36 results about "Cyber threat intelligence" patented technology

A network-accessible cyber-threat security analytics service is configured to characterize and respond to a description that includes threat indicators (e.g., IOCs), and an initial severity. Enterprises register with the service by providing identifying information, such as industry, geographies, and the like. For each threat indicator, a query is sent to each of a set of one or more security knowledge bases, and at least some of the queries are scoped by the enterprise industry/geo information specified. The knowledge bases may vary but typically include: a managed security service, a cyber threat intelligence service, and a federated search engine that searches across one or more enterprise-connected data sources. Responses to the queries are collected. A response provides an indication whether the threat indicator identified in the query has been sighted in the knowledge base and the frequency. The system then adjusts the initial severity to reflect the indications returned from querying the security knowledge bases.

The invention discloses a network threat intelligence credibility identification method. The method disclosed by the invention comprises the following steps: 1) constructing an association diagram model of network threat intelligence, wherein a node on the diagram is a network threat indicator; 2) each network threat indicator has an initial reputation value, calculating the initial reputation value of each network threat indicator to serve as a part of a final threat reputation value of the indicator; 3) calculating a weight for each edge in the association diagram model; 4) designing a threat propagation algorithm via the idea of a diagram propagation algorithm, so that the threat reputation value is propagated step by step among the nodes and neighboring nodes, and then combining the threat reputation value with the initial reputation value of each network threat indicator to calculate a final reputation value; and 5) determining the network threat intelligence credibility accordingto the final reputation value of the network threat indicator. By adoption of the network threat intelligence credibility identification method disclosed by the invention, the quality of network threat intelligence can be better evaluated.

The invention provides a network threat intelligence sharing platform based on a blockchain smart contract, which is based on an Ethereum underlying architecture, takes network threat intelligence data as data assets, processes the network threat intelligence data through a trustworthy threat intelligence processing module, and with distributed data storage of a blockchain system, through intelligent contract development and design, intelligence sharing of network threat intelligence data on an autonomous peer-to-peer data platform by a data provider and a data purchaser is realized. Threat intelligence credibility evaluation in a unified security sharing network space of network threat intelligence data is realized, the problem of low multi-source data integration quality faced by threatintelligence sharing in the prior art is solved, the satisfaction degree of sharing platform users is increased, and the false alarm rate of threat intelligence security application is reduced.

Methods and systems are disclosed for integrating cyber threat intelligence (CTI), threat metadata, and threat intelligence gateways with analysis systems to form efficient and effective system for active, proactive, and reactive network protection. A network gateway may be composed of multiple stages. A first stage may include a threat intelligence gateway (TIG). A second stage may include one or more cyber analysis systems that ingest TIG-filtered communications and associated threat metadata signals. A third stage may include network protection logic that determines which protective actions. The gateway may be provisioned and configured with rules that specify the network protection policies to be enforced. The gateway may ingest all communications flowing between the protected network and the unprotected network.

The embodiment of the invention provides a network threat intelligence automatic extraction method based on deep learning, which can obtain intelligence source data and judge the data structure type of the intelligence source data. If the data structure type is an unstructured type, inputting the intelligence source data into a pre-trained intelligence entity identification model to obtain each intelligence entity in the intelligence source data, the intelligence entity identification model being a neural network model obtained by training based on preset characters and front and back positionconstraint conditions of the characters by using the intelligence sample data; and according to a preset combination form, combining the information entities to obtain the network threat information.According to the invention, a pre-trained information entity identification model can be used to carry out automatic extraction of network threat information; and the position constraint conditions introduced by the information entity identification model during training limit the front-back position relationship of the characters in the information entity, so that the out-of-order result of theinformation entity is reduced, and the accuracy of network threat information identification is improved.

The invention belongs to the technical field of network security, and particularly relates to a unified control method and system for network security equipment, and the method comprises the followingsteps: generating a network defense strategy according to a received network threat information; judging whether the generated network defense strategy contains local area network information or not,commanding a command and control center to send a request to all the local area network managers, and updating an attribute list of all the managed local area network security devices; generating a corresponding network defense command through security equipment and a command format file thereof specified in the network defense strategy, and sending the network defense command to the local area network security equipment; and using the local area network security device to execute the network defense command and return a response to the command and control center. Various kinds of safety equipment are dynamically and uniformly controlled, the safety equipment comprises an intrusion detection system, a virtual private network and a safety gateway, and rapid defense can be carried out.

The invention relates to a threat intelligence response and disposal method and system based on virtual machine introspection. A threat detection and response module is deployed on a privilege virtualmachine except a detected virtual machine; a virtual machine introspection technology is used for obtaining a port number-transmission layer network protocol-process corresponding relationship in thedetected virtual machine which carries out network communication; the network data package of virtual machine communication is captured and analyzed; a network threat intelligence database is used for judging whether the data package has threats or not; and if the data package has threats, a thread alarm is given, and the obtained corresponding relationship is used for positioning and threateningthe virtual machine process of thread source communication so as to block the process or the port and the like. By use of the method and the system, the threat detection and response module is deployed on the outer part of the detected virtual machine, the detection and response module is effectively protected, meanwhile, process-level network threat detection and response can be finished, existing cloud architecture does not need to be changed, and the method and the system can be conveniently applied to a server of a cloud service provider.

