party system should receive from the analysis system, wherein each third party system in the multiple third party systems includes an intrusion detection system or an intrusion prevention system and the determining includes;
  
  determining, for a first third party system, a first group includes the first subset; and
  
  determining, for a second third party system, a second group that includes the third subset and does not include the fourth subset;
  
  assigning, by at least one of the computers for each subset in each of the groups, a priority to the respective subset;
  
  generating, by at least one of the computers for each third party system in the multiple third party systems using the group of subsets that include the particular data the third party system should receive, data that includes instructions to cause the third party system to automatically adjust rules for the included intrusion detection system or the included intrusion prevention system, wherein the generating includes;
  
  generating, for the first third party system, data that includes instructions for the first third party system using the subsets in the first group, including the first subset; and
  
  generating, for the second third party system, data that includes instructions for the second third party system using the subsets in the second group, including the third subset; and
  
  sending, by at least one of the computers to each third party system in the multiple third party systems, the data that includes the instructions to cause the third party system to automatically adjust rules for the included intrusion detection system or the included intrusion prevention system, wherein the sending includes;
  
  sending, to the first third party system, the data that includes instructions for the first third party system using the respective priorities; and
  
  sending, to the second third party system, the data that includes instructions for the second third party system using the respective priorities.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Services Limited (Accenture PLC)
Original Assignee
Accenture Global Services Limited (Accenture PLC)
Inventors
Modi, Shimon, Schall, Stephen A.
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
Ho, Thomas

Application Number

US15/155,328
Publication Number

US 20160261640A1
Time in Patent Office

484 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/285   Clustering or classification

G06F 21/577   Assessing vulnerabilities a...

G06F 40/205   Parsing

H04L 41/16   using machine learning or a...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Security threat information analysis

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

58 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Security threat information analysis

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links