Method for predicting and characterizing cyber attacks
First Claim
1. A method for predicting and characterizing cyber attacks comprising:
- executing by a computer processor:
- receiving a first signal specifying a first behavior of a first asset on a network at a first time;
- compiling the first signal and a first set of signals into a first data structure, each signal in the first set of signals specifying a behavior of the first asset on the network within a first time window of a preset duration up to the first time;
- calculating a first degree of deviation of the first data structure from a corpus of data structures, each data structure in the corpus of data structures representing a previous set of behaviors of an asset, in a set of assets, on the network within a time window of the preset duration;
- in response to the first degree of deviation exceeding a deviation threshold score, issuing a first alert to investigate the first asset;
- in response to the deviation threshold score exceeding the first degree of deviation:
- calculating a first malicious score proportional to proximity of the first data structure to a first malicious data structure defining a first set of behaviors representative of a first network security threat;
- calculating a first benign score proportional to proximity of the first data structure to a benign data structure representing an innocuous set of behaviors;
- in response to the first malicious score exceeding the first benign score, issuing a second alert to investigate the network for the first network security threat; and
- in response to the first benign score exceeding the first malicious score, disregarding the first data structure.
Abstract
One variation of a method for predicting and characterizing cyber attacks includes: receiving, from a sensor implementing deep packet inspection to detect anomalous behaviors on the network, a first signal specifying a first anomalous behavior of a first asset on the network at a first time; representing the first signal in a first vector representing frequencies of anomalous behaviors—in a set of behavior types—of the first asset within a first time window; calculating a first malicious score representing proximity of the first vector to malicious vectors defining sets of behaviors representative of security threats; calculating a first benign score representing proximity of the first vector to a benign vector representing an innocuous set of behaviors; and in response to the first malicious score exceeding the first benign score and a malicious threshold score, issuing a first alert to investigate the network for a security threat.
18 Claims
15. A method for predicting and characterizing cyber attacks comprising:
- executing a computer processor:
- receiving a first signal specifying a first behavior of a first asset on a network at a first time;
- compiling the first signal and a first set of signals into a first data structure, each signal in the first set of signals specifying a behavior of the first asset on the network within a first time window of a preset duration up to the first time;
- calculating a first degree of deviation of the first data structure from a corpus of data structures, each data structure in the corpus of data structures representing a previous set of behaviors of an asset, in a set of assets, on the network within a time window of the preset duration;
- in response to the first degree of deviation exceeding a deviation threshold score, issuing a first alert to investigate the first asset;
- in response to the deviation threshold score exceeding the first degree of deviation:
- accessing a set of malicious data structures defining sets of signals representative of network security threats;
- in response to the first data structure matching a first malicious data structure, in the set of malicious data structures, defining signals representative of a first network security threat, issuing a first alert to investigate the network for the first network security threat;
- in response to lack of a match between the first data structure and a malicious data structure in the set of malicious data structures, calculating a malicious score proportional to proximity of the first data structure to a cluster of malicious data structures defining sets of behaviors representative of a second network security threat;
- calculating a benign score proportional to proximity of the first data structure to a cluster of benign data structures representing innocuous sets of behaviors;
- in response to the benign score exceeding the malicious score, disregarding the first data structure;
- in response to the first malicious score falling within a threshold difference of the first benign score, issuing a prompt to investigate the first asset; and
- in response to the malicious score exceeding a malicious threshold score and exceeding the benign score, issuing a second alert to investigate the network for the second network security threat.
17. A method for predicting and characterizing cyber attacks comprising:
- executing by a computer processor:
- receiving a first signal from a sensor implementing deep packet inspection to detect anomalous behaviors of assets on the network, the first signal specifying a first anomalous behavior of a first asset on the network at a first time;
- compiling the first signal and a first set of signals into a first vector representing frequencies of anomalous behaviors, in a predefined set of behavior types, of the first asset on the network within a first time window of a preset duration up to the first time;
- calculating a first degree of deviation of the first vector from a corpus of historical vectors, each vector in the corpus of vectors representing a previous set of behaviors of an asset on the network within a time window of the preset duration; and
- in response to the first degree of deviation exceeding a deviation threshold score, issuing a first alert to investigate the first asset; and
- in response to the deviation threshold score exceeding the first degree of deviation, calculating a first malicious score based on proximity of the first vector to a set of malicious vectors defining sets of behaviors representative of network security threats;
- calculating a first benign score proportional to proximity of the first vector to a set of benign vectors representing innocuous sets of behaviors;
- in response to the first malicious score exceeding the first benign score and a malicious threshold score, issuing a second alert to investigate the network for a network security threat;
- in response to the first benign score and the malicious threshold score exceeding the first malicious score, disregarding the first vector; and
- in response to the first malicious score differing from the first benign score, by less than a threshold difference, issuing a prompt to investigate the first asset.