Method and apparatus for computer intrusion detection

US 9,679,131 B2
Filed: 03/14/2013
Issued: 06/13/2017
Est. Priority Date: 01/25/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method performed by a computerized device having a processor, the method comprising:

receiving a description of a computerized system, the description comprising indication of at least two entities, at least one attribute for each of the at least two entities and at least one statistical rule related to relationships between the at least two entities;

receiving data to be automatically analyzed related to monitored activity of the computerized system, the data comprising events containing at least an event related to an attack attempt and an event not related to an attack attempt;

grouping the events into at least two groups associated with the at least two entities;

classifying each entity by determining a probability of each entity being associated with the events within the data, and classifying the events based on when they occurred;

aggregating each group into at least two objects based on the classifications;

comparing the at least two objects to predetermined values which are based on at least one statistical rule, to identify a group from which an object was aggregated as not complying with the at least one statistical rule, wherein the non-compliance is not binary and degrees of non-compliance exist, wherein the non-compliant group may be identified as containing the event related to the attack attempt;

displaying or otherwise treating a plurality of events related to an attack attempt in order of their degree of non-compliance, identified via the steps of receiving the description, receiving the data, grouping, classifying, aggregating and comparing; and

wherein said receiving the description, receiving the data, groupings of classifying, comparing, and displaying or otherwise treating is performed by the processor.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for intrusion detection, the method comprising: receiving a description of a computerized system, the description comprising two or more entities, one or more attribute for each entity and one or more statistical rule related to relationship between the entities; receiving data related to activity of the computerized system, the data comprising two or more events; grouping the events into two or more groups associated with the entities; comparing the groups in accordance with the statistical rule, to identify a group not complying with any of the statistical rules.

Citations

23 Claims

1. A computer-implemented method performed by a computerized device having a processor, the method comprising:
- receiving a description of a computerized system, the description comprising indication of at least two entities, at least one attribute for each of the at least two entities and at least one statistical rule related to relationships between the at least two entities;
  
  receiving data to be automatically analyzed related to monitored activity of the computerized system, the data comprising events containing at least an event related to an attack attempt and an event not related to an attack attempt;
  
  grouping the events into at least two groups associated with the at least two entities;
  
  classifying each entity by determining a probability of each entity being associated with the events within the data, and classifying the events based on when they occurred;
  
  aggregating each group into at least two objects based on the classifications;
  
  comparing the at least two objects to predetermined values which are based on at least one statistical rule, to identify a group from which an object was aggregated as not complying with the at least one statistical rule, wherein the non-compliance is not binary and degrees of non-compliance exist, wherein the non-compliant group may be identified as containing the event related to the attack attempt;
  
  displaying or otherwise treating a plurality of events related to an attack attempt in order of their degree of non-compliance, identified via the steps of receiving the description, receiving the data, grouping, classifying, aggregating and comparing; and
  
  wherein said receiving the description, receiving the data, groupings of classifying, comparing, and displaying or otherwise treating is performed by the processor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer-implemented method of claim 1, further comprising generating an alert related to the group not complying with the at least one statistical rule.
  - 3. The computer-implemented method of claim 2, further comprising issuing the alert to a person in charge.
  - 4. The computer-implemented method of claim 2, further comprising updating the description of the computerized system based on a reaction of an operator to the alert.
  - 5. The computer-implemented method of claim 1, further comprising reconstructing the group not complying with the at least one statistical rule.
  - 6. The computer-implemented method of claim 1 further comprising, aggregating a first group of the at least two groups to obtain a first object and aggregating a second group of the at least two groups to obtain a second object, and wherein comparing the at least two groups comprises comparing first object to the second object.
  - 7. The computer-implemented method of claim 6, wherein aggregating any of the least two groups comprises an option selected from the group consisting of:
    - counting items;
      
      averaging items;
      
      dividing an object sum by accumulated time; and
      
      dividing an object sum by time range.
  - 8. The computer-implemented method of claim 1, further comprising a learning component for learning the data and updating the description of the computerized system based on the data.
  - 9. The computer-implemented method of claim 1, further comprising:
    - receiving definition of the least two entities;
      
      receiving at least one attribute for each of the at least two entities;
      
      receiving at least one relationship between the at least two entities; and
      
      receiving at least one statistical rule related to the relationship.
  - 10. The computer-implemented method of claim 1, wherein each of the at least two entities is selected from a group consisting of:
    - a computer;
      
      an application;
      
      a process;
      
      a module;
      
      a user;
      
      an organizational unit; and
      
      a web site.
  - 11. The computer-implemented method of claim 1, wherein comparing the at least two groups is unrelated to event order.
  - 12. The computer-implemented method of claim 1, wherein the relationships between the at least two entities are implemented as trees or directed acyclic graphs.

