Cost prioritized evaluations of indicators of compromise

US 10,372,904 B2
Filed: 07/20/2016
Issued: 08/06/2019
Est. Priority Date: 03/08/2016
Status: Active Grant

First Claim

Patent Images

1. A method of threat management in a network of machines, the method comprising:

at a device having one or more processors and memory, wherein the device is a server or a client machine within the network of machines, and the device is separated from external networks by one or more firewalls;

receiving respective specifications of a plurality of indicators of compromise (IOCs), wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC;

dynamically determining, without requiring user intervention after receipt of the respective specifications of the plurality of IOCs, an order for evaluating the plurality of IOCs based on the respective costs associated with evaluating the plurality of IOCs;

determining whether a threat is present in the network of machines based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order, instead of an order by which specifications of the plurality of IOCs have been received at the device;

determining modified respective costs associated with the one or more of the plurality of IOCs;

dynamically determining a revised order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs, including the modified respective costs associated with the one or more IOCs; and

determining whether a threat is present in the network of machines based on results for evaluating one or more of the plurality of IOCs in accordance with the revised order.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for evaluating indicators of compromise (IOCs) is performed at a device having one or more processors and memory. The method includes receiving respective specifications of a plurality of IOCs, wherein the respective specifications of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC. The method further includes dynamically determining an order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs, and determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order, instead of an order by which the plurality of IOCs have been received at the device.

101 Citations

View as Search Results

36 Claims

1. A method of threat management in a network of machines, the method comprising:
- at a device having one or more processors and memory, wherein the device is a server or a client machine within the network of machines, and the device is separated from external networks by one or more firewalls;
  
  receiving respective specifications of a plurality of indicators of compromise (IOCs), wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC;
  
  dynamically determining, without requiring user intervention after receipt of the respective specifications of the plurality of IOCs, an order for evaluating the plurality of IOCs based on the respective costs associated with evaluating the plurality of IOCs;
  
  determining whether a threat is present in the network of machines based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order, instead of an order by which specifications of the plurality of IOCs have been received at the device;
  
  determining modified respective costs associated with the one or more of the plurality of IOCs;
  
  dynamically determining a revised order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs, including the modified respective costs associated with the one or more IOCs; and
  
  determining whether a threat is present in the network of machines based on results for evaluating one or more of the plurality of IOCs in accordance with the revised order.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order further includes:
    - evaluating the plurality of IOCs locally in accordance with the dynamically determined order; and
      
      determining whether a threat is present when at least one of the plurality of IOCs has been evaluated.
  - 3. The method of claim 1, wherein determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order further includes:
    - sending queries into a linear communication orbit comprising a sequence of nodes, to collect IOC evaluation results for the plurality of IOCs in accordance with the dynamically determined order; and
      
      determining whether a threat is present when evaluation results for at least one of the plurality of IOCs has been received from the nodes in the linear communication orbit.
  - 4. The method of claim 1, further comprising:
    - upon detection of a threat, automatically performing one or more remedial actions to address the detected threat.
  - 5. The method of claim 1, including:
    - receiving user input modifying the respective costs associated with one or more of the plurality of IOCs; and
      
      in response to receiving the user input, modifying the respective costs associated with the one or more of the plurality of IOCs.
  - 6. The method of claim 1, wherein dynamically determining an order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs includes:
    - ordering the plurality of IOCs based on increasing costs.
  - 7. The method of claim 1, including:
    - receiving a cost quota for evaluating the plurality of IOCs; and
      
      determining which ones of the plurality of IOCs to evaluate based on the cost quota and the dynamically determined order for evaluating the plurality of IOCs.
  - 8. The method of claim 1, including:
    - determining a respective frequency for evaluating a respective IOC of the plurality of IOCs based on the respective cost associated with the respective IOC and cost criteria received for evaluating the plurality of IOCs.
  - 9. The method of claim 1, wherein a first IOC of the plurality of IOCs includes a plurality of sub-components, and wherein the respective cost associated with evaluating the first IOC includes a sum of respective sub-costs associated with evaluating the plurality of sub-components of the first IOC.
  - 10. The method of claim 1, including:
    - maintaining an index for looking up local results for one or more indicator items, wherein a cost associated with looking up a local result for a respective indicator item from the index is lower than a cost associated with evaluating the respective indicator item in real-time at the device.
  - 11. The method of claim 10, including:
    - detecting that one or more of the plurality of IOCs include indicator items present in the index;
      
      wherein determining modified respective costs associated with the one or more of the plurality of IOCs further includes;
      
      in response to detecting that one or more of the plurality of IOCs include at least one indicator item present in the index, modifying the respective costs associated with the one or more of the plurality of IOCs in accordance with the cost for looking up the at least one indicator item in the index.

