WO2017078648A1 - Method for calculating reputation of information and information source to be used in a security operation center - Google Patents
- Publication number: WO2017078648A1 (PCT application PCT/TR2016/050425)
- Authority: WO (WIPO, PCT)
- Prior art keywords: information, reputation, report, sources, degree
Classifications
- H: Electricity
- H04: Electric communication technique
- H04L: Transmission of digital information, e.g. telegraphic communication
- H04L63/00: Network architectures or network communication protocols for network security
- H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
Definitions
- If a report of black or a gray tone closer to black is given for the threat data (DataT) by any information source (1) (the information source (1) may say "yes, this is a threat", or indicate a colour code meaning "yes, it looks like a threat, but I am not sure"), then:
- The reputation of an information source (1) is calculated by adding all the credits it has obtained under the calculation method described above across all the information it has reported, the number of threat data reports it has reported first (if present), and its previous reputation value (if present).
- The information reputation is calculated by adding, for each information source (1) that has given a report, the product of that source's reputation and the value corresponding to the report degree it gave.
- The reputations of the information and the information sources (1) are calculated as disclosed above, and output is formed by turning them into a format suitable for the cyber security products.
Abstract
The invention relates to a method for calculating the reputation of information and of information sources (1), to be used in a scalable Security Operation Center (SOC) that provides a significant infrastructure for the prevention of cyber attacks and can be flexibly adapted to the needs of institutions.
Description
METHOD FOR CALCULATING REPUTATION OF INFORMATION AND INFORMATION SOURCE TO BE USED IN A SECURITY OPERATION CENTER
The Related Art
The invention relates to a scalable Security Operation Center (SOC) architecture that provides a significant infrastructure for the prevention of cyber attacks and can be flexibly adapted to the needs of institutions.
The Prior Art
A security operation center has three components and a life cycle. These are:
· Cyber Security Solutions: a component that can be found both inside and outside an institution, provides information, and generates log records.
· Information Gathering, Analysis, and Distribution: a component where the gathered information is processed, relationships are determined, prioritized, and turned into intelligence.
· Cyber Security Services: a component to which the obtained intelligence is presented and turned into a report, and which provides information back to the cyber security solutions.
Security teams operating both open source security operation centers and commercial solutions frequently confuse the concepts of information and intelligence. This confusion leads to two significant problems: alarm overload and false positives.
The second significant problem encountered by security teams is the lack of accurate and actionable intelligence; in other words, the lack of intelligence that can prioritize and respond to present and newly emerging threats and support decision making.
The third significant problem is the reliability of the sources providing threat notifications. Sources may be malicious and/or inadequate.
Application No. WO2012164336A1, found during technical research, relates to the distribution and processing of cyber threat intelligence in communication networks. Application No. US8407791B2 discloses an integrated cyber network security system and method.
Application No. US20130247201A1, also found during technical research, relates to a system and method for malicious software and network reputation correlation. Application No. CA2747584A1 discloses a system and method for the generation and elimination of cyber threat intelligence.
These patents on security operation center solutions intend to solve the problems given above. However, none of them forms a chain of trust or provides an approach that accounts for the significance of information source reputation.
As a result, the drawbacks described above and the inadequacy of the prior art solutions on the subject have necessitated an improvement in the related technical field.
Purpose of the Invention
The invention is inspired by the prior art situation and aims to solve the problems described above.
The main motivation of the invention is that "cyber threat data/information is important, and at the same time the source of the information is also important". A security operation center is needed that reduces alarm overload and false positives, provides accurate and actionable intelligence, and proves the reliability of its sources. For this purpose, a solution with the following characteristics is needed.
1. Both the information and the information source need a chain of trust, and trust models need to be formed. Threat information should have a reputation value, and this value should be correlated with the reputation of the information source.
2. A chain of credibility and trust needs to be formed between the information sources.
This trust environment provides a deterrent structure that discourages information sources from acting maliciously. In addition, it exposes problems with the sources, such as missing configuration or lack of capability. In this way, the institutions that own the sources can be presented with reports to support threat-preventive measures.
The structural and characteristic features of the invention and all of its advantages shall be understood better with the figures and the detailed description given below in reference to the figures, and therefore, the assessment should be made by taking into account the said figures and detailed explanations.
Figures for Better Understanding of the Invention
Figure 1: A Network Example
Figure 2: A Security Operation Center Example
Figure 3: A Security Operation Center Using Information Source Reputation
Figure 4: Calculation of the Information Source Reputation Value
Figure 5: Operation of a Security Operation Center Using Information Source Reputation
Figure 6: Reputation Calculation Methods Flow Diagram for Security Operation Center
The drawings are not necessarily to scale, and details not needed to understand the present invention may be omitted. Components that are at least broadly equal, or have at least broadly equal functions, are shown with the same number.
Description of Parts References
100. Network-1
101. Security product-1
110. Internet network-1
200. Network-2
201. Security product-2
300. Network-3
301. Security product-3
310. Internet network-2
400. Network-4
401. Security product-4
500. Security Operation Center
501. Information gathering process
502. Information processing process
503. Reputation Calculation and Intelligence Distribution Process
503.1. Determination of risks
503.2. Prioritization
503.3. Determination of information reputation
503.4. Security event reporting
503.5. Calculation of information/intelligence reputation
1. Data source
2. Information Gathering Unit
3. Information Reading, Arranging, and Classification Unit
4. Information and Information Sources Reputation Calculation Unit
5. Output Unit
Detailed Description of the Invention
In this detailed description, the preferred embodiments of the invention are disclosed only for a better understanding of the subject, without any limiting effect.
According to Figure 1, network-1 (100) can comprise a security product-1 (101). This security product-1 (101) may be a network firewall, a web application firewall, or a VoIP firewall. Security product-1 (101) can protect the devices in network-1 (100) against harmful programs and attacks, and block suspicious ports and messages. Security product-1 (101) can allow or block traffic coming from internet network-1 (110), depending on whether it holds a list describing the security status of that traffic. Security product-1 (101) can be implemented as hardware, software, or both. Security product-1 (101) keeps information on the threats made against the network-1 (100) it protects, so that it can be configured to be better prepared for subsequent attacks, or can form rules automatically. It can recognise a suspicious internet network-1 (110) component as soon as that component attacks it.
Figure 2 provides an example of a classical security operation center (500). There are separate networks (network-1 (100), network-2 (200), network-3 (300), network-4 (400)) and separate security products (security product-1 (101), security product-2 (201), security product-3 (301), security product-4 (401)) protecting these networks. These security products may be IP firewalls, VoIP firewalls, web application firewalls, IDS, IPS, etc. They generate the logs of the information gathering process (501) (firewall logs, IDS/IPS logs, access logs, system logs, server logs, etc.) and send these logs to the security operation center (500). The different networks and security products seen in the figure may be different networks within a single institution, or the networks of different institutions. The logs gathered at the security operation center (500) by the information gathering process (501) are subjected to the information processing process (502); in other words, they are brought into a common form, processed, their interrelations determined, and analysed. Risks are determined (503.1) as a result of these analyses, and it is decided whether there is a security problem or not. The problems found are prioritized (503.2), and a credit note is given / the information reputation is determined (503.3) according to the size of the threat. The information/intelligence obtained while determining the information reputation (503.3) is shared with the security products in all of the networks, the security event is reported (503.4), and the security products are recommended to form the relevant rules.
Figure 3 shows the security operation center (500) using the reputation of the information source (1). The calculation of information source (1) reputation and information/intelligence reputation (503.5), using machine learning algorithms and/or statistical approaches, is added to the existing security operation center (500) operations. One of the causes of excessive alarms and false positives is the information source (1) being malicious, incapable, or deficiently configured; the possibility of these problems is taken into account here. The approach shown in Figure 4 is used when the reputation value of an item of information/intelligence is calculated (503.5). The reputation of the information sources (1) may increase or decrease the reputation value of the information/intelligence.
The reputation of the information sources (1) is as important an output for institutions as the value of the information/intelligence reputation. Through it, an institution learns about its deficiencies, the adequacy of its product, and whether the product is being steered by a harmful product. A chain of trust is established in calculating the information source (1) reputation, and the sample approach shown in Figure 5 is used according to this chain. The flow diagram of the reputation calculation methods for a security operation center (500) using information source (1) reputation, developed for achieving the purposes of the present invention, is shown in Figure 6.
The invention is a method for calculating the reputation of information and of information sources (1), and it comprises a system comprising:
· an information source (1) (cyber security products such as firewalls, IPS, IDS, etc.) developed by different producers and operating in different institutions, providing any threat information,
· an information gathering unit (2) that gathers the information provided by the information source (1) by means of at least one cyber security service (web service, APIs),
· an information reading, arranging, and classification unit (3) that arranges (normalizes) the gathered information and classifies it using machine learning and statistical methods,
· an information and information sources reputation calculation unit (4) that calculates/determines the reputation of the information and of the information sources (1),
· an output unit (5) that forms the results for the security operation center (500) and the output for the cyber security products contributing to the ecosystem,
and a method performed by this system, comprising the operation steps of:
a. gathering of the threat information and the information source (1) information from the information source (1) by the information gathering unit (2),
b. transmission of the gathered information to the information reading, arranging, and classification unit (3),
c. arrangement (normalization) of the information from step "b" by the information reading, arranging, and classification unit (3), and classification of the information using machine learning and statistical methods,
d. transmission of the information classified in step "c" to the information and information sources reputation calculation unit (4) by the information reading, arranging, and classification unit (3),
e. for the calculation of the reputation of information and information sources (1), calculation of the information source (1) reputation by the information and information sources reputation calculation unit (4) using the threat information and the information about the information sources (1),
provided that N is the number of information sources (1) and {DR1, DR2, DR3, ..., DRN} are the information sources (1):
• DR1 gives a high degree danger report for the incoming threat information, in accordance with the size of the threat,
• as a cost of taking responsibility, the credit of DR1 is decreased in proportion to the degree of the given report,
• if a high degree danger report is given by any other information source (1) (DRN) for said threat information, then:
- the credit of DR1 is increased in proportion to the degree of the given report,
- as a cost of taking responsibility, the credit of DRN is decreased in proportion to the degree of the given report,
- the credit of every information source (1) that gave a high degree danger report is increased in proportion to the degree of the report it gave,
- the credit of every information source (1) that gave a low degree danger report is decreased in proportion to the degree of the report it gave,
• if a low degree danger report (that is to say, "not dangerous") is given by any other information source (1) (DRN) for said threat information, then:
- the credit of DR1 is decreased in proportion to the degree of the given report,
- as a cost of taking responsibility, the credit of DRN is decreased in proportion to the degree of the given report,
- the credit of every information source (1) that gave a high degree danger report is decreased in proportion to the degree of the report it gave,
- the credit of every information source (1) that gave a low degree danger report is increased in proportion to the degree of the report it gave,
• addition of the DR1 credit values obtained at the end of each report-degree-giving operation performed by the information sources (1), and calculation of the DR1 reputation using the number of first-notification threat information reports (if present) and the previous reputation value of DR1 (if present),
• addition of the DRN credit values obtained at the end of each report-degree-giving operation performed by the information sources (1), and calculation of the DRN reputation using the number of first-notification threat information reports (if present) and the previous reputation value of DRN (if present),
f. following the calculation of the information source (1) reputations, calculation of the information reputation by the information and information sources reputation calculation unit (4) using the results obtained in step "e":
• calculation of the reputation value of the relevant information by adding, for each information source (1) that gave a report, the product of its reputation and the value corresponding to the report degree it gave,
g. transmission of the obtained reputation results for the information and the information sources (1) by the information and information sources reputation calculation unit (4) to the output unit (5).
The operating principle of the present invention basically comprises gathering of threat data and information source (1) information provided by various cyber security products acting as information sources (1) via tools such as web services or APIs; reading, arranging (normalization), and classification of the gathered information using machine learning and statistical methods; calculation of the reputation of the information and information sources (1); and formation of output.
Calculation of the reputation of information and information sources (1) starts when the threat data/information and the information source (1) information enter the information and information sources reputation calculation unit (4). The reputations of the information sources (1) are calculated with the following method.
In this preferred embodiment of the invention,
• Threat information/data: DataT (Threat Data)
• Information sources (1) giving a report about the threat data/information: {DR1, DR2, DR3, ..., DRN} (N is the number of information sources (1)) (DR = Data Resource)
• Report types: black, white, tones of gray closer to black, and tones of gray closer to white.
The purpose of the rules given below is to form a chain of responsibility that forces information sources (1) to provide correct information.
For threat information/data DataT, a report is given stating black or a tone of gray closer to black. These colours are the colour values given according to the size of the threat. DR1 gives black if it is 100% sure that the information is a threat, and gives a tone of gray closer to black if it is not 100% sure. If we assume that gray has 50 tones, at least 25 of these are gray tones closer to black. DR1 previously does not have any information about this threat; therefore, it can be considered the source that provides the first threat data. Considering the whole system, the threat data is ultimately distributed to all information sources (1) fed by this security operation center (500).
As the cost of taking responsibility, the credit of DR1 is decreased in proportion to the degree of the given report. That is to say, the information source (1) takes on a responsibility by giving a report. The purpose of the system is to prevent malicious information sources (1) from providing misleading information. While a well-intentioned information source (1) can reduce and compensate for this cost in a short time, it would be quite hard for an ill-intentioned information source.
The reputation of the information source (1) giving the first report about the threat data/information is calculated as the sum of the credits it has received as a result of each report. For each report given about threat data, the information source earns a positive or negative credit value. Its reputation is the sum of all the credits it has received.
For example, the basis of the credit function can be considered as the distribution of an "x" value among all participating information sources (1) for each report. That is to say, in the second report about the threat data, this x value is distributed between the two sources. The distribution of the x value is made in proportion to the tone (colour tone) of the report given.
DR1 shares a threat data. As a result of this sharing, it earns a credit of (-x/(n+1)); if x=1, it earns a responsibility credit of -0.5. A report is then given about the relevant threat data by a second information source (1), and this report also says "yes, this is a threat". Therefore, there are two sources and two reports. As in the example above, the x value is distributed between these two information sources (1). Since the second information source (1) confirmed the first information source (1) with this shared information, the credit of the first information source (1) increases, and the credit of the second information source (1) decreases a little due to the cost of taking responsibility. That is to say, DR1 gains 2x/3 while DR2 gains (-x/3) credit. As a result of this report, DR1 has two credits.
If a report of black or a gray tone close to black is given for the threat data (DataT) by any information source (1) (the information source (1) may say "yes, this is a threat", or indicate a colour code by saying "yes, it looks like a threat, but I am not sure"), then:
• The credit of DR1 is increased in proportion to the degree of the given report.
• As the cost of taking responsibility, the credit of DRN is decreased in proportion to the degree of the given report.
• The credits of all information sources (1) that have given a report of black or a tone of gray closer to black are increased in proportion to the tone of the report given by DRN.
• The credits of all information sources (1) that have given a report of white or a tone of gray closer to white are decreased in proportion to the tone of the report given by DRN.
If a report of white or a gray tone close to white is given for the threat data (DataT) by any information source (1), then:
• The credit of DR1 is decreased in proportion to the degree of the given report.
• As the cost of taking responsibility, the credit of DRN is decreased in proportion to the degree of the given report.
• The credits of all information sources (1) that have given a report of black or a tone of gray closer to black are decreased in proportion to the tone of the report given by DRN.
• The credits of all information sources (1) that have given a report of white or a tone of gray closer to white are increased in proportion to the tone of the report given by DRN.
The reputation of the information source (1) is calculated by adding all the credits it has obtained according to the calculation method described above over all the information it has reported, the number of threat data reports it reported first (if present), and its previous reputation value (if present).
The information reputation is calculated by adding the values obtained by multiplying the reputation of each information source (1) that has given a report by the value corresponding to the report degree it gave.
The reputations of the information and information sources (1) are calculated as disclosed above, and the output is formed by converting these into a format suitable for cyber security products.
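As an added example, not part of the patent, the following Python ledger implements the credit rules described above (and restated in claims 2 and 3): the reporter always pays a responsibility cost, each later report moves the first reporter and every earlier source according to whether they agreed, and the information reputation is the degree-weighted sum of source reputations. The text fixes only proportionality, so the share x/(k+1) per report (k = sources involved so far) and the signed mapping of colour tones to degrees are this example's assumptions; they reproduce the text's -x/2, 2x/3 and -x/3 figures.

```python
from dataclasses import dataclass, field

# Report degree as a signed value in [-1, 1]: +1 = black (certain threat),
# (0, 1) = gray closer to black, (-1, 0) = gray closer to white, -1 = white.
# The sign selects the "high"/"low" danger branch of the rules; the magnitude
# is the degree the credits scale with. This mapping is an assumption.


@dataclass
class ThreatLedger:
    """Credit ledger for one threat datum (DataT), reports kept in arrival order."""
    x: float = 1.0                                 # value distributed per report
    prior: dict = field(default_factory=dict)      # previous reputation per source, if any
    reports: list = field(default_factory=list)    # [(source, degree), ...]
    credit: dict = field(default_factory=dict)     # source -> credit accumulated here

    def _bump(self, src, delta):
        self.credit[src] = self.credit.get(src, 0.0) + delta

    def report(self, src, degree):
        """Apply one report and update every involved source's credit."""
        if src in self.credit:
            raise ValueError(f"{src} already reported on this datum")
        if not -1.0 <= degree <= 1.0 or degree == 0.0:
            raise ValueError("degree must be non-zero and within [-1, 1]")
        k = len(self.reports) + 1                  # sources involved after this report
        # Assumed share: x/(k+1), scaled by the degree. This reproduces the
        # text's numbers: -x/2 for the first report, then 2x/3 and -x/3.
        share = self.x * abs(degree) / (k + 1)
        sign = 1.0 if degree > 0 else -1.0         # +1: "this is a threat", -1: "benign"
        self._bump(src, -share)                    # cost of taking responsibility
        if self.reports:
            first = self.reports[0][0]
            self._bump(first, sign * share)        # first reporter: rewarded or penalised
            for earlier, d in self.reports:        # earlier sources: moved by agreement
                self._bump(earlier, sign * share if d > 0 else -sign * share)
        self.reports.append((src, degree))

    def source_reputation(self, src):
        # Previous reputation (if present) plus the credits earned here. The
        # count of data a source reported first is tracked across data, not here.
        return self.prior.get(src, 0.0) + self.credit.get(src, 0.0)

    def information_reputation(self):
        """Sum over reporting sources of reputation x value of the degree given."""
        return sum(self.source_reputation(s) * d for s, d in self.reports)


if __name__ == "__main__":
    ledger = ThreatLedger(x=1.0)
    ledger.report("DR1", 1.0)      # DR1 -> -0.5
    ledger.report("DR2", 1.0)      # DR1 -> 1/6, DR2 -> -1/3
    ledger.report("DR3", -1.0)     # DR3 disputes: DR1 loses 1/2, DR2 loses 1/4
    print(ledger.credit, ledger.information_reputation())
```

With only the two confirming reports the information reputation is already negative (1/6 - 1/3), because fresh sources start with negative credit; prior reputation, supplied through `prior`, is what lets an established source push a datum's reputation up.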
Claims
1. Method for calculating reputation of information and information sources (1) in a security operation center (500) providing infrastructure for prevention of cyber attacks, characterized in that it comprises a system comprising:
• an information source (1) developed by different producers working in different institutions providing any threat information,
• an information gathering unit (2) ensuring gathering of information provided by the information source (1), by means of at least one cyber security service,
• an information reading, arranging, and classification unit (3) ensuring arrangement of the gathered information and classification of the information using machine learning and/or statistical methods,
• an information and information sources reputation calculation unit (4) ensuring calculation/determination of the reputation of the information and information sources (1),
• an output unit (5) ensuring formation of results for the security operation center (500) and formation of output for the cyber security products contributing to the ecosystem, and a method performed by this system, comprising the operation steps of:
a. gathering of the threat information and the information source (1) information in the information source (1) by the information gathering unit (2),
b. transmission of the gathered information to the information reading, arranging, and classification unit (3),
c. arrangement of said information in step "b" by the information reading, arranging, and classification unit (3), and classification of the information by using machine learning and statistical methods,
d. transmission of the information classified in step "c" to the information and information sources reputation calculation unit (4) by means of the information reading, arranging, and classification unit (3),
e. for calculation of the reputation of information and information sources (1), calculation of the information source (1) reputation by means of the information and information sources reputation calculation unit (4) by using the threat information and the information of the information sources (1),
f. following calculation of the information sources (1) reputation, calculation of the information reputation by means of the information and information sources reputation calculation unit (4) by using the results obtained in step "e",
g. transmission of the obtained reputation results of the information and information sources (1) by the information and information sources reputation calculation unit (4) to the output unit (5).
2. The method according to claim 1, characterized in that the operation of calculating the reputation of the information source (1) according to step "e" comprises the following operation steps:
provided that N is the number of information sources (1), {DR1, DR2, DR3, ..., DRN} are the information sources (1);
• DR1 gives a high degree danger report for the incoming threat information, in accordance with the size of the threat,
• as the cost of taking responsibility, the credit of DR1 is decreased in proportion to the degree of the given report,
• if a high degree danger report is given by any information source (1) (DRN) for said threat information, then:
- the credit of DR1 is increased in proportion to the degree of the given report,
- as the cost of taking responsibility, the credit of DRN is decreased in proportion to the degree of the given report,
- the credit of all of the information sources (1) that gave a high degree danger report is increased in proportion to the degree of the report they gave,
- the credit of all of the information sources (1) that gave a low degree danger report is decreased in proportion to the degree of the report they gave,
• if a low degree danger report is given by any information source (1) (DRN) for said threat information, then:
- the credit of DR1 is decreased in proportion to the degree of the given report,
- as the cost of taking responsibility, the credit of DRN is decreased in proportion to the degree of the given report,
- the credit of all of the information sources (1) that gave a high degree danger report is decreased in proportion to the degree of the report they gave,
- the credit of all of the information sources (1) that gave a low degree danger report is increased in proportion to the degree of the report they gave,
• addition of the DR1 credit values obtained at the end of each report degree giving operation performed by the information sources (1), and calculation of the DR1 reputation by using the number of threat data reports reported first (if present), or by using the previous reputation values of DR1 (if present),
• addition of the DRN credit values obtained at the end of each report degree giving operation performed by the information sources (1), and calculation of the DRN reputation by using the number of first notification threat information reports (if present), or by using the previous reputation values of DRN (if present).
3. The method according to claim 2, characterized in that the operation of calculating the reputation of the information comprises the operation step of:
• calculation of the reputation value of the relevant information by means of adding the values obtained by multiplying the reputations of each of the information sources (1) with the values corresponding to the report degrees given by them.
4. The method according to claim 2 or 3, characterized in that said danger degrees include black, white, tones of gray closer to black, and tones of gray closer to white, wherein black means lowest reliability and white means highest reliability.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
TR2015/13876 | 2015-11-05 | |
TR201513876 | 2015-11-05 | |
Publications (1)
Publication Number | Publication Date
---|---
WO2017078648A1 (en) | 2017-05-11
Family
ID=57590779
Family Applications (1)
Application Number | Title | Priority Date | Filing Date
---|---|---|---
PCT/TR2016/050425 WO2017078648A1 (en) | Method for calculating reputation of information and information source to be used in a security operation center | 2015-11-05 | 2016-11-04
Country Status (1)
Country | Link
---|---
WO (1) | WO2017078648A1 (en)
Legal Events
Date | Code | Title | Description
---|---|---|---
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16816441; Country of ref document: EP; Kind code of ref document: A1
| NENP | Non-entry into the national phase | Ref country code: DE
| 122 | Ep: pct application non-entry in european phase | Ref document number: 16816441; Country of ref document: EP; Kind code of ref document: A1