Copula optimization method and apparatus for identifying and detecting threats to an enterprise or e-commerce system and other applications

US 10,044,762 B2
Filed: 06/02/2017
Issued: 08/07/2018
Est. Priority Date: 11/04/2014
Status: Active Grant

First Claim

Patent Images

1. A method for identifying and detecting threats to an enterprise or e-commerce system, the method comprising:

grouping log lines belonging to one or more log line parameters from one or more enterprise or e-commerce system data sources and/or from incoming data traffic to the enterprise or e-commerce system;

extracting one or more features from the grouped log lines into one or more features tables;

using one or more statistical models on the one or more features tables to identify statistical outliers; and

for a Copula statistical model, estimating the marginal probability distribution of a feature using a nonparametric kernel density determination using a Gaussian kernel estimation step, said Gaussian kernel estimation step comprising the step of setting a bandwidth of said Gaussian kernel, and further setting said bandwidth using a Scott'"'"'s rule of thumb bandwidth setting process.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatuses employing copula optimization in building multivariate statistical models for identifying and detecting threats to an enterprise or e-commerce system are disclosed, including grouping log lines belonging to one or more log line parameters from one or more enterprise or e-commerce system data sources and/or from incoming data traffic to the enterprise or e-commerce system; extracting one or more features from the grouped log lines into one or more features tables; using one or more statistical models on the one or more features tables to identify statistical outliers and using the one or more rules on incoming enterprise or e-commerce system data traffic to detect threats to the enterprise or e-commerce system. Other embodiments are described and claimed.

5 Citations

15 Claims

1. A method for identifying and detecting threats to an enterprise or e-commerce system, the method comprising:
- grouping log lines belonging to one or more log line parameters from one or more enterprise or e-commerce system data sources and/or from incoming data traffic to the enterprise or e-commerce system;
  
  extracting one or more features from the grouped log lines into one or more features tables;
  
  using one or more statistical models on the one or more features tables to identify statistical outliers; and
  
  for a Copula statistical model, estimating the marginal probability distribution of a feature using a nonparametric kernel density determination using a Gaussian kernel estimation step, said Gaussian kernel estimation step comprising the step of setting a bandwidth of said Gaussian kernel, and further setting said bandwidth using a Scott'"'"'s rule of thumb bandwidth setting process.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising the step of applying a transformation module to at least a subset of said features for generating non-ordinal variables, in the event that said feature generator produces a plurality of discrete ordinal variables.
  - 3. The method of claim 2, further comprising the step of adding Gaussian noise to said discrete ordinal variables for producing an essentially continuous valued feature, said essentially continuous valued feature exhibiting an essentially uniform cumulative distribution function.
  - 4. The method of claim 3, wherein the step of adding said Gaussian noise comprises determining a customized noise value by adding the individual value of a feature and a second value, wherein the second value is based on a variance of a Gaussian distribution for adding said noise, wherein said variance of said Gaussian distribution is determined by dividing a “
    - signal power value”
      
      by a desired “
      
      signal-to-power ratio”
      
      value.
  - 5. The method of claim 4, further comprising the step of separately estimating said “
    - signal power value”
      
      for each feature to yield a customized noise value.

6. A system for identifying and detecting threats to an enterprise or e-commerce system, comprising:
- a processor memory for storing instructions for identifying and detecting threats to an enterprise or e-commerce system;
  
  a computer processor for executing said instructions for identifying and detecting threats to an enterprise or e-commerce system, said instructions comprising;
  
  instructions for grouping log lines belonging to one or more log line parameters from one or more enterprise or e-commerce system data sources and/or from incoming data traffic to the enterprise or e-commerce system;
  
  instructions for extracting one or more features from the grouped log lines into one or more features tables;
  
  instructions for using one or more statistical models on the one or more features tables to identify statistical outliers; and
  
