METHOD FOR PREDICTING AND CHARACTERIZING CYBER ATTACKS

US 20180004948A1
Filed: 06/20/2017
Published: 01/04/2018
Est. Priority Date: 06/20/2016
Status: Active Grant

First Claim

Patent Images

1. A method for predicting and characterizing cyber attacks comprising:

receiving a first signal specifying a first behavior of a first asset on a network at a first time;

compiling the first signal and a first set of signals into a first data structure, each signal in the first set of signals specifying a behavior of the first asset on the network within a first time window of a preset duration up to the first time;

calculating a first degree of deviation of the first data structure from a corpus of data structures, each data structure in the corpus of data structures representing a previous set of behaviors of an asset, in a set of assets, on the network within a time window of the preset duration;

in response to the first degree of deviation exceeding a deviation threshold score, issuing a first alert to investigate the first asset;

in response to the deviation threshold score exceeding the first degree of deviation;

calculating a first malicious score proportional to proximity of the first data structure to a first malicious data structure defining a first set of behaviors representative of a first network security threat;

calculating a first benign score proportional to proximity of the first data structure to a benign data structure representing an innocuous set of behaviors;

in response to the first malicious score exceeding the first benign score, issuing a second alert to investigate the network for the first network security threat; and

in response to the first benign score exceeding the first malicious score, disregarding the first data structure.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One variation of a method for predicting and characterizing cyber attacks includes: receiving, from a sensor implementing deep packet inspection to detect anomalous behaviors on the network, a first signal specifying a first anomalous behavior of a first asset on the network at a first time; representing the first signal in a first vector representing frequencies of anomalous behaviors—in a set of behavior types—of the first asset within a first time window; calculating a first malicious score representing proximity of the first vector to malicious vectors defining sets of behaviors representative of security threats; calculating a first benign score representing proximity of the first vector to a benign vector representing an innocuous set of behaviors; and in response to the first malicious score exceeding the first benign score and a malicious threshold score, issuing a first alert to investigate the network for a security threat.

Citations

20 Claims

1. A method for predicting and characterizing cyber attacks comprising:
- receiving a first signal specifying a first behavior of a first asset on a network at a first time;
  
  compiling the first signal and a first set of signals into a first data structure, each signal in the first set of signals specifying a behavior of the first asset on the network within a first time window of a preset duration up to the first time;
  
  calculating a first degree of deviation of the first data structure from a corpus of data structures, each data structure in the corpus of data structures representing a previous set of behaviors of an asset, in a set of assets, on the network within a time window of the preset duration;
  
  in response to the first degree of deviation exceeding a deviation threshold score, issuing a first alert to investigate the first asset;
  
  in response to the deviation threshold score exceeding the first degree of deviation;
  
  calculating a first malicious score proportional to proximity of the first data structure to a first malicious data structure defining a first set of behaviors representative of a first network security threat;
  
  calculating a first benign score proportional to proximity of the first data structure to a benign data structure representing an innocuous set of behaviors;
  
  in response to the first malicious score exceeding the first benign score, issuing a second alert to investigate the network for the first network security threat; and
  
  in response to the first benign score exceeding the first malicious score, disregarding the first data structure.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1:
    - wherein receiving the first signal comprises accessing the first signal generated by a sensor;
      
      arranged on the network,implementing deep packet inspection to detect anomalous behaviors of assets on the network, andoutputting signals responsive to anomalous behaviors of assets on the network; and
      
      wherein compiling the first signal and the first set of signals into the first data structure comprises generating the first data structure in response to receipt of the first signal.
  - 3. The method of claim 2:
    - wherein receiving the first signal comprises receiving the first signal specifying a combination of the first behavior and a second behavior of the first asset defined by a first machine hosting a first user on the network; and
      
      wherein compiling the first signal and the first set of signals into the first data structure comprises accessing;
      
      a second signal specifying the first behavior and the second behavior of the first asset within the first time window and prior to the first time; and
      
