System and method for privacy-enhanced cyber data fusion using temporal-behavioral aggregation and analysis
First Claim
1. A method performed by a computer that has been programmed with instructions that cause the computer to function as a threat-monitoring device for determining, within a deployed environment over a data communication network, network threats and their associated behaviors, the method comprising:
acquiring sensor data that identifies a specific contact;
normalizing the acquired sensor data to generate transformed sensor data;
deriving, for the specific contact from the transformed sensor data using temporal aggregation, a contact behavior feature vector for each of a plurality of time periods;
determining, for the specific contact from the contact behavior feature vector, scores associated with each of a plurality of classification modules to form a contact score vector, the contact score vector being independent of an identity of the specific contact;
identifying a type of the specific contact based on the contact score vector; and
determining, by the threat-monitoring device, a threat type, based on the contact behavioral feature vector and the contact score vector, when the type of the specific contact is determined to be a threat in the identifying step.
Abstract
A method of determining, within a deployed environment over a data communication network, network threats and their associated behaviors. The method includes the steps of acquiring sensor data that identifies a specific contact, normalizing the acquired sensor data to generate transformed sensor data, deriving, for the specific contact from the transformed sensor data, a contact behavior feature vector for each of a plurality of time periods, determining, for the specific contact, scores associated with each of a plurality of classification modules to form a contact score vector, the contact score vector being independent of an identity of the specific contact, identifying a type of the specific contact based on the contact score vector, and determining a threat type, based on the contact behavioral profile and the contact score vector, when the specific contact is determined to be a threat in the identifying step.
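The pipeline that claim 1 and the abstract describe (acquire, normalize, aggregate per time period, score with several classification modules, type the contact, then name the threat) is easier to see as running code. The block below is an added worked example in Python, not code from the patent or its assignee. The record layout, the 60-second window, the four features, the three classification modules, the salt and every threshold are assumptions made for illustration; the sensor records are constructed. The one design point it is built to show is the identity-independence of the contact score vector: the identity is replaced by a salted pseudonym at the normalization step, the modules see only behavior features, and two contacts with the same behavior get the same score vector.

```python
# Added worked example, not code from the patent or its assignee: a toy
# Python version of the pipeline in claim 1 and the abstract. The record
# layout, window length, feature set, the three classification modules,
# the salt and every threshold are assumptions made for illustration.
import hashlib
from collections import defaultdict

PERIOD_SECONDS = 60       # length of one aggregation time period (assumption)
THREAT_THRESHOLD = 0.6    # score at or above which a contact is typed as a threat (assumption)
PSEUDONYM_SALT = b"deployment-secret"  # assumption; lives only in the ingest tier

# Constructed sensor records: (epoch seconds, source IP, dest port, bytes out, auth_ok)
SENSOR_DATA = [
    # 10.0.0.5: six failed SSH logins in the first minute, one success in the second
    (0, "10.0.0.5", 22, 200, False), (8, "10.0.0.5", 22, 200, False),
    (15, "10.0.0.5", 22, 200, False), (23, "10.0.0.5", 22, 200, False),
    (31, "10.0.0.5", 22, 200, False), (40, "10.0.0.5", 22, 200, False),
    (75, "10.0.0.5", 22, 200, True),
    # 10.0.0.9: two ordinary HTTPS requests
    (3, "10.0.0.9", 443, 1500, True), (45, "10.0.0.9", 443, 1500, True),
    # 10.0.0.77: one tiny probe to each of eight different ports
    *[(10 + i, "10.0.0.77", 20 + i, 60, True) for i in range(8)],
]


def pseudonym(identity):
    """Replace the contact identity with a salted hash at ingest time, so no
    later stage of the pipeline handles the raw identifier."""
    return hashlib.sha256(PSEUDONYM_SALT + identity.encode()).hexdigest()[:16]


def normalize(records):
    """Transform raw sensor tuples into one uniform schema keyed by pseudonym."""
    return [
        {"contact": pseudonym(ip), "ts": ts, "port": port,
         "bytes": nbytes, "auth_ok": auth_ok}
        for ts, ip, port, nbytes, auth_ok in records
    ]


def temporal_aggregate(transformed, contact):
    """Derive one behavior feature vector per time period for one contact."""
    windows = defaultdict(list)
    for rec in transformed:
        if rec["contact"] == contact:
            windows[rec["ts"] // PERIOD_SECONDS].append(rec)
    features = {}
    for period, recs in sorted(windows.items()):
        n = len(recs)
        features[period] = {
            "n_events": n,
            "distinct_ports": len({r["port"] for r in recs}),
            "bytes_out": sum(r["bytes"] for r in recs),
            "auth_fail_rate": sum(not r["auth_ok"] for r in recs) / n,
        }
    return features


# Classification modules: each maps a feature vector to a score in [0, 1].
# They receive only behavior features, never the contact identity.
MODULES = {
    "port_scan": lambda f: min(f["distinct_ports"] / 5, 1.0),
    "credential_brute_force": lambda f: f["auth_fail_rate"] * min(f["n_events"] / 5, 1.0),
    "exfiltration": lambda f: min(f["bytes_out"] / 100_000, 1.0),
}


def score_vector(features):
    """Contact score vector: one score per module, in MODULES order."""
    return tuple(round(fn(features), 3) for fn in MODULES.values())


def identify_type(scores):
    """Type the contact from the score vector alone."""
    return "threat" if max(scores) >= THREAT_THRESHOLD else "benign"


def determine_threat_type(features, scores):
    """Name the threat from the highest-scoring module plus an intensity read
    from the feature vector, so both inputs shape the label as claim 1 requires."""
    module = max(zip(scores, MODULES), key=lambda pair: pair[0])[1]
    intensity = "sustained" if features["n_events"] >= 5 else "brief"
    return f"{module}:{intensity}"


def analyze(records, ip):
    """Run the whole pipeline for one contact.
    Returns {period: (contact type, threat type or None, score vector)}."""
    transformed = normalize(records)
    result = {}
    for period, feats in temporal_aggregate(transformed, pseudonym(ip)).items():
        scores = score_vector(feats)
        kind = identify_type(scores)
        threat = determine_threat_type(feats, scores) if kind == "threat" else None
        result[period] = (kind, threat, scores)
    return result


if __name__ == "__main__":
    for ip in ("10.0.0.5", "10.0.0.9", "10.0.0.77"):
        print(ip, analyze(SENSOR_DATA, ip))
```

Running it, 10.0.0.5 is typed as a threat in its first period (six failed logins) and as benign in the second (one successful login), which is the point of scoring each time period separately rather than the contact's whole history. Because the score vector carries nothing but module outputs, it can leave the tier that holds the pseudonym salt and be fused with vectors from other sensors or sites without disclosing which contact produced it; that separation is the property the claim's "independent of an identity" wording pins down, and the example enforces it structurally rather than by policy.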
14 Claims
1. Independent claim; text as given under First Claim above. Dependent claims 2 to 7 are not reproduced here.
8. A monitoring device for determining, within a deployed environment over a data communication network, network threats and their associated behaviors, the monitoring device comprising:
a processor configured to acquire sensor data that identifies a specific contact;
normalize the acquired sensor data to generate transformed sensor data;
derive, for the specific contact from the transformed sensor data using temporal aggregation, a contact behavior feature vector for each of a plurality of time periods;
determine, for the specific contact from the contact behavior feature vector, scores associated with each of a plurality of classification modules to form a contact score vector, the contact score vector being independent of an identity of the specific contact;
identify a type of the specific contact based on the contact score vector; and
determine a threat type, based on the contact behavioral feature vector and the contact score vector, when the type of the specific contact is determined to be a threat.
Dependent claims 9 to 13 are not reproduced here.
14. A non-transitory computer-readable medium storing a computer program, which when executed by a computer, causes the computer to determine, within a deployed environment over a data communication network, network threats and their associated behaviors by performing the steps of:
acquiring sensor data that identifies a specific contact;
normalizing the acquired sensor data to generate transformed sensor data;
deriving, for the specific contact from the transformed sensor data using temporal aggregation, a contact behavior feature vector for each of a plurality of time periods;
determining, for the specific contact from the contact behavior feature vector, scores associated with each of a plurality of classification modules to form a contact score vector, the contact score vector being independent of an identity of the specific contact;
identifying a type of the specific contact based on the contact score vector; and
determining a threat type, based on the contact behavioral feature vector and the contact score vector, when the type of the specific contact is determined to be a threat in the identifying step.