Vectra Ai, Inc.

United States of America

1-39 of 39 for Vectra Ai, Inc.

1.

METHOD, PRODUCT, AND SYSTEM FOR AUTOMATICALLY ISOLATING MALICIOUS SECURITY ALERTS FROM BENIGN ALERTS USING AN ENSEMBLE MODEL OF PATTERN RECOGNITION TECHNIQUES

      
Application Number 18525672
Status Pending
Filing Date 2023-11-30
First Publication Date 2024-06-13
Owner Vectra AI, Inc. (USA)
Inventor
  • Chen, Hsin
  • Mhatre, Himanshu
  • Javed, Irina
  • Hannah, Daniel Carlton

Abstract

Disclosed is an improved approach for managing security alerts to automatically isolate malicious security alerts from benign alerts using an ensemble model of pattern recognition techniques. In some embodiments, the approach provides for automatically isolating security alerts of malicious attack from security alerts that correspond to undesirable, yet benign, activity in computer networks, cloud infrastructures and SAAS applications. Specifically, the approach provides for qualitative contextual assessments of these alerts using an ensemble of models. These ensemble models leverage a history of security events on a computer network, cloud infrastructure and SAAS applications to determine a level of relevance for received alerts and determine, based on that level of relevance, how or if they should be presented to an administrator.

2.

METHOD, PRODUCT, AND SYSTEM FOR TRANSLATING ENTITY PRIORITIZATION RULES TO A CONTINUOUS NUMERICAL SPACE

      
Application Number US2023083447
Publication Number 2024/124250
Status In Force
Filing Date 2023-12-11
Publication Date 2024-06-13
Owner VECTRA AI, INC. (USA)
Inventor
  • Hannah, Daniel Carlton
  • Mhatre, Himanshu
  • Kazerounian, Sohrob
  • Wade, Timothy John
  • Lynn, Karl
  • Malone, Stephen

Abstract

Disclosed is an improved approach for translating entity prioritization rules to a continuous numerical space. In some embodiments, the approach provided is a system for using qualitative prioritization criteria to train a system that generates quantitative urgency scores for entities. In some embodiments, this comprises an embedding scheme that enables the translation of entity information and their related alerts to a set of qualitative labels based on at least quantitative information. Generally, the system includes a set of analyst actions that establish desired mappings which are used to train a more general model that maps entity embeddings to responses. In some embodiments, the approach comprises one or more models that receive an entity embedding as an input and outputs a score that characterizes the urgency of the response warranted for that entity. In some embodiments, this is performed using various features (e.g., importance, actor type, velocity, and breadth).

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 41/0604 - Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
  • G06N 5/00 - Computing arrangements using knowledge-based models

3.

METHOD, PRODUCT, AND SYSTEM FOR TRANSLATING ENTITY PRIORITIZATION RULES TO A CONTINUOUS NUMERICAL SPACE

      
Application Number 18525702
Status Pending
Filing Date 2023-11-30
First Publication Date 2024-06-13
Owner Vectra AI, Inc. (USA)
Inventor
  • Hannah, Daniel Carlton
  • Mhatre, Himanshu
  • Kazerounian, Sohrob
  • Wade, Timothy John
  • Lynn, Karl
  • Malone, Stephen

Abstract

Disclosed is an improved approach for translating entity prioritization rules to a continuous numerical space. In some embodiments, the approach provided is a system for using qualitative prioritization criteria to train a system that generates quantitative urgency scores for entities. In some embodiments, this comprises an embedding scheme that enables the translation of entity information and their related alerts to a set of qualitative labels based on at least quantitative information. Generally, the system includes a set of analyst actions that establish desired mappings which are used to train a more general model that maps entity embeddings to responses. In some embodiments, the approach comprises one or more models that receive an entity embedding as an input and outputs a score that characterizes the urgency of the response warranted for that entity. In some embodiments, this is performed using various features (e.g., importance, actor type, velocity, and breadth).

4.

METHOD, PRODUCT, AND SYSTEM FOR AUTOMATICALLY ISOLATING MALICIOUS SECURITY ALERTS FROM BENIGN ALERTS USING AN ENSEMBLE MODEL OF PATTERN RECOGNITION TECHNIQUES

      
Application Number US2023083443
Publication Number 2024/124248
Status In Force
Filing Date 2023-12-11
Publication Date 2024-06-13
Owner VECTRA AI, INC. (USA)
Inventor
  • Chen, Hsin
  • Mhatre, Himanshu
  • Javed, Irina
  • Hannah, Daniel Carlton

Abstract

Disclosed is an improved approach for managing security alerts to automatically isolate malicious security alerts from benign alerts using an ensemble model of pattern recognition techniques. In some embodiments, the approach provides for automatically isolating security alerts of malicious attack from security alerts that correspond to undesirable, yet benign, activity in computer networks, cloud infrastructures and SAAS applications. Specifically, the approach provides for qualitative contextual assessments of these alerts using an ensemble of models. These ensemble models leverage a history of security events on a computer network, cloud infrastructure and SAAS applications to determine a level of relevance for received alerts and determine, based on that level of relevance, how or if they should be presented to an administrator.

