Security threat detection

US 8,578,494 B1
Filed: 08/11/2011
Issued: 11/05/2013
Est. Priority Date: 03/31/2011
Status: Active Grant

First Claim

Patent Images

1. A method of detecting a potential security threat on a computing system, the method comprising:

embedding time series data relating to the computing system within a reconstructed phase space to generate embedded data;

partitioning the reconstructed phase space into a plurality of regions;

generating a first matrix having a plurality of cells, wherein the first matrix comprises a row and a column for each of the plurality of regions, wherein a value stored in each cell is based on a probability that the system will transition from a first region associated with the cell to a second region associated with the cell and a rate of separation of trajectories of the embedded data within at least one of the first region and the second region, and wherein the first matrix is generated using a first set of the time series data associated with a normal operating condition of the computing system where the computing system is not under attack from the potential security threat;

generating a second matrix based on a second set of the time series data;

comparing the first matrix and the second matrix to detect whether the potential security threat is present on the computing system, wherein comparing the first matrix and the second matrix comprises;

calculating a state change parameter representing a degree of state change between a first state associated with the first matrix and a second state associated with the second matrix; and

comparing the state change parameter to a threshold value; and

performing an action when the state change parameter exceeds the threshold value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of detecting a potential security threat on a computing system is provided. The method comprises embedding time series data relating to the computing system within a reconstructed phase space and partitioning the reconstructed phase space into a plurality of regions. The method further comprises generating a first matrix having a plurality of cells. The first matrix comprises a row and a column for each of the plurality of regions. A value stored in each cell is based on a probability that the system will transition from a first region associated with the cell to a second region associated with the cell and a rate of separation of trajectories of the embedded data within at least one of the first region and the second region. The first matrix is generated using a first set of the time series data that is associated with a normal operating condition of the computing system in which the computing system is not under attack from a security threat. The method further comprises generating a second matrix based on a second set of the time series data and comparing the first matrix and the second matrix to detect whether a potential security threat is present on the computing system.

33 Citations

View as Search Results

16 Claims

1. A method of detecting a potential security threat on a computing system, the method comprising:
- embedding time series data relating to the computing system within a reconstructed phase space to generate embedded data;
  
  partitioning the reconstructed phase space into a plurality of regions;
  
  generating a first matrix having a plurality of cells, wherein the first matrix comprises a row and a column for each of the plurality of regions, wherein a value stored in each cell is based on a probability that the system will transition from a first region associated with the cell to a second region associated with the cell and a rate of separation of trajectories of the embedded data within at least one of the first region and the second region, and wherein the first matrix is generated using a first set of the time series data associated with a normal operating condition of the computing system where the computing system is not under attack from the potential security threat;
  
  generating a second matrix based on a second set of the time series data;
  
  comparing the first matrix and the second matrix to detect whether the potential security threat is present on the computing system, wherein comparing the first matrix and the second matrix comprises;
  
  calculating a state change parameter representing a degree of state change between a first state associated with the first matrix and a second state associated with the second matrix; and
  
  comparing the state change parameter to a threshold value; and
  
  performing an action when the state change parameter exceeds the threshold value.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the value stored in each cell is based on a maximum Lyapunov exponent associated with the first region or the second region.
  - 3. The method of claim 1, further comprising updating the first matrix associated with the normal operating condition of the computing system over a period of time.
  - 4. The method of claim 1, wherein performing the action comprises activating an alarm indicating that a potential security threat has been detected.
  - 5. The method of claim 1, further comprising generating an image based on at least one of the first matrix and the second matrix and transmitting the image to a display.
  - 6. The method of claim 1, wherein embedding time series data relating to the computing system within a reconstructed phase space comprises maintaining a buffer of time series data and streaming new data into the buffer using a moving window method.

