Cognitive information security using a behavioral recognition system

US 9,973,523 B2
Filed: 11/29/2016
Issued: 05/15/2018
Est. Priority Date: 08/09/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for processing streams of information security data from one or more networked computer systems, the method comprising:

receiving at least one ordered stream of normalized vectors corresponding to information security data obtained from one or more sensors monitoring a computer network;

processing, via a neuro-linguistic model, the at least one ordered stream of normalized vectors, the neuro-linguistic model including a plurality of letters, a dictionary of words, and a plurality of phrases;

generating, via the neuro-linguistic model, an ordered sequence of letters based on the at least one ordered stream of normalized vectors, an ordered stream of words based on the ordered sequence of letters, and at least one phrase based on the ordered stream of words;

dynamically updating the plurality of letters, the dictionary of words, and the plurality of phrases based on the generated ordered sequence of letters, the ordered stream of words, and the at least one phrase;

evaluating at least one of the updated plurality of letters, dictionary of words, and plurality of phrases to determine an unusualness score; and

publishing an alert based on the unusualness score, the alert indicating malicious activity associated with the information security data.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments presented herein describe a method for processing streams of data of one or more networked computer systems. According to one embodiment of the present disclosure, an ordered stream of normalized vectors corresponding to information security data obtained from one or more sensors monitoring a computer network is received. A neuro-linguistic model of the information security data is generated by clustering the ordered stream of vectors and assigning a letter to each cluster, outputting an ordered sequence of letters based on a mapping of the ordered stream of normalized vectors to the clusters, building a dictionary of words from of the ordered output of letters, outputting an ordered stream of words based on the ordered output of letters, and generating a plurality of phrases based on the ordered output of words.

111 Citations

15 Claims

1. A computer-implemented method for processing streams of information security data from one or more networked computer systems, the method comprising:
- receiving at least one ordered stream of normalized vectors corresponding to information security data obtained from one or more sensors monitoring a computer network;
  
  processing, via a neuro-linguistic model, the at least one ordered stream of normalized vectors, the neuro-linguistic model including a plurality of letters, a dictionary of words, and a plurality of phrases;
  
  generating, via the neuro-linguistic model, an ordered sequence of letters based on the at least one ordered stream of normalized vectors, an ordered stream of words based on the ordered sequence of letters, and at least one phrase based on the ordered stream of words;
  
  dynamically updating the plurality of letters, the dictionary of words, and the plurality of phrases based on the generated ordered sequence of letters, the ordered stream of words, and the at least one phrase;
  
  evaluating at least one of the updated plurality of letters, dictionary of words, and plurality of phrases to determine an unusualness score; and
  
  publishing an alert based on the unusualness score, the alert indicating malicious activity associated with the information security data.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein updating the plurality of letters, the dictionary of words, and the plurality of phrases includes:
    - comparing the generated ordered sequence of letters, the ordered stream of words, and the at least one phrase against the plurality of letters, the dictionary of words, and the plurality of phrases in the existing neuro-linguistic model.
  - 3. The method of claim 1, wherein the unusualness score is determined based on a frequency of each of the generated ordered sequence of letters, the ordered stream of words, and the at least one phrase, respectively, in the plurality of letters, the dictionary of words, and the plurality of phrases of the neuro-linguistic model.
  - 4. The method of claim 1, wherein the each value of the information security data associated with the at least one ordered stream of normalized vectors is normalized to a value within a range of 0 to 1, inclusive.
  - 5. The method of claim 1, wherein the information security data comprises network packet traffic information, disk mount event information, or security log data.
  - 6. The method of claim 1, wherein the dictionary of words comprises words up to a maximum length of letters.

7. A non-transitory computer-readable storage medium storing computer-executable instructions, which, when executed on a processor, performs an operation for processing streams of data of one or more networked computer systems, the computer-executable instruction comprising instructions to:
- receive at least one ordered stream of normalized vectors corresponding to information security data obtained from one or more sensors monitoring a computer network;
  
  process, via a neuro-linguistic model, the at least one ordered stream of normalized vectors, the neuro-linguistic model including a plurality of letters, a dictionary of words, and a plurality of phrases;
  
  generate, via the neuro-linguistic model, an ordered sequence of letters based on the at least one ordered stream of normalized vectors, an ordered stream of words based on the ordered sequence of letters, and at least one phrase based on the ordered stream of words;
  
  dynamically update the plurality of letters, the dictionary of words, and the plurality of phrases based on the generated ordered sequence of letters, the ordered stream of words, and the at least one phrase;
  
