METHOD AND DEVICE FOR MANAGING SECURITY IN A COMPUTER NETWORK

US 20160330219A1
Filed: 05/04/2016
Published: 11/10/2016
Est. Priority Date: 05/04/2015
Status: Abandoned Application

First Claim

Patent Images

1. A computer security system processing a security event comprising:

(a) a behavior module that comprises a plurality of sub-algorithms, wherein each sub-algorithm corresponds to a predetermined category, which is related to a predetermined security issue; and

(b) a combination module that provides a security analysis based on the output of the behavior module.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and device for managing security in a computer network include algorithms of iterative intelligence growth, iterative evolution, and evolution pathways; sub-algorithms of information type identifier, conspiracy detection, media scanner, privilege isolation analysis, user risk management and foreign entities management; and modules of security behavior, creativity, artificial threat, automated growth guidance, response/generic parser, security review module and monitoring interaction system. Applications include malware predictive tracking, clandestine machine intelligence retribution through covert operations in cyberspace, logically inferred zero-database a-priori realtime defense, critical infrastructure protection & retribution through cloud & tiered information security, and critical thinking memory & perception.

181 Citations

69 Claims

1. A computer security system processing a security event comprising:
- (a) a behavior module that comprises a plurality of sub-algorithms, wherein each sub-algorithm corresponds to a predetermined category, which is related to a predetermined security issue; and
  
  (b) a combination module that provides a security analysis based on the output of the behavior module.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the sub-algorithms are executed in parallel, and each of the sub-algorithms processes input and stores output.
  - 3. The system of claim 2, wherein an information processing request is sent to at least one sub-algorithm, wherein each sub-algorithm processes data of the security event, wherein the result of each of sub-algorithms is stored in a database for the sub-algorithm.
  - 4. The system of claim 2, further comprising a high confidence filter that filters results from the sub-algorithms that are above a pre-determined confidence level.
  - 5. The system of claim 4, wherein a combination request is sent to the combination algorithm, wherein the combination algorithm combines two or more sub algorithms depending on the type of the combination request, wherein the combination algorithm selects result based on a predetermined criterion.
  - 6. The system of claim 5, further comprising a categorization module that determines the category of the security event based on combination of policy and behavior.
  - 7. The system of claim 6, further comprising a pattern matching module that filters out the security event based on behavior pattern of the security event, and wherein the categorization module that determines the category of the filtered event from the pattern matching module.
  - 8. The system of claim 7, wherein the behavior module is connected to a behavior database, wherein the behavior database stores metadata that comprise the plurality of categories.
  - 9. The system of claim 8, wherein each of the categories comprises a reference id, a first concept, a second concept, and an algorithm determined association index.
  - 10. The system of claim 7, further comprising a sanitation module that filters an incoming event based on a sanitation policy.

11. A cyber security system comprising:
- (i) a conspiracy detection sub-algorithm, which checks background for multiple security events, and determines patterns and correlations between the security events; and
  
