Forecasting and classifying cyber-attacks using neural embeddings based on pattern of life data

US 9,900,338 B2
Filed: 02/09/2016
Issued: 02/20/2018
Est. Priority Date: 02/09/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

constructing a first collection, the first collection comprising a pattern of life (POL) feature vector and a Q&

A feature vector;

constructing a second collection from the first collection by inserting noise data in at least one of the POL feature vector and the Q&

A feature vector;

further constructing a third collection by using at least one of (i) combining, to crossover, at least one of a POL feature vector and a Q&

A feature vector of the second collection with a corresponding at least one of a POL feature vector and a Q&

A feature vector of a fourth collection, wherein the second and the fourth collections have a property similar to one another, and (ii) combining, to migrate, at least one of a POL feature vector and a Q&

A feature vector of the second collection with a corresponding at least one of a POL feature vector and a Q&

A feature vector of a fifth collection, wherein the second and the fifth collections have a property distinct from one another;

aging, using a forecasting configuration, a POL feature vector of the third collection to generate a changed POL feature vector, the changed POL feature vector containing POL feature values expected at a future time;

predicting, by inputting the changed POL feature vector in a trained neural network, a probability of the cyber-attack occurring at the future time;

further predicting, using the trained neural network, a classification of the cyber-attack occurring at the future time;

constructing, from the first portion, natural language (NL) corpora; and

submitting the NL question against the NL corpora using a Q&

A system, wherein the Q&

A system produces the answer corresponding to the NL question based on the NL corpora.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first collection including a pattern of life (POL) feature vector and a Q&A feature vector is constructed. A second collection is constructed from the first collection by inserting noise in at least one of the vectors. A third collection is constructed by crossing over at least one of vectors of the second collection with a corresponding vector of a fourth collection, migrating at least one of the vectors of the second collection with a corresponding vector of a fifth collection. Using a forecasting configuration, a POL feature vector of the third collection is aged to generate a changed POL feature vector containing POL feature values expected at a future time. The changed POL feature vector is input into a trained neural network to predict a probability of the cyber-attack occurring at the future time.

16 Citations

View as Search Results

18 Claims

1. A method comprising:
- constructing a first collection, the first collection comprising a pattern of life (POL) feature vector and a Q&
  
  A feature vector;
  
  constructing a second collection from the first collection by inserting noise data in at least one of the POL feature vector and the Q&
  
  A feature vector;
  
  further constructing a third collection by using at least one of (i) combining, to crossover, at least one of a POL feature vector and a Q&
  
  A feature vector of the second collection with a corresponding at least one of a POL feature vector and a Q&
  
  A feature vector of a fourth collection, wherein the second and the fourth collections have a property similar to one another, and (ii) combining, to migrate, at least one of a POL feature vector and a Q&
  
  A feature vector of the second collection with a corresponding at least one of a POL feature vector and a Q&
  
  A feature vector of a fifth collection, wherein the second and the fifth collections have a property distinct from one another;
  
  aging, using a forecasting configuration, a POL feature vector of the third collection to generate a changed POL feature vector, the changed POL feature vector containing POL feature values expected at a future time;
  
  predicting, by inputting the changed POL feature vector in a trained neural network, a probability of the cyber-attack occurring at the future time;
  
  further predicting, using the trained neural network, a classification of the cyber-attack occurring at the future time;
  
  constructing, from the first portion, natural language (NL) corpora; and
  
  submitting the NL question against the NL corpora using a Q&
  
  A system, wherein the Q&
  
  A system produces the answer corresponding to the NL question based on the NL corpora.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, the combining to crossover further comprising:
    - partitioning the POL feature vector of the second collection into a first partition of a first size and second partition of a second size;
      
      partitioning the POL feature vector of the fourth collection into a first partition of the first size and second partition of the second size; and
      
      constructing the POL feature vector of the third collection by substituting the first partition in the POL feature vector of the second collection with the first partition of the POL feature vector of the fourth collection.
  - 3. The method of claim 1, the combining to migrate further comprising:
    - partitioning the POL feature vector of the second collection into a first partition of a first size and second partition of a second size;
      
      partitioning the POL feature vector of the fifth collection into a first partition of the first size and second partition of the second size; and
      
      constructing the POL feature vector of the third collection by substituting the first partition in the POL feature vector of the second collection with the first partition of the POL feature vector of the fifth collection.
  - 4. The method of claim 1, further comprising:
    - aging using a second forecasting configuration, a Q&
      
      A feature vector of the third collection to generate a changed Q&
      
      A feature vector, the changed Q&
      
      A feature vector containing Q&
      
      A feature values expected at the future time, wherein the predicting also inputs the changed Q&
      
      A feature vector in the trained neural network.
  - 5. The method of claim 1, further comprising:
    - evaluating the property of the second collection, wherein the third collection has an increased value of the property.
  - 6. The method of claim 1, wherein the noise is inserted by adding a random value to the POL feature vector.
  - 7. The method of claim 1, wherein the noise is inserted by changing an existing value in the POL feature vector by a random amount.
  - 8. The method of claim 1, wherein the noise is inserted by deleting an existing value from the POL feature vector.
  - 9. The method of claim 1, wherein the answer comprises a ranked list of sub-portions in the first portion, wherein a higher ranking sub-portion is more relevant in answering the NL question than a lower ranking sub-portion.
  - 10. The method of claim 1, further comprising:
    - extracting a set of Q&
      