      a third signal specifying a third behavior of the first asset within the first time window.
  - 4. The method of claim 2, wherein receiving the first signal comprises receiving the first signal specifying one of:
    - an error event involving the first asset;
      
      unauthorized access by the first asset on the network;
      
      uncommon connection between the first asset and a domain external the network; and
      
      receipt of an executable attachment from an email address new to the network at the first asset.
  - 5. The method of claim 1:
    - wherein receiving the first signal comprises receiving the first signal specifying the first behavior, in a predefined set of behavior types, anomalous to the first asset;
      
      wherein compiling the first signal and the first set of signals into the first data structure comprises generating the first data structure representing frequencies of behaviors, in the predefined set of behavior types, of the first asset during the first time window; and
      
      wherein calculating the first degree of deviation of the first data structure from the corpus of data structures comprises calculating the first degree of deviation of frequencies of behaviors of each behavior type represented in the first data structure from frequencies of behaviors of each behavior type represented in data structures in the corpus of data structures.
  - 6. The method of claim 5:
    - wherein compiling the first signal and the first set of signals into the first data structure comprises generating a first multi-dimensional vector representing frequencies of behaviors of each behavior type, in the predefined set of behavior types, of the first asset within the preset duration of two weeks terminating at the first time;
      
      wherein calculating the first degree of deviation of the first data structure from the corpus of data structures comprises;
      
      accessing the corpus of data structures, each data structure in the corpus of data structures comprising a multi-dimensional vector representing a frequency of behaviors of an asset, in the set of assets, within a duration of two weeks prior to the first time;
      
      training a replicator neural network on the corpus of data structures;
      
      passing the first multi-dimensional vector through the replicator neural network to generate a first output vector; and
      
      calculating an outlier score based on a difference between the first multi-dimensional vector and the first output vector; and
      
      wherein issuing the first alert to investigate the first asset comprises issuing the first alert to investigate the first asset in response to the outlier score exceeding the deviation threshold score.
  - 7. The method of claim 6:
    - wherein accessing the corpus of data structures comprises accessing the corpus of data structures comprising a first set of unlabeled vectors and a second set of vectors labeled with identifiers of known network security threats, the first set of unlabeled vectors and the second set of vectors representing frequencies of behaviors of assets on the network over a second time window comprising the first time window and greater than the preset duration; and
      
      wherein calculating the first malicious score and calculating the first benign score comprise accessing the corpus of labeled vectors comprising the second set of vectors.
  - 8. The method of claim 1:
    - further comprising;
      
      accessing a set of malicious data structures, each malicious data structure in the set of malicious data structures defining a set of signals representative of a network security threat; and
      
      in response to the first data structure matching a second malicious data structure in the set of malicious data structures, issuing a second alert to investigate the network for a second network security threat represented by the second malicious data structure; and
      
      wherein calculating the first malicious score comprises, in response to lack of a match between the first data structure and a malicious data structure in the set of malicious data structures;
      
      calculating the first malicious score proportional to proximity of the first data structure to the first malicious data structure, in the set of malicious data structures, nearest the first data structure.
  - 9. The method of claim 1:
    - wherein compiling the first signal and the first set of signals into the first data structure comprises generating a first multi-dimensional vector representing frequencies of behaviors, in a predefined set of behavior types, of the first asset during the first time window;
      
      wherein calculating the first malicious score comprises calculating the first malicious score proportional to proximity of the first multi-dimensional vector to a first cluster of vectors, in a corpus of labeled vectors, representing the first network security threat; and
      
      wherein calculating the first benign score comprises calculating the first benign score proportional to proximity of the first multi-dimensional vector to a second duster of vectors, in the corpus of labeled vectors, representing innocuous network activity.
  - 10. The method of claim 9:
    - wherein issuing the second alert to investigate the network for the first network security threat comprises;
      
      generating the second alert specifying the first asset and comprising a prompt for an investigation into presence of the first network security threat, associated with the first malicious data structure, on the network; and
      
      inserting the second alert into an alert feed of a security operation center; and
      
      further comprising;
      
