Collective threat intelligence gathering system

Inventors

Magee, Joseph C.; Andrews, Alison M.; Nicholson, Mark W.; James, Jonathon Lance; Li, Henry C.; Stevenson, Christopher L.; Lathrop, Joel

Assignees

Deloitte Development LLC

Publication Number

US-8813228-B2

Publication Date

2014-08-19

Expiration Date

2032-06-29

Abstract

Threat intelligence is collected from a variety of different sources. The threat intelligence information is aggregated, normalized, filtered and scored to identify threats to an information network. Threats are categorized by type, maliciousness and confidence level. Threats are reported to network administrators in a plurality of threat feeds, including for example malicious domains, malicious IP addresses, malicious e-mail addresses, malicious URLs and malicious software files.

Core Innovation

The invention provides a system for collecting, processing, and distributing threat intelligence information from a wide variety of sources to network administrators in a useable and coherent format. Threat intelligence is aggregated from multiple sources, including public sources, private sources, anonymous intelligence collectors, and consumer feedback, and then parsed, normalized, and enriched before being classified and stored in a common database structure. This normalization enables the integration of threat intelligence that is initially in disparate, proprietary formats and from sources with variable reliability and validation.

The system further categorizes, deduplicates, and filters the threat intelligence records to improve the quality and relevance of the reported threats. Categorization uses defined threat categories and rule-based engines to assign each record to an appropriate threat class, while filtering processes such as whitelist, blacklist, and malformed address filtering remove non-malicious or irrelevant entries. A scoring engine utilizing multiple scoring modules assesses each record to assign a maliciousness score and a confidence level, using algorithms and external data to produce comprehensive threat assessments.

Once threat records are processed, scored, and validated, the system formats and delivers threat intelligence feeds tailored to the preferences or tools of the consuming network administrators, for example, Security Information and Event Management (SIEM) tools. These feeds may separately report malicious domains, IP addresses, URLs, phishing email addresses, and malware-related files, facilitating real-time and effective defense against malware threats across information networks.

Claims Coverage

The patent includes claims covering multiple inventive features distributed among several independent claims, focusing on systems and methods for collecting, processing, categorizing, scoring, and distributing threat intelligence information.

System for collecting and formatting threat intelligence information

A system comprising:
- A database for storing threat intelligence information.
- A threat information collector configured to gather threat intelligence from a plurality of sources in different formats.
- A parser that parses the collected information into a common format and stores it in the database.
- A scoring engine that receives parsed threat information and calculates at least one threat score.
- A distributor that formats and distributes the threat intelligence information and scored data in multiple formats according to predefined consumer preferences.

Method for collecting and distributing threat intelligence information

A method including:
1. Collecting threat intelligence information from a plurality of sources in various formats.
2. Parsing the data into a common format using at least one data processing device.
3. Calculating at least one threat score based on the parsed intelligence information.
4. Formatting and distributing the parsed and scored threat information in a plurality of delivery formats according to consumer preferences.

Method for analyzing threat intelligence information using scoring modules

A method comprising:
- Receiving threat intelligence from at least one source.
- Processing the data into at least one record, each record corresponding to a respective threat.
- Calculating a module score for each record using a plurality of threat scoring modules, each applying a different methodology.
- Using a scoring engine to derive a threat score for each record by applying a weighted mathematical average to the module scores based on assigned weights.
- Providing the threat intelligence records and scores to at least one consumer.

System for analyzing threat intelligence with scoring modules and weighted threat scores

A system comprising:
- A database for threat intelligence storage.
- At least one data processing device configured to process the intelligence into records.
- Multiple scoring modules that each calculate a module score for every threat record, each module applying a different scoring methodology.
- A scoring engine that derives a threat score as a weighted mathematical average of the module scores.
- Output of the threat intelligence records and their corresponding threat scores to at least one consumer.

In summary, the claims cover a system and methods for collecting threat intelligence from diverse sources, standardizing and categorizing the data, scoring threats with multiple methodologies, and distributing tailored threat intelligence to consumers in desired formats.
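To make the claimed pipeline concrete (collection in disparate formats, normalization to a common record, whitelist and malformed-address filtering, deduplication, several scoring modules combined by a weighted average, and per-type feeds rendered in more than one delivery format), here is an added Python sketch. It is illustrative code written for this page, not code from the patent or from Deloitte. The two input feeds are constructed samples, the per-source reliability values, the 30-day recency decay, the module weights and the confidence rule are all assumptions chosen for the example, and the function names are hypothetical.

```python
"""Toy threat-intel pipeline: collect -> normalize -> filter -> dedupe -> score -> distribute.
Added example; assumptions are marked inline."""
import csv
import io
import ipaddress
import json
from collections import defaultdict

# Constructed sample feeds in two different source formats (not real intelligence).
FEED_A_CSV = """indicator,type,source,seen_days_ago
203.0.113.7,ip,vendor-a,1
example.com,domain,vendor-a,3
999.1.1.1,ip,vendor-a,0
203.0.113.7,ip,vendor-a,2
"""
FEED_B_JSON = json.dumps([
    {"value": "203.0.113.7", "kind": "ipv4", "provider": "community-b", "age": 5},
    {"value": "bad.example.net", "kind": "fqdn", "provider": "community-b", "age": 10},
    {"value": "http://bad.example.net/x.exe", "kind": "url", "provider": "community-b", "age": 10},
])

WHITELIST = {"example.com"}                        # assumed: known-good indicator to drop
SOURCE_RELIABILITY = {"vendor-a": 0.9, "community-b": 0.5}  # assumed per-source reliability
TYPE_MAP = {"ip": "ip", "ipv4": "ip", "domain": "domain", "fqdn": "domain", "url": "url"}


def parse_feed_a(text):
    """Parser for source format A (CSV) into the common record layout."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {"indicator": row["indicator"], "type": TYPE_MAP[row["type"]],
               "source": row["source"], "age_days": int(row["seen_days_ago"])}


def parse_feed_b(text):
    """Parser for source format B (JSON) into the same common record layout."""
    for item in json.loads(text):
        yield {"indicator": item["value"], "type": TYPE_MAP[item["kind"]],
               "source": item["provider"], "age_days": int(item["age"])}


def is_malformed(rec):
    """Malformed-address filter: an 'ip' record must parse as an IP address."""
    if rec["type"] == "ip":
        try:
            ipaddress.ip_address(rec["indicator"])
        except ValueError:
            return True
    return False


def filter_and_dedupe(records):
    """Drop whitelisted and malformed entries; merge duplicates but keep every sighting."""
    merged = {}
    for rec in records:
        if rec["indicator"] in WHITELIST or is_malformed(rec):
            continue
        key = (rec["type"], rec["indicator"])
        entry = merged.setdefault(key, {"indicator": rec["indicator"],
                                        "type": rec["type"], "sightings": []})
        entry["sightings"].append((rec["source"], rec["age_days"]))
    return list(merged.values())


# Scoring modules: each applies a different methodology and returns a score in [0, 1].
def module_source_reliability(entry):
    return max(SOURCE_RELIABILITY.get(src, 0.1) for src, _ in entry["sightings"])

def module_recency(entry):
    newest = min(age for _, age in entry["sightings"])
    return max(0.0, 1.0 - newest / 30.0)      # assumed linear decay over 30 days

def module_corroboration(entry):
    distinct = {src for src, _ in entry["sightings"]}
    return min(1.0, len(distinct) / 3.0)       # assumed: three independent sources = 1.0

MODULES = [(module_source_reliability, 0.5), (module_recency, 0.3), (module_corroboration, 0.2)]


def score(entry):
    """Weighted mathematical average of the module scores, plus a confidence label."""
    total_w = sum(w for _, w in MODULES)
    maliciousness = sum(m(entry) * w for m, w in MODULES) / total_w
    # Assumed confidence rule: two or more distinct sources agree -> high.
    confidence = "high" if len({s for s, _ in entry["sightings"]}) >= 2 else "low"
    return round(maliciousness, 3), confidence


def build_feeds(raw_feeds):
    """Run the pipeline and split results into one feed per indicator type."""
    records = [r for parser, text in raw_feeds for r in parser(text)]
    feeds = defaultdict(list)
    for entry in filter_and_dedupe(records):
        mal, conf = score(entry)
        feeds[entry["type"]].append({"indicator": entry["indicator"],
                                     "score": mal, "confidence": conf})
    return dict(feeds)


def render(feeds, fmt):
    """Distributor: emit the same feeds as JSON or as flat CSV lines, per consumer preference."""
    if fmt == "json":
        return json.dumps(feeds, sort_keys=True)
    out = io.StringIO()
    writer = csv.writer(out)
    for ftype, items in sorted(feeds.items()):
        for it in items:
            writer.writerow([ftype, it["indicator"], it["score"], it["confidence"]])
    return out.getvalue()


if __name__ == "__main__":
    result = build_feeds([(parse_feed_a, FEED_A_CSV), (parse_feed_b, FEED_B_JSON)])
    print(render(result, "csv"))
```

Running it shows the effect of each stage: the whitelisted domain and the unparseable address never reach the feeds, the IP seen three times collapses to one record whose three sightings raise both its corroboration score and its confidence, and the single-source domain and URL come out with a lower score and "low" confidence. In a real deployment the weights and reliability values would be tuned against feedback from consumers, which is the loop the patent describes.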

Stated Advantages

Aggregates and normalizes disparate threat intelligence feeds from varied sources into a useable, coherent format for network administrators.

Improves quality, reliability, and validation of threat intelligence by filtering, categorizing, deduplicating, and scoring incoming data.

Enables real-time defense and actionable reporting by distributing threat intelligence in formats compatible with consumers’ preferred tools.

Documented Applications

Processing and providing threat intelligence information to network administrators for defending information networks against current malware threats using SIEM tools such as ArcSight, enVision, or Q1 Radar.