      A features from the answer, a Q&
      
      A feature in the set of Q&
      
      A features being data with the characteristic;
      
      creating a set of expanded Q&
      
      A features from the set of Q&
      
      A features; and
      
      adding, to form the Q&
      
      A feature vector, the set of Q&
      
      A features, the set of expanded Q&
      
      A features, and a timestamp corresponding to a time of collection of the raw data.
  - 11. The method of claim 1, further comprising:
    - creating the POL feature vector from raw POL data present in a data processing environment;
      
      identifying in the POL feature vector, a first portion, wherein the first portion is suitable for natural language processing (NLP);
      
      constructing, from the first portion, a natural language (NL) question, the NL question being related to a future cyber-attack on the data processing environment;
      
      constructing the Q&
      
      A feature vector based on a set of features present in an answer to the NL question.
  - 12. The method of claim 11, further comprising:
    - extracting a set of raw POL features from the raw POL data, a raw POL feature in the set of raw POL features being data with a characteristic, the characteristic being usable in detection of the cyber-attack; and
      
      creating a set of expanded POL features from the set of raw POL features; and
      
      adding, to form the POL feature vector, the set of raw POL features, the set of expanded POL features, and a timestamp corresponding to a time of collection of the raw POL data.
  - 13. The method of claim 11, further comprising:
    - normalizing, as a part of creating the set of expanded POL features, a raw POL feature in the set of raw POL features to form an extended POL feature in the set of expanded POL features.
  - 14. The method of claim 11, further comprising:
    - deriving, as a part of creating the set of expanded POL features, an expanded POL feature in the set of expanded POL features from a raw POL feature in the set of raw POL features.
  - 15. The method of claim 1, wherein the method is embodied in a computer program product comprising one or more computer-readable storage devices and computer-readable program instructions which are stored on the one or more computer-readable tangible storage devices and executed by one or more processors.
  - 16. The method of claim 1, wherein the method is embodied in a computer system comprising one or more processors, one or more computer-readable memories, one or more computer-readable storage devices and program instructions which are stored on the one or more computer-readable storage devices for execution by the one or more processors via the one or more memories and executed by the one or more processors.

17. A computer program product comprising one or more computer-readable storage devices, and program instructions stored on at least one of the one or more storage devices, the stored program instructions comprising:
- program instructions to construct a first collection, the first collection comprising a pattern of life (POL) feature vector and a Q&
  
  A feature vector;
  
  program instructions to construct a second collection from the first collection by inserting noise data in at least one of the POL feature vector and the Q&
  
  A feature vector;
  
  program instructions to further construct a third collection by using at least one of (i) combining, to crossover, at least one of a POL feature vector and a Q&
  
  A feature vector of the second collection with a corresponding at least one of a POL feature vector and a Q&
  
  A feature vector of a fourth collection, wherein the second and the fourth collections have a property similar to one another, and (ii) combining, to migrate, at least one of a POL feature vector and a Q&
  
  A feature vector of the second collection with a corresponding at least one of a POL feature vector and a Q&
  
  A feature vector of a fifth collection, wherein the second and the fifth collections have a property distinct from one another;
  
  program instructions to age, using a forecasting configuration, a POL feature vector of the third collection to generate a changed POL feature vector, the changed POL feature vector containing POL feature values expected at a future time;
  
  program instructions to predict, by inputting the changed POL feature vector in a trained neural network, a probability of the cyber-attack occurring at the future time;
  
  further predicting, using the trained neural network, a classification of the cyber-attack occurring at the future time;
  
  constructing, from the first portion, natural language (NL) corpora; and
  
  submitting the NL question against the NL corpora using a Q&
  
  A system, wherein the Q&
  
  A system produces the answer corresponding to the NL question based on the NL corpora.

18. A computer system comprising one or more processors, one or more computer-readable memories, and one or more computer-readable storage devices, and program instructions stored on at least one of the one or more storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, the stored program instructions comprising:
- program instructions to construct a first collection, the first collection comprising a pattern of life (POL) feature vector and a Q&
  
  A feature vector;
  
  program instructions to construct a second collection from the first collection by inserting noise data in at least one of the POL feature vector and the Q&
  
  A feature vector;
  
  program instructions to further construct a third collection by using at least one of (i) combining, to crossover, at least one of a POL feature vector and a Q&
  
  A feature vector of the second collection with a corresponding at least one of a POL feature vector and a Q&
  
  A feature vector of a fourth collection, wherein the second and the fourth collections have a property similar to one another, and (ii) combining, to migrate, at least one of a POL feature vector and a Q&
  
  A feature vector of the second collection with a corresponding at least one of a POL feature vector and a Q&
  
  A feature vector of a fifth collection, wherein the second and the fifth collections have a property distinct from one another;
  
  program instructions to age, using a forecasting configuration, a POL feature vector of the third collection to generate a changed POL feature vector, the changed POL feature vector containing POL feature values expected at a future time;
  
  program instructions to predict, by inputting the changed POL feature vector in a trained neural network, a probability of the cyber-attack occurring at the future time;
  
  further predicting, using the trained neural network, a classification of the cyber-attack occurring at the future time;
  
  constructing, from the first portion, natural language (NL) corpora; and
  
  submitting the NL question against the NL corpora using a Q&
  
  A system, wherein the Q&
  
  A system produces the answer corresponding to the NL question based on the NL corpora.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Ahmed, Mohamed N., Baughman, Aaron K., Behnken, John F., Marzorati, Mauro
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
HOLMES, ANGELA R

Application Number

US15/019,300
Publication Number

US 20170230401A1
Time in Patent Office

742 Days
Field of Search

726 25
US Class Current
CPC Class Codes

G06N 3/042   Knowledge-based neural netw...

G06N 3/08   Learning methods

G06N 3/086   using evolutionary algorith...

G06N 7/01   Probabilistic graphical mod...

H04L 63/1433   Vulnerability analysis

Forecasting and classifying cyber-attacks using neural embeddings based on pattern of life data

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Forecasting and classifying cyber-attacks using neural embeddings based on pattern of life data

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others