Systems and methods for consensus driven threat intelligence

Description

TECHNICAL FIELD

This disclosure relates generally to consensus driven threat intelligence, and more particularly relates to systems and methods for utilizing a blockchain network configured to receive threat intelligence requests and validate or invalidate such threat intelligence requests based on a consensus response from a series of nodes on the blockchain network.

BACKGROUND

A common methodology in use to try to address/reduce the perpetuation of malicious internet based threats involves the creation and curating of watchlists including various internet based sources known to pose a threat, such as certain internet protocol (IP) addresses, domains, files, and uniform resource locators (URLs). Typically, such watchlists may include a list of compromised, malicious, and/or other internet based resources that pose a threat. These watchlists further may be distributed to a community or various clients to aid in identifying and blocking these compromised and/or malicious internet based threats. However, since such watchlists are not owned by a single owner, the community may not reach a consensus regarding the contents of such watchlists, and/or the format and distribution of these watchlists. Further, watchlists, when solely curated and controlled by one entity, may be offered for sale at inflated prices due to their being considered proprietary data, preventing many in the community from using such watchlists. Additionally, such watchlists can lack historical context of potentially malicious internet based threats, leaving the community to determine if and/or how any historical context may impact the risk or potential threat of an internet based resource.

Accordingly, it can be seen that a need exists for systems and methods directed to active threat intelligence determinations that can be made with increased reliability and can be made readily available to and accessible by a plurality of computing devices (e.g., users in the community). The present disclosure is directed to the foregoing and other related, and unrelated, problems/issues in the art.

SUMMARY

Briefly described, according to various aspects, the present disclosure is directed to systems and methods for consensus driven threat intelligence. Such systems and methods may utilize a blockchain network comprising a plurality of blockchains. Each blockchain in the blockchain network may include one or more smart contracts. Each of the one or more smart contracts may comprise an API, instructions, or other program configured to transmit, retrieve, and/or store gathered and/or generated threat intelligence data corresponding to the threat intelligence request. In embodiments, the threat intelligence request may correspond to a request or query to determine whether an internet based resource or activity is or includes a valid or invalid threat or malicious action. Any one or more computing devices and/or users may submit the threat intelligence request to the blockchain network and a particular or corresponding smart contract (e.g., based on, for example, the type of threat intelligence request) active on the blockchain network. The smart contract may be configured to transmit the threat intelligence request to one or more oracles in signal communication with the blockchain network based on, for example, the type of threat intelligence request. In an embodiment, the smart contract may be configured to, periodically or at a pre-specified time interval, transmit the threat intelligence request to the one or more oracles. In another embodiment, the smart contract may be configured to generate a schedule, the schedule defining a selected time interval within which the smart contract may submit a threat intelligence request.

The one or more oracles may be configured to execute or to cause execution of a script, API, or other instructions or programs to generate the threat intelligence data at one or more corresponding nodes. The results from the one or more nodes may be transmitted back to the one or more oracles. The one or more oracles may then validate or invalidate a potential threat included in the threat intelligence request. In embodiments, the decision to validate or invalidate the potential threat of the threat intelligence request can be based on whether or not a consensus is reached by all of the nodes receiving the threat of intelligence request, and if all the nodes do not agree to validate, an error or other notice can be provided back to the oracle and/or the requestor. If a consensus is reached as to a validation or not, the validation or invalidation determination by the set of nodes may be transmitted back to the smart contract and used to update the smart contract.

In embodiments, each smart contract may be configured to transmit a threat intelligence request to the one or more oracles a plurality of times, generating a history for a particular potential threat. Further, the blockchain network may be configured to accept or receive requests to provide a watchlist. When a computing device or user requests a watchlist (e.g., submitting a request to the blockchain network for a watchlist or subset of a watchlist), each entry related to potential threats may include a history. For example, a website may initially be considered a ‘safe’ or “unsafe” website, and over time, such a consideration or status may change for any reason. In such examples, the historical analysis and validation/invalidation of the website or any other potential threat may be stored with a timestamp, subsequent analysis, an indicator of a compromise, an indicator of an attack, an indicator to indicate a reason the potential threat is malicious, a score, and/or other data.

In embodiments, to reach consensus as to whether a potential threat exists or not, the one or more oracles may utilize unanimous agreement from the one or more nodes. In one example, a majority of valid/invalid responses from the correspond nodes receiving the threat intelligence request may be utilized to reach consensus (e.g., simple or some other specified percentage) agreement. The systems and methods also may be configured to enable users to stake tokens on particular potential intelligence threats or intelligence threat requests. For example, a user may stake a token indicating a vote that the potential intelligence threat is valid or invalid. If the vote confirms that the intelligence threat is validated, then the user may receive the amount of tokens the user staked plus additional tokens.

In one aspect, the present disclosure provides a method for consensus driven threat intelligence utilizing a blockchain network. The method may include receiving a threat intelligence request that can be directed to at least one of one or more smart contracts implemented on a blockchain of the blockchain network and distributed to a plurality of nodes of the blockchain network. The threat intelligence request can include a request to gather intelligence related to a potential threat. The method may include broadcasting the threat intelligence request to one or more oracles configured to connect external information regarding potential threats to the blockchain. The method may include broadcasting the threat intelligence request from the one or more oracles to one or more corresponding nodes of the plurality of nodes. The method may include gathering threat intelligence data relating to the threat intelligence request at each of the one or more selected or corresponding nodes. The method may include determining, via a threat intelligence operation conducted at each of the one or more corresponding nodes and based on gathered threat intelligence data, a validation or invalidation of the potential threat. The method may include determining whether a consensus has been reached as to whether the potential threat is valid or invalid as determined by the threat intelligence operations conducted by each of the one or more corresponding nodes. The method may include, if a consensus is reached, submitting a threat entry including the gathered threat intelligence data relating to the determination of whether the potential threat of the threat intelligence request is valid or invalid resulting from the threat intelligence operations conducted by each of the one or more corresponding nodes to the at least one of the one or more smart contracts. The method may include storing and sorting each threat entry on the blockchain using the smart contract.

In an embodiment, the potential threat may be considered valid when each of the one or more corresponding nodes agrees on the validation of the potential threat submitted by the threat intelligence request.

In another embodiment, the method may include, if a consensus is not reached as to whether the potential threat is valid or invalid as determined by the threat intelligence operations conducted by each of the one or more corresponding nodes, returning an error message to the smart contract.

The threat intelligence request may be received from one or more computing devices, and, in embodiments the one or more computing nodes may be configured to stake tokens for or against validity of the potential threat. Each threat entry may comprise a timestamp, an indicator of a compromise, an indicator of an attack, a reason or an indicator to indicate a reason the potential threat is malicious, and the score. In such an embodiment, the method may include voting on whether the potential threat is malicious based on the received score. In some embodiments, the method further may include, in response to a request made to the at least one of the one or more smart contracts, generating a watchlist of threat entries from the blockchain. The watchlist may be sorted by age of the threat entry, a reason the threat entry is determined to be malicious, and/or a score relating to the determination of whether the potential threat is valid or invalid.

In an embodiment, each of the corresponding one or more nodes may include one or more of a custom API, a user based API, an internal API, an enterprise-specific API, or an external API. In another embodiment, each of the corresponding one or more nodes may validate potential threats via one or more of internet protocol (IP) address scans, advertisement banner grabs, network mapping, or gathering information from native sources, organic sources, or cultivated third party sources. The native sources, organic sources, or cultivated third party sources may relate to the potential threat's capability, infrastructure, motives, goals, relationships, resources, or some combination thereof. Each of the one or more smart contracts may include one of a blockchain application or a byte code application.

In one aspect, the present disclosure provides a system for consensus driven threat intelligence utilizing a blockchain network. The system may include one or more processors at a series of computing nodes of a decentralized and/or distributed network; each of the computing nodes including a memory having a datastore or memory configured to store and manage a blockchain of the blockchain networks comprising a plurality of smart contracts. The system may include non-transitory machine readable storage medium storing programming or computer readable instructions that are accessed and executed by the one or more processors of the computing nodes. The executed instructions may cause selected or corresponding ones of the computing nodes to receive a threat intelligence request directed to at least one of one or more smart contracts implemented on a blockchain of the blockchain network and distributed to a plurality of nodes of the blockchain network, the threat intelligence request to include a request to gather intelligence regarding a potential threat the threat intelligence request to include a potential threat. The executed instructions may cause the computing nodes to broadcast the threat intelligence request to one or more oracles configured to connect external information regarding potential threats to the blockchain. The executed instructions may cause the computing nodes to receive or determine a validation or invalidation of the potential threat based on a broadcast of the threat intelligence request from the one or more oracles to corresponding one or more nodes of a plurality of nodes, the corresponding one or more nodes of a plurality of nodes to gather threat intelligence data relating to the threat intelligence request and to generate a validation or invalidation of the threat intelligence request. The executed instructions may cause the one or more oracles to determine whether a consensus has been reached as to whether the potential threat is valid or invalid as determined by the threat intelligence operations conducted by each of the one or more corresponding nodes. The executed instructions may cause the one or more oracles to, if a consensus is reached, submit a threat entry including the gathered threat intelligence data relating to the determination of whether the potential threat of the threat intelligence request is valid or invalid based on the threat intelligence operations conducted by each of the one or more corresponding nodes.

In an embodiment, each of the corresponding one or more nodes may provide a timestamp, an indicator of a compromise, an indicator of an attack, a reason or an indicator to indicate a reason the potential threat is malicious, and a score.

In another embodiment, the computer readable instructions that are accessed and executed by the one or more processors of the computing nodes may cause the computing nodes to generate, in response to a received watchlist request from a computing device, a sorted watchlist, the watchlist including each validated potential threat. The executed instructions may cause the computing nodes to transmit the sorted watchlist to the computing device. The sorted watchlist may be sorted based on one or more of the timestamp, the reason or indicator to indicate the reason the potential threat is malicious, or a score.

