Method for detecting a cyber attack

US 10,366,229 B2
Filed: 06/20/2017
Issued: 07/30/2019
Est. Priority Date: 06/20/2016
Status: Active Grant

First Claim

Patent Images

1. A method for detecting a cyber attack comprising:

storing network traffic data of network events occurring on a network over a period of time to a network accounting log;

compressing the network accounting log by writing metadata of network events, occurring within the period of time and represented in the network accounting log, to a compressed log file comprising a probabilistic data structure;

in response to receipt of a new threat intelligence representing a newly-identified security threat identified after the period of time, querying the compressed log file for a network traffic metadata value representative of a threat element defined in the new threat intelligence;

in response to detecting the threat element in the compressed log file, querying the network accounting log for the threat element; and

in response to detecting the threat element in the network accounting log, issuing an alert to respond to the newly-identified security threat on the network.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One variation of a method for detecting a cyber attack includes: recording representations of network events occurring on a network over a period of time to a network accounting log; writing metadata values of network events in the accounting log to a compressed log file; in response to receipt of a new threat intelligence representing a newly-identified security threat identified after the period of time, querying the compressed log file for a set of metadata values of a threat element defined in the new threat intelligence; in response to detecting the set of metadata values of the threat element in the compressed log file, querying the network accounting log for a set of threat elements defined in the new threat intelligence; and in response to detecting the set of threat elements in the network accounting log, issuing an alert to respond to the newly-identified security threat on the network.

Citations

18 Claims

1. A method for detecting a cyber attack comprising:
- storing network traffic data of network events occurring on a network over a period of time to a network accounting log;
  
  compressing the network accounting log by writing metadata of network events, occurring within the period of time and represented in the network accounting log, to a compressed log file comprising a probabilistic data structure;
  
  in response to receipt of a new threat intelligence representing a newly-identified security threat identified after the period of time, querying the compressed log file for a network traffic metadata value representative of a threat element defined in the new threat intelligence;
  
  in response to detecting the threat element in the compressed log file, querying the network accounting log for the threat element; and
  
  in response to detecting the threat element in the network accounting log, issuing an alert to respond to the newly-identified security threat on the network.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1:
    - wherein compressing the network accounting log into the compressed log file comprises;
      
      writing external Internet Protocol addresses associated with network events represented in the network accounting log to the probabilistic data structure;
      
      writing domain names associated with network events represented in the network accounting log to a second probabilistic data structure; and
      
      writing hostnames associated with network events represented in the network accounting log to a third probabilistic data structure;
      
      wherein querying the compressed log file for the value representative of the threat element comprises;
      
      querying the probabilistic data structure for an external Internet Protocol address defined by the new threat intelligence;
      
      querying the second probabilistic data structure for a domain name defined by the new threat intelligence; and
      
      querying the third probabilistic data structure for a hostname defined by the new threat intelligence; and
      
      wherein querying the network accounting log for the threat element comprises querying the network accounting log for a pattern of network events defined by the new threat intelligence in response to receiving positive query results from the first probabilistic data structure, the second probabilistic data structure, and the third probabilistic data structure.
  - 3. The method of claim 1:
    - wherein compressing the network accounting log into the compressed log file comprises writing external Internet Protocol addresses, domain names, and hostnames of network events represented in the network accounting log to the probabilistic data structure;
      
      wherein querying the compressed log file for the value representative of the threat element comprises querying the probabilistic data structure for an external Internet Protocol address, a domain name, and a hostname defined by the new threat intelligence; and
      
      wherein querying the network accounting log for the threat element comprises querying the network accounting log for a set of threat elements defined by the new threat intelligence in response to receiving positive query results from the probabilistic data structure for a threshold proportion of the external Internet Protocol address, the domain name, and the hostname.
  - 4. The method of claim 1:
    - wherein recording elements representing network events to the network accounting log comprises interfacing with external intrusion detection systems arranged throughout the network to detect events occurring on the network; and
      
      wherein compressing the network accounting log into the compressed log file comprises inserting elements comprising metadata of network events occurring on the network into the compressed log file comprising a probabilistic data structure.
  - 5. The method of claim 1:
    - wherein querying the network accounting log for the threat element comprises detecting, in the network accounting log, the threat element comprising an indicator of compromise affecting a particular asset on the network; and
      
      wherein issuing an alert to respond to the newly-identified security threat on the network comprises;
      
      generating the alert indicating the newly-identified security threat, indicating the particular asset, and comprising a prompt to investigate the network for presence of the newly-identified security threat; and
      
      transmitting the alert to an external security operation center.

