Cyber security

US 10,268,821 B2
Filed: 08/03/2015
Issued: 04/23/2019
Est. Priority Date: 08/04/2014
Status: Active Grant

First Claim

Patent Images

1. A method for detection of a cyber-threat to a computer system, the method arranged to be performed by a processing apparatus, the method comprising:

receiving input data associated with a first entity associated with the computer system;

deriving metrics from the received input data from probes in the computer system, the derived metrics representative of characteristics of the received input data;

analyzing the derived metrics using one or more models that include a first model, which is a self-learning model trained on a normal behavior of at least the first entity associated with the computing system, where the self-learning model of normal behavior uses a non-frequentist architecture that is continuously updated, where the self-learning model of normal behavior is updated when new input data is received that is deemed within the limits of normal behavior, where a normal behavior threshold is used by the model as a moving benchmark of parameters that correspond to a normal pattern of life for the computing system, and the normal behavior threshold is varied according to the updated changes in the computer system allowing the model to spot behavior on the computing system that falls outside the parameters set by the moving benchmark;

comparing the analyzed metrics received from the probes to the moving benchmark of parameters that correspond to the normal pattern of life for the computing system used by the self-learning model; and

determining, in accordance with the analyzed metrics and the moving benchmark used by the self-learning model of normal behavior, a cyber-threat risk parameter indicative of a likelihood of a cyber-threat.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein is a method for detection of a cyber-threat to a computer system. The method is arranged to be performed by a processing apparatus. The method comprises receiving input data associated with a first entity associated with the computer system, deriving metrics from the input data, the metrics representative of characteristics of the received input data, analyzing the metrics using one or more models, and determining, in accordance with the analyzed metrics and a model of normal behavior of the first entity, a cyber-threat risk parameter indicative of a likelihood of a cyber-threat. A computer readable medium, a computer program and a threat detection system are also disclosed.

37 Citations

View as Search Results

17 Claims

1. A method for detection of a cyber-threat to a computer system, the method arranged to be performed by a processing apparatus, the method comprising:
- receiving input data associated with a first entity associated with the computer system;
  
  deriving metrics from the received input data from probes in the computer system, the derived metrics representative of characteristics of the received input data;
  
  analyzing the derived metrics using one or more models that include a first model, which is a self-learning model trained on a normal behavior of at least the first entity associated with the computing system, where the self-learning model of normal behavior uses a non-frequentist architecture that is continuously updated, where the self-learning model of normal behavior is updated when new input data is received that is deemed within the limits of normal behavior, where a normal behavior threshold is used by the model as a moving benchmark of parameters that correspond to a normal pattern of life for the computing system, and the normal behavior threshold is varied according to the updated changes in the computer system allowing the model to spot behavior on the computing system that falls outside the parameters set by the moving benchmark;
  
  comparing the analyzed metrics received from the probes to the moving benchmark of parameters that correspond to the normal pattern of life for the computing system used by the self-learning model; and
  
  determining, in accordance with the analyzed metrics and the moving benchmark used by the self-learning model of normal behavior, a cyber-threat risk parameter indicative of a likelihood of a cyber-threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method according to claim 1, wherein the received input data includes data relating to activity on the computer system associated with the first entity.
  - 3. The method according to claim 2, wherein the derived metrics are derived from header analysis on an Internet Layer protocol level of the computer system.
  - 4. The method according to claim 1, wherein the derived metrics reflect a usage of the computer system by the first entity over a period of time.
  - 5. The method according to claim 4, wherein the derived metrics are network traffic related metrics associated with activity of the first entity on the computer system.
  - 6. The method according to claim 1, further comprising selecting the plurality of metrics from a range of possible metrics before deriving the plurality of metrics.
  - 7. The method according to claim 1, wherein the one or more models include a second model arranged to analyze data for detecting a first type of threat and a third model arranged to analyzed data for detecting a second type of threat.
  - 8. The method according to claim 1, wherein the cyber-threat risk parameter is a probability of the likelihood of a threat, where results of the cyber-threat risk parameter are projected on a 3D graphical user interface that conveys cyber threats across a packet flow and connection topology corresponding to the computing system.
  - 9. The method according to claim 8, wherein the probability is determined using a recursive Bayesian estimation.
  - 10. The method according to claim 1, further comprising:
    - predicting an expected behavior of the first entity of the computing system based on the self-learning model of normal behavior, wherein the determining the cyber-threat risk parameter comprises comparing the analyzed metrics with the predicted expected behavior and whether parameters of the analyzed metrics fall outside the parameters set by the moving benchmark.
  - 11. The method according to claim 10, further comprising:
    - receiving input data on information on and activities from a plurality of probes from of all three of i) one or more users of the computing system, ii) machine individual activity, and iii) interaction activities between two or more machines in the computing system in order to determine patterns in the information and activities to build an understanding of what is normal behavior at any given time in order to be able to detect for changes in behavior from both
      
