Title: SYSTEM AND METHOD FOR GENERATING AND REFINING CYBER THREAT INTELLIGENCE DATA
Abstract: A method of refining cyber threat intelligence data, comprising: sending a first version of a threat list to a first cyber threat intelligence source and to a second cyber threat intelligence source; obtaining original first cyber threat intelligence data from the first source; obtaining original second cyber threat intelligence data from the second source; creating a second version of the threat list based on at least the original first cyber threat intelligence data and the original second cyber threat intelligence data; sending the second version of the threat list to the first source and to the second source; obtaining new first cyber threat intelligence data from the first source; obtaining new second cyber threat intelligence data from the second source; and creating a third version of the threat list based on at least the new first cyber threat intelligence data and the new second cyber threat intelligence data.
Publication No.: US2015207809(A1)    Publication Date: 2015.07.23
Application No.: US201113192152    Filing Date: 2011.07.27
Applicant: MACAULAY Tyson    Inventor: MACAULAY Tyson
Classification: H04L29/06; G06F11/30    Main Classification: H04L29/06
Agency:    Agent:
Principal Claim: 1. A method of refining cyber threat intelligence data, performed by network equipment in a carrier network controlled by a carrier network operator, comprising: sending a first version of a threat list to a first cyber threat intelligence source and to a second cyber threat intelligence source; obtaining original first cyber threat intelligence data from the first cyber threat intelligence source, the original first cyber threat intelligence data being issued by the first cyber threat intelligence source based on the first version of the threat list, wherein the original first cyber threat intelligence data includes an original first set of instances of traffic attributes deemed by the first cyber threat intelligence source to be suspicious and an original first event log relating to communications characterized by the original first set of instances of traffic attributes deemed by the first cyber threat intelligence source to be suspicious; obtaining original second cyber threat intelligence data from the second cyber threat intelligence source, the original second cyber threat intelligence data being issued by the second cyber threat intelligence source also based on the first version of the threat list, wherein the original second cyber threat intelligence data includes an original second set of instances of traffic attributes deemed by the second cyber threat intelligence source to be suspicious and an original second event log relating to communications characterized by the original second set of instances of traffic attributes deemed by the second cyber threat intelligence source to be suspicious; determining (i) an original plurality of instances of traffic attributes from the original first and second sets of instances of traffic attributes and (ii) a reputation score for each instance in the original plurality of instances of traffic attributes, the reputation score for each instance in the original plurality of instances of traffic attributes being determined based on factors including at least: the instances of traffic attributes in the original first and second sets of instances of traffic attributes; the communications logged in the original first and second event logs; an origin of the original first cyber threat intelligence data which originates either internal or external to the carrier network and an origin of the original second cyber threat intelligence data which originates either internal or external to the carrier network; creating a second version of the threat list including at least the traffic attributes from the original plurality of instances of traffic attributes with a reputation score below a predetermined threshold reputation score; sending the second version of the threat list to the first cyber threat intelligence source and to the second cyber threat intelligence source; obtaining new first cyber threat intelligence data from the first cyber threat intelligence source, the new first cyber threat intelligence data being issued by the first cyber threat intelligence source based on the second version of the threat list, wherein the new first cyber threat intelligence data includes a new first set of instances of traffic attributes deemed by the first cyber threat intelligence source to be suspicious and a new first event log relating to communications characterized by the new set of instances of traffic attributes deemed by the first cyber threat intelligence source to be suspicious; obtaining new second cyber threat intelligence data from the second cyber threat intelligence source, the new second cyber threat intelligence data being issued by the second cyber threat intelligence source also based on the second version of the threat list, wherein the new second cyber threat intelligence data includes a new second set of instances of traffic attributes deemed by the second cyber threat intelligence source to be suspicious and a new second event log relating to communications characterized by the new set of instances of traffic attributes deemed by the second cyber threat intelligence source to be suspicious; determining (i) a new plurality of instances of traffic attributes from the new first and second sets of instances of traffic attributes and (ii) a reputation score for each instance in the new plurality of instances of traffic attributes, the reputation score for each instance in the new plurality of instances of traffic attributes being determined based on factors including at least: the instances of traffic attributes in the new first and second sets of instances of traffic attributes; the communications logged in the new first and second event logs; an origin of the new first cyber threat intelligence data which originates either internal or external to the carrier network and an origin of the new second cyber threat intelligence data which originates either internal or external to the carrier network; creating a third version of the threat list including at least the traffic attributes from the new plurality of instances of traffic attributes with a reputation score below a predetermined threshold reputation score.
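The refinement loop the claim describes (send a threat-list version to two sources, score every attribute they flag using the flagged set, the logged communications and whether the data originates inside or outside the carrier network, keep those below the threshold as the next version), as an added Python example that is not part of the patent record. The scoring weights, the 0.5 threshold, the mock sources' flagging rule and the sample attributes are all assumptions; the claim names only the factors, not a formula.

```python
"""Iterative threat-list refinement across two intelligence sources (added example).
Weights, threshold, the mock sources and the sample data are assumptions."""
from dataclasses import dataclass

@dataclass
class IntelReport:
    suspicious: set   # instances of traffic attributes the source deems suspicious
    event_log: dict   # attribute -> number of communications logged for it
    internal: bool    # origin of the data: inside (True) or outside the carrier network

def make_source(observed, internal, min_hits):
    """Mock source: flags an observed attribute when it logged at least min_hits
    communications for it, or when the received threat-list version already names it."""
    def source(threat_list):
        flagged = {a for a, n in observed.items() if n >= min_hits or a in threat_list}
        return IntelReport(flagged, {a: observed[a] for a in flagged}, internal)
    return source

def reputation_scores(reports):
    """Score every attribute flagged by any source; a lower score is a worse reputation."""
    scores = {}
    for attr in set().union(*(r.suspicious for r in reports)):
        score = 1.0
        for r in reports:
            if attr in r.suspicious:
                score -= 0.2 if r.internal else 0.1       # assumed weight by data origin
                score -= 0.05 * min(r.event_log[attr], 5)  # assumed weight per logged communication
        scores[attr] = round(score, 2)
    return scores

def next_threat_list(reports, threshold=0.5):
    """Next version: attributes whose reputation score is below the threshold."""
    return {a for a, s in reputation_scores(reports).items() if s < threshold}

def refine(initial_list, sources, rounds=2):
    """Send each version to every source and build the next version from their replies."""
    versions = [set(initial_list)]
    for _ in range(rounds):
        reports = [src(versions[-1]) for src in sources]
        versions.append(next_threat_list(reports))
    return versions

# Constructed sample data using documentation address ranges, not real indicators.
SOURCES = [
    make_source({"203.0.113.7": 4, "198.51.100.9": 2, "192.0.2.5": 1}, internal=True, min_hits=3),
    make_source({"203.0.113.7": 2, "198.51.100.9": 3}, internal=False, min_hits=2),
]

if __name__ == "__main__":
    for i, v in enumerate(refine({"198.51.100.9", "192.0.2.5"}, SOURCES), start=1):
        print(f"threat list v{i}: {sorted(v)}")
```

With this data the stale seed entry 192.0.2.5, reported by one source with a single logged communication, scores 0.75 and drops out of the second version, while 203.0.113.7, flagged by both sources, enters it; the third version then equals the second, showing the loop converging.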
Address: Ottawa CA