US2019251260A1PendingUtilityA1

Cyber security using one or more models trained on a normal behavior

63
Assignee: DARKTRACE LTDPriority: Aug 4, 2014Filed: Apr 22, 2019Published: Aug 15, 2019
Est. expiryAug 4, 2034(~8.1 yrs left)· nominal 20-yr term from priority
G06F 21/577H04L 63/1408G06F 21/566G06F 21/552H04L 63/1433H04L 41/069H04L 63/1425G06F 21/56
63
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Disclosed herein is a method for detection of a cyber-threat to a computer system. The method is arranged to be performed by a processing apparatus. The method comprises receiving input data associated with a first entity associated with the computer system, deriving metrics from the input data, the metrics representative of characteristics of the received input data, analysing the metrics using one or more models, and determining, in accordance with the analysed metrics and a model of normal behavior of the first entity, a cyber-threat risk parameter indicative of a likelihood of a cyber-threat. A computer readable medium, a computer program and a threat detection system are also disclosed.

Claims

exact text as granted — not AI-modified
1 - 22 . (canceled) 
     
     
         23 . A method for detection of a cyber-threat to a computer system, the method arranged to be performed by one or more processing apparatuses, the method comprising:
 receiving input data associated with a first entity associated with the computer system and a second entity associated with the computer system;   deriving from the received input data metrics representative of characteristics of the received input data;   analyzing the derived metrics using a first self-learning model trained on a normal behavior of at least the first entity;   analyzing one or more causal links between data associated with the first entity and data associated with the second entity;   comparing the analyzed metrics to parameters that correspond to the normal behavior of at least the first entity;   determining, in accordance with the analyzed derived metrics and the causal link, a cyber-threat risk parameter indicative of a likelihood of a cyber-threat.   
     
     
         24 . The method according to claim  1 , further comprising:
 identifying behavior deviating from a normal behavior of at least the first entity, where the first self-learning model trained on the normal behavior at least uses unsupervised learning; and   building a chain of behavior including two or more causal links between data identifying the behavior deviating from the normal behavior associated with the first entity and data associated with the second entity to detect the cyber-threat.   
     
     
         25 . The method according to claim  1 , further comprising:
 where the modelled behavior in the first model of the first entity includes at least one of detecting a change in a pattern in any of 1) information, 2) activity, or a 3) combination of both in the computer system in order to be able to detect both a change in behavior of a user using the computing system as well as a change in behavior of a device in the computing system, where the first entity is the device in the computing system and the device's behavior is compared to the normal behavior of at least the first entity, and the second entity is the user of the computing system and the user's activities are compared to a normal behavior of at least the second entity.   
     
     
         26 . The method according to claim  1 , further comprising:
 predicting an expected behavior of the first entity of the computing system based on the first self-learning model trained on normal behavior; and   wherein determining the cyber-threat risk parameter comprises comparing the analyzed, derived metrics with the predicted expected behavior and comparing whether parameters of the analyzed, derived metrics fall outside the parameters set by a threat parameter benchmark.   
     
     
         27 . The method according to claim  1 , where a normal behavior threshold is used by the first model as a moving benchmark of parameters that correspond to a normal pattern of life for the computing system. 
     
     
         28 . The method according to  claim 27 , where the first self-learning model of normal behavior is updated when new input data is received that is deemed within the limits of normal behavior, where a normal behavior threshold is used by the first self-learning model as a moving benchmark of parameters that correspond to a normal pattern of life for the first entity, and the normal behavior threshold is varied according to the updated changes in the computer system allowing the model to spot behavior on the computing system that falls outside the parameters set by the moving benchmark. 
     
     
         29 . The method according to claim  1 , further comprising:
 using a second self-learning model trained on a normal behavior of at least the second entity to determine what is normal behavior for at least the second entity,   using a third model trained to analyze data for detecting a first type of threat, and   using a fourth model trained to analyze data for detecting a second type of threat.   
     
     
         30 . The method according to claim  1 , wherein the cyber-threat risk parameter is a probability of the likelihood of a threat determined using a recursive Bayesian estimation. 
     
     
         31 . The method according to  claim 30 , further comprising:
 dynamically assigning recurring time cycles to a normal behavior threshold.   
     
     
         32 . A non-transitory computer readable medium comprising computer readable code operable, when executed by one or more processing apparatuses in the computer system to instruct a computing device to perform the method of claim  1 . 
     
