Cyber security using a model of normal behavior for a group of entities

US 10,419,466 B2
Filed: 02/06/2017
Issued: 09/17/2019
Est. Priority Date: 02/09/2016
Status: Active Grant

First Claim

Patent Images

1. A method for use in detection of abnormal behavior, the method arranged to be performed by a processing system for a cyber security system, the method comprising:

creating a model of normal behavior of a group of entities from a plurality of entities of a computer system, wherein the model of normal behavior of the group of entities is based on a Bayesian model that uses at least conditional probability terms, wherein within the Bayesian model, groups, G, are dependent on time, T;

devices, Y, are dependent on groups, G, and time, T;

activities, A, are dependent on devices, D, groups, G, and time, T; and

network traffic data N is dependent on activities, A, devices, D, groups, G, and time, T; and

determining, in accordance with the model of normal behavior of the group of entities, a parameter indicative of abnormal behavior of the group of entities, where the method for the detection of abnormal behavior of the group of entities for the computer system uses at least the determined parameter indicative of abnormal behavior of the group of entities to detect abnormal behavior.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein is a method for use in detection of abnormal behavior of a group of a plurality of entities of a computer system. The method is arranged to be performed by a processing system and comprises: creating a model of normal behavior of the group of entities; and determining, in accordance with the model of normal behavior of the group of entities, a parameter indicative of abnormal behavior of the group of entities. Also disclosed is an equivalent computer readable medium and anomalous behavior detection system.

48 Citations

View as Search Results

16 Claims

1. A method for use in detection of abnormal behavior, the method arranged to be performed by a processing system for a cyber security system, the method comprising:
- creating a model of normal behavior of a group of entities from a plurality of entities of a computer system, wherein the model of normal behavior of the group of entities is based on a Bayesian model that uses at least conditional probability terms, wherein within the Bayesian model, groups, G, are dependent on time, T;
  
  devices, Y, are dependent on groups, G, and time, T;
  
  activities, A, are dependent on devices, D, groups, G, and time, T; and
  
  network traffic data N is dependent on activities, A, devices, D, groups, G, and time, T; and
  
  determining, in accordance with the model of normal behavior of the group of entities, a parameter indicative of abnormal behavior of the group of entities, where the method for the detection of abnormal behavior of the group of entities for the computer system uses at least the determined parameter indicative of abnormal behavior of the group of entities to detect abnormal behavior.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the group of entities is formed by grouping the plurality of entities of the computer system.
  - 3. The method of claim 2, wherein the grouping of the plurality of entities of the computer system to generate the group of entities is based on data associated with the plurality of entities of the computer system.
  - 4. The method of claim 2, wherein the grouping of the plurality of entities of the computer system to generate the group of entities is performed by spectral partitioning.
  - 5. The method of claim 2, wherein the grouping of the plurality of entities of the computer system to generate the group of entities is based on prior knowledge of the plurality of entities of the computer system.
  - 6. The method of claim 1, wherein the model of normal behavior of the group of entities is based on metrics representative of data associated with the plurality of entities of the computer system.
  - 7. The method of claim 1, wherein the Bayesian model comprises the group of entities and one or more elements including a time characteristic associated with the group of entities and/or one or more entities of the group of entities, a device associated with a first entity of the group, an activity associated with a second entity of the group and network traffic data associated with a third entity of the group of entities.
  - 8. The method of claim 1, wherein the Bayesian model uses at least one or more of the conditional probability terms:
    - P(G/T);
      
      P(Y/G,T);
      
      P(A/Y,G,T); and
      
      P(N/A,Y,G,T).
  - 9. The method of claim 8, wherein the conditional probability terms are updated with an interpolation term with an interpolation weight w, wherein:
    - P(U/T)→
      
      wP(U/T)+(1−
      
      w)P(G/T)
      P(D/U,T)→
      
      wP(D/U,T)+(1−
      
      w)P(Y/G,T)
      P(A/D,U,T)→
      
      wP(A/D,U,T)+(1−
      
      w)P(A/Y,G,T)
      P(N/A,D,U,T)→
      
      wP(N/A,D,U,T)+(1−
      
      w)P(N/A,Y,G,T).
  - 10. The method of claim 1, wherein the conditional probability terms are updated with an interpolation term with an interpolation weight w.
  - 11. The method of claim 10, wherein the interpolation weight w is determined based on an amount of data available for modeling a particular user.
  - 12. The method of claim 1, wherein the parameter is a probability.
  - 13. The method of claim 1, further comprising determining, in accordance with the parameter indicative of abnormal behavior of the group of the computer system, a new parameter indicative of a cyber-threat.
  - 14. The method of claim 1, wherein the plurality of entities of the computer system comprises one of a device, a user or an activity.
  - 15. A computer readable non-transitory medium comprising computer readable code that when in use, instructs a computer in the computer system to perform the method of claim 1.
  - 16. An anomalous behavior detection system comprising a processor, and a non-transitory memory comprising computer readable code, that when in use, instructs the processing system to perform the method of claim 1.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Darktrace Holdings Limited
Original Assignee
Darktrace Limited
Inventors
Ferguson, Matt, Kadirkamanathan, Maha
Primary Examiner(s)
Simitoski, Michael

Application Number

US15/425,903
Publication Number

US 20170230391A1
Time in Patent Office

953 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06N 5/022   Knowledge engineering; Know...

G06N 7/01   Probabilistic graphical mod...

H04L 63/104   Grouping of entities

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

Cyber security using a model of normal behavior for a group of entities

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

48 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Cyber security using a model of normal behavior for a group of entities

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links