System and method thereof for creating programmable security decision engines in a cyber-security system

US 9,967,279 B2
Filed: 05/19/2015
Issued: 05/08/2018
Est. Priority Date: 07/18/2014
Status: Active Grant

First Claim

Patent Images

1. A method for generating a security decision engine (SDE) operable in a cyber-security system comprising one or more computing devices coupled to a memory device to receive information about data flows in a network, comprising:

selecting, based on at least one input feature indicating an attribute of a behavior to be evaluated, at least one normalization function from an available plurality of normalization functions, wherein the at least one input feature defines an attribute of a data flow to be evaluated by the SDE, wherein the normalization function is a function applied to the input feature data to yield behavioral levels and generate respective degrees of membership;

in response to the selection of the input feature, prompting a user of the cyber-security system to program at least one engine rule to describe an anomaly that the SDE should monitor, evaluate, and detect anomalies, wherein the set of rules are programmed by selecting a logical operator and a value operator;

receiving at least one engine rule describing an anomaly to be evaluated, wherein each engine rule defines the at least one input feature and a set of logical conditions to be applied to behavioral levels of the at least one input feature;

in response to programming the at least one engine rule, creating an inference system including at least one inference unit that implements the normalization function and a process in which the behavioral level scores are projected into output functions, wherein each inference unit is determined based on one of the received at least one engine rule and to compute, a score of anomaly (SoA) based on the at least one input feature; and

executing the SDE after the inference system is created to compute (SoA) based on at least one input feature, wherein input features fed into the SDE are synchronized to detect and mitigate on-going attack campaign.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for adaptively securing a protected entity against cyber-threats. The method comprises: determining, based on at least one input feature, at least one normalization function, wherein the at least one input feature defines an attribute of a data flow to be evaluated by the SDE; receiving at least one engine rule describing an anomaly to be evaluated; and creating an inference system including at least one inference unit, wherein each inference unit is determined based on one of the received at least one engine rule, wherein the inference system computes a score of anomaly (SoA) respective of the at least one input feature.

48 Citations

View as Search Results

22 Claims

1. A method for generating a security decision engine (SDE) operable in a cyber-security system comprising one or more computing devices coupled to a memory device to receive information about data flows in a network, comprising:
- selecting, based on at least one input feature indicating an attribute of a behavior to be evaluated, at least one normalization function from an available plurality of normalization functions, wherein the at least one input feature defines an attribute of a data flow to be evaluated by the SDE, wherein the normalization function is a function applied to the input feature data to yield behavioral levels and generate respective degrees of membership;
  
  in response to the selection of the input feature, prompting a user of the cyber-security system to program at least one engine rule to describe an anomaly that the SDE should monitor, evaluate, and detect anomalies, wherein the set of rules are programmed by selecting a logical operator and a value operator;
  
  receiving at least one engine rule describing an anomaly to be evaluated, wherein each engine rule defines the at least one input feature and a set of logical conditions to be applied to behavioral levels of the at least one input feature;
  
  in response to programming the at least one engine rule, creating an inference system including at least one inference unit that implements the normalization function and a process in which the behavioral level scores are projected into output functions, wherein each inference unit is determined based on one of the received at least one engine rule and to compute, a score of anomaly (SoA) based on the at least one input feature; and
  
  executing the SDE after the inference system is created to compute (SoA) based on at least one input feature, wherein input features fed into the SDE are synchronized to detect and mitigate on-going attack campaign.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - determining at least one of;
      
