System for implementing threat detection using threat and risk assessment of asset-actor interactions

US 10,050,985 B2
Filed: 11/02/2015
Issued: 08/14/2018
Est. Priority Date: 11/03/2014
Status: Active Grant

First Claim

Patent Images

1. A method for performing threat detection in a network comprising:

monitoring, by a network security device, communications traffic in the network; and

implementing a threat detection system on the network security device, wherein the threat detection system performs the steps of;

constructing a predictive model using metadata extracted from the communications traffic, wherein the predictive model is constructed by identifying data for a key asset, generating a dataspace representation for the key asset relative to an actor in the network, and clustering data within the dataspace representation, wherein the predictive model is constructed using at least one of ensemble-based estimation over k-means, Gaussian mixture models, or other statistic estimators;

analyzing behaviors in the network relative to the predictive model; and

reporting a threat if abnormal behavior is identified.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is an approach to detect insider threats, by tracking unusual access activity for a specific user or computer with regard to accessing key assets over time. In this way, malicious activity and the different preparation phases of attacks can be identified.

Citations

27 Claims

1. A method for performing threat detection in a network comprising:
- monitoring, by a network security device, communications traffic in the network; and
  
  implementing a threat detection system on the network security device, wherein the threat detection system performs the steps of;
  
  constructing a predictive model using metadata extracted from the communications traffic, wherein the predictive model is constructed by identifying data for a key asset, generating a dataspace representation for the key asset relative to an actor in the network, and clustering data within the dataspace representation, wherein the predictive model is constructed using at least one of ensemble-based estimation over k-means, Gaussian mixture models, or other statistic estimators;
  
  analyzing behaviors in the network relative to the predictive model; and
  
  reporting a threat if abnormal behavior is identified.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 25, 26, 27)
- - 2. The method of claim 1, wherein the predictive model corresponds to a given time period.
  - 3. The method of claim 1, wherein a threshold threat level is established relative to the predictive model, and activity that falls outside the threshold threat level is identifiable as the threat.
  - 4. The method of claim 3, in which the threshold threat level corresponds to a radius surrounding a centroid of a cluster formed within a dataspace representation.
  - 5. The method of claim 1, wherein evaluation metrics are employed to analyze the behaviors in the network, and the evaluation metrics corresponds to at least one of z-scores based on variances estimated from mixture models, mean absolute deviation, and distance from centroids of clusters.
  - 6. The method of claim 1, further comprising analysis of relative risks and impacts of possible threats.
  - 7. The method of claim 6, wherein a plurality of threshold threat levels are established relative to different predictive models.
  - 8. The method of claim 1, wherein (near) real time monitoring is performed to check for the abnormal behavior.
  - 25. The method of claim 1, wherein the step of monitoring by the network security device further comprises monitoring network packets, the network security device receiving the network packets from a network infrastructure having network equipment.
  - 26. The method of claim 25, wherein the networking equipment comprises a router or a switch.
  - 27. The method of claim 25, wherein the network security device is implemented as software on a dedicated hardware device.

9. A computer program product embodied on a non-transitory computer readable medium, the non-transitory computer readable medium having stored thereon a sequence of instructions which, when executed by a processor causes the processor to execute a method for performing a process to perform threat detection in a network, the process comprising:
- monitoring, by a network security device, communications traffic in the network;
  
  constructing a predictive model using metadata extracted from the communications traffic, wherein the predictive model is constructed by identifying data for a key asset, generating a dataspace representation for the key asset relative to an actor in the network, and clustering data within the dataspace representation, wherein the predictive model is constructed using at least one of ensemble-based estimation over k-means, Gaussian mixture models, or other statistic estimators;
  
  analyzing behaviors in the network relative to the predictive model; and
  
  reporting a threat if abnormal behavior is identified.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer program product of claim 9, wherein the predictive model corresponds to a given time period.
  - 11. The computer program product of claim 9, wherein a threshold threat level is established relative to the predictive model, and activity that falls outside the threshold threat level is identifiable as the threat.
  - 12. The computer program product of claim 11, in which the threshold threat level corresponds to a radius surrounding a centroid of a cluster formed within a dataspace plot.
  - 13. The computer program product of claim 9, wherein evaluation metrics are employed analyze the behaviors in the network, and the evaluation metrics corresponds to at least one of z-scores based on variances estimated from mixture models, mean absolute deviation, and distance from centroids of clusters.
  - 14. The computer program product of claim 9, further comprising analysis of relative risks and impacts of possible threats.
  - 15. The computer program product of claim 14, wherein a plurality of threshold threat levels are established relative to different predictive models.
  - 16. The computer program product of claim 9, wherein (near) real time monitoring is performed to check for the abnormal behavior.

17. A system, comprising:
- a computer processor to execute a set of program code instructions;
  
  a memory to hold the program code instructions, in which the program code instructions comprises program code to perform;
  
  monitoring, by a network security device, communications traffic in a network;
  
  constructing a predictive model using metadata extracted from the communications traffic, wherein the predictive model is constructed by identifying data for a key asset, generating a dataspace representation for the key asset relative to an actor in the network, and clustering data within the dataspace representation, wherein the predictive model is constructed using at least one of ensemble-based estimation over k-means, Gaussian mixture models, or other statistic estimators;
  
  analyzing behaviors in the network relative to the predictive model; and
  
  reporting a threat if abnormal behavior is identified.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The system of claim 17, wherein the predictive model corresponds to a given time period.
  - 19. The system of claim 17, wherein a threshold threat level is established relative to the predictive model, and activity that falls outside the threshold threat level is identifiable as the threat.
  - 20. The system of claim 19, in which the threshold threat level corresponds to a radius surrounding a centroid of a cluster formed within a dataspace plot.
  - 21. The system of claim 17, wherein evaluation metrics are employed analyze the behaviors in the network, and the evaluation metrics corresponds to at least one of z-scores based on variances estimated from mixture models, mean absolute deviation, and distance from centroids of clusters.
  - 22. The system of claim 17, wherein the program code instructions further comprises program code to perform analysis of relative risks and impacts of possible threats.
  - 23. The system of claim 22, wherein a plurality of threshold threat levels are established relative to different predictive models.
  - 24. The system of claim 17, wherein the program code instructions further comprises program code to perform (near) real time monitoring to check for the abnormal behavior.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vectra AI Incorporated
Original Assignee
Vectra Networks, Inc.
Inventors
Mhatre, Himanshu, Pegna, David Lopes, Brdiczka, Oliver
Primary Examiner(s)
Song, Hosuk

Application Number

US14/930,368
Publication Number

US 20160191559A1
Time in Patent Office

1,016 Days
Field of Search

726 22- 25, 709224
US Class Current
CPC Class Codes

G06F 11/00   Error detection; Error corr...

G06F 12/14   Protection against unauthor...

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/6245   Protecting personal data, e...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/30   Profiles

System for implementing threat detection using threat and risk assessment of asset-actor interactions

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

System for implementing threat detection using threat and risk assessment of asset-actor interactions

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links