  evaluate at least one of the updated plurality of letters, dictionary of words, and plurality of phrases to determine an unusualness score; and
  
  publish an alert based on the unusualness score, the alert indicative of malicious activity.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The non-transitory computer-readable storage medium of claim 7, wherein the computer-executable instructions to update the plurality of letters, the dictionary of words, and the plurality of phrases comprises instructions to:
    - compare the generated ordered sequence of letters, the ordered stream of words, and the at least one phrase against the plurality of letters, the dictionary of words, and the plurality of phrases in the existing neuro-linguistic model.
  - 9. The non-transitory computer-readable storage medium of claim 8, wherein the unusualness score is determined based on a frequency of each of the generated ordered sequence of letters, the ordered stream of words, and the at least one phrase, respectively, in the plurality of letters, the dictionary of words, and the plurality of phrases of the neuro-linguistic model.
  - 10. The non-transitory computer-readable storage medium of claim 7, wherein the each value of the information security data associated with the at least one stream of normalized vectors is normalized to a value within a range of 0 to 1, inclusive.
  - 11. The non-transitory computer-readable storage medium of claim 7, wherein the information security data comprises network packet traffic information, disk mount event information, or security log data.
  - 12. The non-transitory computer-readable storage medium of claim 7, wherein building the dictionary comprises building a dictionary of words up to a maximum length of letters.

13. A system, comprising:
- a processor; and
  
  a memory in communication with the processor and storing one or more application programs configured to perform an operation for processing streams of data of one or more networked computer systems, the one or more application programs comprising instructions for the processor to;
  
  receive at least one ordered stream of normalized vectors corresponding to information security data obtained from one or more sensors monitoring a computer network;
  
  process, via a neuro-linguistic model, the at least one ordered stream of normalized vectors, the neuro-linguistic model including a plurality of letters, a dictionary of words, and a plurality of phrases;
  
  generate, via the neuro-linguistic model, an ordered sequence of letters based on the at least one ordered stream of normalized vectors, an ordered stream of words based on the ordered sequence of letters, and at least one phrase based on the ordered stream of words;
  
  dynamically update the plurality of letters, the dictionary of words, and the plurality of phrases based on the generated ordered sequence of letters, the ordered stream of words, and the at least one phrase;
  
  evaluate at least one of the updated plurality of letters, dictionary of words, and plurality of phrases to determine an unusualness score; and
  
  publish a malicious activity alert based on the unusualness score.
- View Dependent Claims (14, 15)
- - 14. The system of claim 13, wherein the instructions for the processor to update the plurality of letters, the dictionary of words, and the plurality of phrases comprises instructions to:
    - compare the generated ordered sequence of letters, the ordered stream of words, and the at least one phrase against the plurality of letters, the dictionary of words, and the plurality of phrases in the existing neuro-linguistic model.
  - 15. The system of claim 14, wherein the unusualness score is determined based on a frequency of each of the generated ordered sequence of letters, the ordered stream of words, and the at least one phrase, respectively, in the plurality of letters, the dictionary of words, and the plurality of phrases of the neuro-linguistic model.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellective Ai, Inc.
Original Assignee
Omni AI, Inc.
Inventors
Cobb, Wesley Kenneth, Seow, Ming-Jung, Cole, Jr., Curtis Edward, Falcon, Cody Shay, Konosky, Benjamin A., Morgan, Charles Richard, Poffenberger, Aaron, Nguyen, Thong Toan
Primary Examiner(s)
Dada, Beemnet
Assistant Examiner(s)
GUNDRY, STEPHEN T

Application Number

US15/363,871
Publication Number

US 20170163672A1
Time in Patent Office

532 Days
Field of Search
US Class Current
CPC Class Codes

G06F 40/226   Validation

G06F 40/242   Dictionaries

G06F 40/247   Thesauruses; Synonyms

G06F 40/253   Grammatical analysis; Style...

G06F 40/284   Lexical analysis, e.g. toke...

G06F 40/289   Phrasal analysis, e.g. fini...

G06F 40/30   Semantic analysis

G06F 40/40   Processing or translation o...

G06N 20/00   Machine learning

G06N 3/0409   Adaptive resonance theory [...

G06N 3/042   Knowledge-based neural netw...

G06N 3/088   Non-supervised learning, e....

G06N 5/022   Knowledge engineering; Know...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

Cognitive information security using a behavioral recognition system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

111 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

Cognitive information security using a behavioral recognition system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

111 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others