5.

METHOD, PRODUCT, AND SYSTEM FOR GENERATING A SOFTWARE REPRESENTATION THAT EMBODIES NETWORK CONFIGURATION AND POLICY DATA OF A COMPUTER NETWORK FOR USE IN SECURITY MANAGEMENT

      
Application Number 17711850
Status Pending
Filing Date 2022-04-01
First Publication Date 2023-10-05
Owner Vectra AI, Inc. (USA)
Inventor
  • Beauchesne, Nicolas
  • Kazerounian, Sohrob
  • Finlayson, Iv, William Stow
  • Lynn, Karl Matthew

Abstract

Disclosed is an approach for generating a software representation that embodies network configuration and policy data of a computer network for use in security management. The software representation comprises a state machine where different states can be reached using respective transitions or properties which are possible as determined based on the network configuration and network policy data. The states correspond to respective entities on the network which may comprise resources that are identifiable for protection. The software representation can then be stimulated with various inputs to identify sequences of state-to-state transitions which may in turn be processed to generate corresponding detection signatures for use in monitoring the network.

6.

Method, product, and system for generating detection signatures based on attack paths in a computer network identified using a software representation that embodies network configuration and policy data for security management using detection signature templates

      
Application Number 17711903
Grant Number 12219070
Status In Force
Filing Date 2022-04-01
First Publication Date 2023-10-05
Grant Date 2025-02-04
Owner Vectra AI, Inc. (USA)
Inventor
  • Beauchesne, Nicolas
  • Kazerounian, Sohrob
  • Finlayson, Iv, William Stow
  • Lynn, Karl Matthew

Abstract

Disclosed is an approach for generating detection signatures based on analysis of a software representation of what is possible in a computer network based on network configuration data and network policy data. In some embodiments, the process includes maintaining a plurality of detection signature templates, generation of detection signatures (detection signature instances) using respective detection signature templates that are selected based on the analysis of the software representation. In some embodiments, detection signatures templates are of different type and may be deployed at different locations based on their respective type(s), such as at source, destination.

IPC Classes

  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 47/70 - Admission control; Resource allocation
  • H04L 47/762 - Admission control; Resource allocation using dynamic resource allocation, e.g. in-call renegotiation requested by the user or requested by the network in response to changing network conditions triggered by the network

7.

METHOD, PRODUCT, AND SYSTEM FOR SOLVING ARBITRARY CONSTRAINT SATISFACTION PROBLEMS

      
Application Number 18108383
Status Pending
Filing Date 2023-02-10
First Publication Date 2023-10-05
Owner Vectra AI, Inc. (USA)
Inventor
  • Beauchesne, Nicolas
  • Kazerounian, Sohrob
  • Finlayson, Iv, William Stow
  • Lynn, Karl Matthew

Abstract

Disclosed is an approach for solving arbitrary constraint satisfaction problems. In some embodiments, the approach includes a process to generate a software representation of what is possible based on a system corresponding to the constraint satisfaction problem. The software representation comprises a state machine where different states can be reached using respective transitions or properties which are possible as determined based on a current state of the system and parameters thereof whether global or otherwise.

8.

METHOD, PRODUCT, AND SYSTEM FOR NETWORK SECURITY MANAGEMENT USING A REASONING AND INFERENCE ENGINE

      
Application Number 18128549
Status Pending
Filing Date 2023-03-30
First Publication Date 2023-10-05
Owner Vectra AI, Inc. (USA)
Inventor
  • Beauchesne, Nicolas
  • Kazerounian, Sohrob
  • Finlayson, Iv, William Stow
  • Lynn, Karl Matthew

Abstract

Disclosed herein is an approach that includes providing a system for managing and expanding knowledge in a knowledge base. In some embodiments, the system comprises an expert system which performs a number of functions including data ingestion, application of a data retention policy, monitoring of a network system including deployments of detection signatures on the network system, response and alert management, posturing, and relevant automation. In some embodiments, the expert system interconnects with a war gaming engine to identify attack vectors to protected resources. In some embodiments, a collection of functions or modules is provided in place of the expert system—e.g., traditional programing techniques are used to provide functions or modules to perform similar processes using one or more function calls between the provided functions or modules.

9.

Method, product, and system for network security management using software representation that embodies network configuration and policy data

      
Application Number 17711811
Grant Number 12328322
Status In Force
Filing Date 2022-04-01
First Publication Date 2023-10-05
Grant Date 2025-06-10
Owner Vectra AI, Inc. (USA)
Inventor
  • Beauchesne, Nicolas
  • Kazerounian, Sohrob
  • Finlayson, Iv, William Stow
  • Lynn, Karl Matthew

Abstract

Disclosed is an approach for network security management using software representation that embodies network configuration and policy data. In some embodiments, the approach includes a process to generate a software representation of what is possible based on a network configuration and policy data. The software representation comprises a state machine where different states can be reached using respective transitions or properties which are possible as determined based on the network configuration and policy data. The states correspond to respective entities on the network which may comprise resources that are identifiable for protection. The software representation can then be stimulated to identify sequences of state-to-state transitions which may in turn be processed to generate corresponding detection signatures for use in monitoring the network.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 9/40 - Network security protocols

10.

