US 12,170,684 B2
Systems and methods for predicting the likelihood of cyber-threats leveraging intelligence associated with hacker communities
Mohammed Almukaynizi, Tempe, AZ (US); Ericsson Marin, Tempe, AZ (US); Paulo Shakarian, Tempe, AZ (US); Gerardo Simari, Bahia Blanca (AR); and Eric Nunes, Tempe, AZ (US)
Assigned to Arizona Board of Regents on Behalf of Arizona State University, Tempe, AZ (US)
Filed by Mohammed Almukaynizi, Tempe, AZ (US); Ericsson Marin, Tempe, AZ (US); Paulo Shakarian, Tempe, AZ (US); Gerardo Simari, Bahia Blanca (AR); and Eric Nunes, Tempe, AZ (US)
Filed on Jul. 25, 2019, as Appl. No. 16/522,001.
Claims priority of provisional application 62/703,110, filed on Jul. 25, 2018.
Prior Publication US 2020/0036743 A1, Jan. 30, 2020
Int. Cl. H04L 9/40 (2022.01); G06N 5/025 (2023.01)
CPC H04L 63/1433 (2013.01) [G06N 5/025 (2013.01); H04L 63/302 (2013.01)] 8 Claims
1. A method of predicting likelihood of exploitation for cyber threats before they occur, the method comprising:
providing a processor in communication with a tangible storage medium;
storing instructions that are executed by the processor to perform operations comprising:
accessing a first dataset defining communications from forums and marketplaces associated with a hacker community;
deriving a plurality of temporal rules by correlating a plurality of indicators generated from the first dataset and ground truth information associated with known cyberattacks by:
filtering out data that is not related to cybersecurity;
retaining data that is related to cybersecurity;
recognizing entities from the context of postings and assigning a confidence score;
using the confidence score and potential impact of concept drift to filter for relevant entities; and
using machine learning to derive the temporal rules;
the plurality of indicators including mappings between a vulnerability and a platform known to be susceptible to the vulnerability; and
predicting a cyber threat, including:
identifying an indicator of the plurality of indicators from a second dataset, the second dataset defining additional communications from the hacker community and the indicator being a precondition to a corresponding rule of the plurality of temporal rules, and applying information associated with the indicator to the corresponding rule of the plurality of temporal rules to output at least one prediction of a future attack associated with the cyber threat.
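The claim describes a pipeline only at the level of steps: indicators (vulnerability-to-platform mappings) are correlated with ground-truth attacks to derive temporal rules, and a rule fires when its precondition indicator is seen in new hacker-community data. The following Python is an added illustration of that rule-derivation and prediction loop; it is not code from the patent or its inventors. The rule form (an indicator posting followed by an attack on the susceptible platform within a fixed window), the support/confidence thresholds, and all postings and attack records are constructed assumptions, and the entity-recognition and concept-drift filtering steps are not modelled.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (assumption, not from the patent).
# Indicator = (posting date, vulnerability, platform known to be susceptible).
POSTINGS = [
    (date(2018, 1, 3), "VULN-A", "platform-X"),
    (date(2018, 2, 10), "VULN-A", "platform-X"),
    (date(2018, 3, 1), "VULN-B", "platform-Y"),
    (date(2018, 4, 5), "VULN-A", "platform-X"),
]
# Ground truth: (attack date, platform attacked).
ATTACKS = [
    (date(2018, 1, 10), "platform-X"),
    (date(2018, 2, 20), "platform-X"),
    (date(2018, 4, 30), "platform-Y"),
]
# Second dataset: later postings the derived rules are applied to.
NEW_POSTINGS = [
    (date(2019, 1, 1), "VULN-A", "platform-X"),
    (date(2019, 1, 1), "VULN-B", "platform-Y"),
]

def derive_rules(postings, attacks, window_days=14, min_support=2, min_conf=0.6):
    """Derive temporal rules of the assumed form
    'indicator (vuln, platform) -> attack on platform within window_days'.
    support = number of postings carrying the indicator;
    confidence = fraction of those postings followed by a matching attack."""
    counts = defaultdict(lambda: [0, 0])  # indicator -> [support, hits]
    for posted, vuln, platform in postings:
        key = (vuln, platform)
        counts[key][0] += 1
        followed = any(p == platform and posted < d <= posted + timedelta(days=window_days)
                       for d, p in attacks)
        counts[key][1] += int(followed)
    rules = {}
    for key, (support, hits) in counts.items():
        conf = hits / support
        if support >= min_support and conf >= min_conf:
            rules[key] = (window_days, conf)
    return rules

def predict(rules, new_postings):
    """Fire every rule whose precondition indicator appears in the new data.
    Returns (platform, predicted-by date, rule confidence) per prediction."""
    preds = []
    for posted, vuln, platform in new_postings:
        if (vuln, platform) in rules:
            window, conf = rules[(vuln, platform)]
            preds.append((platform, posted + timedelta(days=window), conf))
    return preds
```

With the constructed data, only the VULN-A/platform-X indicator reaches the support and confidence thresholds, so the VULN-B posting in the second dataset produces no prediction.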