System for implementing threat detection using threat and risk assessment of asset-actor interactions
Abstract
Disclosed is an approach to detect insider threats, by tracking unusual access activity for a specific user or computer with regard to accessing key assets over time. In this way, malicious activity and the different preparation phases of attacks can be identified.
27 Claims
1. A method for performing threat detection in a network comprising:

monitoring, by a network security device, communications traffic in the network; and

implementing a threat detection system on the network security device, wherein the threat detection system performs the steps of:

constructing a predictive model using metadata extracted from the communications traffic, wherein the predictive model is constructed by identifying data for a key asset, generating a dataspace representation for the key asset relative to an actor in the network, and clustering data within the dataspace representation, wherein the predictive model is constructed using at least one of ensemble-based estimation over k-means, Gaussian mixture models, or other statistic estimators;

analyzing behaviors in the network relative to the predictive model; and

reporting a threat if abnormal behavior is identified.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 25, 26, 27.

9. A computer program product embodied on a non-transitory computer readable medium, the non-transitory computer readable medium having stored thereon a sequence of instructions which, when executed by a processor, causes the processor to execute a method for performing a process to perform threat detection in a network, the process comprising:

monitoring, by a network security device, communications traffic in the network;

constructing a predictive model using metadata extracted from the communications traffic, wherein the predictive model is constructed by identifying data for a key asset, generating a dataspace representation for the key asset relative to an actor in the network, and clustering data within the dataspace representation, wherein the predictive model is constructed using at least one of ensemble-based estimation over k-means, Gaussian mixture models, or other statistic estimators;

analyzing behaviors in the network relative to the predictive model; and

reporting a threat if abnormal behavior is identified.

Dependent claims: 10, 11, 12, 13, 14, 15, 16.

17. A system, comprising:

a computer processor to execute a set of program code instructions;

a memory to hold the program code instructions, in which the program code instructions comprise program code to perform:

monitoring, by a network security device, communications traffic in a network;

constructing a predictive model using metadata extracted from the communications traffic, wherein the predictive model is constructed by identifying data for a key asset, generating a dataspace representation for the key asset relative to an actor in the network, and clustering data within the dataspace representation, wherein the predictive model is constructed using at least one of ensemble-based estimation over k-means, Gaussian mixture models, or other statistic estimators;

analyzing behaviors in the network relative to the predictive model; and

reporting a threat if abnormal behavior is identified.

Dependent claims: 18, 19, 20, 21, 22, 23, 24.
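The following is an added example, not code from the patent or from any product: it realises the claimed pipeline for one actor and one key asset by summarising each time window of the actor's access metadata as a vector (the "dataspace representation"), fitting an ensemble of k-means models on a baseline period, and reporting a later window whose distance to every learned cluster is abnormally large. The feature choice (connections, bytes, distinct ports), the baseline windows and the "twice the worst baseline score" threshold rule are assumptions of this example, not taken from the patent.

```python
import math
import random

# Constructed baseline: 24 windows of (connections, bytes, distinct ports) for
# one actor -> key asset pair; these form the dataspace representation.
BASELINE = [(5 + i % 3, 2000 + 150 * (i % 4), 1) for i in range(24)]
# Constructed new windows: one routine access and one bulk-access burst.
NEW_WINDOWS = [(6, 2150, 1), (120, 500000, 8)]

def fit_scaler(rows):
    """Per-feature mean and std from the baseline (a std of 0 becomes 1)."""
    dims = len(rows[0])
    means = [sum(r[d] for r in rows) / len(rows) for d in range(dims)]
    stds = [math.sqrt(sum((r[d] - means[d]) ** 2 for r in rows) / len(rows)) or 1.0
            for d in range(dims)]
    return means, stds

def zscore(row, means, stds):
    return [(v - m) / s for v, m, s in zip(row, means, stds)]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans(points, k, seed, iters=20):
    """Plain Lloyd's k-means with seeded initialisation; returns the centroids."""
    dims = len(points[0])
    centroids = random.Random(seed).sample(points, k)
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for p in points:
            groups[min(range(k), key=lambda i: dist(p, centroids[i]))].append(p)
        centroids = [[sum(p[d] for p in g) / len(g) for d in range(dims)] if g else c
                     for g, c in zip(groups, centroids)]
    return centroids

def fit_ensemble(baseline, ks=(2, 3), seeds=(1, 2, 3)):
    """Ensemble over k-means: several k and seeds; score = mean nearest-centroid distance."""
    means, stds = fit_scaler(baseline)
    pts = [zscore(r, means, stds) for r in baseline]
    models = [kmeans(pts, k, s) for k in ks for s in seeds]
    def score(row):
        z = zscore(row, means, stds)
        return sum(min(dist(z, c) for c in m) for m in models) / len(models)
    # Threshold calibrated on the baseline itself: twice the worst baseline score.
    return score, 2.0 * max(score(r) for r in baseline)

def detect(baseline, windows):
    """Return (window, score, is_threat) per window; is_threat means report it."""
    score, threshold = fit_ensemble(baseline)
    return [(w, round(score(w), 2), score(w) > threshold) for w in windows]
```

Standardising on the baseline matters: without it the byte count dominates the distance and a change in port fan-out alone would never be visible.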
Specification