Invented by Ilias Kotinas, Theocharis Tsigkritis, Giorgos Gkroumas, Crypteia Networks SA
The Crypteia Networks SA invention works as follows:
Systems and methods to detect threats in a network are offered. Records are generated for entities that have access to a network. These records contain attributes that are associated with the entities. Based on these attributes, the system identifies the features that each entity should have and assigns each entity a feature set built from those attributes. Based on the feature sets of the entities, the system forms clusters. Each cluster is assigned a threat severity score based on the scores of the entities that formed it. If a cluster’s threat severity score is greater than a threshold, the system generates an alert for an entity in that cluster.
Background for Systems and methods to detect network threats based on behavioral clustering
Computer networks and systems can have vulnerabilities that can be exploited by an attack or threat. An exploited vulnerability can negatively affect the network’s operation: it can slow down data flow or prevent access to computer resources.
The present disclosure is generally about a network security monitor that uses behavioral clustering to detect threats within a computer network. It can be difficult to collect or obtain information from all the entities in a network infrastructure, which can include network nodes, network elements and network components. For various reasons it may prove difficult to obtain information (or the same kind of information) from one or several network entities: the entity might be unavailable, damaged, busy processing requests, incorrectly configured, compromised, or inaccessible. Without gathering information about an entity, the network security monitor may not be able to detect or determine threats to that entity, so it may prove difficult to detect or determine threats with only partial information about the network infrastructure.
Systems and methods in the present solution can be used to create a network security monitor that uses behavioral clustering techniques to group entities with similar behaviors. Based on an entity’s behavior, the network security monitor can assign it a threat severity score. Entities can include internal internet protocol addresses (“IPs”), external IPs, autonomous system numbers (“ASNs”), emails, domains, and devices. The network security monitor can identify whether an entity belongs to a group of threatful (or threatening, or security threat) entities: an entity grouped with threatful entities is likely to be threatful itself, and an entity grouped with non-threatful entities is likely to be non-threatful.
At least one aspect of the invention is directed at a method for detecting threats within a network. A network security monitor can obtain a plurality of records relevant to a plurality of entities that have access to a network. The plurality of records can include attributes associated with each entity. Based on the attributes of each entity, the network security monitor can identify a plurality of features for each entity. The network security monitor can assign each of the plurality of entities a feature set, generated from the plurality of features identified based on the attributes of that entity. Based on the feature sets of all the entities, the network security monitor can form a plurality of clusters of entities. The network security monitor can classify each cluster of the plurality with a threat severity score based on the scores of the entities that formed that cluster. If the threat severity score of a cluster is greater than a threshold, the network security monitor can trigger an alert for an entity in that cluster.
In certain embodiments, the network security monitor can aggregate, in a time context, the attributes associated with the plurality of entities. The network security monitor can aggregate the attributes using at least one of the following: average, sum, count, unique count, minimum value, or maximum value. Based on the aggregated attributes, the network security monitor can identify the features.
The network security monitor can transform the plurality of features for each entity using at least one of a logarithmic, exponential, or root function. The network security monitor can then generate the feature set for each entity from the transformed plurality of features.
The network security monitor can determine whether the number of features of an entity of the plurality exceeds a threshold. In response to this determination, the network security monitor can apply a linear dimensionality reduction technique to reduce the entity’s number of features, and can generate the entity’s feature set from the reduced number of features. Linear dimensionality reduction can include at least one of the following: principal component analysis, kernel principal component analysis, or graph-based kernel principal component analysis.
The network security monitor can weight the plurality of features for each entity and create the feature set for each entity from the weighted plurality of features. A feature set can correspond to a data point within a multidimensional space.
The network security monitor can form the plurality of clusters of entities by using a density-based spatial clustering technique. The network security monitor can also form the plurality of clusters by using a dynamic clustering technique together with at least two density-based spatial clustering techniques.
In some embodiments, the plurality of entities can include internal internet protocol addresses, external IPs, autonomous system numbers, domains, electronic mail, and devices. The plurality of features may correspond to at least one of the following: traffic-related counters; security-related counters; policy violations; alert-related counters; device identifiers; or organization identifiers.
The network security monitor can generate the alert for the entity in the absence of an attack being detected within a specified time period. The network security monitor can transmit the alert, which includes an indication to disable, reset, or apply a patch to the entity.
At least one aspect is directed towards a system for detecting threats in a network. The system can include a network security monitor, which can include one or more processors and memory. The network security monitor can contain a data collector, a feature generator, a cluster generator, a classifier, and a threat mitigator. The data collector can be configured to obtain a plurality of records for a plurality of entities that have access to a network; the records can include attributes related to the plurality of entities. The feature generator can be configured to identify a plurality of features for each entity based on its attributes, and to create a feature set for each entity from the plurality of features identified based on the attributes of that entity. Based on the feature sets of the entities, the cluster generator can form a plurality of clusters of entities. The classifier can be configured to classify each cluster of the plurality with a threat severity score based on the scores of the entities that formed that cluster. The threat mitigator can be configured to issue an alert for an entity within a cluster of the plurality if that cluster’s threat severity score is greater than a threshold.
The network security monitor may aggregate the attributes of the plurality of entities in a given time context, using at least one of the following: average, sum, count, unique count, minimum value, or maximum value. Based on the aggregated attributes, the network security monitor can identify the features.
The network security monitor can transform the plurality of features for each entity using at least one of the following: a logarithmic, exponential, or root function. The network security monitor can then generate the feature set from the transformed plurality of features.
The network security monitor can determine whether the number of features of an entity of the plurality exceeds a threshold. In response to this determination, the network security monitor can apply a linear dimensionality reduction technique to reduce the entity’s number of features, and can generate the entity’s feature set from the reduced number of features. Linear dimensionality reduction can include at least one of the following: principal component analysis, kernel principal component analysis, or graph-based kernel principal component analysis.
The network security monitor can weight the plurality of features for each entity and create the feature set for each entity from the weighted plurality of features. A feature set can correspond to a data point within a multidimensional space.
The network security monitor can form the plurality of clusters of entities by using a density-based spatial clustering technique. The network security monitor can also form the plurality of clusters by using a dynamic clustering technique together with at least two density-based spatial clustering techniques.
In some embodiments, the plurality of entities can include internal internet protocol addresses, external IPs, autonomous system numbers, domains, electronic mail, and devices. The plurality of features may correspond to at least one of the following: traffic-related counters; security-related counters; policy violations; alert-related counters; device identifiers; or organization identifiers.
The network security monitor can generate the alert for the entity in the absence of an attack being detected within a specified time period. The network security monitor can transmit the alert, which includes an indication to disable, reset, or apply software patches to the entity.
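As an added example (not code from the patent or from Crypteia Networks), the following Python implements the pipeline described in both the method and the system aspects above on a constructed set of records: per-entity aggregation of attributes over a time window (sum and maximum), a logarithmic transform with weighting to form a feature set, density-based spatial clustering of the resulting points, a cluster threat severity score derived from the scores of the member entities, and alerts for every member of a cluster whose score exceeds a threshold. The record layout, the per-entity scores, the `eps`/`min_pts` clustering parameters and the threshold are all assumptions.

```python
import math
from collections import defaultdict
from statistics import fmean

# Constructed sample records for one time window: (entity, bytes_out, alert_count, entity_score).
RECORDS = [
    ("10.0.0.5", 1200, 0, 0.1), ("10.0.0.5", 900, 0, 0.1),
    ("10.0.0.6", 1500, 0, 0.2), ("10.0.0.6", 1100, 1, 0.2),
    ("10.0.0.7", 1300, 0, 0.1),
    ("203.0.113.9", 900000, 12, 0.9), ("203.0.113.9", 850000, 9, 0.9),
    ("203.0.113.10", 800000, 13, 0.8),
    ("198.51.100.1", 50, 40, 0.5),  # isolated entity: becomes noise and joins no cluster
]

def aggregate(records):
    """Per-entity aggregation over the window: sum traffic, sum alerts, max own score."""
    agg = defaultdict(lambda: [0, 0, 0.0])
    for ent, traffic, alerts, score in records:
        agg[ent][0] += traffic
        agg[ent][1] += alerts
        agg[ent][2] = max(agg[ent][2], score)
    return dict(agg)

def feature_set(attrs, weights=(1.0, 1.0)):
    """Log-transform the counters (log1p keeps zero counts finite), weight them: one 2-D point per entity."""
    return {e: (weights[0] * math.log1p(v[0]), weights[1] * math.log1p(v[1])) for e, v in attrs.items()}

def dbscan(points, eps, min_pts):
    """Minimal density-based spatial clustering: {entity: cluster_id}, -1 = noise (no dense neighbourhood)."""
    names = list(points)
    neigh = {n: [m for m in names if math.dist(points[n], points[m]) <= eps] for n in names}
    core = {n for n in names if len(neigh[n]) >= min_pts}  # neighbourhood includes the point itself
    labels, cid = {n: -1 for n in names}, 0
    for n in names:
        if n not in core or labels[n] != -1:
            continue
        labels[n], queue = cid, [n]
        while queue:
            for m in neigh[queue.pop()]:
                if labels[m] == -1:
                    labels[m] = cid
                    if m in core:
                        queue.append(m)  # only core points propagate the cluster
        cid += 1
    return labels

def cluster_alerts(attrs, labels, threshold):
    """Cluster severity = mean score of its members; every member of a cluster above threshold is alerted."""
    severity = {c: fmean(attrs[e][2] for e, k in labels.items() if k == c) for c in set(labels.values()) if c >= 0}
    return {e: severity[c] for e, c in labels.items() if c >= 0 and severity[c] > threshold}
```

With these inputs the two external addresses form a cluster of severity 0.85 and are both alerted, while 198.51.100.1 is labelled noise and receives no alert even though its own score equals the threshold: in this design alerting follows cluster membership, not the individual score.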
The following sections of the specification, with their respective contents, may be useful for reading the descriptions of the various embodiments:
Section A describes a computing environment and network environment that may be helpful in practicing embodiments.