  (ii) an Information type identifier sub-algorithm, which determines type of unknown data, and declares its confidence in the data type that it has chosen, and returns a failure flag if the confidence is lower than a predetermined level.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 12. The system of claim 11, wherein in the conspiracy detection sub-algorithm, the security event is parsed by the information type identifier sub-algorithm, which derives relevant attributes of the security event, wherein the attributes are checked by external policy and behavior interpretation to see whether the event passes the threshold for being processed.
  - 13. The system of claim 12, wherein the derived event attributes for the security event are stored in a specific DB, wherein all combinations for the derived event attributes are made, wherein the combinations are selected by pre-determined allowance rule, wherein the selected combinations are queried against the specific DB for predetermined similarity factors.
  - 14. The system of claim 13, wherein the predetermined similarity factors include having the same SSN and time of day of occurrence, including the same IP LAN subnet range and personal phone number and personal address, including the same domain name in different email addresses, and including a domain name and the IP address it is supposed to point to, to fight against ghost domain names.
  - 15. The system of claim 13, wherein results checked by the conspiracy detection sub-algorithm are notified to a management console.
  - 16. The system of claim 11, further comprising a foreign entities management sub-algorithm, which upgrades or downgrades the severity of foreign threats based off of requests the foreign threats make to an isolated network of an enterprise, and receives third party information to augment its perception of foreign threats, and a user risk management sub-algorithm, which determines overall risk assessment for a user record based on predetermined risk factors.
  - 17. The system of claim 16, wherein in the foreign entities management sub-algorithm, a security event is parsed by the information type identifier sub-algorithm to derive network origin and user involved for the security event, wherein the network origin of the security event is checked against a security watch list, wherein if user info has been found in the security watch list, then the user is checked by the user risk assessment sub-algorithm.
  - 18. The system of claim 17, wherein the check results are considered and aggregated based off of pre-determined thresholds which are influenced by external policy and behavior, wherein the aggregated results are stored in a specific database.
  - 19. The system of claim 16, wherein in the information type identifier sub-algorithm, for the provided unknown data, bulk input is offered for parallelization purposes.
  - 20. The system of claim 19, wherein the information type identifier sub-algorithm extracts attributes of the unknown data, including length, number, letter ratio and special characters.
  - 21. The system of claim 20, wherein the extracted attributes are compared to DB data points, which are selected for comparison.
  - 22. The system of claim 21, wherein cache is checked first for comparisons.
  - 23. The system of claim 22, wherein the information type identifier sub-algorithm processes the compared results for confidence levels.
  - 24. The system of claim 23, wherein if the confidence level of the results is lower than a predetermined threshold, the results are cutoff, wherein the predetermined threshold can be dynamic.
  - 25. The system of claim 23, wherein pattern detection is performed to correlate type affinity with attribute makeup, wherein high confidence patterns are stored in the cache, wherein the DB does not contain calculated patterns but contains static correlations between type and attribute.
  - 26. The system of claim 25, wherein the processed results are compiled to conform to API and the compiled results are output.
  - 27. The system of claim 16, further comprising a media scanner sub-algorithm, which scans given media, and checks for illegal information transfer and inconsistent/suspicious behavior for the expected composition of such media.
  - 28. The system of claim 27, wherein in the media scanner sub-algorithm, a media parse is performed to highlight suspected points of information in the given media, wherein the suspected points may be hidden in metadata, or in the raw format of the media, wherein the data and metadata of the media are scanned.
  - 29. The system of claim 27, wherein the suspected points of information are processed by the Information Type Identifier sub-algorithm, wherein user identities thus processes are passed to the User Risk Management sub-algorithm, wherein all other information is passed to a generic parser.
  - 30. The system of claim 27, wherein the generic parser interacts with a Risk Objects DB to find risky associations that are in the file.
  - 31. The system of claim 30, wherein if a risky association is found, the media is blocked from being transferred, a risk object is created, and the User Risk Management sub-algorithm is been notified of a relevant user'"'"'s involvement with the security event.
  - 32. The system of claim 30, wherein processed results are combined and parsed to produce a decision of whether to block or allow the media.
  - 33. The system of claim 16, further comprising a privilege isolation analysis sub-algorithm, which determines if a user or process is within their permitted privilege allocation, which is constantly invoked, and reports any confirmed privilege violations to a master process and a secondary process which double checks that the master process took action for the violations.
  - 34. The system of claim 33, wherein in the privilege isolation analysis sub-algorithm, a user permission event is sent, a user ID token and requested location of access/modification is extracted by the information type identifier sub-algorithm and pushed to a thread manager.
  - 35. The system of claim 34, wherein the thread manager comprises a location thread manager, which receives location information and invokes a location database for who is permitted to access/modify.
  - 36. The system of claim 35, wherein a location permission bank receives the location'"'"'s permission requirements by Specific DB 2, and is queried by a thread that decides if certain locations should be blocked as a precaution due to a user security risk, wherein the threshold for the precaution level is determined via external policy and behavior.
  - 37. The system of claim 36, wherein the thread manager comprises a user thread manager, which receives user information and invokes a user database for what locations are permitted to access/modify, and invokes the User Risk Management sub-algorithm to get risky locations that should be blocked for the user within a precautionary policy.
  - 38. The system of claim 37, wherein a user permission bank receives the user'"'"'s permission attributes by Specific DB 1, and is queried by the location thread manager to see if the user is permitted to perform the requested action in this location.
  - 39. The system of claim 38, wherein a permissions aggregator logically combines results by the location thread manager and the user thread manager, and outputs the combined result.
  - 40. The system of claim 16, wherein in the user risk management sub-algorithm, the predetermined risk factors include prior policy violations, excessive usage, and suspicious operations enacted.
  - 41. The system of claim 40, wherein a user identification token is input, and an overall risk assessment percentage with a plurality of linked objects that are of risk interest is output, wherein the objects can be accessed independently via other sub-algorithms for further analysis.
  - 42. The system of claim 41, wherein a risk object that is related to the user is input, wherein the user'"'"'s association with the risk object is recorded.
  - 43. The system of claim 41, wherein a user ID token is provided to generate a risk assessment report or to deposit a risk object reference, wherein a user'"'"'s risk history is built with the deposited risk object references.
  - 44. The system of claim 43, wherein if a risk object reference is provided, then deposit is made in the database for future reference.
  - 45. The system of claim 43, wherein if no risk object reference deposit is made, and the thread manager requests a report to be made, wherein a relevant user ID is looked up in a specific database to assess the user'"'"'s risk history.
  - 46. The system of claim 43, wherein risk rates are retrieved from a specific DB, which gives a risk rating for risk objects, wherein using the risk rates and the retrieved risk objects, a final aggregate report is produced and pushed to output, wherein a comprehensive principal risk index is also pushed to output, for identifying a user'"'"'s immediate risk factor.

