Detecting and predicting cyber-attack phases in adjacent data processing environment regions

US 10,015,189 B2
Filed: 02/09/2016
Issued: 07/03/2018
Est. Priority Date: 02/09/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

selecting, from a repository, a set of collections of forecasted feature vectors for a future time window after a present time, a cyber-attack being in progress in a data processing environment at the present time, a collection in the set having feature vectors that are indicative of an event related to the cyber-attack in a region of the environment at a discrete time;

selecting, from the repository, a second set of collections of feature vectors where the feature vectors in a collection in the second set of collections are indicative of a second event in a second region of the environment;

inputting the set of collections at a first input in a Long Short-Term Memory (LSTM) network;

inputting the second set of collections at a second input in the LSTM network;

classifying the events corresponding to the collections in the set of collections into a class of cyber-attack;

determining, from a mapping between a set of phases of the cyber-attack and a set of classes, a phase that corresponds to the class; and

predicting the determined phase as likely to occur during the future time window in the region.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A set and a second set of collections of forecasted feature vectors are selected from a repository for a future time window, a cyber-attack being in progress in a data processing environment at the present time, a collection in the set and a collection in the second set indicating an event related to the cyber-attack in a first region and a second event in a second region, respectively, of the environment at a discrete time. The set of collections is input at a first input and the second set of collections is input at a second input in the LSTM. The events corresponding to the collections are classified into a class of cyber-attack. From a mapping between a set of phases of the cyber-attack and a set of classes, a phase that corresponds to the class is predicted as likely to occur during the future time window in the region.

12 Citations

18 Claims

1. A method comprising:
- selecting, from a repository, a set of collections of forecasted feature vectors for a future time window after a present time, a cyber-attack being in progress in a data processing environment at the present time, a collection in the set having feature vectors that are indicative of an event related to the cyber-attack in a region of the environment at a discrete time;
  
  selecting, from the repository, a second set of collections of feature vectors where the feature vectors in a collection in the second set of collections are indicative of a second event in a second region of the environment;
  
  inputting the set of collections at a first input in a Long Short-Term Memory (LSTM) network;
  
  inputting the second set of collections at a second input in the LSTM network;
  
  classifying the events corresponding to the collections in the set of collections into a class of cyber-attack;
  
  determining, from a mapping between a set of phases of the cyber-attack and a set of classes, a phase that corresponds to the class; and
  
  predicting the determined phase as likely to occur during the future time window in the region.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the second event has actually occurred in the second region at a second discrete time.
  - 3. The method of claim 1, wherein the second event is forecasted to occur in the second region at a second discrete time.
  - 4. The method of claim 1, wherein the second event occurs in the second region at the discrete time.
  - 5. The method of claim 1, further comprising:
    - selecting, from the repository, a past set of collections of actual feature vectors for a past time window before the present time, a cyber-attack being in progress in a data processing environment during the past time window, a collection in the past set having feature vectors that are indicative of a past event related to the cyber-attack in the region of the environment a past discrete time;
      
      classifying the events corresponding to the collections in the past set into a past class of cyber-attack;
      
      determining, from the mapping, a past phase that corresponds to the past class; and
      
      outputting the determined past phase as having occurred during the past time window in the region.
  - 6. The method of claim 5, wherein the classifying into the past class occurs after the classifying into the future class.
  - 7. The method of claim 1, wherein in the mapping, a plurality of classes in the set of classes map to a single phase in the set of phases.
  - 8. The method of claim 1, further comprising:
    - determining the class such that the class applies to the time window beyond a threshold amount of fit.
  - 9. The method of claim 8, wherein the threshold amount of fit is a threshold value of an output of the LSTM network.
  - 10. The method of claim 1, wherein each collection in the set of collection indicates an event at a different discrete time in the future time window.
  - 11. The method of claim 1, wherein the second event alters the event.

12. A computer program product comprising one or more computer-readable storage devices, and program instructions stored on at least one of the one or more storage devices, the stored program instructions comprising:
- program instructions to select, from a repository, a set of collections of forecasted feature vectors for a future time window after a present time, a cyber-attack being in progress in a data processing environment at the present time, a collection in the set having feature vectors that are indicative of an event related to the cyber-attack in a region of the environment at a discrete time;
  
  program instructions to select, from the repository, a second set of collections of feature vectors where the feature vectors in a collection in the second set of collections are indicative of a second event in a second region of the environment;
  
  program instructions to input the set of collections at a first input in a Long Short-Term Memory (LSTM) network;
  
  program instructions to input the second set of collections at a second input in the LSTM network;
  
  program instructions to classify the events corresponding to the collections in the set of collections into a class of cyber-attack;
  
  program instructions to determine, from a mapping between a set of phases of the cyber-attack and a set of classes, a phase that corresponds to the class; and
  
  program instructions to predict the determined phase as likely to occur during the future time window in the region.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computer program product of claim 12, wherein the second event has actually occurred in the second region at a second discrete time.
  - 14. The computer program product of claim 12, wherein the second event is forecasted to occur in the second region at a second discrete time.
  - 15. The computer program product of claim 12, wherein the second event occurs in the second region at the discrete time.
  - 16. The computer program product of claim 12, further comprising:
    - program instructions to select, from the repository, a past set of collections of actual feature vectors for a past time window before the present time, a cyber-attack being in progress in a data processing environment during the past time window, a collection in the past set having feature vectors that are indicative of a past event related to the cyber-attack in the region of the environment a past discrete time;
      
      program instructions to classify the events corresponding to the collections in the past set into a past class of cyber-attack;
      
      program instructions to determine, from the mapping, a past phase that corresponds to the past class; and
      
      program instructions to output the determined past phase as having occurred during the past time window in the region.
  - 17. The computer program product of claim 16, wherein the program instructions to classify into the past class are configured to execute after the program instructions to classify into the future class.

18. A computer system comprising one or more processors, one or more computer-readable memories, and one or more computer-readable storage devices, and program instructions stored on at least one of the one or more storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, the stored program instructions comprising:
- program instructions to select, from a repository, a set of collections of forecasted feature vectors for a future time window after a present time, a cyber-attack being in progress in a data processing environment at the present time, a collection in the set having feature vectors that are indicative of an event related to the cyber-attack in a region of the environment at a discrete time;
  
  program instructions to select, from the repository, a second set of collections of feature vectors where the feature vectors in a collection in the second set of collections are indicative of a second event in a second region of the environment;
  
  program instructions to input the set of collections at a first input in a Long Short-Term Memory (LSTM) network;
  
  program instructions to input the second set of collections at a second input in the LSTM network;
  
  program instructions to classify the events corresponding to the collections in the set of collections into a class of cyber-attack;
  
  program instructions to determine, from a mapping between a set of phases of the cyber-attack and a set of classes, a phase that corresponds to the class; and
  
  program instructions to predict the determined phase as likely to occur during the future time window in the region.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Ahmed, Mohamed N., Baughman, Aaron K., McCrory, Nicholas A., Toor, Andeep S., Welcks, Michelle
Primary Examiner(s)
Bechtel, Kevin

Application Number

US15/019,352
Publication Number

US 20170230409A1
Time in Patent Office

875 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/22   Indexing; Data structures t...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Detecting and predicting cyber-attack phases in adjacent data processing environment regions

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting and predicting cyber-attack phases in adjacent data processing environment regions

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links