US2024022595A1PendingUtilityA1

Method for sharing cybersecurity threat analysis and defensive measures amongst a community

80
Assignee: DARKTRACE HOLDINGS LTDPriority: Feb 20, 2018Filed: Sep 26, 2023Published: Jan 18, 2024
Est. expiryFeb 20, 2038(~11.6 yrs left)· nominal 20-yr term from priority
H04L 63/1483H04L 63/101H04L 63/0428H04L 63/0209H04L 41/22G06F 21/36G06F 3/0486G06F 3/04842G06F 18/23H04L 51/212H04L 51/42G06V 30/10G06F 40/40G06N 20/10G06F 16/2455G06N 20/00G06N 20/20H04L 51/224H04L 63/1433H04L 63/14G06F 21/556G06F 21/554G06F 18/232H04L 63/20H04L 63/1416H04L 63/1441H04L 63/1425H04L 43/045H04L 67/12H04L 51/18
80
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A cyber threat defense system can leverage identifying threats by spotting deviations from normal behavior to create a system-wide inoculation regimen. The cyber threat defense system can have a comparison module to execute a comparison of input data for a network entity to at least one machine-learning model of a generic network entity using a normal behavior benchmark to spot behavior deviating from normal benign behavior. The comparison module can identify whether the network entity is in a breach state. The cyber threat defense system can have a cyber threat module to identify whether the breach state and a chain of relevant behavioral parameters correspond to a cyber threat. The cyber threat defense system can have an inoculation module to send an inoculation notice to warn of a potential cyber threat to a target device.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method for a cyber threat defense system, comprising:
 comparing input data monitoring a network entity to at least one machine-learning model trained on a normal benign behavior of the network entity using a normal behavior benchmark describing parameters corresponding to a normal pattern of activity for that network entity to spot behavior on the network deviating from a normal benign behavior of that network entity, where the network entity is at least one of a user and a device associated with a network;   identifying whether the network entity is in a breach state of the normal behavior benchmark;   identifying whether the breach state and a chain of relevant behavioral parameters deviating from the normal benign behavior of that network entity correspond to a cyber threat; and   sending an inoculation notice having an inoculation pattern describing the breach state and the chain of relevant behavioral parameters to a target device to warn of a potential cyber threat.   
     
     
         2 . The method for the cyber threat defense system of  claim 1 , further comprising:
 sending a remediation action instruction in the inoculation notice to describe at least one action to remediate the breach state.   
     
     
         3 . The method for the cyber threat defense system of  claim 1 , further comprising:
 anonymizing the inoculation pattern to remove any personally identifiable information for the network entity from the inoculation pattern.   
     
     
         4 . The method for the cyber threat defense system of  claim 1 , further comprising:
 presenting a description of the breach state to a user analyst for review.   
     
     
         5 . The method for the cyber threat defense system of  claim 1 , further comprising:
 receiving, from a user analyst, at least one of a triggering input directing transmission of the inoculation notice to the target device and a blocking input preventing transmission of the inoculation notice to the target device.   
     
     
         6 . The method for the cyber threat defense system of  claim 1 , further comprising:
 generating a threat risk parameter listing a set of values describing aspects of the cyber threat.   
     
     
         7 . The method for the cyber threat defense system of  claim 6 , further comprising:
 populating the threat risk parameter with at least one of a confidence score indicating a threat likelihood describing a probability that the breach state is the cyber threat, a severity score indicating a percentage that the network entity in the breach state is deviating from the at least one model, and a consequence score indicating a severity of damage attributable to the cyber threat.   
     
     
         8 . The method for the cyber threat defense system of  claim 6 , further comprising:
 comparing the threat risk parameter to a benchmark matrix having a set of benchmark scores to determine whether to send the inoculation notice.   
     
     
         9 . The method for the cyber threat defense system of  claim 8 , further comprising:
 assigning a weight to each benchmark score to assign a relative importance to each benchmark score.   
     
     
         10 . A non-transitory computer readable medium comprising computer readable code operable, when executed by one or more processing apparatuses in the cyber threat defense system to instruct a computing device to perform the method of  claim 1 . 
     