47. A method for iterative intelligence growth comprising steps of:
- a) receiving input of an initial ruleset;
  
  b) receiving input of a plurality of personality trait, wherein the personal trait defines reactionary characteristics that should be exercised upon security events;
  
  c) choosing a personal trait and assigning the personal trait to an evolution pathway;
  
  d) repeating step c) for other evolution pathways for all of the personality traits; and
  
  e) executing the evolution pathways, wherein each of the evolution pathways evolves a plurality of generations according to its given personality trait;
  
  wherein the operation of each of the evolution pathways is virtually isolated from the operation of the other evolution pathways.
- View Dependent Claims (48, 49, 50, 51, 52)
- - 48. The method of claim 47, wherein the personal traits comprise:
    - i) a realist trait that uses CPU time based on degree of correlation;
      
      ii) a unforgiving trait that uses CPU time based on whether there was a prior security incident for a given entity, which comprises an individual or a computer system;
      
      iii) an opportunistic trait that uses CPU time based on availability of a corrective action;
      
      oriv) a strict and precautious trait that uses CPU time based on little forgiveness or tolerance of assumption;
      
      wherein the CPU time is measured in CPU cycles/second.
  - 49. The method of claim 47, wherein a monitoring and interaction system injects security events from an artificial security threat (AST) system into the evolution pathways, and relays security responses associated with the security events from a security behavior cloud, wherein if any one of the evolution pathways reaches an indefinite state of being unable to solve the given security problem, the execution of the evolution pathway is abandoned, wherein the personality trait of the abandoned evolution pathway is modified, wherein the modified personality trait is assigned to another evolution pathway and the security event of the abandoned evolution pathway is injected to the another evolution pathway, and wherein the another evolution pathway is executed, wherein the monitoring and interaction system outputs the performance of the evolution pathways, and receives input for modifying the personal trait.
  - 50. The method of claim 47, wherein a cross reference module analyzes a security system response for a given security event, decides whether a security system response is meaningful, pushes the security system response to a trait tagging module.
  - 51. The method of claim 50, wherein the trait tagging module classifies the security system response according to personality types provided to the trait tagging module.
  - 52. The method of claim 51, wherein a trait interaction module analyzes correlation among the personality traits, wherein the analysis result is passed to the security behavior cloud, wherein the security behavior cloud passes the analysis result to the monitoring and interaction system.

