Cyber security
First Claim
1. A method for detection of a cyber-threat to a computer system, the method arranged to be performed by a processing apparatus, the method comprising:
- receiving input data associated with a first entity associated with the computer system;
- deriving metrics from the received input data from probes in the computer system, the derived metrics representative of characteristics of the received input data;
- analyzing the derived metrics using one or more models that include a first model, which is a self-learning model trained on a normal behavior of at least the first entity associated with the computing system, where the self-learning model of normal behavior uses a non-frequentist architecture that is continuously updated, where the self-learning model of normal behavior is updated when new input data is received that is deemed within the limits of normal behavior, where a normal behavior threshold is used by the model as a moving benchmark of parameters that correspond to a normal pattern of life for the computing system, and the normal behavior threshold is varied according to the updated changes in the computer system allowing the model to spot behavior on the computing system that falls outside the parameters set by the moving benchmark;
- comparing the analyzed metrics received from the probes to the moving benchmark of parameters that correspond to the normal pattern of life for the computing system used by the self-learning model; and
- determining, in accordance with the analyzed metrics and the moving benchmark used by the self-learning model of normal behavior, a cyber-threat risk parameter indicative of a likelihood of a cyber-threat.
Abstract
Disclosed herein is a method for detection of a cyber-threat to a computer system. The method is arranged to be performed by a processing apparatus. The method comprises receiving input data associated with a first entity associated with the computer system, deriving metrics from the input data, the metrics representative of characteristics of the received input data, analyzing the metrics using one or more models, and determining, in accordance with the analyzed metrics and a model of normal behavior of the first entity, a cyber-threat risk parameter indicative of a likelihood of a cyber-threat. A computer readable medium, a computer program and a threat detection system are also disclosed.
17 Claims
1. Independent method claim; its full text is given above under First Claim. Claims 2 to 15 are dependent on claim 1.
16. A non-transitory computer readable medium comprising:
- computer readable code operable, when executed by one or more processing apparatuses in a computer system, to instruct a computing device to perform a method for detection of a cyber-threat to the computer system, the method comprising:
- receiving input data associated with a first entity associated with the computer system;
- deriving metrics from the received input data from probes in the computer system, the derived metrics representative of characteristics of the received input data;
- analyzing the derived metrics using one or more models that include a first model, which is a self-learning model trained on a normal behavior of at least the first entity associated with the computing system, where the self-learning model of normal behavior uses a non-frequentist architecture that is continuously updated, where the self-learning model of normal behavior is updated when new input data is received that is deemed within the limits of normal behavior, where a normal behavior threshold is used by the model as a moving benchmark of parameters that correspond to a normal pattern of life for the computing system, and the normal behavior threshold is varied according to the updated changes in the computer system allowing the model to spot behavior on the computing system that falls outside the parameters set by the moving benchmark;
- comparing the analyzed metrics received from the probes to the moving benchmark of parameters that correspond to the normal pattern of life for the computing system used by the self-learning model; and
- determining, in accordance with the analyzed metrics and the moving benchmark used by the self-learning model of normal behavior, a cyber-threat risk parameter indicative of a likelihood of a cyber-threat.
17. A threat detection system comprising a processor and a non-transitory memory comprising computer readable code, where the processor is configured to execute the computer readable code in the non-transitory memory to instruct devices in a threat detection system to perform a method for detection of a cyber-threat to the computer system, the method comprising:
- receiving input data associated with a first entity associated with the computer system;
- deriving metrics from the received input data from probes in the computer system, the derived metrics representative of characteristics of the received input data;
- analyzing the derived metrics using one or more models that include a first model, which is a self-learning model trained on a normal behavior of at least the first entity associated with the computing system, where the self-learning model of normal behavior uses a non-frequentist architecture that is continuously updated, where the self-learning model of normal behavior is updated when new input data is received that is deemed within the limits of normal behavior, where a normal behavior threshold is used by the model as a moving benchmark of parameters that correspond to a normal pattern of life for the computing system, and the normal behavior threshold is varied according to the updated changes in the computer system allowing the model to spot behavior on the computing system that falls outside the parameters set by the moving benchmark;
- comparing the analyzed metrics received from the probes to the moving benchmark of parameters that correspond to the normal pattern of life for the computing system used by the self-learning model; and
- determining, in accordance with the analyzed metrics and the moving benchmark used by the self-learning model of normal behavior, a cyber-threat risk parameter indicative of a likelihood of a cyber-threat.
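Claims 1, 16 and 17 recite the same five steps: receive probe data for an entity, derive metrics, analyze them against a self-learning model whose normal-behavior threshold is a moving benchmark updated only by data deemed normal, compare, and output a risk parameter. The following Python sketch is an added illustration of those steps, not the patentee's code and not the specific "non-frequentist architecture" the claims refer to. Everything concrete in it is an assumption chosen for the example: the three metric names, the constructed probe records, exponentially weighted mean and variance as the online estimator, a benchmark of mean plus or minus k standard deviations, and the risk formula 1 - exp(-(z - k)).

```python
"""Per-entity 'pattern of life' baseline with a moving benchmark.

Added example, not the patent's implementation. The metric names, the
estimator, the constants and the risk formula are assumptions."""
import math
from dataclasses import dataclass, field


def constructed_records(n, entity="host-17"):
    """Constructed probe records (synthetic, not real telemetry): one record
    per observation window, cycling through a plausible routine."""
    bytes_cycle, dst_cycle, auth_cycle = [900, 1000, 1100, 1000], [3, 4, 5, 4], [0, 1, 0, 0]
    return [{"entity": entity, "bytes_out": bytes_cycle[i % 4],
             "dst_count": dst_cycle[i % 4], "failed_auth": auth_cycle[i % 4]}
            for i in range(n)]


# Constructed anomalous window: large upload, many destinations, auth failures.
ANOMALOUS_RECORD = {"entity": "host-17", "bytes_out": 500_000, "dst_count": 80, "failed_auth": 25}


def derive_metrics(record):
    """'Deriving metrics' step: byte volume is log-scaled so a 10x change is a fixed step."""
    return {"log_bytes_out": math.log1p(record["bytes_out"]),
            "dst_count": float(record["dst_count"]),
            "failed_auth": float(record["failed_auth"])}


@dataclass
class MetricBaseline:
    """Running estimate of one metric's normal range for one entity."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0      # sum of squared deviations during warm-up (Welford)
    var: float = 0.0


@dataclass
class PatternOfLife:
    alpha: float = 0.1     # weight of each newly accepted observation (assumed)
    k: float = 3.0         # benchmark half-width in standard deviations (assumed)
    warmup: int = 10       # observations accepted unconditionally per metric
    min_std: float = 0.05  # floor so a constant metric cannot give an infinite z
    baselines: dict = field(default_factory=dict)

    def _baseline(self, entity, metric):
        return self.baselines.setdefault(entity, {}).setdefault(metric, MetricBaseline())

    def _std(self, b):
        return max(math.sqrt(b.var), self.min_std)

    def benchmark(self, entity, metric):
        """Current moving benchmark (low, high) for one metric of one entity."""
        b = self._baseline(entity, metric)
        return b.mean - self.k * self._std(b), b.mean + self.k * self._std(b)

    def baseline_mean(self, entity, metric):
        return self._baseline(entity, metric).mean

    def score(self, entity, metrics):
        """'Comparing' and 'determining' steps: risk is 0 while every metric sits
        inside its benchmark and rises towards 1 as the worst deviation grows past k."""
        worst, breaches = 0.0, []
        for name, value in metrics.items():
            b = self._baseline(entity, name)
            if b.n < self.warmup:
                continue  # no benchmark exists yet for this metric
            z = abs(value - b.mean) / self._std(b)
            if z > self.k:
                breaches.append(name)
            worst = max(worst, z)
        return 1.0 - math.exp(-max(0.0, worst - self.k)), breaches

    def observe(self, entity, metrics):
        """Score, then fold the observation into the baseline only if it was deemed
        normal, so an attack does not become the new normal. Returns (risk, breaches, accepted)."""
        risk, breaches = self.score(entity, metrics)
        accepted = not breaches
        for name, value in metrics.items():
            b = self._baseline(entity, name)
            if b.n < self.warmup:  # warm-up: exact incremental mean/variance (Welford)
                b.n += 1
                delta = value - b.mean
                b.mean += delta / b.n
                b.m2 += delta * (value - b.mean)
                b.var = b.m2 / b.n
            elif accepted:         # steady state: exponentially weighted mean/variance,
                delta = value - b.mean  # so the benchmark drifts with genuine behaviour change
                b.mean += self.alpha * delta
                b.var = (1.0 - self.alpha) * (b.var + self.alpha * delta * delta)
        return risk, breaches, accepted


def run_demo(normal_windows=40):
    """Feed constructed normal windows, then one anomalous window; return what happened."""
    model, risks = PatternOfLife(), []
    for rec in constructed_records(normal_windows):
        risks.append(model.observe(rec["entity"], derive_metrics(rec))[0])
    dst_before = model.baseline_mean("host-17", "dst_count")
    risk, breaches, accepted = model.observe("host-17", derive_metrics(ANOMALOUS_RECORD))
    return {"max_normal_risk": max(risks), "anomaly_risk": risk, "anomaly_breaches": breaches,
            "anomaly_accepted": accepted, "dst_mean_before": dst_before,
            "dst_mean_after": model.baseline_mean("host-17", "dst_count")}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The design point a defender cares about is the `accepted` gate in `observe`: an observation that breaches the benchmark is scored but never folded into the baseline, which is what keeps a burst of malicious activity from being learned as the entity's new normal. The flip side is the caveat: behaviour that changes slowly, staying just inside the moving benchmark at each step, will still shift the benchmark over time, so a deployment of this pattern would bound how fast the baseline may drift or periodically review baselines against an independent reference.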