      a synchronization function to synchronize between values of the at least one input feature, and a feature function to be applied on the values of the at least one input feature.
  - 3. The method of claim 2, further comprising:
    - applying the at least one normalization function to one of the at least one input feature to yield behavioral levels, wherein the score of anomaly is further computed based on the behavioral levels.
  - 4. The method of claim 3, wherein each of the at least one normalization function is defined using at least a plurality of edge values and at least one normalization function parameter, wherein the plurality of edge values determine a degree of membership of the received input feature'"'"'s value to a certain behavioral level, wherein further the normalization function parameter sets the characteristics of the selected normalization function.
  - 5. The method of claim 1, wherein each of the received at least one engine rule includes at least a logical operator and a value operator applied on the input feature.
  - 6. The method of claim 5, wherein receiving the at least one engine rule further comprises:
    - determining the at least one engine rule based on the received input feature and the at least one normalization function.
  - 7. The method of claim 1, wherein each inference unit outputs a degree of fulfillment index based on the at least one input feature.
  - 8. The method of claim 1, wherein the score of anomaly is computed by any one of:
    - aggregating the degree of fulfillment indexes, selecting a maximum or minimum degree of fulfillment based on logical operators of the at least one engine rule, and using a centroid method.
  - 9. The method of claim 1, wherein the at least one normalization function is determined based on at least one normalization parameter instruction.
  - 10. The method of claim 9, wherein each of the at least one input feature is associated with a finite set of normalization functions.
  - 11. The method of claim 10, wherein each determined normalization function is a default normalization function for one of the at least one input feature.
  - 12. The system of claim 11, wherein the system is further configured to:
    - determine the at least one engine rule based on the at least one input feature and the at least one normalization function.
  - 13. A non-transitory computer readable medium having stored thereon instructions for causing one or more processing units to execute the method according to claim 1.

14. A system for generating a security decision engine (SDE) operable in a cyber-security system to receive information about data flows in a network, comprising:
- a processing device; and
  
  a memory device, the memory device containing instructions that, when executed by the processing device, cause the system to;
  
  select, based on at least one input feature indicating an attribute of a behavior to be evaluated, at least one normalization function from an available plurality of normalization functions, wherein the at least one input feature defines an attribute of a data flow to be evaluated by the SDE, wherein the normalization function is a function applied to the input feature data to yield behavioral levels and generate respective degrees of membership;
  
  in response to the selection of the input feature, prompting a user of the cyber-security system to program at least one engine rule to describe an anomaly that the SDE should monitor, evaluate, and detect anomalies, wherein the set of rules are programmed by selecting a logical operator and a value operator;
  
  receive at least one engine rule describing an anomaly to be evaluated, wherein each engine rule defines the at least one input feature and a set of logical conditions to be applied to behavioral levels of the at least one input feature;
  
  in response to programming the at least one engine rule, create an inference system including at least one inference unit that implements the normalization function and a process in which the behavioral level scores are projected into output functions, wherein each inference unit is determined based on one of the received at least one engine rule and to compute, a score of anomaly (SoA) based on the at least one input feature; and
  
  executing the SDE after the inference system is created to compute (SoA) based on at least one input feature, wherein input features fed into the SDE are synchronized to detect and mitigate on-going attack campaign.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The system of claim 14, wherein the memory is further configured to contain a plurality of normalization functions.
  - 16. The system of claim 14, wherein the system is further configured to:
    - determine at least one of;
      
      a synchronization function to synchronized between values of the least one at least one input feature, and a feature function to be applied on the values of the at least one input feature.
  - 17. The system of claim 14, wherein the system is further configured to:
    - apply the at least one normalization function to one of the at least one input feature to yield behavioral levels, wherein the score of anomaly is further computed based on the behavioral levels.
  - 18. The system of claim 17, wherein each of the at least one normalization function is defined using at least a plurality of edge values and at least one normalization function parameter, wherein the plurality of edge values determine a degree of membership of the received input feature'"'"'s value to a certain behavioral level, wherein further the normalization function parameter sets the characteristics of the selected normalization function.
  - 19. The system of claim 14, wherein each of the received at least one engine rule includes at least a logical operator and a value operator applied on the input feature.
  - 20. The system of claim 14, wherein each inference unit outputs a degree of fulfillment index based on the at least one input feature.
  - 21. The system of claim 14, wherein the score of anomaly is computed by any one of:
    - aggregating the degree of fulfillment indexes, selecting a maximum degree of fulfillment, and using a centroid method.
  - 22. The system of claim 14, wherein each of the at least one input feature is associated with a finite set of normalization, wherein each determined normalization function is a default normalization function for one of the at least one input feature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cybereason, Inc.
Original Assignee
empow Cyber Security Ltd.
Inventors
Chesla, Avi, Medalion, Shlomi
Primary Examiner(s)
Gracia, Gary S

Application Number

US14/716,359
Publication Number

US 20160021135A1
Time in Patent Office

1,085 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

H04L 63/02   for separating internal fro...

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/1483   service impersonation, e.g....

H04L 63/20   for managing network securi...

System and method thereof for creating programmable security decision engines in a cyber-security system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

48 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

System and method thereof for creating programmable security decision engines in a cyber-security system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links