Methods and apparatus for analyzing asynchronous cyber-threat event data using discrete time intervals
First Claim
1. An apparatus, comprising:
- a global workspace manager implemented in at least one of a memory device or a processor circuit, the global workspace manager, receiving, during operation and from a workspace of a plurality of workspaces, cyber-threat event data including a time of a cyber-threat event associated with a communication network,
- a global time interval manager implemented in at least one of a memory device or a processor circuit, the global time interval manager selecting, during operation, a discrete time interval including the time of the cyber-threat event, the global time interval manager, recursively dividing, during operation, the discrete time interval into smaller discrete time intervals, the global time interval manager storing, during operation, the smaller discrete time intervals in a time interval queue,
- the global workspace manager determining, during operation and for each discrete time interval in the time interval queue, a threat score function from a plurality of threat score functions and associated with each discrete time interval in the time interval queue,
- the global workspace manager calculating, during operation and for each discrete time interval in the time interval queue, a threat score in the time interval queue using the threat score function for that discrete time interval in the time interval queue,
- the global workspace manager applying, during operation and for each discrete time interval in the time interval queue, the threat score of the discrete time interval to a workspace factor graph defining a set of relationships between each workspace of the plurality of workspaces so as to initiate an update of a threat score for each remaining workspace of the plurality of workspaces based on a relationship between each of the remaining workspaces of the plurality of workspaces, the global workspace manager generating, during operation, an updated workspace factor graph in which each workspace of the plurality of workspaces is associated with an updated threat score, the generating performed without referring to past iterations of the workspace factor graph, and
- sending a representation of the updated workspace factor graph to a local workspace computer for analysis of the cyber-threat event.
Abstract
Apparatus and methods described herein relate to a global workspace manager that can dynamically update historical cyber-threat data for a network. The global workspace manager can receive cyber-threat event data including a time of a cyber-threat event. The global workspace manager can identify a workspace node in a workspace graph associated with the cyber-threat event data, and can identify a threat score interval including a set of times that includes the time of the cyber-threat event. The global workspace manager can retrieve, from the workspace node, a threat score calculation function associated with the threat score interval, and can calculate a threat score for the workspace node during the threat score interval using the threat score calculation function and the cyber-threat event data. The global workspace manager can calculate a set of threat scores based on the threat score for the workspace nodes, such that each threat score in the set of threat scores is associated with the remaining workspace nodes in the workspace graph.
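The flow described above (divide the interval around the event time, queue the pieces, pick a score function per piece, push the score to related workspaces) can be sketched as follows. This is an added illustration, not code from the patent: bisection as the split rule, the two score functions, selection by interval width, and a weighted-edge product standing in for the factor-graph update are all assumptions, and the workspace names, weights and events are constructed sample data.

```python
from collections import deque

# Constructed sample data (not from the patent): workspaces, relationship
# weights between them, and (time_s, severity) events reported by "hq".
WORKSPACES = ["hq", "branch", "lab"]
EDGES = {("hq", "branch"): 0.5, ("hq", "lab"): 0.2, ("branch", "lab"): 0.1}
EVENTS = [(500, 0.2), (2000, 0.8)]

def split_intervals(start, end, event_time, min_width):
    """Queue the halves of [start, end), recursing into whichever half
    contains event_time until it is min_width wide (bisection is assumed)."""
    queue = deque()
    def divide(lo, hi):
        if hi - lo <= min_width:
            return
        mid = (lo + hi) // 2
        for a, b in ((lo, mid), (mid, hi)):
            queue.append((a, b))
            if a <= event_time < b:
                divide(a, b)
    divide(start, end)
    return queue

def in_window(events, lo, hi):
    return [sev for t, sev in events if lo <= t < hi]

def score_wide(events, lo, hi):      # assumed: mean severity in the interval
    sev = in_window(events, lo, hi)
    return sum(sev) / len(sev) if sev else 0.0

def score_narrow(events, lo, hi):    # assumed: peak severity in the interval
    return max(in_window(events, lo, hi), default=0.0)

def pick_score_fn(lo, hi, threshold=1800):
    """Select one of several score functions per interval (by width, assumed)."""
    return score_narrow if hi - lo < threshold else score_wide

def update_graph(source, events, queue, workspaces, edges):
    """Per interval, build a fresh score map from the current score and the
    edge weights only; no earlier score map is read."""
    result = {}
    for lo, hi in queue:
        s = pick_score_fn(lo, hi)(events, lo, hi)
        scores = {}
        for w in workspaces:
            weight = 1.0 if w == source else edges.get(
                (source, w), edges.get((w, source), 0.0))
            scores[w] = round(s * weight, 3)
        result[(lo, hi)] = scores
    return result
```

Calling `update_graph("hq", EVENTS, split_intervals(0, 3600, 2000, 900), WORKSPACES, EDGES)` returns one score map per queued interval, so an analyst can compare how the same event scores at coarse and fine time resolution.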
Specification