Systems and methods for classifying malicious network events
First Claim
1. A system for classifying events on a computer network comprising:
- a feature engineering module on a host computer having a non-transitory memory and a processor, the feature engineering module comprising:
  - an event clustering engine hosted on the non-transitory memory, wherein the event clustering engine receives event and log data related to identifiable actors from a security information and event management (SIEM) or log management module and selects behavioral groupings of the event and log data;
  - an affinity-based feature generation module hosted on the non-transitory memory and in communication with the event clustering engine, wherein the affinity-based feature generation module assigns a value to each identifiable actor based on occurrences within predetermined time intervals of the identifiable actors having the selected behavioral grouping, wherein the value is assigned to each identifiable actor for each event within the event and log data;
  - a time-based weighting decay module hosted on the non-transitory memory and in communication with the affinity-based feature generation module, wherein the time-based weighting decay module applies a time decaying function to the assigned values for each identifiable actor at a reference time, wherein the time decaying function is weighted based on an occurrence time of an event within the event and log data relative to the reference time; and
  - a feature engineering storage module hosted on the non-transitory memory and in communication with the time-based weighting decay module, wherein information relating to the identifiable actors and their associated time-decayed values is stored on the feature engineering storage module; and
- a prediction model generated by a machine learning module on a host computer based on information received from the event clustering engine and the time-based weighting decay module, wherein the prediction model is utilized by a prediction engine on a computer to predict and classify received event and log data as malicious or non-malicious for each event within the event and log data.
Abstract
A system for classifying events on a computer network includes an event clustering engine for receiving event and log data related to identifiable actors from a security information and event management (SIEM) or log management module and selecting behavioral groupings of the event and log data. An affinity-based feature generation module assigns a value to each identifiable actor based on occurrences within predetermined time intervals of the identifiable actors having the selected behavioral grouping. A time-based weighting decay module applies a time decaying function to the assigned values for each identifiable actor. A feature engineering storage module stores information relating to the identifiable actors and their associated time-decayed values. A machine learning module generates a prediction model based on information received from the event clustering engine and the time-based weighting decay module, and the prediction model is utilized by a prediction engine on a computer to predict and classify received event and log data as malicious or non-malicious.
20 Claims
1. A system for classifying events on a computer network comprising: [independent claim; text identical to the First Claim given above]. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.

12. A computer-implemented method of classifying events on a computer network comprising:
- receiving, by an event clustering engine, event and log data related to identifiable actors from a security information and event management (SIEM) or log management module;
- selecting behavioral groupings of the event and log data;
- assigning, by an affinity-based feature generation module, a value to each identifiable actor for each event within the event and log data based on occurrences within predetermined time intervals of the identifiable actors having the selected behavioral grouping;
- applying, by a time-based weighting decay module, a time decaying function to the assigned values for each identifiable actor at a reference time, and weighting the time decay function based on an occurrence time of an event within the event and log data relative to the reference time;
- storing information relating to the identifiable actors and their associated time-decayed values;
- generating, by a machine learning module, a prediction model based on information received from the event clustering engine and the time-based weighting decay module; and
- predicting and classifying, by a computer, based on the prediction model, received event and log data as malicious or non-malicious for each event within the event and log data.

Dependent claims: 13, 14, 15, 16, 17, 18, 19.

20. A non-transitory computer readable medium containing instructions for providing a process of classifying events on a computer network enabled at least in part on a processor of a computerized device, the instructions, which when executed by the processor, performing the steps of:
- receiving, by an event clustering engine, event and log data related to identifiable actors from a security information and event management (SIEM) or log management module;
- selecting behavioral groupings of the event and log data;
- assigning, by an affinity-based feature generation module, a value to each identifiable actor for each event within the event and log data based on occurrences within predetermined time intervals of the identifiable actors having the selected behavioral grouping;
- applying, by a time-based weighting decay module, a time decaying function to the assigned values for each identifiable actor at a reference time, and weighting the time decay function based on an occurrence time of an event within the event and log data relative to the reference time;
- storing information relating to the identifiable actors and their associated time-decayed values;
- generating, by a machine learning module, a prediction model based on information received from the event clustering engine and the time-based weighting decay module; and
- predicting and classifying, based on the prediction model, received event and log data as malicious or non-malicious for each event within the event and log data.

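The abstract and claims 1, 12 and 20 all describe the same pipeline: cluster events into behavioral groupings, give each actor's event a value equal to how often that actor appears in the selected grouping within a fixed time interval, decay those values toward a reference time, and train a classifier on the result. The following Python sketch is an added example written for this page; it is not the patent holder's code and the patent specifies neither the interval length, the decay function nor the learning algorithm. It assumes a 10-minute interval, an exponential half-life decay (`0.5 ** (age / half_life)`), a hand-written logistic regression in place of the machine learning module, and a constructed event list and labelled training set with hypothetical actor addresses.

```python
import math
from datetime import datetime, timedelta

# Constructed sample SIEM events (hypothetical, not from the patent).
# Each event: (identifiable actor, occurrence time, behavioral grouping from clustering).
EPOCH = datetime(2024, 1, 1)


def at(hour, minute):
    """Timestamp on the sample day; keeps the constructed event list readable."""
    return EPOCH + timedelta(hours=hour, minutes=minute)


EVENTS = [
    ("10.0.0.5", at(10, 58), "auth_failure"),
    ("10.0.0.5", at(11, 55), "auth_failure"),
    ("10.0.0.5", at(11, 57), "auth_failure"),
    ("10.0.0.5", at(11, 59), "auth_failure"),
    ("10.0.0.9", at(11, 30), "auth_failure"),
    ("10.0.0.9", at(11, 45), "file_read"),
    ("10.0.0.9", at(11, 46), "file_read"),
]
INTERVAL = 600     # predetermined time interval in seconds (assumption: 10 minutes)
HALF_LIFE = 3600   # decay half-life in seconds (assumption: one hour)
GROUPS = ["auth_failure", "file_read"]   # selected behavioral groupings


def affinity_values(events, group, interval=INTERVAL):
    """Affinity-based feature: every event of an actor in the selected grouping receives
    the count of that actor's events in the same grouping and the same fixed interval."""
    bucket = lambda ts: int((ts - EPOCH).total_seconds() // interval)
    counts = {}
    for actor, ts, g in events:
        if g == group:
            key = (actor, bucket(ts))
            counts[key] = counts.get(key, 0) + 1
    return [(actor, ts, counts[(actor, bucket(ts))])
            for actor, ts, g in events if g == group]


def decayed_scores(values, reference_time, half_life=HALF_LIFE):
    """Time-based weighting decay: each value is weighted by 0.5 ** (age / half_life),
    age being the event's distance before the reference time; later events are skipped."""
    scores = {}
    for actor, ts, value in values:
        age = (reference_time - ts).total_seconds()
        if age < 0:
            continue
        scores[actor] = scores.get(actor, 0.0) + value * 0.5 ** (age / half_life)
    return scores


def feature_vectors(events, reference_time, groups=GROUPS):
    """One feature per grouping and actor: the actor's time-decayed affinity score."""
    per_group = [decayed_scores(affinity_values(events, g), reference_time) for g in groups]
    actors = sorted({actor for actor, _, _ in events})
    return {a: [s.get(a, 0.0) for s in per_group] for a in actors}


# Constructed labelled feature vectors standing in for the stored training data:
# ([auth_failure score, file_read score], 1 = malicious, 0 = non-malicious).
TRAINING = [
    ([8.0, 0.0], 1), ([6.5, 1.0], 1), ([5.0, 0.2], 1),
    ([0.3, 1.8], 0), ([0.0, 2.0], 0), ([1.0, 0.5], 0),
]


def sigmoid(z):
    z = max(-500.0, min(500.0, z))   # clamp so exp() cannot overflow
    return 1.0 / (1.0 + math.exp(-z))


def train_model(samples=TRAINING, epochs=3000, lr=0.02):
    """Minimal logistic regression by gradient descent; stands in for the ML module."""
    weights, bias = [0.0] * len(samples[0][0]), 0.0
    for _ in range(epochs):
        for x, y in samples:
            err = sigmoid(sum(w * xi for w, xi in zip(weights, x)) + bias) - y
            weights = [w - lr * err * xi for w, xi in zip(weights, x)]
            bias -= lr * err
    return weights, bias


def classify(model, x):
    """Prediction engine: label one actor's feature vector."""
    weights, bias = model
    p = sigmoid(sum(w * xi for w, xi in zip(weights, x)) + bias)
    return "malicious" if p >= 0.5 else "non-malicious"


def classify_actors(events=EVENTS, reference_time=at(12, 0)):
    """Full pipeline for one reference time: features, model, labels per actor."""
    model = train_model()
    return {a: classify(model, x) for a, x in feature_vectors(events, reference_time).items()}


if __name__ == "__main__":
    for actor, label in classify_actors().items():
        print(actor, label)
```

The interval bucketing is what makes the feature "affinity-based": three failures by one actor in the same 10-minute window each carry the value 3, while an isolated failure carries 1, so bursts are amplified before any decay is applied. The decay step then makes the same burst count for less as the reference time moves away from it, which is the property that lets a stored score stay meaningful without recomputing it from raw logs.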
Specification