Cyber security using a model of normal behavior for a group of entities
First Claim
1. A method for use in detection of abnormal behavior, the method arranged to be performed by a processing system for a cyber security system, the method comprising:
- creating a model of normal behavior of a group of entities from a plurality of entities of a computer system, wherein the model of normal behavior of the group of entities is based on a Bayesian model that uses at least conditional probability terms, wherein within the Bayesian model,
  - groups, G, are dependent on time, T;
  - devices, Y, are dependent on groups, G, and time, T;
  - activities, A, are dependent on devices, D, groups, G, and time, T; and
  - network traffic data N is dependent on activities, A, devices, D, groups, G, and time, T; and
- determining, in accordance with the model of normal behavior of the group of entities, a parameter indicative of abnormal behavior of the group of entities, where the method for the detection of abnormal behavior of the group of entities for the computer system uses at least the determined parameter indicative of abnormal behavior of the group of entities to detect abnormal behavior.
4 Assignments
0 Petitions
Abstract
Disclosed herein is a method for use in detection of abnormal behavior of a group of a plurality of entities of a computer system. The method is arranged to be performed by a processing system and comprises: creating a model of normal behavior of the group of entities; and determining, in accordance with the model of normal behavior of the group of entities, a parameter indicative of abnormal behavior of the group of entities. Also disclosed is an equivalent computer readable medium and anomalous behavior detection system.
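Added illustration, not code from the patent or its assignee: the dependency structure recited in claim 1 implies the factorization P(G|T) · P(D|G,T) · P(A|D,G,T) · P(N|A,D,G,T), which the Python below estimates from counts and turns into a per-group score. The count-based estimates, the Laplace smoothing, the use of mean negative log-likelihood as the "parameter indicative of abnormal behavior", and every sample record are assumptions made for this example.

```python
import math
from collections import Counter

ALPHA = 1.0  # Laplace smoothing constant (assumption, not from the claim)

# Constructed baseline records: (time T, group G, device D, activity A, traffic N).
TRAIN = ([("day", "finance", "pc-1", "email", "smtp")] * 40
         + [("day", "finance", "pc-2", "web", "https")] * 40
         + [("day", "eng", "dev-1", "build", "ssh")] * 40
         + [("night", "eng", "dev-1", "build", "ssh")] * 10)
# Constructed observation windows to score against the baseline.
NORMAL_WINDOW = [("day", "finance", "pc-1", "email", "smtp"),
                 ("day", "finance", "pc-2", "web", "https")]
ODD_WINDOW = [("night", "finance", "pc-1", "build", "ssh"),
              ("night", "finance", "pc-2", "build", "ssh")]

def fit(observations):
    """Count every prefix (T), (T,G), (T,G,D), (T,G,D,A), (T,G,D,A,N)."""
    prefixes = Counter()
    values = [set() for _ in range(5)]
    for obs in observations:
        for i in range(1, 6):
            prefixes[obs[:i]] += 1
            values[i - 1].add(obs[i - 1])
    # +1 per variable reserves probability mass for values never seen in training.
    return prefixes, [len(v) + 1 for v in values]

def surprise(model, obs):
    """-log[P(G|T) P(D|G,T) P(A|D,G,T) P(N|A,D,G,T)] for one record."""
    prefixes, sizes = model
    total = 0.0
    for i in range(2, 6):  # one smoothed conditional term per dependent variable
        child = prefixes[obs[:i]] + ALPHA
        parent = prefixes[obs[:i - 1]] + ALPHA * sizes[i - 1]
        total -= math.log(child / parent)
    return total

def group_score(model, window, group):
    """Mean surprise over a group's records: higher means further from normal."""
    rows = [o for o in window if o[1] == group]
    return sum(surprise(model, o) for o in rows) / len(rows) if rows else 0.0

if __name__ == "__main__":
    model = fit(TRAIN)
    print("normal:", round(group_score(model, NORMAL_WINDOW, "finance"), 3))
    print("odd:   ", round(group_score(model, ODD_WINDOW, "finance"), 3))
```

Scoring the group as a whole means two finance machines that each drift slightly (night-time build traffic here) raise one group-level score instead of two weak per-device signals.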
48 Citations
16 Claims