The invention discloses a computer network security situation awareness platform architecture. The computer network security situation awareness platform architecture comprises a network threat information module, an application system module, a data acquisition module and an analysis processing platform, wherein the network threat information module is connected with the application system module; the application system module is connected with the data acquisition module; the application system module and the data acquisition module are respectively connected with the analysis processing platform; and the analysis processing platform extracts the network threat information acquired by the data acquisition module. The computer network security situation awareness platform architecture has the advantages that information network related data are comprehensively collected; threat intelligence is fused for safety management and safety analysis based on a big data platform, asset management, vulnerability management, event management, threat alarm, investigation and analysis, emergency response and other service functions are achieved; and technical support is provided for safety operation (management, analysis and response) teams.

Disclosed herein are a method and system for collecting cyber threat intelligence (CTI) data. The system includes a management server that determines agent configuration values associated with an OSINT providing source, an agent that receives the agent configuration values from the management server, performs a data collection task for collecting the CTI data based on the agent configuration values, and transmits the CTI data and data collection status information to the management server, a threat information database where which the CTI data is logged, and a system database where the data collection status information is logged.

The invention provides an attack simulation method based on network threat intelligence in an industrial internet of things, which comprises the following steps of: threat intelligence collection: carrying out web crawler on network threat intelligence information through a threat intelligence platform, and collecting the threat intelligence information; generating an attacker portrait: searching threat information of the attack organization, and generating the attacker portrait according to the threat information; acquiring an attack route: acquiring an overall architecture and a data flow diagram of a system environment for attack simulation, and screening out a suitable attack route; and attack simulation: constructing a meta-attack language model in combination with an attacker portrait, performing attack simulation on an attack line, and obtaining an experimental result for calculating time estimation of system damage. According to the invention, the problem of low integration level of threat intelligence and attack simulation technology is solved, and specific threats can be automatically evaluated, so that security personnel can quickly take positive measures, and the threat response capability and attack resistance capability of an industrial Internet of Things system are improved.

The invention belongs to the technical field of benefit allocation-based transaction promotion in a network threat intelligence transaction alliance chain, and particularly relates to a transaction promotion method for a threat intelligence transaction alliance chain based on benefit distribution. Aiming to solve the problem of identity privacy protection of a transaction endorsement user in a threat intelligence transaction alliance chain transaction process, on the basis of a fragmentation mechanism of an alliance chain, a game strategy of nodes under a unified benefit distribution and fairbenefit distribution mechanism is analyzed by combining a game theory method, cooperation equilibrium conditions of the nodes are studied, and a benefit distribution mechanism based on fragmentation fair distribution is provided under the cooperation equilibrium conditions of the fair benefit distribution mechanism. According to the invention, the effect of attracting more users to participate intransaction cooperation can be achieved, and the goal of threatening benign development of intelligence transactions is achieved.

The invention designs a method and system for fusing network threat intelligence metadata, which are used for solving multi-source heterogeneous network threat intelligence conflicts. The method comprises the following steps: converting unstructured network threat intelligence data into structured network threat intelligence; mapping the structured network threat intelligence data and metadata; splitting the network threat intelligence metadata; fusing the network threat intelligence metadata; and providing the fused metadata for network security threat intelligence analysts in an interface form through a customized output template. According to the invention, the network threat intelligence data can be fused in a finer-grained manner, and the fused result is automatically configured.

A cyber threat intelligence (CTI) gateway device may receive rules for filtering TCP/IP packet communications events that are configured to cause the CTI gateway device to identify communications corresponding to indicators, signatures, and behavioral patterns of network threats. The CTI gateway device may receive packets that compose endpoint-to-endpoint communication events and, for each event,may determine that the event corresponds to criteria specified by a filtering rule. The criteria may correspond to one or more of the network threat indicators, signatures, and behavioral patterns. The CTI gateway may create a log of the threat event and forward the threat event log to a task queue managed by a cyberanalysis workflow application. Human cyberanalysts use the cyberanalysis workflowapplication to service the task queue by removing the task at the front of the queue, investigating the threat event, and deciding whether the event is a reportable finding that should be reported tothe proper authorities. In order to improve the efficiency of the workflow process, tasks in the queue are ordered by the likelihood, or probability, that cyberanalysts will determine the associated threat events to be reportable findings; thus, high-likelihood events are investigated first. Likelihoods are computed using human-designed algorithms and machine-learned algorithms that are applied tocharacteristics of the events. Low-likelihood events may be dropped from the work queue to further improve efficiency.

The packet gateway may protect the TCP/IP network by enforcing security policies on in-transit packets across network boundaries. The policy may include network threat intelligence (CTI) derived packet filtering rules. The rapid increase of the CTI amount and the size of the associated CTI derivation strategy, and the continuously increased network link speed and network flow may stop the cost of enough computing resources. To efficiently process packets, a packet gateway may be provided with at least one probabilistic data structure, such as a Bloom filter, for testing packets to determine whether packet data may match packet filtering rules. The packet filtering rules may be grouped into subsets of rules, and a data structure may be provided for determining a subset of matching rules associated with a particular packet.

A cyber threat intelligence of a cyber threat includes a threat chain that describes objects involved in the cyber threat and relationships between the objects. A related object hash of an object is calculated by calculating a hash of one or more objects that are linked to the object as indicated in the cyber threat intelligence. A related object sequence hash of the threat chain is generated by calculating a total of the related object hashes. The related object sequence hash of the threat chain is compared to a related object sequence hash of another threat chain to detect cyber threats.