Invented by Ilias Kotinas, Theocharis Tsigkritis, Giorgos Gkroumas, Crypteia Networks SA

As the world becomes increasingly digital, the threat of cyber attacks is on the rise, and detecting network threats has become more complex. The Crypteia Networks invention addresses this with behavioral clustering: network entities (internal and external IP addresses, autonomous systems, domains, email addresses, devices) are grouped by how they behave rather than by what they are, so that an entity whose behavior matches a cluster of known-bad entities can be flagged even when little is known about it directly. Networks are dynamic and constantly changing, which makes this kind of detection difficult, and traditional measures such as firewalls and antivirus software are not enough on their own. Companies have therefore developed systems that apply machine learning and artificial intelligence to entity behavior, identifying patterns that may indicate a threat and anomalies that may indicate a breach. The market for such systems is growing rapidly: according to a report by MarketsandMarkets, the global market for network security solutions is expected to reach $22.8 billion by 2023, driven by the increasing number of cyber attacks and the need for more advanced security measures. Large vendors have invested in this area; for example, Cisco's Stealthwatch uses machine learning to detect threats in real time, and IBM's QRadar uses artificial intelligence to detect threats. Many startups are also developing solutions, often focused on specific industries or niches such as healthcare or financial services. Overall, the market for systems and methods that detect network threats using behavioral clustering is growing rapidly.
As the threat of cyber attacks continues to increase, companies will need to invest in advanced security measures to protect their networks. With the development of these innovative solutions, businesses can stay ahead of the curve and protect their data from cyber threats.

The Crypteia Networks SA invention works as follows

Systems and methods to detect threats in a network are provided. Records are obtained for entities that have access to the network; the records contain attributes associated with those entities. From the attributes, the system identifies the features each entity should have and assigns each entity a feature set built from them. The system then forms clusters of entities based on their feature sets and assigns each cluster a threat severity score derived from the scores of the entities that formed it. If a cluster's threat severity score exceeds a threshold, the system generates an alert for each entity in that cluster.

Background for Systems and methods to detect network threats from behavioral cluster-based networks

Computer networks and systems can have vulnerabilities that could be exploited to attack or threaten them. An exploited vulnerability can degrade the network's operation, for example by slowing data flow or preventing access to computing resources.

The present disclosure is generally directed to a network security monitor that uses behavioral clustering to detect threats within a computer network. It can be difficult to collect or obtain information from all of the entities in a network infrastructure, which may include network nodes, network elements and network components. For various reasons it may prove difficult to obtain information (or the same kind of information) from one or more entities: an entity may be unavailable, damaged, busy processing requests, incorrectly configured, compromised, or otherwise inaccessible. Without gathering information about an entity, the network security monitor may be unable to detect or determine threats to it, and detecting threats with only partial information about the network infrastructure can be difficult.

Systems and methods of the present solution provide a network security monitor that uses behavioral clustering techniques to group entities with similar behavior. Based on an entity's behavior, the network security monitor can assign it a threat severity score. Entities can include internal internet protocol addresses (IPs), external IPs, autonomous system numbers (ASNs), email addresses, domains and devices. The network security monitor can then determine whether an entity belongs to a group of entities that are likely threatful (threatening, or a security threat) or likely non-threatful.

At least one aspect of the invention is directed to a method for detecting threats in a network. A network security monitor can obtain a plurality of records for a plurality of entities that have access to the network; the records include attributes associated with each entity. Based on the attributes of each entity, the network security monitor can identify a plurality of features for that entity and generate a feature set for it from those features. Based on the feature sets of all the entities, the network security monitor can form a plurality of clusters of entities. The network security monitor can classify each cluster with a threat severity score based on the scores of the entities that formed that cluster. If an entity belongs to a cluster whose threat severity score is greater than a threshold, the network security monitor can generate an alert for that entity.

In some embodiments, the network security monitor can aggregate, within a time context (for example a time window), the attributes associated with the plurality of entities. The aggregation can use at least one of: average, sum, count, unique count, minimum value, or maximum value. The network security monitor can then identify the features based on the aggregated attributes.

The network security monitor can transform the plurality of features of each entity using at least one of a logarithmic, exponential, or root function, and generate the feature set for each entity from the transformed features.

The network security monitor can determine whether the number of features for an entity exceeds a threshold and, in response, apply a linear dimensionality reduction technique to reduce the number of features for that entity; the entity's feature set is then generated from the reduced number of features. The linear dimensionality reduction technique can include at least one of principal component analysis, kernel principal component analysis, or a graph-based kernel principal component analysis technique.

The network security monitor is able to weight the plurality features for each entity. The network security monitor can create the feature set for each entity using the weighted plurality features. A feature set can be equivalent to a data point within a multidimensional space.

The network security monitor can form the plurality of clusters of entities using a density-based spatial clustering technique. It can also form the clusters using a dynamic clustering technique together with at least one density-based spatial clustering technique.

In some embodiments, the plurality of entities can include internal internet protocol addresses, external IPs, autonomous system numbers, domains, electronic mail addresses, and devices. The plurality of features can correspond to at least one of: traffic-related counters, security-related counters, policy violations, alert-related counters, device identifiers, or organization identifiers.

The network security monitor can generate the alert for an entity even when no attack involving that entity has been detected within a specified time period; membership in a cluster whose severity exceeds the threshold is the signal. The network security monitor can transmit the alert, which includes an indication of whether to disable, reset, or apply a patch to the entity.
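The following Python pipeline is an added illustration of the method aspect summarized above, from record aggregation through feature transformation and density-based clustering to cluster-level scoring and alerting. It is not Crypteia's code or the patent's implementation. The records, entity names, feature weights, the DBSCAN parameters (eps, min_pts), the use of the mean of members' known scores as the cluster severity, the severity threshold and the remediation hint in the alert are all assumptions constructed for the example; DBSCAN is written in pure Python so the block runs without third-party libraries.

```python
from collections import defaultdict
from math import log1p, sqrt

# Constructed records for one time window: (entity, window, bytes_out,
# connections, peer, policy_violations). Three hosts push ~50 MB to the
# same external peer; 10.0.0.12 has no policy hits and no prior detection.
RECORDS = [
    ("10.0.0.5",  1, 52_000_000, 400, "198.51.100.7", 3),
    ("10.0.0.5",  1,  4_000_000, 350, "198.51.100.8", 2),
    ("10.0.0.9",  1, 48_000_000, 380, "198.51.100.7", 4),
    ("10.0.0.9",  1,  6_000_000, 300, "198.51.100.9", 1),
    ("10.0.0.12", 1, 50_000_000, 410, "198.51.100.7", 0),
    ("10.0.0.12", 1,  5_000_000, 360, "198.51.100.8", 0),
    ("10.0.0.20", 1,     80_000,   5, "203.0.113.4",  0),
    ("10.0.0.21", 1,     95_000,   6, "203.0.113.4",  0),
    ("10.0.0.22", 1,    120_000,   4, "203.0.113.5",  0),
]
# Per-entity severity from earlier detections (assumed); absent == 0.0.
KNOWN_SCORES = {"10.0.0.5": 0.9, "10.0.0.9": 0.8}
# Feature weights (assumed): bytes, connections, unique peers, violations.
WEIGHTS = (1.0, 1.0, 0.5, 0.25)


def aggregate(records, window):
    """Combine record attributes per entity within one time window using
    sum, sum, unique count and maximum, as the summary lists."""
    acc = defaultdict(lambda: [0, 0, set(), 0])
    for entity, win, nbytes, conns, peer, viol in records:
        if win != window:
            continue
        a = acc[entity]
        a[0] += nbytes
        a[1] += conns
        a[2].add(peer)
        a[3] = max(a[3], viol)
    return {e: (a[0], a[1], len(a[2]), a[3]) for e, a in acc.items()}


def feature_set(attrs, weights=WEIGHTS):
    """Log-transform each counter (compresses heavy tails) and weight it;
    the tuple is the entity's point in a 4-dimensional feature space.
    With only 4 features no dimensionality reduction (PCA) is applied."""
    return tuple(w * log1p(v) for w, v in zip(weights, attrs))


def dbscan(points, eps, min_pts):
    """Minimal density-based spatial clustering. points: {name: vector}.
    Returns {name: cluster_id}; -1 marks noise. A point's neighbourhood
    includes itself, so min_pts=2 means 'at least one other point'."""
    names = list(points)

    def dist(a, b):
        return sqrt(sum((x - y) ** 2 for x, y in zip(points[a], points[b])))

    nbrs = {n: [m for m in names if dist(n, m) <= eps] for n in names}
    labels, cid = {}, 0
    for n in names:
        if n in labels:
            continue
        if len(nbrs[n]) < min_pts:
            labels[n] = -1            # noise unless a core point claims it later
            continue
        labels[n] = cid
        queue = list(nbrs[n])
        while queue:
            m = queue.pop()
            if labels.get(m, -1) == -1:    # unvisited or noise: join cluster
                labels[m] = cid
                if len(nbrs[m]) >= min_pts:
                    queue.extend(nbrs[m])  # core point: keep expanding
        cid += 1
    return labels


def detect(records, window, entity_scores, eps=0.75, min_pts=2, threshold=0.5):
    """Full pipeline: records -> features -> clusters -> cluster severity
    (mean of members' known scores, an assumed aggregation) -> alerts for
    every member of a cluster whose severity exceeds the threshold."""
    points = {e: feature_set(a) for e, a in aggregate(records, window).items()}
    labels = dbscan(points, eps, min_pts)
    members = defaultdict(list)
    for e, c in labels.items():
        if c != -1:
            members[c].append(e)
    severity = {c: sum(entity_scores.get(e, 0.0) for e in es) / len(es)
                for c, es in members.items()}
    alerts = [
        {"entity": e, "cluster": c, "severity": round(sev, 3),
         "directly_detected": e in entity_scores,
         "action": "reset"}            # remediation hint; value is assumed
        for c, sev in severity.items() if sev > threshold
        for e in members[c]
    ]
    return labels, severity, alerts


if __name__ == "__main__":
    for alert in detect(RECORDS, 1, KNOWN_SCORES)[2]:
        print(alert)
```

Running it yields two clusters: the three high-volume hosts and the three quiet ones. Only 10.0.0.5 and 10.0.0.9 carry scores from earlier detections, but 10.0.0.12 lands in the same cluster because its traffic profile matches, so it is alerted with `directly_detected` false; this is the case the background section motivates, where an entity is flagged from its cluster rather than from information gathered about it directly. The weight on policy violations is deliberately small so that a host with no policy hits still clusters with its behavioral peers; in practice eps, min_pts and the weights need tuning against the feature scale of the real data.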

At least one aspect is directed to a system for detecting threats in a network. The system can include a network security monitor with one or more processors and memory. The network security monitor can include a data collector, a feature generator, a cluster generator, a classifier, and a threat mitigator. The data collector can be configured to obtain a plurality of records for a plurality of entities that have access to the network; the records include attributes associated with the entities. The feature generator can be configured to identify a plurality of features for each entity based on its attributes and to generate a feature set for each entity from those features. The cluster generator can be configured to form a plurality of clusters of entities based on the feature sets. The classifier can be configured to classify each cluster with a threat severity score based on the scores of the entities forming the cluster. The threat mitigator can be configured to generate an alert for an entity in a cluster whose threat severity score is greater than a threshold.

The system aspect supports the same options as the method aspect. The network security monitor can aggregate the attributes of the plurality of entities within a time context using at least one of average, sum, count, unique count, minimum value, or maximum value, and identify the features from the aggregated attributes. It can transform the features with a logarithmic, exponential, or root function before generating the feature sets. When an entity's number of features exceeds a threshold, it can apply linear dimensionality reduction (principal component analysis, kernel principal component analysis, or a graph-based kernel principal component analysis technique) and generate the feature set from the reduced features. It can weight the features, each feature set corresponding to a data point in a multidimensional space. It can form the clusters with a density-based spatial clustering technique, optionally together with a dynamic clustering technique. The entities can include internal IPs, external IPs, autonomous system numbers, domains, electronic mail addresses and devices, and the features can correspond to traffic-related counters, security-related counters, policy violations, alert-related counters, device identifiers, or organization identifiers. The alert can be generated for an entity even when no attack has been detected within a specified time period, and transmitted with an indication to disable, reset, or apply a software patch to the entity.

For the purpose of reading the description of the various embodiments, the following sections of the specification and their contents may be helpful:

Section A describes a computing environment and network environment that may be useful for practicing the embodiments described herein.