Cognitive information security using a behavioral recognition system
First Claim
1. A computer-implemented method for processing streams of information security data from one or more networked computer systems, the method comprising:
- receiving, by a machine learning engine executing on one or more computing systems, an ordered stream of normalized vectors corresponding to information security data obtained from one or more sensors monitoring a computer network;
- generating a neuro-linguistic model of the information security data by:
  - clustering the ordered stream of vectors and assigning a letter to each cluster,
  - outputting an ordered sequence of letters based on a mapping of the ordered stream of normalized vectors to the clusters,
  - building a dictionary of words from the ordered output of letters,
  - outputting an ordered stream of words based on the ordered output of letters, and
  - generating a plurality of phrases based on the ordered output of words;
- evaluating a current observation of letters, words, or phrases generated from one or more subsequent normalized vectors received from the ordered stream input to the neuro-linguistic model to determine a measure of unusualness for the current observation of letters, words, or phrases;
- generating an alert when the measure of unusualness determined for the current observation of letters, words, or phrases exceeds a specified threshold, wherein the alert corresponds to activity occurring within the computer network which resulted in the current observation of letters, words, or phrases;
- transmitting the alert to a management console; and
- dynamically updating the neuro-linguistic model based on the one or more subsequent normalized vectors from the ordered stream input to the neuro-linguistic model.
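The letter/word/phrase pipeline and threshold test that claim 1 recites, as an added illustration that is not code from the patent or its assignee. Nearest-centroid clustering with a fixed radius, sliding-window words and phrases, Laplace-smoothed surprisal as the "measure of unusualness", the 3-bit threshold, and the two-feature sensor stream are all assumptions made for the example.

```python
import math
from collections import Counter, deque

def surprisal(counts, key):
    """-log2 of the Laplace-smoothed relative frequency of key in counts."""
    return -math.log2((counts[key] + 1) / (sum(counts.values()) + len(counts) + 1))

class NeuroLinguisticModel:
    """Letters = clusters of normalized vectors, words = sliding windows of
    letters, phrases = sliding windows of words, unusualness = surprisal."""
    def __init__(self, radius=0.25, word_len=2, phrase_len=2, threshold=3.0):
        self.radius = radius            # nearest-centroid clustering (assumption)
        self.threshold = threshold      # alert when surprisal (bits) exceeds this
        self.centroids = []             # centroid i is letter chr(ord("a") + i)
        self.letters = deque(maxlen=word_len)
        self.words = deque(maxlen=phrase_len)
        self.word_counts = Counter()    # the dictionary of words seen so far
        self.phrase_counts = Counter()

    def letter(self, vec):
        """Map a vector to the nearest existing cluster, or open a new one."""
        for i, c in enumerate(self.centroids):
            if math.dist(vec, c) <= self.radius:
                return chr(ord("a") + i)
        self.centroids.append(tuple(vec))
        return chr(ord("a") + len(self.centroids) - 1)

    def observe(self, vec):
        """Score one vector against the model, then learn from it."""
        self.letters.append(self.letter(vec))
        if len(self.letters) < self.letters.maxlen:
            return 0.0, False
        word = "".join(self.letters)
        self.words.append(word)
        phrase = " ".join(self.words)
        full = len(self.words) == self.words.maxlen
        score = max(surprisal(self.word_counts, word),
                    surprisal(self.phrase_counts, phrase) if full else 0.0)
        alert = score > self.threshold
        self.word_counts[word] += 1           # dynamic update, after scoring
        if full:
            self.phrase_counts[phrase] += 1
        return score, alert

# Constructed sample (hypothetical flow sensor, normalized bytes/s and connection rate): 20 baseline vectors, one spike, then baseline again.
SAMPLE_STREAM = [(0.10, 0.12), (0.14, 0.08)] * 10 + [(0.92, 0.88), (0.12, 0.10), (0.10, 0.12), (0.14, 0.08)]

def demo():
    m = NeuroLinguisticModel()
    return [m.observe(v) for v in SAMPLE_STREAM]   # one (score, alert) per vector
```

The spike opens a new letter, and every word and phrase containing that letter is scored against a dictionary that has never seen it, so alerts fire for the spike and the two observations after it while the windows still overlap it, then stop once the model has absorbed them.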
70 Assignments
0 Petitions
Abstract
Embodiments presented herein describe a method for processing streams of data of one or more networked computer systems. According to one embodiment of the present disclosure, an ordered stream of normalized vectors corresponding to information security data obtained from one or more sensors monitoring a computer network is received. A neuro-linguistic model of the information security data is generated by clustering the ordered stream of vectors and assigning a letter to each cluster, outputting an ordered sequence of letters based on a mapping of the ordered stream of normalized vectors to the clusters, building a dictionary of words from the ordered output of letters, outputting an ordered stream of words based on the ordered output of letters, and generating a plurality of phrases based on the ordered output of words.
96 Citations
15 Claims
6. A non-transitory computer-readable storage medium storing instructions, which, when executed on a processor, performs an operation for processing streams of data of one or more networked computer systems, the operation comprising:
- receiving an ordered stream of normalized vectors corresponding to information security data obtained from one or more sensors monitoring a computer network;
- generating a neuro-linguistic model of the information security data by:
  - clustering the ordered stream of vectors and assigning a letter to each cluster,
  - outputting an ordered sequence of letters based on a mapping of the ordered stream of normalized vectors to the clusters,
  - building a dictionary of words from the ordered output of letters,
  - outputting an ordered stream of words based on the ordered output of letters, and
  - generating a plurality of phrases based on the ordered output of words;
- evaluating a current observation of letters, words, or phrases generated from one or more subsequent normalized vectors received from the ordered stream input to the neuro-linguistic model to determine a measure of unusualness for the current observation of letters, words, or phrases;
- generating an alert when the measure of unusualness determined for the current observation of letters, words, or phrases exceeds a specified threshold, wherein the alert corresponds to activity occurring within the computer network which resulted in the current observation of letters, words, or phrases;
- transmitting the alert to a management console; and
- dynamically updating the neuro-linguistic model based on the one or more subsequent normalized vectors from the ordered stream input to the neuro-linguistic model.

Dependent claims: 7, 8, 9, 10.
11. A system, comprising:
- a processor; and
- a memory storing one or more application programs configured to perform an operation for processing streams of data of one or more networked computer systems, the operation comprising:
  - receiving an ordered stream of normalized vectors corresponding to information security data obtained from one or more sensors monitoring a computer network,
  - generating a neuro-linguistic model of the information security data by:
    - clustering the ordered stream of vectors and assigning a letter to each cluster;
    - outputting an ordered sequence of letters based on a mapping of the ordered stream of normalized vectors to the clusters;
    - building a dictionary of words from the ordered output of letters;
    - outputting an ordered stream of words based on the ordered output of letters; and
    - generating a plurality of phrases based on the ordered output of words,
  - evaluating a current observation of letters, words, or phrases generated from one or more subsequent normalized vectors received from the ordered stream input to the neuro-linguistic model to determine a measure of unusualness for the current observation of letters, words, or phrases,
  - generating an alert when the measure of unusualness determined for the current observation of letters, words, or phrases exceeds a specified threshold, wherein the alert corresponds to activity occurring within the computer network which resulted in the current observation of letters, words, or phrases,
  - transmitting the alert to a management console, and
  - dynamically updating the neuro-linguistic model based on the one or more subsequent normalized vectors from the ordered stream input to the neuro-linguistic model.

Dependent claims: 12, 13, 14, 15.
Specification