  instructions for applying a Copula statistical model for estimating the marginal probability distribution of a feature using a nonparametric kernel density determination using a Gaussian kernel estimation step, said Gaussian kernel estimation step comprising the step of setting a bandwidth of said Gaussian kernel, and further setting said bandwidth using a Scott'"'"'s rule of thumb bandwidth setting process.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6, further comprising instructions for applying a transformation module to at least a subset of said features for generating non-ordinal variables, in the event that said feature generator produces a plurality of discrete ordinal variables.
  - 8. The system of claim 7, further comprising instructions for adding Gaussian noise to said discrete ordinal variables for producing an essentially continuous valued feature, said essentially continuous valued feature exhibiting an essentially uniform cumulative distribution function.
  - 9. The system of claim 8, further comprising instructions for adding said Gaussian noise, wherein said instructions comprise determining a customized noise value by adding the individual value of a feature and a second value, wherein the second value is based on a variance of a Gaussian distribution for adding said noise, wherein said variance of said Gaussian distribution is determined by dividing a “
    - signal power”
      
      value by a desired “
      
      signal-to-power ratio”
      
      value.
  - 10. The system of claim 9, further comprising instructions for separately estimating said “
    - signal power”
      
      value for each feature to yield a customized noise value.

11. A networked enterprise or e-commerce system comprising a threat detection and identification system for identifying and detecting threats, to a plurality of computing systems of the networked enterprise or e-commerce system, wherein the plurality of computing systems are networked over a common communications network for communicating with one another in a secure computing environment, wherein the threat detection and identification system comprises:
- a processor memory for storing instructions for identifying and detecting threats to an enterprise or e-commerce system;
  
  a computer processor for executing said instructions for identifying and detecting threats to an enterprise or e-commerce system, said instructions comprising;
  
  instructions for grouping log lines belonging to one or more log line parameters from one or more enterprise or e-commerce system data sources and/or from incoming data traffic to the enterprise or e-commerce system;
  
  instructions for extracting one or more features from the grouped log lines into one or more features tables;
  
  instructions for using one or more statistical models on the one or more features tables to identify statistical outliers; and
  
  instructions for applying a Copula statistical model for estimating the marginal probability distribution of a feature using a nonparametric kernel density determination using a Gaussian kernel estimation step, said Gaussian kernel estimation step comprising the step of setting a bandwidth of said Gaussian kernel, and further setting said bandwidth using a Scott'"'"'s rule of thumb bandwidth setting process.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The networked enterprise or e-commerce system of claim 11, wherein said system for identifying and detecting threats further comprises instructions for applying a transformation module to at least a subset of said features for generating non-ordinal variables, in the event that said feature generator produces a plurality of discrete ordinal variables.
  - 13. The networked enterprise or e-commerce system of claim 12, wherein said system for identifying and detecting threats further comprises further comprises instructions for adding Gaussian noise to said discrete ordinal variables for producing an essentially continuous valued feature, said essentially continuous valued feature exhibiting an essentially uniform cumulative distribution function.
  - 14. The networked enterprise or e-commerce system of claim 13, wherein said system for identifying and detecting threats further comprises further comprising instructions for adding said Gaussian noise, wherein said instructions comprise determining a customized noise value by adding the individual value of a feature and a second value, wherein the second value is based on a variance of a Gaussian distribution for adding said noise, wherein said variance of said Gaussian distribution is determined by dividing a “
    - signal power value”
      
      by a desired “
      
      signal-to-power ratio”
      
      value.
  - 15. The networked enterprise or e-commerce system of claim 14, wherein said system for identifying and detecting threats further comprises instructions for separately estimating said “
    - signal power value”
      
      for each feature to yield a customized noise value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Corelight, Inc.
Original Assignee
Patternex, Inc. (Corelight, Inc.)
Inventors
Veeramachaneni, Uday, Korrapati, Vamsi, Bassias, Constantinos, Arnaldo, Ignacio
Primary Examiner(s)
Lee, Jason

Application Number

US15/612,388
Publication Number

US 20170272471A1
Time in Patent Office

431 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 2221/2101   Auditing as a secondary aspect

G06N 5/047   Pattern matching networks; ...

G06N 7/01   Probabilistic graphical mod...

H04L 2463/102   applying security measure f...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Copula optimization method and apparatus for identifying and detecting threats to an enterprise or e-commerce system and other applications

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

5 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Copula optimization method and apparatus for identifying and detecting threats to an enterprise or e-commerce system and other applications

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

5 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links