     
         11 . A cyber-threat coordinator-component, comprising:
 a comparison module configured to execute a comparison of the input data input data monitoring a network entity to at least one machine-learning model trained on a normal benign behavior of the network entity using a normal behavior benchmark describing parameters corresponding to a normal pattern of activity for that network entity to spot behavior on the network deviating from a normal benign behavior of that network entity to identify whether the network entity is in a breach state of the normal behavior benchmark, where the network entity representing at least one of a user and a device associated with a network;   a cyber threat module configured to identify whether the breach state identified by the comparison module and a chain of relevant behavioral parameters deviating from the normal benign behavior of that network entity correspond to a cyber threat; and   an inoculation module configured to generate an inoculation pattern describing the breach state and the chain of relevant behavioral parameters corresponding to the cyber threat identified by the cyber threat module and to store the inoculation pattern in an inoculation record in a network-accessible inoculation database.   
     
     
         12 . The apparatus for the cyber threat defense system of  claim 11 , wherein the inoculation module is configured to generate an inoculation notice having the inoculation pattern to a target device to warn of a potential breach state of normal behavior corresponding to that cyber threat by the target device and to send the inoculation notice to a target device related to the network entity. 
     
     
         13 . The apparatus for the cyber threat defense system of  claim 11 , wherein the inoculation module is configured to create an entity cluster to group the network entity with other entities of the network based on the chain of relevant behavior parameters of the inoculation pattern. 
     
     
         14 . The apparatus for the cyber threat defense system of  claim 13 , wherein the inoculation module is configured to select a target device for notification regarding the inoculation pattern based on the entity cluster. 
     
     
         15 . The apparatus for the cyber threat defense system of  claim 11 , wherein the inoculation module is configured to send an inoculation report listing at least the inoculation record to a target device related to the network entity to instruct the target device to retrieve the inoculation record from the network-accessible inoculation database. 
     
     
         16 . The apparatus for the cyber threat defense system of  claim 11 , wherein the inoculation record associates the inoculation pattern with a remediation action instruction to describe at least one action to remediate the cyber threat. 
     
     
         17 . The apparatus for the cyber threat defense system of  claim 11 , wherein the inoculation module is configured to update the inoculation pattern in the inoculation record based on a subsequent event. 
     
     
         18 . The apparatus for the cyber threat defense system of  claim 11 , wherein the inoculation record associates the inoculation pattern with a context data set describing at least one of a network entity action and a network entity state related to the cyber threat. 
     
     
         19 . The apparatus for the cyber threat defense system of  claim 11 , wherein the inoculation record associates the inoculation pattern with an outside data set collected from at least one data source outside the network describing at least one of an outside action and an outside state related to the cyber threat. 
     
     
         20 . A network, comprising:
 at least one firewall;   at least one network switch;   multiple computing devices operable by users of the network;   a cyber-threat coordinator-component that includes
 a comparison module configured to execute a comparison of the input data monitoring a network entity to at least one machine-learning model trained on a normal benign behavior of the network entity using a normal behavior benchmark describing parameters corresponding to a normal pattern of activity for that network entity to spot behavior on the network deviating from a normal benign behavior of that network entity to identify whether the network entity is in a breach state of the normal behavior benchmark, where the network entity is at least one of a user and a device associated with a network; 
 a cyber threat module configured to identify whether the breach state identified by the comparison module and a chain of relevant behavioral parameters deviating from the normal benign behavior of that network entity correspond to a cyber threat; and 
 an inoculation module configured to generate an inoculation pattern describing the breach state and the chain of relevant behavioral parameters corresponding to the cyber threat identified by the cyber threat module and to send an inoculation notice having the inoculation pattern to a target device, and 
 at least one output port to send the inoculation notice to a target device; and 
   wherein the cyber-threat coordinator-component leverages an improvement in the network entity to improve performance by the target device by containing the detected threat and minimizing an amount of CPU cycles, memory space, and power consumed by that detected threat in the network entity when the detected threat is contained by the initiated actions.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.