Security threat detection
First Claim
1. A method of detecting a potential security threat on a computing system, the method comprising:
embedding time series data relating to the computing system within a reconstructed phase space to generate embedded data;
partitioning the reconstructed phase space into a plurality of regions;
generating a first matrix having a plurality of cells, wherein the first matrix comprises a row and a column for each of the plurality of regions, wherein a value stored in each cell is based on a probability that the system will transition from a first region associated with the cell to a second region associated with the cell and a rate of separation of trajectories of the embedded data within at least one of the first region and the second region, and wherein the first matrix is generated using a first set of the time series data associated with a normal operating condition of the computing system where the computing system is not under attack from the potential security threat;
generating a second matrix based on a second set of the time series data;
comparing the first matrix and the second matrix to detect whether the potential security threat is present on the computing system, wherein comparing the first matrix and the second matrix comprises:
calculating a state change parameter representing a degree of state change between a first state associated with the first matrix and a second state associated with the second matrix; and
comparing the state change parameter to a threshold value; and
performing an action when the state change parameter exceeds the threshold value.
1 Assignment
0 Petitions
Abstract
A method of detecting a potential security threat on a computing system is provided. The method comprises embedding time series data relating to the computing system within a reconstructed phase space and partitioning the reconstructed phase space into a plurality of regions. The method further comprises generating a first matrix having a plurality of cells. The first matrix comprises a row and a column for each of the plurality of regions. A value stored in each cell is based on a probability that the system will transition from a first region associated with the cell to a second region associated with the cell and a rate of separation of trajectories of the embedded data within at least one of the first region and the second region. The first matrix is generated using a first set of the time series data that is associated with a normal operating condition of the computing system in which the computing system is not under attack from a security threat. The method further comprises generating a second matrix based on a second set of the time series data and comparing the first matrix and the second matrix to detect whether a potential security threat is present on the computing system.
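The pipeline described in the abstract, worked through end to end as an added example. This is illustrative code written for this page, not the patent's own implementation (the specification is not reproduced here): a scalar packets-per-second series is delay-embedded into a plane, the plane is cut into a fixed grid of regions, a region-to-region transition matrix is built whose rows are weighted by a nearest-neighbour estimate of how fast nearby trajectories separate, and the normalised Frobenius distance between the baseline matrix and a newer window's matrix serves as the state change parameter. The embedding parameters, the uniform grid, the product form probability x (1 + separation rate), the Frobenius distance, the threshold calibration and the synthetic traffic generator are all this example's assumptions; the claims fix none of them.

```python
"""Phase-space transition-matrix anomaly detector (added example, not the patent's code).
Steps follow the claim language: embed -> partition -> weighted transition matrix for a
baseline and for a new window -> state change parameter -> threshold -> action."""
import numpy as np


def embed(series, dim=2, delay=1):
    """Takens delay embedding: row t is (x_t, x_{t+delay}, ..., x_{t+(dim-1)*delay})."""
    x = np.asarray(series, dtype=float)
    n = len(x) - (dim - 1) * delay
    if n < 2:
        raise ValueError("series too short for this embedding")
    return np.column_stack([x[i * delay:i * delay + n] for i in range(dim)])


class Grid:
    """Uniform partition of the phase space. Bounds are fixed from the baseline so that
    out-of-range attack values land in the edge regions instead of resizing the grid."""

    def __init__(self, baseline_points, bins):
        self.lo = baseline_points.min(axis=0)
        self.hi = baseline_points.max(axis=0)
        self.bins, self.dim = bins, baseline_points.shape[1]
        self.n_regions = bins ** self.dim

    def regions(self, points):
        scaled = (points - self.lo) / (self.hi - self.lo) * self.bins
        idx = np.clip(np.floor(scaled).astype(int), 0, self.bins - 1)
        return np.ravel_multi_index(idx.T, (self.bins,) * self.dim)


def transition_matrix(regions, n_regions):
    """Row-stochastic matrix of observed region -> region moves; unvisited regions get zero rows."""
    counts = np.zeros((n_regions, n_regions))
    np.add.at(counts, (regions[:-1], regions[1:]), 1.0)
    row_sum = counts.sum(axis=1, keepdims=True)
    return np.divide(counts, row_sum, out=np.zeros_like(counts), where=row_sum > 0)


def separation_rates(points, regions, n_regions, theiler=10):
    """Per source region: mean one-step log divergence between each point and its nearest
    neighbour (local Lyapunov-style rate). Neighbours within `theiler` steps in time are
    excluded so the pair is two passes through the region, not the same trajectory."""
    n = len(points)
    total, count = np.zeros(n_regions), np.zeros(n_regions)
    for t in range(n - 1):
        d = np.linalg.norm(points[:n - 1] - points[t], axis=1)
        d[max(0, t - theiler):t + theiler + 1] = np.inf
        s = int(np.argmin(d))
        if not np.isfinite(d[s]):
            continue
        d_next = np.linalg.norm(points[t + 1] - points[s + 1])
        total[regions[t]] += np.log((d_next + 1e-9) / (d[s] + 1e-9))
        count[regions[t]] += 1
    return np.where(count > 0, total / np.maximum(count, 1), 0.0)


def state_matrix(series, grid, dim, delay):
    """One matrix of the claims: transition probabilities scaled per source region by
    (1 + positive separation rate), so moves out of unstable regions count for more (assumed form)."""
    pts = embed(series, dim, delay)
    reg = grid.regions(pts)
    weight = 1.0 + np.maximum(separation_rates(pts, reg, grid.n_regions), 0.0)
    return transition_matrix(reg, grid.n_regions) * weight[:, None]


def state_change(m_ref, m_new):
    """State change parameter: Frobenius distance normalised by the reference norm (assumed form)."""
    return float(np.linalg.norm(m_new - m_ref) / np.linalg.norm(m_ref))


class PhaseSpaceDetector:
    def __init__(self, baseline, window=1000, dim=2, delay=1, bins=4, margin=3.0):
        self.window, self.dim, self.delay = window, dim, delay
        self.grid = Grid(embed(baseline, dim, delay), bins)
        # Reference = mean over equal-length baseline windows: the separation-rate estimate
        # depends on point density, so only same-length windows are comparable.
        mats = [state_matrix(baseline[i:i + window], self.grid, dim, delay)
                for i in range(0, len(baseline) - window + 1, window)]
        self.reference = np.mean(mats, axis=0)
        # Threshold = worst in-sample window deviation times a safety margin (calibration choice).
        self.threshold = margin * max(state_change(self.reference, m) for m in mats)

    def score(self, series):
        return state_change(self.reference, state_matrix(series, self.grid, self.dim, self.delay))

    def check(self, series):
        """Returns (state change parameter, alert flag); the caller performs the action."""
        s = self.score(series)
        return s, s > self.threshold


def synthetic_pps(n, rng, flood=False):
    """Constructed packets-per-second series (not real traffic): a slow sine plus noise;
    a volumetric flood adds a large, noisy offset."""
    t = np.arange(n)
    pps = 100 + 20 * np.sin(2 * np.pi * t / 50) + rng.normal(0, 3, n)
    if flood:
        pps += 200 + rng.normal(0, 60, n)
    return pps


def demo():
    rng = np.random.default_rng(42)
    det = PhaseSpaceDetector(synthetic_pps(3000, rng))
    normal = det.check(synthetic_pps(1000, rng))
    attack = det.check(synthetic_pps(1000, rng, flood=True))
    return det.threshold, normal, attack


if __name__ == "__main__":
    thr, (s_ok, a_ok), (s_bad, a_bad) = demo()
    print(f"threshold={thr:.3f} normal={s_ok:.3f} alert={a_ok} flood={s_bad:.3f} alert={a_bad}")
```

Two practical points the claims leave open: the rate-of-separation estimate shrinks as the point cloud gets denser, so the baseline and the incoming window must be compared at equal length (here the reference is a mean over same-length baseline windows rather than one matrix over the whole baseline); and the grid bounds are frozen from the baseline, so a flood that pushes the series far outside its normal range collapses into a single edge region, which is exactly what makes the second matrix differ from the first. A heatmap of `det.reference` beside the window's matrix is the kind of image claim 13 refers to.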
33 Citations
16 Claims
1. (Independent claim; the full text is given under First Claim above.) Dependent claims 2-6 are not reproduced on this page.
7. A system, comprising:
an electronic processor configured to:
embed time series data relating to a computing system within a reconstructed phase space to generate embedded data;
partition the reconstructed phase space into a plurality of regions;
generate a first matrix having a plurality of cells, wherein the first matrix comprises a row and a column for each of the plurality of regions, wherein a value stored in each cell is based on a probability that the system will transition from a first region associated with the cell to a second region associated with the cell and a rate of separation of trajectories of the embedded data within at least one of the first region and the second region, and wherein the first matrix is generated using a first set of the time series data associated with a normal operating condition of the computing system where the computing system is not under attack from a potential security threat;
generate a second matrix based on a second set of the time series data;
compare the first matrix and the second matrix to detect whether the potential security threat is present on the computing system, wherein the electronic processor is configured to compare the first matrix and the second matrix by:
calculating a state change parameter representing a degree of state change between a first state associated with the first matrix and a second state associated with the second matrix; and
comparing the state change parameter to a threshold value; and
perform an action when the state change parameter exceeds the threshold value.
Dependent claims 8-12 are not reproduced on this page.
13. One or more computer-readable media having instructions stored thereon, the instructions being executable by one or more processors to execute a method comprising:
embedding time series data within a reconstructed phase space to generate embedded data, wherein the time series data comprises network traffic data for a computing system;
partitioning the reconstructed phase space into a plurality of regions;
generating a first matrix having a plurality of cells, wherein the first matrix comprises a row and a column for each of the plurality of regions, wherein a value stored in each cell is based on a probability that the system will transition from a first region associated with the cell to a second region associated with the cell and a rate of separation of trajectories of the embedded data within at least one of the first region and the second region, and wherein the first matrix is generated using a first set of the time series data associated with a normal operating condition of the computing system where the computing system is not under attack from a potential security threat;
generating a second matrix based on a second set of the time series data;
comparing the first matrix and the second matrix to detect whether the potential security threat is present on the computing system, wherein comparing the first matrix and the second matrix comprises:
calculating a state change parameter representing a degree of state change between a first state associated with the first matrix and a second state associated with the second matrix; and
comparing the state change parameter to a threshold value;
performing an action when the state change parameter exceeds the threshold value; and
generating an image based on at least one of the first matrix and the second matrix and transmitting the image to a display.
Dependent claims 14-16 are not reproduced on this page.
Specification