Cyber security

US 10,516,693 B2
Filed: 02/09/2017
Issued: 12/24/2019
Est. Priority Date: 02/25/2016
Status: Active Grant

First Claim

Patent Images

1. A method for a system to detect a cyber threat and in response to an attack to control abnormal behavior of at least one entity of a computer system, the method arranged to be performed by a processing system, the method comprising:

creating a model of normal behavior of a group of entities that includes the at least one entity; and

configuring the system to apply restrictions to the at least one entity of the group of entities based on the model of normal behavior, wherein the step of applying restrictions to the at least one entity is carried out when a parameter is detected that exceeds a threshold value away from the modeled normal behavior of the at least one entity;

wherein the group of entities is generated by grouping a plurality of entities of the computer system based on data associated with the plurality of entities of the computer system; and

wherein the grouping of the plurality of entities of the computer system to generate the group of entities is performed by spectral partitioning.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein is a method for use in detection of abnormal behavior of a group of a plurality of entities of a computer system. The method is arranged to be performed by a processing system and includes: creating a model of normal behavior of the group of entities; and determining, in accordance with the model of normal behavior of the group of entities, a parameter indicative of abnormal behavior of the group of entities. Also disclosed is an equivalent computer readable medium and anomalous behavior detection system.

42 Citations

View as Search Results

13 Claims

1. A method for a system to detect a cyber threat and in response to an attack to control abnormal behavior of at least one entity of a computer system, the method arranged to be performed by a processing system, the method comprising:
- creating a model of normal behavior of a group of entities that includes the at least one entity; and
  
  configuring the system to apply restrictions to the at least one entity of the group of entities based on the model of normal behavior, wherein the step of applying restrictions to the at least one entity is carried out when a parameter is detected that exceeds a threshold value away from the modeled normal behavior of the at least one entity;
  
  wherein the group of entities is generated by grouping a plurality of entities of the computer system based on data associated with the plurality of entities of the computer system; and
  
  wherein the grouping of the plurality of entities of the computer system to generate the group of entities is performed by spectral partitioning.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the model of normal behavior of the at least one entity is based on metrics representative of data associated with the entity of the computer system.
  - 3. The method of claim 1, further comprising:
    - determining, in accordance with the model of normal behavior of the at least one entity, the parameter indicative of abnormal behavior of the entity; and
      
      whereinthe step of applying restrictions to the at least one entity is carried out when the parameter is detected to exceed the threshold value.
  - 4. The method of claim 3, wherein the restrictions comprise at least one of blocking access to an internet address, removing permission to a network resource, restrict the at least one entity to normal behavior consistent with the model of normal behavior of the at least one entity, or removing permission to a local resource.
  - 5. The method of claim 3, wherein the restrictions are applied by a control system.
  - 6. The method of claim 5, wherein the control system is a firewall, next generation firewall, router, switch, intrusion prevention system or Microsoft Active Directory authentication system.
  - 7. The method of claim 3, wherein the parameter is a probability.
  - 8. The method of claim 1, wherein the model of normal behavior of the at least one entity is a Bayesian model.
  - 9. The method of claim 1, wherein each entity of the computer system is one of a device, a user, an activity.
  - 10. The method of claim 1, wherein the grouping of the plurality of entities of the computer system to generate the group of entities is based on prior knowledge of the plurality of entities of the computer system.
  - 11. A computer readable medium comprising non-transitory computer readable code, that when in use, instructs a computer to perform the method of claim 1.
  - 12. An anomalous behavior detection system comprising a processor, and a memory comprising non-transitory computer readable code, that when in use, instructs a computer to perform the method of claim 1.

13. A system to detect a cyber threat and in response to an attack to control abnormal behavior of at least one entity of a computer system,a model of normal behavior of a group of entities that includes the at least one entity;
- anda restriction module configured to cooperate with the model of normal behavior, where the restriction module is configured to apply restrictions to the at least one entity of the group of entities based on the model of normal behavior, wherein the restriction module is configured to apply restrictions to the at least one entity when a parameter is detected that exceeds a threshold value away from the modeled normal behavior of the at least one entity;
  
  wherein the group of entities is generated by grouping a plurality of entities of the computer system based on data associated with the plurality of entities of the computer system;
  
  wherein the grouping of the plurality of entities of the computer system to generate the group of entities is performed by spectral partitioning; and
  
  wherein any instructions of the restriction module and the model are stored in one or more non-transitory computer readable mediums and are configured to be executed by one or more processors in the system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Darktrace Holdings Limited
Original Assignee
Darktrace Limited
Inventors
Stockdale, Jack, Dunn, Matt
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Kaplan, Benjamin A

Application Number

US15/429,062
Publication Number

US 20170251012A1
Time in Patent Office

1,048 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06N 20/00   Machine learning

G06N 7/01   Probabilistic graphical mod...

H04L 63/02   for separating internal fro...

H04L 63/10   for controlling access to d...

H04L 63/104   Grouping of entities

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04W 12/12   Detection or prevention of ...

Cyber security

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

42 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Cyber security

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links