SYSTEM AND METHOD TO DETECT THREATS TO COMPUTER BASED DEVICES AND SYSTEMS

US 20150033341A1
Filed: 07/24/2014
Published: 01/29/2015
Est. Priority Date: 07/24/2013
Status: Active Grant

First Claim

Patent Images

1. A method for detecting a threat of a computing system, the method comprising:

receiving a plurality of instances of input data from at least one sensor;

generating at least one feature vector based upon at least one instance of the plurality of instances of input data;

sending the at least one feature vector to a model training component, wherein the model training component includes a plurality of threat assessment models;

determining a threat assessment score for the at least one feature vector, wherein determining the threat assessment score comprises combining information associated with the plurality of instances of input data using the plurality of threat assessment models;

assigning a threat assignment to the at least one instance of input data based on the determined threat assessment score; and

disseminating the threat assignment and the threat assessment score.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Aspects of the present disclosure relate to systems and methods for detecting a threat of a computing system. In one aspect, a plurality of instances of input data may be received from at least one sensor. A feature vector based upon at least one instance of the plurality of instances of input data may be generated. The feature vector may be sent to a classifier component, where a threat assessment score is determined for the feature vector. The threat assessment score may be determined by combining information associated with the plurality of instances of input data. A threat assignment may be assigned to the at least one instance of data based on the determined threat assessment score. The threat assignment and threat assessment score may be disseminated.

164 Citations

20 Claims

1. A method for detecting a threat of a computing system, the method comprising:
- receiving a plurality of instances of input data from at least one sensor;
  
  generating at least one feature vector based upon at least one instance of the plurality of instances of input data;
  
  sending the at least one feature vector to a model training component, wherein the model training component includes a plurality of threat assessment models;
  
  determining a threat assessment score for the at least one feature vector, wherein determining the threat assessment score comprises combining information associated with the plurality of instances of input data using the plurality of threat assessment models;
  
  assigning a threat assignment to the at least one instance of input data based on the determined threat assessment score; and
  
  disseminating the threat assignment and the threat assessment score.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 11, 12, 13, 14, 17)
- - 2. The method of claim 1, wherein the threat assignment is assigned to the at least one instance of input data by determining whether the threat assessment score is above a first predetermined threshold or below a second predetermined threshold value.
  - 3. The method of claim 2, wherein a positive threat assignment is assigned to the at least one instance of input data when the threat assessment score is above the first predetermined threshold, and wherein a negative threat assignment is assigned to the at least one instance of input data when the threat assessment score is below the second predetermined threshold.
  - 4. The method of claim 2, further comprising sending the threat assessment score to a threat assignment component.
  - 5. The method of claim 4, wherein when the threat assessment score is between the first predetermined threshold and the second predetermined threshold, the method further comprises:
    - reviewing at least the at least one generated feature vector and the threat assessment score; and
      
      assigning a threat assignment to the at least one instance based on the review.
  - 6. The method of claim 5, further comprising:
    - sending the assigned threat assignment and the at least one generated feature vector to the model training component.
  - 7. The method of claim 6, further comprising retraining the plurality of threat assessment models in response to sending the threat assignment and the at least one generated feature vector to the model training component.
  - 8. The method of claim 1, wherein the threat assignment and the threat assessment score are sent to at least one of an endpoint device, a server, a published white-list, and a published black-list.
  - 11. The computer storage medium of claim 1, the method further comprising sending the threat assessment score to a threat assignment component.
  - 12. The computer storage medium of claim 11, wherein when the threat assessment score is between the first predetermined threshold and the second predetermined threshold, the method further comprises:
    - reviewing at least one of the at least one generated feature vector, the input data, third party data, and the threat assessment score; and
      
      assigning a threat assignment to the at least one instance based on the review.
  - 13. The computer storage medium of claim 12, the method further comprising:
    - sending the assigned threat assignment and the at least one generated feature vector to the model training component.
  - 14. The computer storage medium of claim 13, the method further comprising retraining the plurality of threat assessment models in response to sending the threat assignment and the at least one generated feature vector to the model training component.
  - 17. The computer storage medium of claim 12, wherein the at least one generated feature vector and the threat assessment score are reviewed by a third party source.

