US2021306360A1PendingUtilityA1

Cybersecurity incident detection systems and techniques

Assignee: CARBON BLACK INCPriority: Sep 14, 2016Filed: Mar 25, 2021Published: Sep 30, 2021
Est. expirySep 14, 2036(~10.2 yrs left)· nominal 20-yr term from priority
G06F 21/552H04L 63/1425G06F 21/566G06F 16/951H04L 63/1416H04L 63/1441G06N 5/02
56
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Behavioral baselines for a computer system may be accurately and efficiently established by (1) monitoring occurrences on the computer system, (2) determining, based on security rules or heuristics, which of the observed occurrences are associated with potential security risks, (3) identifying patterns of activity based on the suspicious occurrences, and (4) prompting a user to indicate whether the observed patterns of suspicious activity are expected or unexpected. Behavior baselines established in this manner can then be used to differentiate between expected and unexpected patterns of activity on the computer system.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A computer-implemented cybersecurity method, comprising:
 obtaining occurrence data indicative of a plurality of occurrences observed in a computer system;   identifying, based on the occurrence data, at least one pattern of activity in the computer system;   comparing the at least one pattern of activity to a plurality of second patterns of activity in a behavioral baseline database, the plurality of second patterns of activity in the behavioral baseline database classified as expected or unexpected based on a user identifier of a user initiating an activity, said comparing comprising:
 identifying one or more attributes of the at least one pattern of activity; and 
 querying the behavioral baseline database to identify one or more second patterns of activity having same user identifier as the at least one pattern of activity; 
   based on the comparing, determining an association between the at least one pattern of activity and the identified one or more second patterns of activity in the behavioral baseline database is above a threshold and identifying the at least one pattern of activity as unexpected; and   based on identifying the at least one pattern of activity as unexpected, issuing a security alert related to the at least one pattern of activity.   
     
     
         2 . The method of  claim 1 , wherein the occurrence data is obtained based on security data indicating that the plurality of occurrences is relevant to computer security or that changes in patterns of the plurality of occurrences are relevant to computer security, or both. 
     
     
         3 . The method of  claim 1 , wherein the occurrence data is obtained based on security data indicating that the plurality of occurrences includes one or more suspicious patterns of activity. 
     
     
         4 . The method of  claim 1 , wherein the at least one pattern of activity includes a rate at which a resource of the computer system is accessed, the resource including one or more of the following: a server, a database, a file, a communication port, and a power supply. 
     
     
         5 . The method of  claim 1 , wherein the at least one pattern of activity includes a rate at which a type of activity is performed, the type of activity including at least one of loading a module, performing a file operation, performing a registry operation, performing an inter-process operation, or communicating with a particular remote device or domain. 
     
     
         6 . The method of  claim 5 , wherein data stored in the behavioral baseline database is indicative of an expected pattern of an activity, and wherein a deviation from the expected pattern of the activity is deemed suspicious when the type of the activity is not suspicious. 
     
     
         7 . The method of  claim 1 , wherein the behavioral baseline database includes data defining exceptions to general definitions of suspicious behavior embodied by data in a suspicious activity database. 
     
     
         8 . The method of  claim 1 , further comprising:
 determining, based on the comparing, the at least one pattern of activity matches the identified one or more second patterns of activity if a difference between the at least one pattern of activity and the identified one or more second patterns of activity is less than a predetermined difference; and   identifying the at least one pattern of activity as expected.   
     
     
         9 . A cybersecurity system, comprising:
 a data processing apparatus comprising a memory and a processor, the data processing apparatus programmed to perform operations including:
 obtaining occurrence data indicative of a plurality of occurrences observed in a computer system; 
 identifying, based on the occurrence data, at least one pattern of activity in the computer system; 
 comparing the at least one pattern of activity to a plurality of second patterns of activity in a behavioral baseline database, the plurality of second patterns of activity in the behavioral baseline database classified as expected or unexpected based on a user identifier of a user initiating an activity, said comparing comprising:
 identifying one or more attributes of the at least one pattern of activity; and 
 querying the behavioral baseline database to identify one or more second patterns of activity having same user identifier as the at least one pattern of activity; 
 
 based on the comparing, determining an association between the at least one pattern of activity and the identified one or more second patterns of activity in the behavioral baseline database is above a threshold and identifying the at least one pattern of activity as unexpected; and 
 based on identifying the at least one pattern of activity as unexpected, issuing a security alert related to the at least one pattern of activity. 
   
