428 results about "Threat intelligence" patented technology

Threat intelligence is collected from a variety of different sources. The threat intelligence information is aggregated, normalized, filtered and scored to identify threats to an information network. Threats are categorized by type, maliciousness and confidence level. Threats are reported to network administrators in a plurality of threat feeds, including for example malicious domains, malicious IP addresses, malicious e-mail addresses, malicious URLs and malicious software files.

Systems and methods for analyzing electronic messages are disclosed. In some embodiments, the method comprises receiving a new received message from an indicated sender, the new received message having a first message characteristic of the indicated sender and a second message characteristic, identifying an actual sender message characteristic pattern of an actual sender using the first message characteristic, probabilistically comparing the second message characteristic to the actual sender message characteristic pattern, determining a degree of similarity of the second message characteristic to the actual sender message characteristic pattern, and influencing a probability that the indicated sender is the actual sender based upon the degree of similarity. There may be multiple message characteristics and patterns. In some embodiments, the methods may utilize pattern matching techniques, recipient background information, quality measures, threat intelligence data or URL information to help determine whether the new received message is from the actual sender.

A micro-virtualization architecture deploys a threat-aware microvisor as a module of a virtualization system configured to facilitate real-time security analysis, including exploit detection and threat intelligence, of operating system processes executing in a memory of a node in a network environment. The micro-virtualization architecture organizes the memory as a user space and kernel space, wherein the microvisor executes in the kernel space of the architecture, while the operating system processes, an operating system kernel, a virtual machine monitor (VMM) and its spawned virtual machines (VMs) execute in the user space. Notably, the microvisor executes at the highest privilege level of a central processing unit of the node to virtualize access to kernel resources. The operating system kernel executes under control of the microvisor at a privilege level lower than a highest privilege level of the microvisor. The VMM and its spawned VMs execute at the highest privilege level of the microvisor.

A threat-aware microvisor is configured to facilitate real-time security analysis, including exploit detection and threat intelligence, of operating system processes executing on a node of a network environment. The microvisor may be embodied as a module disposed or layered beneath (underlying) an operating system kernel executing on the node to thereby control privileges (i.e., access permissions) to kernel resources, such as one or more central processing units (CPUs), network interfaces, memory, and/or devices, of the node. Illustratively, the microvisor may be configured to control access to one or more of the resources in response to a request by an operating system process to access the resource.

An incident response system and method for tracking data security incidents in enterprise networks is disclosed. An Incident Manager application (IM) stores incident objects and incident artifacts (IAs) created in response to the incidents, where the incident objects include the information for the incident and the IAs are associated with data resources (e.g. IP addresses and malware hashes) identified within the incident objects. In response to creation of the IAs, the IM issues queries against one or more external threat intelligence sources (TISs) to obtain information associated with the IAs and augments the IAs with the obtained information. In examples, the IM can identify known threats by comparing the contents of IAs against TIS(s) of known threats, and can identify potential trends by correlating the created incident objects and augmented IAs for an incident with incident objects and IAs stored for other incidents.

The invention discloses a threat intelligence analysis system for attack tracing. The system comprises an internal threat intelligence collection module, an external threat intelligence collection module and an attack tracing analysis module; the internal threat intelligence collection module comprises a security detection module and a security analysis module; the attack tracing analysis module comprises attacker tracing and attack host tracking; threat intelligence obtained by the internal threat intelligence collection module and the external threat intelligence collection module is uploaded to the attack tracing analysis module, the attack tracing analysis module performs attacker tracing and attack host tracking on the threat intelligence and feeds back the result to the security detection module and the security analysis module; and meanwhile, the result is performed with threat intelligence sharing and exchange with an external cooperation mechanism. The threat intelligence analysis system disclosed by the invention can not only singly and quickly accomplish threat intelligence analysis and detection, but also can provide prediction for the attacks of enterprises, the method is orientated to attack tracing, and the attack mode is analyzed from the source so as to better identify the identity of the attacker.

The invention relates to the technical field of network security, in particular to a network attack event traceability processing method and device, equipment and a storage medium. The method comprises the steps of obtaining a network attack clue related to a to-be-traced network attack event; performing intelligence mining on the network attack clue based on the constructed network threat association model to obtain threat intelligence related to the network attack event; taking the network attack clue and the threat intelligence as attack behavior elements corresponding to the network attackevent, and constructing a traceability analysis model containing an association relationship between the attack behavior elements; and determining a traceability path according to the association relationship between the target attack behavior elements in the traceability analysis model, and performing traceability on the network attack event based on the traceability path to obtain a traceability result of the network attack event. By adopting the method, accurate tracking and tracing of the network attack event can be realized, so that the security of a computer communication network is improved.

