SYSTEM AND METHOD THEREOF FOR CREATING PROGRAMMABLE SECURITY DECISION ENGINES IN A CYBER-SECURITY SYSTEM

US 20160021135A1
Filed: 05/19/2015
Published: 01/21/2016
Est. Priority Date: 07/18/2014
Status: Active Grant

First Claim

Patent Images

1. A method for generating a software decision engine (SDE) operable in a cyber-security system, comprising:

determining, based on at least one input feature, at least one normalization function, wherein the at least one input feature defines an attribute of a data flow to be evaluated by the SDE;

receiving at least one engine rule describing an anomaly to be evaluated; and

creating an inference system including at least one inference unit, wherein each inference unit is determined based on one of the received at least one engine rule, wherein the inference system computes a score of anomaly (SoA) respective of the at least one input feature.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for adaptively securing a protected entity against cyber-threats. The method comprises: determining, based on at least one input feature, at least one normalization function, wherein the at least one input feature defines an attribute of a data flow to be evaluated by the SDE; receiving at least one engine rule describing an anomaly to be evaluated; and creating an inference system including at least one inference unit, wherein each inference unit is determined based on one of the received at least one engine rule, wherein the inference system computes a score of anomaly (SoA) respective of the at least one input feature.

43 Citations

View as Search Results

22 Claims

1. A method for generating a software decision engine (SDE) operable in a cyber-security system, comprising:
- determining, based on at least one input feature, at least one normalization function, wherein the at least one input feature defines an attribute of a data flow to be evaluated by the SDE;
  
  receiving at least one engine rule describing an anomaly to be evaluated; and
  
  creating an inference system including at least one inference unit, wherein each inference unit is determined based on one of the received at least one engine rule, wherein the inference system computes a score of anomaly (SoA) respective of the at least one input feature.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 19)
- - 2. The method of claim 1, further comprising:
    - determining at least one of;
      
      a synchronization function to synchronize between values of the at least one input feature, and a feature function to be applied on the values of the at least one input feature.
  - 3. The method of claim 2, further comprising:
    - applying the at least one normalization function to one of the at least one input feature to yield behavioral levels, wherein the score of anomaly is further computed based on the behavioral levels.
  - 4. The method of claim 3, wherein each of the at least one normalization function is defined using at least a plurality of edge values and at least one normalization function parameter, wherein the plurality of edge values determine a degree of membership of the received input feature'"'"'s value to a certain behavioral level, wherein further the normalization function parameter sets the characteristics of the selected normalization function.
  - 5. The method of claim 1, wherein each of the received at least one engine rule includes at least a logical operator and a value operator applied on the input feature.
  - 6. The method of claim 5, wherein receiving the at least one engine rule further comprises:
    - determining the at least one engine rule based on the received input feature and the at least one normalization function.
  - 7. The method of claim 1, wherein each inference unit outputs a degree of fulfillment index based on the at least one input feature.
  - 8. The method of claim 1, wherein the score of anomaly is computed by any one of:
    - aggregating the degree of fulfillment indexes, selecting a maximum or minimum degree of fulfillment based on logical operators of the at least one engine rule, and using a centroid method.
  - 9. The method of claim 1, wherein the at least one normalization function is determined based on at least one normalization parameter instruction.
  - 10. The method of claim 9, wherein each of the at least one input feature is associated with a finite set of normalization functions.
  - 11. The method of claim 10, wherein each determined normalization function is a default normalization function for one of the at least one input feature.
  - 12. A non-transitory computer readable medium having stored thereon instructions for causing one or more processing units to execute the method according to claim 1.
  - 19. The system of claim 11, wherein the system is further configured to:
    - determine the at least one engine rule based on the at least one input feature and the at least one normalization function.

13. A system for generating a software decision engine (SDE) operable in a cyber-security system, comprising:
- a processing unit; and
  
  a memory, the memory containing instructions that, when executed by the processing unit, configure the system to;
  
  determine, based on at least one input feature, at least one normalization function, wherein the at least one input feature defines an attribute of a data flow to be evaluated by the SDE;
  
  receive at least one engine rule describing an anomaly to be evaluated; and
  
  create an inference system including at least one inference unit, wherein each inference unit is determined based on one of the received at least one engine rule, wherein the inference system computes a score of anomaly (SoA) respective of the at least one input feature.
- View Dependent Claims (14, 15, 16, 17, 18, 20, 21, 22)
- - 14. The system of claim 13, wherein the memory is further configured to contain a plurality of normalization functions.
  - 15. The system of claim 13, wherein the system is further configured to:
    - determine at least one of;
      
      a synchronization function to synchronized between values of the least one at least one input feature, and a feature function to be applied on the values of the at least one input feature.
  - 16. The system of claim 13, wherein the system is further configured to:
    - apply the at least one normalization function to one of the at least one input feature to yield behavioral levels, wherein the score of anomaly is further computed based on the behavioral levels.
  - 17. The system of claim 16, wherein each of the at least one normalization function is defined using at least a plurality of edge values and at least one normalization function parameter, wherein the plurality of edge values determine a degree of membership of the received input feature'"'"'s value to a certain behavioral level, wherein further the normalization function parameter sets the characteristics of the selected normalization function.
  - 18. The system of claim 13, wherein each of the received at least one engine rule includes at least a logical operator and a value operator applied on the input feature.
  - 20. The system of claim 13, wherein each inference unit outputs a degree of fulfillment index based on the at least one input feature.
  - 21. The system of claim 13, wherein the score of anomaly is computed by any one of:
    - aggregating the degree of fulfillment indexes, selecting a maximum degree of fulfillment, and using a centroid method.
  - 22. The system of claim 13, wherein each of the at least one input feature is associated with a finite set of normalization, wherein each determined normalization function is a default normalization function for one of the at least one input feature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cybereason, Inc.
Original Assignee
empow Cyber Security Ltd.
Inventors
Chesla, Avi, MEDALION, Shlomi

Granted Patent

US 9,967,279 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

H04L 63/02   for separating internal fro...

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/1483   service impersonation, e.g....

H04L 63/20   for managing network securi...

SYSTEM AND METHOD THEREOF FOR CREATING PROGRAMMABLE SECURITY DECISION ENGINES IN A CYBER-SECURITY SYSTEM

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

43 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

SYSTEM AND METHOD THEREOF FOR CREATING PROGRAMMABLE SECURITY DECISION ENGINES IN A CYBER-SECURITY SYSTEM

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others