System and method to detect threats to computer based devices and systems
First Claim
1. A method for detecting a threat of a computing system, the method comprising:
receiving, by at least one computer, a plurality of instances of input data from at least one sensor;
generating a first feature vector and a second feature vector based upon at least one instance of the plurality of instances of input data;
sending the first feature vector and the second feature vector to a model training component of the at least one computer to train at least one threat assessment model of a plurality of threat assessment models;
determining, based at least in part on a type of the input data, a first base model operable on the first feature vector and a second base model operable on the second feature vector, wherein the first base model accepts a different type of data than the second base model;
generating a first threat assessment score for the first feature vector and the second feature vector using the determined first base model and the second base model;
determining at least one intermediate model that receives one or more scores from at least one of the first base model and the second base model, based at least in part on the type of the input data;
generating, by a classifier of the at least one computer, a second threat assessment score using the at least one intermediate model based on the first threat assessment score;
assigning a threat assignment to the at least one instance of input data based on the second threat assessment score; and
disseminating the threat assignment and at least one of the first threat assessment score and the second threat assessment score, wherein the threat assignment is used to determine whether to employ a countermeasure.
Abstract
Aspects of the present disclosure relate to systems and methods for detecting a threat of a computing system. In one aspect, a plurality of instances of input data may be received from at least one sensor. A feature vector based upon at least one instance of the plurality of instances of input data may be generated. The feature vector may be sent to a classifier component, where a threat assessment score is determined for the feature vector. The threat assessment score may be determined by combining information associated with the plurality of instances of input data. A threat assignment may be assigned to the at least one instance of data based on the determined threat assessment score. The threat assignment and threat assessment score may be disseminated.
20 Claims
9. A non-transitory computer storage medium encoding computer executable instructions that, when executed by at least one processor, perform a method for detecting a threat of a computing system, the method comprising:
receiving, by at least one computer, a plurality of instances of input data from at least one sensor;
generating a first feature vector and a second feature vector based upon at least one instance of the plurality of instances of input data;
sending the first feature vector and the second feature vector to a model training component of the at least one computer to train at least one threat assessment model of a plurality of threat assessment models;
determining, based at least in part on a type of the input data, a first base model operable on the first feature vector and a second base model operable on the second feature vector, wherein the first base model accepts a different type of data than the second base model;
generating a first threat assessment score for the first feature vector and the second feature vector using the determined first base model and the second base model;
determining at least one intermediate model that receives one or more scores from the at least one of the first base model and the second base model, based at least in part on the type of the input data;
generating, by a classifier of the at least one computer, a second threat assessment score using the at least one intermediate model based on the first threat assessment score;
when the second threat assessment score is above a first predetermined threshold value or below a second predetermined threshold value, automatically assigning a threat assignment to the at least one instance based on the second threat assessment score; and
disseminating the threat assignment and at least one of the first threat assessment score and the second threat assessment score, wherein the threat assignment is used to determine whether to employ a countermeasure.
18. A system comprising:
at least one processor; and
memory encoding computer executable instructions that, when executed by the at least one processor, perform a method for detecting a threat of a computing system, the method comprising:
receiving, by at least one computer, a plurality of instances of input data from at least one sensor;
generating a first feature vector and a second feature vector based upon at least one instance of the plurality of instances of input data;
determining whether the at least one instance of input data has a threat assignment;
when the at least one instance of input data has a threat assignment, sending the threat assignment and at least one of the first feature vector and the second feature vector to a threat assignment dissemination component of the at least one computer; and
when the at least one instance of input data does not have a threat assignment:
sending the first feature vector and the second feature vector to a model training component of the at least one computer to train at least one threat assessment model of a plurality of threat assessment models;
determining, based at least in part on a type of the input data, a first base model operable on the first feature vector and a second base model operable on the second feature vector, wherein the first base model accepts a different type of data than the second base model;
generating a first threat assessment score for the first feature vector and the second feature vector using the determined first base model and the second base model;
determining at least one intermediate model that receives one or more scores from at least one of the first base model and the second base model, based at least in part on the type of the input data;
generating, by a classifier of the at least one computer, a second threat assessment score using the at least one intermediate model based on the first threat assessment score;
automatically assigning a threat assignment to the at least one instance of input data based on the second threat assessment score; and
disseminating the threat assignment and at least one of the first threat assessment score and the second threat assessment score, wherein the threat assignment is used to determine whether to employ a countermeasure.
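The flow recited in claims 1, 9 and 18, shown as an added Python example that is not taken from the patent or from any implementation of it. The feature extractors, both base models, the weighted-mean intermediate model, the API watchlist and the 0.8/0.2 thresholds are constructed assumptions, as is leaving a mid-range score without an automatic assignment.

```python
import math
from collections import Counter

# Every model, weight, watchlist entry and threshold below is a constructed assumption.
HIGH, LOW = 0.8, 0.2
WATCHLIST = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}

def features(instance):
    """Build two feature vectors of different kinds from one input instance."""
    data = instance["bytes"]
    n = len(data) or 1
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return [entropy / 8.0, min(n / 4096, 1.0)], list(instance["imports"])

def numeric_model(vec):
    """First base model: accepts a numeric vector."""
    return 1 / (1 + math.exp(-(6.0 * vec[0] - 3.0)))

def token_model(tokens):
    """Second base model: accepts a list of strings."""
    return len(WATCHLIST & set(tokens)) / len(WATCHLIST)

def weighted_mean(scores):
    """Intermediate model: consumes the base-model scores."""
    return 0.4 * scores[0] + 0.6 * scores[1]

# Base and intermediate models are looked up by the type of the input data.
BASE_MODELS = {"executable": (numeric_model, token_model)}
INTERMEDIATE = {"executable": weighted_mean}

def assess(instance, training_queue, outbox):
    fv1, fv2 = features(instance)
    if instance.get("assignment"):          # claim 18: already has an assignment
        outbox.append({"assignment": instance["assignment"], "features": fv1})
        return outbox[-1]
    training_queue.append((fv1, fv2))       # handed to the model training component
    m1, m2 = BASE_MODELS[instance["type"]]
    first = (m1(fv1), m2(fv2))              # first threat assessment scores
    second = INTERMEDIATE[instance["type"]](first)
    # Claim 9: assign automatically only outside the band between the thresholds.
    assignment = "malicious" if second > HIGH else "benign" if second < LOW else None
    outbox.append({"assignment": assignment, "first": first, "second": second})
    return outbox[-1]

if __name__ == "__main__":
    queue, out = [], []
    sample = {"type": "executable", "bytes": bytes(range(256)) * 4,  # constructed input
              "imports": ["VirtualAllocEx", "CreateFileW"]}
    print(assess(sample, queue, out))
```

The `outbox` list stands in for the dissemination component; a consumer of it would decide on a countermeasure from the assignment and the accompanying scores.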
Specification