US2021097172A1PendingUtilityA1
Cybersecurity event detection system and method
Est. expirySep 26, 2039(~13.2 yrs left)· nominal 20-yr term from priority
Inventors:Elliot ColquhounAndrew EggletonAlexandra SerenhovAnkit ShankarBrian KeohaneCorinne PetroschkeDarren ZhaoIonut IordacheXiao TangSimon VahrTareq AlkhatibAthanasios KontonasiosThomas Mathew
G06F 21/53G06F 2221/2149H04L 63/1425G06F 21/554G06F 21/57G06F 21/566H04L 63/1441G06F 21/552
54
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
A method, performed by one or more processors, includes: receiving an indication of a desired modification to a cybersecurity event detector that is being contemporaneously used for the detection of potential cybersecurity events in a production environment; modifying, in a sandbox environment, the cybersecurity event detector based on the indication of the desired modification to the cybersecurity event detector; and for each system event in a set of system events, determining, in the sandbox environment, whether the respective system event is indicative of a potential cybersecurity event using the modified cybersecurity event detector. Related apparatus are also disclosed.
Claims
exact text as granted — not AI-modified1 . A method, performed by one or more processors, comprising:
receiving an indication of a desired modification to a cybersecurity event detector that is being contemporaneously used for the detection of potential cybersecurity events in a production environment; modifying, in a sandbox environment, the cybersecurity event detector based on the indication of the desired modification to the cybersecurity event detector; and for each system event in a set of system events, determining, in the sandbox environment, whether the respective system event is indicative of a potential cybersecurity event using the modified cybersecurity event detector.
2 . The method of claim 1 , wherein the set of system events comprises a set of detected production system events, wherein each system event of the set of detected production system events has been determined, using the cybersecurity event detector, to be indicative of a potential cybersecurity event.
3 . The method of claim 2 , wherein one or more system events determined to be indicative of a potential cybersecurity event are excluded, using a cybersecurity event allowlisting rule, from the set of detected production system events.
4 . The method of claim 2 , wherein each system event of a true positive subset of the set of detected production system events has been labelled as an actual cybersecurity event.
5 . The method of claim 4 , comprising:
calculating the number of system events of the true positive subset of the set of detected system events determined, using the modified cybersecurity event detector, to be indicative of a potential cyber security event.
6 . The method of any one of claims 3 , wherein each system event of a false positive subset of the set of detected production system events has been labelled as not being an actual cybersecurity event.
7 . The method of claim 6 , comprising:
calculating the number of system events of the false positive subset of the set of detected system events determined, using the modified cybersecurity event detector, to be indicative of a potential cybersecurity event.
8 . The method of claim 1 wherein the set of system events comprises a set of undetected production system events, wherein each system event of the set of undetected production system events has been determined, using the cybersecurity event detector, not to be indicative of a potential cybersecurity event.
9 . The method of claim 8 , wherein each system event of a false negative subset of the set of undetected production system event has been labelled as being an actual cybersecurity event.
10 . The method of claim 9 , comprising:
calculating the number of system events of the false negative subset of the set of detected system events determined, using the modified cybersecurity event detector, to be indicative of a potential cybersecurity event.
11 . The method of claim 1 , wherein determining, in the sandbox environment, that one or more system events of a set of system events are indicative of a potential cybersecurity event comprises processing the one or more system events using a search engine library.
12 . The method of claim 1 , comprising:
determining, in the production environment, that one or more system events occurring in the production environment are indicative of potential cybersecurity events using the cybersecurity event detector.
13 . The method of claim 12 , wherein determining, in the production environment, that one or more system events occurring in the production environment are indicative of potential cybersecurity events comprises processing the one or more system events using a cluster-computing framework.
14 . The method of claim 1 comprising sending, to a client device, one or more cybersecurity event detection statistics, wherein each of the cybersecurity event detection statistics is based on the number of system events of a respective subset of the set of system events determined, using the modified cybersecurity event detector, to be indicative of a potential cybersecurity event.
15 . A method, performed by one or more processors, comprising:
sending, to a server device, an indication of a desired modification to a cybersecurity event detector that is being contemporaneously used for the detection of potential cybersecurity events in a production environment; receiving one or more cybersecurity event detection statistics, wherein each of the one or more cybersecurity event detection statistics is based on the number of system events of a respective subset of a set of system events determined, in a sandbox environment, to be indicative of a potential cybersecurity event using the modified cybersecurity event detector; and displaying the one or more cybersecurity event detection statistics.
16 . The method of claim 15 , comprising receiving, from the server device, one or more cybersecurity event detection statistics dependent on the number of system events of the set of system events determined to be indicative of a potential cybersecurity event using the cybersecurity event detector.
17 . The method of claim 15 , comprising:
receiving, from the server device, a representation of the cybersecurity event detector; displaying one or more properties of the cybersecurity event detector; and receiving one or more user inputs indicative of the desired modification to the cybersecurity event detector.
18 . The method of any one of claims 15 , comprising:
receiving, from the server device, one or more properties of a system event determined to be indicative of a potential cybersecurity event using the modified cybersecurity event detector; and displaying the one or more properties of the system event.
19 . An apparatus comprising:
memory comprising stored executable instructions; one or more processors, operatively coupled to the memory, and operative to execute the stored instructions wherein the instructions when executed by the one or more processors cause the one or more processors to:
receive an indication of a desired modification to a cybersecurity event detector that is being contemporaneously used for the detection of potential cybersecurity events in a production environment;
modify, in a sandbox environment, the cybersecurity event detector based on the indication of the desired modification to the cybersecurity event detector; and
for each system event in a set of system events, determine, in the sandbox environment, whether the respective system event is indicative of a potential cybersecurity event using the modified cybersecurity event detector.
20 . The apparatus of claim 19 , wherein the set of system events comprises a set of detected production system events, wherein each system event of the set of detected production system events has been determined, using the cybersecurity event detector, to be indicative of a potential cybersecurity event.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.