System and method to detect threats to computer based devices and systems

US 10,284,570 B2
Filed: 07/24/2014
Issued: 05/07/2019
Est. Priority Date: 07/24/2013
Status: Active Grant

First Claim

Patent Images

1. A method for detecting a threat of a computing system, the method comprising:

receiving, by at least one computer, a plurality of instances of input data from at least one sensor;

generating a first feature vector and a second feature vector based upon at least one instance of the plurality of instances of input data;

sending the first feature vector and the second feature vector to a model training component of the at least one computer to train at least one threat assessment model of a plurality of threat assessment models;

determining, based at least in part on a type of the input data, a first base model operable on the first feature vector and a second base model operable on the second feature vector, wherein the first base model accepts a different type of data than the second base model;

generating a first threat assessment score for the first feature vector and the second feature vector using the determined first base model and the second base model;

determining at least one intermediate model that receives one or more scores from at least one of the first base model and the second base model, based at least in part on the type of the input data;

generating, by a classifier of the at least one computer, a second threat assessment score using the at least one intermediate model based on the first threat assessment score;

assigning a threat assignment to the at least one instance of input data based on the second threat assessment score; and

disseminating the threat assignment and at least one of the first threat assessment score and the second threat assessment score, wherein the threat assignment is used to determine whether to employ a countermeasure.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Aspects of the present disclosure relate to systems and methods for detecting a threat of a computing system. In one aspect, a plurality of instances of input data may be received from at least one sensor. A feature vector based upon at least one instance of the plurality of instances of input data may be generated. The feature vector may be sent to a classifier component, where a threat assessment score is determined for the feature vector. The threat assessment score may be determined by combining information associated with the plurality of instances of input data. A threat assignment may be assigned to the at least one instance of data based on the determined threat assessment score. The threat assignment and threat assessment score may be disseminated.

Citations

20 Claims

1. A method for detecting a threat of a computing system, the method comprising:
- receiving, by at least one computer, a plurality of instances of input data from at least one sensor;
  
  generating a first feature vector and a second feature vector based upon at least one instance of the plurality of instances of input data;
  
  sending the first feature vector and the second feature vector to a model training component of the at least one computer to train at least one threat assessment model of a plurality of threat assessment models;
  
  determining, based at least in part on a type of the input data, a first base model operable on the first feature vector and a second base model operable on the second feature vector, wherein the first base model accepts a different type of data than the second base model;
  
  generating a first threat assessment score for the first feature vector and the second feature vector using the determined first base model and the second base model;
  
  determining at least one intermediate model that receives one or more scores from at least one of the first base model and the second base model, based at least in part on the type of the input data;
  
  generating, by a classifier of the at least one computer, a second threat assessment score using the at least one intermediate model based on the first threat assessment score;
  
  assigning a threat assignment to the at least one instance of input data based on the second threat assessment score; and
  
  disseminating the threat assignment and at least one of the first threat assessment score and the second threat assessment score, wherein the threat assignment is used to determine whether to employ a countermeasure.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the threat assignment is assigned to the at least one instance of input data by determining whether the second threat assessment score is above a first predetermined threshold or below a second predetermined threshold value.
  - 3. The method of claim 2, wherein a positive threat assignment is assigned to the at least one instance of input data when the second threat assessment score is above the first predetermined threshold, and wherein a negative threat assignment is assigned to the at least one instance of input data when the second threat assessment score is below the second predetermined threshold.
  - 4. The method of claim 2, further comprising sending at least one of the first threat assessment score and the second threat assessment score to a threat assignment component.
  - 5. The method of claim 4, wherein when the second threat assessment score is between the first predetermined threshold and the second predetermined threshold, the method further comprises:
    - reviewing at least one of the generated first feature vector and the second feature vector, and at least one of the first threat assessment score and the second threat assessment score; and
      
      assigning a threat assignment to the at least one instance based on the review.
  - 6. The method of claim 5, further comprising:
    - sending the assigned threat assignment and the at least one generated feature vector to the model training component.
  - 7. The method of claim 6, further comprising retraining the plurality of threat assessment models in response to sending the threat assignment and the at least one generated feature vector to the model training component.
  - 8. The method of claim 1, wherein the threat assignment and at least one of the first threat assessment score and the second threat assessment score are sent to at least one of an endpoint device, a server, a published white-list, and a published black-list.

9. A non-transitory computer storage medium encoding computer executable instructions that, when executed by at least one processor, perform a method for detecting a threat of a computing system, the method comprising:
- receiving, by at least one computer, a plurality of instances of input data from at least one sensor;
  
  generating a first feature vector and a second feature vector based upon at least one instance of the plurality of instances of input data;
  
  sending the first feature vector and the second feature vector to a model training component of the at least one computer to train at least one threat assessment model of a plurality of threat assessment models;
  
  determining, based at least in part on a type of the input data, a first base model operable on the first feature vector and a second base model operable on the second feature vector, wherein the first base model accepts a different type of data than the second base model;
  
  generating a first threat assessment score for the first feature vector and the second feature vector using the determined first base model and the second base model;
  
  determining at least one intermediate model that receives one or more scores from the at least one of the first base model and the second base model, based at least in part on the type of the input data;
  
