Utilizing Big Data Analytics to Optimize Information Security Monitoring And Controls

US 20160352759A1
Filed: 05/25/2015
Published: 12/01/2016
Est. Priority Date: 05/25/2015
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

obtaining one or more responses of a security sensor to events from each of a plurality of sources;

clustering each of the sources into one or more clusters, based on an amount of responses of the security sensor to the events from that source;

training a classifier with the sources and the clusters they belong; and

reconfiguring the security sensor based on the classifier.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein is a method comprising: obtaining one or more responses of a security sensor to events from each of a plurality of sources; clustering each of the sources into one or more clusters, based on an amount of responses of the security sensor to the events from that source; training a classifier with the sources and the clusters they belong; and reconfiguring the security sensor based on the classifier.

29 Citations

24 Claims

1. A method comprising:
- obtaining one or more responses of a security sensor to events from each of a plurality of sources;
  
  clustering each of the sources into one or more clusters, based on an amount of responses of the security sensor to the events from that source;
  
  training a classifier with the sources and the clusters they belong; and
  
  reconfiguring the security sensor based on the classifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the events are selected from a group consisting of computer system logs, network device logs, security device logs and alerts, security tool logs and alerts, network packets and flows, and application logs, physical security events, and threat intelligence events.
  - 3. The method of claim 1, further comprising normalizing the events.
  - 4. The method of claim 1, further comprising parsing the events.
  - 5. The method of claim 1, wherein the events occurred over a period of time greater than a threshold.
  - 6. The method of claim 1, wherein the source are selected from a group consisting of servers, networks, transmission lines, computer system logs, network device logs, security device logs and alerts, security tool logs and alerts, network packets and flows, and application logs, physical security events, and threat intelligence events and a combination thereof.
  - 7. The method of claim 1,wherein the security sensor comprises a processor, a memory, a communication interface;
    - wherein the communication interface is coupled to one or more hosts and configured to capture events on the one or more hosts;
      
      wherein the memory has instructions and a plurality of attack signatures stored thereon;
      
      wherein when the instructions are executed by the processor, the processor determines one or more responses to the events based on the signatures.
  - 8. The method of claim 7, wherein reconfiguring the security sensor comprises change a parameter of one of the attack signatures, adding a new signature into the attack signatures, or eliminating one of the attack signatures.
  - 9. The method of claim 1, wherein obtaining the one or more responses comprises simulating the security sensor.
  - 10. The method of claim 1, further comprising reducing a dimension of the events.

11. A method comprising:
- obtaining one or more responses of a security sensor to events from each a plurality of sources;
  
  training a classifier with the sources and the responses;
  
  reconfiguring the security sensor based on the classifier.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein the events are selected from a group consisting of computer system logs, network device logs, security device logs and alerts, security tool logs and alerts, network packets and flows, and application logs, physical security events, and threat intelligence events.
  - 13. The method of claim 11, further comprising normalizing the events.
  - 14. The method of claim 11, further comprising parsing the events.
  - 15. The method of claim 11, wherein the events occurred over a period of time greater than a threshold.
  - 16. The method of claim 11, wherein the source are selected from a group consisting of servers, networks, transmission lines, computer system logs, network device logs, security device logs and alerts, security tool logs and alerts, network packets and flows, and application logs, physical security events, and threat intelligence events and a combination thereof.
  - 17. The method of claim 11,wherein the security sensor comprises a processor, a memory, a communication interface;
    - wherein the communication interface is coupled to one or more hosts and configured to capture events on the one or more hosts;
      
      wherein the memory has instructions and a plurality of attack signatures stored thereon;
      
      wherein when the instructions are executed by the processor, the processor determines one or more responses to the events based on the signatures.
  - 18. The method of claim 17, wherein reconfiguring the security sensor comprises change a parameter of one of the attack signatures, adding a new signature into the attack signatures, or eliminating one of the attack signatures.
  - 19. The method of claim 11, wherein obtaining the one or more responses comprises simulating the security sensor.
  - 20. The method of claim 11, further comprising reducing a dimension of the events.

21. A system comprising:
- a data collection module configured to obtain events from each of a plurality of sources;
  
  a clustering module configured to cluster each of the sources into one or more clusters, based on an amount of responses of a security sensor to the events from that source;
  
  a classifier training module configured to train a classifier with the sources and the clusters they belong; and
  
  a sensor reconfiguration module configured to reconfigure the security sensor based on the classifier.
- View Dependent Claims (22, 23, 24)
- - 22. The system of claim 21, wherein the security sensor comprises a processor, a memory, a communication interface;
    - wherein the communication interface is coupled to one or more hosts and configured to capture events on the one or more hosts;
      
      wherein the memory has instructions and a plurality of attack signatures stored thereon;
      
      wherein when the instructions are executed by the processor, the processor determines one or more responses to the events based on the attack signatures.
  - 23. The system of claim 21, further comprising a sensor simulation module configured to obtain one or more responses of the security sensor to the events by simulating the security sensor.
  - 24. The system of claim 21, further comprising a feature identification module configured to identify a feature from the events or the responses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Yan Zhai
Original Assignee
Yan Zhai
Inventors
ZHAI, Yan

Application Number

US14/720,900
Publication Number

US 20160352759A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06N 20/00   Machine learning

H04L 63/0245   Filtering by information in...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Utilizing Big Data Analytics to Optimize Information Security Monitoring And Controls

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

29 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Utilizing Big Data Analytics to Optimize Information Security Monitoring And Controls

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links