Cost Prioritized Evaluations of Indicators of Compromise

US 20170264627A1
Filed: 07/20/2016
Published: 09/14/2017
Est. Priority Date: 03/08/2016
Status: Active Grant

First Claim

Patent Images

1. A method of threat management, the method comprising:

at a device having one or more processors and memory;

receiving respective specifications of a plurality of indicators of compromise (IOCs), wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC;

dynamically determining an order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs; and

determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order, instead of an order by which the plurality of IOCs have been received at the device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for evaluating indicators of compromise (IOCs) is performed at a device having one or more processors and memory. The method includes receiving respective specifications of a plurality of IOCs, wherein the respective specifications of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC. The method further includes dynamically determining an order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs, and determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order, instead of an order by which the plurality of IOCs have been received at the device.

22 Citations

20 Claims

1. A method of threat management, the method comprising:
- at a device having one or more processors and memory;
  
  receiving respective specifications of a plurality of indicators of compromise (IOCs), wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC;
  
  dynamically determining an order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs; and
  
  determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order, instead of an order by which the plurality of IOCs have been received at the device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order further includes:
    - evaluating the plurality of IOCs locally in accordance with the dynamically determined order; and
      
      determining whether a threat is present when at least one of the plurality of IOCs has been evaluated.
  - 3. The method of claim 1, wherein determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order further includes:
    - sending queries into a linear communication orbit comprising a sequence of nodes, to collect IOC evaluation results for the plurality of IOCs in accordance with the dynamically determined order; and
      
      determining whether a threat is present when evaluation results for at least one of the plurality of IOCs has been received from the nodes in the linear communication orbit.
  - 4. The method of claim 1, further comprising:
    - upon detection of a threat, automatically performing one or more remedial actions to address the detected threat.
  - 5. The method of claim 1, including:
    - receiving user input modifying the respective costs associated with one or more of the plurality of IOCs; and
      
      in response to receiving the user input;
      
      modifying the respective costs associated with the one or more of the plurality of IOCs; and
      
      dynamically determining a revised order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs, including the modified respective costs associated with the one or more IOCs.
  - 6. The method of claim 1, wherein dynamically determining an order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs includes:
    - ordering the plurality of IOCs based on increasing costs.
  - 7. The method of claim 1, including:
    - receiving a cost quota for evaluating the plurality of IOCs; and
      
      determining which ones of the plurality of IOCs to evaluate based on the cost quota and the dynamically determined order for evaluating the plurality of IOCs.
  - 8. The method of claim 1, including:
    - determining a respective frequency for evaluating a respective IOC of the plurality of IOCs based on the respective cost associated with the respective IOC and cost criteria received for evaluating the plurality of IOCs.
  - 9. The method of claim 1, wherein a first IOC of the plurality of IOCs includes a plurality of sub-components, and wherein the respective cost associated with evaluating the first IOC includes a sum of respective sub-costs associated with evaluating the plurality of sub-components of the first IOC.
  - 10. The method of claim 1, including:
    - maintaining an index for looking up local results for one or more indicator items, wherein a cost associated with looking up a local result for a respective indicator item from the index is lower than a cost associated with evaluating the respective indicator item in real-time at the device.
  - 11. The method of claim 10, including:
    - detecting that one or more of the plurality of IOCs include indicator items present in the index; and
      
      in response to detecting that one or more of the plurality of IOCs include at least one indicator item present in the index;
      
      modifying the respective costs associated with the one or more of the plurality of IOCs in accordance with the cost for looking up the at least one indicator item in the index; and
      
      dynamically determining a revised order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs, including the modified respective costs associated with the one or more IOCs.

12. A system, comprising:
- one or more processors; and
  
  memory storing instructions that when executed by the one or more processors cause the processors to perform operations including;
  
  receiving respective specifications of a plurality of indicators of compromise (IOCs), wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC;
  
  dynamically determining an order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs; and
  
  determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order, instead of an order by which the plurality of IOCs have been received at the device.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The system of claim 12, wherein determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order further includes:
    - evaluating the plurality of IOCs locally in accordance with the dynamically determined order; and
      
      determining whether a threat is present when at least one of the plurality of IOCs has been evaluated.
  - 14. The system of claim 12, wherein determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order further includes:
    - sending queries into a linear communication orbit comprising a sequence of nodes, to collect IOC evaluation results for the plurality of IOCs in accordance with the dynamically determined order; and
      
      determining whether a threat is present when evaluation results for at least one of the plurality of IOCs has been received from the nodes in the linear communication orbit.
  - 15. The system of claim 12, wherein the operations further include:
    - upon detection of a threat, automatically performing one or more remedial actions to address the detected threat.
  - 16. The system of claim 12, wherein the operations further include:
    - receiving user input modifying the respective costs associated with one or more of the plurality of IOCs; and
      
      in response to receiving the user input;
      
      modifying the respective costs associated with the one or more of the plurality of IOCs; and
      
      dynamically determining a revised order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs, including the modified respective costs associated with the one or more IOCs.
  - 17. The system of claim 12, wherein dynamically determining an order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs includes ordering the plurality of IOCs based on increasing costs.
  - 18. The system of claim 12, wherein the operations further include:
    - receiving a cost quota for evaluating the plurality of IOCs; and
      
      determining which ones of the plurality of IOCs to evaluate based on the cost quota and the dynamically determined order for evaluating the plurality of IOCs.
  - 19. The system of claim 12, wherein the operations further include:
    - determining a respective frequency for evaluating a respective IOC of the plurality of IOCs based on the respective cost associated with the respective IOC and cost criteria received for evaluating the plurality of IOCs.

20. A non-transitory computer-readable medium storing instructions that when executed by one or more processors cause the processors to perform operations comprising:
- receiving respective specifications of a plurality of indicators of compromise (IOCs), wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC;
  
  dynamically determining an order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs; and
  
  determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order, instead of an order by which the plurality of IOCs have been received at the device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tanium Inc.
Original Assignee
Tanium Inc.
Inventors
Hunt, Christian L., Gissel, Thomas R., Savage, Thomas W.

Granted Patent

US 10,372,904 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 41/0813   characterised by the condit...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/12   Discovery or management of ...

H04L 43/10   Active monitoring, e.g. hea...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 67/141   Setup of application sessio...

Cost Prioritized Evaluations of Indicators of Compromise

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Cost Prioritized Evaluations of Indicators of Compromise

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links