6. A method for detecting a cyber attack comprising:
- recording representations of network events occurring on a network over a period of time to a network accounting log;
  
  writing external Internet Protocol addresses of network events represented in the network accounting log to a first probabilistic data structure in;
  
  writing domain names of network events represented in the network accounting log to a second probabilistic data structure in the compressed log file; and
  
  writing hostnames of network events represented in the network accounting log to a third probabilistic data structure in the compressed log file;
  
  in response to receipt of a new threat intelligence representing a newly-identified security threat identified after the period of time;
  
  querying the first probabilistic data structure in the compressed log file for an external Internet Protocol address representative of the new threat intelligence;
  
  querying the second probabilistic data structure for a domain name representative of the threat element; and
  
  querying the third probabilistic data structure for a hostname representative of the threat element;
  
  in response to receiving positive query results from the first probabilistic data structure, the second probabilistic data structure, and the third probabilistic data structure, querying the network accounting log for a set of network events defined by the new threat intelligence; and
  
  in response to detecting the set of threat elements in the network accounting log, issuing an alert to respond to the newly-identified security threat on the network.
- View Dependent Claims (7, 8)
- - 7. The method of claim 6, wherein issuing the alert to respond to the newly-identified security threat on the network comprises:
    - detecting a degree of temporal alignment between the set of network events in the network accounting log and a cyber attack pattern defined in the new threat intelligence, the cyber attack pattern defining an order of the threat elements;
      
      calculating a confidence score, for exposure of the network to the newly-identified security threat, proportional to the degree of temporal alignment; and
      
      transmitting the alert to an external security operation center in response to the confidence score exceeding a threshold score.
  - 8. The method of claim 6, wherein recording representations of network events occurring on the network to the network accounting log comprises executing deep packet inspection to detect events occurring on the network.

9. A method for detecting a cyber attack comprising:
- recording representations of network events occurring on a network over a period of time to a network accounting log;
  
  compressing the network accounting log into a compressed log file representing the network events occurring within the period of time;
  
  in response to receipt of a new threat intelligence representing a newly-identified security threat identified after the period of time, querying the compressed log file for a value representative of a threat element defined in the new threat intelligence;
  
  in response to detecting the threat element in the compressed log file, querying the network accounting log for a set of network events that approximate threat elements defined in the new threat intelligence in response to receiving a positive query result from the compressed log file;
  
  in response to detecting the threat element in the network accounting log, predicting exposure of the network to the newly-identified security threat during the period of time based on alignment between a sequence of the set of network events in the network accounting log and a sequence of threat elements defined by the new threat intelligence; and
  
  in response to predicting exposure of the network to the newly-identified security threat, issuing an alert to respond to the newly-identified security threat on the network.
- View Dependent Claims (10, 11)
- - 10. The method of claim 9:
    - wherein exposure of the network to the newly-identified security threat comprisescalculating a degree of temporal alignment between the sequence and a timing of the set of network events in the network accounting log and a cyber attack pattern defined in the new threat intelligence; and
      
      calculating a confidence score for presence of the newly-identified security threat on the network proportional to the degree of temporal alignment; and
      
      wherein issuing the alert to respond to the newly-identified security threat on the network comprises issuing the alert in response to the confidence score exceeding a threshold score.
  - 11. The method of claim 10:
    - wherein querying the network accounting log for the threat element comprises detecting, in the network accounting log, the threat element affecting a particular asset on the network; and
      
      further comprising, in response to the confidence score exceeding a quarantine score greater than the threshold score, automatically executing a process to quarantine the particular asset from the network to contain the newly-identified security threat.

12. A method for detecting a cyber attack comprising:
- recording, to a network accounting log, representations of network events occurring on a network over a period of time of a first duration, extending up to a current time block, and excluding the current time block;
  
  compressing the network accounting log into a compressed log file representing the network events occurring within the period of time;
  
  recording representations of a new set of network events occurring during the current time block to a network event buffer, the current time block of a second duration less than the first duration;
  
  in response to receipt of a new threat intelligence representing a newly-identified security threat identified during the current time block, querying the network event buffer for a threat element defined in the new threat intelligence;
  
  in response to detecting the threat element in the network event buffer during the current time block, issuing an alert to respond to the newly-identified security threat on the network; and
  
  in response to receiving a negative query result for the threat element from the network event buffer, querying the compressed log file for a value representative of the threat element;
  
  in response to detecting the threat element in the compressed log file, querying the network accounting log for the threat element; and
  
