Anomaly alert system for cyber threat detection

US 10,701,093 B2
Filed: 02/06/2017
Issued: 06/30/2020
Est. Priority Date: 02/09/2016
Status: Active Grant

First Claim

Patent Images

1. A method for an anomalous behavior detection system having a mathematical model of what is considered to be normal behavior for a device in a computer system that is used in a detection of anomalous behavior of the device of the computer system, the method arranged to be performed by a processing system, the method comprising:

deriving values, m₁, . . . , m_N, of a metric, M, representative of data associated with the device;

modelling a distribution of the values of the metric;

determining, in accordance with the distribution of the values of the metric, a probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability and the distribution of the values of the metric are used by the mathematical model of what is considered to be normal behavior for that device to determine whether the device is behaving anomalously;

determining, in accordance with the probability of observing the more extreme value, and a probabilistic model of the device, a posterior probability of the given value, m, being a result of anomalous behavior of the device, wherein the posterior probability is used to determine whether the device is behaving anomalously;

determining posterior probabilities for a plurality of given values, m_i, of a plurality of metrics, M_i, wherein the metrics, M_i, are representative of data associated with the device, where levels of anomalousness of values of the plurality of metrics for the device are combined to produce a measure of an overall posterior probability of the device being in an anomalous state; and

in accordance with the posterior probabilities for the given values, m_i, determining an overall posterior probability of the device being in the anomalous state, wherein the overall posterior probability is used to determine whether the device is behaving anomalously;

wherein a combined posterior probability that the device is in an anomalous state, P^d(A), is given by

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein is a method for use in detection of anomalous behavior of a device of a computer system. The method is arranged to be performed by a processing system. The method includes deriving values, m₁, . . . , m_N, of a metric, M, representative of data associated with the device; modeling a distribution of the values; and determining, in accordance with the distribution of the values, the probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability is used to determine whether the device is behaving anomalously. Also disclosed is an equivalent computer readable medium and anomalous behavior detection system.

32 Citations

View as Search Results

20 Claims

1. A method for an anomalous behavior detection system having a mathematical model of what is considered to be normal behavior for a device in a computer system that is used in a detection of anomalous behavior of the device of the computer system, the method arranged to be performed by a processing system, the method comprising:
- deriving values, m₁, . . . , m_N, of a metric, M, representative of data associated with the device;
  
  modelling a distribution of the values of the metric;
  
  determining, in accordance with the distribution of the values of the metric, a probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability and the distribution of the values of the metric are used by the mathematical model of what is considered to be normal behavior for that device to determine whether the device is behaving anomalously;
  
  determining, in accordance with the probability of observing the more extreme value, and a probabilistic model of the device, a posterior probability of the given value, m, being a result of anomalous behavior of the device, wherein the posterior probability is used to determine whether the device is behaving anomalously;
  
  determining posterior probabilities for a plurality of given values, m_i, of a plurality of metrics, M_i, wherein the metrics, M_i, are representative of data associated with the device, where levels of anomalousness of values of the plurality of metrics for the device are combined to produce a measure of an overall posterior probability of the device being in an anomalous state; and
  
  in accordance with the posterior probabilities for the given values, m_i, determining an overall posterior probability of the device being in the anomalous state, wherein the overall posterior probability is used to determine whether the device is behaving anomalously;
  
  wherein a combined posterior probability that the device is in an anomalous state, P^d(A), is given by
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprising:
    - maintaining one or more mathematical models to build and maintain dynamic, ever-changing models of the normal behavior of each device monitored by the anomalous behavior detection system, based on the comparison of the metrics associated with a corresponding device, where two or more devices are monitored by the anomalous behavior detection system.
  - 3. The method of claim 2, wherein the suitable quantile point is a median.
  - 4. The method of claim 1, wherein the probabilistic model is a Bayesian model.
  - 5. The method of claim 4, wherein a logarithm of a Bayes factor,
  - 6. The method of claim 5, wherein the measure of anomalousness of the device is determined relative to a reference measure of anomalousness.
  - 7. The method of claim 6, wherein the measure of anomalousness of the device is attenuated above a given level.
  - 8. The method of claim 1, wherein the distribution of the values of the metric is modeled using extreme value theory.
  - 9. The method of claim 1, wherein the distribution of the values of the metric is modeled as a generalized Pareto, Gumbel or Fré
    - chet distribution.
  - 10. The method of claim 1, wherein the probability of observing a more extreme value is modeled using a peaks over thresholds method.
  - 11. The method of claim 1, further comprising:
    - utilizing an anomaly alert system that generates a notification when the device is behaving anomalously, where the anomaly alert system is configured to rank an importance of different alerts being generated.
  - 12. The method of claim 1, wherein the detection of anomalous behavior is performed using a subset, M₁, . . . , M_n′
    - , of the metrics, M₁, . . . , M_n, where n′
      
