COGNITIVE INFORMATION SECURITY USING A BEHAVIORAL RECOGNITION SYSTEM

US 20170163672A1
Filed: 11/29/2016
Published: 06/08/2017
Est. Priority Date: 08/09/2013
Status: Active Grant

First Claim

Patent Images

1. A method for processing streams of information security data from one or more networked computer systems, the method comprising:

receiving an ordered stream of normalized vectors corresponding to information security data obtained from one or more sensors monitoring a computer network; and

generating a neuro-linguistic model of the information security data by;

clustering the ordered stream of vectors and assigning a letter to each cluster,outputting an ordered sequence of letters based on a mapping of the ordered stream of normalized vectors to the clusters,building a dictionary of words from of the ordered output of letters,outputting an ordered stream of words based on the ordered output of letters, andgenerating a plurality of phrases based on the ordered output of words.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments presented herein describe a method for processing streams of data of one or more networked computer systems. According to one embodiment of the present disclosure, an ordered stream of normalized vectors corresponding to information security data obtained from one or more sensors monitoring a computer network is received. A neuro-linguistic model of the information security data is generated by clustering the ordered stream of vectors and assigning a letter to each cluster, outputting an ordered sequence of letters based on a mapping of the ordered stream of normalized vectors to the clusters, building a dictionary of words from of the ordered output of letters, outputting an ordered stream of words based on the ordered output of letters, and generating a plurality of phrases based on the ordered output of words.

Citations

20 Claims

1. A method for processing streams of information security data from one or more networked computer systems, the method comprising:
- receiving an ordered stream of normalized vectors corresponding to information security data obtained from one or more sensors monitoring a computer network; and
  
  generating a neuro-linguistic model of the information security data by;
  
  clustering the ordered stream of vectors and assigning a letter to each cluster,outputting an ordered sequence of letters based on a mapping of the ordered stream of normalized vectors to the clusters,building a dictionary of words from of the ordered output of letters,outputting an ordered stream of words based on the ordered output of letters, andgenerating a plurality of phrases based on the ordered output of words.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - comparing a current observation of letters, words, or phrases generated from subsequent normalized vectors in the ordered stream against the neuro-linguistic model; and
      
      generating alerts when the current observation of letters, words, phrases, differs from the neuro-lingustic model of the information security data.
  - 3. The method of claim 2, wherein generating alerts when the current observation of letters, words, phrases, differs from the neuro-lingustic model of the information security data comprises determining, for at least a first, letter, word, or phrase in the current observation an unusualness score based on a frequency of letters words, and phrases, respectively, in the letters, words, and phrases of the neuro-lingustic model;
    - andgenerating the alerts when the unusualness score for at least one of the letters, words, or phases in the current observation exceeds a specified threshold.
  - 4. The method of claim 1, further comprising:
    - comparing a current observation of letters, words, or phrases generated from subsequent normalized vectors in the ordered stream against the neuro-linguistic model; and
      
      generating an unusualness score for at least one of the letters, words, or phrases in the current observation.
  - 5. The method of claim 1, further comprising,dynamically updating the neuro-linguistic model from subsequent normalized vectors in the ordered stream of normalized vectors.
  - 6. The method of claim 1, wherein the each value of the information security data associated the normalized vectors is normalized to a value within a range of 0 to 1, inclusive.
  - 7. The method of claim 1, wherein the information security data comprises network packet traffic information, disk mount event information, or security log data.
  - 8. The method of claim 1, wherein building the dictionary comprises building a dictionary of words up to a maximum length of letters.

9. A computer-readable storage medium storing instructions, which, when executed on a processor, performs an operation for processing streams of data of one or more networked computer systems, the operation comprising:
- receiving an ordered stream of normalized vectors corresponding to information security data obtained from one or more sensors monitoring a computer network; and
  
  generating a neuro-linguistic model of the information security data by;
  
  clustering the ordered stream of vectors and assigning a letter to each cluster,outputting an ordered sequence of letters based on a mapping of the ordered stream of normalized vectors to the clusters,building a dictionary of words from of the ordered output of letters,outputting an ordered stream of words based on the ordered output of letters, andgenerating a plurality of phrases based on the ordered output of words.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer-readable storage medium of claim 9, wherein the operation further comprises:
    - comparing a current observation of letters, words, or phrases generated from subsequent normalized vectors in the ordered stream against the neuro-linguistic model; and
      
