Cyber defense systems and methods

US 9,185,124 B2
Filed: 11/16/2013
Issued: 11/10/2015
Est. Priority Date: 02/27/2013
Status: Active Grant

First Claim

Patent Images

1. A cyber defense method for protecting an enterprise system having a plurality of networked components, at least some of the components being accessible via endpoints, comprising:

collecting connectivity and relationship information indicative of connectivity and behavior of the components resulting from human interaction with the endpoints;

creating a relationship graph based upon the connectivity data and the relationship data, wherein nodes of the relationship graph represent the components and edges of the graph represent connectivity and relationships between the components;

storing at least part of the relationship graph to form a chronology indicating the connectivity and relationship information of the components at a given time;

generating a prediction by analyzing the previously stored relationship graph and the previously formed chronology, the prediction indicating expected future connectivity and relationship behavior within the enterprise system; and

identifying a first anomaly when the most recent connectivity and relationships do not match the prediction.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Cyber defense systems and methods protect an enterprise system formed of a plurality of networked components. Connectivity and relationship information indicative of connectivity and behavior of the components are collected. A relationship graph is created based upon the connectivity data and the relationship data, wherein nodes of the relationship graph represent the components and edges of the graph represent connectivity and relationships. At least part of the relationship graph is stored to form a chronology. The relationship graph and the chronology are analyzed to predict connectivity and relationship changes within the enterprise system, and a first anomaly is identified when the current connectivity and relationships do not match the prediction.

Citations

20 Claims

1. A cyber defense method for protecting an enterprise system having a plurality of networked components, at least some of the components being accessible via endpoints, comprising:
- collecting connectivity and relationship information indicative of connectivity and behavior of the components resulting from human interaction with the endpoints;
  
  creating a relationship graph based upon the connectivity data and the relationship data, wherein nodes of the relationship graph represent the components and edges of the graph represent connectivity and relationships between the components;
  
  storing at least part of the relationship graph to form a chronology indicating the connectivity and relationship information of the components at a given time;
  
  generating a prediction by analyzing the previously stored relationship graph and the previously formed chronology, the prediction indicating expected future connectivity and relationship behavior within the enterprise system; and
  
  identifying a first anomaly when the most recent connectivity and relationships do not match the prediction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The cyber defense method of claim 1, further comprising analyzing the relationship graph to identify peer groups of nodes that have similar connectivity and relationship characteristics, wherein the prediction is further based upon the peer groups.
  - 3. The cyber defense method of claim 1, further comprising sending at least part of the prediction to an associated agent operating to collect the connectivity and relationship information, wherein the agent identifies the first anomaly.
  - 4. The cyber defense method of claim 1, further comprising:
    - determining uncertainty of the connectivity or relationship information; and
      
      generating an alert if the uncertainty is less than a predefined threshold.
  - 5. The cyber defense method of claim 1, further comprising:
    - collecting textual data from at least a portion of the components;
      
      processing the textual data to identify infrequent phrases or words; and
      
      identifying a second anomaly based upon the infrequent words or phrases.
  - 6. The cyber defense method of claim 5, further comprising generating the alert based upon correlation of the first and second anomaly.
  - 7. The cyber defense method of claim 5, the infrequent phrases or words identifying script commands that are not commonly used on a corresponding one of the portion of the components.
  - 8. The cyber defense method of claim 5, the infrequent phrases or words identifying processes that are not commonly run on a corresponding one of the portion of the components.

9. A cyber defense method for protecting an enterprise system having a plurality of networked components, comprising:
- receiving information indicative of human interaction with endpoints of the enterprise system from at least one agent configured to collect the information from the enterprise system;
  
  calculating normative baseline values and abnormal statistical thresholds based upon the information;
  
  generate relationship graph T based upon updates and changes within the information;
  
  calculate uncertainty based upon the information and an age of the information;
  
  compare a previously generated predicted relationship graph T and relationship graph T and generate anomaly list;
  
  filter anomaly list based upon uncertainty; and
  
  generating alerts based upon the filtered anomaly list.
- View Dependent Claims (10, 11, 12)
- - 10. The cyber defense method of claim 9, further comprising aging the relationship graphs.
  - 11. The cyber defense method of claim 9, further comprising generating the predicted relationship graph based upon the relationship graphs.
  - 12. The cyber defense method of claim 11, further comprising sending predictions within the predicted relationship graph to the at least one agent, wherein the agent identifies current events within the enterprise system not matching the predictions.

13. A software product comprising instructions, stored on non-transitory computer-readable media, wherein the instructions, when executed by a computer, perform steps for protecting an enterprise system having a plurality of networked components, comprising:
- instructions for collecting connectivity and relationship information indicative of connectivity and behavior of the components resulting from human interaction with endpoints of the enterprise system;
  
  instructions for creating a relationship graph based upon the connectivity data and the relationship data, wherein nodes of the relationship graph represent the components and edges of the graph represent connectivity and relationships between the components;
  
  instructions for storing at least part of the relationship graph to form a chronology;
  
  instructions for generating a prediction by analyzing the previously stored relationship graph and the previously formed chronology, the prediction indicating expected future connectivity and relationship behavior within the enterprise system; and
  
  instructions for identifying a first anomaly when the most recent connectivity and relationships do not match the prediction.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The software product of claim 13, further comprising instructions for analyzing the relationship graph to identify peer groups of nodes that have similar connectivity and relationship characteristics, wherein the prediction is further based upon the peer groups.
  - 15. The software product of claim 13, further comprising instructions for sending at least part of the prediction to an associated agent operating to collect the connectivity and relationship information, wherein the agent identifies the first anomaly.
  - 16. The software product of claim 13, further comprising:
    - instructions for determining uncertainty of the connectivity and relationship information; and
      
      instructions for generating an alert if the uncertainty is less than a predefined threshold.
  - 17. The software product of claim 13, further comprising:
    - instructions for collecting textual data from at least a portion of the components;
      
      instructions for processing the textual data to identify infrequent phrases or words; and
      
      instructions for identifying a second anomaly based upon the infrequent words or phrases.
  - 18. The software product of claim 17, further comprising instructions for generating the alert based upon correlation of the first and second anomaly.
  - 19. The software product of claim 17, the infrequent phrases or words identifying script commands that are not commonly used on a corresponding one of the portion of the components.
  - 20. The software product of claim 17, the infrequent phrases or words identifying processes that are not commonly run on a corresponding one of the portion of the components.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sayan Chakraborty
Original Assignee
Sayan Chakraborty
Inventors
Chakraborty, Sayan
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Sanders, Stephen

Application Number

US14/082,131
Publication Number

US 20140245443A1
Time in Patent Office

724 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04L 63/1433 Vulnerability analysis

Cyber defense systems and methods

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Cyber defense systems and methods

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links