A distributed security system and method are disclosed that enable access to known threat events from threat intelligence feeds when the system includes public cloud components. A cloud-based security policy system stores observable events for security incidents detected by and sent from user devices within an enterprise network. The observable events include observable indicators for characterizing the observable events. The threat events within the feeds include threat indicators for characterizing the threat events. An on-premises connector within the enterprise network downloads the observable indicators from the security policy system and the threat indicators from the feeds. In response to determining that any observable indicators match any threat indicators, the on-premises connector provides access to the threat events and/or the observable events having the matching indicators. In one example, the on-premises connector generates opaque query strings for users on user devices to access the threat events/observable events having the matching indicators.

The invention relates to a text data-oriented threat intelligence knowledge graph construction method. The functions of automatically extracting the key information from the text threat intelligence data and constructing the threat intelligence knowledge graph are realized. The invention provides a threat intelligence knowledge graph construction method for text data. The method comprises the following steps: defining an ontology structure in the threat intelligence field; using a threat intelligence named entity recognition model based on multiple factors and a threat intelligence entity relation extraction model based on a graph neural network to obtain threat intelligence entities and relation triples from text data, and finally storing information through a graph database to form a threat intelligence knowledge graph.

The invention relates to a threat intelligence-based network threat identification method and identification system. The method includes: after the detection module is started, loading all the threatinformation updated by the information updating module to the local; acquiring the collected and analyzed audit data, matching the audit data with data in a threat intelligence library, analyzing andacquiring threat event information based on risk data through an analysis and display module if the audit data is successfully matched with the data in the threat intelligence library, acquiring and analyzing associated information of possible lost host events, and counting, analyzing and displaying the relationship between the events. According to the invention, the threat condition of the wholenetwork is analyzed and displayed from two perspectives of threat event information and a lost host event; a collapsed host is determined, targeted attacks are accurately recognized, correlation analysis and display are carried out on the threats, the efficiency of processing network attack events is improved, the false alarm rate is low, potential threats can be found, tracing and post-processingof the threat events are greatly facilitated, attacks possibly occurring in the future are predicted, and therefore truly valuable attack events are deeply analyzed and found.

Embodiments of the invention disclose a threat intelligence processing method and apparatus. The method comprises the steps of obtaining threat index IOC data of multisource intelligence, and preprocessing the IOC data to obtain to-be-analyzed data; inputting the to-be-analyzed data to a threat intelligence detection model for performing detection to obtain a threat detection result; and if the to-be-analyzed data is judged to be threat intelligence according to the threat detection result, sending the threat detection result to a display terminal for performing display. The apparatus comprises a data preprocessing module, a data detection module and a result display module. According to the threat intelligence processing method and apparatus, the threat index data of the multisource intelligence is obtained and is preprocessed and detected to obtain the threat detection result, and after the threat intelligence is determined, the threat detection result is sent to the display terminalfor performing display, so that the timeliness and the coverage rate of malicious IP detection and malicious file searching and killing are ensured.

The embodiment of the invention provides a threat intelligence-based network security detection method and system, aiming at improving the accuracy of network security detection. The method provided by the embodiment of the invention includes the following steps: periodically acquiring threat intelligence data from at least one preset website; grouping associated data in the threat intelligence data according to a preset rule to form at least one threat intelligence group, wherein the threat intelligence group includes at least one type of the threat intelligence data, and each type of the threat intelligence data includes one or more pieces of data; and performing multidimensional matching on acquired network access data of a target terminal and the threat intelligence data in the threatintelligence group, and calculating target threat intelligence data that is successfully matched, and if the number of the target threat intelligence data that is successfully matched exceeds a presetnumber, determining that the target terminal is infected with a virus.

A computer-implemented method, computer program product and computing system for importing threat data from a plurality of threat data sources, thus generating a plurality of raw threat data definitions. The plurality of raw threat data definitions are processed, thus generating a plurality of processed threat data definitions. The plurality of processed threat data definitions are processed to form a master threat data definition. The master threat data definition is provided to one or more client electronic devices.

A data security incident correlation and dissemination system and method is disclosed. In an exemplary implementation of the system, a service provider of a managed security service receives incident information regarding data security incidents at different business organizations of the security service. One or more incident managers operated by different organizations send incident information, and a server system within the service provider's network creates aggregated data from the incident information received from the incident managers. The server system analyzes the aggregated data to create correlated incident records that include incident information from related data security incidents at the different organizations, and provides threat intelligence data based on the correlated incident records for the organizations. In embodiments, the server system can “push” threat intelligence data to the organizations, or the organizations can request the threat intelligence data from the server system.

Embodiments of the invention disclose a log-based threat intelligence detection method and device. The method comprises the steps of obtaining log files of different file types, analyzing the log files, matching different IOC types, and adding analysis files of the different IOC types to a detection engine queue; obtaining a target analysis file from the detection engine queue, and determining a corresponding target query mode according to the IOC type of the target analysis file; and if it is queried that threat intelligence exists in the target analysis file according to the target query mode, generating threat alert information, which, for example, includes an attacked host or a malicious file. The log files of the different file types are analyzed, and the target analysis file is queried in the corresponding attack detection query mode, so that large-batch data can be processed at the same time, and the network security detection efficiency of massive data is greatly improved.