In another embodiment, the one or more computing nodes may be configured to enable a user or operator stake tokens for or against validity of the potential threat. If the potential threat is validated, computing nodes that staked tokens for validity of the potential threat receive the staked tokens and additional tokens.

In another aspect, the present disclosure provides a system for consensus driven threat intelligence utilizing a blockchain network. The system may include a blockchain circuitry. The blockchain circuitry may operate with the blockchain network, and may be configured to store one or more smart contracts, the one or more smart contracts generated by one or more computing nodes to thereby define a blockchain of the blockchain network. The blockchain circuitry may receive a threat intelligence request directed to at least one of the one or more smart contracts implemented on a blockchain of the blockchain network and distributed to a plurality of nodes of the blockchain network, the threat intelligence request to include a request to gather intelligence related to a potential threat. The blockchain circuitry may be configured to broadcast, based on an API in the at least one of the one or more smart contracts corresponding to the potential threat, the threat intelligence request to one or more oracles configured to connect external information regarding potential threats to the blockchain. The blockchain circuitry may be configured to receive validation data from the one or more oracles. The blockchain circuitry may be configured to store results associated with the validation data. The system may include an oracle circuitry including the one or more oracles. The oracle circuitry may be configured to receive the threat intelligence request from the at least one of the one or more smart contracts. The oracle circuitry may be configured to broadcast the threat intelligence request to one or more nodes corresponding to the one or more oracles. The oracle circuitry may be configured to receive results from the one or more nodes, the results to include data indicating validation or invalidation of the potential threat of the threat intelligence request. The oracle circuitry may be configured to validate the potential threat based on the results from each of the one or more nodes. The oracle circuitry may utilize results received from the one or more nodes within a specified time for the threat intelligence request. The system may include a node circuitry configured to perform a threat assessment operation using data related to the potential threat of the threat intelligence request. The node circuitry may be configured to transmit the results to the corresponding one or more oracles. The oracle circuitry can be configured to determine if a consensus was reached by the one or more nodes as to whether to validate or invalidate the potential threat. In embodiments, if there is no consensus among the one or more nodes, an error message can be returned and/or the request resubmitted for further review by the nodes or by other circuitry.

In an embodiment, each of the one or more smart contracts may be configured to, in response to a request received from the one or more computer nodes, generate a watchlist based on the threat entries stored on the blockchain circuitry.

Various objects, features and advantages of the present disclosure will become apparent to those skilled in the art upon a review of the following detail description, when taken in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

It will be appreciated that for simplicity and clarity of illustration, elements illustrated in the Figures are not necessarily drawn to scale. For example, the dimensions of some elements may be exaggerated relative to other elements. Embodiments incorporating teachings of the present disclosure are shown and described with respect to the drawings herein, in which:

FIG. 1 is a schematic diagram of a data center including a networked system of information handling systems, according to one aspect of the present disclosure.

FIG. 2A, FIG. 2B, and FIG. 2C are schematic diagrams of systems for consensus driven threat intelligence, according to one aspect of the present disclosure.

FIG. 3 is a flow diagrams for consensus driven threat intelligence, according to one aspect of the present disclosure.

FIG. 4A and FIG. 4B is a flow diagrams for consensus driven threat intelligence, according to one aspect of the present disclosure.

FIG. 5 is a method/process for consensus driven threat intelligence, according to one aspect of the present disclosure.

FIG. 6 is a schematic diagram of an information handling system capable of administering each of the specific embodiments, according to one aspect of the present disclosure.

The use of the same reference symbols in different drawings indicates similar or identical items.

DETAILED DESCRIPTION

The following description in combination with the figures is provided to assist in understanding the teachings disclosed herein. The description is focused on specific implementations and embodiments of the teachings, and is provided to assist in describing the teachings. This focus should not be interpreted as a limitation on the scope or applicability of the teachings.

According to various aspects, the present disclosure is directed to systems and methods for consensus driven threat intelligence, for example, for determining if a potential action, website, URL, or other activity is malicious or poses a threat, and doing so in a manner that is independent and trust agnostic e.g., a series of reviews (nodes) to independently determine validity/invalidity of the potential threat, and if a threat is found classifying the potential threat as valid or invalid, which finding can be added for a block of the blockchain, and used to develop.

In embodiments, such systems and methods may utilize a blockchain network comprising a plurality of blockchains. Each blockchain in the blockchain network may include one or more smart contracts. Each of the one or more smart contracts may be or may include an API, instructions, or other program configured to transmit, retrieve, and/or store generated threat intelligence data corresponding to the threat intelligence request. The threat intelligence request may correspond to a request or query to determine whether an internet based resource is a valid or invalid threat. Any one or more computing devices and/or users may submit the threat intelligence request to the blockchain network and a particular or corresponding smart contract (e.g., based on, for example, the type of threat intelligence request). The smart contract may be configured to transmit the threat intelligence request to one or more oracles in signal communication with the blockchain network based on, for example, the type of threat intelligence request. In an embodiment, the smart contract may be configured to, periodically or at a pre-specified time interval, transmit the threat intelligence request to the one or more oracles. In another embodiment, the smart contract may be configured to generate a schedule, the schedule defining the specified time interval that the smart contract may submit a threat intelligence request.

The one or more oracles may be configured to execute or to cause execution of a script, API, or other instructions or programs to generate the threat intelligence data on one or more corresponding nodes. The results from the one or more nodes may be transmitted back to the one or more oracles. Based on the responses from the one or more nodes a consensus was reached by the nodes to validate or invalidate the one or more oracles may then validate or invalidate a potential threat included in the threat intelligence request, e.g. in some embodiments, based on whether the validation or invalidation may be transmitted back to the smart contract and used to update the smart contract and in turn can be used to update or modify a corresponding block of the blockchain.

Each smart contract may be configured to transmit a threat intelligence request to the one or more oracles a plurality of times, generating a history for a particular potential threat. Further, the blockchain network may be configured to accept or receive requests to provide a watchlist. When a computing device or user requests a watchlist (e.g., submitting a request to the blockchain network for a watchlist or subset of a watchlist), each entry related to potential threats may include a history. For example, a website may initially be considered a ‘safe’ website. Over time, such a consideration or status may change for any reason. In such examples, analysis of the website or any other potential threat may be stored with a timestamp, subsequent analysis, an indicator of a compromise, an indicator of an attack, a reason or an indicator to indicate a reason the potential threat is malicious, a score, and/or other data. Thus, as a plurality of determinations that a potential threat is valid or invalid are generated or formed, a history of the potential threat may be formed. Further, each of the one or more oracle nodes or nodes may utilize the history to determine a set of results to be sent to the one or more oracles.

To reach consensus, the one or more oracles may utilize unanimous agreement from the one or more nodes. In another example, a threshold majority of nodes may be utilized to reach consensus (e.g., simple or some other specified percentage) agreement. The systems and methods may also be configured to enable users to stake tokens on particular potential intelligence threats or intelligence threat requests. For example, a user may stake a token indicating a vote that the potential intelligence threat is valid or invalid. If the position voted on by the user is validated, then the user may receive the amount of tokens the user staked plus additional tokens.

As shown in FIGS. 1-6, the present disclosure includes systems and methods for consensus. The systems and methods disclosed herein are adapted to enable creation of watchlists, including watchlists of malicious activities or actions, and/or other internet based resources (e.g. IP addresses, domains, files, URLs, etc.) in a substantially automatic and trusted manner via independent validation from nodes of the blockchain network driven threat intelligence. A consensus reached for a particular threat may indicate validation or invalidation of an actual threat and/or as a compromised and/or malicious internet based resource.

FIG. 1 is a block diagram of an exemplary data center 10 for consensus driven threat intelligence. As shown in FIG. 1, the data center 10 can include a network 12 that may provide communications among a plurality of information handling systems 14, which can include work stations, personal computers, smart cellular telephones, personal digital assistants, laptop computers, servers, computing devices, other suitable devices, and/or combinations thereof. The information handling systems 14 further can be coupled to the network 12 through wired line connections 16, wireless connections 18, or any other suitable lines of communication or connection. As further shown in FIG. 1, the data center 10, and/or one or more of the information handling systems 14 thereof, can be communicatively coupled to a network, including a cloud based or other network as shown at 12 or 20 in FIG. 1, for example, through wired line connection 16, or through any other suitable connection, such as a wireless connection 18 (e.g., WiFi, cellular, etc.). The network 12 further can be accessible to/by one or more user or client managed information handling systems or devices 22 to facilitate communication between the client managed information handling systems 22 and the data center 10 for which system logs may be parsed and/or parsing scripts and/or rules may be generated by an event management center. The network 12 can include an API interface of the event management center, though the network can include any suitable network, such as the Internet or other wide area network, a local area network, or a combination of networks, and may provide communications, e.g., data communications, among the event management center and the client managed information handling systems 22.

The client managed information handling systems 22 can be connected to the network 20 through wired connections, e.g., an Ethernet cable, or other suitable wired or wireless connections 18, e.g., WiFi, Bluetooth®, cellular connections (e.g., 3G, 4G, LTE, 5G, etc.), other suitable wireless connections or combinations thereof (FIG. 1), to enable the clients or operators of information handling systems 22 to communicate with the event management center, e.g., to access one or more services provided thereby. For example, the event management center can be or include a web service.

For purposes of the present disclosure, the information handling systems 14/22 may include any instrumentality or aggregate of instrumentalities operable to compute, calculate, determine, classify, process, transmit, receive, retrieve, originate, switch, store, display, communicate, manifest, detect, record, reproduce, handle, or utilize any form of information, intelligence, or data for business, scientific, control, or other purposes. In one embodiment, the information handling systems may include storage, such as random access memory (RAM) or (ROM), one or more processing resources such as a central processing unit (CPU) or hardware or software control logic, ROM, and/or other types of nonvolatile memory. Additional components of the information handling system may include one or more disk drives, one or more network ports for communicating with external devices as well as various input and output (I/O) devices, such as a keyboard, a mouse, touchscreen, and/or a video display. The information handling systems also may include one or more buses operable to transmit communications between the various hardware components.

