Method for sharing cybersecurity threat analysis and defensive measures amongst a community
Abstract
A cyber threat defense system can leverage identifying threats by spotting deviations from normal behavior to create a system-wide inoculation regimen. The cyber threat defense system can have a comparison module to execute a comparison of input data for a network entity to at least one machine-learning model of a generic network entity using a normal behavior benchmark to spot behavior deviating from normal benign behavior. The comparison module can identify whether the network entity is in a breach state. The cyber threat defense system can have a cyber threat module to identify whether the breach state and a chain of relevant behavioral parameters correspond to a cyber threat. The cyber threat defense system can have an inoculation module to send an inoculation notice to warn of a potential cyber threat to a target device.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method for a cyber threat defense system, comprising:
comparing input data monitoring a network entity to at least one machine-learning model trained on a normal benign behavior of the network entity using a normal behavior benchmark describing parameters corresponding to a normal pattern of activity for that network entity to spot behavior on the network deviating from a normal benign behavior of that network entity, where the network entity is at least one of a user and a device associated with a network; identifying whether the network entity is in a breach state of the normal behavior benchmark; identifying whether the breach state and a chain of relevant behavioral parameters deviating from the normal benign behavior of that network entity correspond to a cyber threat; and sending an inoculation notice having an inoculation pattern describing the breach state and the chain of relevant behavioral parameters to a target device to warn of a potential cyber threat.
2 . The method for the cyber threat defense system of claim 1 , further comprising:
sending a remediation action instruction in the inoculation notice to describe at least one action to remediate the breach state.
3 . The method for the cyber threat defense system of claim 1 , further comprising:
anonymizing the inoculation pattern to remove any personally identifiable information for the network entity from the inoculation pattern.
4 . The method for the cyber threat defense system of claim 1 , further comprising:
presenting a description of the breach state to a user analyst for review.
5 . The method for the cyber threat defense system of claim 1 , further comprising:
receiving, from a user analyst, at least one of a triggering input directing transmission of the inoculation notice to the target device and a blocking input preventing transmission of the inoculation notice to the target device.
6 . The method for the cyber threat defense system of claim 1 , further comprising:
generating a threat risk parameter listing a set of values describing aspects of the cyber threat.
7 . The method for the cyber threat defense system of claim 6 , further comprising:
populating the threat risk parameter with at least one of a confidence score indicating a threat likelihood describing a probability that the breach state is the cyber threat, a severity score indicating a percentage that the network entity in the breach state is deviating from the at least one model, and a consequence score indicating a severity of damage attributable to the cyber threat.
8 . The method for the cyber threat defense system of claim 6 , further comprising:
comparing the threat risk parameter to a benchmark matrix having a set of benchmark scores to determine whether to send the inoculation notice.
9 . The method for the cyber threat defense system of claim 8 , further comprising:
assigning a weight to each benchmark score to assign a relative importance to each benchmark score.
10 . A non-transitory computer readable medium comprising computer readable code operable, when executed by one or more processing apparatuses in the cyber threat defense system to instruct a computing device to perform the method of claim 1 .
11 . A cyber-threat coordinator-component, comprising:
a comparison module configured to execute a comparison of the input data input data monitoring a network entity to at least one machine-learning model trained on a normal benign behavior of the network entity using a normal behavior benchmark describing parameters corresponding to a normal pattern of activity for that network entity to spot behavior on the network deviating from a normal benign behavior of that network entity to identify whether the network entity is in a breach state of the normal behavior benchmark, where the network entity representing at least one of a user and a device associated with a network; a cyber threat module configured to identify whether the breach state identified by the comparison module and a chain of relevant behavioral parameters deviating from the normal benign behavior of that network entity correspond to a cyber threat; and an inoculation module configured to generate an inoculation pattern describing the breach state and the chain of relevant behavioral parameters corresponding to the cyber threat identified by the cyber threat module and to store the inoculation pattern in an inoculation record in a network-accessible inoculation database.
12 . The apparatus for the cyber threat defense system of claim 11 , wherein the inoculation module is configured to generate an inoculation notice having the inoculation pattern to a target device to warn of a potential breach state of normal behavior corresponding to that cyber threat by the target device and to send the inoculation notice to a target device related to the network entity.
13 . The apparatus for the cyber threat defense system of claim 11 , wherein the inoculation module is configured to create an entity cluster to group the network entity with other entities of the network based on the chain of relevant behavior parameters of the inoculation pattern.
14 . The apparatus for the cyber threat defense system of claim 13 , wherein the inoculation module is configured to select a target device for notification regarding the inoculation pattern based on the entity cluster.
15 . The apparatus for the cyber threat defense system of claim 11 , wherein the inoculation module is configured to send an inoculation report listing at least the inoculation record to a target device related to the network entity to instruct the target device to retrieve the inoculation record from the network-accessible inoculation database.
16 . The apparatus for the cyber threat defense system of claim 11 , wherein the inoculation record associates the inoculation pattern with a remediation action instruction to describe at least one action to remediate the cyber threat.
17 . The apparatus for the cyber threat defense system of claim 11 , wherein the inoculation module is configured to update the inoculation pattern in the inoculation record based on a subsequent event.
18 . The apparatus for the cyber threat defense system of claim 11 , wherein the inoculation record associates the inoculation pattern with a context data set describing at least one of a network entity action and a network entity state related to the cyber threat.
19 . The apparatus for the cyber threat defense system of claim 11 , wherein the inoculation record associates the inoculation pattern with an outside data set collected from at least one data source outside the network describing at least one of an outside action and an outside state related to the cyber threat.
20 . A network, comprising:
at least one firewall; at least one network switch; multiple computing devices operable by users of the network; a cyber-threat coordinator-component that includes
a comparison module configured to execute a comparison of the input data monitoring a network entity to at least one machine-learning model trained on a normal benign behavior of the network entity using a normal behavior benchmark describing parameters corresponding to a normal pattern of activity for that network entity to spot behavior on the network deviating from a normal benign behavior of that network entity to identify whether the network entity is in a breach state of the normal behavior benchmark, where the network entity is at least one of a user and a device associated with a network;
a cyber threat module configured to identify whether the breach state identified by the comparison module and a chain of relevant behavioral parameters deviating from the normal benign behavior of that network entity correspond to a cyber threat; and
an inoculation module configured to generate an inoculation pattern describing the breach state and the chain of relevant behavioral parameters corresponding to the cyber threat identified by the cyber threat module and to send an inoculation notice having the inoculation pattern to a target device, and
at least one output port to send the inoculation notice to a target device; and
wherein the cyber-threat coordinator-component leverages an improvement in the network entity to improve performance by the target device by containing the detected threat and minimizing an amount of CPU cycles, memory space, and power consumed by that detected threat in the network entity when the detected threat is contained by the initiated actions.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.