12. A system of threat management in a network of machines, wherein:
- the system is a server or a client machine within the network of machines, andthe system comprises;
  
  one or more processors; and
  
  memory storing instructions that when executed by the one or more processors cause the processors to perform operations including;
  
  receiving respective specifications of a plurality of indicators of compromise (IOCs), wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC;
  
  dynamically determining, without requiring user intervention after receipt of the respective specifications of the plurality of IOCs, an order for evaluating the plurality of IOCs based on the respective costs associated with evaluating the plurality of IOCs;
  
  determining whether a threat is present in the network of machines based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order, instead of an order by which specifications of the plurality of IOCs have been received at the device;
  
  determining modified respective costs associated with the one or more of the plurality of IOCs;
  
  dynamically determining a revised order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs, including the modified respective costs associated with the one or more IOCs; and
  
  determining whether a threat is present in the network of machines based on results for evaluating one or more of the plurality of IOCs in accordance with the revised order.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12, wherein determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order further includes:
    - evaluating the plurality of IOCs locally in accordance with the dynamically determined order; and
      
      determining whether a threat is present when at least one of the plurality of IOCs has been evaluated.
  - 14. The system of claim 12, wherein determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order further includes:
    - sending queries into a linear communication orbit comprising a sequence of nodes, to collect IOC evaluation results for the plurality of IOCs in accordance with the dynamically determined order; and
      
      determining whether a threat is present when evaluation results for at least one of the plurality of IOCs has been received from the nodes in the linear communication orbit.
  - 15. The system of claim 12, wherein the operations further include:
    - upon detection of a threat, automatically performing one or more remedial actions to address the detected threat.
  - 16. The system of claim 12, wherein the operations include:
    - receiving user input modifying the respective costs associated with one or more of the plurality of IOCs; and
      
      in response to receiving the user input, modifying the respective costs associated with the one or more of the plurality of IOCs.
  - 17. The system of claim 12, wherein dynamically determining an order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs includes ordering the plurality of IOCs based on increasing costs.
  - 18. The system of claim 12, wherein the operations include:
    - receiving a cost quota for evaluating the plurality of IOCs; and
      
      determining which ones of the plurality of IOCs to evaluate based on the cost quota and the dynamically determined order for evaluating the plurality of IOCs.
  - 19. The system of claim 12, wherein the operations include:
    - determining a respective frequency for evaluating a respective IOC of the plurality of IOCs based on the respective cost associated with the respective IOC and cost criteria received for evaluating the plurality of IOCs.
  - 20. The system of claim 12, wherein a first IOC of the plurality of IOCs includes a plurality of sub-components, and wherein the respective cost associated with evaluating the first IOC includes a sum of respective sub-costs associated with evaluating the plurality of sub-components of the first IOC.
  - 21. The system of claim 12, wherein the operations include:
    - maintaining an index for looking up local results for one or more indicator items, wherein a cost associated with looking up a local result for a respective indicator item from the index is lower than a cost associated with evaluating the respective indicator item in real-time at the device.
  - 22. The system of claim 21, wherein the operations include:
    - detecting that one or more of the plurality of IOCs include indicator items present in the index;
      
      wherein determining modified respective costs associated with the one or more of the plurality of IOCs further includes;
      
      in response to detecting that one or more of the plurality of IOCs include at least one indicator item present in the index, modifying the respective costs associated with the one or more of the plurality of IOCs in accordance with the cost for looking up the at least one indicator item in the index.

23. A non-transitory computer-readable medium storing instructions that when executed by one or more processors cause the processors to perform operations comprising:
- receiving respective specifications of a plurality of indicators of compromise (IOCs), wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC;
  
  dynamically determining, without requiring user intervention after receipt of the respective specifications of the plurality of IOCs, an order for evaluating the plurality of IOCs based on the respective costs associated with evaluating the plurality of IOCs;
  
  determining whether a threat is present in a network of machines based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order, instead of an order by which specifications of the plurality of IOCs have been received at the device;
  
  determining modified respective costs associated with the one or more of the plurality of IOCs;
  
  dynamically determining a revised order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs, including the modified respective costs associated with the one or more IOCs; and
  
  determining whether a threat is present in the network of machines based on results for evaluating one or more of the plurality of IOCs in accordance with the revised order.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. The non-transitory computer-readable medium of claim 23, wherein determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order further includes:
    - evaluating the plurality of IOCs locally in accordance with the dynamically determined order; and
      
      determining whether a threat is present when at least one of the plurality of IOCs has been evaluated.
  - 25. The non-transitory computer-readable medium of claim 23, wherein determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order further includes:
    - sending queries into a linear communication orbit comprising a sequence of nodes, to collect IOC evaluation results for the plurality of IOCs in accordance with the dynamically determined order; and
      
      determining whether a threat is present when evaluation results for at least one of the plurality of IOCs has been received from the nodes in the linear communication orbit.
  - 26. The non-transitory computer-readable medium of claim 23, wherein the operations further include:
    - upon detection of a threat, automatically performing one or more remedial actions to address the detected threat.
  - 27. The non-transitory computer-readable medium of claim 23, wherein the operations include:
    - receiving user input modifying the respective costs associated with one or more of the plurality of IOCs; and
      
      in response to receiving the user input, modifying the respective costs associated with the one or more of the plurality of IOCs.
  - 28. The non-transitory computer-readable medium of claim 23, wherein dynamically determining an order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs includes ordering the plurality of IOCs based on increasing costs.
  - 29. The non-transitory computer-readable medium of claim 23, wherein the operations include:
    - receiving a cost quota for evaluating the plurality of IOCs; and
      
