System and method for privacy-enhanced cyber data fusion using temporal-behavioral aggregation and analysis

US 8,468,599 B2
Filed: 09/20/2010
Issued: 06/18/2013
Est. Priority Date: 09/20/2010
Status: Active Grant

First Claim

Patent Images

1. A method performed by a computer that has been programmed with instructions that cause the computer to function as a threat-monitoring device for determining, within a deployed environment over a data communication network, network threats and their associated behaviors, the method comprising:

acquiring sensor data that identifies a specific contact;

normalizing the acquired sensor data to generate transformed sensor data;

deriving, for the specific contact from the transformed sensor data using temporal aggregation, a contact behavior feature vector for each of a plurality of time periods;

determining, for the specific contact from the contact behavior feature vector, scores associated with each of a plurality of classification modules to form a contact score vector, the contact score vector being independent of an identity of the specific contact;

identifying a type of the specific contact based on the contact score vector; and

determining, by the threat-monitoring device, a threat type, based on the contact behavioral feature vector and the contact score vector, when the type of the specific contact is determined to be a threat in the identifying step.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of determining, within a deployed environment over a data communication network, network threats and their associated behaviors. The method includes the steps of acquiring sensor data that identifies a specific contact, normalizing the acquired sensor data to generate transformed sensor data, deriving, for the specific contact from the transformed sensor data, a contact behavior feature vector for each of a plurality of time periods, determining, for the specific contact, scores associated with each of a plurality of classification modules to form a contact score vector, the contact score vector being independent of an identity of the specific contact, identifying a type of the specific contact based on the contact score vector, and determining a threat type, based on the contact behavioral profile and the contact score vector, when the specific contact is determined to be a threat in the identifying step.

Citations

14 Claims

1. A method performed by a computer that has been programmed with instructions that cause the computer to function as a threat-monitoring device for determining, within a deployed environment over a data communication network, network threats and their associated behaviors, the method comprising:
- acquiring sensor data that identifies a specific contact;
  
  normalizing the acquired sensor data to generate transformed sensor data;
  
  deriving, for the specific contact from the transformed sensor data using temporal aggregation, a contact behavior feature vector for each of a plurality of time periods;
  
  determining, for the specific contact from the contact behavior feature vector, scores associated with each of a plurality of classification modules to form a contact score vector, the contact score vector being independent of an identity of the specific contact;
  
  identifying a type of the specific contact based on the contact score vector; and
  
  determining, by the threat-monitoring device, a threat type, based on the contact behavioral feature vector and the contact score vector, when the type of the specific contact is determined to be a threat in the identifying step.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - deriving, for the specific contact from the transformed sensor data, a measure of trust and a measure of risk.
  - 3. The method of claim 1, wherein the acquiring step comprises:
    - acquiring the sensor data that identifies the specific contact, the specific contact being one of a host, a host group, a network, an autonomous system, and a country.
  - 4. The method of claim 1, wherein the identifying step comprises identifying the type of the specific contact, the type being one of normal, abnormal, threat, and unknown.
  - 5. The method of claim 1, further comprising:
    - deriving a behavioral trust vector based on the contact score vector;
      
      calculating a measure of trust of the specific contact based on the derived behavioral trust vector; and
      
      calculating a measure of risk to business processes, based on the contact score vector and identified threats to assets that are used by the business processes.
  - 6. The method of claim 1, further comprising:
    - determining whether the specific contact is an asset within the deployed environment or whether the specific contact is external to the deployed environment; and
      
      determining a set of trust and risk metrics based on whether the specific contact is the asset within the deployed environment or is external to the deployed environment.
  - 7. The method of claim 1, wherein the normalizing step comprises:
    - formatting the acquired sensor data into a predefined format; and
      
      removing address information from the acquired sensor data, and associating a unique, anonymous identification with the sensor data.

8. A monitoring device for determining, within a deployed environment over a data communication network, network threats and their associated behaviors, the monitoring device comprising:
- a processor configured toacquire sensor data that identifies a specific contact;
  
  normalize the acquired sensor data to generate transformed sensor data;
  
  derive, for the specific contact from the transformed sensor data using temporal aggregation, a contact behavior feature vector for each of a plurality of time periods;
  
  determine, for the specific contact from the contact behavior feature vector, scores associated with each of a plurality of classification modules to form a contact score vector, the contact score vector being independent of an identity of the specific contact;
  
  identify a type of the specific contact based on the contact score vector; and
  
  determine a threat type, based on the contact behavioral feature vector and the contact score vector, when the type of the specific contact is determined to be a threat.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The monitoring device of claim 8, wherein the processor is further configured to derive, for the specific contact from the transformed sensor data, a measure of trust and a measure of risk.
  - 10. The monitoring device of claim 8, wherein the processor is configured to acquire the sensor data that identifies the specific contact, the specific contact being one of a host, a host group, a network, an autonomous system, and a country.
  - 11. The monitoring device of claim 8, wherein the processor is configured to identify the type of the specific contact, the type being one of normal, abnormal, threat, and unknown.
  - 12. The monitoring device of claim 8, wherein the processor is further configured to:
    - derive a behavioral trust vector based on the contact score vector; and
      
      calculate a measure of trust of the specific contact based on the derived behavioral trust vector.
  - 13. The monitoring device of claim 8, wherein the processor is further configured to:
    - determine whether the specific contact is an asset within the deployed environment or whether the specific contact is external to the deployed environment; and
      
      determine a set of trust and risk metrics based on whether the specific contact is the asset within the deployed environment or is external to the deployed environment.

14. A non-transitory computer-readable medium storing a computer program, which when executed by a computer, causes the computer to determine, within a deployed environment over a data communication network, network threats and their associated behaviors by performing the steps of:
- acquiring sensor data that identifies a specific contact;
  
  normalizing the acquired sensor data to generate transformed sensor data;
  
  deriving, for the specific contact from the transformed sensor data using temporal aggregation, a contact behavior feature vector for each of a plurality of time periods;
  
  determining, for the specific contact from the contact behavior feature vector, scores associated with each of a plurality of classification modules to form a contact score vector, the contact score vector being independent of an identity of the specific contact;
  
  identifying a type of the specific contact based on the contact score vector; and
  
  determining a threat type, based on the contact behavioral feature vector and the contact score vector, when the type of the specific contact is determined to be a threat in the identifying step.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sonalysts, Inc.
Original Assignee
Sonalysts, Inc.
Inventors
McCusker, Owen, Brunza, Scott
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
JHAVERI, JAYESH M

Application Number

US12/885,723
Publication Number

US 20120072983A1
Time in Patent Office

1,002 Days
Field of Search

726 22- 25
US Class Current

726/22
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 63/126   the source of the received ...

H04L 63/1416   Event detection, e.g. attac...

System and method for privacy-enhanced cyber data fusion using temporal-behavioral aggregation and analysis

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for privacy-enhanced cyber data fusion using temporal-behavioral aggregation and analysis

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links