Computer application maturity illustration system with recovery exercise date display and analytics
US-2015121153-A1 · Apr 30, 2015 · US
US9900335B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9900335-B2 |
| Application number | US-201514757988-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 24, 2015 |
| Priority date | Dec 24, 2015 |
| Publication date | Feb 20, 2018 |
| Grant date | Feb 20, 2018 |
Official abstract text for this publication.
Techniques described herein include systems and methods for categorizing and prioritizing indicators of compromise for a network of network resources. The indicators of compromise may lead to security threats from malicious entities. In embodiments, a service provider computer receives information identifying an indicator of compromise for a network resource of a network associated with an organization. The information may include an identification of a severity for the indicator of compromise that is provided by a reporting entity. A normalized severity for the indicator of compromise may be calculated based at least in part on a set of factors. A lifecycle to associate with the indicator of compromise may be determined based on the normalized severity for the indicator of compromise. A report identifying the indicator of compromise and the normalized severity for the indicator of compromise may be generated and transmitted to an indicator of compromise information sharing network.
Opening claim text (preview).
What is claimed is:
1. A method for prioritizing indicators of compromise for a network, comprising: receiving, by a server computer, information identifying an indicator of compromise for a network resource of an organization associated with the network, the information comprising at least one of an identification of a severity for the indicator of compromise provided by a reporting entity or a confidence of the reporting entity in the identification of the indicator of compromise; calculating, by the server computer, a normalized severity for the indicator of compromise based at least in part on a set of factors comprising collision logging information that indicates occurrences of the indicator of compromise within a plurality of network resources of the network subsequent to receiving the information; determining, by the server computer, a lifecycle to associate with the indicator of compromise based at least in part on the normalized severity for the indicator of compromise; updating, by the server computer, a database associated with the network indicating the normalized severity for the indicator of compromise and the lifecycle of the indicator of compromise; generating, by the server computer, a set of rules to apply to the network resource based at least in part on the indicator of compromise and the normalized severity for the indicator of compromise; and providing, by the server computer, the set of rules to the network resource for implementation, the network resource configured to detect and prevent subsequent occurrences of the indicator of compromise utilizing the set of rules.
2. The method of claim 1, wherein the set of factors comprises the identification of the severity for the indicator of compromise provided by the reporting entity, the confidence of the reporting entity in the identification of the indicator of compromise, a type of the indicator of compromise, and a confidence score associated with the reporting entity provided by the organization.
3. The method of claim 1, further comprising verifying, by the server computer, the indicator of compromise and the reporting entity based at least in part on a whitelist of indicators of compromise and reporting entities maintained in the database associated with the network.
4. The method of claim 1, further comprising: generating, by the server computer, an alert based at least in part on the information identifying the indicator of compromise for the network resource and a watchlist of indicators of compromise maintained by the organization, the alert including the information; and transmitting, by the server computer, the alert to a user device of an entity associated with the organization.
5. The method of claim 4, further comprising implementing, by the server computer, a detection sensor check for the network resource based at least in part on the alert and a type of the indicator of compromise.
6. The method of claim 1, further comprising updating, by the server computer, a whitelist of indicators of compromise and reporting entities maintained in the database associated with the network based at least in part on the normalized severity for the indicator of compromise.
7. The method of claim 1, wherein updating the database associated with the network indicating the normalized severity for the indicator of compromise includes setting an active tag for a data entry associated with the indicator of compromise based at least in part on the lifecycle associated with the indicator of compromise.
8. The method of claim 7, wherein updating the database associated with the network indicating the normalized severity for the indicator of compromise includes updating the active tag for the data entry associated with the indicator of compromise upon expiration of the lifecycle associated with the indicator of compromise.
9. The method of claim 1, wherein generating the set of rules to apply to the network resource is further based at least in part on a sensor threshold associated with the network resource.
10. An electronic device comprising: a processor; and a memory including instructions that, when executed with the processor, cause the system to, at least: receive information identifying an indicator of compromise for a network resource of a network associated with an organization, the information including at least one of an identification of a severity for the indicator of compromise provided by a reporting entity or a confidence of the reporting entity in the identification of the indicator of compromise; calculate a normalized severity for the indicator of compromise based at least in part on a set of factors comprising collision logging information that indicates occurrences of the indicator of compromise within a plurality of network resources of the network subsequent to receiving the information; determine a lifecycle to associate with the indicator of compromise based at least in part on the normalized severity for the indicator of compromise; generate a report identifying the indicator of compromise, the normalized severity for the indicator of compromise, and a lifecycle for the indicator of compromise; and transmit the report to an indicator of compromise information sharing network.
11. The electronic device of claim 10, wherein generating the report is based at least in part on an information sharing threshold maintained by the organization.
12. The electronic device of claim 10, wherein transmitting the report to the indicator of compromise information sharing network is based at least in part on a policy specified by a standard setting organization.
13. The electronic device of claim 10, wherein transmitting the report to the indicator of compromise information sharing network is based at least in part on a policy specified by the organization, the policy identifying information classification restrictions associated with particular indicators of compromise.
14. The electronic device of claim 10, wherein the instructions when executed with the processor cause the system to further at least generate a set of rules to apply to the network resource based at least in part on the indicator of compromise and the normalized severity for the indicator of compromise.
15. The electronic device of claim 14, wherein the set of rules to apply to the network resource are updated based at least in part on the lifecycle associated with the indicator of compromise.
16. A method for prioritizing indicators of compromise for a network, comprising: receiving, at a server computer, information identifying an indicator of compromise for a network resource of an organization associated with the network, the information comprising at least one of a type of the indicator of compromise or an identification of a severity for the indicator of compromise provided by a reporting entity; calculating, by the server computer, a normalized severity for the indicator of compromise based at least in part on a set of factors comprising collision logging information that indicates occurrences of the indicator of compromise within a plurality of network resources of the network subsequent to receiving the information; determining, by the server computer, a lifecycle to associate with the indicator of compromise based at least in part on the normalized severity for the indicator of compromise; generating, by the server computer, a set of rules to apply to the network resource based at least in part on the indicator of compromise and the normalized severity for the indicator of compromise; and transmitting, by the server computer
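The claimed pipeline (verify the reporter and indicator against a whitelist, normalize severity from the listed factors including collision logging, derive a lifecycle, keep an active tag that is cleared on expiry, gate rule generation on a sensor threshold and sharing on an information sharing threshold) as one small Python model. This is an added illustration, not code from the patent or its assignee: the per-type weights, the multiplicative blend with a per-collision boost, the lifecycle tiers, the reporter names, the thresholds and the placeholder hash are all constructed assumptions chosen to make the steps concrete.

```python
# Added example, not code from the patent: a toy IoC prioritization pipeline that
# follows the claimed steps. Weights, thresholds, reporter names and sample
# indicators are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

TYPE_WEIGHT = {"hash": 1.0, "url": 0.9, "domain": 0.8, "ip": 0.6}  # constructed weights
COLLISION_BOOST = 0.06  # severity added per later sighting on another resource (capped at 10)
SAMPLE_HASH = "0123456789abcdef0123456789abcdef"  # constructed placeholder, not a real IoC

@dataclass
class IocReport:
    indicator: str
    ioc_type: str
    reporter: str
    reported_severity: float    # severity stated by the reporting entity, 0..1
    reporter_confidence: float  # reporter's confidence in the identification, 0..1

@dataclass
class IocEntry:
    report: IocReport
    received_at: datetime
    normalized_severity: float
    lifecycle_days: int
    collisions: int = 0
    active: bool = True  # the "active tag" of claims 7 and 8

    def expires_at(self) -> datetime:
        return self.received_at + timedelta(days=self.lifecycle_days)

def normalized_severity(report: IocReport, reporter_trust: float, collisions: int) -> float:
    """Blend reported severity, reporter confidence, IoC type, org trust in reporter, collisions."""
    base = (report.reported_severity * report.reporter_confidence
            * reporter_trust * TYPE_WEIGHT.get(report.ioc_type, 0.5))
    return round(min(1.0, base + min(collisions, 10) * COLLISION_BOOST), 3)

def lifecycle_days(severity: float) -> int:
    # Higher normalized severity keeps the indicator active for longer (assumed tiers).
    return 90 if severity >= 0.8 else 30 if severity >= 0.5 else 7 if severity >= 0.2 else 1

class IocDatabase:
    def __init__(self, reporter_trust: Dict[str, float], whitelist: set, sharing_threshold=0.5):
        self.reporter_trust = reporter_trust  # organization-assigned score per reporter
        self.whitelist = whitelist            # known-benign indicators, never turned into rules
        self.sharing_threshold = sharing_threshold
        self.entries: Dict[str, IocEntry] = {}

    def ingest(self, report: IocReport, now: datetime) -> Optional[IocEntry]:
        # Verification: unknown reporters and whitelisted indicators are dropped.
        if report.reporter not in self.reporter_trust or report.indicator in self.whitelist:
            return None
        sev = normalized_severity(report, self.reporter_trust[report.reporter], 0)
        self.entries[report.indicator] = IocEntry(report, now, sev, lifecycle_days(sev))
        return self.entries[report.indicator]

    def record_collision(self, indicator: str) -> None:
        # Collision logging: a later sighting raises severity and re-derives the lifecycle.
        e = self.entries.get(indicator)
        if e is not None and e.active:
            e.collisions += 1
            e.normalized_severity = normalized_severity(
                e.report, self.reporter_trust[e.report.reporter], e.collisions)
            e.lifecycle_days = lifecycle_days(e.normalized_severity)

    def expire(self, now: datetime) -> List[str]:
        # Clear the active tag on entries whose lifecycle has elapsed.
        expired = [k for k, e in self.entries.items() if e.active and now >= e.expires_at()]
        for k in expired:
            self.entries[k].active = False
        return expired

    def rules_for(self, indicator: str, sensor_threshold: float) -> List[dict]:
        # Rules go only to a resource whose sensor threshold the severity meets.
        e = self.entries.get(indicator)
        if e is None or not e.active or e.normalized_severity < sensor_threshold:
            return []
        action = "block" if e.normalized_severity >= 0.8 else "alert"
        return [{"match": e.report.ioc_type, "value": indicator, "action": action}]

    def sharing_report(self, indicator: str) -> Optional[dict]:
        # Report for the sharing network, gated by the organization's sharing threshold.
        e = self.entries.get(indicator)
        if e is None or e.normalized_severity < self.sharing_threshold:
            return None
        return {"indicator": indicator, "severity": e.normalized_severity,
                "lifecycle_days": e.lifecycle_days, "active": e.active}

def demo() -> dict:
    # Walk one constructed indicator through ingest, collisions, rules, sharing and expiry.
    db = IocDatabase({"isac-feed": 0.9, "vendor-x": 0.6}, whitelist={"198.51.100.7"})
    t0 = datetime(2024, 1, 1)
    db.ingest(IocReport(SAMPLE_HASH, "hash", "isac-feed", 0.9, 0.8), t0)
    db.ingest(IocReport("198.51.100.7", "ip", "vendor-x", 0.9, 0.9), t0)  # whitelisted: dropped
    db.ingest(IocReport("bad.example", "domain", "nobody", 0.9, 0.9), t0)  # unknown reporter
    e = db.entries[SAMPLE_HASH]
    out = {"stored": sorted(db.entries), "sev0": e.normalized_severity, "life0": e.lifecycle_days}
    for _ in range(3):
        db.record_collision(SAMPLE_HASH)
    out.update(sev3=e.normalized_severity, life3=e.lifecycle_days,
               rules_hi=db.rules_for(SAMPLE_HASH, 0.7), rules_strict=db.rules_for(SAMPLE_HASH, 0.9),
               shared=db.sharing_report(SAMPLE_HASH), expired_mar=db.expire(datetime(2024, 3, 1)),
               expired_apr=db.expire(datetime(2024, 4, 1)), rules_later=db.rules_for(SAMPLE_HASH, 0.1))
    return out
```

Running `demo()` shows the behaviour the claims describe: the hash enters at severity 0.648 with a 30-day lifecycle, three collisions on other resources lift it to 0.828 and a 90-day lifecycle, a resource with sensor threshold 0.7 receives a block rule while one at 0.9 receives none, and once the lifecycle elapses the active tag is cleared and no further rules are issued. The whitelisted IP and the report from an untrusted reporter never reach the database, which is the verification step of claim 3.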
CPC classification titles:
- Vulnerability analysis
- by monitoring network traffic (monitoring network traffic per se H04L43/00)
- Entity profiles