53. A cyber threat intelligence identification, integration and analysis system comprising:
- a) an intelligent selector that receives two parent forms, wherein the parent forms represent abstract constructs of data, and merges the two parent forms into a hybrid form;
  
  b) a mode module that defines the type of an algorithm in which the system is being used, wherein the intelligent selector decides parts to merge based on the type of the algorithm; and
  
  c) a static criteria module that receives input of customization data for how forms should be merged.
- View Dependent Claims (54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69)
- - 54. The system of claim 53, wherein the customization data comprises ranking prioritizations, desired ratios of data, and data to direct merging which is dependent on the type of algorithm defined by the mode module.
  - 55. The system of claim 53, wherein the intelligent selector comprises a raw comparison module that performs raw comparison on the two parent forms based on the customization data provided by the static criteria module, wherein the raw comparison module outputs regarding changes and non-changes, wherein the intelligent selector ranks importance of the changes based on the customization data, wherein the changes and the non-changes are merged into a hybrid form based on the customization data of the static criteria and the type of the algorithm of the mode, wherein the merging comprises adjusting ratio distribution of data, importance of data, and relationship between data, wherein a ratio mode, a priority mode, and a style mode are preset in the system.
  - 56. The system of claim 55, wherein in the ratio mode, the amount of overlapping information is filtered through according to the ratio set by the Static Criteria, wherein if the ratio is set to large then a large amount of form data that has remained consistent will be merged into the hybrid form, wherein if the ratio is set to small then most of hybrid form will be constructed has a very different from its past iterations.
  - 57. The system of claim 55, wherein in the priority mode, when both data sets compete to define a feature at the same place in the form, a prioritization process occurs to choose which features are made prominent and which are overlapped and hidden, wherein when only one trait can occupy in the hybrid form, a prioritization process occurs.
  - 58. The system of claim 55, in the style mode, the manner in which overlapping points are merged, wherein the Static Criteria and mode direct this module to prefer a certain merge over another.
  - 59. The system of claim 53, wherein a trait makeup and indexed security Points of Interest (POI) are provided to query security events with their responses, wherein the POI'"'"'s are stored in a security POI pool, and POI'"'"'s are bridged with the trait index, wherein when a personality trait regarding a security issue is queried, relevant POI'"'"'s are looked up in the POI pool and the relevant Event and Response storage are retrieved and returned, wherein in a POI interface module, personal traits are associated with POI'"'"'s.
  - 60. The system of claim 53, further comprising a response parser, which comprises:
    - a) a cross reference module, in which that data describing a security event and a response to the security event are received;
      
      the security behavior module provides known POI, and input for a personality trait tagged to a security event is received;
      
      b) a trait tagging module that associates the security response with personal trait based on prescription of the personal trait and pattern correlation from past security behavior; and
      
      c) a trait interaction module that receives a trait makeup from the trait tagging module, and assesses its internal compatibility;
      