      determining which ones of the plurality of IOCs to evaluate based on the cost quota and the dynamically determined order for evaluating the plurality of IOCs.
  - 30. The non-transitory computer-readable medium of claim 23, wherein the operations include:
    - determining a respective frequency for evaluating a respective IOC of the plurality of IOCs based on the respective cost associated with the respective IOC and cost criteria received for evaluating the plurality of IOCs.
  - 31. The non-transitory computer-readable medium of claim 23, wherein a first IOC of the plurality of IOCs includes a plurality of sub-components, and wherein the respective cost associated with evaluating the first IOC includes a sum of respective sub-costs associated with evaluating the plurality of sub-components of the first IOC.
  - 32. The non-transitory computer-readable medium of claim 23, wherein the operations include:
    - maintaining an index for looking up local results for one or more indicator items, wherein a cost associated with looking up a local result for a respective indicator item from the index is lower than a cost associated with evaluating the respective indicator item in real-time at the device.
  - 33. The non-transitory computer-readable medium of claim 32, wherein the operations include:
    - detecting that one or more of the plurality of IOCs include indicator items present in the index;
      
      wherein determining modified respective costs associated with the one or more of the plurality of IOCs further includes;
      
      in response to detecting that one or more of the plurality of IOCs include at least one indicator item present in the index, modifying the respective costs associated with the one or more of the plurality of IOCs in accordance with the cost for looking up the at least one indicator item in the index.

34. A method of threat management in a network of machines, the method comprising:
- at a device having one or more processors and memory, wherein the device is a server or a client machine within the network of machines, and the device is separated from external networks by one or more firewalls;
  
  receiving respective specifications of a plurality of indicators of compromise (IOCs), wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC;
  
  dynamically determining, without requiring user intervention after receipt of the respective specifications of the plurality of IOCs, an order for evaluating the plurality of IOCs based on the respective costs associated with evaluating the plurality of IOCs;
  
  sending queries into a linear communication orbit comprising a sequence of machines within the network of machines;
  
  collecting IOC evaluation results via the linear communication orbit, from a plurality of machines in the sequence of machines, for the plurality of IOCs evaluated locally at the plurality of machines in accordance with the dynamically determined order; and
  
  determining whether a threat is present in the network of machines based on the collected IOC evaluation results, evaluated locally at the plurality of machines in accordance with the dynamically determined order, instead of an order by which specifications of the plurality of IOCs have been received at the device.

35. A system of threat management in a network of machines, wherein:
- the system is a server or a client machine within the network of machines, and the system comprises;
  
  one or more processors; and
  
  memory storing instructions that when executed by the one or more processors cause the processors to perform operations including;
  
  receiving respective specifications of a plurality of indicators of compromise (IOCs), wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC;
  
  dynamically determining, without requiring user intervention after receipt of the respective specifications of the plurality of IOCs, an order for evaluating the plurality of IOCs based on the respective costs associated with evaluating the plurality of IOCs;
  
  sending queries into a linear communication orbit comprising a sequence of machines within the network of machines;
  
  collecting IOC evaluation results via the linear communication orbit, from a plurality of machines in the sequence of machines, for the plurality of IOCs evaluated locally at the plurality of machines in accordance with the dynamically determined order; and
  
  determining whether a threat is present in the network of machines based on the collected IOC evaluation results, evaluated locally at the plurality of machines in accordance with the dynamically determined order, instead of an order by which specifications of the plurality of IOCs have been received at the device.

36. A non-transitory computer-readable medium storing instructions that when executed by one or more processors cause the processors to perform operations comprising:
- receiving respective specifications of a plurality of indicators of compromise (IOCs), wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC;
  
  dynamically determining, without requiring user intervention after receipt of the respective specifications of the plurality of IOCs, an order for evaluating the plurality of IOCs based on the respective costs associated with evaluating the plurality of IOCs;
  
  sending queries into a linear communication orbit comprising a sequence of machines within the network of machines;
  
  collecting IOC evaluation results via the linear communication orbit, from a plurality of machines in the sequence of machines, for the plurality of IOCs evaluated locally at the plurality of machines in accordance with the dynamically determined order; and
  
  determining whether a threat is present in the network of machines based on the collected IOC evaluation results, evaluated locally at the plurality of machines in accordance with the dynamically determined order, instead of an order by which specifications of the plurality of IOCs have been received at the device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tanium Inc.
Original Assignee
Tanium Inc.
Inventors
Hunt, Christian L., Gissel, Thomas R., Savage, Thomas W.
Primary Examiner(s)
Mehrmanesh, Amir

Application Number

US15/215,468
Publication Number

US 20170264627A1
Time in Patent Office

1,112 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 41/0813   characterised by the condit...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/12   Discovery or management of ...

H04L 43/10   Active monitoring, e.g. hea...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 67/141   Setup of application sessio...

Cost prioritized evaluations of indicators of compromise

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

101 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Cost prioritized evaluations of indicators of compromise

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

101 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links