     
     
         10 . The cybersecurity system of  claim 9 , wherein the occurrence data is obtained based on security data indicating that the plurality of occurrences is relevant to computer security or that changes in patterns of the plurality of occurrences are relevant to computer security, or both. 
     
     
         11 . The cybersecurity system of  claim 9 , wherein the occurrence data is obtained based on security data indicating that the plurality of occurrences includes one or more suspicious patterns of activity. 
     
     
         12 . The cybersecurity system of  claim 9 , wherein the at least one pattern of activity includes a rate at which a resource of the computer system is accessed, the resource including at least one of a server, a database, a file, a communication port, or a power supply. 
     
     
         13 . The cybersecurity system of  claim 9 , wherein the at least one pattern of activity includes a rate at which a type of activity is performed, the type of activity including at least one of loading a module, performing a file operation, performing a registry operation, performing an inter-process operation, or communicating with a particular remote device or domain. 
     
     
         14 . The cybersecurity system of  claim 13 , wherein data stored in the behavioral baseline database is indicative of an expected pattern of an activity, wherein a deviation from the expected pattern of the activity is deemed suspicious when the type of the activity is not suspicious. 
     
     
         15 . The cybersecurity system of  claim 9 , wherein the behavioral baseline database includes data defining exceptions to general definitions of suspicious behavior embodied by data in a suspicious activity database. 
     
     
         16 . The cybersecurity system of  claim 9 , wherein the data processing apparatus is further programmed to perform operations including:
 determining, based on the comparing, the at least one pattern of activity matches the identified one or more second patterns of activity if a difference between the at least one pattern of activity and the identified one or more second patterns of activity is less than a predetermined difference; and   identifying the at least one pattern of activity as expected.   
     
     
         17 . One or more non-transitory computer storage media having computer-executable instructions that, upon execution by a processor, cause the processor perform a cybersecurity method, comprising:
 obtaining occurrence data indicative of a plurality of occurrences observed in a computer system;   identifying, based on the occurrence data, at least one pattern of activity in the computer system;   comparing the at least one pattern of activity to a plurality of second patterns of activity in a behavioral baseline database, the plurality of second patterns of activity in the behavioral baseline database classified as expected or unexpected based on a user identifier of a user initiating an activity, said comparing comprising:
 identifying one or more attributes of the at least one pattern of activity; and 
 querying the behavioral baseline database to identify one or more second patterns of activity having same user identifier as the at least one pattern of activity; 
   based on the comparing, determining an association between the at least one pattern of activity and the identified one or more second patterns of activity in the behavioral baseline database is above a threshold and identifying the at least one pattern of activity as unexpected; and   based on identifying the at least one pattern of activity as unexpected, issuing a security alert related to the at least one pattern of activity.   
     
     
         18 . The one or more non-transitory computer storage media of  claim 17 , wherein the at least one pattern of activity includes a rate at which a resource of the computer system is accessed, the resource including at least one of a server, a database, a file, a communication port, or a power supply. 
     
     
         19 . The one or more non-transitory computer storage media of  claim 17 , wherein the at least one pattern of activity includes a rate at which a type of activity is performed, the type of activity including at least one of loading a module, performing a file operation, performing a registry operation, performing an inter-process operation, or communicating with a particular remote device or domain. 
     
     
         20 . The one or more non-transitory computer storage media of  claim 17 , wherein the processor performs the cybersecurity method, further comprising:
 determining, based on the comparing, the at least one pattern of activity matches the identified one or more second patterns of activity if a difference between the at least one pattern of activity and the identified one or more second patterns of activity is less than a predetermined difference; and   identifying the at least one pattern of activity as expected.

Join the waitlist — get patent alerts

Track US2021306360A1 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.