Method for detecting a cyber attack
First Claim
1. A method for detecting a cyber attack comprising:
storing network traffic data of network events occurring on a network over a period of time to a network accounting log;
compressing the network accounting log by writing metadata of network events, occurring within the period of time and represented in the network accounting log, to a compressed log file comprising a probabilistic data structure;
in response to receipt of a new threat intelligence representing a newly-identified security threat identified after the period of time, querying the compressed log file for a network traffic metadata value representative of a threat element defined in the new threat intelligence;
in response to detecting the threat element in the compressed log file, querying the network accounting log for the threat element; and
in response to detecting the threat element in the network accounting log, issuing an alert to respond to the newly-identified security threat on the network.
Abstract
One variation of a method for detecting a cyber attack includes: recording representations of network events occurring on a network over a period of time to a network accounting log; writing metadata values of network events in the accounting log to a compressed log file; in response to receipt of a new threat intelligence representing a newly-identified security threat identified after the period of time, querying the compressed log file for a set of metadata values of a threat element defined in the new threat intelligence; in response to detecting the set of metadata values of the threat element in the compressed log file, querying the network accounting log for a set of threat elements defined in the new threat intelligence; and in response to detecting the set of threat elements in the network accounting log, issuing an alert to respond to the newly-identified security threat on the network.
18 Claims
1. A method for detecting a cyber attack comprising:
storing network traffic data of network events occurring on a network over a period of time to a network accounting log;
compressing the network accounting log by writing metadata of network events, occurring within the period of time and represented in the network accounting log, to a compressed log file comprising a probabilistic data structure;
in response to receipt of a new threat intelligence representing a newly-identified security threat identified after the period of time, querying the compressed log file for a network traffic metadata value representative of a threat element defined in the new threat intelligence;
in response to detecting the threat element in the compressed log file, querying the network accounting log for the threat element; and
in response to detecting the threat element in the network accounting log, issuing an alert to respond to the newly-identified security threat on the network.
(Dependent claims: 2, 3, 4, 5)
6. A method for detecting a cyber attack comprising:
recording representations of network events occurring on a network over a period of time to a network accounting log;
writing external Internet Protocol addresses of network events represented in the network accounting log to a first probabilistic data structure in a compressed log file; writing domain names of network events represented in the network accounting log to a second probabilistic data structure in the compressed log file; and writing hostnames of network events represented in the network accounting log to a third probabilistic data structure in the compressed log file;
in response to receipt of a new threat intelligence representing a newly-identified security threat identified after the period of time, querying the first probabilistic data structure in the compressed log file for an external Internet Protocol address representative of the new threat intelligence; querying the second probabilistic data structure for a domain name representative of the threat element; and querying the third probabilistic data structure for a hostname representative of the threat element;
in response to receiving positive query results from the first probabilistic data structure, the second probabilistic data structure, and the third probabilistic data structure, querying the network accounting log for a set of network events defined by the new threat intelligence; and
in response to detecting the set of threat elements in the network accounting log, issuing an alert to respond to the newly-identified security threat on the network.
(Dependent claims: 7, 8)
9. A method for detecting a cyber attack comprising:
recording representations of network events occurring on a network over a period of time to a network accounting log;
compressing the network accounting log into a compressed log file representing the network events occurring within the period of time;
in response to receipt of a new threat intelligence representing a newly-identified security threat identified after the period of time, querying the compressed log file for a value representative of a threat element defined in the new threat intelligence;
in response to detecting the threat element in the compressed log file, querying the network accounting log for a set of network events that approximate threat elements defined in the new threat intelligence in response to receiving a positive query result from the compressed log file;
in response to detecting the threat element in the network accounting log, predicting exposure of the network to the newly-identified security threat during the period of time based on alignment between a sequence of the set of network events in the network accounting log and a sequence of threat elements defined by the new threat intelligence; and
in response to predicting exposure of the network to the newly-identified security threat, issuing an alert to respond to the newly-identified security threat on the network.
(Dependent claims: 10, 11)
12. A method for detecting a cyber attack comprising:
recording, to a network accounting log, representations of network events occurring on a network over a period of time of a first duration, extending up to a current time block, and excluding the current time block;
compressing the network accounting log into a compressed log file representing the network events occurring within the period of time;
recording representations of a new set of network events occurring during the current time block to a network event buffer, the current time block of a second duration less than the first duration;
in response to receipt of a new threat intelligence representing a newly-identified security threat identified during the current time block, querying the network event buffer for a threat element defined in the new threat intelligence;
in response to detecting the threat element in the network event buffer during the current time block, issuing an alert to respond to the newly-identified security threat on the network; and
in response to receiving a negative query result for the threat element from the network event buffer, querying the compressed log file for a value representative of the threat element;
in response to detecting the threat element in the compressed log file, querying the network accounting log for the threat element; and
in response to detecting the threat element in the network accounting log, issuing an alert to respond to the newly-identified security threat on the network.
(Dependent claims: 13, 14, 15, 16)
17. A method for detecting a cyber attack comprising:
recording representations of network events occurring on a network over a period of time to a network accounting log;
compressing the network accounting log into: a first compressed log file representing network events occurring within a first segment of the period of time; and a second compressed log file representing network events occurring within a second segment of the period of time, the second segment distinct from, temporally preceding, and of duration greater than the first segment of the period of time;
in response to receipt of a new threat intelligence representing a newly-identified security threat identified after the period of time, querying the first compressed log file for a value representative of a threat element defined in the new threat intelligence;
in response to omission of the threat element from the first compressed log file, querying the second compressed log file for the threat element;
in response to detecting the threat element in one of the first compressed log file and the second compressed log file, querying the network accounting log for the threat element; and
in response to detecting the threat element in the network accounting log, issuing an alert to respond to the newly-identified security threat on the network.
18. A method for detecting a cyber attack comprising:
recording, to a network accounting log, representations of network events occurring on a network over a period of time of a first duration, extending up to a current time block, and excluding the current time block;
writing metadata values of network events in the accounting log to a compressed log file;
recording representations of a new set of network events occurring during the current time block to a network event buffer, the current time block of a second duration less than the first duration;
accessing a database of past threat intelligence representing a set of known security threats;
in response to receipt of a new threat intelligence representing a newly-identified security threat identified during the current time block, querying the network event buffer for metadata values of threat elements defined in the new threat intelligence and in the database of past threat intelligence;
in response to detecting metadata values of the threat element in the network event buffer during the current time block, issuing an alert to respond to the newly-identified security threat on the network;
in response to receipt of a new threat intelligence representing a newly-identified security threat identified after the period of time, querying the compressed log file for a set of metadata values of a threat element defined in the new threat intelligence;
in response to receiving a negative query result for the threat element from the network event buffer, querying the compressed log file for metadata values representative of the threat element;
in response to detecting the set of metadata values of the threat element in the compressed log file, querying the network accounting log for a set of threat elements defined in the new threat intelligence; and
in response to detecting the set of threat elements in the network accounting log, issuing an alert to respond to the newly-identified security threat on the network.
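The two-stage lookup that claims 1 and 6 describe, as an added illustration that is not part of the patent or its assignee's code: the accounting log is compressed into one Bloom filter per metadata type (IP, domain, hostname), new threat intelligence is first checked against the filters, and only a positive result triggers the full-log query that confirms the hit and discards Bloom false positives. The log events, indicator values and the `check_threat` interface are constructed for this example.

```python
import hashlib

class BloomFilter:
    """Minimal Bloom filter: no false negatives, tunable false-positive rate."""
    def __init__(self, m_bits=8192, k=4):
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)

    def _positions(self, value):
        for i in range(self.k):  # k independent hashes via salted SHA-256
            h = hashlib.sha256(f"{i}:{value}".encode()).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, value):
        for p in self._positions(value):
            self.bits[p >> 3] |= 1 << (p & 7)

    def might_contain(self, value):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(value))

FIELDS = ("ip", "domain", "hostname")  # one probabilistic structure per type (claim 6)

# Constructed sample accounting log; values are documentation placeholders, not indicators.
ACCOUNTING_LOG = [
    {"ts": 1, "ip": "203.0.113.10", "domain": "updates.example.net", "hostname": "ws-01"},
    {"ts": 2, "ip": "198.51.100.7", "domain": "cdn.example.org", "hostname": "ws-02"},
    {"ts": 3, "ip": "203.0.113.10", "domain": "mail.example.com", "hostname": "ws-03"},
]

def compress_log(log):
    """Compressed log file: one Bloom filter per metadata type, built from every event."""
    filters = {f: BloomFilter() for f in FIELDS}
    for event in log:
        for f in FIELDS:
            filters[f].add(event[f])
    return filters

def check_threat(filters, log, intel):
    """intel maps field -> indicator value. Returns None when the compressed log rules
    the indicators out; otherwise 'alert' is True only if the full log confirms."""
    indicators = {f: v for f, v in intel.items() if f in FIELDS}
    # Stage 1: cheap query of the probabilistic structures (may say yes, never wrongly no).
    if not any(filters[f].might_contain(v) for f, v in indicators.items()):
        return None
    # Stage 2: confirm against the full accounting log; drops Bloom false positives.
    hits = [e for e in log if any(e[f] == v for f, v in indicators.items())]
    return {"alert": bool(hits), "events": hits}

if __name__ == "__main__":
    print(check_threat(compress_log(ACCOUNTING_LOG), ACCOUNTING_LOG, {"ip": "203.0.113.10"}))
```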
Specification