      generating alerts when the current observation of letters, words, phrases, differs from the neuro-lingustic model of the information security data.
  - 11. The computer-readable storage medium of claim 10, wherein generating alerts when the current observation of letters, words, phrases, differs from the neuro-lingustic model of the information security data comprises determining, for at least a first, letter, word, or phrase in the current observation an unusualness score based on a frequency of letters words, and phrases, respectively, in the letters, words, and phrases of the neuro-lingustic model;
    - andgenerating the alerts when the unusualness score for at least one of the letters, words, or phases in the current observation exceeds a specified threshold.
  - 12. The computer-readable storage medium of claim 9, wherein the operation further comprises:
    - comparing a current observation of letters, words, or phrases generated from subsequent normalized vectors in the ordered stream against the neuro-linguistic model; and
      
      generating an unusualness score for at least one of the letters, words, or phrases in the current observation.
  - 13. The computer-readable storage medium of claim 9, wherein the operation further comprises,dynamically updating the neuro-linguistic model from subsequent normalized vectors in the ordered stream of normalized vectors.
  - 14. The computer-readable storage medium of claim 9, wherein the each value of the information security data associated the normalized vectors is normalized to a value within a range of 0 to 1, inclusive.
  - 15. The computer-readable storage medium of claim 9, wherein the information security data comprises network packet traffic information, disk mount event information, or security log data.
  - 16. The computer-readable storage medium of claim 9, wherein building the dictionary comprises building a dictionary of words up to a maximum length of letters.

17. A system, comprising:
- a processor; and
  
  a memory storing one or more application programs configured to perform an operation for processing streams of data of one or more networked computer systems, the operation comprising;
  
  receiving an ordered stream of normalized vectors corresponding to information security data obtained from one or more sensors monitoring a computer network; and
  
  generating a neuro-linguistic model of the information security data by;
  
  clustering the ordered stream of vectors and assigning a letter to each cluster,outputting an ordered sequence of letters based on a mapping of the ordered stream of normalized vectors to the clusters,building a dictionary of words from of the ordered output of letters,outputting an ordered stream of words based on the ordered output of letters, andgenerating a plurality of phrases based on the ordered output of words.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the operation further comprises:
    - comparing a current observation of letters, words, or phrases generated from subsequent normalized vectors in the ordered stream against the neuro-linguistic model; and
      
      generating alerts when the current observation of letters, words, phrases, differs from the neuro-lingustic model of the information security data.
  - 19. The system of claim 18, wherein generating alerts when the current observation of letters, words, phrases, differs from the neuro-lingustic model of the information security data comprises determining, for at least a first, letter, word, or phrase in the current observation an unusualness score based on a frequency of letters words, and phrases, respectively, in the letters, words, and phrases of the neuro-lingustic model;
    - andgenerating the alerts when the unusualness score for at least one of the letters, words, or phases in the current observation exceeds a specified threshold.
  - 20. The system of claim 17, wherein the operation further comprises:
    - comparing a current observation of letters, words, or phrases generated from subsequent normalized vectors in the ordered stream against the neuro-linguistic model; and
      
      generating an unusualness score for at least one of the letters, words, or phrases in the current observation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellective Ai, Inc.
Original Assignee
Omni International, LLC (Blue Sail Medical Co., Ltd.)
Inventors
SEOW, Ming-Jung, COBB, Wesley Kenneth, COLE, JR., Curtis Edward, FALCON, Cody Shay, KONOSKY, Benjamin A., MORGAN, Charles Richard, POFFENBERGER, Aaron, NGUYEN, Thong Toan

Granted Patent

US 9,973,523 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 40/226   Validation

G06F 40/242   Dictionaries

G06F 40/247   Thesauruses; Synonyms

G06F 40/253   Grammatical analysis; Style...

G06F 40/284   Lexical analysis, e.g. toke...

G06F 40/289   Phrasal analysis, e.g. fini...

G06F 40/30   Semantic analysis

G06F 40/40   Processing or translation o...

G06N 20/00   Machine learning

G06N 3/0409   Adaptive resonance theory [...

G06N 3/042   Knowledge-based neural netw...

G06N 3/088   Non-supervised learning, e....

G06N 5/022   Knowledge engineering; Know...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

COGNITIVE INFORMATION SECURITY USING A BEHAVIORAL RECOGNITION SYSTEM

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

COGNITIVE INFORMATION SECURITY USING A BEHAVIORAL RECOGNITION SYSTEM

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links