FIG. 2A, FIG. 2B, and FIG. 2C are schematic diagrams of systems for consensus driven threat intelligence, according to one aspect of the present disclosure. Turning first to FIG. 2A, a system 200 for generating consensus driven threat intelligence is illustrated. In such an embodiment, a blockchain or blockchain network 202 may include one or more smart contracts 204A, 204B, and up to 204N. The one or more smart contracts 204A, 204B, and up to 204N may handle or manage threat intelligence data and/or threat intelligence requests (e.g., the threat intelligence requests received from one or more computing devices 210A, 210B, and up to 210N). As noted one or more computing devices 210A, 210B, and up to 210N and/or one or more users (e.g., the users submitting the requests via the or more computing devices 210A, 210B, and up to 210N) may request that at least one of the one or more smart contracts 204A, 204B, and up to 204N gather threat intelligence data for a specified threat, potential threat, and/or threat intelligence request. The at least one of the one or more smart contracts 204A, 204B, and up to 204N also may store gathered results (e.g., validation or invalidation of a potential threat and/or corresponding data) on the blockchain or blockchain network 202.

Further, at least one of the one or more smart contracts 204A, 204B, and up to 204N may be utilized a plurality of times in relation to the specified threat, potential threat, and/or threat intelligence request, thus creating a history for that specified threat, potential threat, and/or threat intelligence request over a time interval or specified or pre-selected period of time. The specified threat, potential threat, and/or threat intelligence request may change over time or change a status (e.g., a threat or low to no threat) over time. The specified threat or potential threat may, for example, change from no threat to an actual threat, or from an actual threat to no threat based on varying factors (e.g., a resolution for a malicious threat is implemented, etc.). The specified threat or potential threat may change a plurality of times over time thus forming a history.

As noted, any user and/or one or more computing devices 210A, 210B, and up to 210N may request a threat validation or submit a threat intelligence request or operation. Such a request or submission may be automatically submitted based on various activities detected by or schedules implemented in or by the one or more computing devices 210A, 210B, and up to 210N. For example, a website may indicate to one or more computing devices 210A, 210B, and up to 210N that suspicious activity is occurring. In such examples, the one or more computing devices 210A, 210B, and up to 210N may automatically send the potential threat (e.g. a URL of the website and/or other internet resource threat information) with a request to gather threat intelligence data or validation, to the blockchain or blockchain network 202 and/or one or more smart contracts 204A, 204B, and up to 204N.

In an embodiment, the blockchain or blockchain network 202 may include software and/or hardware to parse or transmit received requests to at least one or more of the smart contracts 204A, 204B, and up to 204N based on a received threat intelligence request and/or information included in the threat intelligence request. In yet another embodiment, a user and/or the one or more computing devices 210A, 210B, and up to 210N may set or create a schedule for a threat intelligence request. In such embodiments, the threat intelligence request may be executed or performed by the at least one or more of the smart contracts 204A, 204B, and up to 204N at specified periods of time. In an embodiment, each of the one or more smart contracts 204A, 204B, and up to 204N may include one of a blockchain application or a byte code application.

The system 200 generally will include one or more oracles (e.g., oracle 206). In an embodiment, each one or more smart contracts 204A, 204B, and up to 204N may connect to one or more different oracles and/or one or more of the same oracles. While one oracle 206 is illustrated in FIG. 2A, it will be understood that such an embodiment is not limiting and that a plurality of oracles may be included in the system 200. The one or more oracles may gather the threat intelligence data and/or determine whether, based on received results, if a threat intelligence request includes a malicious internet based threat. The one or more oracles may connect the blockchain or blockchain network 202, typically unable to receive external data, to external data sources and/or real-world information, e.g., via the nodes or oracle nodes 208A, 208B, and up to 208N.

In such an embodiment, using the information in the threat intelligence request, each of the one or more nodes or oracle nodes 208A, 208B, and up to 208N called by the oracle 206 may gather threat intelligence data and/or perform a function or operation to gather such data or execute an operation to generate such data. For example, a node or oracle node may perform various operations, including, but not limited to, a banner grab, execute a port scan, execute an HTTP get command, open a website in an isolated environment, inspect a downloadable and/or installable software and/or firmware package, inspect a downloadable file, and so on.

Once the node or oracle node 208A, 208B, and up to 208N has performed such operations and/or gathered threat intelligence data, the node or oracle node 208A, 208B, and up to 208N may generate a validation or invalidation (e.g., whether a threat is present). The node or oracle node 208A, 208B, and up to 208N may return the validation or invalidation, along with other relevant data to the oracle 206. The oracle 206 may determine whether a consensus has been reached in regards to threat validation (e.g., whether a potential threat is malicious or not). A consensus will be determined based on the number of returned validations, and embodiments, a consensus will be reached if all nodes or oracles nodes 208A, 208B, and up to 208N return a validation. If all of the nodes that received the threat intelligence request do not return the same validate/invalidate response a consensus will not be reached and an error generated by the oracle 206 and all return an invalidation response. In yet another embodiment, the nodes or oracle nodes 208A, 208B, and up to 208N may return their individual decisions/results to the oracle 206 and the oracle 206 may determine if the potential threat is valid based on the results.

The oracle 206 may then return the consensus and related data to the at least one of the one or more smart contracts 204A, 204B, and up to 204N. The at least one of the one or more smart contracts 204A, 204B, and up to 204N may store the consensus and related data in the blockchain or blockchain network 202. The related data may include the validation or invalidation of the threat, a timestamp of when the threat was validated or invalidated, an indicator of a compromise, an indicator of an attack, a reason or an indicator to indicate a reason the potential threat is malicious, and a score indicating severity of the potential threat.

The one or more nodes or oracle nodes 208A, 208B, and up to 208N may include or call an API. The API may be added, included, or linked to the node or oracle node 208A, 208B, and up to 208N via or by a user, a computing device, the system 200, an administrator of the system 200, a curator of the system 200, and/or an internal and/or external user in relation to the blockchain or blockchain network 202.

Turning to FIG. 2B, the system 200 may include a threat intelligence system 203. The threat intelligence system 203 may include a processor 212 and memory 214. The memory 214 may include or store blockchain data 218. In another embodiment, the blockchain data 218 may be distributed across storage devices (e.g., the internal/external database 228), in addition to being stored in the memory 214. The threat intelligence system 203 may include other components such as an input/output module 220. The input/output module 220 may be configured to receive and/or transmit data from external sources (e.g., the oracles 220A, 220B, and up to 220N and/or the computing devices 210A, 210B, and up to 210N).

In an embodiment, the processor 212 may execute instructions stored in the memory 214, such as the APIs or other instructions or programs associated with, corresponding to, or comprising one or more smart contracts. In an embodiment, the oracles 220A, 220B, and up to 220N and nodes or oracle nodes (e.g., nodes or oracle nodes 222A, 222B, up to 222N, 224A, 224B, up to 224N, 226A, 226B, up to 226N) may be separate from or not included in the threat intelligence system 203. In another embodiment, the threat intelligence system 203 may include the oracles 220A, 220B, and up to 220N and/or nodes or oracle nodes (e.g., nodes or oracle nodes 222A, 222B, up to 222N, 224A, 224B, up to 224N, 226A, 226B, up to 226N) or instructions associated or corresponding therewith.

Turning to FIG. 2C, in an embodiment, the system 200 or apparatus may include a processing circuitry 230, memory 232, communications circuitry 234, blockchain circuitry 236, oracle circuitry 238, and node circuitry 240, each of which will be described in greater detail below. While the various components are only illustrated in FIG. 2C as being connected with processing circuitry 230, it will be understood that the system 200 or apparatus may further comprise a bus (not expressly shown in FIG. 2C) for passing information amongst any combination of the various components of the system 200 or apparatus. The system 200 or apparatus further may include programming or be configured to execute various operations described herein, such as those described above in connection with FIG. 1, FIG. 2A, and FIG. 2B and below in connection with FIG. 3, FIG. 4A, FIG. 4B, FIG. 5, and FIG. 6.

The processing circuitry 230 (and/or co-processor or any other processor assisting or otherwise associated with the processor) may be in communication with the memory 2232 via a bus for passing information amongst components of the system 200 or apparatus. The processing circuitry 230 may be embodied in a number of different ways and may, for example, include one or more processing devices configured to perform independently. Furthermore, the processing circuitry 230 may include one or more processors configured in tandem via a bus to enable independent execution of software instructions, pipelining, and/or multithreading. The use of the term “processor” may be understood to include a single core processor, a multi-core processor, multiple processors of the system 200 or apparatus, remote or “cloud” processors, or any combination thereof.

The processing circuitry 230 may be configured to execute software instructions stored in the memory 232 or otherwise accessible to the processing circuitry 230. In some cases, the processor may be configured to execute hard-coded functionality. As such, whether configured by hardware or software methods, or by a combination of hardware with software, the processing circuitry 230 represents an entity (e.g., physically embodied in circuitry) capable of performing operations according to various embodiments of the present invention while configured accordingly. Alternatively, as another example, when the processing circuitry 230 is embodied as an executor of software instructions, the software instructions may specifically configure the processing circuitry 230 to perform the algorithms and/or operations described herein when the software instructions are executed.

The memory 232 may be a non-transitory machine readable storage medium and may include, for example, one or more volatile and/or non-volatile memories. In other words, for example, the memory 232 may be an electronic storage device (e.g., a computer readable storage medium). The memory 232 may be configured to store information, data, content, applications, software instructions, or the like, for enabling the apparatus to carry out various functions in accordance with example embodiments contemplated herein.

The communications circuitry 234 may be any means such as a device or circuitry embodied in either hardware or a combination of hardware and software that is configured to receive and/or transmit data from/to a network and/or any other device, circuitry, or module in communication with the system 200 or apparatus. In this regard, the communications circuitry 234 may include, for example, a network interface for enabling communications with a wired or wireless communication network. For example, the communications circuitry 234 may include one or more network interface cards, antennas, buses, switches, routers, modems, and supporting hardware and/or software, or any other device suitable for enabling communications via a network. Furthermore, the communications circuitry 234 may include the processing circuitry for causing transmission of such signals to a network or for handling receipt of signals received from a network.

