WO2015134008A1 - Automated internet threat detection and mitigation system and associated methods - Google Patents


Info

Publication number
WO2015134008A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
customer
threat
subsystem
intelligence
Prior art date
Application number
PCT/US2014/020673
Other languages
English (en)
Inventor
David B. AMSLER
Nick Allen
Sarah Messer
Trent Healy
Original Assignee
Foreground Security
Priority date
Filing date
Publication date
Application filed by Foreground Security
Priority to PCT/US2014/020673
Publication of WO2015134008A1


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
        • H04L 63/1441 Countermeasures against malicious traffic
        • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
        • H04L 63/1433 Vulnerability analysis
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F 21/55 Detecting local intrusion or implementing counter-measures
        • G06F 21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
        • G06F 21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F 2221/2127 Bluffing

Definitions

  • The present invention generally relates to network security and in particular to an automated system and method for detecting, evaluating and reporting network threats.
  • Embodiments of the present invention provide risk assessment and managed security systems and methods for network users, such as commercial organizations by way of example, and provide managed security services knowing that organizations must deal with daunting cyber threats, malware creations and phishing techniques.
  • Embodiments of the invention provide automated solutions and a combination of automated and human-driven solutions to establish an always-alert positioning for incident anticipation, mitigation, proactive discovery and response.
  • Embodiments of the invention include systems and methods that take an intelligence-driven and customized approach to protect network users from even the most intricately conceived threats.
  • The teachings of the present invention go beyond infrastructure monitoring and event notification as is typical in the art. It is realized that there are endless varieties of exploiting methods, malware manifestations and anonymization strategies that routinely evade well-known controls. Networks are best served by assessments of events before and after a breach from outside experts, as people within organizations are typically busy enough with their other IT-related responsibilities. Embodiments of the present invention identify threats in advance of a resulting network problem, by way of example, and then automate analysis of all data to find those threats and stop them from having an adverse effect. Automated systems and methods blanket the enterprise landscape so humans can focus on the high-level view, instead of looking at every single potential problem area.
  • One embodiment of the invention may be a computer-implemented system for automated internet threat detection and mitigation, wherein the system may comprise a centralized database and a customer database operable with the centralized database.
  • The computer-implemented system may further comprise a Honeytrap subsystem deployed within the customer network environment, wherein the Honeytrap subsystem monitors scams and cyber-attacks and analyzes suspicious activity, feeding the resulting analysis data to the analytics subsystem.
  • A method aspect of the invention may comprise a computer-implemented method for automated internet threat detection and mitigation, wherein the method may include providing an analytics subsystem for identifying suspicious patterns of behavior in a customer network environment.
  • A reader process may be operable with the analytics subsystem for gathering threat intelligence data from a plurality of threat intelligence sources, including commercial and open-source feeds as well as suspicious patterns identified by the analytics subsystem or specified by an analyst through a portal connection.
  • The data may further be normalized by the reader processor to provide a common format.
  • The method may further provide an initial believability factor based only on the past performance of the relevant source of the threat intelligence data.
  • The gatekeeper may review the normalized intelligence data and compare the data to past incidents and rules operable by the analytics subsystem for refining the believability factor and severity of each indicator.
  • The gatekeeper processor may either ask a human to check the data or discard data whose believability factor indicates it is unusable and overly likely to generate false positives.
  • One method for automatically securing a network against threats may comprise: collating data feeds for sending through a scanning system; scanning the data feeds based on preselected categories by determining the type of information discerned from each data feed; tagging data from the data feed scanning and providing extended data pieces by adding context surrounding threats, including at least one of geophysical, customer verticals, operating system, adversary campaigns, and a combination thereof; storing the tagged data into at least one of a relational database and a NoSQL database, wherein the storing is based on contextual tags and link analysis between contextual categories assigned to the data pieces; automatically scanning multiple different programs based on enterprise tools for taking contextual threat data pieces and projecting the contextual threat data pieces into enterprise tools using application programming interfaces; automatically discovering a match for at least one of the threat data pieces to the tagged data; and sending an alert to a security information and event manager (SIEM).
  • SIEM: security information and event manager
  • FIG. 1 is a diagrammatical illustration of one network security management system according to the teachings of the present invention.
  • FIG. 2 is a block diagram illustrating components of one automated threat detection and mitigation system according to the teachings of the present invention.
  • FIG. 4 is a functional flow chart illustrating one sequence of actions carried out by the Threat Intelligence operations.
  • FIG. 5 is a flowchart for one process of adding a new customer/user, by way of example.
  • FIGS. 7 and 8 are flowcharts illustrating information from a source being directed to a Gatekeeper.
  • FIGS. 9, 10 and 11 illustrate multiple workflows for an analyst using an automated Security Operations Center (SOC) system according to the teachings of the present invention.
  • FIG. 12 is a diagrammatical illustration of another view of a sequence of calls between analysts, a Filter subproject of Threat Intelligence, and a customer's enterprise security devices, by way of example.
  • FIG. 13 is a diagrammatical illustration including decisions and actions to be taken by a Gatekeeper function for maintaining and improving the quality of a threat intelligence database.
  • FIG. 14 illustrates, by way of example only, responsibilities and flow of data and requests as an incident report is processed.
  • FIG. 15 is a diagrammatical illustration of one distributed nature of the system of FIG. 1.
  • FIG. 16 is a diagrammatical illustration of one way in which the system of FIG. 1 produces data about events and incidents in a Customer's system.
  • FIG. 17 diagrammatically illustrates one response of a Honeytrap to a new, unexpected process (which is presumed to be an attack), according to the teachings of the present invention.
  • FIG. 18 illustrates one of the ways in which threat descriptors may be updated, by way of example.
  • FIG. 19 is a block diagram illustrating an analytics system and its relationship to other subsystems of the system illustrated with reference to FIG. 1, by way of non-limiting example.
  • FIGS. 20A, 20B and 20C combine to form a flow chart illustrating one embodiment of a system employing various network portals for reporting threats.
  • Threat Intelligence Optimization (TIO) 12 includes receiving multiple and different sources of intelligence and/or data from data input 14, deriving contextual inferences for those pieces of data, and tagging the information appropriately to then disseminate it into enterprise security solutions as an active defense 16 that a network owner or user is relying upon for services.
  • TIO: Threat Intelligence Optimization
  • Automation occurs at different stages. "Cyveillance" is performed and data normalized 18 and delivered to a threat intelligence database. Information is also pulled from the customer environment, such as with baselining, statistics, modeling, predictive models, Next Gen Honeynet, metadata, profiling, Incident Response, and the like.
  • An improved Honeynet, herein referred to as a HoneyTrap 20, is provided and includes an active VLAN within a customer or owner network.
  • The HoneyTrap mimics or copies critical and common systems within the customer environment.
  • Forensic and IR tool sets instantly alert and create the IOC.
  • Tier 4 analysts are alerted via the portal 22 from the threat intelligence optimization 12, but different scenario-based approaches for a customer are also made available to lower response time to incidents, and also help mitigate or manage incidents better.
  • The data normalization and fusion 18 take place with data analytics 24 bringing the process together.
  • The threat intelligence DB automates analysis of all the normalized data. Analysts may investigate anything that appears.
  • A Big Data Analytics platform 26 baselines the network environment, performs anomaly or statistical detection, and then alerts an analyst. When something is detected, IR&F tools are utilized to investigate further along with the Honeynet/Malware environment.
  • The Active Defenses 16 are developed to respond and eradicate the intruder. Threat intelligence is updated. Once data is normalized/fused, it can be sent into the Big Data Analytics platform 26 where machine learning code can perform specific automated analysis, as will be further detailed below.
  • Believability and severity are given priority.
  • The system 10 incorporates their findings to improve its estimates of believability and severity. This allows the system to automatically adjust to emphasize the most important threats. This feedback process happens both for individual customers and for the system as a whole.
  • A Manager subsystem handles coordination between each client's installation and a central database 42. This allows client installations to learn from each other based on patterns observed across all Foreground™ customers, by way of example, or within specific industries.
  • Analytics 44 uses a wide variety of tools to diagnose threats and suspicious activity. Although some individual tools may be well known, they are rarely used in a security environment.
  • A toolset, referred to in FIG. 1 as Big Data Analytics Platform 26, may include statistical analysis, link analysis, and machine-learning tools. These allow leveraging a variety of netflow and customer-specific data to provide individualized, continuously updated profiles of each customer's network, including suspicious activity.
  • Using a variety of analytic tools will help protect the system from unexpected attack vectors and attackers who use knowledge of the system to target clients.
  • Predictive tools use machine-learning tools to prioritize threat intelligence, to predict when and how attacks may occur, and to refine the Descriptive tools so they discover and present the information most likely to be useful to an analyst.
  • The Analytics 44 component of this task handles the computation and databases necessary for this adaptation.
  • The Investigator 40 portion of the Threat Intelligence subsystem 30 handles the data requests and assembly of the gathered information for each individual incident.
  • The behavior of each client is recorded and monitored for the client's internal machines and the external machines with which the system 10 communicates. This allows normal patterns of use to be found, including times of activity, sizes of files transferred, and web sites visited. This information provides useful context for incident analysis. Outliers can also be used to detect suspicious events. Implementing baselining on a broad basis will allow us to automatically build
  • Predictive tools will draw additional inputs from broadly available data sets that are not specific to cyber security. These may include financial and political data for each client and its rivals. Such information may be useful to incident response in establishing likely actors and motives.
  • Some pieces of Threat Intelligence are tagged for specific industries, and will be given higher priorities for customers within those industries. Some portions of the analytics subsystem 44 will be installed separately at each client site. This will allow detection of customer-specific and industry-specific patterns, even for threat intelligence which is not already tagged with that information. Feedback for that customer's incidents and baselining of that customer's assets will help to optimize the Threat Intelligence and Incident Analysis for that customer's needs.
  • Each question that is given over to the machine-learning components will have a single "Teacher" associated with it.
  • This Teacher is itself a machine-learning tool, which is responsible for generating, grading, and modifying the various trial machine-learning tools.
  • The Teacher tracks the performance of each of its assigned Pupils, learning which ones produce the best and fastest answers.
  • The Teacher will also be able to create new Pupils and to discard those which consistently perform poorly. This automation will speed the development of machine-learning algorithms to answer new questions.
  • An Analyst Portal 46 allows Analysts to review events of interest prioritized by estimated severity and believability, and shows them which events their coworkers have already claimed as incidents. It also allows them to group multiple auto-detected events together and to treat them as a single incident. The analysts' assessment of incident severity and False Positives will be fed back into the Threat Intel database.
  • A Client Portal 48 allows a customer to quickly see which incidents their analysts are currently handling, as well as histories of incidents. It may show which individual analysts are prioritizing high-severity incidents, which are handling the most incidents, and trends in the analysts' incident reports. It may also be used to recommend staffing levels (based on the Analytics package 44).
  • Honeytrap: With continued reference to FIG. 2, and as initially introduced with reference to FIG. 1, the Honeytrap 20, according to the teachings of the present invention, outperforms traditional honeypots by allowing analysts to shunt suspected processes and attackers onto a separate virtual LAN, by way of example. This and a set of passive and active live forensic tools provide additional data for the system.
  • One embodiment comprises a Honeytrap server forming a virtual local area network (VLAN) on a user network that looks like an actual part of the network and is set up to attract an "intruder" as an actual function of the network.
  • The Honeytrap 20 provides a one-way entry to a copy of the main server in terms of the domain so that it looks like the actual user network.
  • Lateral hacking can be detected once a hacker or intruder enters the user network.
  • The intruder is encouraged to go laterally and enter the Honeytrap server.
  • The intruder can't leave and is trapped. This essentially keeps the intruder alive instead of shutting it down.
  • Typical Honeynet methods immediately shut down and lock out a threat and thereby re-image a computer, and thus lose the intelligence.
  • The Honeytrap 20 of the present invention mimics the environment of the user network and keeps the threat alive so that it can be learned how such a malware intruder works; the system learns about it and then teaches the rest of the system to look for that particular malware intruder.
  • An indicator(s) of compromise (IOC) is created for the intruder, the intruder is trapped in the Honeynet, and information is populated to the appropriate users or to a general database.
  • IOC: indicator(s) of compromise
  • A Honeynet is well known in the art and is typically a separate network set up with intentional vulnerabilities.
  • A Honeynet contains one or more "honey pots", including computer systems on the Internet expressly set up to attract and "trap" intruders who attempt to penetrate computer systems where they are not welcome.
  • While the primary purpose of a Honeynet is to gather information about the methods and motives of the attacker, the decoy network can also benefit its operator by diverting attackers from a real network and its resources.
  • The Honeynet Project is a non-profit research organization dedicated to computer security and information sharing.
  • The Honeytrap 20 mimics or copies critical and common systems within the customer environment (e.g. DC, DNS, Database(s), Web, Desktop, File, etc.). There is active monitoring on the network, ports, and end point systems using forensic tool sets (Foreground IP™ and Open Source™, possibly commercial systems such as NetWitness™). Once an APT or Insider (or Intruder) tries to move laterally within an environment, the Intruder is identified instantly and an IOC created. The IOCs are plugged into the threat intelligence database (DB) 42 and thus it is known where else in the environment the intruder may be moving or attempting penetration. When the Honeynet system becomes infected, Forensic and IR tool sets instantly alert and create the IOCs. Once again that is plugged into the data fusion and it is known where else this has happened, how it is happening, and how they are communicating.
  • DB: threat intelligence database
  • Active Honeypot: Active Defense
  • TIO 12: threat optimization suite
  • Quarantine mimics the internet, with fake DNS, faked IP addressing and fake services, and attempts to keep the computers running while a second part of Active Defense is deployed.
  • The second part of Active Defense is an automated Incident Response.
  • The analysts may enact a memory forensics program, a script to copy a memory dumping executable to the machines and dump the physical memory in order to capture the malicious content that may be installed on the machines. This is done through scripting xcopy, and using commercial memory forensic tools.
  • The active defense is thus to isolate, contain, surge and recover from incidents faster, and allow creation of further intelligence for incident response teams we may deploy to the client.
  • Data Gathering takes place on a large scale, including detailed netflow information and ongoing link analysis, profiling of companies, users, machines, and external contacted IPs, as well as analysis from Honeytrap activity. Each customer's installation will track this information locally and send selected data back to the central location, Foreground™ by way of example, for comparison across multiple companies. This allows the analytics subsystem 44 to discover industry-wide trends and emerging threats. By subscribing to a variety of open-source and limited-distribution feeds, the features and benefits of Threat Intelligence continue to improve. These feeds are currently being compared to each other and will be used to recognize omissions and false positives from individual Intel Sources. Additional tools such as web crawlers may be used to augment the Threat Intel data with publicly available information not specifically designed for security use. All these data will be normalized to automatically construct alerts, warnings, and threat intelligence customized to a customer's needs.
  • An Automated Program using a VMware ESX server application program interface stands up 3 replicated machines that appear in the isolated VLAN, using the same hostnames and addressing scheme as the "real" operating environment.
  • The malicious code running is kept running in memory or is prevented from connecting to the internet so that the adversary still performs the techniques in real time that can be monitored by full packet capture and Tier 4 analysts in order to create indicators of compromise to match the adversary's movements on the cloned environment.
  • This will also have the dual benefit of allowing for intelligence gathering against the adversary, as the analysts will capture what specifically the adversary is after, what types of information, whether the adversary knows who to target for what, whether the adversary has done his homework, whether the adversary is already familiar with the internal network, etc.
  • Data normalization and fusion 18 take place, wherein the data analytics 24 brings the process together.
  • The Threat Intel DB automates analysis of all normalized Data. Analysts may investigate anything that appears.
  • An example to consider: A user logs in remotely from a geo-IP that is not normal, during a time frame that is not normal, and accesses a critical system they don't normally access. At what point does it trigger? One will base this on weighting of assets (systems, network segments, types of data) and by overall learning of machine code.
  • The Data Gathering component 45 includes a set of tools for gathering a broad set of data from many publicly available websites. It is intended to provide context for the analytics system. Natural language processing and broad economic, financial, and political data will help the analytics system understand and predict hacktivism, state-backed hackers, and industrial espionage.
  • The Portal 22 described above with reference to FIG. 1 is herein described by way of example as including two parts, the analyst portal 46 and the customer or client portal 48, illustrated with reference to FIG. 2.
  • The analyst portal 46 will allow analysts to query the Customer Database 50 and incidents detected by the system 10 (via patterns from the Threat Intelligence segment 30). It operates to direct incidents toward the analysts most suited for dealing with the specific attacks and affected assets. It tracks various metrics of analyst performance and provides feedback to the system.
  • The customer portal 48 allows managers to view analyst performance metrics as well as customize their threat intelligence feeds, local security tools, and descriptions of the customer's environment and assets. These choices will provide further feedback for the system 10.
  • The component that receives the Intelligence Sources 34 is the Reader 32.
  • The Reader 32 has a modular design that minimizes the amount of coding that needs to be done to add each additional Intelligence Source 34, thus allowing new sources to be added quickly.
  • The Reader 32 places data from each source 34 into a standard format, and then passes the reformatted data to the Gatekeeper 36. Although nominally aimed at understanding a variety of the external Sources 34, the Reader 32 can also handle threat intelligence produced by predictive or investigative routines within our system. This allows patterns produced by the analytics engine to be used automatically.
  • The Filter 38 compares each piece of threat intelligence in the incident database to the data associated with each of the customer's enterprise security devices or tools 52. It has a modular design analogous to that of the Reader 32, allowing the system 10 to easily support a number of enterprise security devices. When suspicious events are found, these are passed to the Investigator, which researches additional details. Detailed incidents are then passed from the Investigator through the Filter to the incident database.
  • FIG. 4 illustrates a process 100 or sequence of actions carried out by the Threat Intelligence subsystem 30.
  • The Reader 32 initially gathers data 102 from a wide variety of threat intelligence sources, including commercial and open-source feeds as well as suspicious patterns identified by the Analytics subsystem 44 or specified by the analysts or customers through the appropriate portal 46, 48.
  • The Reader 32 includes software that normalizes the data by putting it in a common format, as earlier described. This normalization 18, described with reference to FIG. 1, includes an initial believability based only on the past performance of the relevant source of the Intel.
  • The Gatekeeper 36 then reviews 104 the gathered intelligence and compares it to past incidents and other rules described by the Analytics subsystem 44.
  • The Filter 38 acquires the indicators from the manager and sorts 108 the indicators by severity and believability. Each of a customer's security tools is queried, and centralized watch lists may be automatically generated which are then pushed out to the relevant security tools. When either the queries or watch lists generate a result, the resulting event is passed to Investigator 40, which component of the Threat
  • Additional threat descriptors can be added into the customer's local database. These descriptors may be generated either from specific non-standard signatures in the incident database, or based on expected and typical use of the customer's machines. Once these additional signatures have been put in place, the customer will shift to a steady-operation mode.
  • FIG. 6 illustrates much the same information and process as the Add
  • FIGS. 7 and 8 illustrate much of the same processes, but for different results at the Gatekeeper 36.
  • A Signature comes in from an intel source and (after normalization) is passed to the Gatekeeper 36, where the Gatekeeper determines the believability of the input data based on some or all of the following factors: 1) historical / assumed believability of the intel source; 2) if the new signature matches any existing incident reports, it should appear more often in True-Positive reports and less often in False-Positive reports; 3) explicit whitelist or probably-okay rules will compete with the Threat Signature; 4) overly-broad signatures that trigger on very broad data sets are likely bad; 5) signatures that duplicate ones already in the database will not be inserted, but may alter the severity and believability associated with the existing Threat Signatures. These criteria will help set the new Signature's
  • The Gatekeeper will either trust the signature and add it to the central database, or request human review of the Signature. After human review, the new threat will either be discarded (case not shown), or added to the incident and customer databases.
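The Reader, Gatekeeper and Filter sequence described above (per-source reader modules that normalize feeds into a common format with an initial believability taken only from the source's past performance, the five Gatekeeper factors refining that believability, and the Filter ranking trusted indicators by severity and believability into per-tool watch lists), as an added example in Python. This is not code from the patent or from Foreground Security; the two feed formats, source names, source history, past incidents, whitelist, scoring weights, the trust/review thresholds (0.7 and 0.3) and the indicator-kind-to-tool mapping are all constructed assumptions.

```python
import csv
import io
from dataclasses import dataclass

# Assumed per-source track record: (true positives, false positives) from past analyst verdicts.
SOURCE_HISTORY = {"feed_a": (40, 10), "feed_b": (5, 20)}

# Constructed sample feeds in two different native formats.
FEED_A_CSV = """indicator,type,tags
203.0.113.7,ip,scanner
evil.example,domain,phishing
cdn.example,domain,c2
"""
FEED_B_JSON = [
    {"ioc": "203.0.113.7", "kind": "ipv4", "label": "bruteforce"},
    {"ioc": "198.51.100.9", "kind": "ipv4", "label": "c2"},
    {"ioc": "*.example", "kind": "domain", "label": "suspicious"},
]
KIND_MAP = {"ip": "ip", "ipv4": "ip", "domain": "domain"}   # normalize vocabulary

# Constructed incident history: (indicator value, analyst judged it a true positive?).
PAST_INCIDENTS = [("203.0.113.7", True), ("203.0.113.7", True),
                  ("203.0.113.7", False), ("198.51.100.9", True)]
WHITELIST = {"cdn.example"}                                   # assumed probably-okay rule
TOOL_FOR_KIND = {"ip": "firewall", "domain": "dns_sinkhole"}  # assumed tool mapping


@dataclass
class Indicator:
    value: str
    kind: str          # normalized: "ip" or "domain"
    source: str
    tags: list
    believability: float = 0.0
    severity: float = 0.5   # assumed default; the feeds here carry no severity


def initial_believability(source):
    """Factor 1: believability from the source's past performance only (Laplace-smoothed)."""
    tp, fp = SOURCE_HISTORY.get(source, (0, 0))
    return (tp + 1) / (tp + fp + 2)


def read_feed_a(text):
    """Reader module for the CSV source; one small module per feed keeps additions cheap."""
    for row in csv.DictReader(io.StringIO(text)):
        yield Indicator(row["indicator"], KIND_MAP[row["type"]], "feed_a", [row["tags"]])


def read_feed_b(records):
    """Reader module for the JSON-style source."""
    for r in records:
        yield Indicator(r["ioc"], KIND_MAP[r["kind"]], "feed_b", [r["label"]])


def reader():
    """Normalize every source into Indicator objects and stamp the initial believability."""
    for ind in list(read_feed_a(FEED_A_CSV)) + list(read_feed_b(FEED_B_JSON)):
        ind.believability = initial_believability(ind.source)
        yield ind


def is_overly_broad(ind):
    """Factor 4: wildcard domains and /8 networks would match far too much traffic."""
    return ind.value.startswith("*") or ind.value.endswith("/8")


def gatekeeper(ind, db, incidents=PAST_INCIDENTS, whitelist=WHITELIST):
    """Refine believability per factors 2-5 and return trusted / review / discarded / duplicate."""
    b = ind.believability
    verdicts = [tp for value, tp in incidents if value == ind.value]
    if verdicts:                                  # factor 2: blend with observed TP ratio
        b = (b + sum(verdicts) / len(verdicts)) / 2
    if ind.value in whitelist:                    # factor 3: whitelist competes with the signature
        b *= 0.2
    if is_overly_broad(ind):                      # factor 4
        b *= 0.5
    key = (ind.kind, ind.value)
    if key in db:                                 # factor 5: do not insert, but corroborate
        existing = db[key]
        existing.believability = 1 - (1 - existing.believability) * (1 - b)  # noisy-OR
        existing.severity = max(existing.severity, ind.severity)
        return "duplicate"
    ind.believability = b
    if b >= 0.7:
        db[key] = ind
        return "trusted"
    if b >= 0.3:
        return "review"                           # hand to a human analyst
    return "discarded"                            # too likely to generate false positives


def filter_watchlists(db):
    """Filter step: rank trusted indicators and build one watch list per security tool."""
    ranked = sorted(db.values(), key=lambda i: i.severity * i.believability, reverse=True)
    lists = {}
    for ind in ranked:
        lists.setdefault(TOOL_FOR_KIND[ind.kind], []).append(ind.value)
    return lists


def run_pipeline():
    db = {}
    decisions = [(ind.source, ind.value, gatekeeper(ind, db)) for ind in reader()]
    return db, decisions


if __name__ == "__main__":
    db, decisions = run_pipeline()
    for source, value, decision in decisions:
        print(f"{source:7s} {value:15s} -> {decision}")
    print(filter_watchlists(db))
```

With the constructed data the same IP arriving from both feeds is inserted once and its believability rises through corroboration, the whitelisted domain and the wildcard are discarded, and the low-reputation source's indicator with one confirmed past incident lands in the human-review queue rather than being trusted or dropped outright.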
  • FIGS. 9, 10 and 1 1 illustrate multiple workflows for an analyst using the automated SOC system.
  • the analyst-paced version is the one that is closest to the operation of the analyst portal.
  • Analyst-Dominated is the version, which is closest to the workflow in the majority of security operation centers.
  • the AutoSOC / portal and Threat Intel is responsible for recording Incidents and maintaining the threat database.
  • AutoSOC also communicates with the IDS appliances (called "Log & Packet Parsers" here) to find and prioritize events.
  • the analyst works quasi-independently of AutoSOC, finding incidents and events of interest on his own initiative.
  • the analyst works on one event at a time, and when he finishes one incident, AutoSOC automatically hands him the highest-priority incident.
  • AutoSOC-Driven workflow the automated system not only chooses the next event for an analyst, but can decide that sufficiently important / high-priority events can override the Analyst's current activity. In such a case, AutoSOC would store the Analyst's work and insist that the human work on the high-priority item.
  • FIG. 12 illustrates a view of a sequence of calls between the analysts, the Filter subproject of Threat Intelligence, and the customer's enterprise security devices.
  • FIG. 14 illustrates responsibilities and flow of data and requests as an incident report is processed.
  • the Analyst initializes actions by asking the Analyst Portal 46 to present a particular incident from a list.
  • the analyst queries the Customer's security tools 52 to get more information about the incident.
  • the report is finished, the analyst stores it in the customer's database via the Analyst Portal 46. Later, the Customer can view the incidents via the Customer Portal 48.
  • FIG. 19 illustrates one analytics subsystem 24 and a relationship to other subsystems operable within the system 10.
  • the core of the analytics 24 is an engine including a collection of Machine-Learning Tools 54.
  • the machine learning tools 54 work by making predictions based on internal models. By way of example, as data is fed into the subsystem 24, the machine learning tools 54 compare their predictions to actual data and revise operating models accordingly.
  • the feedback may come from any of the other portions of the automated threat detection and mitigation system 10, and is organized into a large database.
  • Each of the machine-learning tools 54 is aimed at answering a specific question. As feedback optimizes machine-learning algorithms, these questions can be answered more accurately.
  • Adaptation 58 asks questions analogous to those of customer-specific adaptation 56, but spread across all Foreground™ customers, by way of example.
  • Baselining 60 constructs profiles for normal activity associated with particular customer machines and external sites. Typical patterns may involve time, file size, and pairings between users, files, internal machines, and external machines. Measuring and modeling these patterns can help identify unusual activity and unusual users.
  • Incident Analysis 62 uses detailed information from the Investigator 40 and the customer's enterprise security devices or tools 52, earlier described with reference to FIG. 3. Each datum collected from these tools 52 can be compared to historical models established by the Baselining 60 process, and compared to data made available from the ongoing Data Gathering 45 and HoneyTrap 20 operations.
  • Predictive Tools 64 attempt to answer questions such as "Would a human Analyst judge this incident to be a false positive?", "When are attacks most likely?", and "Which external events are most often correlated with each type of attack?"
  • An Analytics Database 66 links to or replicates much of the information involved in the Threat Intelligence subsystem 30, including full incident records (including the Analysts' reports and feedback information). It also holds the customers' baselining information, so that it can work from what it knows about the usual flows of information, asset management, times at which particular sites are most accessed, etc.
  • the analytics database will serve as a repository for external financial, security, and political information, which may be useful in predicting either the timing, or nature of attacks and which may be useful for providing context to incident response.
  • the data in the Analytics Database 66 can be described in terms of a number of Properties or Dimensions, which correspond roughly to computer data types. Different Dimensions lend themselves to different sorts of statistical analysis, and this information will be included in the description of each available Dimension.
  • a large number of Pupils will be present, each of which is a particular machine-learning algorithm aimed at answering a particular question.
  • Each Pupil includes all the information necessary to describe its algorithm. This information includes the Dimensions used by the algorithm, the general class of algorithm, and per- algorithm choices such as Distance Metric.
  • a smaller number of Teachers will be available, each of which is dedicated to answering a specific human-posed Question about the analytic database and cyber security.
  • the Teacher manages all the Pupils who share that Question.
  • the Teachers will have metrics which can be used to grade how well each Pupil has done at answering the question in the past, including number of correct answers, as well as the time and memory necessary for each Pupil to work.
  • a computer readable medium may be a computer readable signal medium or a computer readable storage medium.
  • a computer readable storage medium may be, by way of non-limiting example, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing.
  • Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, and the like, or any suitable combination thereof.
  • Computer program code for carrying out operations for aspects of various embodiments may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the C programming language or similar programming languages.
  • the program code may also be written in a specialized language.
  • the program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server.
  • the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (by way of non-limiting example, through the Internet using an Internet Service Provider).
  • LAN: local area network
  • WAN: wide area network
  • ISP: Internet Service Provider

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)

Abstract

A managed security and risk assessment system for network users provides security services that address formidable cyber threats, malware creation and phishing techniques. Automated solutions, in combination with human-driven solutions, establish a permanent alert posture for anticipation, mitigation, discovery and incident response. A preventive, intelligence-driven and customized approach protects network users. Threat assessments are carried out before and after an intrusion. Cyber threats are identified before a resulting network problem occurs, and automated analysis locates the threats and prevents them from having a harmful effect. A person can focus on the overall picture instead of watching every potential problem area. Disruptive patterns can be reviewed in the network environment to identify problems. Cyber analysis is performed to provide a point of comparison over time through statistically proven, predictive models that anticipate the vulnerabilities brought about by social media use, web browsing and other behaviours that invite risk.
PCT/US2014/020673 2014-03-05 2014-03-05 Automated internet threat detection and mitigation system and associated methods WO2015134008A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2014/020673 WO2015134008A1 (fr) 2014-03-05 2014-03-05 Automated internet threat detection and mitigation system and associated methods

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2014/020673 WO2015134008A1 (fr) 2014-03-05 2014-03-05 Automated internet threat detection and mitigation system and associated methods

Publications (1)

Publication Number Publication Date
WO2015134008A1 (fr) 2015-09-11

Family

ID=54055670

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2014/020673 WO2015134008A1 (fr) 2014-03-05 2014-03-05 Automated internet threat detection and mitigation system and associated methods

Country Status (1)

Country Link
WO (1) WO2015134008A1 (fr)

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017011833A1 (fr) * 2015-07-16 2017-01-19 Canfield Raymond Electronic security system and method using intelligent agents
US10142365B2 (en) 2016-01-22 2018-11-27 The Boeing Company System and methods for responding to cybersecurity threats
US10313382B2 (en) 2016-03-29 2019-06-04 The Mitre Corporation System and method for visualizing and analyzing cyber-attacks using a graph model
US10318350B2 (en) 2017-03-20 2019-06-11 International Business Machines Corporation Self-adjusting environmentally aware resource provisioning
CN110140125A (zh) * 2016-12-30 2019-08-16 Microsoft Technology Licensing, LLC Threat intelligence management in a security and compliance environment
CN111277560A (zh) * 2019-12-24 2020-06-12 Pushi (Nanjing) Intelligent Technology Co., Ltd. Security intelligence collection, import and compilation method and system based on high-bandwidth physically isolated one-way transmission
CN111339398A (zh) * 2019-12-19 2020-06-26 Hangzhou DBAPPSecurity Co., Ltd. Diversified big-data intelligence analysis system and analysis method
US10785258B2 (en) 2017-12-01 2020-09-22 At&T Intellectual Property I, L.P. Counter intelligence bot
CN112560020A (zh) * 2021-02-19 2021-03-26 Peng Cheng Laboratory Threat attack detection method and apparatus, terminal device and storage medium
CN112839036A (zh) * 2020-12-30 2021-05-25 PLA Strategic Support Force Information Engineering University Software runtime environment generation method and system based on mimic defense theory
US11204997B2 (en) * 2016-02-26 2021-12-21 Cylance, Inc. Retention and accessibility of data characterizing events on an endpoint computer
CN113835988A (zh) * 2021-11-29 2021-12-24 Hangyin Consumer Finance Co., Ltd. Indicator information prediction method and system
CN114070812A (zh) * 2016-10-21 2022-02-18 Allstate Insurance Company Systems and methods for digital safety and account discovery
CN114338349A (zh) * 2021-12-27 2022-04-12 Beijing Topsec Network Security Technology Co., Ltd. Threat analysis method and apparatus, electronic device and storage medium
CN114567497A (zh) * 2022-03-04 2022-05-31 Nanjing Liancheng Technology Development Co., Ltd. Collaborative centralized security management and control system
CN114884703A (zh) * 2022-04-19 2022-08-09 Nanjing University of Aeronautics and Astronautics Advanced persistent threat detection method based on threat intelligence and a message-passing model
CN115842685A (zh) * 2023-02-21 2023-03-24 Beijing ThreatBook Technology Co., Ltd. Threat intelligence generation method and apparatus, electronic device and storage medium
CN117093951A (zh) * 2023-10-16 2023-11-21 Beijing Antiy Network Security Technology Co., Ltd. Threat intelligence merging method and apparatus, electronic device and storage medium
US11831420B2 (en) 2019-11-18 2023-11-28 F5, Inc. Network application firewall
US11895131B2 (en) 2016-05-10 2024-02-06 Allstate Insurance Company Digital safety and account discovery
CN117792794A (zh) * 2024-02-23 2024-03-29 Guizhou Huayi Liansheng Technology Co., Ltd. Network threat intelligence analysis method, device and system
CN117792794B (zh) * 2024-02-23 2024-04-26 Guizhou Huayi Liansheng Technology Co., Ltd. Network threat intelligence analysis method, device and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120323558A1 (en) * 2011-02-14 2012-12-20 Decisive Analytics Corporation Method and apparatus for creating a predicting model
US20130117848A1 (en) * 2011-11-03 2013-05-09 Ali Golshan Systems and Methods for Virtualization and Emulation Assisted Malware Detection
US20130254838A1 (en) * 2009-03-25 2013-09-26 Ratinder Ahuja System and method for data mining and security policy management
US20130312101A1 (en) * 2002-10-01 2013-11-21 Amnon Lotem Method for simulation aided security event management
US20140007238A1 (en) * 2012-06-29 2014-01-02 Vigilant Inc. Collective Threat Intelligence Gathering System

Cited By (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017011833A1 (fr) * 2015-07-16 2017-01-19 Canfield Raymond Electronic security system and method using intelligent agents
US10142365B2 (en) 2016-01-22 2018-11-27 The Boeing Company System and methods for responding to cybersecurity threats
US11204997B2 (en) * 2016-02-26 2021-12-21 Cylance, Inc. Retention and accessibility of data characterizing events on an endpoint computer
US10313382B2 (en) 2016-03-29 2019-06-04 The Mitre Corporation System and method for visualizing and analyzing cyber-attacks using a graph model
US11895131B2 (en) 2016-05-10 2024-02-06 Allstate Insurance Company Digital safety and account discovery
CN114070812B (zh) * 2016-10-21 2023-10-03 Allstate Insurance Company Systems and methods for digital safety and account discovery
CN114070812A (zh) * 2016-10-21 2022-02-18 Allstate Insurance Company Systems and methods for digital safety and account discovery
CN110140125A (zh) * 2016-12-30 2019-08-16 Microsoft Technology Licensing, LLC Threat intelligence management in a security and compliance environment
CN110140125B (zh) * 2016-12-30 2023-07-07 Microsoft Technology Licensing, LLC Method, server and computer-readable memory device for threat intelligence management in a security and compliance environment
US10318350B2 (en) 2017-03-20 2019-06-11 International Business Machines Corporation Self-adjusting environmentally aware resource provisioning
US10929192B2 (en) 2017-03-20 2021-02-23 International Business Machines Corporation Self-adjusting resource provisioning in a managed information-technology environment
US10785258B2 (en) 2017-12-01 2020-09-22 At&T Intellectual Property I, L.P. Counter intelligence bot
US11616808B2 (en) 2017-12-01 2023-03-28 At&T Intellectual Property I, L.P. Counter intelligence bot
US11831420B2 (en) 2019-11-18 2023-11-28 F5, Inc. Network application firewall
CN111339398A (zh) * 2019-12-19 2020-06-26 Hangzhou DBAPPSecurity Co., Ltd. Diversified big-data intelligence analysis system and analysis method
CN111277560A (zh) * 2019-12-24 2020-06-12 Pushi (Nanjing) Intelligent Technology Co., Ltd. Security intelligence collection, import and compilation method and system based on high-bandwidth physically isolated one-way transmission
CN112839036A (zh) * 2020-12-30 2021-05-25 PLA Strategic Support Force Information Engineering University Software runtime environment generation method and system based on mimic defense theory
CN112560020A (zh) * 2021-02-19 2021-03-26 Peng Cheng Laboratory Threat attack detection method and apparatus, terminal device and storage medium
CN113835988B (zh) * 2021-11-29 2022-02-08 Hangyin Consumer Finance Co., Ltd. Indicator information prediction method and system
CN113835988A (zh) * 2021-11-29 2021-12-24 Hangyin Consumer Finance Co., Ltd. Indicator information prediction method and system
CN114338349B (zh) * 2021-12-27 2023-11-10 Beijing Topsec Network Security Technology Co., Ltd. Threat analysis method and apparatus, electronic device and storage medium
CN114338349A (zh) * 2021-12-27 2022-04-12 Beijing Topsec Network Security Technology Co., Ltd. Threat analysis method and apparatus, electronic device and storage medium
CN114567497A (zh) * 2022-03-04 2022-05-31 Nanjing Liancheng Technology Development Co., Ltd. Collaborative centralized security management and control system
CN114884703B (zh) * 2022-04-19 2023-02-28 Nanjing University of Aeronautics and Astronautics Advanced persistent threat detection method based on threat intelligence and a message-passing model
CN114884703A (zh) * 2022-04-19 2022-08-09 Nanjing University of Aeronautics and Astronautics Advanced persistent threat detection method based on threat intelligence and a message-passing model
CN115842685B (zh) * 2023-02-21 2023-05-05 Beijing ThreatBook Technology Co., Ltd. Threat intelligence generation method and apparatus, electronic device and storage medium
CN115842685A (zh) * 2023-02-21 2023-03-24 Beijing ThreatBook Technology Co., Ltd. Threat intelligence generation method and apparatus, electronic device and storage medium
CN117093951A (zh) * 2023-10-16 2023-11-21 Beijing Antiy Network Security Technology Co., Ltd. Threat intelligence merging method and apparatus, electronic device and storage medium
CN117093951B (zh) * 2023-10-16 2024-01-26 Beijing Antiy Network Security Technology Co., Ltd. Threat intelligence merging method and apparatus, electronic device and storage medium
CN117792794A (zh) * 2024-02-23 2024-03-29 Guizhou Huayi Liansheng Technology Co., Ltd. Network threat intelligence analysis method, device and system
CN117792794B (zh) * 2024-02-23 2024-04-26 Guizhou Huayi Liansheng Technology Co., Ltd. Network threat intelligence analysis method, device and system

Similar Documents

Publication Publication Date Title
US9258321B2 (en) Automated internet threat detection and mitigation system and associated methods
WO2015134008A1 (fr) Automated internet threat detection and mitigation system and associated methods
US11546360B2 (en) Cyber security appliance for a cloud infrastructure
US10887330B2 (en) Data surveillance for privileged assets based on threat streams
Apruzzese et al. The role of machine learning in cybersecurity
Kaur et al. Artificial intelligence for cybersecurity: Literature review and future research directions
US10021127B2 (en) Threat indicator analytics system
EP2955894B1 (fr) Deception network system
US20230208869A1 (en) Generative artificial intelligence method and system configured to provide outputs for company compliance
US20230164158A1 (en) Interactive artificial intelligence-based response loop to a cyberattack
Arfeen et al. Endpoint detection & response: A malware identification solution
US20240031380A1 (en) Unifying of the network device entity and the user entity for better cyber security modeling along with ingesting firewall rules to determine pathways through a network
WO2023283357A1 (fr) Intelligent prioritization of assessment and remediation of common vulnerabilities and exposures for network nodes
US20210084061A1 (en) Bio-inspired agile cyber-security assurance framework
US11651313B1 (en) Insider threat detection using access behavior analysis
Islam Application of artificial intelligence and machine learning in security operations center
Ahmadi et al. Normalization of severity rating for automated context-aware vulnerability risk management
Aldea et al. Software vulnerabilities integrated management system
US20230403294A1 (en) Cyber security restoration engine
US20240098114A1 (en) System and Method for Identifying and Managing Cybersecurity Top Threats
US20240095350A1 (en) Threat management system for identifying and performing actions on cybersecurity top threats
US20240098100A1 (en) Automated sandbox generator for a cyber-attack exercise on a mimic network in a cloud environment
US20230252138A1 (en) Cybersecurity workflow management using autodetection
US20240045990A1 (en) Interactive cyber security user interface
US20230334388A1 (en) Cybersecurity operations center load balancing

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14884617

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14884617

Country of ref document: EP

Kind code of ref document: A1