      ≤
      
      n.
  - 13. The method of claim 12, wherein the subset, M₁, . . . , M_n′
    - , of the metrics, M₁, . . . , M_n, where n′
      
      ≤
      
      n, is chosen by removing values for which P(M_i>
      
      m_i) exceeds a threshold probability, where P(M_i>
      
      m_i) is the probability of M_i>
      
      m_i.
  - 14. The method of claim 12, wherein the subset, M₁, . . . , M_n′
    - , of the metrics, M₁, . . . , M_n, where n′
      
      ≤
      
      n, is chosen by removing values for which P(M_i<
      
      m_i) exceeds a threshold probability, where P(M_i<
      
      m_i) is the probability of M_i<
      
      m_i.

15. A method for an anomalous behavior detection system having a mathematical model of what is considered to be normal behavior for a device in a computer system that is used in a detection of anomalous behavior of the device of the computer system, the method arranged to be performed by a processing system, the method comprising:
- deriving values, m₁, . . . , m_N, of a metric, M, representative of data associated with the device;
  
  modelling a distribution of the values of the metric;
  
  determining, in accordance with the distribution of the values of the metric, a probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability and the distribution of the values of the metric are used by the mathematical model of what is considered to be normal behavior for that device to determine whether the device is behaving anomalously, anddetermining, in accordance with the probability of observing the more extreme value, and the mathematical model of the device, a posterior probability of the given value, m, being the result of anomalous behavior of the device, wherein the posterior probability is used to determine whether the device is behaving anomalously, wherein the posterior probability that the given value m of the metric M is the result of anomalous behavior of the device, P^M(A), is given by;
- View Dependent Claims (16)
- - 16. The method of claim 15, further comprising calculating transformed variables, z₁, . . . , z_n, wherein the transformed variables are such that:
    - z₁, . . . , z_n=Φ
      
      ^−
      
      1(P(M₁<
      
      m₁)), . . . , Φ
      
      ^−
      
      1(P(M_n<
      
      m_n))wherein Φ
      
      denotes a cumulative distribution function of a standard normal distribution and P(M, <
      
      m_i) is a probability of observing a smaller value than the given value, m_i.

17. A method for an anomalous behavior detection system having a mathematical model of what is considered to be normal behavior for a device in a computer system that is used in a detection of anomalous behavior of the device of the computer system, the method arranged to be performed by a processing system, the method comprising:
- deriving values, m₁, . . . , m_N, of a metric, M, representative of data associated with the device;
  
  modelling a distribution of the values of the metric;
  
  determining, in accordance with the distribution of the values of the metric, a probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability and the distribution of the values of the metric are used by the mathematical model of what is considered to be normal behavior for that device to determine whether the device is behaving anomalously, anddetermining, in accordance with the probability of observing the more extreme value, and the mathematical model of the device, a posterior probability of the given value, m, being the result of anomalous behavior of the device, wherein the posterior probability is used to determine whether the device is behaving anomalously, wherein the posterior probability that the given value m of the metric M is the result of anomalous behavior of the device, P^M(A), is given by;