The system 200 or apparatus may include a blockchain circuitry 236 configured to provide or generate a blockchain structure or blockchain network. The blockchain network may be populated with one or more smart contracts specific to or corresponding to one or more different types of threats or based on another factor. Further, the one or more smart contracts may be added by a user or other external device and by way of examples, the blockchain circuitry 236 may generate an Ethereum based or other type of blockchain. The blockchain circuitry 236 may be configured to accept requests from one or more user or computing devices and parse the requests, sending each request to one or more smart contracts. The blockchain circuitry 236 further may be configured to receive results from one or more oracles, to determine whether a potential threat is a malicious threat, to sort the data stored in blockchain (e.g., a watchlist), and to provide the watchlist in a readable format to a requesting user. The blockchain circuitry 236 also may utilize the processing circuitry 230 to control one or more functions of one or more of these user interface elements through software instructions (e.g., application software and/or system software, such as firmware) stored on a memory (e.g., memory 232) accessible to the processing circuitry 230.

The system 200 or apparatus may include an oracle circuitry 238 configured to generate one or more oracles. The oracle circuitry 238 may be configured to, via the one or more oracles, securely link the blockchain to a set of APIs (e.g., nodes) to securely gather threat intelligence. The oracle circuitry 238 may be configured to, via the one or more oracles, transmit a threat intelligence request to one or more nodes and determine whether the threat intelligence request is valid (e.g., the threat is malicious) based on results received from the one or more nodes. The oracle circuitry 238 may utilize the processing circuitry 230 to control one or more functions of one or more of these user interface elements through software instructions (e.g., application software and/or system software, such as firmware) stored on a memory (e.g., memory 232) accessible to the processing circuitry 230.

The apparatus 200 may include a node circuitry 240 configured to provide or generate one or more nodes, each of the one or more nodes including one or more APIs. The node circuitry 240 may be configured to, via the one or more nodes, perform or execute an operation, API, or instructions to cause the node circuitry 240 to generate a set of results related to the threat intelligence request. The node circuitry 240 may utilize the processing circuitry 230 to control one or more functions of one or more of these user interface elements through software instructions (e.g., application software and/or system software, such as firmware) stored on a memory (e.g., memory 232) accessible to the processing circuitry 230.

FIG. 3 is a flow diagram schematically illustrating a consensus driven threat intelligence, according to one aspect of the present disclosure. A user 302 (e.g., a computing device or person utilizing a computing device) may submit a request. The user 302 may submit the request to the contract 306 (e.g., smart contract) via a user interface, a web based user interface, a restful API, another API, or via some other interface configured to send a request from a user 302 to a smart contract 306. In such examples, the user interface may be generated to include a text box or search box and an upload file area. A user 302 may input a type of request and upload relevant data (e.g., a URL, IP address, file, email, etc.). The user 302 may submit a request to investigate a threat 304.

The smart contract 306, via included instructions and/or APIs, may initiate the gathering or collecting of threat intelligence 308 regarding the potential threat. Such an initiation may include the smart contract 306 transferring the relevant data and other details to the oracle 310. The oracle 310 may select a particular subset of oracle nodes 314 based on the type of request, type of threat, and/or type of threat intelligence sought. The oracle 310 may transfer the relevant data and other details regarding a threat intelligence request directed to the potential threat to the oracle nodes 314. The oracle nodes 314 may execute one or more of a custom API, a user based API, an internal API (e.g., internal to an organization or enterprise), an enterprise-specific API (e.g., code or an API that executes on enterprise specific hardware to perform a threat intelligence request), or an external API (e.g., developed by a third party) to generate data for the threat intelligence request.

Once the oracle node 314 executes the API to generate data or results related to the threat intelligence request, the oracle node 314 may transmit results 316 to the oracle 310. The oracle 310 may determine whether consensus has been reached based on responses from the nodes, and if so, determine whether the threat intelligence request indicates a valid and/or malicious threat. The oracle 310 then may transmit the watchlist update 318 to the contract 306. The smart contract 306 may then update the watchlist in the blockchain based on the results and/or the validation or invalidation.

FIG. 4A and FIG. 4B is a flow diagrams for consensus driven threat intelligence, according to one aspect of the present disclosure. In an embodiment, the smart contract 306 may include an API to sort the watchlist 404. Such an operation may occur upon user request of the watchlist 402, at a pre-selected time period, and/or upon occurrence of other events. In such embodiments, a user 302 may request a watchlist 402. If the watchlist has not been sorted, or in some cases, regardless of whether the watchlist previously has been sorted or not, the smart contract 306 may sort the watchlist 402 based on one or more factors, such as sorting the watchlist 402 based on by age of the threat entry, a reason the threat entry is determined to be malicious, and a score relating to the determination of whether the potential threat is valid or invalid or based on severity of the threat. The sorted watchlist 406 may be provided to the user 302, via the smart contract 306, in one or more different formats, such as a text file, a word document, a spreadsheet, a pdf file, or some other user readable format.

Turning to FIG. 4B, the user 302 may stake or may vote for an intelligence threat with one or more tokens or portions of a token 408. The user 302 may vote to validate or invalidate the potential threat. The vote and staked tokens may be submitted to the smart contract 306 by the user 302. In other words, the user 302 may submit a vote with a number or portion of tokens indicating that the user 302 suspects that the threat is a valid threat or an invalid threat. The smart contract 306 may increase the number of votes on an intelligence threat 410 based on the number or portion of tokens staked. If the position voted on by the user wins or is the result of the operations described herein, then the user 302 may receive a portion of tokens staked for an opposite position or vote, as well as the original amount of tokens staked.

FIG. 5 is a method/process for consensus driven threat intelligence, according to one aspect of the present disclosure It also will be understood that any of the Figs. described herein may implement the method 500, in particular FIGS. 1-2C. Method 500 may be included in one or more programs, protocols, or instructions loaded into memory of a computing device. The order in which the operations are described is not intended to be construed as a limitation, and any number of the described blocks may be combined in any order and/or in parallel to implement the disclosed methods.

At block 502, a system (e.g., threat intelligence system 200 of FIGS. 2A-2C) may determine or check whether a request or threat intelligence request has been received. If a request has been received, from a user and/or computing device, the system may transmit the request to a smart contract or to a corresponding one or more smart contract.

At block 504 (FIG. 5), the smart contract may receive the threat intelligence request from the user and/or computing device. At block 506, the system and/or smart contract may broadcast the threat intelligence request to one or more oracles. At block 508, the oracle may determine corresponding nodes. In other words, the oracle may determine which nodes may be utilized for gathering threat intelligence data.

At block 510, the oracle may transmit or broadcast the threat intelligence request to the one or more corresponding nodes. The one or more corresponding nodes may execute APIs and/or other instructions or programs to gather threat intelligence. At block 512, the one or more corresponding nodes may determine validation results and other data. After a determination of validation results and other data, the one or more corresponding nodes may transmit the validation results and other data to the oracle. The oracle may determine whether the threat intelligence request is valid (e.g., the potential threat is malicious) or invalid (e.g., the potential threat is not malicious).

As noted, at block 514, the one or more oracles may determine whether the threat is valid based on the received results. If the threat is not valid, at block 516, the threat intelligence system may update the smart contract to indicate that the threat is invalid or not valid. If the threat is valid, at block 518, the threat intelligence system may update the smart contract to indicate a valid threat. In either case, the watchlist may be updated. Records may exist for a potential threat of the threat intelligence request. In such examples, the latest results may be stored in the blockchain network as an addition to the history of the potential threat. The smart contract, at block 520, may store the results along with other data (e.g., timestamp, indications of maliciousness, etc.)

FIG. 6 is a schematic diagram of an information handling system capable of administering each of the specific embodiments, according to one aspect of the present disclosure. The information handling system 600 can represent the systems of FIGS. 1 through 3. The information handling system 600 may include a computer system or processor 602 such as a central processing unit (CPU), a graphics processing unit (GPU), or both. Moreover, the information handling system 600 can include a main memory 604 and a static memory 607 that can communicate with each other via a bus 608. The information handling system 600 includes near-field communications (NFC) device and interface 618, such as an antenna and NFC subsystem. The information handling system 600 can also include a disk drive unit 616, and a network interface device 620. As shown, the information handling system 600 further may include a video display unit 610, such as a liquid crystal display (LCD), an organic light emitting diode (OLED), a flat panel display, a solid state display, or a cathode ray tube (CRT), or other suitable display. The video display unit 610 may also act as an input accepting touchscreen inputs. Additionally, the information handling system 600 may include an input device 612, such as a keyboard, or a cursor control device, such as a mouse or touch pad, or a selectable interface on the display unit. The information handling system may include a battery system 614. The information handling system 600 can represent a device capable of telecommunications and whose can be share resources, voice communications, and data communications among multiple devices. The information handling system 600 can also represent a server device whose resources can be shared by multiple client devices, or it can represent an individual client device, such as a laptop or tablet personal computer.

The information handling system 600 can include a set of instructions that can be executed to cause the processor to perform any one or more of the methods or computer based functions disclosed herein. The processor 602 may operate as a standalone device or may be connected such as using a network, to other computer systems or peripheral devices.

In a networked deployment, the information handling system 600 may operate in the capacity of a server or as a client user computer in a server-client user network environment, or as a peer computer system in a peer-to-peer (or distributed) network environment. The information handling system 600 can also be implemented as or incorporated into various devices, such as a personal computer (PC), a tablet PC, a set-top box (STB), a smartphone, a PDA, a mobile device, a palmtop computer, a laptop computer, a desktop computer, a communications device, a wireless telephone, a land-line telephone, a control system, a camera, a scanner, a facsimile machine, a printer, a pager, a personal trusted device, a web appliance, a network router, switch or bridge, or any other machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. In a particular embodiment, the computer system 600 can be implemented using electronic devices that provide voice, video or data communication. Further, while a single information handling system 600 is illustrated, the term “system” shall also be taken to include any collection of systems or subsystems that individually or jointly execute a set, or multiple sets, of instructions to perform one or more computer functions.

