
Systems and methods for classifying malicious network events

  • US 9,306,962 B1
  • Filed: 07/24/2014
  • Issued: 04/05/2016
  • Est. Priority Date: 07/25/2013
  • Status: Active Grant
First Claim

1. A system for classifying events on a computer network comprising:

  • a feature engineering module on a host computer having a non-transitory memory and a processor, the feature engineering module comprising:

    an event clustering engine hosted on the non-transitory memory, wherein the event clustering engine receives event and log data related to identifiable actors from a security information and event management (SIEM) or log management module and selects behavioral groupings of the event and log data;

    an affinity-based feature generation module hosted on the non-transitory memory and in communication with the event clustering engine, wherein the affinity-based feature generation module assigns a value to each identifiable actor based on occurrences within predetermined time intervals of the identifiable actors having the selected behavioral grouping, wherein the value is assigned to each identifiable actor for each event within the event and log data;

    a time-based weighting decay module hosted on the non-transitory memory and in communication with the affinity-based feature generation module, wherein the time-based weighting decay module applies a time decaying function to the assigned values for each identifiable actor at a reference time, wherein the time decaying function is weighted based on an occurrence time of an event within the event and log data relative to the reference time; and

    a feature engineering storage module hosted on the non-transitory memory and in communication with the time-based weighting decay module, wherein information relating to the identifiable actors and their associated time-decayed values are stored on the feature engineering storage module; and

    a prediction model generated by a machine learning module on a host computer based on information received from the event clustering engine and the time-based weighting decay module, wherein the prediction model is utilized by a prediction engine on a computer to predict and classify received event and log data as malicious or non-malicious for each event within the event and log data.
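The claim above describes a concrete pipeline: cluster events into behavioral groupings, count each actor's occurrences of a grouping per fixed time interval (the affinity feature), decay those counts by their age relative to a reference time, store the result, and train a model on it. The following is an added example written for this page, not code from the patent, its assignee, or any product; it runs the pipeline over constructed SIEM-style events. Several things are assumptions of the example rather than details the claim fixes: a hand-written action-to-grouping table stands in for the event clustering engine's output, the decay is exponential with a one-hour half-life measured from the end of each hourly bucket to the reference time, the machine-learning module is a plain logistic regression trained by batch gradient descent, and classification is done per actor rather than per event.

```python
# Added example, not code from the patent: behavioral grouping -> per-interval
# affinity counts -> time-decayed values -> prediction model, over constructed
# SIEM-style events. Group table, decay shape and classifier are assumptions.
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float    # occurrence time in seconds (constructed)
    actor: str   # identifiable actor, here a source IP
    action: str  # normalised event name as a SIEM would emit it


H = 3600.0  # seconds per hour; the interval width and half-life below are one hour

# Assumption: a fixed action -> grouping table stands in for the output of the
# claim's event clustering engine.
GROUPS = {"auth_fail": "credential_probe", "port_scan": "recon",
          "auth_success": "benign_auth", "dns_query": "benign_net"}
GROUP_ORDER = ["credential_probe", "recon", "benign_auth", "benign_net"]


def burst(t0, actor, action, n, step=10):
    """n events of one action by one actor, starting at t0, `step` seconds apart."""
    return [Event(t0 + i * step, actor, action) for i in range(n)]


# Constructed event/log data; actors, events and labels are invented for the example.
EVENTS = (
    burst(100, "10.0.0.5", "auth_fail", 3) + burst(3 * H, "10.0.0.5", "auth_fail", 2)
    + burst(3 * H, "10.0.0.5", "port_scan", 3)
    + burst(2 * H, "10.0.0.9", "auth_fail", 1) + burst(3 * H, "10.0.0.9", "port_scan", 4)
    + burst(3 * H, "10.0.1.2", "auth_success", 2) + burst(3 * H, "10.0.1.2", "dns_query", 3)
    + burst(1 * H, "10.0.1.3", "auth_success", 1) + burst(2 * H, "10.0.1.3", "dns_query", 2)
    + burst(100, "10.0.1.4", "auth_fail", 1) + burst(3 * H, "10.0.1.4", "dns_query", 4)
)
LABELS = {"10.0.0.5": 1, "10.0.0.9": 1, "10.0.1.2": 0, "10.0.1.3": 0, "10.0.1.4": 0}


def affinity_counts(events, groups, interval):
    """Affinity feature: per actor and grouping, the number of events in each
    interval-wide bucket (bucket k covers [k*interval, (k+1)*interval))."""
    counts = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for e in events:
        g = groups.get(e.action)
        if g is not None:  # actions outside every grouping carry no affinity
            counts[e.actor][g][int(e.ts // interval)] += 1
    return counts


def decayed_features(counts, reference_time, interval, half_life):
    """Time-based weighting decay: each bucket count is scaled by 2**(-age/half_life),
    age being measured from the bucket's end to the reference time, so the newest
    bucket keeps full weight. Returns actor -> vector ordered by GROUP_ORDER; this
    dict plays the role of the feature engineering storage module."""
    feats = {}
    for actor, by_group in counts.items():
        vec = []
        for g in GROUP_ORDER:
            total = 0.0
            for bucket, n in by_group.get(g, {}).items():
                age = max(0.0, reference_time - (bucket + 1) * interval)
                total += n * 2.0 ** (-age / half_life)
            vec.append(total)
        feats[actor] = vec
    return feats


def predict(model, x):
    """Prediction engine: probability that a feature vector belongs to a malicious actor."""
    w, b = model
    z = b + sum(wj * xj for wj, xj in zip(w, x))
    return 1.0 / (1.0 + math.exp(-z))


def train_logistic(rows, labels, epochs=2000, lr=0.1):
    """Stand-in for the machine learning module: full-batch gradient descent on a
    logistic-regression model over the time-decayed feature vectors."""
    dim = len(rows[0])
    w, b = [0.0] * dim, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * dim, 0.0
        for x, y in zip(rows, labels):
            err = predict((w, b), x) - y
            gw = [gj + err * xj for gj, xj in zip(gw, x)]
            gb += err
        w = [wj - lr * gj / len(rows) for wj, gj in zip(w, gw)]
        b -= lr * gb / len(rows)
    return w, b


def build_model(events=EVENTS, reference_time=4 * H):
    """Run the whole feature pipeline on labelled history and fit the model."""
    feats = decayed_features(affinity_counts(events, GROUPS, H), reference_time, H, H)
    actors = sorted(LABELS)
    return feats, train_logistic([feats[a] for a in actors], [LABELS[a] for a in actors])


def classify(model, events, reference_time, threshold=0.5):
    """Score fresh event/log data: every actor seen becomes malicious or non-malicious."""
    feats = decayed_features(affinity_counts(events, GROUPS, H), reference_time, H, H)
    return {a: ("malicious" if predict(model, v) >= threshold else "non-malicious")
            for a, v in feats.items()}


if __name__ == "__main__":
    feats, model = build_model()
    # Constructed fresh actors: one with a burst of failed logins plus a port scan
    # in the newest interval, one with only DNS lookups.
    fresh = (burst(3 * H, "10.0.2.7", "auth_fail", 4) + burst(3 * H, "10.0.2.7", "port_scan", 3)
             + burst(3 * H, "10.0.3.1", "dns_query", 3))
    print(classify(model, fresh, 4 * H))
```

The decay is where the operational value sits: actor 10.0.1.4 has one stale failed login three hours before the reference time, which contributes 0.125 rather than 1 to its credential_probe feature, so an old, isolated event does not dominate an otherwise benign profile, while the same event in the newest interval would count in full. Choosing the half-life and the reference time (typically the scoring time, not the training time) is what decides how quickly an actor's history stops mattering.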

  • 3 Assignments