      wherein the security event, response, trait are stored in the security behavior cloud.
  - 61. The system of claim 53, wherein a security ruleset is tested with an artificial exploit, wherein after the exploit is performed, result feedback module provides the result if the exploit worked and if it should be incorporated into the Exploit DB, wherein the information release module provides details to the creativity module for how the next exploit should look like, wherein information is merged between the information release module and the Exploit DB, wherein the exploit is performed as a batch in which all the evolutionary pathways get tested in parallel and simultaneously with the same exploit, wherein the creativity module produces a hybrid exploit that uses the strengths of prior exploits and avoids known weaknesses in exploits based on result by the information release module.
  - 62. The system of claim 61, wherein an oversight management module monitors developments in an exploit storage and usage, wherein exploits are produced/modified/removed by external inputs, wherein the exploits are stored along with known behavioral history that describes how the exploits performed in the past within certain conditions and exploit importance.
  - 63. The system of claim 53, further comprising a monitoring/interaction system, in which the creativity module produces the next generation for a pathway, wherein two input forms are compiled security behavior from the security behavior cloud, and variables from a security review module, wherein the resultant hybrid form is pushed to an iteration processor, wherein the iteration processor processes the hybrid form pushed from the creativity module, and assembles a new generation, and loads the new generation into the relevant evolutionary pathway, wherein the security review module receives report variables from the evolutionary pathway, and evaluates its security performance against the Artificial Security Threat (AST) system, outputs report for further review, and sends the report to the creativity module to Iterate the next generation, wherein the security behavior cloud supplies relevant events and responses to the security review module, wherein the criteria is determined via a trait index query, wherein if a good performance evaluation is received, the security review module attempts to find a better exploit to break the exploit in the security behavior cloud, wherein the trait makeups are provided to the security behavior cloud and the security behavior cloud provides the trait makeups to the creativity module to guide how the generational ruleset should be composed.
  - 64. The system of claim 63, wherein an automated growth guidance system intervenes between external control and the monitoring and interaction system, wherein a module type discerns what the desired module behavior is, and wherein forced feedback is a response by a module informing about its current condition every time it is given new instructions, wherein high level master variables are externally input to the static criteria, wherein the creativity module discerns a new desired result after being given the previous desired result and the actual result, wherein the actual result that comprises status and state of the controlled module is stored in the module tracking DB, wherein the module tracking DB is populated by the module and the creativity module, wherein the module tracking DB provides an input form to the creativity module which reflects the internally chosen growth pattern for the controlled module, wherein the creativity module pushes the new controls for the module to the module tracker and the module itself, wherein the modules are controlled in parallel, except that the module tracking operates in a single instance and is partitioned to deal with multiple modules simultaneously, wherein the feedback from the controlled module, which comprises information derived from actual module history, is stored in the realistic DB, wherein the theory DB contains theoretical controls for the module, which are provided by the creativity module, wherein if a control performs as expected then the same growth pattern is kept, and if a control performs odd, then alternate growth pattern is adopted.
  - 65. The system of claim 53, further comprising a malware predictive tracking algorithm, in which an existing malware is iterated to consider theoretical variances in makeup, wherein as the theoretical time progresses, the malware evolves interacting with the creativity module, wherein CATEGORY A represents confirmed malware threats with proven history of recognition and removal, CATEGORY B represents malware that the system knows exists but is unable to recognize nor remove with absolute confidence and CATEGORY C represents malware that is completely unknown to the system in every way possible, wherein the process starts from category A, wherein known malware is pushed to the creativity module to produce a hybrid form which includes potential variations that represent currently unknown malware, wherein then based on category B, a theoretical process represents the best estimate of what an unknown threat is like, wherein a process based on category C represents the actual threat that the system is unaware of and trying to predict, wherein a pattern is produced to represent the transition of a known and confirmed iteration, wherein the transition pattern is used to predict a currently unknown threat.
  - 66. The system of claim 53, further comprising a critical infrastructure protection &
    - retribution through cloud &
      
      tiered information security (CIPR/CTIS) that comprises trusted platform security information synchronization service, wherein information flows between multiple security algorithms within a managed network &
      
      security services provider (MNSP), wherein all enterprise traffic within an enterprise intranet, extranet and internet are relayed to the MNSP cloud via VPN for realtime and retrospective security analysis, wherein in the retrospective security analysis, events and their security responses and traits are stored and indexed for future queries, conspiracy detection provides a routine background check for multiple security events and attempts to determine patterns and correlations, parallel evolutionary pathways are matured and selected, iterative generations adapt to the same AST batch, and the pathway with the best personality traits ends up resisting the security threats the most, wherein in the realtime security analysis, syntax module provides a framework for reading &
      
      writing computer code, purpose module uses syntax module to derive a purpose from code, &
      