     
         33 . A threat detection system, comprising:
 at least one or more ports configured to receive input data associated with a first entity associated with a computer system and a second entity associated with the computer system;   a non-transitory memory configured to store a first self-learning model trained on a normal behavior of at least the first entity and a computer readable code; and   one or more processors configured to execute the computer readable code to derive from the received input data metrics representative of characteristics of the received input data, to analyze the derived metrics using a first self-learning model trained on a normal behavior of at least the first entity, to analyze one or more causal links between data associated with the first entity and data associated with the second entity, to comparing the analyzed metrics to parameters that correspond to the normal behavior of at least the first entity, and to determine, in accordance with the analyzed derived metrics and the causal link, a cyber-threat risk parameter indicative of a likelihood of a cyber-threat.   
     
     
         34 . The threat detection system to claim  11 , wherein the processor is further configured to execute the computer readable code to identify behavior deviating from the normal behavior of at least the first entity and to build a chain of behavior applying at least two or more causal links to detect the cyber-threat. 
     
     
         35 . The threat detection system to claim  11 , wherein the processor is further configured to execute the computer readable code to analyze the derived metrics using a second self-learning model trained on a normal behavior of at least the second entity, to use a third self-learning model trained on a first type of threat, and to use a third self-learning model trained on a second type of threat. 
     
     
         36 . The threat detection system to claim  11 , wherein the processor is further configured to execute the computer readable code to predict an expected behavior of the first entity of the computing system based on the first self-learning model trained on normal behavior; and
 wherein determining the cyber-threat risk parameter comprises comparing the analyzed, derived metrics with the predicted expected behavior and comparing whether parameters of the analyzed, derived metrics fall outside the parameters set by a threat parameter benchmark.   
     
     
         37 . The threat detection system to claim  11 , wherein a normal behavior threshold is used by the first model as a moving benchmark of parameters that correspond to a normal pattern of life for the computing system, where the first self-learning model of normal behavior is updated when new input data is received that is deemed within the limits of normal behavior. 
     
     
         38 . The threat detection system to claim  11 , where the modelled behavior in the first model of the first entity includes at least one of detecting a change in a pattern in any of 1) information, 2) activity, or a 3) combination of both in the computer system in order to be able to detect both a change in behavior of a user using the computing system as well as a change in behavior of a device in the computing system, where the first entity is the device in the computing system and the device's behavior is compared to the normal behavior of at least the first entity, and the second entity is the user of the computing system and the user's activities are compared to a normal behavior of at least the second entity. 
     
     
         39 . The threat detection system to claim  11 , wherein the derived metrics are network traffic related metrics associated with activity of the first entity on the computer system reflecting a usage of the computer system by the first entity over a period of time. 
     
     
         40 . The threat detection system to claim  11 , wherein the cyber-threat risk parameter is a probability of the likelihood of a threat determined using a recursive Bayesian estimation, and where the processor is further configured to execute the computer readable code to dynamically assign recurring time cycles to a normal behavior threshold. 
     
     
         41 . The threat detection system to claim  11 , wherein results of the cyber-threat risk parameter are projected on a 3D graphical user interface that conveys cyber threats across a packet flow and connection topology corresponding to the computing system. 
     
     
         42 . A network, comprising:
 at least one network switch;   multiple computing devices operable by users of the network;   a threat detection system that includes
 at least one or more ports configured to receive input data associated with a first entity associated with a computer system and a second entity associated with the computer system; 
 a non-transitory memory configured to store a first self-learning model trained on a normal behavior of at least the first entity and a computer readable code; and 
 a processor configured to execute the computer readable code to derive from the received input data metrics representative of characteristics of the received input data, to analyze the derived metrics using a first self-learning model trained on a normal behavior of at least the first entity, to analyze one or more causal links between data associated with the first entity and data associated with the second entity, and to determine, in accordance with the analyzed derived metrics and the causal link, a cyber-threat risk parameter indicative of a likelihood of a cyber-threat; and 
   wherein the threat detection system leverages an improvement in the device by identifying cyber-threats to improve performance by the target device by containing the detected threat and minimizing an amount of CPU cycles, memory space, and power consumed by that detected threat in the network entity when the detected threat is contained by the initiated actions.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.