  in response to detecting the threat element in the network accounting log, issuing an alert to respond to the newly-identified security threat on the network.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The method of claim 12:
    - wherein recording representations of the new set of network events occurring during the current time block to the network event buffer comprises recording, to the network event buffer, representations of the new set of network events occurring during the current time block comprising a current date; and
      
      further comprising, in response to conclusion of the current date;
      
      updating the network accounting log with elements in the network event buffer; and
      
      updating the compressed log file with metadata of elements in the network event buffer.
  - 14. The method of claim 13, further comprising:
    - in response to receipt of a second threat intelligence representing a second security threat identified on a subsequent date, querying the compressed log file for a second threat element defined in the second threat intelligence;
      
      in response to receiving a positive query result from the compressed log file, querying the network accounting log for the second threat element; and
      
      in response to detecting the second threat element in the network accounting log, issuing a second alert to respond to the second security threat on the network.
  - 15. The method of claim 14:
    - further comprising accessing a database of past threat intelligence representing a set of known security threats; and
      
      wherein querying the network event buffer for the threat element comprises querying the network event buffer for threat elements defined in the new threat intelligence and in the database of past threat intelligence.
  - 16. The method of claim 15:
    - wherein querying the network event buffer for threat elements defined in the new threat intelligence and in the database of past threat intelligence comprises;
      
      accessing a compressed threat intelligence file representing threat elements defined in the database of past threat intelligence;
      
      inserting threat elements defined in the new threat intelligence into the compressed threat intelligence file; and
      
      in response to detecting a new network event on the network during the current time block, querying the compressed threat intelligence file for metadata of the new network event; and
      
      wherein querying the network event buffer for the threat element defined in the new threat intelligence comprises querying the new threat intelligence and the database of past threat intelligence for metadata of the new network event in response to receiving a positive query result from the compressed threat intelligence file.

17. A method for detecting a cyber attack comprising:
- recording representations of network events occurring on a network over a period of time to a network accounting log;
  
  compressing the network accounting log into;
  
  a first compressed log file representing network events occurring within a first segment of the period of time; and
  
  a second compressed log file representing network events occurring with a second segment of the period of time, the second segment distinct from, temporally preceding, and of duration greater than the first segment of the period of time;
  
  in response to receipt of a new threat intelligence representing a newly-identified security threat identified after the period of time, querying the first compressed log file for a value representative of a threat element defined in the new threat intelligence;
  
  in response to omission of the threat element from the first compressed log file, querying the second compressed log file for the threat element;
  
  in response to detecting the threat element in one of the first compressed log file and the second compressed log file, querying the network accounting log for the threat element; and
  
  in response to detecting the threat element in the network accounting log, issuing an alert to respond to the newly-identified security threat on the network.

18. A method for detecting a cyber attack comprising:
- recording, to a network accounting log, representations of network events occurring on a network over a period of time of a first duration, extending up to a current time block, and excluding the current time block;
  
  writing metadata values of network events in the accounting log to a compressed log file;
  
  recording representations of a new set of network events occurring during the current time block to a network event buffer, the current time block of a second duration less than a first duration;
  
  accessing a database of past threat intelligence representing a set of known security threats;
  
  in response to receipt of a new threat intelligence representing a newly-identified security threat identified during the current time block, querying the network event buffer for metadata values of threat elements defined in the new threat intelligence and in the database of past threat intelligence;
  
  in response to detecting metadata values of the threat element in the network event buffer during the current time block, issuing an alert to respond to the newly-identified security threat on the network;
  
  in response to receipt of a new threat intelligence representing a newly-identified security threat identified after the period of time, querying the compressed log file for a set of metadata values of a threat element defined in the new threat intelligence;
  
  in response to receiving a negative query result for the threat element from the network event buffer, querying the compressed log file for metadata values representative of the threat element;
  
  in response to detecting the set of metadata values of the threat element in the compressed log file, querying the network accounting log for a set of threat elements defined in the new threat intelligence; and
  
  in response to detecting the set of threat elements in the network accounting log, issuing an alert to respond to the newly-identified security threat on the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sumo Logic, Inc.
Original Assignee
Jask Labs Inc. (Sumo Logic, Inc.)
Inventors
Martin, Gregory, Piscitell, III, Thomas, Matslofva, David
Primary Examiner(s)
Song, Hosuk

Application Number

US15/628,196
Publication Number

US 20180004942A1
Time in Patent Office

770 Days
Field of Search

726 22- 26
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

Method for detecting a cyber attack

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method for detecting a cyber attack

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links