US2022327409A1PendingUtilityA1

Real Time Detection of Cyber Threats Using Self-Referential Entity Data

66
Assignee: ELASTICSEARCH BVPriority: May 9, 2017Filed: Jun 23, 2022Published: Oct 13, 2022
Est. expiryMay 9, 2037(~10.8 yrs left)· nominal 20-yr term from priority
G06N 7/01H04L 63/1425G06F 2221/034G06F 21/554G06N 20/00H04L 63/1416G06F 16/212H04L 63/0263G06F 21/566G06N 7/005
66
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Real time detection of cyber threats using behavioral analytics is disclosed. An example method includes obtaining, in real time, attributes for an entity within a population of entities, the attributes being indicative of entity behavior; building an entity probability model using the attributes and associated values collected over a period of time; and establishing a control portion of the entity probability model associated with a portion of the period of time. The example method includes comparing any of the entity attribute values and the entity probability model for other portions of the period of time to the control portion to identify one or more anomalous differences, and executing a remediation action based thereon. Some embodiments include determining a set comprising the anomalous differences and additional anomalous differences for the entity or the entity's peer group, and calculating the set's overall probability to determine if the entity is malicious.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method for real time detection of cyber threats, the method comprising:
 building an entity probability model of an entity using attributes and associated attribute values of the entity collected over a period of time;   establishing a control entity probability model, the control entity probability model including a control portion of the entity probability model, the control portion being associated with a portion of the period of time;   comparing any of the entity's attribute values and the entity probability model for other portions of the period of time to the control portion of the entity probability model to identify one or more anomalous differences in real time; and   executing a remediation action with respect to the entity based on the identification of the one or more anomalous differences.   
     
     
         2 . The method of  claim 1 , wherein the one or more anomalous differences are detected by a difference, between the control portion of the entity probability model and the other portions of the entity probability model, that exceeds a probabilistic threshold. 
     
     
         3 . The method of  claim 1 , wherein a plurality of different types of the attributes and their associated attribute values are used to build the entity probability model. 
     
     
         4 . The method of  claim 1 , wherein the remediation action is taken in accordance with the one or more anomalous differences that are identified. 
     
     
         5 . The method of  claim 1 , further comprising obtaining, in real time, the attributes for the entity within a population of entities in real time, the attributes being indicative of entity behavior. 
     
     
         6 . The method of  claim 1 , wherein the remediation action includes disabling the computing device of the entity or terminating network access of the entity. 
     
     
         7 . The method of  claim 1 , wherein the entity data is time stamped to preserve chronological information. 
     
     
         8 . The method of  claim 1 , further comprising establishing other control portions. 
     
     
         9 . The method of  claim 1 , wherein the control portion establishes a baseline for later comparison. 
     
     
         10 . The method of  claim 1 , wherein the comparing step is self-referential as the control entity probability model is compared against the model for the other remaining portions of the period of time. 
     
     
         11 . The method of  claim 1 , wherein the entity comprises any of a process, a service, a computing device, a network, an end user, a host, and any combinations thereof. 
     
     
         12 . A system, comprising:
 a processor; and   a memory for storing executable instructions, the processor executing the instructions to:
 build an entity probability model of an entity using attributes and associated attribute values of the entity collected over a period of time; 
 establish a control entity probability model, the control entity probability model including a control portion of the entity probability model, the control portion being associated with a portion of the period of time; 
 compare any of the entity's attribute values and the entity probability model for other portions of the period of time to the control portion of the entity probability model to identify one or more anomalous differences in real time; and 
 execute a remediation action with respect to the entity based on the identification of the one or more anomalous differences. 
   
     
     
         13 . The system of  claim 12 , wherein the one or more anomalous differences are detected by a difference, between the control portion of the entity probability model and the other portions of the entity probability model, that exceeds a probabilistic threshold. 
     
     
         14 . The system of  claim 12 , wherein a plurality of different types of the attributes and their associated attribute values are used to build the entity probability model. 
     
     
         15 . The system of  claim 12 , wherein the remediation action is taken in accordance with the one or more anomalous differences that are identified. 
     
     
         16 . The system of  claim 12 , wherein processor is further configured to execute instructions to obtain, in real time, the attributes for the entity within a population of entities in real time, the attributes being indicative of entity behavior. 
     
     
         17 . The system of  claim 12 , wherein the remediation action includes disabling the computing device of the entity or terminating network access of the entity. 
     
     
         18 . The system of  claim 12 , wherein the entity data is time stamped to preserve chronological information. 
     
     
         19 . The system of  claim 12 , further comprising establishing other control portions. 
     
     
         20 . The system of  claim 12 , wherein the control portion establishes a baseline for later comparison. 
     
     
         21 . The system of  claim 12 , wherein the compare step is self-referential as the control entity probability model is compared against the model for the other remaining portions of the period of time. 
     
     
         22 . The system of  claim 12 , wherein the entity comprises any of a process, a service, a computing device, a network, an end user, a host, and any combinations thereof.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.