Cybersecurity incident detection systems and techniques
Abstract
Behavioral baselines for a computer system may be accurately and efficiently established by (1) monitoring occurrences on the computer system, (2) determining, based on security rules or heuristics, which of the observed occurrences are associated with potential security risks, (3) identifying patterns of activity based on the suspicious occurrences, and (4) prompting a user to indicate whether the observed patterns of suspicious activity are expected or unexpected. Behavior baselines established in this manner can then be used to differentiate between expected and unexpected patterns of activity on the computer system.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A computer-implemented cybersecurity method, comprising:
obtaining occurrence data indicative of a plurality of occurrences observed in a computer system; identifying, based on the occurrence data, at least one pattern of activity in the computer system; comparing the at least one pattern of activity to a plurality of second patterns of activity in a behavioral baseline database, the plurality of second patterns of activity in the behavioral baseline database classified as expected or unexpected based on a user identifier of a user initiating an activity, said comparing comprising:
identifying one or more attributes of the at least one pattern of activity; and
querying the behavioral baseline database to identify one or more second patterns of activity having same user identifier as the at least one pattern of activity;
based on the comparing, determining an association between the at least one pattern of activity and the identified one or more second patterns of activity in the behavioral baseline database is above a threshold and identifying the at least one pattern of activity as unexpected; and based on identifying the at least one pattern of activity as unexpected, issuing a security alert related to the at least one pattern of activity.
2 . The method of claim 1 , wherein the occurrence data is obtained based on security data indicating that the plurality of occurrences is relevant to computer security or that changes in patterns of the plurality of occurrences are relevant to computer security, or both.
3 . The method of claim 1 , wherein the occurrence data is obtained based on security data indicating that the plurality of occurrences includes one or more suspicious patterns of activity.
4 . The method of claim 1 , wherein the at least one pattern of activity includes a rate at which a resource of the computer system is accessed, the resource including one or more of the following: a server, a database, a file, a communication port, and a power supply.
5 . The method of claim 1 , wherein the at least one pattern of activity includes a rate at which a type of activity is performed, the type of activity including at least one of loading a module, performing a file operation, performing a registry operation, performing an inter-process operation, or communicating with a particular remote device or domain.
6 . The method of claim 5 , wherein data stored in the behavioral baseline database is indicative of an expected pattern of an activity, and wherein a deviation from the expected pattern of the activity is deemed suspicious when the type of the activity is not suspicious.
7 . The method of claim 1 , wherein the behavioral baseline database includes data defining exceptions to general definitions of suspicious behavior embodied by data in a suspicious activity database.
8 . The method of claim 1 , further comprising:
determining, based on the comparing, the at least one pattern of activity matches the identified one or more second patterns of activity if a difference between the at least one pattern of activity and the identified one or more second patterns of activity is less than a predetermined difference; and identifying the at least one pattern of activity as expected.
9 . A cybersecurity system, comprising:
a data processing apparatus comprising a memory and a processor, the data processing apparatus programmed to perform operations including:
obtaining occurrence data indicative of a plurality of occurrences observed in a computer system;
identifying, based on the occurrence data, at least one pattern of activity in the computer system;
comparing the at least one pattern of activity to a plurality of second patterns of activity in a behavioral baseline database, the plurality of second patterns of activity in the behavioral baseline database classified as expected or unexpected based on a user identifier of a user initiating an activity, said comparing comprising:
identifying one or more attributes of the at least one pattern of activity; and
querying the behavioral baseline database to identify one or more second patterns of activity having same user identifier as the at least one pattern of activity;
based on the comparing, determining an association between the at least one pattern of activity and the identified one or more second patterns of activity in the behavioral baseline database is above a threshold and identifying the at least one pattern of activity as unexpected; and
based on identifying the at least one pattern of activity as unexpected, issuing a security alert related to the at least one pattern of activity.
10 . The cybersecurity system of claim 9 , wherein the occurrence data is obtained based on security data indicating that the plurality of occurrences is relevant to computer security or that changes in patterns of the plurality of occurrences are relevant to computer security, or both.
11 . The cybersecurity system of claim 9 , wherein the occurrence data is obtained based on security data indicating that the plurality of occurrences includes one or more suspicious patterns of activity.
12 . The cybersecurity system of claim 9 , wherein the at least one pattern of activity includes a rate at which a resource of the computer system is accessed, the resource including at least one of a server, a database, a file, a communication port, or a power supply.
13 . The cybersecurity system of claim 9 , wherein the at least one pattern of activity includes a rate at which a type of activity is performed, the type of activity including at least one of loading a module, performing a file operation, performing a registry operation, performing an inter-process operation, or communicating with a particular remote device or domain.
14 . The cybersecurity system of claim 13 , wherein data stored in the behavioral baseline database is indicative of an expected pattern of an activity, wherein a deviation from the expected pattern of the activity is deemed suspicious when the type of the activity is not suspicious.
15 . The cybersecurity system of claim 9 , wherein the behavioral baseline database includes data defining exceptions to general definitions of suspicious behavior embodied by data in a suspicious activity database.
16 . The cybersecurity system of claim 9 , wherein the data processing apparatus is further programmed to perform operations including:
determining, based on the comparing, the at least one pattern of activity matches the identified one or more second patterns of activity if a difference between the at least one pattern of activity and the identified one or more second patterns of activity is less than a predetermined difference; and identifying the at least one pattern of activity as expected.
17 . One or more non-transitory computer storage media having computer-executable instructions that, upon execution by a processor, cause the processor perform a cybersecurity method, comprising:
obtaining occurrence data indicative of a plurality of occurrences observed in a computer system; identifying, based on the occurrence data, at least one pattern of activity in the computer system; comparing the at least one pattern of activity to a plurality of second patterns of activity in a behavioral baseline database, the plurality of second patterns of activity in the behavioral baseline database classified as expected or unexpected based on a user identifier of a user initiating an activity, said comparing comprising:
identifying one or more attributes of the at least one pattern of activity; and
querying the behavioral baseline database to identify one or more second patterns of activity having same user identifier as the at least one pattern of activity;
based on the comparing, determining an association between the at least one pattern of activity and the identified one or more second patterns of activity in the behavioral baseline database is above a threshold and identifying the at least one pattern of activity as unexpected; and based on identifying the at least one pattern of activity as unexpected, issuing a security alert related to the at least one pattern of activity.
18 . The one or more non-transitory computer storage media of claim 17 , wherein the at least one pattern of activity includes a rate at which a resource of the computer system is accessed, the resource including at least one of a server, a database, a file, a communication port, or a power supply.
19 . The one or more non-transitory computer storage media of claim 17 , wherein the at least one pattern of activity includes a rate at which a type of activity is performed, the type of activity including at least one of loading a module, performing a file operation, performing a registry operation, performing an inter-process operation, or communicating with a particular remote device or domain.
20 . The one or more non-transitory computer storage media of claim 17 , wherein the processor performs the cybersecurity method, further comprising:
determining, based on the comparing, the at least one pattern of activity matches the identified one or more second patterns of activity if a difference between the at least one pattern of activity and the identified one or more second patterns of activity is less than a predetermined difference; and identifying the at least one pattern of activity as expected.Join the waitlist — get patent alerts
Track US2021306360A1 — get alerts on status changes and closely related new filings.
We store only your email — no account needed. See our privacy policy.