Cognitive information security using a behavioral recognition system

US 9,507,768 B2
Filed: 08/11/2014
Issued: 11/29/2016
Est. Priority Date: 08/09/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for processing streams of information security data from one or more networked computer systems, the method comprising:

receiving, by a machine learning engine executing on one or more computing systems, an ordered stream of normalized vectors corresponding to information security data obtained from one or more sensors monitoring a computer network;

generating a neuro-linguistic model of the information security data by;

clustering the ordered stream of vectors and assigning a letter to each cluster,outputting an ordered sequence of letters based on a mapping of the ordered stream of normalized vectors to the clusters,building a dictionary of words from of the ordered output of letters,outputting an ordered stream of words based on the ordered output of letters, andgenerating a plurality of phrases based on the ordered output of words;

evaluating a current observation of letters, words, or phrases generated from one or more subsequent normalized vectors received from the ordered stream input to the neuro-linguistic model to determine a measure of unusualness for the current observation of letters, words, or phrases;

generating an alert when the measure of unusualness determined for the current observation of letters, words, or phrases exceeds a specified threshold, wherein the alert corresponds to activity occurring within the computer network which resulted in the current observation of letters, words, or phrases;

transmitting the alert to a management console; and

dynamically updating the neuro-linguistic model based on the one or more subsequent normalized vectors from the ordered stream input to the neuro-linguistic model.

View all claims

70 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments presented herein describe a method for processing streams of data of one or more networked computer systems. According to one embodiment of the present disclosure, an ordered stream of normalized vectors corresponding to information security data obtained from one or more sensors monitoring a computer network is received. A neuro-linguistic model of the information security data is generated by clustering the ordered stream of vectors and assigning a letter to each cluster, outputting an ordered sequence of letters based on a mapping of the ordered stream of normalized vectors to the clusters, building a dictionary of words from of the ordered output of letters, outputting an ordered stream of words based on the ordered output of letters, and generating a plurality of phrases based on the ordered output of words.

96 Citations

View as Search Results

15 Claims

1. A computer-implemented method for processing streams of information security data from one or more networked computer systems, the method comprising:
- receiving, by a machine learning engine executing on one or more computing systems, an ordered stream of normalized vectors corresponding to information security data obtained from one or more sensors monitoring a computer network;
  
  generating a neuro-linguistic model of the information security data by;
  
  clustering the ordered stream of vectors and assigning a letter to each cluster,outputting an ordered sequence of letters based on a mapping of the ordered stream of normalized vectors to the clusters,building a dictionary of words from of the ordered output of letters,outputting an ordered stream of words based on the ordered output of letters, andgenerating a plurality of phrases based on the ordered output of words;
  
  evaluating a current observation of letters, words, or phrases generated from one or more subsequent normalized vectors received from the ordered stream input to the neuro-linguistic model to determine a measure of unusualness for the current observation of letters, words, or phrases;
  
  generating an alert when the measure of unusualness determined for the current observation of letters, words, or phrases exceeds a specified threshold, wherein the alert corresponds to activity occurring within the computer network which resulted in the current observation of letters, words, or phrases;
  
  transmitting the alert to a management console; and
  
  dynamically updating the neuro-linguistic model based on the one or more subsequent normalized vectors from the ordered stream input to the neuro-linguistic model.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein generating the alert when the measure of unusualness for the current observation of letters, words, phrases, differs from the neuro-linguistic model of the information security data comprises determining, for at least a first, letter, word, or phrase in the current observation, the unusualness score based on a frequency of letters, words, and phrases, respectively, in the letters, words, and phrases of the neuro-linguistic model;
    - andgenerating the alert when the unusualness score for at least one of the letters, words, or phases in the current observation exceeds the specified threshold.
  - 3. The method of claim 1, wherein each value of the information security data associated with the normalized vectors is normalized to a value within a range of 0 to 1, inclusive.
  - 4. The method of claim 1, wherein the information security data comprises network packet traffic information, disk mount event information, or security log data.
  - 5. The method of claim 1, wherein building the dictionary comprises building a dictionary of words up to a maximum length of letters.

6. A non-transitory computer-readable storage medium storing instructions, which, when executed on a processor, performs an operation for processing streams of data of one or more networked computer systems, the operation comprising:
- receiving an ordered stream of normalized vectors corresponding to information security data obtained from one or more sensors monitoring a computer network;
  
  generating a neuro-linguistic model of the information security data by;
  
  clustering the ordered stream of vectors and assigning a letter to each cluster,outputting an ordered sequence of letters based on a mapping of the ordered stream of normalized vectors to the clusters,building a dictionary of words from of the ordered output of letters,outputting an ordered stream of words based on the ordered output of letters, andgenerating a plurality of phrases based on the ordered output of words;
  
  evaluating a current observation of letters, words, or phrases generated from one or more subsequent normalized vectors received from the ordered stream input to the neuro-linguistic model to determine a measure of unusualness for the current observation of letters, words, or phrases;
  
