Cognitive information security using a behavioral recognition system
5 Assignments
0 Petitions
Abstract
Embodiments presented herein describe a method for processing streams of data of one or more networked computer systems. According to one embodiment of the present disclosure, an ordered stream of normalized vectors corresponding to information security data obtained from one or more sensors monitoring a computer network is received. A neuro-linguistic model of the information security data is generated by clustering the ordered stream of vectors and assigning a letter to each cluster, outputting an ordered sequence of letters based on a mapping of the ordered stream of normalized vectors to the clusters, building a dictionary of words from the ordered output of letters, outputting an ordered stream of words based on the ordered output of letters, and generating a plurality of phrases based on the ordered output of words.
111 Citations
15 Claims
1. A computer-implemented method for processing streams of information security data from one or more networked computer systems, the method comprising:
receiving at least one ordered stream of normalized vectors corresponding to information security data obtained from one or more sensors monitoring a computer network;
processing, via a neuro-linguistic model, the at least one ordered stream of normalized vectors, the neuro-linguistic model including a plurality of letters, a dictionary of words, and a plurality of phrases;
generating, via the neuro-linguistic model, an ordered sequence of letters based on the at least one ordered stream of normalized vectors, an ordered stream of words based on the ordered sequence of letters, and at least one phrase based on the ordered stream of words;
dynamically updating the plurality of letters, the dictionary of words, and the plurality of phrases based on the generated ordered sequence of letters, the ordered stream of words, and the at least one phrase;
evaluating at least one of the updated plurality of letters, dictionary of words, and plurality of phrases to determine an unusualness score; and
publishing an alert based on the unusualness score, the alert indicating malicious activity associated with the information security data.
Dependent claims: 2, 3, 4, 5, 6

7. A non-transitory computer-readable storage medium storing computer-executable instructions, which, when executed on a processor, performs an operation for processing streams of data of one or more networked computer systems, the computer-executable instruction comprising instructions to:
receive at least one ordered stream of normalized vectors corresponding to information security data obtained from one or more sensors monitoring a computer network;
process, via a neuro-linguistic model, the at least one ordered stream of normalized vectors, the neuro-linguistic model including a plurality of letters, a dictionary of words, and a plurality of phrases;
generate, via the neuro-linguistic model, an ordered sequence of letters based on the at least one ordered stream of normalized vectors, an ordered stream of words based on the ordered sequence of letters, and at least one phrase based on the ordered stream of words;
dynamically update the plurality of letters, the dictionary of words, and the plurality of phrases based on the generated ordered sequence of letters, the ordered stream of words, and the at least one phrase;
evaluate at least one of the updated plurality of letters, dictionary of words, and plurality of phrases to determine an unusualness score; and
publish an alert based on the unusualness score, the alert indicative of malicious activity.
Dependent claims: 8, 9, 10, 11, 12

13. A system, comprising:
a processor; and
a memory in communication with the processor and storing one or more application programs configured to perform an operation for processing streams of data of one or more networked computer systems, the one or more application programs comprising instructions for the processor to:
receive at least one ordered stream of normalized vectors corresponding to information security data obtained from one or more sensors monitoring a computer network;
process, via a neuro-linguistic model, the at least one ordered stream of normalized vectors, the neuro-linguistic model including a plurality of letters, a dictionary of words, and a plurality of phrases;
generate, via the neuro-linguistic model, an ordered sequence of letters based on the at least one ordered stream of normalized vectors, an ordered stream of words based on the ordered sequence of letters, and at least one phrase based on the ordered stream of words;
dynamically update the plurality of letters, the dictionary of words, and the plurality of phrases based on the generated ordered sequence of letters, the ordered stream of words, and the at least one phrase;
evaluate at least one of the updated plurality of letters, dictionary of words, and plurality of phrases to determine an unusualness score; and
publish a malicious activity alert based on the unusualness score.
Dependent claims: 14, 15

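The abstract and the three independent claims above describe one pipeline: normalized sensor vectors are clustered into letters, runs of letters form words in a dictionary, runs of words form phrases, all three levels keep updating as the stream arrives, and an unusualness score evaluated over them drives an alert. The Python below is an added illustrative example of that pipeline in miniature; it is not the patent's or the assignee's implementation. The clustering radius, the fixed-length segmentation of words and phrases (the patent learns its dictionary rather than chunking at a fixed length), the frequency-based rarity score, the 0.9 alert threshold, the per-feature scales used for normalization and the sample sensor stream are all assumptions made for this demo.

```python
"""Added illustrative example of the letters -> words -> phrases pipeline in the abstract
and claims. Not the patent's or the assignee's code: the clustering radius, fixed-length
word/phrase segmentation, rarity score, alert threshold, feature scales and the sample
stream are all assumptions made for the demo."""
from collections import Counter
import math

# Assumed per-window scale for (bytes_out, new_connections, failed_logins); constructed.
CAPS = (1_000_000, 200, 50)


def normalize(raw):
    """Min-max scale a raw sensor reading into the unit cube: the 'normalized vector'."""
    return tuple(min(x / cap, 1.0) for x, cap in zip(raw, CAPS))


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class NeuroLinguisticModel:
    """Online model: a letter is a cluster of vectors, a word is a fixed-length run of
    letters, a phrase is a fixed-length run of words. Every level is updated as data
    streams in and keeps frequency counts that feed the unusualness score."""

    def __init__(self, radius=0.2, word_len=3, phrase_len=2):
        self.radius = radius          # assumed: max distance for a vector to join a cluster
        self.word_len = word_len      # assumed segmentation (the patent learns its dictionary)
        self.phrase_len = phrase_len
        self.centroids, self.sizes = [], []   # plurality of letters (index -> letter)
        self.letters = Counter()
        self.words = Counter()        # dictionary of words
        self.phrases = Counter()      # plurality of phrases
        self._lbuf, self._wbuf = [], []
        self.seen = 0

    def _letter(self, vec):
        """Nearest-centroid assignment; spawn a new letter when nothing is close enough."""
        best = min(range(len(self.centroids)),
                   key=lambda i: _dist(vec, self.centroids[i]), default=None)
        if best is None or _dist(vec, self.centroids[best]) > self.radius:
            self.centroids.append(list(vec))
            self.sizes.append(1)
            best = len(self.centroids) - 1
        else:
            self.sizes[best] += 1
            n = self.sizes[best]      # running-mean centroid update: the letter itself drifts
            self.centroids[best] = [m + (x - m) / n for m, x in zip(self.centroids[best], vec)]
        return chr(ord("A") + best)   # demo assumes fewer than 26 clusters

    def observe(self, vec):
        """Consume one normalized vector; return (letter, word or None, phrase or None, score)."""
        self.seen += 1
        letter = self._letter(vec)
        self.letters[letter] += 1
        self._lbuf.append(letter)
        word = phrase = None
        if len(self._lbuf) == self.word_len:
            word = "".join(self._lbuf)
            self._lbuf.clear()
            self.words[word] += 1
            self._wbuf.append(word)
            if len(self._wbuf) == self.phrase_len:
                phrase = " ".join(self._wbuf)
                self._wbuf.clear()
                self.phrases[phrase] += 1
        return letter, word, phrase, self.unusualness(letter, word, phrase)

    def unusualness(self, letter, word=None, phrase=None):
        """Rarity in [0, 1] of the symbols just updated (1 - relative frequency), taking the
        maximum over whichever of the three levels fired on this observation."""
        scores = [1 - self.letters[letter] / self.seen]
        if word is not None:
            scores.append(1 - self.words[word] / sum(self.words.values()))
        if phrase is not None:
            scores.append(1 - self.phrases[phrase] / sum(self.phrases.values()))
        return max(scores)


def run_stream(model, raw_stream, threshold=0.9):
    """Feed raw sensor readings through the model and 'publish' an alert dict for each
    observation whose unusualness exceeds the (assumed) threshold."""
    alerts = []
    for raw in raw_stream:
        letter, word, phrase, score = model.observe(normalize(raw))
        if score > threshold:
            alerts.append({"t": model.seen, "letter": letter, "word": word,
                           "phrase": phrase, "score": round(score, 3)})
    return alerts


# Constructed sample: 30 cycles of a quiet window and a busy-but-normal window, then three
# windows of heavy outbound traffic together with a burst of failed logins.
QUIET = (100_000, 20, 0)
BUSY = (300_000, 50, 0)
SUSPECT = (950_000, 180, 50)
SAMPLE_STREAM = [QUIET, BUSY] * 30 + [SUSPECT] * 3


def demo():
    model = NeuroLinguisticModel()
    return model, run_stream(model, SAMPLE_STREAM)


if __name__ == "__main__":
    m, found = demo()
    print(f"letters={len(m.centroids)} words={dict(m.words)} phrases={dict(m.phrases)}")
    for a in found:
        print("ALERT", a)
```

Run stand-alone, the block learns two letters, two words and one phrase from the sixty normal windows and raises three alerts, all on the constructed burst at the end: the first suspect window spawns a third letter whose rarity is close to 1, and by the third window the new word "CCC" is rare as well. The normal windows never score above 0.5 because each of their letters, words and phrases recurs constantly. The caveat worth taking from the "dynamically updating" step is visible in the counters: because the model keeps learning, a behaviour that an attacker repeats often enough will see its rarity decay toward the baseline, so the threshold, the update rate and the analyst review loop have to be tuned together rather than in isolation.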
Specification