Method, product, and system for analyzing a computer network to identify attack paths using a software representation that embodies network configuration and policy data for security management

      
Application Number 17711868
Grant Number 12212585
Status In Force
Filing Date 2022-04-01
First Publication Date 2023-10-05
Grant Date 2025-01-28
Owner Vectra AI, Inc. (USA)
Inventor
  • Beauchesne, Nicolas
  • Kazerounian, Sohrob
  • Finlayson, Iv, William Stow
  • Lynn, Karl Matthew

Abstract

Disclosed is an approach for analyzing a computer network to identify attack paths using a software representation that embodies network configuration and policy data for security management. The software representation comprises a state machine where different states can be reached using respective transitions or properties which are possible as determined based on the network configuration and network policy data. The states correspond to respective entities on the network which may comprise resources that are identifiable for protection in the software representation using crash statements. The software representation can then be stimulated using software analysis tools such as fuzzers to identify sequences of state-to-state transitions that could be used to compromise a protected resource on the computer network.

11.

METHOD, PRODUCT, AND SYSTEM FOR ANALYZING ATTACK PATHS IN COMPUTER NETWORK GENERATED USING A SOFTWARE REPRESENTATION THAT EMBODIES NETWORK CONFIGURATION AND POLICY DATA FOR SECURITY MANAGEMENT

      
Application Number 17711884
Status Pending
Filing Date 2022-04-01
First Publication Date 2023-10-05
Owner Vectra AI, Inc. (USA)
Inventor
  • Beauchesne, Nicolas
  • Kazerounian, Sohrob
  • Finlayson, Iv, William Stow
  • Lynn, Karl Matthew

Abstract

Disclosed is an approach for analyzing attack paths in computer network generated using a software representation that embodies network configuration and policy data for security management. In some embodiments, the approach includes a process to analyze attack paths in a computer network to determine which attack paths might be most productively covered using a corresponding detection signature. In some embodiments, the attack paths are identified using a software representation that embodies network configuration and policy data. The software representation comprises a state machine where different states can be reached using respective transitions or properties. The states correspond to respective entities on the network which may comprise resources that are identifiable for protection in the software representation using crash statements. The software representation can then be stimulated using software analysis tools such to identify sequences of state-to-state transitions that could be used to compromise a protected resource on the computer network.

12.

ATTACK SIGNAL INTELLIGENCE

      
Application Number 1731430
Status Registered
Filing Date 2023-04-07
Registration Date 2023-04-07
Owner VECTRA AI, INC. (USA)
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computer services for automating the real-time detection, mitigation, prioritization and/or prediction of cyber threats and strikes; computer services for the development, implementation and delivery of artificial intelligence, machine learning and deep learning for use in controlling automated hunting, triaging and correlating of cyber-security threats within network packets, system log data, application log data, authentication log data, host data and customer supplied data; providing software as a service for cyber-security, detecting, mitigating, prioritizing and/or predicting advanced on-premise, cloud and/or hybrid network threats and strikes using artificial intelligence, machine learning and/or deep learning; computer services for the development of artificial intelligence and machine learning computer systems, including deep learning for continuous data collection, acquisition, compilation, correlation, retrieval, analysis and classification of data from on-premise, cloud and/or hybrid network traffic, on-premise, cloud and/or hybrid network communication, on-premise, cloud and/or hybrid network flow data, and on-premise, cloud and/or hybrid network intercommunication; providing computer services, namely, developing customized artificial intelligence services for continuous monitoring, identifying, verifying, analyzing, correlating, comparing, classifying, sorting and scoring of data collection, acquisition from on-premise, cloud and/or hybrid network traffic, on-premise, cloud and/or hybrid network communication, on-premise, cloud and/or hybrid network flow data, and on-premise, cloud and/or hybrid network intercommunication, acquisition and compilation of data into specific areas, event triage, threat analysis threat correlation and system and application logs created and identified by artificial intelligence, machine learning and/or deep learning; computer services for others, namely, development of Natural Language Processing (NLP), Computational Linguistics (CL), Information Retrieval (IR) and Machine Learning (ML) computer systems which are capable of understanding general human queries and formulating responses; computer systems analysis; integration of computer systems and on-premise, cloud and/or hybrid networks; computer services, namely, computer system administration for systems used in commercial interactions over global computer on-premise, cloud and/or hybrid networks; scientific and industrial research, namely, research and development of new cybersecurity products or threat intelligence systems; Technical research in the field of computers that integrate Natural Language Processing (NLP), Computational Linguistics (CL), Information Retrieval (IR) and Machine Learning (ML) which is capable of understanding general human queries and formulating responses, and scientific research for cyber-security purposes; computer consultation services for threat detection and response; computer consulting services in the field of security operations; all of the above relating specifically to analytical computing technologies that provide multi-modal natural language processing, generation, reasoning and machine learning for contextual cyber-security threat analysis and response, and natural interaction.

