CYBER SECURITY

US 20170220801A1
Filed: 08/03/2015
Published: 08/03/2017
Est. Priority Date: 08/04/2014
Status: Active Grant

First Claim

Patent Images

1. A method for detection of a cyber-threat to a computer system, the method arranged to be performed by a processing apparatus, the method comprising:

receiving input data associated with a first entity associated with the computer system;

deriving metrics from the received input data, the derived metrics representative of characteristics of the received input data;

analyzing the derived metrics using one or more models; and

determining, in accordance with the analyzed metrics and a model of normal behavior of the first entity, a cyber-threat risk parameter indicative of a likelihood of a cyber-threat.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein is a method for detection of a cyber-threat to a computer system. The method is arranged to be performed by a processing apparatus. The method comprises receiving input data associated with a first entity associated with the computer system, deriving metrics from the input data, the metrics representative of characteristics of the received input data, analysing the metrics using one or more models, and determining, in accordance with the analysed metrics and a model of normal behaviour of the first entity, a cyber-threat risk parameter indicative of a likelihood of a cyber-threat. A computer readable medium, a computer program and a threat detection system are also disclosed.

42 Citations

22 Claims

1. A method for detection of a cyber-threat to a computer system, the method arranged to be performed by a processing apparatus, the method comprising:
- receiving input data associated with a first entity associated with the computer system;
  
  deriving metrics from the received input data, the derived metrics representative of characteristics of the received input data;
  
  analyzing the derived metrics using one or more models; and
  
  determining, in accordance with the analyzed metrics and a model of normal behavior of the first entity, a cyber-threat risk parameter indicative of a likelihood of a cyber-threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method according to claim 1, further comprising updating the model of normal behavior of the first entity in accordance with the analysis of the derived metrics.
  - 3. The method according to claim 1, wherein the received input data includes data relating to activity on the computer system associated with the first entity.
  - 4. The method according to claim 1, wherein the derived metrics reflect a usage of the computer system by the first entity over a period of time.
  - 5. The method according to claim 4, wherein the derived metrics are network traffic related metrics associated with activity of the first entity on the computer system.
  - 6. The method according to claim 3, wherein the derived metrics are derived from header analysis on an Internet Layer protocol level of the computer system.
  - 7. The method according to claim 1, further comprising selecting the plurality of metrics from a range of possible metrics before deriving the plurality of metrics.
  - 8. The method according to claim 1, wherein the one or more models include a first model arranged to analyzed data for detecting a first type of threat and a second model arranged to analyzed data for detecting a second type of threat.
  - 9. The method according to claim 1, wherein the cyber-threat risk parameter is a probability of the likelihood of a threat.
  - 10. The method according to claim 9, wherein the probability is determined using a recursive Bayesian estimation.
  - 11. The method according to claim 1, further comprising determining whether or not there is a threat by comparing the cyber-threat risk parameter with a threshold.
  - 12. The method according to claim 11, wherein the threshold is a moving threshold.
  - 13. The method according to claim 1, wherein the cyber-threat risk parameter is determined by comparing the analyzed metrics with the model of normal behavior of the first entity.
  - 14. The method according to claim 13, further comprising predicting an expected behavior of the first entity based on the model of normal behavior, wherein the determining the cyber-threat risk parameter comprises comparing the analyzed metrics with the expected behavior.
  - 15. The method according to claim 1, further comprising receiving input data associated with a second entity, wherein the determining the cyber-threat risk parameter comprises taking the input data associated with the second entity into consideration.
  - 16. The method according to claim 1, wherein the entity is a user of the computer system.
  - 17. The method according to claim 1, wherein the entity is a device forming part of the computer system.
  - 18. The method according to claim 1, wherein the entity forms part of an industrial control system connected to or forming part of the computer system.
  - 19. The method according to claim 1, wherein the computer system is a network of computing devices.
  - 20. A computer readable medium comprising computer readable code operable, in use, to instruct a computer to perform the method of claim 1.
  - 21. A computer program comprising computer readable code operable, in use, to instruct a computer to perform the method of claim 1.
  - 22. A threat detection system comprising a processor, and a memory comprising computer readable code operable, in use, to instruct the processor to perform the method of claim 1.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Darktrace Holdings Limited
Original Assignee
Darktrace Limited
Inventors
STOCKDALE, Jack, MARKHAM, Alex

Granted Patent

US 10,268,821 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

H04L 41/069   using logs of notifications...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

CYBER SECURITY

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

42 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

CYBER SECURITY

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others