  generating an alert when the measure of unusualness determined for the current observation of letters, words, or phrases exceeds a specified threshold, wherein the alert corresponds to activity occurring within the computer network which resulted in the current observation of letters, words, or phrases;
  
  transmitting the alert to a management console; and
  
  dynamically updating the neuro-linguistic model based on the one or more subsequent normalized vectors from the ordered stream input to the neuro-linguistic model.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The non-transitory computer-readable storage medium of claim 6, wherein generating the alert when the measure of unusualness for the current observation of letters, words, phrases, differs from the neuro-linguistic model of the information security data comprises determining, for at least a first, letter, word, or phrase in the current observation, the unusualness score based on a frequency of letters, words, and phrases, respectively, in the letters, words, and phrases of the neuro-linguistic model;
    - andgenerating the alert when the unusualness score for at least one of the letters, words, or phases in the current observation exceeds the specified threshold.
  - 8. The non-transitory computer-readable storage medium of claim 6, wherein the each value of the information security data associated with the normalized vectors is normalized to a value within a range of 0 to 1, inclusive.
  - 9. The non-transitory computer-readable storage medium of claim 6, wherein the information security data comprises network packet traffic information, disk mount event information, or security log data.
  - 10. The non-transitory computer-readable storage medium of claim 6, wherein building the dictionary comprises building a dictionary of words up to a maximum length of letters.

11. A system, comprising:
- a processor; and
  
  a memory storing one or more application programs configured to perform an operation for processing streams of data of one or more networked computer systems, the operation comprising;
  
  receiving an ordered stream of normalized vectors corresponding to information security data obtained from one or more sensors monitoring a computer network,generating a neuro-linguistic model of the information security data by;
  
  clustering the ordered stream of vectors and assigning a letter to each cluster;
  
  outputting an ordered sequence of letters based on a mapping of the ordered stream of normalized vectors to the clusters;
  
  building a dictionary of words from of the ordered output of letters;
  
  outputting an ordered stream of words based on the ordered output of letters; and
  
  generating a plurality of phrases based on the ordered output of words,evaluating a current observation of letters, words, or phrases generated from one or more subsequent normalized vectors received from the ordered stream input to the neuro-linguistic model to determine a measure of unusualness for the current observation of letters, words, or phrases,generating an alert when the measure of unusualness determined for the current observation of letters, words, or phrases exceeds a specified threshold, wherein the alert corresponds to activity occurring within the computer network which resulted in the current observation of letters, words, or phrases,transmitting the alert to a management console, anddynamically updating the neuro-linguistic model based on the one or more subsequent normalized vectors from the ordered stream input to the neuro-linguistic model.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system of claim 11, wherein generating the alert when the measure of unusualness for the current observation of letters, words, phrases, differs from the neuro-linguistic model of the information security data comprises determining, for at least a first, letter, word, or phrase in the current observation, the unusualness score based on a frequency of letters, words, and phrases, respectively, in the letters, words, and phrases of the neuro-linguistic model;
    - andgenerating the alert when the unusualness score for at least one of the letters, words, or phases in the current observation exceeds the specified threshold.
  - 13. The system of claim 11, wherein the each value of the information security data associated the normalized vectors is normalized to a value within a range of 0 to 1, inclusive.
  - 14. The system of claim 11, wherein the information security data comprises network packet traffic information, disk mount event information, or security log data.
  - 15. The system of claim 11, wherein building the dictionary comprises building a dictionary of words up to a maximum length of letters.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellective Ai, Inc.
Original Assignee
Behavioral Recognition Systems Incorporated
Inventors
Cole, Curtis Edward Jr., Falcon, Cody Shay, Konosky, Benjamin A., Morgan, Charles Richard, Poffenberger, Aaron, Nguyen, Thong Toan, Cobb, Wesley Kenneth, Seow, Ming-Jung
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
GUNDRY, STEPHEN T

Application Number

US14/457,060
Publication Number

US 20150047040A1
Time in Patent Office

841 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 40/226   Validation

G06F 40/242   Dictionaries

G06F 40/247   Thesauruses; Synonyms

G06F 40/253   Grammatical analysis; Style...

G06F 40/284   Lexical analysis, e.g. toke...

G06F 40/289   Phrasal analysis, e.g. fini...

G06F 40/30   Semantic analysis

G06F 40/40   Processing or translation o...

G06N 20/00   Machine learning

G06N 3/0409   Adaptive resonance theory [...

G06N 3/042   Knowledge-based neural netw...

G06N 3/088   Non-supervised learning, e....

G06N 5/022   Knowledge engineering; Know...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

Cognitive information security using a behavioral recognition system

First Claim

70 Assignments

0 Petitions

Accused Products

Abstract

96 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Cognitive information security using a behavioral recognition system

First Claim

70 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

96 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links