The disk drive unit 616 or static memory 614 may include a computer-readable medium 622 in which one or more sets of instructions 624 such as software can be embedded. The disk drive unit 616 or static memory 614 also contains space for data storage. Further, the instructions 624 may embody one or more of the methods or logic as described herein. In a particular embodiment, the instructions 624 may reside completely, or at least partially, within the main memory 604, the static memory 606, and/or within the processor 602 during execution by the information handling system 600. The main memory 604 and the processor 602 also may include computer-readable media. The network interface device 620 can provide connectivity to a network 626, e.g., a wide area network (WAN), a local area network (LAN), wireless network (IEEE 802), or other network. The network interface 620 may also interface with macrocellular networks including wireless telecommunications networks such as those characterized as 2G, 3G, 4G, 5G, LTE or similar wireless telecommunications networks similar to those described above. The network interface 620 may be a wireless adapter having antenna systems 632 for various wireless connectivity and radio frequency subsystems 630 for signal reception, transmission, or related processing.

In an alternative embodiment, dedicated hardware implementations such as application specific integrated circuits, programmable logic arrays and other hardware devices can be constructed to implement one or more of the methods described herein. Applications that may include the apparatus and systems of various embodiments can broadly include a variety of electronic and computer systems. One or more embodiments described herein may implement functions using two or more specific interconnected hardware modules or devices with related control and data signals that can be communicated between and through the modules, or as portions of an application-specific integrated circuit. Accordingly, the present system encompasses software, firmware, and hardware implementations. In accordance with various embodiments of the present disclosure, the methods described herein may be implemented by software programs executable by a computer system. Further, in an exemplary, non-limited embodiment, implementations can include distributed processing, component/object distributed processing, and parallel processing. Alternatively, virtual computer system processing can be constructed to implement one or more of the methods or functionality as described herein.

The present disclosure contemplates a computer-readable medium that includes instructions 624 or receives and executes instructions 624 responsive to a propagated signal; so that a device connected to a network 628 can communicate voice, video or data over the network 628. Further, the instructions 624 may be transmitted or received over the network 628 via the network interface device 620. In a particular embodiment, BIOS/FW code 624 reside in memory 604, and include machine-executable code that is executed by processor 602 to perform various functions of information handling system 600.

Information handling system 600 includes one or more application programs 624, and Basic Input/Output System and Firmware (BIOS/FW) code 624. BIOS/FW code 624 functions to initialize information handling system 600 on power up, to launch an operating system, and to manage input and output interactions between the operating system and the other elements of information handling system 600.

In another embodiment (not illustrated), application programs and BIOS/FW code reside in another storage medium of information handling system 600. For example, application programs and BIOS/FW code can reside in drive 616, in a ROM (not illustrated) associated with information handling system 600, in an option-ROM (not illustrated) associated with various devices of information handling system 600, in storage system 607, in a storage system (not illustrated) associated with network channel 620, in another storage medium of the information handling system 600, or a combination thereof. Application programs 624 and BIOS/FW code 624 can each be implemented as single programs, or as separate programs carrying out the various features as described herein.

While the computer-readable medium is shown to be a single medium, the term “computer-readable medium” includes a single medium or multiple media, such as a centralized or distributed database, and/or associated caches and servers that store one or more sets of instructions. The term “computer-readable medium” shall also include any medium that is capable of storing, encoding, or carrying a set of instructions for execution by a processor or that cause a computer system to perform any one or more of the methods or operations disclosed herein.

In a particular non-limiting, exemplary embodiment, the computer-readable medium can include a solid-state memory such as a memory card or other package that houses one or more non-volatile, read-only memories. Further, the computer-readable medium can be a random access memory or other volatile re-writable memory. Additionally, the computer-readable medium can include a magneto-optical or optical medium, such as a disk or tapes or other storage device to store information received via carrier wave signals such as a signal communicated over a transmission medium. Furthermore, a computer readable medium can store information received from distributed network resources such as from a cloud-based environment. A digital file attachment to an e-mail or other self-contained information archive or set of archives may be considered a distribution medium that is equivalent to a tangible storage medium. Accordingly, the disclosure is considered to include any one or more of a computer-readable medium or a distribution medium and other equivalents and successor media, in which data or instructions may be stored.

In the embodiments described herein, an information handling system includes any instrumentality or aggregate of instrumentalities operable to compute, classify, process, transmit, receive, retrieve, originate, switch, store, display, manifest, detect, record, reproduce, handle, or use any form of information, intelligence, or data for business, scientific, control, entertainment, or other purposes. For example, an information handling system can be a personal computer, a consumer electronic device, a network server or storage device, a switch router, wireless router, or other network communication device, a network connected device (cellular telephone, tablet device, etc.), or any other suitable device, and can vary in size, shape, performance, price, and functionality.

The information handling system can include memory (volatile (such as random-access memory, etc.), nonvolatile (read-only memory, flash memory etc.), or any combination thereof), one or more processing resources, such as a central processing unit (CPU), a graphics processing unit (GPU), hardware or software control logic, or any combination thereof. Additional components of the information handling system can include one or more storage devices, one or more communications ports for communicating with external devices, as well as, various input and output (I/O) devices, such as a keyboard, a mouse, a video/graphic display, or any combination thereof. The information handling system can also include one or more buses operable to transmit communications between the various hardware components. Portions of an information handling system may themselves be considered information handling systems.

When referred to as a “device,” a “module,” or the like, the embodiments described herein can be configured as hardware. For example, a portion of an information handling system device may be hardware such as, for example, an integrated circuit (such as an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), a structured ASIC, or a device embedded on a larger chip), a card (such as a Peripheral Component Interface (PCI) card, a PCI-express card, a Personal Computer Memory Card International Association (PCMCIA) card, or other such expansion card), or a system (such as a motherboard, a system-on-a-chip (SoC), or a stand-alone device).

The device or module can include software, including firmware embedded at a device, such as a Pentium class or PowerPC™ brand processor, or other such device, or software capable of operating a relevant environment of the information handling system. The device or module can also include a combination of the foregoing examples of hardware or software. Note that an information handling system can include an integrated circuit or a board-level product having portions thereof that can also be any combination of hardware and software.

Devices, modules, resources, or programs that are in communication with one another need not be in continuous communication with each other, unless expressly specified otherwise. In addition, devices, modules, resources, or programs that are in communication with one another can communicate directly or indirectly through one or more intermediaries.

The term “computing device” or “system device” is used herein to refer to any one or all of programmable logic controllers (PLCs), programmable automation controllers (PACs), industrial computers, desktop computers, personal data assistants (PDAs), laptop computers, tablet computers, smart books, palm-top computers, personal computers, smartphones, wearable devices (such as headsets, smartwatches, or the like), and similar electronic devices equipped with at least a processor and any other physical components necessarily to perform the various operations described herein. Devices such as smartphones, laptop computers, tablet computers, and wearable devices are generally collectively referred to as mobile devices.

The term “server” or “server device” is used herein to refer to any computing device capable of functioning as a server, such as a master exchange server, web server, mail server, document server, or any other type of server. A server may be a dedicated computing device or a server module (e.g., an application) hosted by a computing device that causes the computing device to operate as a server. A server module (e.g., server application) may be a full function server module, or a light or secondary server module (e.g., light or secondary server application) that is configured to provide synchronization services among the dynamic databases on computing devices. A light server or secondary server may be a slimmed-down version of server type functionality that can be implemented on a computing device, such as a smart phone, thereby enabling it to function as an Internet server (e.g., an enterprise e-mail server) only to the extent necessary to provide the functionality described herein.

The term “non-transitory machine-readable storage medium” is used herein to refer to any electronic, magnetic, optical, or other physical storage apparatus to contain or store information such as executable instructions, data, and the like. For example, any machine-readable storage medium described herein may be any of random access memory (RAM), volatile memory, non-volatile memory, flash memory, a storage drive (e.g., hard drive), a solid state drive, any type of storage disc, and the like, or a combination thereof. The memory may store or include instructions executable by the processor.

The term “processor” or “processing circuitry” is used herein to refer to any one processor or multiple processors included in a single device or distributed across multiple computing devices. The processor may be at least one of a central processing unit (CPU), a semiconductor-based microprocessor, a graphics processing unit (GPU), a field-programmable gate array (FPGA) to retrieve and execute instructions, a real time processor (RTP), other electronic circuitry suitable for the retrieval and execution instructions stored on a machine-readable storage medium, or a combination thereof.

The foregoing description generally illustrates and describes various embodiments of the present disclosure. It will, however, be understood by those skilled in the art that various changes and modifications can be made to the above-discussed construction of the present disclosure without departing from the spirit and scope of the disclosure as disclosed herein, and that it is intended that all matter contained in the above description or shown in the accompanying drawings shall be interpreted as being illustrative, and not to be taken in a limiting sense. Furthermore, the scope of the present disclosure shall be construed to cover various modifications, combinations, additions, alterations, etc., above and to the above-described embodiments, which shall be considered to be within the scope of the present disclosure. Accordingly, various features and characteristics of the present disclosure as discussed herein may be selectively interchanged and applied to other illustrated and non-illustrated embodiments of the disclosure, and numerous variations, modifications, and additions further can be made thereto without departing from the spirit and scope of the present invention as set forth in the appended claims.