13. An apparatus having a processor and a storage device, the processor being adapted to perform the steps of:
- receiving a description of a computerized system, the description comprising indication of at least two entities, at least one attribute for each of the at least two entities and at least one statistical rule related to relationships between the at least two entities;
  
  receiving data to be analyzed related to monitored activity of the computerized system, the data comprising at least an event related to an attack attempt an and event not related to an attack attempt;
  
  grouping the events into at least two groups associated with the at least two entities, then aggregating each group into an object;
  
  classifying each entity by determining a probability of each entity being associated with the events within the data, and classifying the events based on when they occurred;
  
  aggregating each of the at least two groups to obtain at least two objects based on the classifications;
  
  comparing the at least two objects to predetermined values which are based on at least one statistical rule, to identify a group from which an object was aggregated as not complying with the at least one statistical rule, wherein the non-compliance is not binary and degrees of non-compliance exist, wherein the non-compliant group comprises the event related to the attack attempt; and
  
  displaying or otherwise treating a plurality of events related to an attack attempt in order of their degree of non-compliance, identified via the steps of receiving the description, receiving the data, grouping, classifying, aggregating and comparing.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The apparatus of claim 13, wherein the processor is further adapted for generating an alert related to the group not complying with the at least one statistical rule.
  - 15. The apparatus of claim 13, wherein the processor is further adapted for reconstructing the group not complying with the at least one statistical rule.
  - 16. The apparatus of claim 13, wherein the processor is further adapted for learning the data and updating the description of the computerized system based on the data.
  - 17. The apparatus of claim 16, wherein the processor is further adapted for generating an alert related to the group not complying with the at least one statistical rule, and wherein the description is updated based on a reaction of an operator to the alert.
  - 18. The apparatus of claim 13, wherein the processor is further adapted for:
    - receiving definition of the at least two entities;
      
      receiving at least one attribute for each of the at least two entities;
      
      receiving at least one relationship between the at least two entities; and
      
      receiving at least one statistical rule related to the relationship.
  - 19. The apparatus of claim 13, wherein each of the at least two entities is selected from the group consisting of:
    - a computer;
      
      an application;
      
      a process;
      
      a module;
      
      a user;
      
      an organizational unit; and
      
      a web site.
  - 20. The apparatus of claim 13, wherein comparing the at least two groups is unrelated to event order within one of the at least two groups.
  - 21. The apparatus of claim 13, wherein the relationships between the at least two entities are implemented as trees or directed acyclic graphs.

22. A computer program product comprising:
- a non-transitory computer readable medium;
  
  a first program instruction for receiving a description of a computerized system, the description comprising indication of at least two entities, at least one attribute for each of the at least two entities and at least one statistical rule related to relationships between the at least two entities;
  
  a second program instruction for receiving data to be analyzed related to monitored activity of the computerized system, the data comprising at least an event related to an attack attempt and an event not related to an attack attempt;
  
  a third program instruction for grouping the events into at least two groups associated with the at least two entities,a fourth program instruction for classifying each entity by determining a probability of an entity being associated with the events within the data, and classifying the events based on when they occurred;
  
  a fifth program instruction for aggregating each group into at least two objects based on the classifications; and
  
  a sixth program instruction for comparing the at least two objects to predetermined values which are based on at least one statistical rule, to identify a group from which an object was aggregated as not complying with the at least one statistical rule, wherein the non-compliance is not binary and degrees of non-compliance exist, wherein the non-compliant group may be identified as containing the event related to the attack attempt;
  
  a seventh program instruction for displaying or otherwise treating a plurality of events related to an attack attempt according to their degree of non-compliance, identified via the instructions for receiving the description, receiving the data, grouping, aggregating and comparing;
  
  wherein said first, second, third, fourth, fifth, sixth, and seventh program instructions are stored on said non-transitory computer readable medium and executed on a computing device.
- View Dependent Claims (23)
- - 23. The computer program product of claim 22, wherein the relationships between the at least two entities are implemented as trees or directed acyclic graphs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cybereason, Inc.
Original Assignee
Cybereason, Inc.
Inventors
Striem Amit, Yonatan
Primary Examiner(s)
Colin, Carl
Assistant Examiner(s)
PHAM, QUY C

Application Number

US13/826,821
Publication Number

US 20140215618A1
Time in Patent Office

1,552 Days
Field of Search

726 23, 726 24, 726 25
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

H04L 63/1425   Traffic logging, e.g. anoma...

Method and apparatus for computer intrusion detection

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for computer intrusion detection

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links