The invention discloses a method and a device for asset safety early warning based on external threat information analysis. The method specifically comprises: through acquiring latest threat intelligence information issued by authority organizations at home and abroad, and performing similar information deduplication combination on the acquired threat intelligence information, generating final threat intelligence information in an external threat intelligence bank; then, according to attribute information of the threat information in the formed external threat intelligence bank, detecting whether a threatened device exist in an internal threatened asset information base. Since source of intelligence information in the external threat intelligence bank is wide, complementation of threat intelligence information issued by each threat intelligence issue platform can be realized, to form the external threat intelligence bank which is comprehensive and accurate in contents, and high in timeliness. At the same time, when the external threat intelligence bank is used for safe early warning on asset and equipment in a target network, a problem that intelligence information is too simple when information issued by a single threat intelligence platform is used can be prevented.

The invention discloses a tracing analysis method for network attacks, which comprises the following steps: acquiring threat intelligence of a specified type, and caching the threat intelligence to alocal threat intelligence database; acquiring current alarm information and the local threat information, and judging the attack source of the alarm; respectively carrying out alarm association according to the attack source and/or the equipment identifier of the attack target, determining the attack stage of the equipment, and judging the equipment collapse level according to the attack stage; and obtaining asset information of the equipment, and determining the influence range of the attack according to the alarm association result. Effective traceability analysis of network attacks is achieved, various traceability results are obtained, traceability data can be updated every time traceability is conducted, and a basis is provided for network operation and maintenance personnel to handleproblems and strengthen security policies.

The invention relates to the field of computer network security and discloses a blockchain-based threat intelligence exchange and sharing system comprising a login filtering module, a blockchain-basedsecurity wallet module, a sharing community, an expert representative review module and a threat intelligence reputation database. Threat intelligences form an exiting security manufacturer and security expert individual are original inputs of the threat intelligence exchange and sharing system; and threat intelligences inputted by individual users subsequently are stored into the threat intelligence reputation database after examination and verification of effectiveness by expert representatives. According to the invention, threat intelligences of all sources are collected and the collectedthreat intelligences are stored and updated by the blockchain, so that the timeliness and effectiveness of threat intelligence sharing as well as the threat intelligence sharing security, confidentiality and privacy are improved.

Data surveillance techniques are presented for the detection of security issues, especially of the kind where privileged data may be stolen by steganographic, data manipulation or any form of exfiltration attempts. Such attempts may be made by rogue users or admins from the inside of a network, or from outside hackers who are able to intrude into the network and impersonate themselves as legitimate users. The system and methods use a triangulation process whereby analytical results pertaining to data protocol, user-behavior and packet content are combined to establish a baseline for the data. Subsequent incoming data is then scored and compared against the baseline to detect any security anomalies. The above data surveillance techniques are also applied for detecting intentional or unintentional exfiltration/leak of privileged data/assets between unauthorized users/groups of the organization. Such detection may be performed based on analyzing threat stream data from threat intelligence providers.

This document discloses a system and method for consolidating threat intelligence data for a computer and its related networks. Massive volumes of raw threat intelligence data are collected from a plurality of sources and are partitioned into a common format for cluster analysis whereby the clustering of the data is done using unsupervised machine learning algorithms. The resulting organized threat intelligence data subsequently undergoes a weighted asset based threat severity level correlation process. All the intermediary network vulnerabilities of a particular computer network are utilized as the critical consolidation parameters of this process. The final processed intelligence data gathered through this high speed automated process is then formatted into predefined formats prior to transmission to third parties.

The invention provides a threat intelligence defense method and system. The method comprises the steps of acquiring threat intelligence; acquiring a threat information management platform based on thethreat information; performing collision matching on the threat intelligence management platform and the security big data analysis platform to obtain alarm information; performing normal scanning task screening processing on the alarm information to obtain threat alarm information; performing association analysis on the threat alarm information and a dynamic asset library, and positioning a threat source corresponding to the threat alarm information; and blocking the threat alarm information and the threat source. According to the invention, the network security can be effectively ensured.

Methods, systems, and computer-readable media for efficiently detecting threat incidents for cyber threat analysis are described herein. In various embodiments, a computing device, which may be located at a boundary between a protected network associated with the enterprise and an unprotected network, may combine one or more threat indicators received from one or more threat intelligence providers; may generate one or more packet capture and packet filtering rules based on the combined threat indicators; and, may capture or filter, on a packet-by-packet basis, at least one packet based on the generated rules. In other embodiments, a computing device may generate a packet capture file comprising raw packet content and corresponding threat context information, wherein the threat context information may comprise a filtering rule and an associated threat indicator that caused the packet to be captured.