      1) humans using the computing system, as well as
      
      2) the machine activities within the computing system, and the interaction activities between two or more machines in the computing system, wherein derivatives of metrics from these patterns are used as the parameters for the moving threshold.
  - 12. The method according to claim 11, further comprising:
    - comparing the analyzed metrics to the predicted behavior of the first entity based on the model of normal behavior of at least the first entity associated with the computing system, where the predicted behavior of the first entity based on the model includes at least one of detecting a change in a pattern in any of
      
           1) information,
      
           2) activity, or a
      
           3) combination of both in the computer system in order to be able to detect both a change in behavior of a user using the computing system as well as a change in behavior of machine.
  - 13. The method according to claim 1, further comprising receiving input data associated with a second entity, wherein the determining the cyber-threat risk parameter comprises taking the input data associated with the second entity into consideration.
  - 14. The method according to claim 1, wherein the entity is:
    - a user of the computer system;
      
      or a device forming part of the computer system;
      
      or part of an industrial control system connected to or forming part of the computer system.
  - 15. The method according to claim 1, wherein the computer system is a network of computing devices.

16. A non-transitory computer readable medium comprising:
- computer readable code operable, when executed by or more processing apparatuses in a computer system to instruct a computing device to perform a method for detection of a cyber-threat to the computer system, the method comprising;
  
  receiving input data associated with a first entity associated with the computer system;
  
  deriving metrics from the received input data from probes in the computer system, the derived metrics representative of characteristics of the received input data;
  
  analyzing the derived metrics using one or more models that include a first model, which is a self-learning model trained on a normal behavior of at least the first entity associated with the computing system, where the self-learning model of normal behavior uses a non-frequentist architecture that is continuously updated, where the self-learning model of normal behavior is updated when new input data is received that is deemed within the limits of normal behavior, where a normal behavior threshold is used by the model as a moving benchmark of parameters that correspond to a normal pattern of life for the computing system, and the normal behavior threshold is varied according to the updated changes in the computer system allowing the model to spot behavior on the computing system that falls outside the parameters set by the moving benchmark;
  
  comparing the analyzed metrics received from the probes to the moving benchmark of parameters that correspond to the normal pattern of life for the computing system used by the self-learning model; and
  
  determining, in accordance with the analyzed metrics and the moving benchmark used by the self-learning model of normal behavior, a cyber-threat risk parameter indicative of a likelihood of a cyber-threat.

17. A threat detection system comprising a processor and a non-transitory memory comprising computer readable code, where the processor is configured to execute the computer readable code in the non-transitory memory to instruct devices in a threat detection system to perform a method for detection of a cyber-threat to the computer system, the method comprising:
- receiving input data associated with a first entity associated with the computer system;
  
  deriving metrics from the received input data from probes in the computer system, the derived metrics representative of characteristics of the received input data;
  
  analyzing the derived metrics using one or more models that include a first model, which is a self-learning model trained on a normal behavior of at least the first entity associated with the computing system, where the self-learning model of normal behavior uses a non-frequentist architecture that is continuously updated, where the self-learning model of normal behavior is updated when new input data is received that is deemed within the limits of normal behavior, where a normal behavior threshold is used by the model as a moving benchmark of parameters that correspond to a normal pattern of life for the computing system, and the normal behavior threshold is varied according to the updated changes in the computer system allowing the model to spot behavior on the computing system that falls outside the parameters set by the moving benchmark;
  
  comparing the analyzed metrics received from the probes to the moving benchmark of parameters that correspond to the normal pattern of life for the computing system used by the self-learning model; and
  
  determining, in accordance with the analyzed metrics and the moving benchmark used by the self-learning model of normal behavior, a cyber-threat risk parameter indicative of a likelihood of a cyber-threat.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Darktrace Holdings Limited
Original Assignee
Darktrace Limited
Inventors
Stockdale, Jack, Markham, Alex
Primary Examiner(s)
Lewis, Lisa C

Application Number

US15/501,135
Publication Number

US 20170220801A1
Time in Patent Office

1,359 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

H04L 41/069   using logs of notifications...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

Cyber security

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Cyber security

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links