9. A computer storage medium encoding computer executable instructions that, when executed by at least one processor, perform a method for detecting a threat of a computing system, the method comprising:
- receiving a plurality of instances of input data from at least one sensor;
  
  generating at least one feature vector based upon at least one instance of the plurality of instances of input data;
  
  sending the at least one feature vector to a model training component, wherein the model training component includes a plurality of threat assessment models;
  
  determining a threat assessment score for the at least one feature vector, wherein determining the threat assessment score comprises combining information associated with the plurality of instances of input data using the plurality of threat assessment models;
  
  when the threat assessment score is above a first predetermined threshold value or below a second predetermined threshold value, automatically assigning a threat assignment to the at least one instance based on the determined threat assessment score; and
  
  disseminating the threat assignment and the threat assessment score.
- View Dependent Claims (10, 15, 16)
- - 10. The computer storage medium of claim 9, wherein a positive threat assignment is assigned to the at least one instance of input data when the threat assessment score is above the first predetermined threshold, and wherein a negative threat assignment is assigned to the at least one instance of input data when the threat assessment score is below the second predetermined threshold.
  - 15. The computer storage medium of claim 9, wherein determining the threat assessment score for the at least one generated feature vector further comprises:
    - calculating a probability that the at least one instance is a threat.
  - 16. The computer storage medium of claim 9, wherein the threat assignment and the threat assessment score are sent to at least one of an endpoint device, a server, a published white-list, and a published black-list.

18. A system comprising:
- at least one processor; and
  
  memory encoding computer executable instructions that, when executed by the at least one processor, perform a method for detecting a threat of a computing system, the method comprising;
  
  receiving a plurality of instances of input data from at least one sensor;
  
  generating at least one feature vector based upon at least one instance of the plurality of instances of input data;
  
  determining whether the at least one instance of input data has a threat assignment;
  
  when the at least one instance of input data has a threat assignment, sending the threat assignment and the at least one generated feature vector to a threat assignment dissemination component;
  
  when the at least one instance of input data does not have a threat assignment;
  
  sending the at least one generated feature vector to a model training component, wherein the model training component includes a plurality of threat assessment models;
  
  determining a threat assessment score for the at least one feature vector,wherein determining the threat assessment score comprises combininginformation associated with the plurality of instances of input data using the plurality of threat assessment models;
  
  automatically assigning a threat assignment to the at least one instance of input data based on the determined threat assessment score; and
  
  disseminating the threat assignment and the threat assessment score.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, wherein when the threat assessment score is between the first predetermined threshold and the second predetermined threshold, the method further comprises:
    - reviewing at least one of the at least one generated feature vector, the input data, third party data, and the threat assessment score;
      
      assigning a threat assignment to the at least one instance based on the review; and
      
      sending the assigned threat assignment and the at least one generated feature vector to the model training component to retrain the plurality of threat assessment models.
  - 20. The system of claim 18, wherein the threat assignment is automatically assigned to the at least one instance of input data by determining whether the threat assessment score is above a first predetermined threshold or below a second predetermined threshold value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Inc. (Open Text Corporation)
Inventors
Schmidtler, Mauritius A.R., Dalal, Gaurav, Kovalev, Timur

Granted Patent

US 10,284,570 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/554   involving event detection a...

G06N 20/00   Machine learning

G06N 20/10   using kernel methods, e.g. ...

H04L 63/14   for detecting or protecting...

H04L 63/1425   Traffic logging, e.g. anoma...

SYSTEM AND METHOD TO DETECT THREATS TO COMPUTER BASED DEVICES AND SYSTEMS

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

164 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD TO DETECT THREATS TO COMPUTER BASED DEVICES AND SYSTEMS

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

164 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links