13.

ATTACK SIGNAL INTELLIGENCE

      
Serial Number 97641318
Status Registered
Filing Date 2022-10-20
Registration Date 2024-09-17
Owner VECTRA AI, INC. ()
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computer services for automating the real-time detection, mitigation, prioritization and prediction of cyber threats and strikes, namely, software as a service (SAAS) services featuring software for automating the real-time detection, mitigation, prioritization and prediction of cyber threats and strikes; development and implementation of software in the field of artificial intelligence, machine learning and deep learning for use in controlling automated hunting, triaging and correlating of cyber-security threats within network packets, system log data, application log data, authentication log data, host data and customer supplied data; providing software as a service (SAAS) services featuring software for cyber-security in the nature of detecting, mitigating, prioritizing and predicting advanced on-premise, cloud and hybrid network threats and strikes using artificial intelligence, machine learning and deep learning; computer services for the development of artificial intelligence and machine learning computer software systems using deep learning for the purpose of continuous data collection, acquisition, compilation, correlation, retrieval, analysis and classification of data from on-premise, cloud and hybrid network traffic, on-premise, cloud and hybrid network communication, on-premise, cloud and hybrid network flow data, and on-premise, cloud and hybrid network intercommunication, namely, development of computer software systems; computer services for others in the nature of development of Natural Language Processing (NLP), Computational Linguistics (CL), Information Retrieval (IR) and Machine Learning (ML) computer systems which are capable of understanding general human queries and formulating responses, namely, development of computer software systems to provide real-time detection, mitigation, prioritization and prediction of cyber threats and strikes to benefit others; computer systems analysis; integration of computer systems and on-premise, cloud and hybrid networks, namely, integration of computer systems and networks to provide real-time detection, mitigation, prioritization and prediction of cyber threats and strikes to benefit others; Computer services, namely, computer system administration for others for systems used in commercial interactions over global computer on-premise, cloud and hybrid networks; scientific and industrial research, namely, research and development of new cybersecurity products and threat intelligence computer software systems; technological research in the field of computers that integrate Natural Language Processing (NLP), Computational Linguistics (CL), Information Retrieval (IR) and Machine Learning (ML) for the purpose of understanding general human queries and formulating responses, and scientific research for cyber-security purposes; computer consultation services for threat detection and response, namely, computer network security consultancy to provide real-time detection, mitigation, prioritization and prediction of cyber threats and strikes to benefit others; Computer consulting services in the field of security operations, namely, computer network security consultancy to provide real-time detection, mitigation, prioritization and prediction of cyber threats and strikes to benefit others; all of the above relating specifically to analytical computing technologies that provide multi-modal natural language processing, generation, reasoning and machine learning for contextual cybersecurity threat analysis and response, and natural interaction

14.

Method and system for detecting malicious payloads

      
Application Number 17103882
Grant Number 11973768
Status In Force
Filing Date 2020-11-24
First Publication Date 2021-04-08
Grant Date 2024-04-30
Owner Vectra AI, Inc. (USA)
Inventor
  • Beauchesne, Nicolas
  • Mancini, John Steven

Abstract

Disclosed is an improved method, system, and computer program product for identifying malicious payloads. The disclosed approach identifies potentially malicious payload exchanges which may be associated with payload injection or root-kit magic key usage.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06N 5/022 - Knowledge engineering; Knowledge acquisition
  • H04L 9/40 - Network security protocols
  • H04W 12/12 - Detection or prevention of fraud
  • G06N 20/00 - Machine learning

15.

Method, product, and system for detecting malicious network activity using a graph mixture density neural network

      
Application Number 16948574
Grant Number 11880764
Status In Force
Filing Date 2020-09-23
First Publication Date 2021-03-25
Grant Date 2024-01-23
Owner Vectra AI, Inc. (USA)
Inventor
  • Kazerounian, Sohrob
  • Hannah, Daniel Carlton
  • Oikarinen, Tuomas P.

Abstract

Disclosed is an approach for detecting malicious network activity (e.g. based on a data hoarding activity identified using a graph mixture density neural network (GraphMDN)). Generally, the approach includes generating embeddings using a graph convolution process and then processing the embeddings using a mixture density neural network. The approach may include collecting network activity data, generating a graph representing the network activity, or an aggregation thereof that maintains the inherent graphical nature and characteristics of the data, and training a GraphMDN in order to generate pluralities of distributions characterizing one or more aspects of the graph representing the network activity. The approach may also include capturing new network activity data, and evaluating that data using the distributions generated by the trained GraphMDN, and generating corresponding detection results.

