System and method thereof for creating programmable security decision engines in a cyber-security system
First Claim
1. A method for generating a security decision engine (SDE) operable in a cyber-security system comprising one or more computing devices coupled to a memory device to receive information about data flows in a network, comprising:
selecting, based on at least one input feature indicating an attribute of a behavior to be evaluated, at least one normalization function from an available plurality of normalization functions, wherein the at least one input feature defines an attribute of a data flow to be evaluated by the SDE, wherein the normalization function is a function applied to the input feature data to yield behavioral levels and generate respective degrees of membership;
in response to the selection of the input feature, prompting a user of the cyber-security system to program at least one engine rule to describe an anomaly that the SDE should monitor, evaluate, and detect anomalies, wherein the set of rules are programmed by selecting a logical operator and a value operator;
receiving at least one engine rule describing an anomaly to be evaluated, wherein each engine rule defines the at least one input feature and a set of logical conditions to be applied to behavioral levels of the at least one input feature;
in response to programming the at least one engine rule, creating an inference system including at least one inference unit that implements the normalization function and a process in which the behavioral level scores are projected into output functions, wherein each inference unit is determined based on one of the received at least one engine rule and to compute a score of anomaly (SoA) based on the at least one input feature; and
executing the SDE after the inference system is created to compute the SoA based on at least one input feature, wherein input features fed into the SDE are synchronized to detect and mitigate an on-going attack campaign.
Abstract
A system and method for adaptively securing a protected entity against cyber-threats. The method comprises: determining, based on at least one input feature, at least one normalization function, wherein the at least one input feature defines an attribute of a data flow to be evaluated by the SDE; receiving at least one engine rule describing an anomaly to be evaluated; and creating an inference system including at least one inference unit, wherein each inference unit is determined based on one of the received at least one engine rule, wherein the inference system computes a score of anomaly (SoA) respective of the at least one input feature.
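The abstract and claim describe a pipeline: a normalization function turns each raw input feature into behavioral levels with degrees of membership, a user programs engine rules over those levels with a logical operator and a value operator, one inference unit per rule projects the rule's result onto an output function, and the engine aggregates the units into a score of anomaly (SoA) over a synchronized snapshot of features. The Python below is an added example written for this page, not the patent holder's implementation. It assumes linear ramps for three overlapping levels, an "is"/"at_least" vocabulary for the value operator, AND/OR as min/max of degrees, a scaled-singleton output function per rule, and max aggregation for the SoA; the two features, their thresholds and the three rules are constructed for illustration.

```python
"""Toy programmable security decision engine (SDE).  Added example: level
shapes, operator vocabulary, projection and aggregation are assumptions,
not the patent's own method."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

LEVELS: Tuple[str, ...] = ("low", "medium", "high")  # ordered behavioral levels
Membership = Dict[str, float]                         # level -> degree in [0, 1]
NormalizationFn = Callable[[float], Membership]


def ramp_down(x: float, start: float, end: float) -> float:
    """1.0 up to `start`, falling linearly to 0.0 at `end`."""
    if x <= start:
        return 1.0
    if x >= end:
        return 0.0
    return (end - x) / (end - start)


def ramp_up(x: float, start: float, end: float) -> float:
    """0.0 up to `start`, rising linearly to 1.0 at `end`."""
    return 1.0 - ramp_down(x, start, end)


def level_normalizer(lo: float, hi: float) -> NormalizationFn:
    """Assumed normalization function: 'low' is certain at or below `lo`,
    'high' at or above `hi`, 'medium' peaks at the midpoint; degrees sum to 1."""
    mid = (lo + hi) / 2.0

    def normalize(x: float) -> Membership:
        return {
            "low": ramp_down(x, lo, mid),
            "medium": min(ramp_up(x, lo, mid), ramp_down(x, mid, hi)),
            "high": ramp_up(x, mid, hi),
        }

    return normalize


@dataclass(frozen=True)
class Condition:
    feature: str
    value_op: str   # assumed vocabulary: "is" (this level) / "at_least" (this level or above)
    level: str


@dataclass(frozen=True)
class EngineRule:
    """User-programmed rule: conditions joined by one logical operator,
    projected onto an output function with weight in [0, 1]."""
    conditions: Tuple[Condition, ...]
    logical_op: str   # "AND" -> min of degrees, "OR" -> max of degrees
    weight: float


def condition_degree(cond: Condition, levels: Membership) -> float:
    if cond.value_op == "is":
        return levels[cond.level]
    if cond.value_op == "at_least":
        start = LEVELS.index(cond.level)
        return min(1.0, sum(levels[name] for name in LEVELS[start:]))
    raise ValueError(f"unknown value operator {cond.value_op!r}")


class InferenceUnit:
    """One unit per rule: applies the normalization functions, combines the
    degrees with the rule's logical operator, projects onto the output."""

    def __init__(self, rule: EngineRule, normalizers: Dict[str, NormalizationFn]):
        if rule.logical_op not in ("AND", "OR"):
            raise ValueError(f"unknown logical operator {rule.logical_op!r}")
        for cond in rule.conditions:
            if cond.feature not in normalizers:
                raise ValueError(f"no normalization function for {cond.feature!r}")
        self.rule, self.normalizers = rule, normalizers

    def score(self, features: Dict[str, float]) -> float:
        degrees = [condition_degree(c, self.normalizers[c.feature](features[c.feature]))
                   for c in self.rule.conditions]
        strength = min(degrees) if self.rule.logical_op == "AND" else max(degrees)
        return strength * self.rule.weight   # assumed projection: scaled singleton output


class SecurityDecisionEngine:
    def __init__(self, normalizers: Dict[str, NormalizationFn], rules: List[EngineRule]):
        self.units = [InferenceUnit(r, normalizers) for r in rules]
        self.required = {c.feature for r in rules for c in r.conditions}

    def score_of_anomaly(self, features: Dict[str, float]) -> float:
        """`features` must be one synchronized snapshot (same time window);
        a partial snapshot is refused rather than scored against stale data."""
        missing = self.required - features.keys()
        if missing:
            raise ValueError(f"unsynchronized snapshot, missing {sorted(missing)}")
        return max(unit.score(features) for unit in self.units)  # assumed aggregation: max


def build_demo_engine() -> SecurityDecisionEngine:
    """Constructed demo: two flow features with constructed thresholds, three rules."""
    normalizers = {
        "req_rate": level_normalizer(100.0, 1000.0),  # requests per second
        "err_ratio": level_normalizer(0.05, 0.5),     # share of error responses
    }
    rules = [
        EngineRule((Condition("req_rate", "at_least", "high"),
                    Condition("err_ratio", "at_least", "medium")), "AND", 1.0),
        EngineRule((Condition("req_rate", "is", "high"),), "AND", 0.6),
        EngineRule((Condition("err_ratio", "is", "high"),), "AND", 0.5),
    ]
    return SecurityDecisionEngine(normalizers, rules)


if __name__ == "__main__":
    sde = build_demo_engine()
    for snapshot in ({"req_rate": 50.0, "err_ratio": 0.01},
                     {"req_rate": 775.0, "err_ratio": 0.01},
                     {"req_rate": 1000.0, "err_ratio": 0.5}):
        print(snapshot, "-> SoA", round(sde.score_of_anomaly(snapshot), 3))
```

Because the three levels partition each feature's range, a single raw value such as 775 requests per second is simultaneously 0.5 "medium" and 0.5 "high", so rules fire partially rather than flipping at a threshold; the rule set and thresholds here are placeholders and would be tuned to the protected entity's baseline.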
22 Claims
14. A system for generating a security decision engine (SDE) operable in a cyber-security system to receive information about data flows in a network, comprising:
a processing device; and
a memory device, the memory device containing instructions that, when executed by the processing device, cause the system to:
select, based on at least one input feature indicating an attribute of a behavior to be evaluated, at least one normalization function from an available plurality of normalization functions, wherein the at least one input feature defines an attribute of a data flow to be evaluated by the SDE, wherein the normalization function is a function applied to the input feature data to yield behavioral levels and generate respective degrees of membership;
in response to the selection of the input feature, prompt a user of the cyber-security system to program at least one engine rule to describe an anomaly that the SDE should monitor, evaluate, and detect anomalies, wherein the set of rules are programmed by selecting a logical operator and a value operator;
receive at least one engine rule describing an anomaly to be evaluated, wherein each engine rule defines the at least one input feature and a set of logical conditions to be applied to behavioral levels of the at least one input feature;
in response to programming the at least one engine rule, create an inference system including at least one inference unit that implements the normalization function and a process in which the behavioral level scores are projected into output functions, wherein each inference unit is determined based on one of the received at least one engine rule and to compute a score of anomaly (SoA) based on the at least one input feature; and
execute the SDE after the inference system is created to compute the SoA based on at least one input feature, wherein input features fed into the SDE are synchronized to detect and mitigate an on-going attack campaign.