Detecting and predicting cyber-attack phases in data processing environment regions

US 9,860,268 B2
Filed: 02/09/2016
Issued: 01/02/2018
Est. Priority Date: 02/09/2016
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

selecting, from a repository, a set of collections of forecasted feature vectors for a future time window after a present time, a cyber-attack being in progress in a data processing environment at the present time, a collection in the set having feature vectors that are indicative of an event related to the cyber-attack in a region of the environment at a discrete time;

classifying the events corresponding to the collections in the set into a class of cyber-attack;

determining, from a mapping between a set of phases of the cyber-attack and a set of classes, a phase that corresponds to the class;

predicting the determined phase as likely to occur during the future time window in the region;

selecting, from the repository, a past set of collections of actual feature vectors for a past time window before the present time, a cyber-attack being in progress in a data processing environment during the past time window, a collection in the past set having feature vectors that are indicative of a past event related to the cyber-attack in the region of the environment a past discrete time;

classifying the events corresponding to the collections in the past set into a past class of cyber-attack;

determining, from the mapping, a past phase that corresponds to the past class; and

outputting the determined past phase as having occurred during the past time window in the region.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A set of collections of forecasted feature vectors is selected from a repository for a future time window after a present time, a cyber-attack being in progress in a data processing environment at the present time, a collection in the set having feature vectors that are indicative of an event related to the cyber-attack in a region of the environment at a discrete time. The events corresponding to the collections in the set are classified into a class of cyber-attack. From a mapping between a set of phases of the cyber-attack and a set of classes, a phase is determined that corresponds to the class. The determined phase is predicted as likely to occur during the future time window in the region.

20 Citations

View as Search Results

15 Claims

1. A method comprising:
- selecting, from a repository, a set of collections of forecasted feature vectors for a future time window after a present time, a cyber-attack being in progress in a data processing environment at the present time, a collection in the set having feature vectors that are indicative of an event related to the cyber-attack in a region of the environment at a discrete time;
  
  classifying the events corresponding to the collections in the set into a class of cyber-attack;
  
  determining, from a mapping between a set of phases of the cyber-attack and a set of classes, a phase that corresponds to the class;
  
  predicting the determined phase as likely to occur during the future time window in the region;
  
  selecting, from the repository, a past set of collections of actual feature vectors for a past time window before the present time, a cyber-attack being in progress in a data processing environment during the past time window, a collection in the past set having feature vectors that are indicative of a past event related to the cyber-attack in the region of the environment a past discrete time;
  
  classifying the events corresponding to the collections in the past set into a past class of cyber-attack;
  
  determining, from the mapping, a past phase that corresponds to the past class; and
  
  outputting the determined past phase as having occurred during the past time window in the region.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the classifying into the past class occurs after the classifying into the future class.
  - 3. The method of claim 1, wherein in the mapping, a plurality of classes in the set of classes map to a single phase in the set of phases.
  - 4. The method of claim 1, further comprising:
    - determining the class such that the class applies to the time window beyond a threshold amount of fit.
  - 5. The method of claim 4, wherein the classifying occurs using a Long Short-Time Memory (LSTM) network.
  - 6. The method of claim 5, wherein the threshold amount of fit is a threshold value of an output of the LSTM network.
  - 7. The method of claim 1, wherein each collection in the set of collection indicates an event at a different discrete time in the future time window.

8. A computer program product comprising one or more computer-readable storage medium, and program instructions stored on at least one of the one or more storage medium, the stored program instructions comprising:
- program instructions to select, from a repository, a set of collections of forecasted feature vectors for a future time window after a present time, a cyber-attack being in progress in a data processing environment at the present time, a collection in the set having feature vectors that are indicative of an event related to the cyber-attack in a region of the environment at a discrete time;
  
  program instructions to classify the events corresponding to the collections in the set into a class of cyber-attack;
  
  program instructions to determine, from a mapping between a set of phases of the cyber-attack and a set of classes, a phase that corresponds to the class;
  
  program instructions to predict the determined phase as likely to occur during the future time window in the region;
  
  program instructions to select, from the repository, a past set of collections of actual feature vectors for a past time window before the present time, a cyber-attack being in progress in a data processing environment during the past time window, a collection in the past set having feature vectors that are indicative of a past event related to the cyber-attack in the region of the environment a past discrete time;
  
  program instructions to classify the events corresponding to the collections in the past set into a past class of cyber-attack;
  
  program instructions to determine, from the mapping, a past phase that corresponds to the past class; and
  
  program instructions to output the determined past phase as having occurred during the past time window in the region.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer program product of claim 8, wherein the program instructions to classify into the past class occurs after the classifying into the future class.
  - 10. The computer program product of claim 8, wherein in the mapping, a plurality of classes in the set of classes map to a single phase in the set of phases.
  - 11. The computer program product of claim 8, further comprising:
    - program instructions to determine the class such that the class applies to the time window beyond a threshold amount of fit.
  - 12. The computer program product of claim 11, wherein the program instructions to classify occurs using a Long Short-Time Memory (LSTM) network.
  - 13. The computer program product of claim 12, wherein the threshold amount of fit is a threshold value of an output of the LSTM network.
  - 14. The computer program product of claim 8, wherein each collection in the set of collection indicates an event at a different discrete time in the future time window.

15. A computer system comprising one or more processors, one or more computer-readable memories, and one or more computer-readable storage medium, and program instructions stored on at least one of the one or more storage medium for execution by at least one of the one or more processors via at least one of the one or more memories, the stored program instructions comprising:
- program instructions to select, from a repository, a set of collections of forecasted feature vectors for a future time window after a present time, a cyber-attack being in progress in a data processing environment at the present time, a collection in the set having feature vectors that are indicative of an event related to the cyber-attack in a region of the environment at a discrete time;
  
  program instructions to classify the events corresponding to the collections in the set into a class of cyber-attack;
  
  program instructions to determine, from a mapping between a set of phases of the cyber-attack and a set of classes, a phase that corresponds to the class;
  
  program instructions to predict the determined phase as likely to occur during the future time window in the region;
  
  program instructions to select, from the repository, a past set of collections of actual feature vectors for a past time window before the present time, a cyber-attack being in progress in a data processing environment during the past time window, a collection in the past set having feature vectors that are indicative of a past event related to the cyber-attack in the region of the environment a past discrete time;
  
  program instructions to classify the events corresponding to the collections in the past set into a past class of cyber-attack;
  
  program instructions to determine, from the mapping, a past phase that corresponds to the past class; and
  
  program instructions to output the determined past phase as having occurred during the past time window in the region.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Ahmed, Mohamed N., Baughman, Aaron K., McCrory, Nicholas A., Toor, Andeep S., Welcks, Michelle
Primary Examiner(s)
DADA, BEEMNET W

Application Number

US15/019,334
Publication Number

US 20170230408A1
Time in Patent Office

693 Days
Field of Search
US Class Current
CPC Class Codes

G06N 3/044   Recurrent networks, e.g. Ho...

G06N 3/045   Combinations of networks

G06N 3/08   Learning methods

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Detecting and predicting cyber-attack phases in data processing environment regions

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting and predicting cyber-attack phases in data processing environment regions

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links