IPC Classes

  • G06N 3/08 - Learning methods
  • H04L 9/40 - Network security protocols
  • G06F 18/2134 - Feature extraction, e.g. by transforming the feature space; Summarisation; Mappings, e.g. subspace methods based on separation criteria, e.g. independent component analysis
  • G06N 3/045 - Combinations of networks

16.

Method, product, and system for maintaining an ensemble of hierarchical machine learning models for detection of security risks and breaches in a network

      
Application Number 16861121
Grant Number 11595416
Status In Force
Filing Date 2020-04-28
First Publication Date 2020-11-26
Grant Date 2023-02-28
Owner Vectra AI, Inc. (USA)
Inventor
  • Chen, Hsin
  • Beauchesne, Nicolas
  • Mhatre, Himanshu
  • Mancini, John Steven

Abstract

Disclosed is an improved approach for identifying security risks and breaches in a network by applying machine learning methods that learn resource access patterns in the network. Specifically, by observing the access pattern of the network entities (e.g. accounts, services, and hosts) from authorization requests/responses, the model through unsupervised learning, organizes the entity relationships into an ensemble of hierarchical models. The ensemble of hierarchical models can then be leveraged to create a series of metrics that can be used to identify various types of abnormalities in the access of a resource on the network. For instance, by further classifying the access request for a resource using abnormality scores into detection scenarios, the model is able to detect both an abnormality and the type of abnormality and include such information in a corresponding alarm when a security breach happens.

17.

Privileged account breach detections based on behavioral access patterns

      
Application Number 16384807
Grant Number 11330005
Status In Force
Filing Date 2019-04-15
First Publication Date 2020-10-15
Grant Date 2022-05-10
Owner Vectra AI, Inc. (USA)
Inventor
  • Beauchesne, Nicolas
  • Mhatre, Himanshu
  • Hannah, Daniel Carlton

Abstract

Disclosed is an improved approach for detecting potentially malicious activity on a network. The present improved approach generates a multi-dimensional activity model based on captured network activity. Additional network activity is captured, and relative activity values are determined therefor. Determination of whether the additional network activity corresponds to potentially malicious activity is obtained by fitting the relative activity values of the additional network activity to the multi-dimensional relative activity model.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

18.

SECURITY THAT THINKS

      
Application Number 1502269
Status Registered
Filing Date 2019-10-17
Registration Date 2019-10-17
Owner VECTRA AI, INC. (USA)
NICE Classes
  • 09 - Scientific and electric apparatus and instruments
  • 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computer security systems, namely, a hardware/software platform that combines learning, automated analysis and prioritized reporting to detect unauthorized access or attacks on computer systems and networks; computer systems, namely, a hardware/software platform for network security, network analytics and business intelligence analytics; and software for use in monitoring and maintaining the safety and data integrity of a computer network or a computer system. Development and implementation of computer security systems, namely, a hardware/software platform that combines learning, automated analysis and prioritized reporting to detect unauthorized access or attacks on computer systems and networks; development and implementation of computer systems, namely, a hardware/software platform for network security, network analytics and business intelligence analytics; and development and implementation of software for use in monitoring and maintaining the safety and data integrity of a computer network or a computer system.

19.

VECTRA

      
Application Number 1502267
Status Registered
Filing Date 2019-10-17
Registration Date 2019-10-17
Owner VECTRA AI, INC. (USA)
NICE Classes
  • 09 - Scientific and electric apparatus and instruments
  • 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computer hardware and computer software platforms for network security, network analytics and business intelligence analytics. Development of computer hardware and software platforms for network security, network analytics and business intelligence analytics; Providing on-line non-downloadable software platforms for network security, network analytics and business intelligence analytics.

20.

High-volume network threat trace engine

      
Application Number 15438489
Grant Number 10404730
Status In Force
Filing Date 2017-02-21
First Publication Date 2019-09-03
Grant Date 2019-09-03
Owner VECTRA AI, INC. (USA)
Inventor Venable, Sr., Jeffrey Charles

Abstract

An approach for high-volume network threat tracing and detection may be implemented by storing network communications received from a plurality of hosts in an initial recording data structure, such as a rolling buffer. Identifiers may be generated for the plurality of hosts associated with the network communications according to host identity or the behavior of a given host. Extended trace time values may be assigned to a portion of the plurality of hosts based at least in part on the identifiers, and storing the portion of the network communications that have extended trace time values may be recorded as packet capture files in long term memory.

IPC Classes

  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems

21.

Malicious relay and jump-system detection using behavioral indicators of actors

      
Application Number 16164727
Grant Number 11184369
Status In Force
Filing Date 2018-10-18
First Publication Date 2019-05-16
Grant Date 2021-11-23
Owner VECTRA AI, INC. (USA)
Inventor
  • Mhatre, Himanshu
  • Beauchesne, Nicolas

Abstract

Disclosed is an improved method, system, and computer program product for detecting hosts and connections between hosts that are being used as relays by an actor to gain control of hosts in a network. It can further identify periods of time within the connection when the relay activities occurred. In some embodiments, the invention can also chain successive relays to identify the true source and true target of the relay.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

22.

