
System and methods for adaptive model generation for detecting intrusion in computer systems

  • US 9,497,203 B2
  • Filed: 10/08/2014
  • Issued: 11/15/2016
  • Est. Priority Date: 01/25/2002
  • Status: Active Grant
First Claim

1. A system for detecting intrusions in the operation of a computer system comprising:

  • (a) a plurality of sensors, each sensor configured to gather information regarding the operation of the computer system, to format the information in a data record, and to transmit the data record;
  • (b) one or more databases configured to receive the data record from the sensor, to store the data record, and to store an intrusion detection model;
  • (c) a detection model generator configured to request training data from a plurality of data records from the one or more databases, said training data comprising data from at least two sensors, to generate the intrusion detection model based on said training data from a plurality of data records, and to transmit the intrusion detection model to the one or more databases;
  • (d) a data analysis engine configured to request a data record from the one or more databases and to perform a data processing function on the data record;
  • (e) the detection model generator further configured to update the intrusion detection model in real-time;
  • (f) a detection model distributor configured to receive said intrusion detection model from the one or more databases and to transmit the detection model to at least one detector;
  • (g) one or more detectors configured to receive a data record from the sensor and to determine in real-time whether said data record corresponds to an attack based on said intrusion detection model;
  • (h) a visualization analysis engine configured to:
      • display the requested data record from the one or more databases in real time;
      • enable a system administrator to identify suspicious activity, not automatically identified by the intrusion detection model, as an attack in real-time; and
      • update the intrusion detection model based on the suspicious activity identified by the system administrator; and
  • (i) a data labeling tool configured to label the requested data record from the one or more databases if the data record corresponds to an attack.
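The claim describes an architecture rather than an algorithm: sensors feed records into a database, a generator trains a model from at least two sensors' data and keeps updating it, a distributor pushes the model to detectors that judge records in real time, and an administrator can label a record the model missed so that the model is updated from that label. The following is an added example, not code from the patent or its assignee, that wires elements (a) through (i) together in Python so the flow can be run end to end. Everything beyond the claim's wording is an assumption: the sensor names (`netflow`, `syscalls`), the feature names and sample values are constructed, and the model itself (per-feature z-scores with Welford running statistics, plus exact-match signatures for administrator-labeled records) is one possible choice, since the claim does not specify a model type.

```python
"""Toy version of the claimed pipeline (sensors, database, model generator, distributor,
detectors, administrator feedback). Added example, not the patent's code; all names/values are constructed."""
from dataclasses import dataclass, field
from math import sqrt
from typing import Dict, List, Optional, Tuple

@dataclass
class DataRecord:                      # (a) what a sensor formats and transmits
    sensor: str
    features: Dict[str, float]
    label: Optional[str] = None        # (i) "attack" once the labeling tool marks it

def signature(rec: DataRecord) -> tuple:
    return rec.sensor, tuple(sorted(rec.features.items()))

@dataclass
class IntrusionModel:
    """Welford running mean/variance per (sensor, feature), so the model can be updated one
    record at a time (e), plus exact-match signatures for records the administrator labeled (h)."""
    stats: Dict[Tuple[str, str], Tuple[int, float, float]] = field(default_factory=dict)
    signatures: List[tuple] = field(default_factory=list)
    z_threshold: float = 3.0           # assumption: 3 sigma on any feature means "attack"

    def update(self, rec: DataRecord) -> None:
        for name, x in rec.features.items():
            n, mean, m2 = self.stats.get((rec.sensor, name), (0, 0.0, 0.0))
            n, delta = n + 1, x - mean
            mean += delta / n
            self.stats[(rec.sensor, name)] = (n, mean, m2 + delta * (x - mean))

    def is_attack(self, rec: DataRecord) -> bool:
        if signature(rec) in self.signatures:
            return True
        for name, x in rec.features.items():
            n, mean, m2 = self.stats.get((rec.sensor, name), (0, 0.0, 0.0))
            if n < 2:
                continue                   # no baseline for this feature yet
            std = sqrt(m2 / (n - 1))
            if (std == 0 and x != mean) or (std > 0 and abs(x - mean) / std > self.z_threshold):
                return True
        return False

class Database:                        # (b) stores records and the current model
    def __init__(self) -> None:
        self.records: List[DataRecord] = []
        self.model: Optional[IntrusionModel] = None

class Sensor:                          # (a) gather, format as a record, transmit to the database
    def __init__(self, name: str, db: Database) -> None:
        self.name, self.db = name, db
    def emit(self, **features: float) -> DataRecord:
        self.db.records.append(DataRecord(self.name, dict(features)))
        return self.db.records[-1]

class ModelGenerator:                  # (c) train from >= 2 sensors; (e) update in real time
    def generate(self, db: Database) -> IntrusionModel:
        data = [r for r in db.records if r.label != "attack"]
        if len({r.sensor for r in data}) < 2:
            raise ValueError("training data must span at least two sensors")
        db.model = IntrusionModel()
        for rec in data:
            db.model.update(rec)
        return db.model
    def update_realtime(self, db: Database, rec: DataRecord, flagged: bool) -> None:
        if db.model is not None and not flagged and rec.label != "attack":
            db.model.update(rec)           # only unflagged records feed the baseline

class Detector:                        # (g) real-time verdict on a record from the sensor
    model: Optional[IntrusionModel] = None
    def inspect(self, rec: DataRecord) -> bool:
        assert self.model is not None, "no model distributed yet"
        return self.model.is_attack(rec)

def distribute(db: Database, detectors: List[Detector]) -> None:   # (f) push model to detectors
    for d in detectors:
        d.model = db.model

def admin_label_attack(db: Database, rec: DataRecord, detectors: List[Detector]) -> None:
    # (h)+(i): the administrator labels a displayed record as an attack; the model learns
    # the record's signature and the updated model is pushed back out to the detectors.
    rec.label = "attack"
    db.model.signatures.append(signature(rec))
    distribute(db, detectors)

def demo() -> Dict[str, bool]:
    db = Database()
    netflow, syscalls = Sensor("netflow", db), Sensor("syscalls", db)
    for i in range(20):                # constructed benign baseline from both sensors
        netflow.emit(bytes_out=1000 + 10 * (i % 5), connections=5 + i % 3)
        syscalls.emit(execve=2 + i % 2, open=40 + i % 4)
    gen, detectors = ModelGenerator(), [Detector()]
    gen.generate(db)
    distribute(db, detectors)
    loud = netflow.emit(bytes_out=250_000, connections=6)  # exfil burst, far off the baseline
    quiet = syscalls.emit(execve=3, open=41)               # inside the baseline, so missed
    loud_hit, quiet_hit_before = detectors[0].inspect(loud), detectors[0].inspect(quiet)
    gen.update_realtime(db, quiet, quiet_hit_before)       # (e) the baseline absorbs it
    admin_label_attack(db, quiet, detectors)               # admin spots it in the display
    quiet_hit_after = detectors[0].inspect(syscalls.emit(execve=3, open=41))
    return {"loud_hit": loud_hit, "quiet_hit_before": quiet_hit_before, "quiet_hit_after": quiet_hit_after}
```

Running `demo()` shows the two paths the claim separates: the statistical model catches the outlying netflow record on its own, while the syscall record sits inside the baseline and is only caught after the administrator labels it and the model is redistributed. Two caveats a practitioner should take from the exercise. First, element (e)'s real-time updating is also the poisoning surface: the toy folds every unflagged record into the baseline, so a slow attacker who stays under `z_threshold` shifts the mean toward their own traffic, and the `quiet` record above is absorbed before the administrator labels it. A deployment should gate automatic updates on the labeling tool (i) or on a held-out validation set rather than on "not flagged". Second, exact-match signatures learned from a single labeled record are brittle; they are used here only to show the feedback path, not as a recommended detection method.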

  • 0 Assignments