SYSTEMS AND METHODS FOR AUTOMATED RETRIEVAL, PROCESSING, AND DISTRIBUTION OF CYBER-THREAT INFORMATION

US 20180109545A1
Filed: 12/05/2017
Published: 04/19/2018
Est. Priority Date: 04/20/2015
Status: Active Grant

First Claim

Patent Images

1-26. -26. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for automated retrieval, processing, and/or distribution of cyber-threat information using a cyber-threat device. Consistent with disclosed embodiments, the cyber-threat device may receive cyber-threat information in first formats from internal sources of cyber-threat information using an accessing component of the cyber-threat device. The cyber-threat device may receive cyber-threat information second formats from external sources of cyber-threat information using an accessing component of the cyber-threat device. The cyber-threat device may process the received cyber-threat information in the first formats and the second formats into a standard format using a processing component of the cyber-threat device. The cyber-threat device may provide the processed items of cyber-threat information to a distributor using a distributing component of the cyber-threat device. The cyber-threat device may automatically report information concerning the processed items of cyber-threat information to a device of a user with a reporting component of the cyber-threat device.

12 Citations

View as Search Results

46 Claims

1-26. -26. (canceled)

27. A cyber-threat network device for automated processing of cyber-threat information, comprising:
- a network adapter configured to receive;
  
  first cyber-threat information in a first format from an internal cyber-threat information source over a private network, the internal cyber-threat information source comprising a network component of an entity system, the network component configured to provide, using an Application Program Interface (API) exposed by the network component, at least some of the first cyber-threat information; and
  
  second cyber-threat information in a second format from an external cyber-threat information source over an external network;
  
  a processor configured to;
  
  process the first cyber-threat information and the second cyber-threat information into processed cyber-threat information in a standard format, the standard format comprising at least one data marking indicating a categorization of the first cyber-threat information and the second cyber-threat information;
  
  extract, from the first cyber-threat information and the second cyber-threat information, information identifying the processed cyber-threat information based on stored identification criteria;
  
  enforce policy rules specifying at least one of;
  
  a user authorized to access the processed cyber-threat information;
  
  a type of processed cyber-threat information that may be accessed;
  
  methods of access to the processed cyber-threat information;
  
  orpermissible uses of accessed items of the processed cyber-threat information; and
  
  distribute the processed cyber-threat information in the standard format to a distributor using an API exposed by the distributor.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 28. The device of claim 27, wherein the policy rules further specify restrictions on distribution of the processed cyber-threat information.
  - 29. The device of claim 27, wherein the processor is further configured to retrieve third cyber-threat information in the standard format from the distributor.
  - 30. The device of claim 27, wherein the network adapter is further configured with at least one credential for accessing at least one of the internal cyber-threat information source, the external cyber-threat information source, or the distributor.
  - 31. The device of claim 30, wherein the at least one credential comprises at least one of a username, a password, an authentication token, or an item of information supporting authentication.
  - 32. The device of claim 27, wherein the network adapter is further configured to call an API library to receive the first cyber-threat information.
  - 33. The device of claim 27, wherein the external cyber-threat information source comprises at least one of a commercial security provider, a governmental regulatory agency, or a governmental security agency.
  - 34. The device of claim 27, wherein the standard format comprises an extensible cyber-threat information description specifying observables and context for the first cyber-threat information and the second cyber-threat information.
  - 35. The device of claim 27, wherein the at least one data marking includes source information and handling restrictions for the first cyber-threat information and the second cyber-threat information.
  - 36. The device of claim 27, wherein the processor is further configured to apply exclusion criteria to determine acceptable cyber-threat information from the first cyber-threat information and the second cyber-threat information.
  - 37. The device of claim 27, wherein the processor is further configured to automatically instruct the network component of the entity system to modify a network component configuration of the entity system.
  - 38. The device of claim 37, wherein the network component comprises an email appliance and the network component configuration comprises a blacklist.
  - 39. The device of claim 27, further comprising an I/O interface configured to display a user interface on a user device.
  - 40. The device of claim 39, wherein the user interface is configured to receive user instructions to modify a configuration of at least one of the network adapter, the processor, or the I/O interface.
  - 41. The device of claim 39, wherein the user interface is configured to receive user instructions to modify the policy rules to restrict access to at least one of a cyber-threat information source, a cyber-threat information item category, or a cyber-threat information item.

42. A cyber-threat network device for automated processing of cyber-threat information, comprising:
- a network adapter configured to receive;
  
  first cyber-threat information in a first format from an internal cyber-threat information source over a private network, the internal cyber-threat information source comprising a network component of an entity system, the network component configured to provide, using an Application Program Interface (API) exposed by the network component, at least some of the first cyber-threat information; and
  
  second cyber-threat information in a second format from an external cyber-threat information source over an external network;
  
  a processor configured to;
  
  process the first cyber-threat information and the second cyber-threat information into processed cyber-threat information in a standard format, the standard format comprising at least one data marking that indicates a categorization of the first cyber-threat information and the second cyber-threat information;
  
  automatically generate reports using the first cyber-threat information and the second cyber-threat information; and
  
  distribute the processed cyber-threat information in the standard format to a distributor using an API exposed by the distributor; and
  
  a non-transitory memory configured to store the first cyber-threat information, the second cyber-threat information, and the processed cyber-threat information.
- View Dependent Claims (43, 44, 45, 46)
- - 43. The device of claim 42, wherein the non-transitory memory is further configured to store the first cyber-threat information and the second cyber-threat information in at least one of following formats:
    - the first format, the second format, or an intermediate format.
  - 44. The device of claim 42, wherein the non-transitory memory is further configured to store the processed cyber-threat information in the standard format.
  - 45. The device of claim 42, wherein the non-transitory memory is further configured to store a plurality of reporting targets specifying recipients of the automatically generated reports.
  - 46. The device of claim 42, wherein the network component comprises an email appliance, and wherein the processor is further configured to automatically instruct the email appliance to modify a blacklist of the email appliance.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Capital One Services LLC (Capital One Financial Corporation)
Original Assignee
Capital One Services LLC (Capital One Financial Corporation)
Inventors
Weilbacher, Nathan

Granted Patent

US 10,178,112 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

SYSTEMS AND METHODS FOR AUTOMATED RETRIEVAL, PROCESSING, AND DISTRIBUTION OF CYBER-THREAT INFORMATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

12 Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR AUTOMATED RETRIEVAL, PROCESSING, AND DISTRIBUTION OF CYBER-THREAT INFORMATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links