Non-rule based security risk detection
Abstract
A non-rule based security detection system and method are described. The method identifies a plurality of data sources and generates a baseline for each data source, the baseline consisting of a plurality of data source outputs evaluated over a time period. A plurality of data source anomalies are detected, each anomaly being associated with at least one data source output that exceeds a threshold for that data source's baseline. A geolocation is then identified for each data source anomaly. A plurality of correlations between the data source anomalies and the geolocation of each anomaly are generated, and at least one correlation is associated with a security event.
21 Claims
1. A non-rule based security detection method comprising:
communicatively coupling a sub-system to at least one computing device of a plurality of computing devices, wherein the sub-system includes a processor, memory, and security detection module, wherein each computing device of the plurality of servers is associated with at least one data source of a plurality of data sources;
identifying, by the security detection module, the plurality of data sources;
generating, by the security detection module, a baseline for each data source, wherein the baseline includes a plurality of data source outputs that are evaluated over a time period;
detecting, by the security detection module, a plurality of data source anomalies, in which each data source anomaly is associated with at least one data source output exceeding a threshold for the data source baseline;
identifying, by the security detection module, a geolocation for each data source anomaly;
generating, by the security detection module, a plurality of correlations with the plurality of data source anomalies and the geolocation for each data source anomaly; and
associating, by the security detection module, at least one correlation with a security event.
Dependent claims 2, 3, 4, 5, 6 and 7 are not reproduced here.
8. A non-rule based security detection system comprising:
a sub-system including a processor, a memory, and a security detection module, wherein the sub-system is communicatively coupled to at least one computing device of a plurality of computing devices, wherein the memory includes a database, wherein each computing device of the plurality of computing devices is associated with at least one data source of a plurality of data sources;
the database receives data from the plurality of data sources;
the security detection module generates a baseline for each data source, wherein the baseline includes a plurality of data source outputs that are evaluated over a time period;
the security detection module detects a plurality of data source anomalies, in which each data source anomaly is associated with at least one data source output exceeding a threshold for the data source baseline;
the security detection module identifying a geolocation for each data source anomaly;
the security detection module generating a plurality of correlations with the plurality of data source anomalies and the geolocation for each data source anomaly; and
the security detection module associating at least one correlation with a security event.
Dependent claims 9, 10, 11, 12, 13 and 14 are not reproduced here.
15. A non-rule based security detection system comprising:
a sub-system including a processor, a memory, a timeline module, a geolocation module, and a correlation module, wherein the sub-system is communicatively coupled to at least one computing device of a plurality of computing devices, wherein the memory includes a database, wherein each computing device of the plurality of computing devices is associated with at least one data source of a plurality of data sources;
the database receives data from the plurality of data sources;
the timeline module generates a baseline for each data source, wherein the baseline includes a plurality of data source outputs that are evaluated over a time period;
the timeline module configured to detect a plurality of data source anomalies, in which each data source anomaly is associated with at least one data source output exceeding a threshold for the data source baseline;
the geolocation module configured to identify a geolocation for each data source anomaly;
the correlation module configured to generate a plurality of correlations with the plurality of data source anomalies and the geolocation for each data source anomaly; and
the correlation module associating at least one correlation with a security event.
Dependent claims 16, 17, 18, 19, 20 and 21 are not reproduced here.
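The abstract and the three independent claims describe the same pipeline: a per-source baseline built over a time window, an anomaly whenever an output exceeds a threshold derived from that baseline, a geolocation attached to each anomaly, correlation of anomalies by geolocation, and promotion of a correlation to a security event. The Python below is an added worked example of that pipeline, written for this page; it is not code from the patent or its assignee. Everything in it is an assumption the patent does not fix: the telemetry counts, the remote addresses, the GEO_TABLE standing in for a GeoIP database, the threshold of mean plus three standard deviations of the baseline window, and the rule that a correlation spanning at least two independent data sources counts as a security event.

```python
# Added example: baseline-and-threshold anomaly detection with geolocation
# correlation. All data below is constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample: one count per 5-minute interval for each data source.
# Intervals 0-11 form the baseline window; interval 12 is the one evaluated.
SAMPLE_OUTPUTS = {
    "vpn-gw-1/auth_failures": [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 4, 41],
    "web-01/http_401": [10, 12, 9, 11, 13, 10, 12, 11, 9, 10, 12, 11, 88],
    "db-02/query_count": [500, 520, 480, 510, 495, 505, 515, 490, 500, 510, 505, 500, 512],
    "mail-03/smtp_rejects": [1, 0, 2, 1, 0, 1, 2, 1, 0, 1, 1, 0, 17],
}
# Constructed: the most frequent remote address each source saw in interval 12,
# and a hypothetical lookup table standing in for a real GeoIP database.
TOP_SOURCE_IP = {
    "vpn-gw-1/auth_failures": "203.0.113.7",
    "web-01/http_401": "203.0.113.7",
    "db-02/query_count": "10.0.0.5",
    "mail-03/smtp_rejects": "198.51.100.22",
}
GEO_TABLE = {"203.0.113.7": "Riga, LV", "198.51.100.22": "Sao Paulo, BR"}


@dataclass(frozen=True)
class Baseline:
    mean: float
    stdev: float

    def threshold(self, k: float = 3.0, min_stdev: float = 1.0) -> float:
        # The threshold comes from the source's own history, not a written rule.
        # The stdev floor stops a near-constant history (stdev close to 0) from
        # flagging every small change as an anomaly.
        return self.mean + k * max(self.stdev, min_stdev)


@dataclass(frozen=True)
class Anomaly:
    source: str
    interval: int
    value: float
    threshold: float
    geolocation: str


@dataclass(frozen=True)
class Correlation:
    interval: int
    geolocation: str
    sources: tuple


def build_baselines(outputs, window):
    """One baseline per data source from its first `window` outputs."""
    return {s: Baseline(mean(v[:window]), pstdev(v[:window])) for s, v in outputs.items()}


def geolocate(ip, geo_table=GEO_TABLE):
    """Hypothetical GeoIP lookup; private addresses have no public location."""
    return geo_table.get(ip, "unknown")


def detect_anomalies(outputs, baselines, interval, top_ip, k=3.0):
    """Flag each source whose output at `interval` exceeds its baseline threshold."""
    found = []
    for src, values in outputs.items():
        thr = baselines[src].threshold(k)
        if values[interval] > thr:
            found.append(Anomaly(src, interval, values[interval], thr, geolocate(top_ip[src])))
    return found


def correlate(anomalies):
    """Group anomalies that share an interval and a geolocation."""
    groups = defaultdict(list)
    for a in anomalies:
        if a.geolocation != "unknown":  # nothing to correlate on without a location
            groups[(a.interval, a.geolocation)].append(a.source)
    return [Correlation(i, g, tuple(sorted(s))) for (i, g), s in sorted(groups.items())]


def security_events(correlations, min_sources=2):
    """A correlation spanning several independent data sources becomes a security event."""
    return [c for c in correlations if len(c.sources) >= min_sources]


def run_pipeline(outputs=SAMPLE_OUTPUTS, top_ip=TOP_SOURCE_IP, window=12, k=3.0):
    interval = window  # evaluate the first interval after the baseline window
    anomalies = detect_anomalies(outputs, build_baselines(outputs, window), interval, top_ip, k)
    correlations = correlate(anomalies)
    return {"anomalies": anomalies, "correlations": correlations,
            "events": security_events(correlations)}


if __name__ == "__main__":
    result = run_pipeline()
    for a in result["anomalies"]:
        print(f"anomaly {a.source}: {a.value} > {a.threshold:.1f} from {a.geolocation}")
    for e in result["events"]:
        print(f"security event: {e.geolocation}, interval {e.interval}, sources {e.sources}")
```

On the constructed data, three sources trip their thresholds (the VPN gateway, the web server and the mail relay) while the database stays inside its band, and only the VPN and web anomalies share a geolocation, so one security event is raised. Two points matter when building this for real: the baseline window must exclude intervals already flagged as anomalous, otherwise an attacker who ramps up slowly trains the threshold upward; and the geolocation has to be that of the address attributed to the anomaly, not of the monitored device, or every anomaly on one site correlates trivially.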