Claims

1. A method for consensus driven threat intelligence utilizing a blockchain network, the method comprising: receiving a threat intelligence request directed to at least one of one or more smart contracts implemented on a blockchain of the blockchain network and distributed to a plurality of nodes of the blockchain network, the threat intelligence request to include a request to gather intelligence related to a potential threat;broadcasting the threat intelligence request to one or more oracles configured to connect external information regarding potential threats to the blockchain;broadcasting the threat intelligence request from the one or more oracles to one or more corresponding nodes of the plurality of nodes;gathering threat intelligence data relating to the threat intelligence request at each of the one or more corresponding nodes;determining, via a threat intelligence operation conducted at each of the one or more corresponding nodes and based on gathered threat intelligence data, a validation or invalidation of the potential threat;determining whether a consensus has been reached as to whether the potential threat is valid or invalid as determined by the threat intelligence operations conducted by each of the one or more corresponding nodes;if a consensus is reached, submitting a threat entry including the gathered threat intelligence data relating to the determination of whether the potential threat of the threat intelligence request is valid or invalid resulting from the threat intelligence operations conducted by each of the one or more corresponding nodes to the at least one of the one or more smart contracts; andstoring and sorting each threat entry on the blockchain using the smart contract.
2. The method of claim 1, wherein the potential threat is considered valid when each of the one or more corresponding nodes agrees on the validation of the potential threat submitted by the threat intelligence request.
3. The method of claim 1, further comprising, if a consensus is not reached as to whether the potential threat is valid or invalid as determined by the threat intelligence operations conducted by each of the one or more corresponding nodes, returning an error to the smart contract.
4. The method of claim 1, wherein the threat intelligence request is received from one or more computing devices, and wherein the one or more computing nodes are configured to stake tokens for or against validity of the potential threat.
5. The method of claim 1, wherein each threat entry comprises a timestamp, an indicator of a compromise, an indicator of an attack, a reason or an indicator to indicate a reason the potential threat is malicious, and the score.
6. The method of claim 5, further comprising voting on whether the potential threat is malicious based on the received score.
7. The method of claim 6, further comprising, in response to a request made to the at least one of the one or more smart contracts, generating a watchlist of threat entries from the blockchain, wherein the watchlist is sorted by age of the threat entry, a reason the threat entry is determined to be malicious, and a score relating to the determination of whether the potential threat is valid or invalid.
8. The method of claim 1, wherein each of the corresponding one or more nodes includes one or more of a custom API, a user based API, an internal API, an enterprise-specific API, or an external API.
9. The method of claim 1, wherein each of the corresponding one or more nodes validates potential threats via one or more of internet protocol (IP) address scans, advertisement banner grabs, network mapping, or gathering information from native sources, organic sources, or cultivated third party sources.
10. The method of claim 7, wherein the native sources, organic sources, or cultivated third party sources relate to the potential threat's capability, infrastructure, motives, goals, relationships, resources, or some combination thereof.
11. The method of claim 1, wherein each of the one or more smart contracts includes one of a blockchain application or a byte code application.
12. A system for consensus driven threat intelligence utilizing a blockchain network, the system comprising: one or more processors at a series of computing nodes of a distributed network, each of the computing nodes including a memory having a datastore configured to store and manage a blockchain of the blockchain networks comprising a plurality of smart contracts;a non-transitory machine readable storage medium storing computer readable instructions that are accessed and executed by the one or more processors of the computing nodes to cause the computing nodes to: receive a threat intelligence request directed to at least one of one or more smart contracts implemented on a blockchain of the blockchain network and distributed to a plurality of nodes of the blockchain network, the threat intelligence request to include a request to gather intelligence regarding a potential threat the threat intelligence request to include a potential threat;broadcast the threat intelligence request to one or more oracles configured to connect external information regarding potential threats to the blockchain;receive a validation or invalidation of the potential threat based on a broadcast of the threat intelligence request from the one or more oracles to corresponding one or more nodes of a plurality of nodes, the corresponding one or more nodes of a plurality of nodes to gather threat intelligence data relating to the threat intelligence request and to generate a validation or invalidation of the threat intelligence request;determine whether a consensus has been reached as to whether the potential threat is valid or invalid as determined by the threat intelligence operations conducted by each of the one or more corresponding nodes; andif a consensus is reached, submit a threat entry including the gathered threat intelligence data relating to the determination of whether the potential threat of the threat intelligence request is valid or invalid resulting from the threat intelligence operations conducted by each of the one or more corresponding nodes to the at least one of the one or more smart contracts.
13. The system of claim 12, wherein each of the corresponding one or more nodes provides a timestamp, an indicator of a compromise, an indicator of an attack, a reason or an indicator to indicate a reason the potential threat is malicious, and a score.
14. The system of claim 13, wherein the computer readable instructions that are accessed and executed by the one or more processors of the computing nodes to cause the computing nodes to: generate, in response to a received watchlist request from a computing device, a sorted watchlist, the watchlist including each validated potential threat; andtransmitting the sorted watchlist to the computing device.
15. The system of claim 14, wherein the sorted watchlist is sorted based on one or more of the timestamp, the reason or the indicator to indicate the reason the potential threat is malicious, or a score.
16. The system of claim 12, wherein the one or more computing nodes are configured to stake tokens for or against validity of the potential threat.
17. The system of claim 16, wherein, if the potential threat is validated, computing nodes that staked tokens for validity of the potential threat receive the staked tokens and additional tokens.
18. A system for consensus driven threat intelligence utilizing a blockchain network, the system comprising: a blockchain circuitry configured to: store one or more smart contracts, the one or more smart contracts generated by one or more computing nodes to thereby define a blockchain of the blockchain network,receive a threat intelligence request directed to at least one of the one or more smart contracts implemented on a blockchain of the blockchain network and distributed to a plurality of nodes of the blockchain network, the threat intelligence request to include a request to gather intelligence related to a potential threat,broadcast, based on an API in the at least one of the one or more smart contracts corresponding to the potential threat, the threat intelligence request to one or more oracles configured to connect external information regarding potential threats to the blockchain;receive validation data from the one or more oracles, andstore results associated with the validation data;an oracle circuitry including the one or more oracles and configured to: receive the threat intelligence request from the at least one of the one or more smart contracts,broadcast the threat intelligence request to one or more nodes corresponding to the one or more oracles,receive results from the one or more nodes, the results to include data indicating validation or invalidation of the potential threat of the threat intelligence request, andvalidate the potential threat based on the results from each of the one or more nodes; anda node circuitry configured to: perform a threat assessment operation using data related to the potential threat of the threat intelligence request; andtransmit the results to the corresponding one or more oracles.
19. The system of claim 18, wherein the each of the one or more smart contracts is configured to, in response to a request received from the one or more computer nodes, generate a watchlist based on the threat entries stored on the blockchain circuitry.
20. The system of claim 18, wherein the oracle circuitry utilizes results received from the one or more nodes within a specified time for the threat intelligence request.

US Referenced Citations (389)

