CN-122003676-A - System and method for providing threat intelligence
Abstract
A method for providing threat intelligence includes generating a plurality of keywords based at least in part on a network model associated with an asset, searching one or more data sources to retrieve data associated with the network model based at least in part on the generated keywords, the retrieved data including information about threats and/or vulnerabilities associated with the asset, and updating the network model based at least in part on the retrieved data.
Inventors
- ROY FRIEDMAN
- DANIEL MOSCOVICI
- Y. Davidovic
- David Molofik
- ZEEV SHALEV
Assignees
- C2A Security Ltd.
Dates
- Publication Date
- 20260508
- Application Date
- 20240905
- Priority Date
- 20230905
Claims (20)
- 1. A method for providing threat intelligence, the method comprising: generating a plurality of keywords based at least in part on a network model associated with an asset; searching one or more data sources based at least in part on the generated keywords to retrieve data associated with the network model, the retrieved data including information about threats and/or vulnerabilities associated with the asset; and updating the network model based at least in part on the retrieved data.
- 2. The method of claim 1, further comprising summarizing at least a portion of the retrieved data with a first Large Language Model (LLM), wherein the updating of the network model is based at least in part on the summarized data.
- 3. The method of claim 1 or 2, wherein the network model includes a risk analysis of the asset, and wherein the updating of the network model comprises updating the risk analysis.
- 4. A method according to any of claims 1-3, wherein the updating of the network model comprises updating one or more attack paths.
- 5. The method of claim 4, further comprising identifying one or more attack steps based at least in part on the retrieved data, wherein the updating of the one or more attack paths is based at least in part on the identified one or more attack steps.
- 6. The method of any of claims 1-5, wherein the updating of the network model includes adding one or more attack paths.
- 7. The method of any of claims 3-6, further comprising generating one or more text attack paths with a second LLM based at least in part on the retrieved data, wherein the updating of the network model is based at least in part on the generated one or more text attack paths.
- 8. The method of claim 7, further comprising utilizing the LLM to aggregate at least a portion of the retrieved data, wherein the updating of the network model is based at least in part on the aggregated data, and wherein the one or more text attack paths are based at least in part on the aggregated data.
- 9. The method of claim 7 or 8, further comprising: receiving a system document; converting the received system document into a canonical language using the LLM; feeding the converted document to an inference engine; querying the inference engine about paths within the system; and validating one or more of the output text attack paths based at least in part on the query.
- 10. The method of any one of claims 7-9 when dependent on claim 2, wherein the second LLM is the first LLM.
- 11. The method of any of claims 1-10, further comprising receiving security information including information about an attack on the asset, information about a threat to the asset, information about a vulnerability in the asset, or information about a potential vulnerability in the asset, wherein the generation of the keywords is based at least in part on the received security information.
- 12. The method of claim 11, wherein the portion of the retrieved data is associated with configuration data associated with the asset.
- 13. The method of claim 11, wherein the retrieved data is associated with any configuration data susceptible to the attack, vulnerability, or potential vulnerability.
- 14. The method of claim 13, further comprising outputting information regarding the configuration data susceptible to the attack, vulnerability, or potential vulnerability.
- 15. The method of any of claims 13-14, further comprising performing additional searches in the one or more data sources to identify one or more most relevant versions of the configuration data that are susceptible to the attack, vulnerability, or potential vulnerability.
- 16. The method of any of claims 11-15, further comprising performing additional searches in the one or more data sources to identify data about additional vulnerabilities associated with the configuration data, the configuration data being associated with the portion of the retrieved data.
- 17. The method of claim 16, further comprising receiving user input regarding the retrieved data, the retrieved data being associated with the received security information, wherein the additional searches are responsive to the received user input.
- 18. The method of claim 1, further comprising receiving security information including information about an attack on the asset, information about a threat to the asset, information about a vulnerability in the asset, or information about a potential vulnerability in the asset, wherein the generation of the keywords is based at least in part on the received security information, wherein the received security information includes a textual description, the method further comprising inputting the textual description into the LLM, wherein the plurality of keywords are extracted from the textual description by the LLM.
- 19. The method of any of claims 1-18, wherein the one or more data sources include one or more of the internet, a darknet, a National Vulnerability Database (NVD), an Open Source Vulnerability (OSV) database, a database utilizing codes, a code repository, a specification sheet associated with the asset, and a risk analysis associated with the asset.
- 20. The method of claim 1, further comprising ordering the retrieved data with an LLM, wherein the updating of the network model is based at least in part on the ordering of the retrieved data.
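As an added illustration (not code from the patent or from C2A Security), the following Python sketch walks claims 1 and 3-6 over a constructed network model and a constructed stand-in for a vulnerability data source: keywords are derived from the model, matching records are retrieved, and the model's vulnerability list, risk score and attack paths are updated. All component names, record ids and scores are made up.

```python
import copy

# Constructed network model for one asset: components, links between them, and the fields the
# method updates (vulnerabilities, attack paths, risk). All values are made up.
NETWORK_MODEL = {
    "asset": "telematics-gateway",
    "components": {
        "modem-fw": {"vendor": "acme", "product": "ltemodem", "version": "2.3.1", "exposed": True},
        "tls-lib": {"vendor": "example", "product": "tinytls", "version": "1.0.4", "exposed": False},
        "can-bridge": {"vendor": "acme", "product": "canbridge", "version": "0.9", "exposed": False},
    },
    "links": [("modem-fw", "tls-lib"), ("tls-lib", "can-bridge")],
    "vulnerabilities": {}, "attack_paths": [], "risk": 0.0,
}

# Constructed stand-in for a data source such as NVD or OSV; ids are placeholders, not real CVEs.
DATA_SOURCE = [
    {"id": "VULN-PLACEHOLDER-1", "terms": {"acme", "ltemodem", "2.3.1"}, "cvss": 9.8},
    {"id": "VULN-PLACEHOLDER-2", "terms": {"example", "tinytls", "1.0.4"}, "cvss": 7.5},
    {"id": "VULN-PLACEHOLDER-3", "terms": {"example", "tinytls", "2.0.0"}, "cvss": 5.3},
]

def generate_keywords(model):
    """Claim 1: one keyword set per component, taken from the model's vendor/product/version."""
    return {n: {c["vendor"], c["product"], c["version"]} for n, c in model["components"].items()}

def search(keywords, source):
    """Claim 1: retrieve records whose terms all occur in a component's keyword set."""
    return {n: [r for r in source if r["terms"] <= kws] for n, kws in keywords.items()}

def update_model(model, hits):
    """Claims 3-6: record findings, refresh the risk analysis, and add attack paths."""
    model["vulnerabilities"] = {n: [r["id"] for r in rs] for n, rs in hits.items() if rs}
    model["risk"] = max((r["cvss"] for rs in hits.values() for r in rs), default=0.0)
    nxt = {}
    for a, b in model["links"]:
        nxt.setdefault(a, []).append(b)
    # An attack path is a maximal chain of linked vulnerable components starting at an exposed one.
    stack = [[n] for n, c in model["components"].items() if c["exposed"] and n in model["vulnerabilities"]]
    while stack:
        path = stack.pop()
        steps = [m for m in nxt.get(path[-1], []) if m in model["vulnerabilities"] and m not in path]
        if steps:
            stack.extend(path + [m] for m in steps)
        elif len(path) > 1:
            model["attack_paths"].append(path)
    return model

def run(model=NETWORK_MODEL, source=DATA_SOURCE):
    model = copy.deepcopy(model)  # leave the caller's model untouched
    return update_model(model, search(generate_keywords(model), source))
```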
Description
System and method for providing threat intelligence
Technical Field
The present disclosure relates generally to the field of threat intelligence.
Background
Threat intelligence is the collection and analysis of multi-source cybersecurity data using various algorithms. By collecting a large amount of data about current cybersecurity threats and trends and analyzing it, threat intelligence providers obtain usable data and insight that help their customers better detect and respond to threats. Organizations have a wide range of threat intelligence needs, from low-level information about malware variants currently used in attack campaigns to high-level information intended to inform strategic investment and policy decisions. Threat intelligence is therefore commonly divided into three types:
- 1. Operational threat intelligence focuses on the tools (malware, infrastructure, etc.) and techniques used by attackers to achieve their goals. This type of intelligence helps analysts and threat hunters identify and understand attack activity.
- 2. Strategic threat intelligence is high-level and focuses on broad trends in the cyber threat landscape. It is directed at executives (typically without a cybersecurity background) who need to know their organization's cyber risk as part of their policy planning.
- 3. Tactical threat intelligence focuses on using indicators of compromise (IoCs) to identify specific types of malware or other cyber attacks. Intelligence of this type is ingested by security solutions and used to detect and block incoming or ongoing attacks.
Summary
It is therefore a primary object of the present invention to overcome at least some of the disadvantages of prior art systems and methods for network security traffic prioritization.
In some examples, this is provided by a method for providing threat intelligence, the method comprising generating a plurality of keywords based at least in part on a network model associated with an asset. In some examples, the method includes searching one or more data sources, based at least in part on the generated keywords, to retrieve data associated with the network model. In some examples, the retrieved data includes information about threats and/or vulnerabilities associated with the asset. In some examples, the method includes updating the network model based at least in part on the retrieved data. In some examples, the method includes utilizing a Large Language Model (LLM) to summarize at least a portion of the retrieved data.
Additional features and advantages of the invention will be apparent from the accompanying drawings and the description that follows.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. In case of conflict, the present specification, including definitions, will control.
As used herein, the articles "a" and "an" mean "at least one" or "one or more" unless the context clearly indicates otherwise. As used herein, "and/or" refers to any one or more of the items in a list that are connected by "and/or". By way of example, "x and/or y" refers to any element of the three-element set { (x), (y), (x, y) }. In other words, "x and/or y" means "x, y, or both x and y". As a further example, "x, y, and/or z" refers to any element of the seven-element set { (x), (y), (z), (x, y), (x, z), (y, z), (x, y, z) }. Furthermore, unless explicitly stated to the contrary, "or" means an inclusive or, not an exclusive or. For example, condition "A or B" is satisfied by any of the following: A is true (or present) and B is false (or absent); A is false (or absent) and B is true (or present); both A and B are true (or present).
In addition, the elements and components of an embodiment of the inventive concept are described using "a" or "an". This is done merely for convenience and to give a general sense of the inventive concept; "a" and "an" are intended to include one or at least one, and the singular also includes the plural unless it is obvious that otherwise is meant.
As used herein, the term "about," when referring to a measurable value (e.g., amount, duration, etc.), is meant to encompass deviations of +/-10%, more preferably +/-5%, even more preferably +/-1%, and still more preferably +/-0.1% from the specified value, as such deviations are suitable for performing the disclosed apparatus and/or method.
The following embodiments and aspects thereof are described and illustrated with respect to systems, tools, and methods, which are meant to be exemplary and illustrative, not limiting in scope. In various embodiments, one or more of the problems set forth above have been reduced or eliminated, while other embodiments are directed to other advantages or improvements.
Brief Description of Drawings
For a bett