18. A method for an anomalous behavior detection system having a mathematical model of what is considered to be normal behavior for a device in a computer system that is used in a detection of anomalous behavior of the device of the computer system, the method arranged to be performed by a processing system, the method comprising:
- deriving values, m₁, . . . , m_N, of a metric, M, representative of data associated with the device;
  
  modelling a distribution of the values of the metric;
  
  determining, in accordance with the distribution of the values of the metric, a probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability and the distribution of the values of the metric are used by the mathematical model of what is considered to be normal behavior for that device to determine whether the device is behaving anomalously;
  
  determining, in accordance with the probability of observing the more extreme value, and a probabilistic model of the device, a posterior probability of the given value, m, being a result of anomalous behavior of the device, wherein the posterior probability is used to determine whether the device is behaving anomalously;
  
  determining posterior probabilities for a plurality of given values, m_i, of a plurality of metrics, M_i, wherein the metrics, M_i, are representative of data associated with the device, where levels of anomalousness of values of the plurality of metrics for the device are combined to produce a measure of an overall posterior probability of the device being in an anomalous state;
  
  in accordance with the posterior probabilities for the given values, m_i, determining an overall posterior probability of the device being in the anomalous state, wherein the overall posterior probability is used to determine whether the device is behaving anomalously;
  
  wherein the metrics, M_i, are assumed to be statistically dependent, the statistical dependencies modeled using copulas; and
  
  calculating transformed variables, z₁, . . . , z_n, wherein the transformed variables are such that
  z₁, . . . ,z_n=Φ
  
  ^−
  
  1(P(M₁>
  
  m₁)), . . . ,Φ
  
  ^−
  
  1(P(M_n>
  
  m_n)).wherein Φ
  
  denotes a cumulative distribution function of the standard normal distribution and P(M_i>
  
  m_i) is the probability of observing a greater value than the given value, m_i;
  
  wherein a combined posterior probability that the device is in an anomalous state, P^d(A), is given by;
- View Dependent Claims (19)
- - 19. The method of claim 18, wherein the permutation of indexes i, {1, . . . , n}, maximizes the value of P^d(A).

20. An anomalous behavior detection system, comprising a processor, an anomalous behavior detection system having a mathematical model of what is considered to be normal behavior for a first device in a computer system that is used in a detection of anomalous behavior of the first device of a computer system, and a non-transitory memory comprising computer readable code operable, which when executed by the processer that is configured to instruct a computing device toderive values, m_1, . . . , m_N, of a metric, M, representative of data associated with the first device;
- model a distribution of the values of the metric;
  
  determine, in accordance with the distribution of the values of the metric, a probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability and the distribution of the values of the metric are used by the mathematical model of what is considered to be normal behavior for the first device to determine whether the first device is behaving anomalously;
  
  maintain one or more mathematical models to build and maintain dynamic, ever-changing models of a normal behavior of each device monitored by the anomalous behavior detection system, based on a comparison of metrics associated with a corresponding device, where two or more devices, including the first device, are monitored by the anomalous behavior detection system, where the anomalous behavior detection system is configured to use the one or more mathematical models to determine whether each corresponding device is behaving anomalously;
  
  utilize an anomaly alert system that generates a notification when the first device is behaving anomalously, where the anomaly alert system is configured to rank an importance of different alerts being generated;
  
  determine, in accordance with the probability of observing the more extreme value, and a probabilistic model of the device, a posterior probability of the given value, m, being a result of anomalous behavior of the first device, wherein the posterior probability is used to determine whether the first device is behaving anomalously;
  
  determine posterior probabilities for a plurality of given values, m_i, of a plurality of metrics, M_i, wherein the metrics, M_i, are representative of data associated with the first device, where levels of anomalousness of values of the plurality of metrics for the first device are combined to produce a measure of an overall posterior probability of the first device being in an anomalous state;
  
  in accordance with the posterior probabilities for the given values, m_i, determine an overall posterior probability of the first device being in the anomalous state, wherein the overall posterior probability is used to determine whether the first device is behaving anomalously; and
  
  wherein a combined posterior probability that the first device is in an anomalous state, P^d(A), is given by;

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Darktrace Holdings Limited
Original Assignee
Darktrace Limited
Inventors
Dean, Tom, Stockdale, Jack
Primary Examiner(s)
Pyzocha, Michael

Application Number

US15/425,906
Publication Number

US 20170230392A1
Time in Patent Office

1,240 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Anomaly alert system for cyber threat detection

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

32 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Anomaly alert system for cyber threat detection

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links