Number	Name	Date	Kind
5937066	Gennaro et al.	Aug 1999	A
6357010	Viets et al.	Mar 2002	B1
7269578	Sweeney	Sep 2007	B2
7331061	Ramsey et al.	Feb 2008	B1
7492957	Bonhaus et al.	Feb 2009	B1
7548932	Horvitz et al.	Jun 2009	B2
7555482	Korkus	Jun 2009	B2
7571474	Ross et al.	Aug 2009	B2
7594270	Church et al.	Sep 2009	B2
7606801	Faitelson et al.	Oct 2009	B2
7613722	Horvitz et al.	Nov 2009	B2
7770031	MacKay et al.	Aug 2010	B2
7841008	Cole	Nov 2010	B1
7856411	Darr	Dec 2010	B2
7926113	Gula et al.	Apr 2011	B1
8037529	Chiueh	Oct 2011	B1
8079081	Lavrik et al.	Dec 2011	B1
8082506	McConnell	Dec 2011	B1
8122495	Ramsey et al.	Feb 2012	B2
8156553	Church et al.	Apr 2012	B1
8327419	Korablev et al.	Dec 2012	B1
8407335	Church et al.	Mar 2013	B1
8490193	Sarraute et al.	Jul 2013	B2
8490196	Lucangeli et al.	Jul 2013	B2
8522350	Davenport et al.	Aug 2013	B2
8539575	Schmitlin et al.	Sep 2013	B2
8578393	Fisher	Nov 2013	B1
8595170	Gladstone et al.	Nov 2013	B2
8621618	Ramsey et al.	Dec 2013	B1
8701176	Ramsey et al.	Apr 2014	B2
8793786	Bhesania et al.	Jul 2014	B2
8805881	Hom et al.	Aug 2014	B2
8832048	Lim	Sep 2014	B2
8839414	Mantle et al.	Sep 2014	B2
8898777	Oliver	Nov 2014	B1
8909673	Faitelson et al.	Dec 2014	B2
8931095	Ramsey et al.	Jan 2015	B2
8938802	Davenport et al.	Jan 2015	B2
8959115	Marathe	Feb 2015	B2
8984644	Oliphant et al.	Mar 2015	B2
9009828	Ramsey et al.	Apr 2015	B1
9032478	Ballesteros et al.	May 2015	B2
8928476	Jerhotova et al.	Jun 2015	B2
9046886	Chong et al.	Jun 2015	B2
9047336	Hom et al.	Jun 2015	B2
9058492	Satish	Jun 2015	B1
9069599	Martinez et al.	Jun 2015	B2
9098702	Rubin et al.	Aug 2015	B2
9129105	Donley et al.	Sep 2015	B2
9130988	Seifert et al.	Sep 2015	B2
9137262	Qureshi et al.	Sep 2015	B2
9191400	Ptasinski et al.	Nov 2015	B1
9195809	Kaplan	Nov 2015	B1
9275231	Chen	Mar 2016	B1
9298895	Lim	Mar 2016	B2
9319426	Webb et al.	Apr 2016	B2
9338134	Yin	May 2016	B2
9338180	Ramsey et al.	May 2016	B2
9430534	Bhattacharya et al.	Aug 2016	B2
9438563	Yin	Sep 2016	B2
9438623	Thioux	Sep 2016	B1
9519756	Bitran et al.	Dec 2016	B2
9544273	Fleury et al.	Jan 2017	B2
9548994	Pearcy et al.	Jan 2017	B2
9558352	Dennison et al.	Jan 2017	B1
9560062	Khatri et al.	Jan 2017	B2
9560068	Figlin et al.	Jan 2017	B2
9596252	Coates et al.	Mar 2017	B2
9628511	Ramsey et al.	Apr 2017	B2
9667656	Banerjee et al.	May 2017	B2
9667661	Sharma et al.	May 2017	B2
9690938	Saxe et al.	Jun 2017	B1
9692778	Mohanty	Jun 2017	B1
9710672	Braun	Jul 2017	B2
9712549	Almurayh	Jul 2017	B2
9742559	Christodorescu et al.	Aug 2017	B2
9767302	Lim	Sep 2017	B2
9792443	Sheridan	Oct 2017	B1
9805202	Medeiros et al.	Oct 2017	B2
9825989	Mehra	Nov 2017	B1
9910986	Saxe et al.	Mar 2018	B1
9934376	Ismael	Apr 2018	B1
9973524	Boyer et al.	May 2018	B2
9998480	Gates	Jun 2018	B1
10038706	Mekky	Jul 2018	B2
10050992	Thyni et al.	Aug 2018	B2
10063582	Feng et al.	Aug 2018	B1
10114954	Bellis	Oct 2018	B1
10116500	Long et al.	Oct 2018	B1
10218733	Amidon	Feb 2019	B1
10270790	Jackson	Apr 2019	B1
10277625	Efstathopoulos	Apr 2019	B1
10311231	Kayyoor et al.	Jun 2019	B1
10348747	Yamada	Jul 2019	B2
10356125	Goutal et al.	Jul 2019	B2
10382473	Ashkenazy	Aug 2019	B1
10382489	Das et al.	Aug 2019	B2
10419903	Singh et al.	Sep 2019	B2
10425223	Roth et al.	Sep 2019	B2
10454950	Aziz	Oct 2019	B1
10474813	Ismael	Nov 2019	B1
10474820	Manadhata	Nov 2019	B2
10491632	Natarajan et al.	Nov 2019	B1
10521584	Sharifi Mehr	Dec 2019	B1
10558809	Joyce	Feb 2020	B1
10567407	Tang et al.	Feb 2020	B2
10594713	McLean	Mar 2020	B2
10601865	Mesdaq et al.	Mar 2020	B1
10642753	Steinberg	May 2020	B1
10691810	Freitag	Jun 2020	B1
10726127	Steinberg	Jul 2020	B1
10728263	Neumann	Jul 2020	B1
10735470	Vidas et al.	Aug 2020	B2
10754958	Sidagni	Aug 2020	B1
10762206	Titonis et al.	Sep 2020	B2
10785238	McLean et al.	Sep 2020	B2
10834128	Rajogopalan et al.	Nov 2020	B1
10841337	Kinder	Nov 2020	B2
10853431	Lin et al.	Dec 2020	B1
10855717	Feiman	Dec 2020	B1
10868825	Dominessy	Dec 2020	B1
10915828	Qhi	Feb 2021	B2
10944758	Nagargadde	Mar 2021	B1
11003718	McLean et al.	May 2021	B2
11038920	Sellers	Jun 2021	B1
11044263	McLean et al.	Jun 2021	B2
11113086	Steinberg	Sep 2021	B1
11140193	Patel	Oct 2021	B2
11165862	Austin et al.	Nov 2021	B2
11275831	Aouad et al.	Mar 2022	B1
11310268	Bowditch et al.	Apr 2022	B2
11693972	Nunes	Jul 2023	B2
11757907	Berger	Sep 2023	B1
11863577	Miseiko	Jan 2024	B1
20020129135	Delany et al.	Sep 2002	A1
20020199122	Davis	Dec 2002	A1
20040128543	Blake	Jul 2004	A1
20050060295	Gould et al.	Mar 2005	A1
20050138204	Iyer et al.	Jun 2005	A1
20050166072	Converse	Jul 2005	A1
20050288939	Peled et al.	Dec 2005	A1
20060012815	Ebner et al.	Jan 2006	A1
20060037076	Roy	Feb 2006	A1
20060195575	Delany et al.	Aug 2006	A1
20060253447	Judge	Nov 2006	A1
20070143852	Keanini	Jun 2007	A1
20070192867	Miliefsky	Aug 2007	A1
20070226248	Darr	Sep 2007	A1
20070226807	Ginter et al.	Sep 2007	A1
20070294756	Fetik	Dec 2007	A1
20080077593	Abrams et al.	Mar 2008	A1
20080219334	Brainos et al.	Sep 2008	A1
20080255997	Bluhm et al.	Oct 2008	A1
20080262991	Kapoor et al.	Oct 2008	A1
20080301798	Hao	Dec 2008	A1
20080320000	Gaddam	Dec 2008	A1
20090038015	Diamant	Feb 2009	A1
20090198682	Buehler et al.	Aug 2009	A1
20100083374	Schmitlin et al.	Apr 2010	A1
20100125913	Davenport et al.	May 2010	A1
20100251329	Wei et al.	Sep 2010	A1
20110004771	Matsushima et al.	Jan 2011	A1
20110179492	Markopoulou et al.	Jul 2011	A1
20110197056	Chen	Aug 2011	A1
20110276604	Hom et al.	Nov 2011	A1
20110276716	Coulson et al.	Nov 2011	A1
20120072983	McCusker et al.	Mar 2012	A1
20120117640	Ramsey et al.	May 2012	A1
20120151594	McClure et al.	Jun 2012	A1
20120185275	Loghmani	Jul 2012	A1
20120246730	Raad	Sep 2012	A1
20120254333	Chandramouli et al.	Oct 2012	A1
20120260341	Chan et al.	Oct 2012	A1
20130074188	Giakouminakis et al.	Mar 2013	A1
20130104191	Peled et al.	Apr 2013	A1
20130138428	Chandramouli et al.	May 2013	A1
20130173620	Takenouchi	Jul 2013	A1
20130226938	Risher et al.	Aug 2013	A1
20130238319	Minegishi et al.	Sep 2013	A1
20130282746	Balko et al.	Oct 2013	A1
20130291103	Davenport et al.	Oct 2013	A1
20130318604	Coates et al.	Nov 2013	A1
20140041028	Ramsey et al.	Feb 2014	A1
20140047544	Jakobsson	Feb 2014	A1
20140051432	Gupta et al.	Feb 2014	A1
20140143863	Deb et al.	May 2014	A1
20140165195	Brdiczka et al.	Jun 2014	A1
20140181981	Christodorescu	Jun 2014	A1
20140215629	Raz et al.	Jul 2014	A1
20140223555	Sanz Hernando et al.	Jul 2014	A1
20140222712	Samaha et al.	Aug 2014	A1
20140283081	Sheridan	Sep 2014	A1
20140283083	Gula	Sep 2014	A1
20140331207	Sridharan	Nov 2014	A1
20140373151	Webb et al.	Dec 2014	A1
20150019323	Goldberg et al.	Jan 2015	A1
20150040225	Coates et al.	Feb 2015	A1
20150074390	Stoback et al.	Mar 2015	A1
20150135287	Medeiros et al.	May 2015	A1
20150135320	Coskun	May 2015	A1
20150156212	Khatri et al.	Jun 2015	A1
20150186618	Poorvin et al.	Jul 2015	A1
20150222652	Ramsey et al.	Aug 2015	A1
20150271047	McLean	Sep 2015	A1
20150310211	Mei et al.	Oct 2015	A1
20150324457	McLean	Nov 2015	A1
20150332054	Eck	Nov 2015	A1
20150365437	Bell, Jr.	Dec 2015	A1
20160006749	Cohen et al.	Jan 2016	A1
20160014140	Akireddy et al.	Jan 2016	A1
20160014151	Prakash	Jan 2016	A1
20160078365	Baumard	Mar 2016	A1
20160099963	Mahaffey et al.	Apr 2016	A1
20160112445	Abramowitz	Apr 2016	A1
20160134653	Vallone	May 2016	A1
20160139886	Perdriau et al.	May 2016	A1
20160156655	Lotem et al.	Jun 2016	A1
20160162690	Reith	Jun 2016	A1
20160182546	Coates et al.	Jun 2016	A1
20160205127	Roehl	Jul 2016	A1
20160241591	Ramsey et al.	Aug 2016	A1
20160248789	Nakamatsu	Aug 2016	A1
20160253497	Christodorescu	Sep 2016	A1
20160277423	Apostolescu et al.	Sep 2016	A1
20160313709	Biesdorf et al.	Oct 2016	A1
20160337400	Gupta	Nov 2016	A1
20160342805	Lim	Nov 2016	A1
20160378978	Singla et al.	Dec 2016	A1
20170026343	Wardman	Jan 2017	A1
20170026391	Abu-Nimeh	Jan 2017	A1
20170063893	Franc et al.	Mar 2017	A1
20170063905	Muddu et al.	Mar 2017	A1
20170093902	Roundy et al.	Mar 2017	A1
20170098087	Li	Apr 2017	A1
20170111379	Khatri et al.	Apr 2017	A1
20170140295	Bandara	May 2017	A1
20170142149	Coates et al.	May 2017	A1
20170169154	Lin et al.	Jun 2017	A1
20170171228	McLean	Jun 2017	A1
20170180418	Shen et al.	Jun 2017	A1
20170201381	Kinder et al.	Jul 2017	A1
20170201431	Kinder et al.	Jul 2017	A1
20170201490	Kinder et al.	Jul 2017	A1
20170201548	Kinder et al.	Jul 2017	A1
20170208084	Steelman et al.	Jul 2017	A1
20170208085	Steelman et al.	Jul 2017	A1
20170243004	Kinder et al.	Aug 2017	A1
20170243005	Kinder et al.	Aug 2017	A1
20170243009	Sejpal	Aug 2017	A1
20170244734	Kinder et al.	Aug 2017	A1
20170244750	Kinder et al.	Aug 2017	A1
20170244754	Kinder et al.	Aug 2017	A1
20170244762	Kinder et al.	Aug 2017	A1
20170318033	Holland et al.	Nov 2017	A1
20170318034	Holland et al.	Nov 2017	A1
20170346839	Peppe	Nov 2017	A1
20170359368	Hodgman et al.	Dec 2017	A1
20180004948	Martin	Jan 2018	A1
20180069885	Patterson	Mar 2018	A1
20180077189	Doppke et al.	Mar 2018	A1
20180077195	Gathala	Mar 2018	A1
20180089574	Goto	Mar 2018	A1
20180091306	Antonopoulos et al.	Mar 2018	A1
20180096140	Bulygin	Apr 2018	A1
20180103010	Diaz Cuellar et al.	Apr 2018	A1
20180124073	Scherman et al.	May 2018	A1
20180124085	Frayman et al.	May 2018	A1
20180124094	Hamdi	May 2018	A1
20180129811	Diu	May 2018	A1
20180152480	Kinder et al.	May 2018	A1
20180181599	Crabtree et al.	Jun 2018	A1
20180219899	Joy	Aug 2018	A1
20180234434	Viljoen	Aug 2018	A1
20180288198	Pope et al.	Oct 2018	A1
20180324203	Estes	Nov 2018	A1
20180367550	Musuvathi et al.	Dec 2018	A1
20190014149	Cleveland et al.	Jan 2019	A1
20190037406	Wash	Jan 2019	A1
20190050554	Fiske	Feb 2019	A1
20190068630	Valecha et al.	Feb 2019	A1
20190095320	Biswas et al.	Mar 2019	A1
20190095801	Saillet et al.	Mar 2019	A1
20190102554	Luo et al.	Apr 2019	A1
20190102564	Li	Apr 2019	A1
20190102646	Redmon et al.	Apr 2019	A1
20190104154	Kumar et al.	Apr 2019	A1
20190109717	Reddy et al.	Apr 2019	A1
20190122258	Bramberger et al.	Apr 2019	A1
20190132344	Lem et al.	May 2019	A1
20190166149	Gerrick	May 2019	A1
20190166152	Steele	May 2019	A1
20190173919	Irimie et al.	Jun 2019	A1
20190242718	Siskind et al.	Aug 2019	A1
20190258807	DiMaggio et al.	Aug 2019	A1
20190297096	Ahmed et al.	Sep 2019	A1
20190342296	Anandam et al.	Nov 2019	A1
20190347423	Sanossian	Nov 2019	A1
20190347433	Chakravorty et al.	Nov 2019	A1
20200012796	Trepagnieer	Jan 2020	A1
20200036750	Bahnsen et al.	Jan 2020	A1
20200036751	Kohavi	Jan 2020	A1
20200057857	Roytman	Feb 2020	A1
20200074084	Dorrans	Mar 2020	A1
20200082080	Boulton	Mar 2020	A1
20200097662	Hufsmith	Mar 2020	A1
20200097663	Sato	Mar 2020	A1
20200110873	Rosendahl	Apr 2020	A1
20200120126	Ocepek	Apr 2020	A1
20200177618	Hassanzadeh	Jun 2020	A1
20200186544	Dichiu et al.	Jun 2020	A1
20200186569	Milazzo	Jun 2020	A1
20200195683	Kuppa et al.	Jun 2020	A1
20200210590	Doyle	Jul 2020	A1
20200213346	Shafet	Jul 2020	A1
20200257792	Rivard	Aug 2020	A1
20200259791	Garcia et al.	Aug 2020	A1
20200274894	Argoeti et al.	Aug 2020	A1
20200285737	Kraus et al.	Sep 2020	A1
20200285952	Liu et al.	Sep 2020	A1
20200314122	Jones et al.	Oct 2020	A1
20200327237	Shakarian	Oct 2020	A1
20200336497	Seul et al.	Oct 2020	A1
20200351285	Eisenkot et al.	Nov 2020	A1
20200351302	Kyle et al.	Nov 2020	A1
20200351307	Vidas et al.	Nov 2020	A1
20200356665	Denney et al.	Nov 2020	A1
20200358795	Urbanski et al.	Nov 2020	A1
20200364338	Ducau et al.	Nov 2020	A1
20200372129	Gupta	Nov 2020	A1
20200372154	Bacher	Nov 2020	A1
20200380119	Correa Bahnsen et al.	Dec 2020	A1
20200394309	Angelo et al.	Dec 2020	A1
20210006575	McLean et al.	Jan 2021	A1
20210012012	Soroush	Jan 2021	A1
20210034752	Canada	Feb 2021	A1
20210034753	Canada	Feb 2021	A1
20210034895	Archibald	Feb 2021	A1
20210037055	Dumont	Feb 2021	A1
20210067562	Kinder et al.	Mar 2021	A1
20210103663	Gadhe	Apr 2021	A1
20210109797	Zhou	Apr 2021	A1
20210112087	Tassoumt	Apr 2021	A1
20210112090	Rivera et al.	Apr 2021	A1
20210133320	Havenga	May 2021	A1
20210157926	Handurukande	May 2021	A1
20210157945	Cobb	May 2021	A1
20210160273	Choi	May 2021	A1
20210173930	Dahal	Jun 2021	A1
20210185057	McLean	Jun 2021	A1
20210192057	Helfman	Jun 2021	A1
20210194853	Xiao	Jun 2021	A1
20210216928	O'Toole	Jul 2021	A1
20210226926	Crabtree	Jul 2021	A1
20210226970	Ross et al.	Jul 2021	A1
20210256113	Stott	Aug 2021	A1
20210258327	Felke et al.	Aug 2021	A1
20210273957	Boyer	Sep 2021	A1
20210281609	Crabtree	Sep 2021	A1
20210306372	Koral	Sep 2021	A1
20210312058	Chiarelli	Oct 2021	A1
20210312351	Pourmohammad	Oct 2021	A1
20210360007	Paquin	Nov 2021	A1
20210390181	McClay	Dec 2021	A1
20220004643	Sloane	Jan 2022	A1
20220014542	Janakiraman	Jan 2022	A1
20220021691	Bhatkar	Jan 2022	A1
20220038424	Liu et al.	Feb 2022	A1
20220043911	Pomerantsev	Feb 2022	A1
20220070182	Bowditch et al.	Mar 2022	A1
20220070193	Konda et al.	Mar 2022	A1
20220078203	Shakarian	Mar 2022	A1
20220083644	Kulshreshtha	Mar 2022	A1
20220100868	Tarrant	Mar 2022	A1
20220101326	Kim	Mar 2022	A1
20220159033	Mizrahi	May 2022	A1
20220174077	Sel	Jun 2022	A1
20220179908	Wei	Jun 2022	A1
20220191230	Morgan	Jun 2022	A1
20220206819	Pokam	Jun 2022	A1
20220210656	Shaw	Jun 2022	A1
20220237764	Mullet	Jul 2022	A1
20220263850	Colyandro, Jr.	Aug 2022	A1
20220394034	Keith	Dec 2022	A1
20220400135	Gamra	Dec 2022	A1
20220407891	Albanese	Dec 2022	A1
20220414206	Hinkle	Dec 2022	A1
20230038196	Labreche	Feb 2023	A1
20230105087	Borges	Apr 2023	A1
20230370486	Paquette et al.	Nov 2023	A1

