Detecting and predicting cyber-attack phases in data processing environment regions
First Claim
1. A method comprising:
- selecting, from a repository, a set of collections of forecasted feature vectors for a future time window after a present time, a cyber-attack being in progress in a data processing environment at the present time, a collection in the set having feature vectors that are indicative of an event related to the cyber-attack in a region of the environment at a discrete time;
- classifying the events corresponding to the collections in the set into a class of cyber-attack;
- determining, from a mapping between a set of phases of the cyber-attack and a set of classes, a phase that corresponds to the class;
- predicting the determined phase as likely to occur during the future time window in the region;
- selecting, from the repository, a past set of collections of actual feature vectors for a past time window before the present time, a cyber-attack being in progress in a data processing environment during the past time window, a collection in the past set having feature vectors that are indicative of a past event related to the cyber-attack in the region of the environment at a past discrete time;
- classifying the events corresponding to the collections in the past set into a past class of cyber-attack;
- determining, from the mapping, a past phase that corresponds to the past class; and
- outputting the determined past phase as having occurred during the past time window in the region.
Abstract
A set of collections of forecasted feature vectors is selected from a repository for a future time window after a present time, a cyber-attack being in progress in a data processing environment at the present time, a collection in the set having feature vectors that are indicative of an event related to the cyber-attack in a region of the environment at a discrete time. The events corresponding to the collections in the set are classified into a class of cyber-attack. From a mapping between a set of phases of the cyber-attack and a set of classes, a phase is determined that corresponds to the class. The determined phase is predicted as likely to occur during the future time window in the region.
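The flow in the abstract (select collections for a region and time window, classify them, map the class to a phase, report the phase) can be sketched as follows; this is an added example, not code from the patent. The feature layout, class names, phase names, nearest-centroid classifier, and majority vote are all assumptions, and the forecasted vectors are taken as already stored in the repository.

```python
from collections import Counter
from math import dist

# Assumed feature layout (constructed): failed logins/min, new outbound hosts/min, MB sent/min.
CENTROIDS = {
    "scan": (2.0, 40.0, 1.0),
    "credential_abuse": (60.0, 2.0, 1.0),
    "bulk_transfer": (1.0, 3.0, 500.0),
}
# Mapping between classes and attack phases (hypothetical labels).
PHASE_OF = {"scan": "reconnaissance", "credential_abuse": "intrusion",
            "bulk_transfer": "exfiltration"}

# Repository keyed by (region, discrete time, kind); each value is one
# collection of feature vectors. All values are constructed sample data.
REPO = {
    ("dmz", 7, "actual"): [(3.0, 35.0, 0.5)],
    ("dmz", 8, "actual"): [(55.0, 3.0, 2.0), (62.0, 1.0, 1.0)],
    ("dmz", 9, "actual"): [(58.0, 2.0, 1.5)],
    ("dmz", 11, "forecast"): [(2.0, 4.0, 450.0)],
    ("dmz", 12, "forecast"): [(1.0, 2.0, 520.0)],
    ("lab", 9, "actual"): [(1.0, 42.0, 0.8)],
}

def classify(collection):
    """Class of one collection: nearest centroid per vector, then majority."""
    votes = Counter(min(CENTROIDS, key=lambda c: dist(v, CENTROIDS[c]))
                    for v in collection)
    return votes.most_common(1)[0][0]

def phase_for_window(repo, region, kind, start, end):
    """Phase for the collections of `kind` in `region` with start <= t <= end."""
    selected = [vecs for (r, t, k), vecs in repo.items()
                if r == region and k == kind and start <= t <= end]
    if not selected:
        return None  # nothing stored for this region and window
    winner = Counter(classify(c) for c in selected).most_common(1)[0][0]
    return PHASE_OF[winner]

def report(repo, region, now, span):
    """Past phase from actual vectors, future phase from forecasted vectors."""
    return {
        "occurred": phase_for_window(repo, region, "actual", now - span, now - 1),
        "predicted": phase_for_window(repo, region, "forecast", now + 1, now + span),
    }

if __name__ == "__main__":
    for region in ("dmz", "lab"):
        print(region, report(REPO, region, now=10, span=3))
```

A region with no stored forecast for the window returns `None` for the predicted phase rather than a guessed value.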
15 Claims
8. A computer program product comprising one or more computer-readable storage medium, and program instructions stored on at least one of the one or more storage medium, the stored program instructions comprising:
- program instructions to select, from a repository, a set of collections of forecasted feature vectors for a future time window after a present time, a cyber-attack being in progress in a data processing environment at the present time, a collection in the set having feature vectors that are indicative of an event related to the cyber-attack in a region of the environment at a discrete time;
- program instructions to classify the events corresponding to the collections in the set into a class of cyber-attack;
- program instructions to determine, from a mapping between a set of phases of the cyber-attack and a set of classes, a phase that corresponds to the class;
- program instructions to predict the determined phase as likely to occur during the future time window in the region;
- program instructions to select, from the repository, a past set of collections of actual feature vectors for a past time window before the present time, a cyber-attack being in progress in a data processing environment during the past time window, a collection in the past set having feature vectors that are indicative of a past event related to the cyber-attack in the region of the environment at a past discrete time;
- program instructions to classify the events corresponding to the collections in the past set into a past class of cyber-attack;
- program instructions to determine, from the mapping, a past phase that corresponds to the past class; and
- program instructions to output the determined past phase as having occurred during the past time window in the region.
15. A computer system comprising one or more processors, one or more computer-readable memories, and one or more computer-readable storage medium, and program instructions stored on at least one of the one or more storage medium for execution by at least one of the one or more processors via at least one of the one or more memories, the stored program instructions comprising:
- program instructions to select, from a repository, a set of collections of forecasted feature vectors for a future time window after a present time, a cyber-attack being in progress in a data processing environment at the present time, a collection in the set having feature vectors that are indicative of an event related to the cyber-attack in a region of the environment at a discrete time;
- program instructions to classify the events corresponding to the collections in the set into a class of cyber-attack;
- program instructions to determine, from a mapping between a set of phases of the cyber-attack and a set of classes, a phase that corresponds to the class;
- program instructions to predict the determined phase as likely to occur during the future time window in the region;
- program instructions to select, from the repository, a past set of collections of actual feature vectors for a past time window before the present time, a cyber-attack being in progress in a data processing environment during the past time window, a collection in the past set having feature vectors that are indicative of a past event related to the cyber-attack in the region of the environment at a past discrete time;
- program instructions to classify the events corresponding to the collections in the past set into a past class of cyber-attack;
- program instructions to determine, from the mapping, a past phase that corresponds to the past class; and
- program instructions to output the determined past phase as having occurred during the past time window in the region.
Specification