  generating, by a classifier of the at least one computer, a second threat assessment score using the at least one intermediate model based on the first threat assessment score;
  
  when the second threat assessment score is above a first predetermined threshold value or below a second predetermined threshold value, automatically assigning a threat assignment to the at least one instance based on the second threat assessment score; and
  
  disseminating the threat assignment and at least one of the first threat assessment score and the second threat assessment score, wherein the threat assignment is used to determine whether to employ a countermeasure.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The non-transitory computer storage medium of claim 9, wherein a positive threat assignment is assigned to the at least one instance of input data when the second threat assessment score is above the first predetermined threshold, and wherein a negative threat assignment is assigned to the at least one instance of input data when the second threat assessment score is below the second predetermined threshold.
  - 11. The non-transitory computer storage medium of claim 10, the method further comprising sending at least one of the first threat assessment score and the second threat assessment score to a threat assignment component.
  - 12. The non-transitory computer storage medium of claim 11, wherein when the second threat assessment score is between the first predetermined threshold and the second predetermined threshold, the method further comprises:
    - reviewing at least one of the generated first feature vector, the second feature vector, the input data, third party data, the first threat assessment score, and the second threat assessment score; and
      
      assigning a threat assignment to the at least one instance based on the review.
  - 13. The non-transitory computer storage medium of claim 12, the method further comprising:
    - sending the assigned threat assignment and at least one of the generated first feature vector and the second feature vector to the model training component.
  - 14. The non-transitory computer storage medium of claim 13, the method further comprising retraining the plurality of threat assessment models in response to sending the threat assignment and the at least one generated feature vector to the model training component.
  - 15. The non-transitory computer storage medium of claim 9, wherein determining the first threat assessment score for the first feature vector and the second feature vector further comprises:
    - calculating a probability that the at least one instance is a threat.
  - 16. The non-transitory computer storage medium of claim 9, wherein the threat assignment and at least one of the first threat assessment score and the second threat assessment score are sent to at least one of an endpoint device, a server, a published white-list, and a published black-list.
  - 17. The non-transitory computer storage medium of claim 12, wherein the at least one generated feature vector and at least one of the first threat assessment score and the second threat assessment score are reviewed by a third party source.

18. A system comprising:
- at least one processor; and
  
  memory encoding computer executable instructions that, when executed by the at least one processor, perform a method for detecting a threat of a computing system, the method comprising;
  
  receiving, by at least one computer, a plurality of instances of input data from at least one sensor;
  
  generating a first feature vector and a second feature vector based upon at least one instance of the plurality of instances of input data;
  
  determining whether the at least one instance of input data has a threat assignment;
  
  when the at least one instance of input data has a threat assignment, sending the threat assignment and at least one of the first feature vector and the second feature vector to a threat assignment dissemination component of the at least one computer; and
  
  when the at least one instance of input data does not have a threat assignment;
  
  sending the first feature vector and the second feature vector to a model training component of the at least one computer to train at least one threat assessment model of a plurality of threat assessment models;
  
  determining, based at least in part on a type of the input data, a first base model operable on the first feature vector and a second base model operable on the second feature vector, wherein the first base model accepts a different type of data than the second base model;
  
  generating a first threat assessment score for the first feature vector and the second feature vector using the determined first base model and the second base model;
  
  determining at least one intermediate model that receives one or more scores from at least one of the first base model and the second base model, based at least in part on the type of the input data;
  
  generating, by a classifier of the at least one computer, a second threat assessment score using the at least one intermediate model based on the first threat assessment score;
  
  automatically assigning a threat assignment to the at least one instance of input data based on the second threat assessment score; and
  
  disseminating the threat assignment and at least one of the first threat assessment score and the second threat assessment score, wherein the threat assignment is used to determine whether to employ a countermeasure.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, wherein when the second threat assessment score is between the first predetermined threshold and the second predetermined threshold, the method further comprises:
    - reviewing at least one of the first feature vector, the second feature vector, the input data, third party data, the first threat assessment score, and the second threat assessment score;
      
      assigning a threat assignment to the at least one instance based on the review; and
      
      sending the assigned threat assignment and the at least one generated feature vector to the model training component to retrain the plurality of threat assessment models.
  - 20. The system of claim 18, wherein the threat assignment is automatically assigned to the at least one instance of input data by determining whether the second threat assessment score is above a first predetermined threshold or below a second predetermined threshold value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Wells Fargo Bank National Association (Wells Fargo & Company)
Inventors
Schmidtler, Mauritius A. R., Dalal, Gaurav, Kovalev, Timur
Primary Examiner(s)
Feild, Lynn D
Assistant Examiner(s)
Lakhia, Viral S

Application Number

US14/340,297
Publication Number

US 20150033341A1
Time in Patent Office

1,748 Days
Field of Search

726 1, 726 21- 25, 709224, 713154, 713160
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06N 20/00   Machine learning

G06N 20/10   using kernel methods, e.g. ...

H04L 63/14   for detecting or protecting...

H04L 63/1425   Traffic logging, e.g. anoma...

System and method to detect threats to computer based devices and systems

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method to detect threats to computer based devices and systems

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links