Foreign Referenced Citations (6)

Number	Date	Country
3599753	Jan 2020	EP
2738344	Dec 2020	RU
WO2007002749	Jan 2007	WO
WO2007090605	Aug 2007	WO
WO2010059843	May 2010	WO
WO2021067238	Apr 2021	WO

Non-Patent Literature Citations (10)

Entry
Buyukkayhan, Ahmet Sali; Oprea, Alina; Li, Zhou; and Robertson, William; “Lens on the endpoint; Hunting for malicious software through endpoint data analysis”; International Symposium on Research in Attacks, Intrusions, and Defenses; RAID 2017: Research in Attacks, Intrusions, and Defenses Proceedings; pp. 73-79; Sep. 18-20, 2017; Atlanta, GA, USA.
Secureworks—Log Management—Protect your infrastructure from known and emerging threats; www.secureworks.com/resources/ds-log-management; 2015 (available).
Sofya Raskhodnikova & Adam Smith; CSE 598A Algorithmic Challenges in Data Privacy; Lecture 2; Jan. 19, 2010.
Afroz, S. and Greenstadt, R. “PhishZoo: Detecting Phishing Websites by Looking at Them”; IEEE Fifth International Conference on Semantic Computing, 2011; pp. 368-375; doi: 10.1109/ICSC.2011.52; 2011.
Alkhawlani, Mohammed, Elmogy, Mohammed and Elbakry, Hazem; “Content-based image retrieval using local features descriptors and bag-of-visual words”; International Journal of Advanced Computer Science and Applications, vol. 6 No. 9 2015; pp. 212-219; 2015.
Buber, E., Demir, O. and Sahingoz, O.K .; “Feature selections for the machine learning based detection of phishing websites”; 2017 International Artificial Intelligence and Data Processing Symposium (IDAP), 2017; pp. 1-5; doi: 10.1109/DAP.2017.8090317; 2017.
Lin, Tsung-Yi, et al.; “Microsoft coco: Common objects in context”; European Conference on Computer Vision, Springer, Cham, 2014; 2014.
Liu, Y., Wang, Q., Zhuang, M. and Zhu, Y .; Reengineering Legacy Systems with RESTFul Web Service; 2008 32nd Annual IEEE International Computer Software and Applications Conference, 2008; pp. 785-790; doi: 10.1109/COMPSAC.2008.89; 2008.
White, Joshua S., Matthews, Jeanna N., and Stacy, John L .; A method for the automated detection phishing websites through both site characteristics and image analysis Cyber Sensing 2012; vol. 8408; International Society for Optics and Photonics, 2012; 2012.
URLVOID; URLVoid.com; retrieved from archives.org: https: web.archive.org/web/20180730215132/https.://www.urlvoid.com/); Published Jul. 30, 2018.

Related Publications (1)

	Number	Date	Country
	20230421578 A1	Dec 2023	US

Systems and methods for consensus driven threat intelligence

Information

Patent Number

Date Filed

Date Issued

Inventors

Original Assignees

Examiners

Agents

CPC

Field of Search

US

International Classifications