US-12626024-B2 - Smart caching for threat intelligence
Abstract
Mechanisms are provided for caching threat intelligence enhancements in a threat intelligence cache of a threat intelligence computing system. The mechanisms, in response to a threat intelligence enhancement (TIE) being generated based on threat intelligence data, apply one or more threat intelligence cache policies to the TIE to determine a default cache retention period for a TIE type corresponding to the TIE. Different TIE types have different default cache retention periods. The mechanisms process the TIE and corresponding context data in the threat intelligence data to determine an adjustment to the default cache retention period based on the context data. The mechanisms modify the default cache retention period by the determined adjustment to generate a modified cache retention period. The mechanisms store the TIE in a TIE cache in accordance with the modified cache retention period.
Inventors
- Douglas North Franklin
- Cheng-Ta Lee
Assignees
- INTERNATIONAL BUSINESS MACHINES CORPORATION
Dates
- Publication Date
- 20260512
- Application Date
- 20240514
Claims (20)
- 1. A computer-implemented method for caching threat intelligence enhancements in a threat intelligence cache of a threat intelligence computing system, the method comprising: in response to a threat intelligence enhancement (TIE) being generated based on threat intelligence data, applying one or more threat intelligence cache policies to the TIE to determine a default cache retention period for a TIE type corresponding to the TIE, wherein different TIE types have different default cache retention periods; processing, by a cache retention period engine, the TIE and context data in the threat intelligence data to determine an adjustment to the default cache retention period based on the context data, wherein the context data corresponds to the TIE; modifying the default cache retention period by the determined adjustment to generate a modified cache retention period; and storing the TIE in a TIE cache in accordance with the modified cache retention period.
- 2. The computer-implemented method of claim 1, wherein the context data comprises at least one of historical reputation of observables/artifacts, frequency of score/categorization changes, related indicators of compromise, reputation of threat intelligence provider, popularity of related threat campaign, and enrichments from other threat intelligence providers.
- 3. The computer-implemented method of claim 2, wherein processing the TIE and the context data comprises: converting the context data to context features; inputting the context features into one or more trained machine learning computer models; and processing the context data, by the one or more trained machine learning computer models, to generate one or more recommendations as to the adjustment to apply to the default cache retention period.
- 4. The computer-implemented method of claim 1, further comprising: analyzing a cache miss event to provide feedback for optimization of the one or more threat intelligence cache policies; and automatically optimizing the one or more threat intelligence cache policies based on the feedback.
- 5. The computer-implemented method of claim 4, wherein analyzing the cache miss event comprises: comparing a new TIE cache entry for the cache miss event to one or more previously generated TIE cache entries to determine if the new TIE cache entry is replacing a same previous TIE cache entry that has expired; and in response to the new TIE cache entry being determined to have replaced the same previous TIE cache entry, automatically extending a cache retention period in at least one of the threat intelligence cache policies.
- 6. The computer-implemented method of claim 4, wherein analyzing the cache miss event comprises: comparing a new TIE cache entry for the cache miss event to one or more previously generated TIE cache entries to determine if the new TIE cache entry is replacing a same previous TIE cache entry that has expired; calculating a measure of frequency that new TIE cache entries for a TIE type replace the same TIE cache entry in the TIE cache based on the comparison; and automatically modifying a cache retention period in at least one of the threat intelligence cache policies for the TIE type based on the calculated measure of frequency.
- 7. The computer-implemented method of claim 6, wherein automatically modifying the cache retention period comprises at least one of automatically extending the cache retention period in response to the measure of frequency being equal to or above a first predetermined threshold, or automatically reducing the cache retention period in response to the measure of frequency being below a second predetermined threshold.
- 8. The computer-implemented method of claim 1, wherein storing the TIE in a TIE cache in accordance with the modified cache retention period further comprises: identifying one or more related TIEs referenced in the context data; and prefetching the one or more related TIEs into the TIE cache as additional TIE cache entries in response to identifying the one or more related TIEs as being referenced in the context data.
- 9. The computer-implemented method of claim 1, wherein the computer-implemented method is executed in response to a request from a threat intelligence platform for the threat intelligence enhancement of the threat intelligence data and the threat intelligence enhancement not being present in the threat intelligence enhancement cache.
- 10. The computer-implemented method of claim 1, wherein the threat intelligence data comprises threat intelligence data from a third party threat intelligence source computing system, and wherein the third party threat intelligence source computing system comprises one or more of a network traffic log source computing system, a social media computing system, a subject matter expert data source computing system, a news website computing system, a forum computing system, a blog computing system, or a cyber counterintelligence source computing system.
- 11. A computer program product comprising a computer readable storage medium having a computer readable program stored therein, wherein the computer readable program, when executed on a computing device, causes the computing device to: apply, in response to a threat intelligence enhancement (TIE) being generated based on threat intelligence data, one or more threat intelligence cache policies to the TIE to determine a default cache retention period for a TIE type corresponding to the TIE, wherein different TIE types have different default cache retention periods; process, by a cache retention period engine, the TIE and context data in the threat intelligence data to determine an adjustment to the default cache retention period based on the context data, wherein the context data corresponds to the TIE; modify the default cache retention period by the determined adjustment to generate a modified cache retention period; and store the TIE in a TIE cache in accordance with the modified cache retention period.
- 12. The computer program product of claim 11, wherein the context data comprises at least one of historical reputation of observables/artifacts, frequency of score/categorization changes, related indicators of compromise, reputation of threat intelligence provider, popularity of related threat campaign, and enrichments from other threat intelligence providers.
- 13. The computer program product of claim 12, wherein processing the TIE and the context data comprises: converting the context data to context features; inputting the context features into one or more trained machine learning computer models; and processing the context data, by the one or more trained machine learning computer models, to generate one or more recommendations as to the adjustment to apply to the default cache retention period.
- 14. The computer program product of claim 11, wherein the computer readable program further causes the computing device to: analyze a cache miss event to provide feedback for optimization of the one or more threat intelligence cache policies; and automatically optimize the one or more threat intelligence cache policies based on the feedback.
- 15. The computer program product of claim 14, wherein analyzing the cache miss event comprises: comparing a new TIE cache entry for the cache miss event to one or more previously generated TIE cache entries to determine if the new TIE cache entry is replacing a same previous TIE cache entry that has expired; and in response to the new TIE cache entry being determined to have replaced the same previous TIE cache entry, automatically extending a cache retention period in at least one of the threat intelligence cache policies.
- 16. The computer program product of claim 14, wherein analyzing the cache miss event comprises: comparing a new TIE cache entry for the cache miss event to one or more previously generated TIE cache entries to determine if the new TIE cache entry is replacing a same previous TIE cache entry that has expired; calculating a measure of frequency that new TIE cache entries for a TIE type replace the same TIE cache entry in the TIE cache based on the comparison; and automatically modifying a cache retention period in at least one of the threat intelligence cache policies for the TIE type based on the calculated measure of frequency.
- 17. The computer program product of claim 16, wherein automatically modifying the cache retention period comprises at least one of automatically extending the cache retention period in response to the measure of frequency being equal to or above a first predetermined threshold, or automatically reducing the cache retention period in response to the measure of frequency being below a second predetermined threshold.
- 18. The computer program product of claim 11, wherein storing the TIE in a TIE cache in accordance with the modified cache retention period further comprises: identifying one or more related TIEs referenced in the context data; and prefetching the one or more related TIEs into the TIE cache as additional TIE cache entries in response to identifying the one or more related TIEs as being referenced in the context data.
- 19. The computer program product of claim 11, wherein the apply, process, modify, and store operations are executed in response to a request from a threat intelligence platform for the threat intelligence enhancement of the threat intelligence data and the threat intelligence enhancement not being present in the threat intelligence enhancement cache.
- 20. An apparatus comprising: at least one processor; and at least one memory coupled to the at least one processor, wherein the at least one memory comprises instructions which, when executed by the at least one processor, cause the at least one processor to: apply, in response to a threat intelligence enhancement (TIE) being generated based on threat intelligence data, one or more threat intelligence cache policies to the TIE to determine a default cache retention period for a TIE type corresponding to the TIE, wherein different TIE types have different default cache retention periods; process, by a cache retention period engine, the TIE and context data in the threat intelligence data to determine an adjustment to the default cache retention period based on the context data, wherein the context data corresponds to the TIE; modify the default cache retention period by the determined adjustment to generate a modified cache retention period; and store the TIE in a TIE cache in accordance with the modified cache retention period.
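The caching behaviour claimed above, worked through as an added Python example that is not the patent's own code: per-TIE-type default retention (claim 1), a context-driven adjustment of that period (claims 2-3, here a fixed rule set standing in for the trained models the claims mention), cache-miss feedback that extends a policy when a new entry keeps replacing the same expired key (claims 4-7), and prefetching of related TIEs named in the context data (claim 8). The policy values, the observable identifiers, the adjustment rules and the `enrich` lookup are all constructed for the example; the patent specifies none of them.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Default retention period per TIE type, in seconds (constructed policy values).
DEFAULT_RETENTION: Dict[str, int] = {
    "ip_reputation": 3600,
    "domain_reputation": 6 * 3600,
}

@dataclass
class TIE:
    """Threat intelligence enhancement: the enrichment result for one observable."""
    key: str                    # observable id, e.g. "ip:203.0.113.5" (constructed)
    tie_type: str               # selects the default retention policy
    verdict: str
    context: Dict[str, float]   # context data carried in the TI data
    related: List[str] = field(default_factory=list)  # related IoCs to prefetch

@dataclass
class CacheEntry:
    tie: TIE
    inserted_at: float
    retention: int

    def expired(self, now: float) -> bool:
        return now >= self.inserted_at + self.retention

def retention_adjustment(context: Dict[str, float]) -> float:
    """Rule-based stand-in for the cache retention period engine (the patent
    suggests trained ML models; fixed rules keep the example self-contained).
    Returns a multiplicative factor for the default retention period."""
    factor = 1.0
    if context.get("score_change_frequency", 0) > 5:    # volatile verdict: shorten
        factor *= 0.5
    if context.get("provider_reputation", 0.5) >= 0.9:  # trusted provider: lengthen
        factor *= 1.5
    if context.get("campaign_popularity", 0) >= 0.8:    # active campaign: refresh sooner
        factor *= 0.75
    return factor

class TIECache:
    def __init__(self, policies: Dict[str, int], extend_threshold: int = 2) -> None:
        self.policies = dict(policies)          # mutable: miss feedback may extend them
        self.entries: Dict[str, CacheEntry] = {}
        self.replacements: Dict[str, int] = {}  # TIE type -> expired same-key replacements
        self.extend_threshold = extend_threshold

    def lookup(self, key: str, now: float) -> Optional[TIE]:
        entry = self.entries.get(key)
        if entry is None or entry.expired(now):
            return None  # an expired entry is kept so store() can classify the miss
        return entry.tie

    def _analyze_miss(self, tie: TIE, now: float) -> None:
        """A new entry replacing the same, expired key is evidence the policy is
        too short; extend it once that has happened extend_threshold times."""
        old = self.entries.get(tie.key)
        if old is None or not old.expired(now):
            return
        count = self.replacements.get(tie.tie_type, 0) + 1
        if count >= self.extend_threshold:
            self.policies[tie.tie_type] = int(self.policies[tie.tie_type] * 1.5)
            count = 0
        self.replacements[tie.tie_type] = count

    def store(self, tie: TIE, now: float,
              enrich: Optional[Callable[[str], Optional[TIE]]] = None) -> int:
        self._analyze_miss(tie, now)
        retention = int(self.policies[tie.tie_type] * retention_adjustment(tie.context))
        self.entries[tie.key] = CacheEntry(tie, now, retention)
        # Prefetch related TIEs referenced in the context data so later lookups hit.
        if enrich is not None:
            for rel_key in tie.related:
                if self.lookup(rel_key, now) is None:
                    rel = enrich(rel_key)
                    if rel is not None:
                        rel_ret = int(self.policies[rel.tie_type] * retention_adjustment(rel.context))
                        self.entries[rel.key] = CacheEntry(rel, now, rel_ret)
        return retention

def demo() -> dict:
    """Constructed walk-through: one volatile IP verdict that keeps expiring."""
    def enrich(key: str) -> Optional[TIE]:   # stand-in for a TI provider lookup
        return TIE(key, "domain_reputation", "suspicious", {}) if key.startswith("domain:") else None
    cache = TIECache(DEFAULT_RETENTION)
    ip_tie = TIE("ip:203.0.113.5", "ip_reputation", "malicious",
                 {"score_change_frequency": 8, "provider_reputation": 0.95},
                 related=["domain:example.test"])
    r0 = cache.store(ip_tie, now=0, enrich=enrich)   # 3600 * 0.5 * 1.5 = 2700
    hit = cache.lookup("ip:203.0.113.5", now=1000) is not None
    miss = cache.lookup("ip:203.0.113.5", now=3000) is None
    r1 = cache.store(ip_tie, now=3000)   # first expired replacement: only counted
    r2 = cache.store(ip_tie, now=6000)   # second: policy extended to 5400 -> 4050
    return {"r0": r0, "hit": hit, "miss": miss, "r1": r1, "r2": r2,
            "policy": cache.policies["ip_reputation"],
            "prefetched": cache.entries["domain:example.test"].retention}
```

Running `demo()` shows the two halves of the mechanism interacting: the volatile, well-sourced IP verdict first lands at 2700 s rather than the 3600 s default, and after the second time the same key is re-stored over an expired copy the feedback loop lengthens the `ip_reputation` policy itself, so the third store gets 4050 s without any change to the context rules. The related domain is stored at its own type's default because its context is empty.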
Description
BACKGROUND
The present application relates generally to an improved data processing apparatus and method and more specifically to an improved computing tool and improved computing tool operations/functionality for smart caching for threat intelligence.
Threat intelligence plays a critical role in threat management by enriching observables and contextualizing artifacts. Threat intelligence enrichment is the process of gaining context through security threat data in order to better understand the threat, where the context refers to the surrounding circumstances and data that provide insights into whether a potential threat, e.g., a particular transaction, is an actual threat or not. For example, if a security tool of a computing system detects port scans against servers of a protected computer system infrastructure, threat intelligence enrichment processes may collect information regarding the potential threat, such as information about the source of the scans, e.g., where the source is located and what operating systems are running at the source, what resources are affected, and the like. The more data that can be collected about the potential threat, the more likely the potential threat can be properly classified as to whether it is an actual threat or not, and the more likely appropriate responses and decisions can be made to address it. The observables, i.e., the context data (also sometimes referred to as forensic data) observed as part of collecting data for threat intelligence enrichment, are referred to as “artifacts” and may include various types of information including Internet Protocol (IP) addresses, processes, registry entries used, created, or modified, Uniform Resource Locators (URLs), files accessed, and the like.
SUMMARY
This Summary is provided to introduce a selection of concepts in a simplified form that are further described herein in the Detailed Description. This Summary is not intended to identify key factors or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
In one illustrative embodiment, a computer-implemented method is provided for caching threat intelligence enhancements in a threat intelligence cache of a threat intelligence computing system. The method comprises, in response to a threat intelligence enhancement (TIE) being generated based on threat intelligence data, applying one or more threat intelligence cache policies to the TIE to determine a default cache retention period for a TIE type corresponding to the TIE. Different TIE types have different default cache retention periods. The method further comprises processing, by a cache retention period engine, the TIE and corresponding context data in the threat intelligence data to determine an adjustment to the default cache retention period based on the context data. In addition, the method comprises modifying the default cache retention period by the determined adjustment to generate a modified cache retention period. Furthermore, the method comprises storing the TIE in a TIE cache in accordance with the modified cache retention period.
In other illustrative embodiments, a computer program product comprising a computer useable or readable medium having a computer readable program is provided. The computer readable program, when executed on a computing device, causes the computing device to perform various ones of, and combinations of, the operations outlined above with regard to the method illustrative embodiment.
In yet another illustrative embodiment, a system/apparatus is provided. The system/apparatus may comprise one or more processors and a memory coupled to the one or more processors. The memory may comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform various ones of, and combinations of, the operations outlined above with regard to the method illustrative embodiment.
These and other features and advantages of the present invention will be described in, or will become apparent to those of ordinary skill in the art in view of, the following detailed description of the example embodiments of the present invention.
BRIEF DESCRIPTION OF THE DRAWINGS
The invention, as well as a preferred mode of use and further objectives and advantages thereof, will best be understood by reference to the following detailed description of illustrative embodiments when read in conjunction with the accompanying drawings, wherein:
- FIG. 1 is an example diagram of a distributed data processing system environment in which aspects of the illustrative embodiments may be implemented and at least some of the computer code involved in performing the inventive methods may be executed;
- FIG. 2 is an example diagram of the primary operational components of a smart caching computing tool for threat intelligence enhancements in accordance with one illustrative embodiment;
- FIG. 3 is a flowchart outlining an example operation for dete