Cyber security event detection

US 10,397,259 B2
Filed: 03/23/2017
Issued: 08/27/2019
Est. Priority Date: 03/23/2017
Status: Active Grant

First Claim

Patent Images

1. A system for detecting cyber security events comprising:

a memory device; and

a hardware processor to;

generate a first set of a plurality of time series and aggregate statistics based on a plurality of properties corresponding to user actions for each user in a set of users;

separate the set of users into a plurality of clusters based on the first set of the plurality of time series or the aggregate statistics for each user;

assign an identifier to each of the plurality of clusters;

generate a second set of a plurality of time series based on properties of the plurality of clusters, wherein the properties of a cluster correspond to a membership, a diameter, and a centroid, the centroid to be calculated for each of the plurality of clusters based on the first set of plurality of time series and the aggregate statistics for each user of each cluster;

detect an anomaly based on a new value stored in the second set of plurality of time series; and

execute a prevention instruction in response to detecting the anomaly.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for detecting cyber security events can include a processor to generate a first set of a plurality of time series and aggregate statistics based on a plurality of properties corresponding to user actions for each user in a set of users. The processor can also separate the set of users into a plurality of clusters based on the first set of the plurality of time series or aggregate statistics for each user and assign an identifier to each of the plurality of clusters. Additionally, the processor can generate a second set of a plurality of time series based on properties of the plurality of clusters, wherein the properties of a cluster correspond to a membership, a diameter, and a centroid and detect an anomaly based on a new value stored in the second set of the time series. Furthermore, the processor can execute a prevention instruction.

Citations

17 Claims

1. A system for detecting cyber security events comprising:
- a memory device; and
  
  a hardware processor to;
  
  generate a first set of a plurality of time series and aggregate statistics based on a plurality of properties corresponding to user actions for each user in a set of users;
  
  separate the set of users into a plurality of clusters based on the first set of the plurality of time series or the aggregate statistics for each user;
  
  assign an identifier to each of the plurality of clusters;
  
  generate a second set of a plurality of time series based on properties of the plurality of clusters, wherein the properties of a cluster correspond to a membership, a diameter, and a centroid, the centroid to be calculated for each of the plurality of clusters based on the first set of plurality of time series and the aggregate statistics for each user of each cluster;
  
  detect an anomaly based on a new value stored in the second set of plurality of time series; and
  
  execute a prevention instruction in response to detecting the anomaly.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the second time series and the first time series correspond to a same time range.
  - 3. The system of claim 1, wherein the hardware processor is to generate an anomalous score indicating the anomaly.
  - 4. The system of claim 1, wherein the hardware processor is to detect a seasonal change in the second set of time series and normalize the second set of time series based on the seasonal change.
  - 5. The system of claim 1, wherein the hardware processor is to detect at least two clusters from two different clustering runs that share a common percentage of users and associate the at least two clusters together to generate a single times series for each of the at least two clusters.
  - 6. The system of claim 1, wherein the hardware processor is to monitor a transition of users from a first cluster to a second cluster and detect the anomaly in response to a user transitioning between a first cluster and a third cluster.
  - 7. The system of claim 6, wherein the first cluster, the second cluster, and the third cluster correspond to administrative rights for a database, wherein the first cluster indicates basic user access, the second cluster indicates expanded user access, and the third cluster indicates administrator access.
  - 8. The system of claim 1, wherein the hardware processor is to detect the anomaly based on a statistical analysis of a time series, wherein a difference between a most recent value in the time series and an average of older values exceeds a predetermined standard deviation threshold.
  - 9. The system of claim 1, wherein the hardware processor is to:
    - generate a third set of a plurality of time series for each user, wherein each value of the third set of the plurality of time series corresponds to a cluster identity for the user at a particular time; and
      
      detect the anomaly based on a new value stored in the third set of time series.

10. A method for detecting cyber security events comprising:
- generating, via a hardware processor, a first set of a plurality of time series and aggregate statistics based on a plurality of properties corresponding to user actions for each user in a set of users;
  
  separating, via the hardware processor, the set of users into a plurality of clusters based on the first set of the plurality of time series for each user;
  
  assigning, via the hardware processor, an identifier to each of the plurality of clusters;
  
  generating, via the hardware processor, a second set of a plurality of time series based on properties of the plurality of clusters, wherein the properties of a cluster correspond to a membership, a diameter, and a centroid, the centroid to be calculated for each of the plurality of clusters based on the first set of plurality of time series and the aggregate statistics for each user of each cluster;
  
  detecting, via the hardware processor, an anomaly based on a new value stored in the second time series; and
  
  executing, via the hardware processor, a prevention instruction in response to detecting the anomaly.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10, comprising detecting, via the hardware processor, a seasonal change in the second time series and normalizing the second time series based on the seasonal change.
  - 12. The method of claim 10, comprising detecting, via the hardware processor, at least two clusters from two different clustering runs that share a common percentage of users and associating the at least two clusters together to generate a single times series for each of the at least two clusters.
  - 13. The method of claim 10, comprising monitoring, via the hardware processor, a transition of users from a first cluster to a second cluster and detecting the anomaly in response to a user transitioning between the first cluster and a third cluster.
  - 14. The method of claim 13 wherein the first cluster, the second cluster, and the third cluster correspond to administrative rights for a database, wherein the first cluster indicates basic user access, the second cluster indicates expanded user access, and the third cluster indicates administrator access.

15. A computer program product for detecting cyber security events, the computer program product comprising a computer readable storage medium having program instructions embodied therewith, wherein the computer readable storage medium is not a transitory signal per se, the program instructions executable by a processor to cause the processor to:
- generate a first set of a plurality of time series and aggregate statistics based on a plurality of properties corresponding to user actions for each user in a set of users;
  
  separate the set of users into a plurality of clusters based on the first set of the plurality of time series or the aggregate statistics for each user;
  
  assign an identifier to each of the plurality of clusters;
  
  generate a second set of a plurality of time series based on properties of the plurality of clusters, wherein the properties of a cluster correspond to a membership, a diameter, and a centroid, the centroid to be calculated for each of the plurality of clusters based on the first set of plurality of time series and the aggregate statistics for each user of each cluster;
  
  detect an anomaly based on a new value stored in the second time series; and
  
  execute a prevention instruction in response to detecting the anomaly.
- View Dependent Claims (16, 17)
- - 16. The computer program product of claim 15, wherein the program instructions cause the processor to detect a seasonal change in the second time series and normalize the second time series based on the seasonal change.
  - 17. The computer program product of claim 15, wherein the program instructions cause the processor to monitor a transition of users from a first cluster to a second cluster and detect the anomaly in response to a user transitioning between the first cluster and a third cluster.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Adir, Allon, Aharoni, Ehud, Greenberg, Lev, Miroshnikov, Rosa, Rozenberg, Boris, Sofer, Oded
Primary Examiner(s)
Jamshidi, Ghodrat

Application Number

US15/466,892
Publication Number

US 20180278634A1
Time in Patent Office

887 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Cyber security event detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Cyber security event detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links