7. A system, comprising:
- an electronic processor configured to;
  
  embed time series data relating to a computing system within a reconstructed phase space to generate embedded data;
  
  partition the reconstructed phase space into a plurality of regions;
  
  generate a first matrix having a plurality of cells, wherein the first matrix comprises a row and a column for each of the plurality of regions, wherein a value stored in each cell is based on a probability that the system will transition from a first region associated with the cell to a second region associated with the cell and a rate of separation of trajectories of the embedded data within at least one of the first region and the second region, and wherein the first matrix is generated using a first set of the time series data associated with a normal operating condition of the computing system where the computing system is not under attack from a potential security threat;
  
  generate a second matrix based on a second set of the time series data;
  
  compare the first matrix and the second matrix to detect whether the potential security threat is present on the computing system, wherein the electronic processor is configured to compare the first matrix and the second matrix by;
  
  calculating a state change parameter representing a degree of state change between a first state associated with the first matrix and a second state associated with the second matrix; and
  
  comparing the state change parameter to a threshold value; and
  
  perform an action when the state change parameter exceeds the threshold value.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the value stored in each cell is based on a maximum Lyapunov exponent associated with the first region or the second region.
  - 9. The system of claim 7, wherein the electronic processor is further configured to update the first matrix associated with the normal operating condition of the computing system over a period of time.
  - 10. The system of claim 7, wherein the action performed by the electronic processor when the state change parameter exceeds the threshold value comprises activating an alarm indicating that a potential security threat has been detected.
  - 11. The system of claim 7, wherein the electronic processor is further configured to generate an image based on at least one of the first matrix and the second matrix and transmit the image to a display.
  - 12. The system of claim 7, wherein the electronic processor is further configured to maintain a buffer of time series data and stream new data into the buffer using a moving window method.

13. One or more computer-readable media having instructions stored thereon, the instructions being executable by one or more processors to execute a method comprising:
- embedding time series data within a reconstructed phase space to generate embedded data, wherein the time series data comprises network traffic data for a computing system;
  
  partitioning the reconstructed phase space into a plurality of regions;
  
  generating a first matrix having a plurality of cells, wherein the first matrix comprises a row and a column for each of the plurality of regions, wherein a value stored in each cell is based on a probability that the system will transition from a first region associated with the cell to a second region associated with the cell and a rate of separation of trajectories of the embedded data within at least one of the first region and the second region, and wherein the first matrix is generated using a first set of the time series data associated with a normal operating condition of the computing system where the computing system is not under attack from a potential security threat;
  
  generating a second matrix based on a second set of the time series data;
  
  comparing the first matrix and the second matrix to detect whether the potential security threat is present on the computing system, wherein comparing the first matrix and the second matrix comprises;
  
  calculating a state change parameter representing a degree of state change between a first state associated with the first matrix and a second state associated with the second matrix; and
  
  comparing the state change parameter to a threshold value;
  
  performing an action when the state change parameter exceeds the threshold value; and
  
  generating an image based on at least one of the first matrix and the second matrix and transmitting the image to a display.
- View Dependent Claims (14, 15, 16)
- - 14. The one or more computer-readable media of claim 13, wherein the value stored in each cell is based on a maximum Lyapunov exponent associated with the first region or the second region.
  - 15. The one or more computer-readable media of claim 13, wherein the method further comprises updating the first matrix associated with the normal operating condition of the computing system over a period of time.
  - 16. The one or more computer-readable media of claim 13, wherein performing the action comprises activating an alarm indicating that a potential security threat has been detected.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rockwell Collins, Inc. (Raytheon Technologies Corporation d/b/a RTX)
Original Assignee
Rockwell Collins, Inc. (Raytheon Technologies Corporation d/b/a RTX)
Inventors
Engler, Joseph J., Jones, Timothy B., Rice, Gregory W.
Primary Examiner(s)
Truong, Thanhnga B

Application Number

US13/208,071
Time in Patent Office

817 Days
Field of Search

726 22- 26, 713/188, 705/7.11, 702/66, 702/179, 707/101
US Class Current

726/23
CPC Class Codes

G06F 21/552 involving long-term monitor...

Security threat detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

33 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Security threat detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links