Detecting and predicting cyber-attack phases in adjacent data processing environment regions
First Claim
1. A method comprising:
- selecting, from a repository, a set of collections of forecasted feature vectors for a future time window after a present time, a cyber-attack being in progress in a data processing environment at the present time, a collection in the set having feature vectors that are indicative of an event related to the cyber-attack in a region of the environment at a discrete time;
- selecting, from the repository, a second set of collections of feature vectors where the feature vectors in a collection in the second set of collections are indicative of a second event in a second region of the environment;
- inputting the set of collections at a first input in a Long Short-Term Memory (LSTM) network;
- inputting the second set of collections at a second input in the LSTM network;
- classifying the events corresponding to the collections in the set of collections into a class of cyber-attack;
- determining, from a mapping between a set of phases of the cyber-attack and a set of classes, a phase that corresponds to the class; and
- predicting the determined phase as likely to occur during the future time window in the region.
2 Assignments
0 Petitions
Abstract
A set and a second set of collections of forecasted feature vectors are selected from a repository for a future time window, a cyber-attack being in progress in a data processing environment at the present time, a collection in the set and a collection in the second set indicating an event related to the cyber-attack in a first region and a second event in a second region, respectively, of the environment at a discrete time. The set of collections is input at a first input and the second set of collections is input at a second input in the LSTM. The events corresponding to the collections are classified into a class of cyber-attack. From a mapping between a set of phases of the cyber-attack and a set of classes, a phase that corresponds to the class is predicted as likely to occur during the future time window in the region.
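The data flow in the abstract, as an added sketch that is not code from the patent: two sets of collections go through an LSTM forward pass, the final state is classified, and the class is mapped to a phase. Assumptions: the class, phase and feature names, averaging a collection into one vector per discrete time, concatenating the two inputs at each step, and hand-set weights standing in for a trained model.

```python
import math

# Assumed class-to-phase mapping; the page names neither the classes nor the phases.
CLASS_TO_PHASE = {0: "reconnaissance", 1: "lateral movement", 2: "exfiltration"}
N = 3  # features per vector and hidden units (one per class), kept small on purpose

def sigmoid(v):
    return 1.0 / (1.0 + math.exp(-v))

def hand_set_weights():
    # Stand-in for trained weights: gates held open, candidate row k reads
    # feature k of the region (1.0) and of the adjacent region (1.5).
    zero = [[0.0] * (3 * N) for _ in range(N)]
    w_g = [[1.0 if j == k else 1.5 if j == N + k else 0.0
            for j in range(3 * N)] for k in range(N)]
    return {"i": (zero, 4.0), "f": (zero, 4.0), "o": (zero, 4.0), "g": (w_g, 0.0)}

def lstm_step(x, h, c, w):
    # x is the first input concatenated with the second input for one time step.
    z = x + h
    def gate(name, act):
        rows, bias = w[name]
        return [act(sum(a * b for a, b in zip(row, z)) + bias) for row in rows]
    i, f, o = gate("i", sigmoid), gate("f", sigmoid), gate("o", sigmoid)
    g = gate("g", math.tanh)
    c = [fk * ck + ik * gk for fk, ck, ik, gk in zip(f, c, i, g)]
    h = [ok * math.tanh(ck) for ok, ck in zip(o, c)]
    return h, c

def pool(collection):
    # Assumption: the feature vectors of one collection are averaged per time step.
    return [sum(col) / len(collection) for col in zip(*collection)]

def predict_phase(region_set, adjacent_set, w):
    h, c = [0.0] * N, [0.0] * N
    for coll, coll2 in zip(region_set, adjacent_set):
        h, c = lstm_step(pool(coll) + pool(coll2), h, c, w)
    cls = max(range(N), key=lambda k: h[k])   # class of cyber-attack
    return cls, CLASS_TO_PHASE[cls]           # phase predicted for the future window

# Constructed forecasts for three discrete times in the future window; features are
# [scan rate, authentication failures, outbound volume], each scaled to 0..1.
REGION = [[[0.2, 0.1, 0.0], [0.3, 0.1, 0.0]], [[0.1, 0.3, 0.0]], [[0.1, 0.4, 0.1]]]
ADJACENT = [[[0.1, 0.6, 0.0]], [[0.0, 0.8, 0.1]], [[0.0, 0.9, 0.2]]]

if __name__ == "__main__":
    print(predict_phase(REGION, ADJACENT, hand_set_weights()))
```

With the constructed data the adjacent region's rising authentication failures dominate, so the region's predicted phase follows the adjacent region's activity rather than its own quieter forecast.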
12 Citations
18 Claims
1. A method comprising:
- selecting, from a repository, a set of collections of forecasted feature vectors for a future time window after a present time, a cyber-attack being in progress in a data processing environment at the present time, a collection in the set having feature vectors that are indicative of an event related to the cyber-attack in a region of the environment at a discrete time;
- selecting, from the repository, a second set of collections of feature vectors where the feature vectors in a collection in the second set of collections are indicative of a second event in a second region of the environment;
- inputting the set of collections at a first input in a Long Short-Term Memory (LSTM) network;
- inputting the second set of collections at a second input in the LSTM network;
- classifying the events corresponding to the collections in the set of collections into a class of cyber-attack;
- determining, from a mapping between a set of phases of the cyber-attack and a set of classes, a phase that corresponds to the class; and
- predicting the determined phase as likely to occur during the future time window in the region.
View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
12. A computer program product comprising one or more computer-readable storage devices, and program instructions stored on at least one of the one or more storage devices, the stored program instructions comprising:
- program instructions to select, from a repository, a set of collections of forecasted feature vectors for a future time window after a present time, a cyber-attack being in progress in a data processing environment at the present time, a collection in the set having feature vectors that are indicative of an event related to the cyber-attack in a region of the environment at a discrete time;
- program instructions to select, from the repository, a second set of collections of feature vectors where the feature vectors in a collection in the second set of collections are indicative of a second event in a second region of the environment;
- program instructions to input the set of collections at a first input in a Long Short-Term Memory (LSTM) network;
- program instructions to input the second set of collections at a second input in the LSTM network;
- program instructions to classify the events corresponding to the collections in the set of collections into a class of cyber-attack;
- program instructions to determine, from a mapping between a set of phases of the cyber-attack and a set of classes, a phase that corresponds to the class; and
- program instructions to predict the determined phase as likely to occur during the future time window in the region.
View Dependent Claims (13, 14, 15, 16, 17)
18. A computer system comprising one or more processors, one or more computer-readable memories, and one or more computer-readable storage devices, and program instructions stored on at least one of the one or more storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, the stored program instructions comprising:
- program instructions to select, from a repository, a set of collections of forecasted feature vectors for a future time window after a present time, a cyber-attack being in progress in a data processing environment at the present time, a collection in the set having feature vectors that are indicative of an event related to the cyber-attack in a region of the environment at a discrete time;
- program instructions to select, from the repository, a second set of collections of feature vectors where the feature vectors in a collection in the second set of collections are indicative of a second event in a second region of the environment;
- program instructions to input the set of collections at a first input in a Long Short-Term Memory (LSTM) network;
- program instructions to input the second set of collections at a second input in the LSTM network;
- program instructions to classify the events corresponding to the collections in the set of collections into a class of cyber-attack;
- program instructions to determine, from a mapping between a set of phases of the cyber-attack and a set of classes, a phase that corresponds to the class; and
- program instructions to predict the determined phase as likely to occur during the future time window in the region.
Specification