      outputs such a purpose in its own complex purpose format, the enterprise network and database is cloned in a virtual environment, and sensitive data is replaced with mock (fake) data, signal mimicry provides a form of retribution used when the analytical conclusion of virtual obfuscation (protection) has been reached, wherein it checks that all the internal functions of a foreign code make sense, uses the syntax and purpose modules to reduce foreign code to a complex purpose format, detects code covertly embedded in data &
      
      transmission packets, wherein a mapped hierarchy of need &
      
      purpose is referenced to decide if foreign code fits in the overall objective of the system.
  - 67. The system of claim 53, further comprising a logically inferred zero-database a-priori realtime defense (LIZARD), in which every digital transfer within the enterprise system is relayed through an instance of LIZARD, wherein all outgoing/incoming information from outside the enterprise system are channeled via the LIZARD VPN and LIZARD cloud, wherein the iteration module (IM) uses the static core (SC) to syntactically modify the code base of dynamic shell (DS), wherein the modified version is stress tested in parallel with multiple and varying security scenarios by the artificial security threat (AST), wherein if LIZARD performs a low confidence decision, it relays relevant data to AST to improve future iterations of LIZARD, wherein AST creates a virtual testing environment with simulated security threats to enable the iteration process, wherein the static core of LIZARD derives logically necessary functions from initially simpler functions, converts arbitrary (generic) code which is understood directly by syntax module, and reduces code logic to simpler forms to produce a map of interconnected functions, wherein iteration expansion adds detail and complexity to evolve a simple goal into a complex purpose by referring to purpose associations, wherein a virtual obfuscation module confuses &
    - restricts code by gradually &
      
      partially submerging them into a virtualized fake environment, wherein malware hypothetically bypasses the enterprise security system, LIZARD has a low confidence assessment of the intent/purpose of the incoming block of code, the questionable code is covertly allocated to an environment in which half of the data is intelligently mixed with mock (fake) data, the real data synchronizer intelligently selects data to be given to mixed environments &
      
      in what priority, and the mock data generator uses the real data synchronizer as a template for creating counterfeit &
      
      useless data.
  - 68. The system of claim 53, further comprising a clandestine machine intelligence &
    - retribution through covert operations in cyberspace module, in which a sleeper double agent silently captures a copy of a sensitive file and the captured file is pushed outside of an enterprise network to a rogue destination server, wherein standard logs are generated which are delivered for real-time and long-term analysis, wherein real-time analysis performs a near instant recognition of the malicious activity to stop it before execution, and the long-term analysis recognizes the malicious behavior after more time to analyze.
  - 69. The system of claim 53, further comprising a critical thinking, memory and perception algorithm that produces an emulation of the observer, and tests/compares all potential points of perception with such variations of observer emulations, wherein priority of perceptions chosen are selected according to weight in descending order, wherein the policy dictates the manner of selecting a cut off, wherein perceptions and relevant weight are stored with comparable variable format (CVF) as their index, wherein CVF derived from data enhanced logs is used as criteria in a database lookup of a perception storage, wherein a metric processing module reverse engineers the variables from selected pattern matching algorithm (SPMA) security response, wherein a part of the security response and its corresponding system metadata are used to replicate the original perception of the security response, wherein debugging and algorithm trace are separated into distinct categories using traditional syntax based information categorization, wherein the categories are used to organize and produce distinct security response with a correlation to security risks and subjects.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Syed Kamran Hasan
Original Assignee
Syed Kamran Hasan
Inventors
HASAN, SYED KAMRAN

Application Number

US15/145,800
Publication Number

US 20160330219A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G01C 21/387   Organisation of map data, e...

G06N 20/00   Machine learning

G06N 5/025   Extracting rules from data

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

METHOD AND DEVICE FOR MANAGING SECURITY IN A COMPUTER NETWORK

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

181 Citations

69 Claims

Specification

Use Cases

Quick Links

Others

METHOD AND DEVICE FOR MANAGING SECURITY IN A COMPUTER NETWORK

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

181 Citations

69 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others