Method and system for learning representations of network flow traffic

      
Application Number 15881760
Grant Number 10880321
Status In Force
Filing Date 2018-01-27
First Publication Date 2018-08-02
Grant Date 2020-12-29
Owner Vectra AI, Inc. (USA)
Inventor
  • Silver, Matthew R.
  • Kazerounian, Sohrob

Abstract

Disclosed is an improved method, system, and computer program product for learning representations or embeddings of network flow traffic. The disclosed invention operates on network flow data which are then used as inputs to a deep-learning architecture that learns to embed the data into a vector space.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06N 5/02 - Knowledge representation; Symbolic representation
  • G06N 3/08 - Learning methods
  • H04L 12/26 - Monitoring arrangements; Testing arrangements
  • G06N 3/04 - Architecture, e.g. interconnection topology
  • H04L 12/24 - Arrangements for maintenance or administration

23.

Method and system for detecting suspicious administrative activity

      
Application Number 15702454
Grant Number 10623428
Status In Force
Filing Date 2017-09-12
First Publication Date 2018-03-15
Grant Date 2020-04-14
Owner VECTRA AI, INC. (USA)
Inventor
  • Beauchesne, Nicolas
  • Ni, Kevin Song-Kai

Abstract

Disclosed is an improved approach for identifying suspicious administrative host activity within a network. Network traffic is examined to learn the behavior of hosts within a network. This provides an effective way of determining whether or not a host is performing suspicious activity over an administrative protocol.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06N 20/00 - Machine learning

24.

System for implementing threat detection using threat and risk assessment of asset-actor interactions

      
Application Number 14930368
Grant Number 10050985
Status In Force
Filing Date 2015-11-02
First Publication Date 2016-06-30
Grant Date 2018-08-14
Owner VECTRA AI, INC. (USA)
Inventor
  • Mhatre, Himanshu
  • Pegna, David Lopes
  • Brdiczka, Oliver

Abstract

Disclosed is an approach to detect insider threats, by tracking unusual access activity for a specific user or computer with regard to accessing key assets over time. In this way, malicious activity and the different preparation phases of attacks can be identified.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 12/14 - Protection against unauthorised use of memory
  • G06F 11/00 - Error detection; Error correction; Monitoring
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules

25.

System for implementing threat detection using daily network traffic community outliers

      
Application Number 14930583
Grant Number 10033752
Status In Force
Filing Date 2015-11-02
First Publication Date 2016-06-30
Grant Date 2018-07-24
Owner VECTRA AI, INC. (USA)
Inventor
  • Pegna, David Lopes
  • Mhatre, Himanshu
  • Brdiczka, Oliver

Abstract

A method and system for identifying insider threats within an organization is provided. The approach constructs an internal connectivity graph to identify communities of hosts/users, and checks for abnormal behavior relative to past behaviors.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures

26.

System for detecting threats using scenario-based tracking of internal and external network traffic

      
Application Number 14930618
Grant Number 09900336
Status In Force
Filing Date 2015-11-02
First Publication Date 2016-06-30
Grant Date 2018-02-20
Owner VECTRA AI, INC. (USA)
Inventor
  • Beauchesne, Nicolas
  • Pegna, David Lopes

Abstract

Disclosed is an improved approach to implement a system and method for detecting insider threats, where models are constructed that are capable of defining what constitutes the normal behavior for any given host and quickly finding anomalous behaviors that could constitute a potential threat to an organization. The disclosed approach provides a way to identify abnormal data transfers within and external to an organization without the need for individual monitoring software on each host, by leveraging metadata that describe the data exchange patterns observed in the network.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures

27.

Method and system for detecting threats using metadata vectors

      
Application Number 14944138
Grant Number 09853988
Status In Force
Filing Date 2015-11-17
First Publication Date 2016-06-30
Grant Date 2017-12-26
Owner VECTRA AI, INC. (USA)
Inventor
  • Beauchesne, Nicolas
  • Pegna, David Lopes
  • Lynn, Karl

Abstract

An approach for detecting network attacks using metadata vectors may initially involve receiving network communications or packets and extracting metadata items from the packets. The metadata items describe the communications without requiring deep content inspection of the data payload or contents. The communications may be clustered into groups using the metadata items. If a cluster exceeds a threshold, an alarm may be generated.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 17/30 - Information retrieval; Database structures therefor
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures

28.

Method and system for detecting threats using passive cluster mapping

      
Application Number 14944128
Grant Number 09985979
Status In Force
Filing Date 2015-11-17
First Publication Date 2016-05-26
Grant Date 2018-05-29
Owner VECTRA AI, INC. (USA)
Inventor
  • Pegna, David Lopes
  • Beauchesne, Nicolas

Abstract

An approach for detecting network threats is disclosed that may involve receiving network traffic, plotting the network traffic in an n-dimensional feature space to form a network map, generating a client signature at least by placing new client points in the map, setting a threshold, and generating an alarm if one or more client activity points exceed the threshold. In some embodiments, the network map and the client signature are updated using sliding windows and distance calculations.

