Cost Prioritized Evaluations of Indicators of Compromise
Abstract
A method for evaluating indicators of compromise (IOCs) is performed at a device having one or more processors and memory. The method includes receiving respective specifications of a plurality of IOCs, wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC. The method further includes dynamically determining an order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs, and determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order, instead of the order in which the plurality of IOCs were received at the device.
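The abstract describes an evaluation engine that sorts IOCs by their declared evaluation cost, runs the cheap checks first and stops as soon as a verdict is reached. The following Python is an added illustration of that idea, not code from the patent or its assignee; the IOC names, costs, predicates, the threshold parameter `required_matches` and the host snapshot are all constructed for the example.

```python
"""Added example: cost-prioritized IOC evaluation (illustration only, not the patent's code).

Each IOC specification carries an evaluation cost. Instead of checking IOCs in
arrival order, the engine sorts them by cost and short-circuits once a verdict
is certain. All names, costs and sample host data below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Host = Dict[str, object]


@dataclass
class IOC:
    name: str
    cost: float                    # relative cost of evaluating this indicator (constructed)
    check: Callable[[Host], bool]  # returns True when the indicator matches the host


@dataclass
class Verdict:
    threat: bool
    matched: List[str] = field(default_factory=list)
    evaluated: List[str] = field(default_factory=list)
    cost_spent: float = 0.0


def order_by_cost(iocs: List[IOC]) -> List[IOC]:
    """Dynamically determined order: cheapest first; arrival order only breaks ties (sorted is stable)."""
    return sorted(iocs, key=lambda i: i.cost)


def evaluate(iocs: List[IOC], host: Host, required_matches: int = 1, reorder: bool = True) -> Verdict:
    """Evaluate IOCs until `required_matches` have matched (threat) or the threshold
    can no longer be reached (no threat). With reorder=False the arrival order is kept,
    which shows how much more cost the naive strategy spends."""
    queue = order_by_cost(iocs) if reorder else list(iocs)
    verdict = Verdict(threat=False)
    for idx, ioc in enumerate(queue):
        remaining_after = len(queue) - idx - 1
        verdict.evaluated.append(ioc.name)
        verdict.cost_spent += ioc.cost
        if ioc.check(host):
            verdict.matched.append(ioc.name)
        if len(verdict.matched) >= required_matches:
            verdict.threat = True
            break  # verdict reached; the costlier remaining checks are skipped
        if len(verdict.matched) + remaining_after < required_matches:
            break  # threshold unreachable even if every remaining IOC matched
    return verdict


# Constructed host snapshot: one process hash is on the (constructed) bad list.
SAMPLE_HOST: Host = {
    "process_hashes": {"constructed-hash-0001", "constructed-hash-bad"},
    "registry_keys": {"HKCU\\Software\\ExampleApp"},
    "disk_scan_hits": 0,
}


def arrival_order_iocs() -> List[IOC]:
    """Constructed IOC specifications, listed in the order they 'arrived' at the device:
    the most expensive one happens to come first."""
    return [
        IOC("full_disk_yara_scan", 100.0, lambda h: h["disk_scan_hits"] > 0),
        IOC("suspicious_registry_key", 5.0,
            lambda h: "HKCU\\Software\\ConstructedPersistenceKey" in h["registry_keys"]),
        IOC("known_bad_process_hash", 1.0,
            lambda h: "constructed-hash-bad" in h["process_hashes"]),
    ]


if __name__ == "__main__":
    for reorder in (False, True):
        v = evaluate(arrival_order_iocs(), SAMPLE_HOST, reorder=reorder)
        print(f"reorder={reorder}: threat={v.threat} evaluated={v.evaluated} cost={v.cost_spent}")
```

With the cost-ordered strategy the engine reaches a positive verdict after the single cheapest check (cost 1.0), whereas arrival order runs the expensive disk scan first and spends 106.0 for the same answer. Raising `required_matches` also shows the second short-circuit: evaluation stops as soon as the remaining IOCs could not reach the threshold even if they all matched.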
Claims (20)
1. A method of threat management, the method comprising:
at a device having one or more processors and memory;
receiving respective specifications of a plurality of indicators of compromise (IOCs), wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC;
dynamically determining an order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs; and
determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order, instead of an order by which the plurality of IOCs have been received at the device.
Dependent claims: 2 to 11.
12. A system, comprising:
one or more processors; and
memory storing instructions that when executed by the one or more processors cause the processors to perform operations including:
receiving respective specifications of a plurality of indicators of compromise (IOCs), wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC;
dynamically determining an order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs; and
determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order, instead of an order by which the plurality of IOCs have been received at the device.
Dependent claims: 13 to 19.
20. A non-transitory computer-readable medium storing instructions that when executed by one or more processors cause the processors to perform operations comprising:
receiving respective specifications of a plurality of indicators of compromise (IOCs), wherein the respective specification of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC;
dynamically determining an order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs; and
determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order, instead of an order by which the plurality of IOCs have been received at the device.
Specification