Systems and methods for log and snort synchronized threat detection
First Claim
1. A method for automated threat detection in a computer network, the method comprising:
- temporally correlating time segments parsed from a log stream and tagged time segments from an intrusion detection system stream to identify correlated time segments, the correlating performed by a server computer configured for monitoring network traffic to and from the computer network;
- extracting features from a correlated time segment identified from the correlating, the extracting performed by the server computer and comprising determining tuples associated with the correlated time segment, each tuple containing a message type, a location, and an out of vocabulary word in the correlated time segment;
- generating a multidimensional feature vector for the correlated time segment, the multidimensional feature vector containing a select number of the tuples; and
- providing the multidimensional feature vector for the correlated time segment as input to a machine learning module, the machine learning module implementing a machine learning model and operable to determine, based on the machine learning model, whether the correlated time segment indicates a true incident.
Abstract
This disclosure provides a new automated threat detection method using synchronized log and Snort streams. Time segments from a log stream are correlated by time with time segments from a Snort stream that have been identified as indicating “true” incidents. To determine whether a correlated time segment is “good” or “bad,” features are extracted from the correlated time segment and used to determine tuples associated therewith, each tuple containing a message type, a location, and an out of vocabulary word in the correlated time segment. A multidimensional feature vector containing a select number of the tuples is generated and provided as input to a machine learning module which determines, based on machine intelligence, whether the correlated time segment indicates a true incident.
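The pipeline the abstract describes, as an added example that is not the patent's own code: a log stream is cut into fixed-width time segments, Snort "fast" alerts tagged as true incidents select the segments to keep, each kept segment yields (message type, location, out-of-vocabulary word) tuples, and the most frequent tuples are hashed into a fixed-width feature vector ready for a classifier. The classifier itself is out of scope here. All log lines, alert lines, hosts, addresses and rule SIDs are constructed; the 60-second window, the baseline vocabulary, the analyst-tagged SID set, the "select number" of tuples and the hashing vectorisation are assumptions, not details taken from the patent.

```python
"""Added example (not from the patent): log/IDS temporal correlation and
(message type, location, OOV word) tuple feature extraction. Every input
below is constructed; window length, vocabulary, tagging source, TOP_K and
VEC_DIM are assumptions made for this illustration."""
import re
import hashlib
from collections import Counter
from datetime import datetime

WINDOW_S = 60          # assumed time-segment length in seconds
SNORT_YEAR = 2024      # Snort "fast" alerts carry no year; assumed here
TOP_K = 4              # "select number" of tuples kept per segment (assumed)
VEC_DIM = 16           # fixed feature-vector width (assumed)
EPOCH = datetime(1970, 1, 1)

# Constructed syslog-style log stream (documentation IP ranges).
LOG_LINES = [
    "2024-03-01T10:00:05 web01 sshd[1201]: Accepted publickey for deploy from 198.51.100.4 port 50022 ssh2",
    "2024-03-01T10:01:12 web01 sshd[1202]: Failed password for root from 203.0.113.7 port 4422 ssh2",
    "2024-03-01T10:01:15 web01 sshd[1203]: Failed password for admin from 203.0.113.7 port 4423 ssh2",
    "2024-03-01T10:01:20 web01 sshd[1204]: Invalid user oracle from 203.0.113.7 port 4424",
    "2024-03-01T10:03:02 db01 cron[300]: (root) CMD (/usr/bin/backup.sh)",
]

# Constructed Snort "fast" alert stream (local SID range, not real rules).
SNORT_LINES = [
    "03/01-10:01:18.250000  [**] [1:1000001:1] LOCAL SSH brute-force attempt [**] [Priority: 2] {TCP} 203.0.113.7:4423 -> 10.0.0.5:22",
    "03/01-10:03:05.000000  [**] [1:1000002:1] LOCAL informational heartbeat [**] [Priority: 3] {UDP} 10.0.0.9:514 -> 10.0.0.5:514",
]

# Alerts an analyst has confirmed as true incidents (assumed tagging source).
TRUE_INCIDENT_SIDS = {1000001}

# Baseline vocabulary learned from "normal" log traffic; constructed here.
VOCAB = {"accepted", "publickey", "for", "deploy", "from", "port", "ssh2", "root", "cmd"}

LOG_RE = re.compile(r"^(\S+) (\S+) ([a-zA-Z_]+)\[\d+\]: (.*)$")
SNORT_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.\d+\s+\[\*\*\] \[\d+:(\d+):\d+\] (.*?) \[\*\*\]")


def parse_log(line):
    """Syslog-style line -> {ts, host (location), proc (message type), msg}."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m.group(1)), "host": m.group(2),
            "proc": m.group(3), "msg": m.group(4)}


def parse_snort(line):
    """Snort fast-format alert -> {ts, sid, msg}; year is assumed (SNORT_YEAR)."""
    m = SNORT_RE.match(line)
    if not m:
        return None
    mo, d, h, mi, s, sid, msg = m.groups()
    return {"ts": datetime(SNORT_YEAR, int(mo), int(d), int(h), int(mi), int(s)),
            "sid": int(sid), "msg": msg}


def window_of(ts):
    """Map a timestamp to the start (seconds since EPOCH) of its fixed-width segment."""
    secs = int((ts - EPOCH).total_seconds())
    return secs - secs % WINDOW_S


def segment_log(lines):
    """Parse the log stream into time segments keyed by window start."""
    segments = {}
    for entry in filter(None, map(parse_log, lines)):
        segments.setdefault(window_of(entry["ts"]), []).append(entry)
    return segments


def tagged_snort_windows(lines, true_sids):
    """Windows containing IDS alerts tagged as true incidents."""
    return {window_of(a["ts"]) for a in map(parse_snort, lines)
            if a and a["sid"] in true_sids}


def correlate(log_segments, ids_windows):
    """Temporal correlation: log segments that share a window with a tagged alert."""
    return {w: log_segments[w] for w in ids_windows if w in log_segments}


def extract_tuples(entries, vocab=VOCAB):
    """Count (message type, location, OOV word) tuples over a segment's entries."""
    tuples = Counter()
    for e in entries:
        for tok in re.findall(r"[a-zA-Z][a-zA-Z0-9]*", e["msg"].lower()):
            if tok not in vocab:
                tuples[(e["proc"], e["host"], tok)] += 1
    return tuples


def feature_vector(tuples, top_k=TOP_K, dim=VEC_DIM):
    """Keep the top_k most frequent tuples and hash them into a fixed-width count vector."""
    vec = [0] * dim
    for (proc, host, word), n in tuples.most_common(top_k):
        h = hashlib.sha256(f"{proc}|{host}|{word}".encode()).digest()
        vec[int.from_bytes(h[:4], "big") % dim] += n
    return vec


def run(log_lines=LOG_LINES, snort_lines=SNORT_LINES, true_sids=TRUE_INCIDENT_SIDS):
    """Full pipeline: {window_start: feature_vector} for every correlated segment."""
    correlated = correlate(segment_log(log_lines), tagged_snort_windows(snort_lines, true_sids))
    return {w: feature_vector(extract_tuples(entries)) for w, entries in correlated.items()}


if __name__ == "__main__":
    for w, v in run().items():
        print(w, v)
```

With the constructed inputs only the 10:01 window survives correlation (the heartbeat alert is not tagged, so the 10:03 cron segment is dropped), and its tuples are dominated by the out-of-vocabulary tokens "failed" and "password" on host web01 from sshd, which is exactly the signal a downstream model would be trained to separate from benign segments. Hashing the tuples is the assumption that keeps the vector width fixed regardless of how many distinct tuples a segment produces; two tuples can collide in one dimension, which is why the test below checks the total count rather than individual cells.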
21 Claims
1. A method for automated threat detection in a computer network (independent claim, set out in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system for automated threat detection in a computer network, the system comprising:
- a processor;
- a non-transitory computer-readable medium; and
- stored instructions translatable by the processor for: temporally correlating time segments parsed from a log stream and tagged time segments from an intrusion detection system stream to identify correlated time segments; extracting features from a correlated time segment identified from the correlating, the extracting comprising determining tuples associated with the correlated time segment, each tuple containing a message type, a location, and an out of vocabulary word in the correlated time segment; generating a multidimensional feature vector for the correlated time segment, the multidimensional feature vector containing a select number of the tuples; and providing the multidimensional feature vector for the correlated time segment as input to a machine learning module, the machine learning module implementing a machine learning model and operable to determine, based on the machine learning model, whether the correlated time segment indicates a true incident.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A computer program product for automated threat detection in a computer network, the computer program product comprising a non-transitory computer-readable medium storing instructions translatable by a processor for:
- temporally correlating time segments parsed from a log stream and tagged time segments from an intrusion detection system stream to identify correlated time segments;
- extracting features from a correlated time segment identified from the correlating, the extracting comprising determining tuples associated with the correlated time segment, each tuple containing a message type, a location, and an out of vocabulary word in the correlated time segment;
- generating a multidimensional feature vector for the correlated time segment, the multidimensional feature vector containing a select number of the tuples; and
- providing the multidimensional feature vector for the correlated time segment as input to a machine learning module, the machine learning module implementing a machine learning model and operable to determine, based on the machine learning model, whether the correlated time segment indicates a true incident.
Dependent claims: 16, 17, 18, 19, 20, 21.