IPC Classes

  • G06F 11/00 - Error detection; Error correction; Monitoring
  • G06F 12/14 - Protection against unauthorised use of memory
  • G06F 12/16 - Protection against loss of memory contents
  • G08B 23/00 - Alarms responsive to unspecified undesired or abnormal conditions
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures

29.

Method and system for generating durable host identifiers using network artifacts

      
Application Number 14644187
Grant Number 09847968
Status In Force
Filing Date 2015-03-10
First Publication Date 2015-10-29
Grant Date 2017-12-19
Owner VECTRA AI, INC. (USA)
Inventor
  • Beauchesne, Nicolas
  • Gill, Monty Sher
  • Tavakoli, Oliver Kourosh

Abstract

A host identification engine receives network traffic from a network and uses one or more artifact extractors to extract artifact data items that can identify a host. The artifact data items can be stored in a host signature database. Network addresses to which the hosts correspond can be stored in a network address database. A mapping table can be implemented to match the data in the signature database and network database to generate durable host identification data that can accurately track hosts as they use different identification data and/or move between hosts.

IPC Classes

  • G06F 15/173 - Interprocessor communication using an interconnection network, e.g. matrix, shuffle, pyramid, star or snowflake
  • H04L 29/12 - Arrangements, apparatus, circuits or systems, not covered by a single one of groups characterised by the data terminal
  • H04L 12/891 - Flow control of aggregated links or flows
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

30.

System and method for detecting network intrusions using layered host scoring

      
Application Number 14644166
Grant Number 09565208
Status In Force
Filing Date 2015-03-10
First Publication Date 2015-09-17
Grant Date 2017-02-07
Owner VECTRA AI, INC. (USA)
Inventor
  • Ibatullin, Oskar
  • Prenger, Ryan James
  • Beauchesne, Nicolas
  • Lynn, Karl Matthew
  • Tavakoli, Oliver Kourosh

Abstract

Approaches for detecting network intrusions, such as malware infection, Trojans, worms, or bot net mining activities include: identifying one or more threat detections in session datasets, the session datasets corresponding to network traffic from a plurality of hosts; determining a layered detection score, the layered detection score corresponding to a certainty score and threat score; determining a layered host score, the layered host score corresponding to a certainty score and threat score; and generating alarm data comprising the layered detection score and the layered host score. In some embodiments, the network traffic may be received passively through a network switch; for example, by “tapping” the switch. Other additional objects, features, and advantages of the invention are described in the detailed description, figures and claims.

IPC Classes

  • G06F 12/14 - Protection against unauthorised use of memory
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

31.

Detecting network reconnaissance by tracking intranet dark-net communications

      
Application Number 14644182
Grant Number 09602533
Status In Force
Filing Date 2015-03-10
First Publication Date 2015-09-17
Grant Date 2017-03-21
Owner VECTRA AI, INC. (USA)
Inventor
  • Beauchesne, Nicolas
  • Yoon, Sungwook

Abstract

A method and system for detecting network reconnaissance is disclosed wherein network traffic can be parsed into unidirectional flows that correspond to sessions. A learning module may categorize computing entities inside the network into assets and generate asset data to monitor the computing entities. If one or more computing entities address a flow to an address of a host that no longer exists, ghost asset data may be recorded and updated in the asset data. When a computing entity inside the network contacts an object in the dark-net, the computing entity may be recorded as a potential mapper. When the computing entity tries to contact a number of objects in the dark-net, such that a computed threshold is exceeded, the computing entity is identified as a malicious entity performing network reconnaissance.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure

32.

Method and system for detecting algorithm-generated domains

      
Application Number 14644194
Grant Number 09807110
Status In Force
Filing Date 2015-03-10
First Publication Date 2015-09-17
Grant Date 2017-10-31
Owner VECTRA AI, INC. (USA)
Inventor
  • Harlacher, James Patrick
  • Sood, Aditya
  • Ibatullin, Oskar

Abstract

A method and system for detecting algorithm-generated domains (AGDs) is disclosed wherein domain names requested by an internal host are categorized or classified using curated data sets, active services (e.g. Internet services), and certainty scores to match domain names to domain names or IP addresses used by command and control servers.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

33.

Method and system for detecting bot behavior

      
Application Number 14644125
Grant Number 09930053
Status In Force
Filing Date 2015-03-10
First Publication Date 2015-09-17
Grant Date 2018-03-27
Owner VECTRA AI, INC. (USA)
Inventor Beauchesne, Nicolas

Abstract

A bot detection engine to determine whether hosts in an organization's network are performing bot-related activities is disclosed. A bot detection engine can receive network traffic between hosts in a network, and/or between hosts across several networks. The bot engine may parse the network traffic into session datasets and discard the session datasets that were not initiated by hosts in a given network. The session datasets may be analyzed and state data may be accumulated. The state data may correspond to actions performed by the hosts, such as requesting a website or clicking ads, or requesting content within the website (e.g. clicking on an image which forms an HTTP request/response transaction for the image file).

