Automatic selection of malicious activity detection rules using crowd-sourcing techniques
First Claim
1. A computer-implemented method of providing a rule to detect malicious activity, the computer-implemented method comprising:
- receiving, by processing circuitry and from a first malicious activity detection system, an indication of whether a malicious activity detection rule is effective when used in the first malicious activity detection system to detect malicious activity, the received indication including a numerical rating value, a high numerical rating value indicating that the malicious activity detection rule is effective when used in the first malicious activity detection system to detect malicious activity;
- performing a numerical rating prediction operation to produce predicted numerical rating values indicating whether the malicious activity detection rule is predicted to be effective in other malicious activity detection systems that have not indicated using the malicious activity detection rule, the predicted numerical rating values including a predicted numerical rating value, the other malicious activity detection systems including a second malicious activity detection system;
- based on the indication, locating, by the processing circuitry, the second malicious activity detection system in which the malicious activity detection rule is predicted to be effective in detecting malicious activity, the locating of the second malicious activity detection system including comparing each of the predicted numerical rating values to a threshold rating value, the predicted numerical rating value indicating whether the malicious activity detection rule is predicted to be effective in the second malicious activity detection system exceeding the threshold rating value;
- initiating transmitting, by the predicted numerical rating value exceeding the threshold rating value, a message to the second malicious activity detection system recommending the malicious activity detection rule for use in the second malicious activity detection system to detect malicious activity, wherein each of the first malicious activity detection system and the other malicious activity detection systems is described by a respective one of a finite number of system descriptors, wherein the malicious activity detection rule is described by one of a finite number of rule descriptors, and wherein the performing of the numerical rating prediction operation includes:
  - deriving, from the numerical rating value received from the first malicious activity detection system, (i) the respective system descriptor of each of the first malicious activity detection system and the other malicious activity detection systems and (ii) the rule descriptor of the malicious activity detection rule; and
  - generating the predicted numerical rating values based on the derived system descriptors and the derived rule descriptor, the generated predicted numerical rating values including a generated predicted numerical rating value; and
- initiating detecting, by the generated predicted numerical rating value exceeding the threshold rating value, malicious activity by the second malicious activity detection system using the malicious activity detection rule.
Abstract
Techniques of operating intrusion detection systems provide a recommendation of an intrusion detection rule to an administrator of an intrusion detection system based on the experience of another administrator that has used the rule in another intrusion detection system. For example, suppose that electronic circuitry receives a numerical rating from a first intrusion detection system that indicates whether an intrusion detection rule was effective in identifying malicious activity when used in the first intrusion detection system. Based on the received rating and attributes of the first intrusion detection system, the electronic circuitry generates a predicted numerical rating that indicates whether the intrusion detection rule is likely to be effective in identifying malicious communications when used in a second intrusion detection system. If the predicted numerical rating is sufficiently high, then the electronic circuitry transmits a message to the second intrusion detection system recommending the intrusion detection rule for use in the second intrusion detection system.
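The abstract describes a recommender over rule-effectiveness ratings: systems report how well a rule worked, each system and rule is assigned one of a finite number of descriptors derived from those ratings, a rating is predicted for systems that have not reported using the rule, and a recommendation message is sent when the prediction clears a threshold. The following added example (not code from the patent or its assignee) implements that pipeline end to end. The patent text does not specify how descriptors are derived, so the two-group clustering of rating profiles, the 1-5 rating scale, the threshold of 3.5 and the sample ratings are all assumptions constructed for this illustration.

```python
"""Crowd-sourced rule recommender: derive descriptors from ratings, predict
ratings for systems that have not reported on a rule, recommend above a
threshold. Clustering scheme and sample data are assumptions, not the patent's."""
from statistics import mean

RATING_MIN, RATING_MAX = 1, 5   # assumed rating scale (RATING_MAX = very effective)
THRESHOLD = 3.5                 # assumed threshold rating value

# Constructed sample ratings: (system_id, rule_id) -> reported effectiveness.
RATINGS = {
    ("sys-A", "rule-1"): 5, ("sys-A", "rule-2"): 4, ("sys-A", "rule-3"): 1,
    ("sys-B", "rule-1"): 4, ("sys-B", "rule-2"): 5,
    ("sys-C", "rule-1"): 1, ("sys-C", "rule-2"): 2, ("sys-C", "rule-3"): 5,
    ("sys-D", "rule-1"): 2,                         ("sys-D", "rule-3"): 4,
    ("sys-E", "rule-2"): 5,
}


def profiles(ratings, key_index):
    """Group ratings into {item: {other_item: rating}}; key_index 0 gives one
    profile per system (keyed by rule), 1 gives one per rule (keyed by system)."""
    out = {}
    for pair, value in ratings.items():
        item, other = pair[key_index], pair[1 - key_index]
        out.setdefault(item, {})[other] = value
    return out


def distance(p, q):
    """Mean absolute rating gap over co-rated entries; profiles with no overlap
    are treated as maximally different rather than silently similar."""
    shared = p.keys() & q.keys()
    if not shared:
        return float(RATING_MAX - RATING_MIN)
    return sum(abs(p[k] - q[k]) for k in shared) / len(shared)


def centroid(members):
    """Per-entry mean over a group of profiles, ignoring missing ratings."""
    totals = {}
    for prof in members:
        for k, v in prof.items():
            totals.setdefault(k, []).append(v)
    return {k: mean(v) for k, v in totals.items()}


def derive_descriptors(profs, k=2, rounds=5):
    """Assign each item one of k descriptors (0..k-1) by clustering its rating
    profile. Seeds are chosen deterministically (first item in sorted order,
    then the item farthest from the seeds so far) so runs are reproducible."""
    names = sorted(profs)
    seeds = [names[0]]
    while len(seeds) < k:
        seeds.append(max((n for n in names if n not in seeds),
                         key=lambda n: min(distance(profs[n], profs[s]) for s in seeds)))
    centroids = [dict(profs[s]) for s in seeds]
    labels = {}
    for _ in range(rounds):
        new = {n: min(range(k), key=lambda i: distance(profs[n], centroids[i]))
               for n in names}
        if new == labels:
            break
        labels = new
        # An empty cluster keeps its previous centroid.
        centroids = [centroid([profs[n] for n in names if labels[n] == i]) or centroids[i]
                     for i in range(k)]
    return labels


def predict_ratings(ratings):
    """Predicted rating for every (system, rule) pair the system has not reported:
    the mean of all ratings whose system and rule share the target's descriptors,
    falling back to the global mean when that cell is empty."""
    sys_desc = derive_descriptors(profiles(ratings, 0))
    rule_desc = derive_descriptors(profiles(ratings, 1))
    cells = {}
    for (s, r), v in ratings.items():
        cells.setdefault((sys_desc[s], rule_desc[r]), []).append(v)
    overall = mean(ratings.values())
    predicted = {}
    for s in sys_desc:
        for r in rule_desc:
            if (s, r) in ratings:
                continue  # this system already reported on this rule
            cell = cells.get((sys_desc[s], rule_desc[r]))
            predicted[(s, r)] = mean(cell) if cell else overall
    return predicted


def recommendations(ratings, threshold=THRESHOLD):
    """Recommendation messages for every pair whose prediction exceeds threshold."""
    return [
        {"to": s, "rule": r, "predicted_rating": round(p, 2),
         "message": f"Rule {r} is predicted effective (score {p:.2f}); consider enabling it."}
        for (s, r), p in sorted(predict_ratings(ratings).items()) if p > threshold
    ]


if __name__ == "__main__":
    for m in recommendations(RATINGS):
        print(m["to"], m["message"])
```

On the sample data, sys-E has only reported on rule-2; its rating profile groups it with sys-A and sys-B, whose high ratings for rule-1 yield a prediction of 4.6 and therefore a recommendation, while rule-3 (rated low by that group) stays below the threshold. A practitioner would treat the predicted value as a prioritisation hint and still validate the rule against local false-positive rates before enabling it.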
38 Citations
15 Claims
1. Independent claim 1, reproduced in full under "First Claim" above.
- Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A computer program product having a non-transitory computer readable medium which stores a set of instructions to provide a rule to detect malicious activity, the set of instructions, when carried out by computerized circuitry, causing the computerized circuitry to perform a method of:
- receiving, by processing circuitry and from a first malicious activity detection system, an indication of whether a malicious activity detection rule is effective when used in the first malicious activity detection system to detect malicious activity, the received indication including a numerical rating value, a high numerical rating value indicating that the malicious activity detection rule is effective when used in the first malicious activity detection system to detect malicious activity;
- performing a numerical rating prediction operation to produce predicted numerical rating values indicating whether the malicious activity detection rule is predicted to be effective in other malicious activity detection systems that have not indicated using the malicious activity detection rule, the predicted numerical rating values including a predicted numerical rating value, the other malicious activity detection systems including a second malicious activity detection system;
- based on the indication, locating, by the processing circuitry, the second malicious activity detection system in which the malicious activity detection rule is predicted to be effective in detecting malicious activity, the locating of the second malicious activity detection system including comparing each of the predicted numerical rating values to a threshold rating value, the predicted numerical rating value indicating whether the malicious activity detection rule is predicted to be effective in the second malicious activity detection system exceeding the threshold rating value;
- initiating transmitting, by the predicted numerical rating value exceeding the threshold rating value, a message to the second malicious activity detection system recommending the malicious activity detection rule for use in the second malicious activity detection system to detect malicious activity, wherein each of the first malicious activity detection system and the other malicious activity detection systems is described by a respective one of a finite number of system descriptors, wherein the malicious activity detection rule is described by one of a finite number of rule descriptors, and wherein the performing of the numerical rating prediction operation includes:
  - deriving, from the numerical rating value received from the first malicious activity detection system, (i) the respective system descriptor of each of the first malicious activity detection system and the other malicious activity detection systems and (ii) the rule descriptor of the malicious activity detection rule; and
  - generating the predicted numerical rating values based on the derived system descriptors and the derived rule descriptor, the generated predicted numerical rating values including a generated predicted numerical rating value; and
- initiating detecting, by the generated predicted numerical rating value exceeding the threshold rating value, malicious activity by the second malicious activity detection system using the malicious activity detection rule.
- Dependent claims: 10, 11, 12, 13, 14
15. An electronic apparatus, comprising:
- a user interface;
- memory; and
- control circuitry coupled to the user interface and the memory, the memory storing instructions which, when carried out by the control circuitry, cause the control circuitry to:
  - receive, from a first malicious activity detection system, an indication of whether a malicious activity detection rule is effective when used in the first malicious activity detection system to detect malicious activity, the received indication including a numerical rating value, a high numerical rating value indicating that the malicious activity detection rule is effective when used in the first malicious activity detection system to detect malicious activity;
  - perform a numerical rating prediction operation to produce predicted numerical rating values indicating whether the malicious activity detection rule is predicted to be effective in other malicious activity detection systems that have not indicated using the malicious activity detection rule, the predicted numerical rating values including a predicted numerical rating value, the other malicious activity detection systems including a second malicious activity detection system;
  - based on the indication, locate the second malicious activity detection system in which the malicious activity detection rule is predicted to be effective in detecting malicious activity, locating of the second malicious activity detection system including comparing each of the predicted numerical rating values to a threshold rating value, the predicted numerical rating value indicating whether the malicious activity detection rule is predicted to be effective in the second malicious activity detection system exceeding the threshold rating value;
  - initiate transmission, by the predicted numerical rating value exceeding the threshold rating value, of a message to the second malicious activity detection system recommending the malicious activity detection rule for use in the second malicious activity detection system to detect malicious activity,
- wherein each of the first malicious activity detection system and the other malicious activity detection systems is described by a respective one of a finite number of system descriptors, wherein the malicious activity detection rule is described by one of a finite number of rule descriptors, and wherein the memory stores the instructions which, when carried out by the control circuitry, further cause the control circuitry to perform the numerical rating prediction operation, including to:
  - derive, from the numerical rating value received from the first malicious activity detection system, (i) the respective system descriptor of each of the first malicious activity detection system and the other malicious activity detection systems and (ii) the rule descriptor of the malicious activity detection rule; and
  - generate the predicted numerical rating values based on the derived system descriptors and the derived rule descriptor, the generated predicted numerical rating values including a generated predicted numerical rating value; and
- wherein the memory stores the instructions which, when carried out by the control circuitry, further cause the control circuitry to initiate detecting, by the generated predicted numerical rating value exceeding the threshold rating value, malicious activity by the second malicious activity detection system using the malicious activity detection rule.
Specification