METHOD AND APPARATUS FOR COMPUTER INTRUSION DETECTION

US 20140215618A1
Filed: 03/14/2013
Published: 07/31/2014
Est. Priority Date: 01/25/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method performed by a computerized device, comprising:

receiving a description of a computerized system, the description comprising at least two entities, at least one attribute for each of the at least two entities and at least one statistical rule related to relationship between the at least two entities;

receiving data related to activity of the computerized system, the data comprising at least two events;

grouping the at least two events into at least two groups associated with the at least two entities; and

comparing the at least two groups in accordance with the at least one statistical rule, to identify a group not complying with the at least one statistical rule.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for intrusion detection, the method comprising: receiving a description of a computerized system, the description comprising two or more entities, one or more attribute for each entity and one or more statistical rule related to relationship between the entities; receiving data related to activity of the computerized system, the data comprising two or more events; grouping the events into two or more groups associated with the entities; comparing the groups in accordance with the statistical rule, to identify a group not complying with any of the statistical rules.

Citations

18 Claims

1. A computer-implemented method performed by a computerized device, comprising:
- receiving a description of a computerized system, the description comprising at least two entities, at least one attribute for each of the at least two entities and at least one statistical rule related to relationship between the at least two entities;
  
  receiving data related to activity of the computerized system, the data comprising at least two events;
  
  grouping the at least two events into at least two groups associated with the at least two entities; and
  
  comparing the at least two groups in accordance with the at least one statistical rule, to identify a group not complying with the at least one statistical rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented method of claim 1, further comprising generating an alert related to the group not complying with the at least one statistical rule.
  - 3. The computer-implemented method of claim 2, further comprising issuing the alert to a person in charge.
  - 4. The computer-implemented method of claim 2, further comprising updating the description of the computerized system based on a reaction of an operator to the alert.
  - 5. The computer-implemented method of claim 1, further comprising reconstructing the group not complying with the at least one statistical rule.
  - 6. The computer-implemented method of claim 1 further comprising, aggregating each of the at least two groups to obtain at least two objects, and wherein comparing the at least two groups comprises comparing the at least two objects.
  - 7. The computer-implemented method of claim 6, wherein aggregating any of the least two groups comprises an option selected from the group consisting of:
    - counting items;
      
      averaging items;
      
      dividing an object sum by accumulated time; and
      
      dividing an object sum by time range.
  - 8. The computer-implemented method of claim 1, further comprising a learning component for learning the data and updating the description of the computerized system based on the data.
  - 9. The computer-implemented method of claim 1, further comprising:
    - receiving definition of the at least two entities;
      
      receiving at least one attribute for each of the at least two entities;
      
      receiving at least one relationship between the at least two entities; and
      
      receiving at least one statistical rule related to the relationship.
  - 10. The computer-implemented method of claim 1, wherein each of the at least two entities is selected from the group consisting of:
    - a computer;
      
      an application;
      
      a process;
      
      a module;
      
      a user;
      
      an organizational unit; and
      
      a web site.

11. An apparatus having a processing unit and a storage device, the apparatus comprising:
- a system receiving component for receiving a description of a computerized system, the description comprising at least two entities, at least one attribute for each of the at least two entities and at least one statistical rule related to relationship between the at least two entities;
  
  a data receiving component for data related to activity of the computerized system, the data comprising at least two events;
  
  a data division component for grouping the at least two events into at least two groups associated with the at least two entities;
  
  an aggregation component for aggregating each of the least two groups to obtain at least two objects; and
  
  a group analysis component for comparing the at least two objects in accordance with the at least one statistical rule, to identify a group not complying with the at least one statistical rule.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The apparatus of claim 11, further comprising an alert generation component for generating an alert related to the group not complying with the at least one statistical rule.
  - 13. The apparatus of claim 11, further comprising a reconstruction component for reconstructing the group not complying with the at least one statistical rule.
  - 14. The apparatus of claim 11, further comprising a learning component for learning the data and updating the description of the computerized system based on the data.
  - 15. The apparatus of claim 14, further comprising an alert generation component for generating an alert related to the group not complying with the at least one statistical rule, and wherein the description is updated based on a reaction of an operator to the alert.
  - 16. The apparatus of claim 11, further comprising a system description module for:
    - receiving definition of the at least two entities;
      
      receiving at least one attribute for each of the at least two entities;
      
      receiving at least one relationship between the at least two entities; and
      
      receiving at least one statistical rule related to the relationship.
  - 17. The apparatus of claim 11, wherein each of the at least two entities is selected from the group consisting of:
    - a computer;
      
      an application;
      
      a process;
      
      a module;
      
      a user;
      
      an organizational unit; and
      
      a web site.

18. A computer program product comprising:
- a non-transitory computer readable medium;
  
  a first program instruction for receiving a description of a computerized system, the description comprising at least two entities, at least one attribute for each of the at least two entities and at least one statistical rule related to relationship between the at least two entities;
  
  a second program instruction for receiving data related to activity of the computerized system, the data comprising at least two events;
  
  a third program instruction for grouping the at least two events into at least two groups associated with the at least two entities; and
  
  a fourth program instruction for comparing the at least two groups in accordance with the at least one statistical rule, to identify a group not complying with the at least one statistical rule,wherein said first, second, third and fourth program instructions are stored on said non-transitory computer readable medium.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cybereason, Inc.
Original Assignee
Cybereason, Inc.
Inventors
Striem Amit, Yonatan

Granted Patent

US 9,679,131 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

H04L 63/1425   Traffic logging, e.g. anoma...

METHOD AND APPARATUS FOR COMPUTER INTRUSION DETECTION

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR COMPUTER INTRUSION DETECTION

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links