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

34.

Method and system for detecting external control of compromised hosts

      
Application Number 14644177
Grant Number 09407647
Status In Force
Filing Date 2015-03-10
First Publication Date 2015-09-17
Grant Date 2016-08-02
Owner VECTRA AI, INC. (USA)
Inventor
  • Beauchesne, Nicolas
  • Prenger, Ryan James

Abstract

A detection engine may be implemented by receiving network traffic and processing the traffic into one or more session datasets. Sessions not initiated by an internal host may be discarded. The frequency between the communication packets from the internal host to external host may be grouped or processed into rapid-exchange instances. The number of rapid-exchange instances, the time intervals between them, and/or the rhythm and directions of the initiation of the instances may be analyzed to determine that a human actor is manually controlling the external host. In some embodiments, when it is determined that only one human actor is involved, alarm data may be generated that indicates that a network intrusion involving manual remote control has occurred or is underway.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 12/24 - Arrangements for maintenance or administration

35.

Malicious relay detection on networks

      
Application Number 14644186
Grant Number 09628512
Status In Force
Filing Date 2015-03-10
First Publication Date 2015-09-17
Grant Date 2017-04-18
Owner VECTRA AI, INC. (USA)
Inventor
  • Prenger, Ryan James
  • Beauchesne, Nicolas
  • Lynn, Karl Matthew

Abstract

A system and method for detecting malicious relay communications is disclosed. Network communications can be received and analyzed using such network components as a network switch. The received traffic can be parsed into sessions. Relay metadata can be extracted from the sessions and further be used to categorize the sessions into one or more types of relay metadata behaviors. Once a significant number of sessions are detected, an alarm may be triggered and/or alarm data may be generated for analysis by network security administrators.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 17/30 - Information retrieval; Database structures therefor

36.

Systems and methods for capturing, replaying, or analyzing time-series data

      
Application Number 14309873
Grant Number 09237164
Status In Force
Filing Date 2014-06-19
First Publication Date 2015-03-19
Grant Date 2016-01-12
Owner VECTRA AI, INC. (USA)
Inventor
  • Harlacher, James
  • Abene, Mark

Abstract

Provided is an intrusion detection system configured to detect anomalies indicative of a zero-day attack by statistically analyzing substantially all traffic on a network in real-time. The intrusion detection system, in some aspects, includes a network interface; one or more processors communicatively coupled to the network interface; system memory communicatively coupled to the processors. The system memory, in some aspects, stores instructions that when executed by the processors cause the processors to perform steps including: buffering network data from the network interface in the system memory; retrieving the network data buffered in the system memory; applying each of a plurality of statistical or machine-learning intrusion-detection models to the retrieved network data; aggregating intrusion-likelihood scores from each of the intrusion-detection models in an aggregate score, and upon the aggregate score exceeding a threshold, outputting an alert.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 3/06 - Digital input from, or digital output to, record carriers

37.

SECURITY THAT THINKS

      
Serial Number 86312908
Status Registered
Filing Date 2014-06-18
Registration Date 2016-05-31
Owner VECTRA AI, INC. ()
NICE Classes
  • 09 - Scientific and electric apparatus and instruments
  • 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computer security systems, namely, a hardware/software platform that combines learning, automated analysis and prioritized reporting to detect unauthorized access or attacks on computer systems and networks; computer systems, namely, a hardware/software platform for network security, network analytics and business intelligence analytics; and software for use in monitoring and maintaining the safety and data integrity of a computer network or a computer system. Development and implementation of computer security systems, namely, a hardware/software platform that combines learning, automated analysis and prioritized reporting to detect unauthorized access or attacks on computer systems and networks; development and implementation of computer systems, namely, a hardware/software platform for network security, network analytics and business intelligence analytics; and development and implementation of software for use in monitoring and maintaining the safety and data integrity of a computer network or a computer system.

38.

VECTRA

      
Application Number 012517017
Status Registered
Filing Date 2014-01-20
Registration Date 2014-06-13
Owner Vectra AI, Inc. (USA)
NICE Classes
  • 09 - Scientific and electric apparatus and instruments
  • 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computer software platform; hardware/software platform for network security, network analytics and business intelligence analytics. Development of computer software platform; development of hardware/software platform for network security, network analytics and business intelligence analytics.

39.

VECTRA

      
Serial Number 86163703
Status Registered
Filing Date 2014-01-13
Registration Date 2015-07-21
Owner VECTRA AI, INC. ()
NICE Classes
  • 09 - Scientific and electric apparatus and instruments
  • 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computer hardware and computer software platforms for network security, network analytics and business intelligence analytics. Development of computer hardware and software platforms for network security, network analytics and business intelligence analytics; providing on-line non-downloadable software platforms for network security, network analytics and business intelligence analytics.