      accessing a result of the investigation into presence of the first network security threat on the network from the security operation center;
      
      labeling the first data structure according to the result; and
      
      inserting the first data structure into the corpus of labeled vectors.
  - 11. The method of claim 9, further comprising:
    - in response to the first malicious score approximating the first benign score, issuing a prompt to investigate the first asset;
      
      accessing a result of an investigation into the first asset from the security operation center;
      
      labeling the first data structure according to the result; and
      
      inserting the first data structure into the corpus of labeled vectors.
  - 12. The method of claim 9, further comprising:
    - in response to issuing the first alert to investigate the first asset;
      
      accessing a result of an investigation into the asset responsive to the first alert, the result specifying a second security threat;
      
      labeling the first data structure according to the second security threat; and
      
      inserting the first data structure into the corpus of labeled vectors.receiving a second signal specifying a second behavior of a second asset on the network at a second time succeeding the first time;
      
      compiling the second signal and a second set of signals into a second data structure, each signal in the second set of signals specifying a behavior of the second asset on the network within a second time window up to the second time, of the preset duration, and overlapping the first time window;
      
      calculating a second degree of deviation of the second data structure from the corpus of data structures;
      
      in response to the deviation threshold score exceeding the second degree of deviation;
      
      calculating a second malicious score proportional to proximity of the second data structure to the first data structure; and
      
      calculating a second security threat benign score proportional to proximity of the first data structure to a second security threat benign data structure representing an innocuous set of behaviors; and
      
      in response to the second malicious score exceeding the second benign score, issuing a third alert to investigate the network for the second network security threat.
  - 13. The method of claim 1, further comprising:
    - receiving a second signal specifying a second behavior of a second asset on the network at a second time;
      
      compiling the second signal and a second set of signals into a second data structure, each signal in the second set of signals specifying a behavior of the second asset on the network within a second time window up to the second time, of the preset duration, and overlapping the first time window;
      
      calculating a second degree of deviation of the second data structure from the corpus of data structures;
      
      in response to the second degree of deviation exceeding the deviation threshold score, issuing a second alert to investigate the second asset; and
      
      ranking the first alert ahead of the second alert in response to the first degree of deviation exceeding the second degree of deviation.
  - 14. The method of claim 1, wherein issuing the second alert to investigate the network for the first network security threat comprises:
    - in response to the first malicious data structure defining a set of behaviors previously detected on the network;
      
      retrieving a first malicious threshold score for network security threats previously detected on the network; and
      
      issuing the second alert to investigate the network for the first network security threat in response to the first malicious score exceeding the first benign score and the first malicious threshold score;
      
      in response to the first malicious data structure defining a set of behaviors previously detected on a second network external to the network;
      
      retrieving a second malicious threshold score for network security threats previously detected outside of the network, the second malicious threshold confidence greater than the first malicious threshold confidence; and
      
      issuing the second alert to investigate the network for the first network security threat in response to the first malicious score exceeding the first benign score and the second malicious threshold score.

15. A method for predicting and characterizing cyber attacks comprising:
- receiving a first signal specifying a first behavior of a first asset on a network at a first time;
  
  compiling the first signal and a first set of signals into a first data structure, each signal in the first set of signals specifying a behavior of the first asset on the network within a first time window of a preset duration up to the first time;
  
  calculating a first degree of deviation of the first data structure from a corpus of data structures, each data structure in the corpus of data structures representing a previous set of behaviors of an asset, in a set of assets, on the network within a time window of the preset duration;
  
  in response to the first degree of deviation exceeding a deviation threshold score, issuing a first alert to investigate the first asset;
  
  in response to the deviation threshold score exceeding the first degree of deviation;
  
  accessing a set of malicious data structures defining sets of signals representative of network security threats;
  
  in response to the first data structure matching a first malicious data structure, in the set of malicious data structures, defining signals representative of a first network security threat, issuing a first alert to investigate the network for the first network security threat;
  
  in response to lack of a match between the first data structure and a malicious data structure in the set of malicious data structures, calculating a malicious score proportional to proximity of the first data structure to a cluster of malicious data structures defining sets of behaviors representative of a second network security threat; and
  
  in response to the malicious score exceeding a malicious threshold score, issuing a second alert to investigate the network for the second network security threat.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15:
    - wherein receiving the first signal comprises accessing the first signal generated by a sensor;
      
      arranged on the network,implementing deep packet inspection to detect anomalous behaviors of assets on the network, andoutputting signals responsive to anomalous behaviors of assets on the network; and
      
      wherein compiling the first signal and the first set of signals into the first data structure comprises generating a first multi-dimensional vector representing frequencies of behaviors, in a predefined set of behavior types, of the first asset during the first time window; and
      
      wherein calculating the first degree of deviation of the first data structure from the corpus of data structures comprises calculating the first degree of deviation of the first multi-dimensional vector from multi-dimensional vectors in the corpus of data structures representing historical frequencies of behaviors, in the predefined set of behavior types, of assets on the network during time windows of the preset duration.
  - 17. The method of claim 15:
    - further comprising;
      
      calculating a benign score proportional to proximity of the first data structure to a cluster of benign data structures representing innocuous sets of behaviors;
      
      in response to the benign score exceeding the malicious score, disregarding the first data structure;
      
      in response to the first malicious score approximating the first benign score, issuing a prompt to investigate the first asset;
      
      wherein issuing the second alert to investigate the network for the second network security threat comprises issuing a second alert to investigate the network for the second network security threat in response to the malicious score exceeding the benign score.

18. A method for predicting and characterizing cyber attacks comprising:
- receiving a first signal from a sensor implementing deep packet inspection to detect anomalous behaviors of assets on the network, the first signal specifying a first anomalous behavior of a first asset on the network at a first time;
  
  compiling the first signal and a first set of signals into a first vector representing frequencies of anomalous behaviors, in a predefined set of behavior types, of the first asset on the network within a first time window of a preset duration up to the first time;
  
  calculating a first malicious score based on proximity of the first vector to a set of malicious vectors defining sets of behaviors representative of network security threats;
  
  calculating a first benign score proportional to proximity of the first vector to a set of benign vectors representing innocuous sets of behaviors;
  
  in response to the first malicious score exceeding the first benign score and a malicious threshold score, issuing a first alert to investigate the network for a network security threat;
  
  in response to the first benign score and the malicious threshold score exceeding the first malicious score, disregarding the first vector; and
  
  in response to the first malicious score differing from the first benign score, by less than a threshold difference, issuing a prompt to investigate the first asset.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18:
    - further comprising;
      
      calculating a first degree of deviation of the first vector from a corpus of historical vectors, each vector in the corpus of vectors representing a previous set of behaviors of an asset on the network within a time window of the preset duration; and
      
      in response to the first degree of deviation exceeding a deviation threshold score, issuing a second alert to investigate the first asset; and
      
      wherein calculating the first malicious score comprises calculating the first malicious score in response to the deviation threshold score exceeding the first degree of deviation.
  - 20. The method of claim 18:
    - wherein issuing the second alert to investigate the network for the network security threat comprises;
      
      generating the second alert specifying the first asset and comprising a prompt for an investigation into presence of the network security threat, associated with a first malicious vector nearest the first vector, on the network; and
      
      inserting the second alert into an alert feed of a security operation center; and
      
      further comprising;
      
      accessing a confirmation of the network security threat on the network from the security operation center;
      
      labeling the first vector as representative of the network security threats;
      
      inserting the first vector into the set of malicious vectors; and
      
      inserting the first vector into the corpus of historical vectors.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sumo Logic, Inc.
Original Assignee
Jask Labs Inc. (Sumo Logic, Inc.)
Inventors
Martin, Gregory, Piscitell, III, Thomas, Matslofva, David, Waskiewicz, Brian

Granted Patent

US 10,372,910 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

METHOD FOR PREDICTING AND CHARACTERIZING CYBER ATTACKS

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD FOR PREDICTING AND CHARACTERIZING CYBER ATTACKS

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links