EP4154136A1 - Endpoint client sensors for extending network visibility - Google Patents

Endpoint client sensors for extending network visibility

Info

Publication number
EP4154136A1
Authority
EP
European Patent Office
Prior art keywords
network
module
data
traffic data
endpoint
Prior art date
Legal status
Pending
Application number
EP21808689.0A
Other languages
English (en)
French (fr)
Other versions
EP4154136A4 (de)
Inventor
Simon David Lincoln FELLOWS
Jack Benjamin STOCKDALE
Thomas Alexander Chesney JENKINSON
Current Assignee
Darktrace Holdings Ltd
Original Assignee
Darktrace Holdings Ltd
Priority date
Filing date
Publication date
Application filed by Darktrace Holdings Ltd
Publication of EP4154136A1
Publication of EP4154136A4
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/04 Network management architectures or arrangements
    • H04L41/046 Network management architectures or arrangements comprising network management agents or mobile agents therefor
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/02 Capturing of monitoring data
    • H04L43/028 Capturing of monitoring data by filtering
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/1004 Server selection for load balancing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L67/125 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks involving control of end-device applications over a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/16 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/06 Generation of reports
    • H04L43/062 Generation of reports related to network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/20 Arrangements for monitoring or testing data switching networks the monitoring system or the monitored elements being virtualised, abstracted or software-defined entities, e.g. SDN or NFV

Definitions

  • Embodiments of the present disclosure generally relate to a cyber security and threat defense platform. More particularly, the embodiments relate to endpoint agent cSensors implemented to monitor network traffic, perform intelligent network functionalities, and extend network visibility for a cyber threat defense system.
  • Firewalls, endpoint security methods, and other detection and defense tools may be deployed to enforce specific policies and provide protection against certain threats in such an environment.
  • These tools currently form an important part of an organization's cyber defense strategy, but they are insufficient in the new age of cyber threat.
  • These tools and strategies do not effectively protect against complex modern threats, such as employee 'insider' threats, which are an ever-growing trend: it is very difficult to spot malicious employees behaving inappropriately, since they are integral to such an environment.
  • An endpoint agent client sensor (cSensor) for extending network visibility in an endpoint computing device is discussed.
  • A security module can have an interface to cooperate with and integrate with an operating system (OS) of the endpoint computing device.
  • A network module can cooperate with the security module.
  • The network module can monitor network information coming into and out of the endpoint computing device as a first set of traffic data.
  • The network module can ingest the first set of traffic data transmitted via one or more connections between a network interface of the endpoint computing device and one or more network entities.
  • A collation module can collect the ingested first set of traffic data from the network module.
  • The collation module can obtain input data from the collected first set of traffic data.
  • The input data may include the identity of a computing process running in the endpoint computing device that is the sender or receiver of the first set of traffic data.
  • An analyzer module can have an intelligent deep packet inspection (DPI) engine.
  • The analyzer module can receive the input data from the first set of traffic data being transmitted via the respective connection.
  • The intelligent DPI engine can perform a first predetermined level of DPI, chosen from two or more possible levels of DPI based on one or more network parameters, on the input data.
  • A communication module can securely transmit a second set of traffic data to a cyber security appliance located in a network.
  • The endpoint computing device is also part of the network.
  • The transmitted second set of traffic data is associated with the first predetermined level of DPI performed on the input data from the first set of traffic data.
  • An autonomous action module can perform one or more autonomous actions itself, rather than a human performing them.
  • The triggered autonomous action is correlated to at least one of i) the first set of traffic data and ii) the second set of traffic data received by the cyber security appliance.
  • Figure 1A illustrates an exemplary block diagram of a cyber threat detection system having a client network defense system, a remote network defense system, and one or more client/remote cyber threat infrastructure defense systems, which are configured to cooperate with each other to monitor network entities and extend visibility of those entities with a variety of endpoint agent sensors, in accordance with an embodiment of the disclosure.
  • Figure 1B illustrates an exemplary block diagram of an endpoint agent sensor with regard to the disclosure depicted above in Figure 1A, in accordance with an embodiment of the disclosure.
  • FIG. 2 illustrates an exemplary block diagram of a cyber security system having a cyber security appliance cooperating with a plurality of endpoint agents and sensors residing on a plurality of endpoint computing devices, which are communicatively coupled to each other over a network, in accordance with an embodiment of the disclosure.
  • FIG. 3 illustrates a block diagram of an exemplary cyber security platform having a cyber security appliance configured to protect various network devices and endpoint devices communicatively coupled over a network, in accordance with an embodiment of the disclosure.
  • FIG. 4 illustrates a block diagram of a cyber security appliance with various modules cooperating with one or more machine learning models trained on the discrete pattern of life of various types of network events of network entities observed by various endpoint agent sensors, in accordance with an embodiment of the disclosure.
  • Figure 5 illustrates a block diagram of a graph depicting various types of observed network events of unusual behavior in relation to their respective threat scores and event launch times, in accordance with an embodiment of the disclosure.
  • Figure 6 illustrates a block diagram of an exemplary AI-based cyber security system having an AI-based cyber security appliance with one or more endpoint agents that are protecting a network, a database server, and one or more computing devices, in accordance with an embodiment of the disclosure.
  • FIGS. 7A-J illustrate a series of exemplary block diagram illustrations of a cyber security system with regard to the cyber security system in Figure 1, in accordance with embodiments of the disclosure.
  • The embodiments described herein provide a cyber threat detection platform having one or more cSensors configured to monitor network traffic, perform intelligent network functionalities, and extend network visibility for a cyber threat defense system.
  • The cSensors may comprise a network module configured to monitor network information coming into and out of the endpoint computing device as a first set of traffic data.
  • The network module can also cooperate with other network entities such as virtual sensors (e.g., vSensors, osSensors, etc.) to ingest a first set of traffic data from one or more network connections between any of the network entities.
  • The cSensor may further include a collation module configured to collect the first set of traffic data and subsequently obtain input data, associated with various observed events, from the first set of traffic data.
  • The cSensor may include an analyzer module that receives the input data and implements an intelligent DPI engine, which may perform one or more predetermined levels of DPI, from two or more possible levels of DPI, on the input data based on various network parameters.
  • The cSensor may further include a communication module configured to transmit a second set of traffic data to a cyber security appliance in the cyber threat defense system. The transmitted second set of traffic data is associated with the specified DPI performed on the input data.
  • The cSensor may have an autonomous action module configured to perform autonomous action(s) correlated to the first set of traffic data received by the endpoint device and/or the second set of traffic data received by the cyber security appliance.
  • The autonomous action can be directed, and thus performed or triggered, by the autonomous action module in the cSensor and/or by the cyber security appliance in the network.
  • Embodiments of the present disclosure generally relate to a cyber security and threat defense environment. More particularly, the embodiments relate to one or more cSensors implemented as endpoint agents to monitor network traffic, perform intelligent network functionalities, and extend network visibility in an AI-based cyber threat defense system. For example, by extending visibility to disconnected endpoints, these cSensors may enable the system to cover branch offices and remote workers off the virtual private networks (VPNs) and/or the like. In addition, a light version of a cSensor can be employed in an IoT device.
  • These enhanced defense systems may now deploy lightweight cSensors as well as other sensors (e.g., vSensors, osSensors, etc.) on a range of managed endpoint devices.
  • This therefore allows the systems to analyze real-time traffic of, for example, remote workers working on an endpoint device in the same way they analyze traffic in the network: by correlating a web of connections to develop an evolving understanding of workforce behavior.
  • The cSensors described herein provide much-needed visibility of suspicious activities occurring off the VPN, from insider threats and compliance issues to latent strains of malware that could move laterally when employees reconnect.
  • The cyber threat detection system 100 may include a client network defense system 125, a remote network defense system 115, a client cyber threat defense infrastructure system 145, and a remote cyber threat defense infrastructure system 135.
  • The illustrated cyber threat detection system 100 may implement the network defense system 115 in conjunction with the remote cyber threat defense infrastructure system 135 to cooperate with a cyber security appliance 120 in the client cyber threat defense infrastructure system 145 in order to monitor various network entities and extend visibility of such entities via a series of endpoint agents 111A-D and sensors 105A-D residing on endpoint computing devices 101A-D.
  • The cyber security client resident sensors (cSensors 105A-D) and the associated architecture can be configured to monitor traffic and perform intelligent functions on that traffic before the traffic and/or its metadata is passed on to a cyber security appliance.
  • The illustrated cSensors 105A-D extend the visibility of the cyber security appliance located in the network via the implemented endpoint agents 111A-D, which monitor devices' network activity and deliver key data and metadata to the cyber security appliance 120. This can include remote working devices and, more generally, devices that cannot be seen adequately using bulk network traffic mirroring or other less effective probes or sensors.
  • cSensors 105A-D may ideally be used in combination with other virtual sensors and deployment options to achieve greater and simpler visibility into IoT devices as well as remote workers working offline from the company network.
  • The cSensors may also increase the amount of device identity data available in the client network system 125 and can aid device tracking in their respective user interfaces.
  • A security module of the cSensor 105A-D can have an interface to cooperate with and integrate with an operating system (OS) of the endpoint computing device.
  • A collation module of the cSensor 105A-D can cooperate with the security module to obtain input data from the collected first set of traffic data.
  • The additional collected information can include, for example, the identity of a computing process running in the endpoint computing device that is sending and/or receiving the first set of traffic data.
  • The cSensors 105A-D may be endpoint agents that perform packet ingestion and autonomous actions on the packets being analyzed.
  • The cSensor is an agent installed on a client device which ingests network traffic passing to and from that device and performs some processing on that network traffic before sending it on (in packet or metadata form), as a second set of traffic data, to a cyber security appliance located in a network.
  • The network traffic can include, for example, packets from browsing, a Remote Desktop (RDP) connection, encrypted SSH packets, etc. There are many variations on this process.
  • The client sensor can ingest network traffic from any of these sources because it is resident within the endpoint device, and it can perform deep packet inspection (DPI) on the traffic in one of three ways: (1) derive metadata and pass on only the metadata ("Full DPI"; e.g., HTTP traffic); (2) perform DPI on just parts of the connection and pass that metadata onward ("Partial DPI"; e.g., HTTPS traffic); or (3) process and forward all traffic to the secondary location as simple mirroring of information ("No DPI"; e.g., Kerberos traffic).
  • The network parameters used to determine which predetermined level of DPI, from the two or more possible levels, to perform on the input data can include one or more of (i) the particular protocol being used by the first set of traffic data received or sent by the endpoint device, (ii) the proximity distance between the geographic location of the cSensor and the geographic location of the cyber security appliance, (iii) the size of the traffic data under analysis, and (iv) the degree of 'interestingness' of the traffic data under analysis in relation to the respective connection.
  • The cSensors 105A-D may be configured to intelligently choose, by factoring in one or more of these parameters, to pass on i) just the metadata associated with the packet traffic, ii) just a subset of the packets (e.g., packets of potential interest) together with the metadata, and/or iii) all of the packets to the central cyber security appliance 120 at a separate location from the cSensors 105A-D.
  • The cSensors 105A-D may factor in all four network parameters to determine which predetermined level of DPI, from the two or more possible levels, to perform on the input data.
  • A secondary location may be: a) a cyber security virtual sensor that captures VM traffic in a virtualized environment 135 located locally to the cSensors 105A-D (in the same private network or subnet), with the sensor then communicating directly with the cyber security appliance 120; b) a cloud-based secure gateway service which routes the forwarded data to the cyber security appliance 120; and/or c) an on-premises secure gateway service running on or beside a cyber security sensor.
  • The cSensors and/or gateway service may also communicate with a third-party server managing third-party agents to receive process and traffic information ingested by the third-party agent.
  • A cSensor may perform the DPI on forwarded traffic from one or more other client sensors to derive metadata which is then sent to the central cyber security appliance. This scenario may be preferable, for security and bandwidth reasons, to prevent raw traffic passing over the network.
  • The cSensors and/or secure gateway service may route the forwarded metadata or connections through to the central cyber security appliance, meaning that the client does not need to create firewall exceptions for the client devices/endpoint devices hosting the endpoint agent cSensor.
  • The gateway service may be a virtual machine, containerized service, etc.
  • The gateway service or the virtual machine can securely pass forwarded traffic or forwarded metadata on to the central cyber security appliance without creating additional firewall exceptions.
  • The cSensor 105A-D may also be configured to perform autonomous actions, such as stopping certain traffic (and any other desirable actions based on the client's needs, network infrastructure, and such), in response to instructions from the connected services (e.g., the sensor, or the centralized master appliance 120 via the secure gateway service).
  • The cSensors 105A-D may be implemented as the respective endpoint agents 101A-D that perform packet ingestion and autonomous actions on the packets being analyzed.
  • The endpoint agent 111A depicts the one or more modules utilized by the endpoint agent cSensors 105A-D.
  • Endpoint agent 111A may comprise a network module configured to monitor network information coming in from and going out to one or more network entities.
  • The network module is configured to cooperate with one or more sensors to ingest a first set of traffic data transmitted via one or more connections between the network interface of the endpoint computing device and one or more of the network entities and sensors.
  • A security module can have an interface to cooperate with and integrate with an operating system (OS) of the endpoint computing device.
  • A collation module is configured to collect the ingested first set of traffic data from the network module.
  • The collation module can obtain input data from the collected first set of traffic data.
  • The obtained input data can include a variety of observed network events carried out by the respective network entities, as well as the identities of the computer processes (e.g., resident executable files) in the endpoint that receive and send the first set of traffic currently under analysis.
  • An analyzer module has an intelligent DPI engine and is configured to receive the input data from the first set of traffic data being transmitted via the respective connection.
  • The intelligent DPI engine is configured to perform one or more predetermined levels of DPI, from its two or more possible levels of DPI, on the input data based on one or more network parameters.
  • A communication module is configured to transmit a second set of traffic data to a cyber security appliance in the network. The transmitted second set of traffic data is associated with the specified DPI performed on the input data from the first set of traffic data (e.g., DPI on all or some of the metadata, and/or simple mirroring with no DPI).
  • An autonomous action module is configured to perform one or more autonomous actions. In an embodiment, the autonomous action is in response to an autonomous response triggered by the cyber security appliance.
  • The cSensor is installed on an IoT device with a limited amount of computing power.
  • The triggered autonomous action may come from the cyber security appliance in the network, which has enough processing power to recognize a potential cyber threat and the correct autonomous response to take, and to send that response to the cSensor resident in the IoT device.
  • The autonomous action can be correlated to the first set of traffic data received by the endpoint device and/or the second set of traffic data received by the cyber security appliance.
  • These predetermined levels of DPI may include a full DPI, a partial DPI, and/or a non-DPI, such that: (i) the full DPI processes all packets in the first set of traffic data in order to derive all metadata associated with that first set of traffic data; (ii) the partial DPI processes a portion of the packets in the first set of traffic data in order to derive a portion of the metadata associated with that first set of traffic data; and/or (iii) the non-DPI processes none of the packets in the first set of traffic data and derives none of the metadata, but instead performs simple mirroring of information coming from the network interface into the endpoint computing device and/or going out from the endpoint computing device.
  • The transmitted second set of traffic data may be configured to include: (i) only the derived metadata, in the case of the full DPI; (ii) the derived portion of the metadata together with the remaining packets, in the case of the partial DPI; and/or (iii) only the packets themselves, in the case of the non-DPI.
  • The autonomous actions comprise at least one of blocking a particular connection, blocking a particular type of traffic data, preventing a particular type of activity, cooperating with the operating system to shut down one or more computer processes running on the endpoint computing device, and other similar network preventative actions.
  • The network entities can include one or more of network infrastructures, network devices, and devices/accounts associated with a specific user in one or more networks.
  • The one or more sensors comprise at least one of virtual sensors (vSensors), operating system sensors for a cloud environment (osSensors), security modules, and/or probes.
  • The network parameters can include at least one of: (i) the particular protocol being used by the first set of traffic data, (ii) the proximity distance between the geographic location of the cSensor and the geographic location of the cyber security appliance, (iii) the size of the traffic data under analysis, and (iv) the degree of interest of the traffic data under analysis in relation to the respective connection.
  • The collation module can collect network activity data from the network entities and cooperate with a coordinator module to correlate one or more causal links between the collected network activity data from the network entities.
  • The collation module may be configured to: (i) perform passive ingestion of input data, (ii) perform potentially active collection of input data, (iii) collate connection content for any other modules in the endpoint agent cSensor and/or any other modules in any other sensors, and/or (iv) understand a plurality of characteristics of a connection event.
  • A security module is configured to have an interface, such as an API, driver, etc., to cooperate with and integrate with an operating system (OS) of the endpoint computing device.
  • The security module can cooperate with the network module to assist in linking network information with executable files/computing processes in the endpoint client device.
  • A multi-cloud computing services module can monitor and collect data from one or more of a Software as a Service (SaaS), an Infrastructure as a Service (IaaS), a Platform as a Service (PaaS), and/or a hybrid service.
  • A collection module cooperating with the security module can monitor and collect specified data from multiple computing software processes executing on this endpoint device.
  • The collection and communication modules may cooperate with each other to transmit any of the observed activities to the cyber security appliance based on the specified data monitored and collected from the endpoint agent cSensor.
  • The types of transmitted activities include at least one of network connection activities, data transfer activities, and/or behavior pattern activities.
  • A cyber threat module is configured to detect potentially unusual network activity in order to provide an additional input of information in conjunction with the transmitted specified data. For example, the cyber threat module is configured to generate a score or probability score corresponding to the level of a detected potential cyber threat, i.e., how maliciously harmful the detected potential cyber threat is to the endpoint computing device.
  • The endpoint agent cSensor 111A may have one or more machine learning models cooperating with the rest of the modules, such that these machine learning models are trained on a normal pattern of life of various network, behavior, and/or data activities within the network. When the memory and processing power are not available in an endpoint device, the cyber security application can house and run the machine learning models.
  • any instructions of any of the modules of the endpoint agents 111 A- D and cSensors 105A-D shown in Figures 1A-B may be scripted to be stored in an executable format in one or more memories and implemented by one or more processors of the respective endpoint computing devices.
  • the AI-based cyber threat security system 200 has a cyber security appliance 120 communicatively coupled with the host endpoint agents 111A-E, endpoint agent cSensors 105A-D, endpoint computing devices 101A-D, and computing servers 202A-B over a network 210.
  • the AI-based cyber security system 200 may use the cyber security appliance 120 depicted in Figure 2 to cooperate with the host endpoint agents 111A-E and endpoint agent cSensors 105A-D on their respective endpoint computing devices 101A-D and server 102A via the secure communication channels established with the network 110.
  • the AI-based cyber threat security system 200 depicted in Figure 2 may be substantially similar to the cyber threat security system 100 depicted in Figure 1A.
  • the cyber security appliance 120 can cooperate with the endpoint agent cSensors 105A-D residing on their respective endpoint computing devices 101A-D and server 202A so that the appliance can communicate with them and, for example, receive any collected pattern of life data.
  • the network 210 may be: (i) an information technology network, (ii) an operational technology network, (iii) a cloud infrastructure, (iv) a SaaS infrastructure, and/or (v) any combination thereof capable of being communicatively coupled to each of the respective endpoint computing devices 101A-D and servers 202A-B.
  • the network 210 may be used to communicatively couple the endpoint computing devices 101A-D to the endpoint computing servers 202A-B and the cyber security appliance 120.
  • the endpoint computing server 202A may be communicatively coupled to the network 110 via a secure channel, such as a TLS connection over port 443.
  • endpoint computing server 202A with cSensor 205 can be similar to the endpoint computing server 202B, with the exception that the endpoint computing server 202B is not capable of receiving secured data from any of the other endpoint computing devices 101 A-D, server 202A, and/or cyber security appliance 120 that have a cSensor.
  • the endpoint agent cSensors 105A-D are configured to: (i) have a low system impact on the end-point computing-device and run without degrading the endpoint computing-device performance significantly; (ii) monitor the “pattern of life” of the end-point computing-device, its processes, such as Outlook, Word, etc., its users, events on that device, etc.
  • each host endpoint agent 111A-E may include an endpoint agent cSensor 105A-E configured to extend visibility and monitor network entities on their respective endpoint device/server 101A-D/202A.
  • Each cSensor cooperating with a host endpoint agent on the same device may use the collections module to cooperate with two or more other sensors (or probes) that include, but are not limited to: (i) a first type of probe specifically configured to collect data from the operating system of its respective endpoint computing device/server 101A-D/202A; (ii) a second type of probe specifically configured to collect data from each individual process executing on that endpoint computing device/server 101A-D/202A; and (iii) a third type of probe configured to collect system event and logging data from that endpoint computing device/server 101A-D/202A.
  • the collections module may cooperate with one or more of the third type of probes to monitor and record events occurring on those endpoint computing devices/server 101A-D/202A.
  • the collected data from the operating system and individual processes, along with the recorded events, may be sent in the collected pattern of life data by the collections module to the appliance 120.
  • the collections module’s framework runs probes in communication with the other various modules and data stores.
  • the first type of probes may monitor the operating system to gather profiling pattern of life data about the system state. This information may include, for example, installed applications, software versions, operating system and pending security updates.
  • the second type of probes may monitor individual processes themselves to gather process pattern of life data such as, but not limited to, associations between parent and child processes, network connectivity and process interaction, file system interaction, etc.
  • the third type of probe may detect and record events and collaborate with default system event logging tools. This probe may gather events such as, for example, connections to new Wi-Fi or wired networks, interaction with peripheral devices (including, but not limited to, universal serial bus, visual displays, etc.) and system usage events such as power management, file modification, etc.
  • one or more models may be a self-learning model trained on a normal behavior of each of the entities in an endpoint device and/or each network entity.
  • the self-learning model of normal behavior is then continuously updated with the actual behavior of that entity.
  • the self-learning model of normal behavior is updated when new input data is received that is deemed within the limits of normal behavior.
  • the modules may compare the analyzed metrics received from the probes and hooks to a moving benchmark of parameters that correspond to the normal pattern of life for the computing system used by the self-learning model. Accordingly, the cyber threat module may then determine, in accordance with the analyzed metrics and the moving benchmark used by the self-learning model of normal behavior of the entity, an anomaly score indicative of a likelihood of a harmful cyber threat and its severity.
  • a normal behavior threshold may be used by the models as a moving benchmark of parameters that correspond to a normal pattern of life for the entities.
  • the normal behavior threshold is varied according to the updated changes in the computer system allowing the model to spot behavior on the computing system that falls outside the parameters set by the moving benchmark.
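The self-learning benchmark described in the preceding bullets, worked through as an added example (this is not code from the patent or from Darktrace): one moving benchmark per (entity, metric), updated only with observations the model deems normal, and an anomaly score derived from how far a new observation lies outside the current band. The running mean/variance update (Welford), the band width of three standard deviations, the cold-start rule and the sample upload figures are assumptions made for the example.

```python
"""Per-entity 'pattern of life' baseline with a moving benchmark.

Added example, not the patent's or Darktrace's code. The Welford running
mean/variance update, the z-score band width `k`, the cold-start rule and the
sample telemetry are assumptions made for illustration.
"""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass
class MovingBenchmark:
    """Self-learning model of normal behaviour for one metric of one entity."""

    k: float = 3.0          # half-width of the normal band, in standard deviations
    min_samples: int = 10   # cold start: learn unconditionally until this many samples
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0         # running sum of squared deviations (Welford)

    @property
    def stddev(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def bounds(self) -> tuple[float, float]:
        """The moving benchmark: the band currently treated as normal."""
        half = max(self.stddev, 1e-9) * self.k
        return self.mean - half, self.mean + half

    def anomaly_score(self, value: float) -> float:
        """0.0 inside the band; approaches 1.0 the further the value lies outside it."""
        if self.n < self.min_samples:
            return 0.0
        z = abs(value - self.mean) / max(self.stddev, 1e-9)
        return 1.0 - math.exp(-max(0.0, z - self.k))

    def observe(self, value: float) -> float:
        """Score the value, then learn it only if it was deemed within normal limits."""
        score = self.anomaly_score(value)
        if score == 0.0:
            self.n += 1
            delta = value - self.mean
            self.mean += delta / self.n
            self.m2 += delta * (value - self.mean)
        return score


class PatternOfLife:
    """One benchmark per (entity, metric); entities can be users, devices or processes."""

    def __init__(self, k: float = 3.0, min_samples: int = 10) -> None:
        self.k, self.min_samples = k, min_samples
        self._models: dict[tuple[str, str], MovingBenchmark] = {}

    def observe(self, entity: str, metric: str, value: float) -> float:
        key = (entity, metric)
        if key not in self._models:
            self._models[key] = MovingBenchmark(self.k, self.min_samples)
        return self._models[key].observe(value)

    def model(self, entity: str, metric: str) -> MovingBenchmark:
        return self._models[(entity, metric)]


# Constructed telemetry: megabytes uploaded per hour by one user's laptop.
# Twelve ordinary hours, then one hour of bulk upload, then normal again.
SAMPLE_MB_OUT = [12, 15, 9, 14, 11, 13, 10, 12, 16, 11, 14, 13, 480, 12]


def score_stream(values=SAMPLE_MB_OUT, entity="alice-laptop", metric="mb_out_per_hour"):
    """Run the stream through the model and return (scores, final benchmark)."""
    pol = PatternOfLife()
    scores = [pol.observe(entity, metric, float(v)) for v in values]
    return scores, pol.model(entity, metric)


if __name__ == "__main__":
    scores, model = score_stream()
    lo, hi = model.bounds()
    for v, s in zip(SAMPLE_MB_OUT, scores):
        print(f"{v:6.1f} MB -> anomaly {s:.3f}")
    print(f"benchmark now {lo:.1f}..{hi:.1f} MB/h from {model.n} normal samples")
```

The important property is in `observe`: the 480 MB hour is scored but never learnt, so the benchmark keeps tracking ordinary behaviour rather than widening to absorb the outlier. The cold-start rule is the weak spot of any such model: until `min_samples` is reached everything is learnt, so a device compromised before the agent is installed can teach the model a malicious baseline.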
  • any of the host endpoint agents 111 A-E cooperating with a cSensor 105A-E may have an autonomous action module that causes one or more autonomous actions to be taken to contain the cyber threat when detected and when: (i) that endpoint agent is not connected to the network 210 where the appliance 120 is installed, (ii) the appliance 120 is unavailable to communicate with the endpoint agent, and/or (iii) any combination of (i) and/or (ii) occur.
  • the autonomous action module located in that endpoint agent may take one or more autonomous actions preapproved by a human user when predefined conditions of suspicious behavior and/or anomaly level are met, independently of the appliance 120, to autonomously attempt to contain the potential cyber threat.
  • the autonomous action module may be configured to cause one or more autonomous actions to be taken to contain the cyber threat when a potential cyber threat is detected.
  • the cyber security appliance 120 may have the autonomous action module, and/or one or more portions of the autonomous action module may exist on that host endpoint agent and/or cSensor, while the majority portion may remain on the cyber security appliance 120 due to greater processing power.
  • a user programmable interface hosted on the appliance 120 may have, any of, fields, menus, and icons that are configured to allow a user to preauthorize the autonomous action module to take actions to contain and/or respond to the cyber threat.
  • the user programmable fields/menus/icons for preauthorization may cover actions including, but not limited to, killing individual processes, revoking specific privileges, preventing the download of specific files, allowing only processes observed in the pattern of life for peer devices to be active for a set period, and asking other EPPs (endpoint protection platforms) to quarantine suspicious files, etc., while not disturbing the operation of other processes running on that device.
  • the user programmable interface has enough granularity in the options available to let the user program the autonomous action module to take very specific actions, such as killing individual processes, revoking specific privileges while still permitting other permissions for that user, getting live terminal access, preventing the download of specific files, allowing only processes observed in the pattern of life for peer devices to be active for a set period, asking other EPPs to quarantine suspicious files, etc., rather than shutting down an entire device, blocking all outside communications, or revoking all of that user's privileges when one or a few would do.
  • Actions such as revoking only some user privileges or enforcing the peer pattern of life let the user continue working while just preventing certain connections or processes, which most likely a malicious piece of software was initiating, for example accessing and downloading sensitive files using the user's credentials while the user, completely unaware of the malicious software, is doing a normal activity such as typing out a document or entering data into a program.
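The preauthorized, granular containment described in the preceding bullets, as an added example (not code from the patent or from Darktrace): the agent acts on its own only when the appliance cannot be reached and the anomaly level is met, takes only the specific actions an operator preauthorized, refuses anything broader, and keeps an audit record to replay to the appliance on reconnect. The policy layout, the action names, the score threshold and the stand-in appliance/executor hooks are assumptions made for the example.

```python
"""Endpoint-side autonomous action module gated by operator preauthorization.

Added example, not the patent's or Darktrace's code. The policy layout, the
action names, the score thresholds and the stand-in appliance/executor hooks
are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

# Granular actions an operator may preauthorize through the appliance UI (assumed names).
KILL_PROCESS = "kill_process"
REVOKE_PRIVILEGE = "revoke_privilege"
BLOCK_DOWNLOAD = "block_download"
ENFORCE_PEER_POL = "enforce_peer_pattern_of_life"
QUARANTINE_VIA_EPP = "ask_epp_to_quarantine"
ISOLATE_DEVICE = "isolate_device"   # whole-device action: deliberately not preauthorized below


@dataclass
class Detection:
    kind: str                 # e.g. "unusual_download", "unusual_child_process"
    score: float              # anomaly level from the cyber threat module, 0..1
    entity: str               # user or process the behaviour is attributed to
    evidence: dict = field(default_factory=dict)


@dataclass
class Policy:
    """Preauthorization state pushed to the agent by the appliance."""
    min_score: float                      # anomaly level that must be reached
    preauthorized: set[str]               # actions the agent may take on its own
    playbook: dict[str, list[str]]        # detection kind -> actions, in order


class AutonomousActionModule:
    def __init__(self, policy: Policy,
                 appliance_reachable: Callable[[], bool],
                 execute: Callable[[str, Detection], bool]) -> None:
        self.policy = policy
        self.appliance_reachable = appliance_reachable
        self.execute = execute
        self.audit: list[dict] = []   # replayed to the appliance on reconnect

    def handle(self, det: Detection) -> dict:
        """Decide locally only when the appliance cannot; never exceed preauthorization."""
        if det.score < self.policy.min_score:
            result = {"outcome": "below_threshold", "taken": [], "refused": []}
        elif self.appliance_reachable():
            result = {"outcome": "deferred_to_appliance", "taken": [], "refused": []}
        else:
            taken, refused = [], []
            for action in self.policy.playbook.get(det.kind, []):
                if action not in self.policy.preauthorized:
                    refused.append(action)      # not preauthorized: left to appliance/human
                elif self.execute(action, det):
                    taken.append(action)
            result = {"outcome": "contained_locally", "taken": taken, "refused": refused}
        self.audit.append({"entity": det.entity, "kind": det.kind, "score": det.score, **result})
        return result


def demo() -> list[dict]:
    """Constructed scenario: one detection with the appliance reachable, then offline."""
    policy = Policy(
        min_score=0.8,
        preauthorized={KILL_PROCESS, REVOKE_PRIVILEGE, BLOCK_DOWNLOAD, ENFORCE_PEER_POL},
        playbook={
            "unusual_download": [BLOCK_DOWNLOAD, KILL_PROCESS, ISOLATE_DEVICE],
            "unusual_child_process": [KILL_PROCESS, ENFORCE_PEER_POL],
        },
    )
    executed: list[str] = []

    def execute(action: str, det: Detection) -> bool:
        executed.append(f"{action}:{det.entity}")   # stand-in for the real OS hook
        return True

    online = AutonomousActionModule(policy, lambda: True, execute)
    offline = AutonomousActionModule(policy, lambda: False, execute)
    det = Detection("unusual_download", 0.93, "winword.exe:4412",
                    {"url": "https://files.invalid/payload.bin"})   # constructed evidence
    low = Detection("unusual_download", 0.4, "winword.exe:4412")
    return [online.handle(det), offline.handle(det), offline.handle(low), {"executed": executed}]


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Two checks matter in practice: the agent must fail closed on preauthorization (an action missing from the set is refused, not assumed), and the reachability probe must be authenticated, otherwise an attacker who can block the agent's path to the appliance can force it into local mode and learn exactly which responses it will take.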
  • an AI-based cyber security network environment 300 can have a cyber security appliance 120 configured to protect endpoint devices 101A-B and a variety of network devices. As shown in Figure 3, the AI-based cyber security network environment 300 may use the cyber security appliance 120 to cooperate with the host endpoint devices 101A-B and, for example, their respective endpoint agent cSensors in conjunction with the other network devices, so that they communicate with each other in this network environment 300.
  • the AI-based cyber security network system 300 depicted in Figure 3 may be configured similarly to the cyber threat security systems 100 and 200 depicted in Figures 1A and 2.
  • Figure 4 shows an exemplary block illustration of a cyber security appliance 120, in accordance with an embodiment of the disclosure.
  • the cyber security appliance 120 may be substantially similar to the cyber security appliance 120 depicted above in Figures 1A and 2-3. Furthermore, as shown in Figure 4, the illustrated embodiment of the cyber security appliance includes an endpoint agent cSensor as well as a cyber threat module that references machine-learning models trained on the normal behavior of network activity and user activity associated with a network. The cyber threat module determines a threat risk parameter that factors in 'what is the likelihood that a chain of one or more unusual behaviors of email activity, network activity, and user activity under analysis falls outside of being normal benign behavior' and is thus likely malicious behavior.
  • the cyber security appliance 120 may protect against cyber security threats from an e-mail system or other communication system, as well as its network.
  • the cyber security appliance 120 may include components such as i) a trigger module, ii) a gather module, iii) a data store, iv) a collation module, v) a coordinator module, vi) a comparison module, vii) a cyber threat module, viii) a researcher module, ix) a host module (e.g., host-based endpoint agent cSensors), x) a scoring module, xi) a user interface module, xii) an autonomous action module, xiii) a communication module, xiv) at least one input or output (I/O) port to securely connect to other ports as required, xv) one or more machine-learning models such as a first Artificial Intelligence model trained on characteristics of vectors for malicious activity and related data, a second Artificial Intelligence model trained on the characteristics of external hosts and the
  • the AI model of the normal pattern of life for the independent system can use unsupervised machine learning algorithms and feedback on the data and/or the meta data from the protocols and data types in the various layers to routinely update the AI model of the normal pattern of life during operation of the independent system.
  • the core processing is versatile and does not require tailored algorithms to each platform to produce anomaly detection outputs.
  • An AI model can be trained to model the normal pattern of life for the independent system from the data and/or the meta data from the protocols and data types in any of i) a data link layer, ii) a physical layer, or iii) both; and then, one or more of the following network stack layers when that layer is utilized in the independent system.
  • the following network stack layers can include any of iv) an application layer, v) a transport layer, vi) a network layer, and vii) any combination of these three layers when that layer is utilized in the independent system.
  • the AI model of the normal pattern of life for the independent system can use unsupervised machine learning algorithms and feedback on the data and/or the meta data from protocols and data types in the network stack layers utilized in that independent system to routinely update the AI model of the normal pattern of life of the independent system, during operation of the independent system.
  • the cyber-defense appliance securely communicates and cooperates with a suite of different endpoint agent cSensors that can ingest onboard traffic from multiple different independent systems using protocols for at least one of a data link layer, a physical layer, and then one or more of an application layer, a transport layer, a network layer, and any combination of these layers when a protocol is used in that layer in the independent system.
  • the centralized cyber security appliance 120 can securely communicate and cooperate with a suite of two or more different endpoint agent cSensors that have 1) one or more protocol analyzers, 2) an address and mapping to an interface with a third party protocol analyzer, 3) an address and mapping to a different interface for the cyber security appliance 120.
  • one or more endpoint agent cSensors may be integrated within an independent system to extend monitoring and gathering of data capability of the cyber security appliance 120.
  • the endpoint agent cSensor provides at least remote monitoring and gathering on 1) data, 2) meta data, and 3) a combination of both, from one or more protocols and data types utilized in any of i) a data link layer, ii) a physical layer, or iii) both; and then, one or more of the following network stack layers when that layer is utilized in the independent system.
  • the endpoint agent cSensor may be implemented external to the main system and receive system information as metadata from a third-party sensor or processor, perform a limited amount of onboard analysis or protocol parsing to retrieve the desired network-layer data, and is sensitive to the specifics of independent systems of this nature (such as, but not limited to, bandwidth limitations, power availability and intermittent network access).
  • the endpoint agent cSensors are part of a suite of two or more different endpoint agent cSensors (e.g., as shown with the cSensors 105A-D in Figure 1A).
  • Each endpoint agent cSensor can have one or more protocol analyzers for monitoring and gathering of 1) data, 2) meta data and 3) a combination of both, from a first protocol and data types in the data link layer in the independent system, including protocol types and data types that are encapsulated by physical layer and/or data link layer protocols previously unfamiliar to the system.
  • a first endpoint agent cSensor has a first protocol analyzer for monitoring and gathering of 1) data, 2) meta data and 3) a combination of both, from a first protocol and data types in the data link layer in the independent system.
  • the first protocol in the data link layer can be, for example, Address Resolution Protocol, Neighbor Discovery Protocol, Open Shortest Path First, L2TP tunnels, Point-to-Point Protocol, a medium access control protocol, Logical Link Control (LLC), ISDN, FDDI, etc. (Note that Neighbor Discovery Protocol and Open Shortest Path First are carried inside IP packets and are conventionally classed as network-layer protocols.)
  • Another endpoint agent cSensor can have a second protocol analyzer for monitoring and gathering of 1) data, 2) meta data and 3) a combination of both, from a second protocol and data types in the physical layer in a second independent system.
  • Some example protocols in the physical layer can be, for example, Digital Subscriber Line, UTP, RS-232, Plesiochronous Digital Hierarchy, Synchronous Digital Hierarchy, Synchronous Optical Networking, Passive Optical Network, OTN, numerous IEEE 802 standards, Universal Serial Bus, Bluetooth, RS-449, etc.
  • the endpoint agent cSensors ingest onboard traffic from any of sensors and other components within the independent system they integrate in, in order to communicate their data and/or meta data to the cyber security appliance 120.
  • the endpoint agent cSensors ingest onboard traffic from any of the sensors and the other components within the independent system in order to derive the data and/or meta data from the one or more protocols and data types to be sent on to cyber security appliance 120.
  • the data can be routed for the express purpose of sending to the centralized appliance, and/or the data can be produced for a different purpose but then the cyber security appliance can be sent a copy of that data for its own analysis.
  • the cyber security appliance 120 securely communicates and cooperates with the suite of two or more different endpoint agent cSensors that have 1) one or more protocol analyzers, 2) an address and mapping to an interface with a third party protocol analyzer, 3) an address and mapping to an interface with the cyber security appliance 120.
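A data-link-layer protocol analyzer of the kind the preceding bullets describe, as an added example (not code from the patent or from Darktrace): it takes raw Ethernet frames as a cSensor would ingest them from the segment, parses the ARP ones, emits the metadata record that would be conveyed to the appliance, and records a data point the appliance's model can use, namely whether the IP-to-MAC binding a sender claims differs from the one last seen. The frame builder, the sample frames on a 10.0.0.0/24 segment and the event field names are constructed for the example.

```python
"""Data-link-layer protocol analyzer for an endpoint agent cSensor: ARP over Ethernet.

Added example, not the patent's or Darktrace's code. It parses raw Ethernet
frames, builds the metadata record the appliance would be sent, and tracks the
IP-to-MAC bindings it has seen. The frame builder and the sample frames are
constructed for the example; the event field names are assumptions.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpRecord:
    src_mac: str      # Ethernet source address
    dst_mac: str
    opcode: int
    sender_mac: str   # ARP sender hardware address
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame: bytes) -> ArpRecord | None:
    """Return the ARP fields of an Ethernet II frame, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 14 + 28:
        return None
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        return None
    body = frame[14:]
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None   # only Ethernet hardware / IPv4 protocol addresses handled
    sha, spa, tha, tpa = body[8:14], body[14:18], body[18:24], body[24:28]
    return ArpRecord(_mac(src), _mac(dst), oper, _mac(sha), _ipv4(spa), _mac(tha), _ipv4(tpa))


class ArpAnalyzer:
    """Turns ARP frames into metadata events and flags changed IP-to-MAC bindings."""

    def __init__(self) -> None:
        self.bindings: dict[str, str] = {}   # sender IP -> MAC last seen claiming it

    def ingest(self, frame: bytes) -> dict | None:
        rec = parse_arp_frame(frame)
        if rec is None:
            return None
        event = {
            "layer": "data_link", "protocol": "arp",
            "opcode": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(rec.opcode, str(rec.opcode)),
            "sender_mac": rec.sender_mac, "sender_ip": rec.sender_ip, "target_ip": rec.target_ip,
            # a sender MAC differing from the Ethernet source address is worth recording
            "sender_mac_mismatch": rec.sender_mac != rec.src_mac,
            "binding_changed": False,
        }
        if rec.sender_ip != "0.0.0.0":   # ARP probes carry an all-zero sender IP
            prev = self.bindings.get(rec.sender_ip)
            if prev is not None and prev != rec.sender_mac:
                event["binding_changed"] = True
                event["previous_mac"] = prev
            self.bindings[rec.sender_ip] = rec.sender_mac
        return event


def build_arp(opcode: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str,
              eth_src: str | None = None) -> bytes:
    """Construct an Ethernet/ARP frame for the sample; eth_src defaults to the ARP sender MAC."""
    def mac(s: str) -> bytes:
        return bytes.fromhex(s.replace(":", ""))

    def ip(s: str) -> bytes:
        return bytes(int(x) for x in s.split("."))

    eth_dst = mac("ff:ff:ff:ff:ff:ff") if opcode == ARP_REQUEST else mac(target_mac)
    header = eth_dst + mac(eth_src or sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)
    return header + arp


# Constructed sample traffic on a 10.0.0.0/24 segment: a host asks for the gateway,
# the gateway answers, then a second station answers for the gateway's address.
GATEWAY, HOST, ROGUE = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, HOST, "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1"),
    build_arp(ARP_REPLY, GATEWAY, "10.0.0.1", HOST, "10.0.0.5"),
    build_arp(ARP_REPLY, ROGUE, "10.0.0.1", HOST, "10.0.0.5"),
    b"\x00" * 12 + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 27,   # an IPv4 frame: ignored
]


def analyse(frames=SAMPLE_FRAMES) -> list[dict]:
    analyzer = ArpAnalyzer()
    return [e for e in (analyzer.ingest(f) for f in frames) if e is not None]


if __name__ == "__main__":
    for event in analyse():
        print(event)
```

The analyzer itself does not decide that the third frame is an attack; it only reports that 10.0.0.1 is now claimed by a different MAC, which is the kind of data point the appliance's model of the segment's normal pattern of life can weigh against gateway failover or a genuinely replaced device.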
  • the probes can ingest onboard traffic from a plurality of different independent systems, such as i) Internet of Things (IoT) devices, ii) autonomous driving vehicles, iii) ships, iv) airplanes, v) etc., using protocols in 1) an application layer, 2) a transport layer, or 3) a network layer encapsulated in an unfamiliar data link layer or physical layer.
  • the cyber security appliance 120 has one or more AI models configured to model a normal pattern of life in each of the independent systems using 1) data, 2) meta data and 3) a combination of both, from protocols for at least 1) the network layer and/or 2) the transport layer for data encapsulated by physical and data link layer protocols specific to the independent system.
  • the AI model can model the normal pattern of life for 1) data, 2) meta data and 3) a combination of both, from one or more protocols and data types utilized in any of i) a data link layer, ii) a physical layer, or iii) both; as well as, 1) data, 2) meta data, and 3) a combination of both, from protocols in any of iv) an application layer, v) a transport layer, vi) a network layer, and vii) any combination of these three layers when a protocol is used in that layer in the independent systems.
  • the endpoint agent cSensors integrated into the independent systems may have one or more protocol analyzers to analyze the activity in the protocols and data types used in any of i) a data link layer, ii) a physical layer, iii) an application layer, iv) a transport layer, v) a network layer, and vi) any combination of these layers when a protocol is used in that layer in the independent system.
  • the data points can be securely conveyed back to the cyber security appliance 120, which generally has AI models trained, for each independent system, to model a normal pattern of life using 1) data, 2) meta data, and 3) a combination of both in the protocols and data types used in at least the physical layer and/or the protocols and data types used in the data link layer.
  • the analyzer module cooperates with the one or more AI models trained to model a normal pattern of life in each of the independent systems to determine when any of i) an abnormal behavior, ii) a suspicious activity, and iii) any combination of both is detected in that independent system, which at least uses the protocols in at least one of 1) the data link layer and 2) the physical layer.
  • Each AI model can be trained to model the normal pattern of life of a given independent system, such as an IoT device's pattern of life, which uses the 1) data, 2) meta data, and 3) a combination of both in the protocols of at least 1) the data link layer and 2) the physical layer.
  • the trigger module may cooperate with one or more AI models trained with machine learning on a normal pattern of life in the system to detect at least one of i) an abnormal behavior, ii) a suspicious activity, and iii) any combination of both, from one or more entities in the system.
  • upon detecting the i) abnormal behavior, ii) suspicious activity, and iii) any combination of both, the trigger module cooperates with the analyzer module on what additional types of data points are needed to support or refute a given cyber threat and then cooperates with the data gather module to obtain that data.
  • the cyber security appliance 120 may have a cyber threat analyst module.
  • the cyber security appliance 120 may use i) one or more AI models to form and investigate hypotheses, ii) a set of scripts to form and investigate hypotheses, and iii) any combination of both, in order to form and investigate hypotheses on what are a possible set of cyber threats.
  • to form and investigate hypotheses on what are a possible set of cyber threats, the cyber threat analyst module can use any of i) the one or more AI models trained with supervised machine learning on human-led cyber threat investigations and on the steps, data, metrics, and meta data used to support or to refute the hypotheses on what are a possible set of cyber threats, ii) the set of scripts that aid in how to form the hypotheses on what are a possible set of cyber threats and then the steps, data, metrics, and meta data to collect additional system data points to support or to refute those hypotheses, and iii) any combination of both.
  • the cyber threat analyst module cooperates with the analyzer module to conduct an investigation of a possible set of cyber threat hypotheses that would include the at least one of i) the abnormal behavior, ii) the suspicious activity, and iii) any combination of both, identified through cooperation with the one or more AI models trained with machine learning on the normal pattern of life in the system.
  • the trigger module may detect time stamped data indicating one or more i) events and/or ii) alerts from I) unusual or II) suspicious behavior/activity are occurring and then triggers that something unusual is happening.
  • the gather module is triggered by specific events and/or alerts of i) an abnormal behavior, ii) a suspicious activity, and iii) any combination of both.
  • the inline data may be gathered on the deployment from a data store when the traffic is observed. The scope and wide variation of data available in this location results in good quality data for analysis.
  • the collected data is passed to the comparison module and the cyber threat module.
  • the gather module may comprise multiple automatic data gatherers that each look at different aspects of the data depending on the particular hypothesis formed for the analyzed event and/or alert.
  • the data relevant to each type of possible hypothesis will be autonomously pulled from additional external and internal sources. Some data is pulled or retrieved by the gather module for each possible hypothesis.
  • a feedback loop of cooperation occurs between the gather module, the collation module monitoring network and email activity, the comparison module to apply one or more models trained on different aspects of this process, and the cyber threat module to identify cyber threats based on comparisons by the comparison module. While an email module is mentioned, a similar module may be applied to other communication systems, such as text messaging and other possible vectors for malicious activity.
  • Each hypothesis of typical threats can have various supporting points of data and other metrics associated with that possible threat, such as a human user insider attack, inappropriate network behavior or email behavior, or a malicious software or malware attack.
  • a machine-learning algorithm will look at the relevant points of data to support or refute each hypothesis on what the suspicious activity or abnormal behavior relates to.
  • Networks have a wealth of data and metrics that may be collected. The gatherers may then filter or condense the mass of data down into the important or salient features of data.
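The trigger, gather and support-or-refute loop described in the preceding bullets, as an added example (not code from the patent or from Darktrace): a trigger fires on an unusual observation, each candidate hypothesis declares the data points that would support it, only the gatherers those hypotheses need are run (once each, since several hypotheses can share a data point), and each hypothesis is scored by how many of its supporting points were found. The hypotheses, the gatherers, the scoring rule and the constructed event store for one device are assumptions made for the example; a real deployment would replace the fixed score with the supervised model the bullets describe.

```python
"""Hypothesis-driven investigation: trigger, gather what each hypothesis needs, support or refute.

Added example, not the patent's or Darktrace's code. The hypotheses, the
gatherers, the way a hypothesis is scored and the constructed event store are
assumptions made to show the loop described above.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
LIVING_OFF_THE_LAND = {"powershell.exe", "cmd.exe", "rundll32.exe", "svchost.exe"}


# --- gatherers: each looks at one aspect of the data for one device -----------------
def new_logon_location(events: list[dict]) -> bool:
    geos = [e["geo"] for e in events if e["kind"] == "logon"]
    return len(geos) > 1 and geos[-1] not in geos[:-1]


def bulk_file_access(events: list[dict], threshold: int = 25) -> bool:
    return sum(e["kind"] == "file_read" for e in events) > threshold


def periodic_external_conn(events: list[dict], max_jitter: float = 0.1) -> bool:
    """True if one external host is contacted at least 5 times at a near-constant interval."""
    by_host: dict[str, list[int]] = {}
    for e in events:
        if e["kind"] == "conn":
            by_host.setdefault(e["host"], []).append(e["ts"])
    for stamps in by_host.values():
        if len(stamps) < 5:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) <= max_jitter * mean:
            return True
    return False


def unusual_parent_child(events: list[dict]) -> bool:
    return any(e["kind"] == "proc_start" and e["parent"] in OFFICE_APPS
               and e["image"] in LIVING_OFF_THE_LAND for e in events)


def known_backup_process(events: list[dict]) -> bool:
    return any(e["kind"] == "proc_start" and e["image"] == "backup-agent.exe" for e in events)


GATHERERS: dict[str, Callable[[list[dict]], bool]] = {
    f.__name__: f for f in (new_logon_location, bulk_file_access, periodic_external_conn,
                            unusual_parent_child, known_backup_process)
}


@dataclass(frozen=True)
class Hypothesis:
    name: str
    supports: tuple[str, ...]     # gatherers whose True result supports this hypothesis


HYPOTHESES = (
    Hypothesis("insider_credential_misuse", ("new_logon_location", "bulk_file_access")),
    Hypothesis("malware_beaconing", ("periodic_external_conn", "unusual_parent_child")),
    Hypothesis("benign_backup_job", ("bulk_file_access", "known_backup_process")),
)
TRIGGERS = ("new_logon_location", "periodic_external_conn")   # what wakes the loop up


def investigate(events: list[dict], hypotheses=HYPOTHESES) -> dict[str, dict]:
    """Run only the gatherers a hypothesis needs (once each) and score support for it."""
    cache: dict[str, bool] = {}

    def gather(name: str) -> bool:
        if name not in cache:
            cache[name] = GATHERERS[name](events)
        return cache[name]

    if not any(gather(t) for t in TRIGGERS):
        return {}                      # nothing unusual: no investigation
    results = {}
    for h in hypotheses:
        evidence = {name: gather(name) for name in h.supports}
        results[h.name] = {"score": sum(evidence.values()) / len(evidence), "evidence": evidence}
    return results


def ranked(results: dict[str, dict]) -> list[str]:
    return sorted(results, key=lambda n: results[n]["score"], reverse=True)


def constructed_events() -> list[dict]:
    """Constructed activity for one device: a new logon country, a burst of file reads,
    a connection to one external host every 60 s, and a shell started from Explorer."""
    ev = [{"kind": "logon", "geo": "GB"}, {"kind": "logon", "geo": "GB"}, {"kind": "logon", "geo": "RU"}]
    ev += [{"kind": "file_read", "path": f"/hr/emp{i}.pdf"} for i in range(40)]
    ev += [{"kind": "conn", "host": "203.0.113.9", "ts": t} for t in range(0, 600, 60)]
    ev += [{"kind": "proc_start", "image": "cmd.exe", "parent": "explorer.exe"}]
    return ev


if __name__ == "__main__":
    res = investigate(constructed_events())
    for name in ranked(res):
        print(f"{res[name]['score']:.2f}  {name}  {res[name]['evidence']}")
```

Keeping a benign hypothesis in the set alongside the malicious ones is deliberate: the same bulk file access supports both the insider and the backup-job hypotheses, and it is the absence of a known backup process, not the file count itself, that separates them.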
  • the collation module and the coordinator module may be portions of the cyber threat module.
  • a collation module can be configured to collect a set of input data gathered by a cyber defense appliance situated within a network and an optional series of probes deployed to a set of distributed entities such as SaaS or Cloud environments throughout a network.
  • the network entity represents at least one of a user and a network device interacting with the network.
  • the probe data describes any activity executed by a network entity in a distributed network located and administrated by a network administrator and associated with a first network such as a third-party Cloud or SaaS environment.
  • a distributed network may be made up of one or more combinations of devices, sub-networks, virtual networks, virtual servers, virtual devices, Cloud infrastructure, or third party IaaS, PaaS and SaaS Platforms.
  • a network-administrated activity may be network activity, email activity, or other application activity.
  • the collation module may be divided into an email module and a network module.
  • the collation module monitoring network entity activity may feed collected data to a coordinator module to correlate causal links between these activities to supply this input into the cyber threat module.
  • the collation module performs i) passive ingestion of input data as well as ii) potentially active collection of input data and iii) also collates connection content for the other modules.
  • the cyber threat module may also use one or more machine-learning models trained on cyber threats in the network.
  • the cyber threat module may reference the models that are trained on the normal behavior of user activity and network activity associated with the network.
  • the cyber threat module can reference these various trained machine-learning models and data from the collation module and the trigger module.
  • the cyber threat module can determine a threat risk parameter that factors in how the chain of unusual behaviors correlate to potential cyber threats and ‘what is a likelihood of this chain of one or more unusual behaviors of the network activity and user activity under analysis that fall outside of being a normal benign behavior;’ and thus, is malicious behavior.
  • the one or more machine learning models can be self-learning models using unsupervised learning and trained on a normal behavior of different aspects of the system, for example, device activity and user activity associated with a network host, such as a website.
  • the self-learning models of normal behavior are regularly updated.
  • the self-learning model of normal behavior is updated when new input data is received that is deemed within the limits of normal behavior.
  • a normal behavior threshold is used by the model as a moving benchmark of parameters that correspond to a normal pattern of life for the computing system.
  • the normal behavior threshold is varied according to the updated changes in the computer system allowing the model to spot behavior on the computing system that falls outside the parameters set by the moving benchmark.
  • the comparison module can compare the analyzed metrics on the user activity and network activity against their respective moving benchmark of parameters that correspond to the normal pattern of life for the computing system used by the self-learning machine-learning models, and against the corresponding potential cyber threats.
  • the comparison module is configured to execute a comparison of input data to at least one machine-learning model to spot behavior on the network deviating from a normal benign behavior of that network entity.
  • the comparison module receives the combined data set from the coordinator module.
  • the at least one machine-learning model is trained on a normal benign behavior of a network entity.
  • the at least one machine-learning model uses a normal behavior benchmark describing parameters corresponding to a normal pattern of activity for that network entity.
  • the comparison module can use the comparison to identify whether the network entity is in a breach state of the normal behavior benchmark.
  • the comparison module can be integrated with the cyber threat module.
  • the cyber security appliance 120 may also include one or more machine-learning models trained on gaining an understanding of a plurality of characteristics on a transmission and related data including classifying the properties of the transmission and its meta data.
  • the cyber threat module can then determine, in accordance with the analyzed metrics and the moving benchmark of what is considered normal behavior, a cyber threat risk parameter indicative of a likelihood of a cyber-threat.
  • the cyber security appliance 120 may also include one or more machine learning models trained on gaining an understanding of a plurality of characteristics of a connection event where a network entity interacted with an external host and related data including classifying the properties of the connection event and its meta data.
  • the cyber threat module can also reference the machine learning models trained on a connection event between a network entity and an external host and related data to determine if an external host connection event or a series of external host connection events under analysis have potentially malicious characteristics.
  • the cyber threat module can also factor this external host connection event characteristics analysis into its determination of the threat risk parameter.
  • the cyber threat module can generate a set of incident data describing an anomalous external host connection event by an entity, here representing a user or a device participating in the network.
  • the cyber threat module can use the incident data to determine whether the anomalous event indicates a breach state representing a malicious incident.
  • the cyber threat module can use the user interface and display module to present the incident data to a user analyst for review, response and/or resolution. Alternatively, the cyber threat module can execute an autonomous analyst to use machine learning to determine whether the entity has entered a breach state.
  • the cyber threat module can execute an autonomous analyst to use machine-learning to determine whether the network entity in the breach state is a cyber threat.
  • the cyber threat module is configured to identify whether the breach state identified by the comparison module and a chain of relevant behavioral parameters deviating from the normal benign behavior of that network entity correspond to a cyber threat.
  • the cyber security appliance 120 may use multiple machine learning models. Each machine learning model may be trained on specific aspects of the normal pattern of life for the system such as devices, users, network traffic flow, outputs from one or more cyber security analysis tools analyzing the system, and others. One or more machine learning models may also be trained on characteristics and aspects of all manner of types of cyber threats. One or more machine learning models may also be trained by observing vectors for malicious activity, such as network activity or emails. One or more machine learning models may be trained by observing the connection events between network entities and external hosts, and the characteristics of the external hosts in question.
  • the cyber security appliance 120 may supplement the data provided to the users and cyber professionals using a researcher module.
  • the researcher module operates an artificial intelligence (AI) algorithm to assess whether the anomalous network activity has any salient features in common with activity that has previously appeared in published threat research, whether internal or external, on international security community platforms, or on known lists of malicious files or internet addresses.
  • the researcher module can consult internal threat databases or external public sources of threat data.
  • the researcher module can collect an outside data set describing at least one of an action or a state related to the cyber threat present outside of the network from at least one data source outside the network.
  • the researcher module is configured to assess the validity of the threat intelligence derived from the intelligence resources through machine learning modelling of the value of the data, and to assign a confidence weighting to the external host information gathered from those resources.
  • the confidence weighting can take into account features such as the internal/external nature of the source, the age of the source, the distance of the source intelligence from the specific external host seen, all assessed by machine learning models to create variable weightings.
  • the cyber security appliance 120 can then take actions to counter detected potential cyber threats.
  • the autonomous action module, rather than a human, can be configured to cause one or more rapid autonomous actions to be taken to contain the cyber threat when the threat risk parameter from the cyber threat module is equal to or above an actionable threshold.
  • the cyber threat module, cooperating with the autonomous action module to cause one or more autonomous actions to be taken to contain the cyber threat, improves the computing devices in the email system by limiting the cyber threat's consumption of unauthorized CPU cycles, memory space, and power in those devices, because the response does not wait for human intervention.
  • the cyber threat defense system can collect data from a set of external third-party sources to accurately assess network hosts accessed by a network entity.
  • a network entity represents a user or a network device on a network.
  • the collation module can collect a host identifier identifying an external host accessed by a network entity, together with the characteristics of the connection event, by passive ingestion at a cyber defense appliance situated at some point within the network and by one or more optional probes communicating with a distributed network entity.
  • the cyber threat defense system can have a researcher module configured to collect host research data from an intelligence resource.
  • the host research data describes the external host identified by the collation module.
  • the intelligence resource is a data source not affiliated with the main network.
  • the researcher module is configured to periodically refresh this host research data to maintain up to date content regarding the external host.
  • the cyber threat defense system can have a host module configured to determine one or more host metrics using one or more machine learning models.
  • the host module can train the one or more machine learning models on a normal benign connection behavior between an external host and a network entity to spot behavior deviating from the normal benign external host connection behavior.
  • the machine learning model uses a normal host behavior benchmark.
  • the normal host behavior benchmark describes parameters corresponding to a normal pattern of activity for a communication between a network entity and an external host, together with the 'normal' characteristics of observed external hosts derived by the collation module.
  • the host module is configured to associate a connection entity data set with the host identifier and derive a network entity alias for the network entity from observed behavior across the network.
  • An entity data set describes the characteristics of at least one interaction between the network entity and the external host.
  • a network alias describes the possible derived role of the network entity in the network, such as a Server or a Desktop, as identified by the cyber threat defense system from behavioral markers.
  • the cyber threat defense system can have a scoring module configured to analyze the host research data from the researcher module in collaboration with the host metrics from the host module.
  • the scoring module may take into account the confidence weightings created by the researcher module and attributed to the host research data when performing an analysis.
  • the scoring module is configured to generate an automatic threat score describing an autonomously-determined threat level presented by the external host based on at least the host research data.
  • the scoring module can factor the connection entity data set into calculation of the automatic threat score as an indicator of network-wide and peer-wide interaction with the external host.
  • the automatic threat score may be generated based upon only the host research data and a machine learned clustering of similarly characterized external hosts, before a network entity is even seen interacting with the host.
  • the scoring module is configured to update the automatic threat score based on at least one analyst threat score describing an analyst-determined threat level.
  • the scoring module is configured to update the automatic threat score based on periodically updated data from the researcher module.
  • the cyber threat defense system has a user interface module to present that score to a user analyst.
  • the user interface module is configured to generate a threat-tracking graphical user interface to present to the user analyst in a display.
  • the user interface module is configured to present input data in the threat-tracking graphical user interface.
  • the input data may list a series of host identifiers representing external hosts visited by the network entity.
  • the user interface module can identify a hover-over input over one of the external host identifiers.
  • a hover-over input is an input received by hovering a cursor over the external host identifier without clicking on the external host identifier.
  • the user interface module is configured to generate a hover-over box in response to the hover-over input.
  • the hover-over box presents the automatic threat score to the user analyst.
  • the user interface module can identify a clickthrough input in relation to the host identifier.
  • a clickthrough input is an input received by a user clicking on the external host identifier.
  • the user interface module is configured to generate a popup box to present the automatic threat score in response to a clickthrough input.
  • the user interface module is configured to operate the popup box.
  • the popup box can present an anonymized alias for network entity data values such as host name or username, representing the network entity without compromising any personally identifiable information. A system user with sufficient clearance can reveal the true value of the network entity data fields if malicious activity is discovered.
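One way the anonymized alias in the popup box can be implemented, as an added example that is not part of the patent text: entity fields are replaced by keyed HMAC pseudonyms (stable for the same value, so an analyst can follow one entity across incidents, but not reversible without the key), the true values are held in an escrow map, and reveal() requires a clearance and is audited. The key handling, the clearance name `reveal-pii`, and the sample host and user names are assumptions.

```python
"""Added example (not the patent's own code): keyed pseudonyms for network
entity fields shown in the popup box, with the true value held back until a
user with the right clearance asks for it. Key handling, clearance name and
audit log are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Analyst:
    address: str
    clearances: set = field(default_factory=set)


class EntityAliaser:
    REVEAL_CLEARANCE = "reveal-pii"   # assumed clearance name

    def __init__(self, key=None):
        # Per-deployment HMAC key (assumed to stay on the appliance): the same
        # value always maps to the same alias, but the alias cannot be inverted.
        self.key = key if key is not None else secrets.token_bytes(32)
        self._escrow = {}   # alias -> (field name, true value); never shown directly
        self.audit = []     # (analyst address, alias) for every reveal

    def alias(self, field_name, value):
        # Field name is mixed into the MAC so "host X" and "user X" get different aliases.
        mac = hmac.new(self.key, f"{field_name}\x00{value}".encode(), hashlib.sha256)
        alias = f"{field_name}-{mac.hexdigest()[:12]}"
        self._escrow[alias] = (field_name, value)
        return alias

    def reveal(self, alias, analyst):
        """Return the true value only to an analyst holding the reveal clearance."""
        if self.REVEAL_CLEARANCE not in analyst.clearances:
            raise PermissionError(f"{analyst.address} lacks {self.REVEAL_CLEARANCE}")
        if alias not in self._escrow:
            raise KeyError(alias)
        self.audit.append((analyst.address, alias))
        return self._escrow[alias][1]


def popup_fields(aliaser, hostname, username):
    """What the popup box shows by default: aliases, never the raw values."""
    return {"host name": aliaser.alias("host", hostname),
            "username": aliaser.alias("user", username)}
```

A fixed key is passed in below only to make the run reproducible; in a deployment the key is generated once per appliance and the escrow map lives with the same access controls as the raw traffic data.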
  • the popup box can present the host identifier to indicate the external host being investigated.
  • the popup box can present the host research data the researcher module has collected from an intelligence resource.
  • the popup box can present the automatic threat score describing an autonomously-determined threat level based on the host research data.
  • the popup box can receive an analyst threat score from the user analyst.
  • the analyst threat score describes an analyst-determined threat level.
  • the scoring module can create a combined threat score based on the analyst threat score and the automatic threat score.
  • the popup box can receive an analyst context comment from the user analyst.
  • the analyst context comment explains the reasoning behind the analyst threat score.
  • the popup box can receive an analyst threat score from an autonomous analyst.
  • an analyst threat score may represent a judgement based on the severity of the breach state where the external host was observed by the autonomous analyst as involved in the cyber threat breach.
  • the scoring module can create a combined threat score based on the autonomous analyst threat score and the automatic threat score.
  • the popup box can receive an analyst context comment from the autonomous analyst.
  • the autonomous analyst context comment may present salient features of the analysis by the autonomous analyst such as filenames, file hashes, and IP addresses involved in the breach.
  • the autonomous analyst context comment may also describe one or more salient features of the breach state observed by the autonomous analyst where the external host was linked to the formation of the breach state, such as IP Addresses or File Hashes.
  • the popup box can present a prior analyst threat score to the user analyst.
  • the prior analyst threat score describes a prior analyst-determined threat level assigned by a prior user analyst.
  • the prior user analyst may belong to a trusted community that the user analyst has assigned, both to prevent the inclusion of commentary that exposes confidential information to outside individuals and to exclude commentary or scores from unvetted or untrusted individuals with potential ulterior motives.
  • the popup box can present a prior analyst context comment from the prior user analyst. The prior analyst context comment explains the reasoning behind the prior analyst threat score.
  • the popup box can present a prior analyst address.
  • the prior analyst address represents the prior user analyst.
  • a communication module can establish a communication channel between the user analyst and the prior user analyst.
  • the communication channel may be a text or email from the current user analyst to allow the user analyst to receive guidance from the prior analyst. Alternately, if the prior user analyst is available, the communication channel may be a chat, a video chat, or telephone call between the current user analyst and the prior user analyst.
  • the host module is configured to create a host cluster, by grouping previous external hosts sharing similar characteristics to the current external host.
  • the popup box may present a cluster threat score, averaging the automatic threat scores for that host cluster.
  • a host module may place an external host in more than one cluster.
  • the host-based clustering can produce predictions on external hosts before they are observed interacting with network entities based upon a machine learning analysis of their shared characteristics and relationship to known bad external hosts.
  • the scoring module may be configured to periodically update the automatic threat score based upon the change in average automatic threat scores for the host cluster.
  • the user analyst can enter a threat tag via the popup box.
  • the threat tag describes the type of threat presented by the external host to the network, and can be determined by the user analyst. If an autonomous analyst is executed by the cyber threat appliance, the tag may be selected and assigned by the autonomous analyst after categorizing the observed breach state (such as Ransomware Attack, DNS Sinkhole).
  • the threat tag may also be suggested to a user analyst based upon closely clustered hosts.
  • the host module is configured to group the external host in a host set based on the threat tag. For example, if the user analyst determines that the external host is distributing malware, the user analyst may enter a “malware distributer” tag to be associated with the external host.
  • the popup box may present a tag threat score, averaging the automatic threat scores for hosts associated with that threat tag.
  • the scoring module may update the automatic threat score based upon the automatic threat score or user analyst score for external hosts with the same tags, or based upon a general threat score associated with specific tags (such as Malware Distributor, Botnet).
  • the host module is configured to suggest external hosts recently seen on the cyber threat appliance which share one or more characteristics, threat tags or are closely clustered with the external host under investigation.
  • the host module may prompt the user analyst to look at the breach state where this similar external host was involved, or investigate whether that previous appearance of a similar host was itself a breach state.
  • the popup box can present a malignant external host identifier set.
  • the malignant external host identifier set represents external hosts previously accessed by the network entity.
  • the host module can filter the malignant external host identifier set to those external hosts with an automatic threat score in a range specified by the user analyst.
  • the host module can set the range to a default range if no range is entered by the user analyst.
  • the researcher module, the scoring module, and the host module, or any combination thereof, may be components of a single module.
  • the autonomous action module is configured to execute at least one autonomous action based on the automatic threat score generated by the scoring module.
  • the autonomous action module can alert the user analyst of an external host with an automatic threat score in a specified range.
  • the autonomous action module can preserve these alerts in a graphical user interface until a user analyst is available for review.
  • the autonomous action module can quarantine the external host, removing access by any part of the network.
  • the autonomous action module can limit the privileges in relation to the rest of the network of any network entity exposed to the external host.
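The researcher, host and scoring module behaviour described above (confidence-weighted host research data, an automatic threat score, blending with trusted analysts' scores, cluster and tag averages, periodic refresh from the cluster, and filtering an entity's visited hosts by a score range with a default range) as one added example; this is not the patent's code, and the patent leaves the weighting and blending to unspecified machine learning models. The weighting formula, the 0.5 analyst weight, the 0.25 cluster pull, the default range (0.7, 1.0) and all sample hosts and scores are assumptions.

```python
"""Added example (not the patent's own code): a minimal scoring module. It turns
confidence-weighted host research data into an automatic threat score, blends it
with trusted analysts' scores, derives cluster and tag averages, refreshes the
automatic score from its cluster, and filters an entity's visited hosts by score
range. Weighting formulas, blending factors and the sample data are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class IntelRecord:
    """One item of host research data from one intelligence resource."""
    source: str
    internal: bool        # internal threat database vs external public source
    observed: datetime    # when the source last saw the indicator
    distance: int         # 0 = exact host, 1 = same domain or /24, 2 = same ASN (assumed scale)
    verdict: float        # 0.0 benign .. 1.0 malicious, as reported by the source


def confidence_weight(rec, now, half_life_days=30.0):
    """Assumed weighting: internal sources count more, the weight halves every
    half_life_days of age, and falls with distance from the exact host."""
    age_days = max(0.0, (now - rec.observed).total_seconds() / 86400.0)
    return (1.0 if rec.internal else 0.7) * 0.5 ** (age_days / half_life_days) / (1 + rec.distance)


def automatic_score(records, now, peer_fraction=0.0):
    """Confidence-weighted mean verdict. peer_fraction is the share of peer
    entities also talking to the host; assumption: a host used network-wide is
    treated as less suspicious than one contacted by a single entity."""
    weights = [confidence_weight(r, now) for r in records]
    if not weights or sum(weights) == 0.0:
        return None
    score = sum(w * r.verdict for w, r in zip(weights, records)) / sum(weights)
    return score * (1.0 - 0.5 * peer_fraction)


@dataclass
class ExternalHost:
    host_id: str
    auto_score: float
    analyst_scores: dict = field(default_factory=dict)   # analyst address -> score
    tags: set = field(default_factory=set)
    clusters: set = field(default_factory=set)


def combined_score(host, trusted_analysts, analyst_weight=0.5):
    """Blend automatic and analyst scores, counting only analysts in the user's
    trusted community; falls back to the automatic score if none apply."""
    scores = [s for a, s in host.analyst_scores.items() if a in trusted_analysts]
    if not scores:
        return host.auto_score
    return (1.0 - analyst_weight) * host.auto_score + analyst_weight * mean(scores)


def cluster_score(hosts, cluster_id):
    members = [h.auto_score for h in hosts if cluster_id in h.clusters]
    return mean(members) if members else None


def tag_score(hosts, tag):
    members = [h.auto_score for h in hosts if tag in h.tags]
    return mean(members) if members else None


def refresh_from_clusters(host, hosts, pull=0.25):
    """Periodic update: move the automatic score part of the way (pull, assumed)
    toward the mean of its clusters' average scores."""
    averages = [a for a in (cluster_score(hosts, c) for c in host.clusters) if a is not None]
    if averages:
        host.auto_score = (1.0 - pull) * host.auto_score + pull * mean(averages)
    return host.auto_score


DEFAULT_RANGE = (0.7, 1.0)   # assumed default when the analyst enters no range


def malignant_set(visited_hosts, score_range=None):
    """Hosts the entity visited whose automatic score falls in the range."""
    lo, hi = score_range or DEFAULT_RANGE
    return [h.host_id for h in visited_hosts if lo <= h.auto_score <= hi]


NOW = datetime(2021, 5, 20, 12, 0)   # constructed reference time

# Constructed research data for one host (RFC 5737 documentation addresses).
INTEL_203_0_113_7 = [
    IntelRecord("internal-db", True, NOW, 0, 0.9),                          # weight 1.0
    IntelRecord("public-feed-1", False, NOW - timedelta(days=30), 0, 0.5),  # weight 0.35
    IntelRecord("public-feed-2", False, NOW, 1, 1.0),                       # weight 0.35
]


def build_sample_hosts():
    """Three hosts one entity has visited; cluster c1 groups all three (constructed)."""
    return [
        ExternalHost("203.0.113.7", automatic_score(INTEL_203_0_113_7, NOW),
                     {"alice@soc.example": 0.6, "mallory@example.net": 0.1},
                     {"malware-distributor"}, {"c1"}),
        ExternalHost("203.0.113.9", 0.2, {}, set(), {"c1"}),
        ExternalHost("198.51.100.4", 0.9, {}, {"malware-distributor"}, {"c1", "c2"}),
    ]
```

With the constructed records the first host scores about 0.84 (1.425 / 1.7): the stale public feed's verdict of 0.5 is discounted to a weight of 0.35, so it barely pulls the score down. Only alice's score counts toward the combined score because mallory is outside the trusted community, and the default range lists the first and third hosts as the malignant set.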
  • the cyber security appliance 120 may be hosted on a device, on one or more servers, or in its own cyber threat appliance platform.
  • the graph 500 may depict a cluster of unusual behaviors detected and analyzed in a cyber security platform, where the cluster of detected unusual behaviors may include, but are not limited to, any detected unusual payload activations based on any types of observed network activity events, such as the illustrated network, data, behavior pattern activities.
  • the graph 500 may depict one or more different machine learning models (as described above) that are trained to analyze any detected unusual behavior patterns from the collected pattern of life data against the normal pattern of life from any collected data from any of the entities in the organization.
  • the endpoint agent cSensor described above may use its analyzer module and cooperating modules to ingest all (or some) of this illustrated data to create various threat visualizer instances, reports, scenarios, and so on.
  • the graph 500 may be provided as a user interface used to show a user the cluster of alerts and/or events associated with the variety of detected unusual network activity, data transfers, and behavior patterns, which may further include the respective detailed labels of the characteristics of such detected alerts and/or events.
  • the endpoint agent cSensor may utilize any of the AI models described above for any of its trained contextual knowledge of the organization, which includes language-based data, email and network connectivity and behavior pattern data, and historic knowledgebase data.
  • a behavioral pattern analysis of what are the unusual behaviors of the email/network/system/device/user under analysis by the machine learning models may be as follows.
  • the cyber defense system uses unusual behavior deviating from the normal behavior and then builds a sequence of unusual behavior and the causal links between that sequence of unusual behavior to detect cyber threats as shown with the graph 600 in Figure 6.
  • the unusual patterns may be determined by filtering out what activities/events/alerts that fall within the window of what is the normal pattern of life for that network/system/device/user under analysis, and then the pattern of the behavior of the activities/events/alerts that are left, after the filtering, can be analyzed to determine whether that pattern is indicative of a behavior of a malicious actor - human, program, or other threat.
  • the cyber defense system can go back and pull in some of the filtered out normal activities to help support or refute a possible hypothesis of whether that pattern is indicative of a behavior of a malicious actor.
  • the analyzer module can cooperate with one or more models trained on cyber threats and their behavior to try to determine whether a potential cyber threat is causing these unusual behaviors. If the pattern of behaviors under analysis is believed to be indicative of a malicious actor, a score is created describing how confident the system is in this assessment that the unusual pattern was caused by a malicious actor. A threat level score or probability, indicating what level of threat this malicious actor poses, is then also assigned.
  • the cyber defense system is configurable in a user interface, by a user, to enable what type of automatic response actions, if any, the cyber defense system may take when different types of cyber threats, indicated by the pattern of behaviors under analysis, are equal to or above a configurable level of threat posed by this malicious actor.
  • the AI models may perform threat detection through a probabilistic change in normal behavior, applying an unsupervised Bayesian mathematical model to detect behavioral change in computers and computer networks.
  • the core threat detection system is termed the 'Bayesian probabilistic' (BP) approach.
  • the BP approach can determine periodicity in multiple time series data and identify changes across single and multiple time series data for the purpose of anomalous behavior detection. From the email and, potentially, IT network raw sources of data, a large number of metrics can be derived, each producing time series data for the given metric.
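The Bayesian probabilistic approach above, as an added example that is not the patent's own model: one metric (hourly outbound-connection count of a device) is treated as a time series, its period is found from the strongest autocorrelation peak, each slot of that period keeps a Gamma-Poisson posterior over the metric's rate, and a new observation is scored by its tail probability under the posterior predictive (a negative binomial). Several such baselines are then checked together to find which of multiple series changed at the same hour. The four-day sample series, the Gamma(1, 1) prior and the 1e-3 threshold are assumptions.

```python
"""Added example (not the patent's own code): a Bayesian probabilistic baseline
for one metric's time series. Each slot of the detected period keeps a
Gamma-Poisson posterior over the metric's rate; a new observation is scored by
its upper-tail probability under the posterior predictive. Prior parameters,
thresholds and the sample series are assumptions."""
import math

# Constructed: four days of hourly outbound-connection counts for one device,
# a daily hump plus small deterministic jitter so the days are not identical.
DAY_TEMPLATE = [2, 1, 1, 1, 1, 2, 3, 8, 20, 35, 40, 38,
                30, 36, 42, 37, 25, 12, 5, 3, 2, 2, 2, 2]
SERIES = [c + (d + h) % 2 for d in range(4) for h, c in enumerate(DAY_TEMPLATE)]


def autocorrelation(series, lag):
    n = len(series)
    mu = sum(series) / n
    var = sum((x - mu) ** 2 for x in series)
    if var == 0.0:
        return 0.0
    return sum((series[i] - mu) * (series[i + lag] - mu) for i in range(n - lag)) / var


def detect_period(series, min_acf=0.3):
    """Lag of the strongest autocorrelation peak (a local maximum above min_acf).
    Neighbouring samples are always correlated, so only peaks count, not raw maxima."""
    acf = [autocorrelation(series, lag) for lag in range(len(series) // 2 + 1)]
    best = None
    for lag in range(2, len(acf) - 1):
        is_peak = acf[lag] > acf[lag - 1] and acf[lag] >= acf[lag + 1]
        if is_peak and acf[lag] > min_acf and (best is None or acf[lag] > acf[best]):
            best = lag
    return best


class PeriodicBaseline:
    """Gamma(alpha, beta) posterior on the Poisson rate of each slot in the period."""

    def __init__(self, period, alpha0=1.0, beta0=1.0):
        self.period = period
        self.alpha = [alpha0] * period   # shape: prior pseudo-count of events
        self.beta = [beta0] * period     # rate: prior pseudo-count of intervals

    def fit(self, series):
        for i, x in enumerate(series):
            self.alpha[i % self.period] += x
            self.beta[i % self.period] += 1
        return self

    def tail_probability(self, index, value):
        """P(X >= value) under the negative-binomial posterior predictive of the slot."""
        a, b = self.alpha[index % self.period], self.beta[index % self.period]
        p = b / (b + 1.0)
        cdf = 0.0
        for k in range(int(value)):
            log_pmf = (math.lgamma(k + a) - math.lgamma(a) - math.lgamma(k + 1)
                       + a * math.log(p) + k * math.log(1.0 - p))
            cdf += math.exp(log_pmf)
        return max(0.0, 1.0 - cdf)

    def is_anomalous(self, index, value, threshold=1e-3):
        return self.tail_probability(index, value) < threshold


def changed_metrics(baselines, index, observations, threshold=1e-3):
    """Which of several metrics' series moved out of their normal band at this
    index. baselines: metric name -> PeriodicBaseline; observations: name -> value."""
    return sorted(m for m, v in observations.items()
                  if baselines[m].is_anomalous(index, v, threshold))


def build_sample_baselines():
    period = detect_period(SERIES)
    return {
        "connections": PeriodicBaseline(period).fit(SERIES),
        "bytes_out_kb": PeriodicBaseline(period).fit([10 * x for x in SERIES]),
    }
```

For the 03:00 slot the sample history holds counts of 2, 1, 2, 1, giving a posterior Gamma(7, 5) with mean 1.4; a count of 2 at that hour has a tail probability near 0.4 and is normal, a count of 50 has a tail probability far below 1e-3 and is flagged. Only the upper tail is scored here; a metric that drops to zero (a server that goes silent) would need the lower tail as well.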
  • the detectors in the analyzer module, including its network module (from which the simulator can extract metadata) and email module components, can be discrete mathematical models that each implement a specific mathematical method against different sets of variables relating to the target.
  • each model is specifically targeted on the pattern of life of alerts and/or events coming from, for example, i) the cyber security analysis tool analyzing various aspects of the emails, or ii) specific devices and/or users within a system, etc.
  • the endpoint agent cSensor, as well as the cyber security appliance, may mathematically characterize what constitutes 'normal' behavior, in line with the normal pattern of life for that entity and organization, based on the analysis of a large set of different measures of a device's network behavior.
  • such a red team and appliance can build a sophisticated 'pattern of life' that understands what represents normality for every person, device, entity, email activity, and network activity in the system being protected by the cyber threat defense system.
  • the analyzer module may rank supported candidate cyber threat hypotheses by a combo of likelihood that this candidate cyber threat hypothesis is supported and a severity threat level of this incident type.
  • the correlation, reporting, and formatting modules may be configured to generate the report (or the graphs) with the identified critical devices connecting to the virtualized instance of the network under analysis, which should have priority when allocating security resources, along with one or more portions of the constructed graph.
  • the formatting module may have an autonomous email-report composer that cooperates with the various AI models and modules of the AI adversary red team, as well as with at least one library of sets of contextual text, objects, and visual representations, to populate templates of pages in the email threat report based on any of the training and/or simulated attacking scenarios observed.
  • the autonomous email-report composer can compose an email threat report on cyber threats in a human-readable format, with natural language prose, terminology, and a level of detail on the cyber threats aimed at a target audience being able to understand the terminology and the detail.
  • such modules and AI models may cooperate with the autonomous email-report composer to indicate in the email threat report, for example, an email attack's purpose and/or targeted group (such as members of the finance team, or high-level employees).
  • the formatting module may format, present a rank for, and output the current email threat report, from a template of a plurality of report templates, that is outputted for a human user’s consumption in a medium of, any of 1) a printable report, 2) presented digitally on a user interface, 3) in a machine-readable format for further use in machine-learning reinforcement and refinement, and 4) any combination of the three.
  • the system may use at least three separate machine learning models or any particular number of separate Al machine learning models. For example, a machine learning model may be trained on specific aspects of the normal pattern of life for entities in the system, such as devices, users, email/network traffic flow, outputs from one or more cyber security analysis tools analyzing the system, etc.
  • One or more machine learning models may also be trained on characteristics and aspects of all manner of types of cyber threats.
  • One or more machine learning models may also be trained on composing email threat reports.
  • the various modules cooperate with each other, the AI models, and the data store to carry out the operations discussed above with regard to the AI adversary red team.
  • such modules may cooperate to improve the analysis of how vulnerable the organization is, based on any of the observed (or trained/simulated/pentested) unusual events specific to that organization, and thus improve the formalized report generation with specific vulnerabilities and the extent of those vulnerabilities, with less repetition so as to consume fewer CPU cycles, and doing this more efficiently and effectively than humans.
  • the modules can repetitively go through these steps, and re-duplicate steps, to filter and rank the one or more supported possible cyber threat hypotheses from the possible set of cyber threat hypotheses and/or compose the detailed information to populate into the email threat report.
  • one or more processing units are configured to execute software instructions associated with the AI adversary red team and any of its cooperating modules in that depicted system.
  • one or more non-transitory storage mediums are configured to store at least software associated with the endpoint agent cSensor simulator/apparatus, the other modules, and the AI models and classifiers.
  • the illustrated cyber security system 600 may include a network of computer systems 650 implementing the cyber threat detection systems, methods, and devices described herein.
  • the cyber threat defense system 600 depicted in Figure 6 may be similar to the cyber security systems 100 and 200 depicted above in Figures 1-2.
  • the cyber threat defense system 600 may configure the endpoint agents 111A-B with their respective cSensors 105A-B (and/or the cyber security appliance 120) to extend visibility and monitor the computer systems 610 and 640 communicatively coupled over the network 110.
  • the cyber threat defense system 600 may include a network of computer systems 650 that may be using the endpoint agent cSensors 105A-B as well as the cyber security appliance 120.
  • the exemplary system 600 depicted by Figure 6 may be a simplified illustration, which is provided for ease of explanation of the present disclosure.
  • the network of computer systems 650 may comprise a first computer system 610 within a building, which uses the cyber threat detection system 600 to detect and thereby attempt to prevent threats to computing devices within its bounds.
  • the first computer system 610 may comprise one or more computers 601-603, a local server 604, and a multifunctional device 605 that may provide printing and facsimile functionalities to each of the respective computers 601-603.
  • All of the devices within the first computer system 610 may be communicatively coupled via a first network 606, such as a Local Area Network (LAN) and/or the like. Consequently, all of the computers 601-603 may be able to access the local server 604 via the network 606 and use the functionalities of the multifunctional device 605 via the network 606.
  • the network 606 of the first computer system 610 may be communicatively coupled to the network 110 (e.g., the Internet), which may in turn provide the computers 601-603 with access to a multitude of other computing devices including the database server 630 and the second computer system 640.
  • the second computer system 640 may also include one or more computers 641-642 that may be communicatively coupled to each other via a second network 643 (or a second LAN).
  • a real-time threat detection system having autonomous actions with definitive network and/or endpoint evidence to enable rapid threat investigation and remediation is needed.
  • a system that gives the ability to deploy instances of a host-based endpoint agent in a computing device as well as the capability to integrate the host-based endpoint agent with various operating systems (OSs) residing in the computing device is needed.
  • a cyber defense platform having a series of endpoint agent sensors to monitor various types of network activities of remote entities and promptly deliver key network activity data to master appliances within a remote network defense system is needed.
  • the computer 601 in the first computer system 610 may be configured by an AI cyber threat security detection system, such as the system 600 or any of the other AI-based systems 100 and 200 depicted above, and therefore runs the necessary AI-based threat detection processes for pentesting various attacks on the first computer system 610, for training and/or for detecting vulnerabilities in that system 610.
  • processor arranged to run the steps of the processes described herein, memory required to store information related to the running of such processes, as well as a network interface for collecting the required information and so on. This process shall now be described in greater detail below with reference to Figure 6.
  • the computer 601 may build and maintain a dynamic, ever-changing model of the 'normal behavior' of each user and machine within the system 610.
  • the approach is based on Bayesian mathematics, and monitors all interactions, events and communications within the system 610 - which computer is talking to which, files that have been created, networks that are being accessed, and so on.
  • the computer 602 may be based in a company's San Francisco office and operated by a marketing employee who regularly accesses the marketing network, usually communicates with machines in the company's U.K. office in second computer system 640 between 9:30 AM and midday and is active from about 8:30 AM until 6 PM.
  • the same employee virtually never accesses the employee time sheets, very rarely connects to the company's Atlanta network and has no dealings in South-East Asia.
  • the AI-based cyber threat detection system takes all the information that is available relating to this employee and establishes a 'pattern of life' for that person, which is dynamically updated as more information is gathered.
  • the 'normal' model is used as a moving benchmark, allowing the system to spot behavior on a system that seems to fall outside of this normal pattern of life, and flags this behavior as anomalous, requiring further investigation.
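The moving benchmark described here for the marketing employee, together with the earlier description of filtering out activity inside the normal window, chaining the remaining unusual behaviors with causal links, assigning a confidence score and a threat level, and taking a configurable automatic response, as one added example that is not the patent's own code. A constructed four-week history of one user's events (office hours, the U.K. file server in the morning, the marketing share) forms the pattern of life; new events whose destination, resource and hour have all been seen before are filtered out; the rest are chained by user and time gap; the chain gets a confidence score and is matched against hand-written hypotheses that stand in for models trained on threat behaviour. The feature set, the causal-link rule (same user, under two hours apart), the confidence formula, the hypothesis list and the response thresholds are all assumptions.

```python
"""Added example (not the patent's own code): per-user pattern of life from a
constructed event history, filtering of events inside the normal window,
chaining of the remaining unusual events, a confidence score and threat level
for each chain, and a configurable threshold for the autonomous response.
Feature set, scoring formulas, hypothesis rules and thresholds are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    user: str
    ts: datetime
    destination: str   # network or office the user talked to
    resource: str      # service or share accessed


class PatternOfLife:
    """Counts of what a user normally does, per feature; updated as events arrive."""
    FEATURES = ("destination", "resource", "hour")

    def __init__(self):
        self.counts = {f: Counter() for f in self.FEATURES}
        self.n = 0

    @staticmethod
    def features(ev):
        return {"destination": ev.destination, "resource": ev.resource, "hour": ev.ts.hour}

    def update(self, ev):
        for f, v in self.features(ev).items():
            self.counts[f][v] += 1
        self.n += 1

    def novel_features(self, ev):
        """Features never seen for this user: the 'outside the normal window' test."""
        return [f for f, v in self.features(ev).items() if self.counts[f][v] == 0]


def build_chains(unusual, max_gap=timedelta(hours=2)):
    """Causal link (assumed): same user, time-ordered, within max_gap of the previous event."""
    chains = []
    for ev in sorted(unusual, key=lambda e: (e.user, e.ts)):
        if chains and chains[-1][-1].user == ev.user and ev.ts - chains[-1][-1].ts <= max_gap:
            chains[-1].append(ev)
        else:
            chains.append([ev])
    return chains


# Assumed hypotheses standing in for models trained on cyber threat behaviour:
# (name, novel features that must appear somewhere in the chain, severity).
HYPOTHESES = [
    ("data staging or exfiltration", {"destination", "resource"}, 0.9),
    ("off-hours access to unusual resource", {"hour", "resource"}, 0.6),
    ("off-hours activity", {"hour"}, 0.3),
]
# Assumed response policy: risk = confidence * severity; the highest threshold met wins.
RESPONSE_POLICY = [(0.75, "quarantine device"), (0.5, "alert analyst"), (0.0, "log only")]


def analyze(history, new_events):
    profiles = defaultdict(PatternOfLife)
    for ev in sorted(history, key=lambda e: e.ts):
        profiles[ev.user].update(ev)
    novelty = {ev: profiles[ev.user].novel_features(ev) for ev in new_events}
    unusual = [ev for ev, nf in novelty.items() if nf]   # events inside the normal window drop out
    results = []
    for chain in build_chains(unusual):
        # Confidence (assumed): each unusual event adds evidence in proportion to
        # how many of its features are novel, at most 0.6 per event.
        miss = 1.0
        for ev in chain:
            miss *= 1.0 - 0.6 * len(novelty[ev]) / len(PatternOfLife.FEATURES)
        confidence = 1.0 - miss
        seen = {f for ev in chain for f in novelty[ev]}
        name, _, severity = next((h for h in HYPOTHESES if h[1] <= seen), ("unclassified", set(), 0.1))
        action = next(a for t, a in RESPONSE_POLICY if confidence * severity >= t)
        # Pull the last filtered-out normal event of the same user back in as supporting context.
        context = [e for e in new_events if not novelty[e] and e.user == chain[0].user and e.ts < chain[0].ts]
        results.append({"user": chain[0].user, "events": chain, "hypothesis": name,
                        "confidence": round(confidence, 3), "threat_level": severity,
                        "action": action, "context": context[-1:]})
    return results


def sample_history():
    """Constructed: 20 working days of one marketing user's routine (modeled on the employee above)."""
    start, events = datetime(2021, 5, 3), []
    for day in range(20):
        d = start + timedelta(days=day + 2 * (day // 5))   # skip weekends
        events += [Event("mkt-sf-02", d.replace(hour=8, minute=45), "marketing-lan", "marketing-share"),
                   Event("mkt-sf-02", d.replace(hour=9, minute=40), "uk-office", "uk-fileserver"),
                   Event("mkt-sf-02", d.replace(hour=11, minute=15), "uk-office", "uk-fileserver"),
                   Event("mkt-sf-02", d.replace(hour=15, minute=0), "marketing-lan", "marketing-share")]
    return events


SAMPLE_NEW = [   # constructed: one normal event, then two unusual ones 25 minutes apart
    Event("mkt-sf-02", datetime(2021, 5, 31, 9, 40), "uk-office", "uk-fileserver"),
    Event("mkt-sf-02", datetime(2021, 5, 31, 22, 15), "marketing-lan", "employee-timesheets"),
    Event("mkt-sf-02", datetime(2021, 5, 31, 22, 40), "sea-office", "uk-fileserver"),
]
```

On the sample, the 09:40 event is filtered out as normal, the two late-evening events (novel hour and resource, then novel hour and destination) form one chain with confidence 0.64, the chain as a whole shows both a new destination and a new resource and so matches the exfiltration hypothesis (severity 0.9), and the resulting risk of about 0.58 triggers the "alert analyst" action but not quarantine. A user with no history at all would have every feature novel; a deployment would want a warm-up period before trusting such a profile.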
  • the cyber security system with the cSensors and other similar apparatus/simulators may be built to deal with the fact that today's attackers are getting stealthier: an attacker may be 'hiding' in a system to ensure that they avoid raising suspicion in an end user, for example by avoiding slowing the machine down and by using normal software protocols. Such an attack process stops or 'backs off' automatically if the mouse or keyboard is used.
  • yet more sophisticated attacks try the opposite, hiding in memory under the guise of a normal process and stealing CPU cycles only when the machine is active, in an attempt to defeat a relatively simple policing process. These sophisticated attackers look for activity that is not directly associated with the user's input.
  • processor cycles may be stolen so infrequently that they do not impact machine performance. But however cloaked and sophisticated the attack is, there will always be a measurable delta, even if extremely slight, in typical machine behavior between pre- and post-compromise. This behavioral delta may be observed and acted on with the form of Bayesian mathematical analysis used by the AI-based cyber threat security detection system installed on the computer 601.
  • the AI-based cyber threat security/defense self-learning platform may use machine-learning technology.
  • the machine-learning technology, using advanced mathematics, may detect previously unidentified threats without rules and automatically defend networks. Note that today's attacks may be of such severity and speed that a human response may not happen quickly enough. Thanks to these self-learning advances, it is now possible for a machine to uncover emerging threats and deploy appropriate, real-time responses to fight back against the most serious cyber threats.
  • this system may therefore be built and trained to have a sophisticated 'pattern of life' that understands what represents normality for every person, device, and network activity associated with any of the users and/or entities in the system being protected by such an AI cyber threat security system.
  • the cyber security system may have the ability to self-learn and detect normality in order to spot true anomalies, allowing organizations of all sizes to understand any unusual behaviors of users, machines, tokens (or symbols, process chains, etc.), and so on, observed within any respective and discrete host device(s) and network(s) at both an individual and group level.
  • Monitoring behaviors, rather than using predefined descriptive objects and/or signatures, means that more attacks may be spotted ahead of time and extremely subtle indicators of wrongdoing may be detected.
  • a behavioral defense approach mathematically models both machine and human activity behaviorally, at and after the point of compromise, in order to predict and catch today's increasingly sophisticated cyber attack vectors. It is thus possible to computationally establish what is normal, in order to then detect what is abnormal.
  • This AI cyber security system with the cSensors and other sensors may thus be capable of making value judgments and carrying out higher value, more thoughtful tasks.
  • Machine learning requires complex algorithms to be devised and an overarching framework to interpret the results produced. However, when applied correctly these approaches may facilitate machines to make logical, probability-based decisions and undertake thoughtful tasks.
  • Utilizing machine-learning in cyber security technology is difficult, but when correctly implemented it is extremely powerful.
  • the machine-learning means that previously unidentified threats may be detected, even when their manifestations fail to trigger any rule set or signature. Instead, machine-learning allows the system to analyze large sets of data and learn a ‘pattern of life’ for what it sees.
  • Machine learning may approximate some human capabilities to machines, such as: (i) thought: it uses past information and insights to form its judgments; (ii) real time: the system processes information as it goes; and (iii) self-improving: the model's machine-learning understanding is constantly being challenged and adapted, based on new information. New unsupervised machine-learning therefore allows computers to recognize evolving threats, without prior warning or supervision.
  • one or more other detectors and data analysis processes may be employed as detailed below, without limitations.
  • FIGS. 7A-J show a series of exemplary block illustrations of a cyber security system 700-710, in accordance with embodiments of the disclosure.
  • the cyber security system 700-710 may be substantially similar to the cyber security system 100 depicted in Figure 1, with the exceptions that the respective systems 700-710 depict one or more different network configurations using the same components and processes described above in Figure 1.
  • the cyber security systems 700-710 depicted in Figures 7A-J may be configured based on: (1) the most common basic arrangement, with an on-prem master appliance; (2) an arrangement that moves some PCAP storage from the on-prem master to the cloud, the aim here being to reduce the bandwidth of the Master <-> Cloud connection by retaining PCAP data in the Cloud and serving requests for it from there; (3) a basic arrangement with a Cloud Master; (4) a hybrid arrangement with an on-prem Master, where most of the original Cloud server functions and database now reside on the Master and there is a fully on-prem route for local cSensor data to take, such that the aim is to remove the need for most cSensor bandwidth to go out of and back into the on-prem network if the cSensor itself is already within that network; and (5) a hybrid arrangement with a Cloud Master and an on-prem vSensor, the aim here being to retain PCAP data within the on-prem network instead of sending it to the Cloud.
  • Unsupervised learning works things out without pre-defined labels. In the case of sorting the series of different animals, the system analyzes the information and works out the different classes of animals. This allows the system to handle the unexpected and embrace uncertainty. The system does not always know what it is looking for, but may independently classify data and detect compelling patterns.
  • the cyber threat defense system does not require training data with pre-defined labels. Instead, they are able to identify key patterns and trends in the data, without the need for human input.
  • the advantage of unsupervised learning is that it allows computers to go beyond what their programmers already know and discover previously unknown relationships.
  • the cyber threat defense system uses unique implementations of unsupervised machine learning algorithms to analyze network data at scale, intelligently handle the unexpected, and embrace uncertainty. Instead of relying on knowledge of past threats to be able to know what to look for, it is able to independently classify data and detect compelling patterns that define what may be considered to be normal behavior. Any new behaviors that deviate from those, which constitute this notion of ‘normality,’ may indicate threat or compromise.
  • the cyber threat defense system's probabilistic approach to cyber security is based on a Bayesian framework. This allows it to integrate a huge number of weak indicators of potentially anomalous network behavior to produce a single clear measure of how likely a network device is to be compromised. This probabilistic mathematical approach provides an ability to understand important information, amid the noise of the network - even when it does not know what it is looking for.
  • the cyber threat defense system accounts for the inevitable ambiguities that exist in data and distinguishes between the subtly differing levels of evidence that different pieces of data may contain. Instead of generating the simple binary outputs ‘malicious’ or ‘benign,’ the cyber threat defense system's mathematical algorithms produce outputs that indicate differing degrees of potential compromise. This output enables users of the system to rank different alerts in a rigorous manner and prioritize those that most urgently require action, simultaneously removing the problem of numerous false positives associated with a rule-based approach.
  • the cyber threat defense system mathematically characterizes what constitutes ‘normal’ behavior based on the analysis of a large number/set of different measures of a device's network behavior, examples including at least one or more of: server access; data access; timings of events; credential use; DNS requests; and/or any other similar parameters. Each measure of network behavior is then monitored in real time to detect anomalous behaviors.
  • the cyber threat defense system simultaneously employs a number of different clustering methods including matrix-based clustering, density-based clustering and hierarchical clustering techniques.
  • the resulting clusters are then used to inform the modeling of the normative behaviors of individual devices.
  • clustering: (i) analyzes behavior in the context of other similar devices on the network; (ii) algorithms identify naturally occurring groupings of devices - impossible to do manually; and (iii) simultaneously runs a number of different clustering methods to inform the models.
  • Any cyber threat detection system must also recognize that a network is far more than the sum of its individual parts, with much of its meaning contained in the relationships among its different entities, and that complex threats may often induce subtle changes in this network structure. To capture such threats, the cyber threat defense system employs several different mathematical methods in order to be able to model multiple facets of a network's topology.
  • the cyber threat defense system has employed a cutting-edge large-scale computational approach to learn sparse structure in models of network behavior and connectivity based on applying L1-regularization techniques (e.g., a lasso method). This allows for the discovery of true associations between different network components and events that may be cast as efficiently solvable convex optimization problems and yield parsimonious models.
  • the cyber threat defense system takes advantage of the power of Recursive Bayesian Estimation (RBE) via an implementation of the Bayes filter.
  • the cyber threat defense system uses RBE to constantly adapt itself, in a computationally efficient manner, as new information becomes available to the system. It continually recalculates threat levels in the light of new evidence, identifying changing attack behaviors where conventional signature-based methods fall down.
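The Bayesian integration of many weak indicators into one per-device compromise measure, the ranking of devices by degree of compromise, and the recursive re-estimation as each new observation arrives are shown together in the following added example; it is illustrative code written for this page, not the patent's or Darktrace's implementation, and the indicator names, likelihoods, transition rates and device names are all assumed.

```python
"""Added example: a two-state Bayes filter that integrates weak behavioural
indicators into a single per-device probability of compromise, updated
recursively as each observation arrives. Not code from the patent; the
indicator catalogue, likelihoods and transition rates are assumed values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    """How likely an indicator is to fire under each hypothesis (assumed values)."""
    name: str
    p_if_compromised: float  # P(indicator fires | device compromised)
    p_if_normal: float       # P(indicator fires | device within its pattern of life)


# Constructed catalogue of weak indicators; none is conclusive on its own.
INDICATORS = {
    "unusual_dns_volume": Indicator("unusual_dns_volume", 0.6, 0.05),
    "new_external_server": Indicator("new_external_server", 0.5, 0.10),
    "off_hours_credential_use": Indicator("off_hours_credential_use", 0.4, 0.02),
    "large_outbound_transfer": Indicator("large_outbound_transfer", 0.7, 0.03),
}

# Assumed per-step transition rates for the hidden state (normal <-> compromised).
P_ONSET = 0.001      # chance a normal device becomes compromised between observations
P_REMEDIATE = 0.02   # chance a compromised device is cleaned up between observations


def predict(p_compromised: float, p_onset: float = P_ONSET,
            p_remediate: float = P_REMEDIATE) -> float:
    """Bayes-filter predict step: propagate the belief through the state transition."""
    return p_compromised * (1.0 - p_remediate) + (1.0 - p_compromised) * p_onset


def update(p_compromised: float, ind: Indicator, fired: bool) -> float:
    """Bayes-filter update step: posterior is proportional to likelihood times prior.

    A non-firing indicator is evidence too (its likelihood is 1 - P(fire)),
    so silence gently lowers the estimate instead of being ignored."""
    l_c = ind.p_if_compromised if fired else 1.0 - ind.p_if_compromised
    l_n = ind.p_if_normal if fired else 1.0 - ind.p_if_normal
    numerator = l_c * p_compromised
    return numerator / (numerator + l_n * (1.0 - p_compromised))


def score_devices(events, prior: float = 0.01) -> dict:
    """Run the filter over a stream of (device, indicator, fired) events.

    Each device starts at the base rate `prior`; every event first advances the
    belief (predict) and then folds in the new evidence (update)."""
    belief = {}
    for device, indicator_name, fired in events:
        p = belief.get(device, prior)
        belief[device] = update(predict(p), INDICATORS[indicator_name], fired)
    return belief


def rank_devices(events, prior: float = 0.01) -> list:
    """Order devices by estimated degree of compromise, most suspicious first."""
    scores = score_devices(events, prior)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


# Constructed observation stream; device names are illustrative only.
SAMPLE_EVENTS = [
    ("laptop-7", "unusual_dns_volume", True),
    ("printer-2", "new_external_server", True),
    ("server-3", "unusual_dns_volume", False),
    ("laptop-7", "new_external_server", True),
    ("laptop-7", "large_outbound_transfer", True),
]

if __name__ == "__main__":
    for device, p in rank_devices(SAMPLE_EVENTS):
        print(f"{device:<10} P(compromised) = {p:.3f}")
```

No single event in the stream is damning, yet three weak indicators on laptop-7 lift it well above the base rate while a single one on printer-2 barely moves it, which is the graded output the text contrasts with a binary malicious/benign verdict.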
  • the cyber threat defense system's innovative approach to cyber security has pioneered the use of Bayesian methods for tracking changing device behaviors and computer network structures.
  • the core of the cyber threat defense system's mathematical modeling is the determination of normative behavior, enabled by a sophisticated software platform that allows for its mathematical models to be applied to new network data in real time. The result is a system that is able to identify subtle variations in machine events within a computer network's behavioral history that may indicate cyber-threat or compromise.
  • the cyber threat defense system uses mathematical analysis and machine learning to detect potential threats, allowing the system to stay ahead of evolving risks.
  • the cyber threat defense system approach means that detection no longer depends on an archive of previous attacks. Instead, attacks may be spotted against the background understanding of what represents normality within a network.
  • the cyber threat defense system may create digital antibodies automatically, as an immediate response to the most threatening cyber breaches.
  • the cyber threat defense system approach both detects and defends against cyber threat.
  • Genuine unsupervised machine learning eliminates the dependence on signature-based approaches to cyber security, which are not working.
  • the cyber threat defense system’s technology may become a vital tool for security teams attempting to understand the scale of their network, observe levels of activity, and detect areas of potential weakness. These no longer need to be manually sought out, but are flagged by the automated system and ranked in terms of their significance.
  • Machine learning technology is the fundamental ally in the defense of systems from the hackers and insider threats of today, and in formulating response to unknown methods of cyber-attack. It is a momentous step change in cyber security. Defense must start within.
  • the threat detection system that has been discussed above therefore implements a proprietary form of recursive Bayesian estimation to maintain a distribution over the probability state variable. This distribution is built from the complex set of low-level host, network and traffic observations or 'features'. These features are recorded iteratively and processed in real time on the platform.
  • in I/O problems such as the observation of packet traffic and host activity within a distributed digital enterprise, where both input and output may contain tens of thousands, sometimes even millions, of interrelated features (data transport, host-web-client dialogue, log change and rule trigger, etc.), learning a sparse and consistent structured predictive function is challenged by a lack of normal distribution.
  • the threat detection system consists of a data structure that decides on a rolling continuum rather than a stepwise method in which recurring time cycles such as the working day, shift patterns and other routines are dynamically assigned.
  • a non-frequentist architecture for inferring and testing causal links between explanatory variables, observations and feature sets. This permits an efficiently solvable convex optimization problem and yields parsimonious models.
  • the threat detection processing may be triggered by the input of new data.
  • the threat detection processing may be triggered by the absence of expected data.
  • the processing may be triggered by the presence of a particular actionable event.
  • the method and system are arranged to be performed by one or more processing components with any portions of software stored in an executable format on a computer readable medium.
  • the computer readable medium may be non-transitory and does not include radio or other carrier waves.
  • the computer readable medium could be, for example, a physical computer readable medium such as semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disc, and an optical disk, such as a CD-ROM, CD-R/W or DVD.
  • the various methods described above may be implemented by a computer program product.
  • the computer program product may include computer code arranged to instruct a computer to perform the functions of one or more of the various methods described above.
  • the computer program and/or the code for performing such methods may be provided to an apparatus, such as a computer, on a computer readable medium or computer program product.
  • a transitory computer readable medium may include radio or other carrier waves.
  • An apparatus such as a computer may be configured in accordance with such code to perform one or more processes in accordance with the various methods discussed herein.
  • a computing system may be, wholly or partially, part of one or more of the server or client computing devices in accordance with some embodiments.
  • Components of the computing system may include, but are not limited to, a processing unit having one or more processing cores, a system memory, and a system bus that couples various system components including the system memory to the processing unit.
  • the system bus may be any of several types of bus structures selected from a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures.
  • the computing system typically includes a variety of computing machine-readable media.
  • Computing machine-readable media may be any available media that may be accessed by the computing system and includes both volatile and nonvolatile media, and removable and non-removable media.
  • use of computing machine-readable media includes storage of information, such as computer-readable instructions, data structures, other executable software or other data.
  • Computer-storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other tangible medium which may be used to store the desired information, and which may be accessed by the computing device 900.
  • Transitory media, such as wireless channels, are not included in the machine-readable media.
  • Communication media typically embody computer readable instructions, data structures, other executable software, or other transport mechanism and includes any information delivery media.
  • the system memory includes computer storage media in the form of volatile and/or nonvolatile memory such as read only memory (ROM) and random access memory (RAM).
  • RAM typically contains data and/or software that are immediately accessible to and/or presently being operated on by the processing unit.
  • the RAM may include a portion of the operating system, application programs, other executable software, and program data.
  • the drives and their associated computer storage media discussed above, provide storage of computer readable instructions, data structures, other executable software and other data for the computing system.
  • a user may enter commands and information into the computing system through input devices such as a keyboard, touchscreen, or software or hardware input buttons, a microphone, a pointing device and/or scrolling input component, such as a mouse, trackball or touch pad.
  • the microphone may cooperate with speech recognition software.
  • These and other input devices are often connected to the processing unit through a user input interface that is coupled to the system bus, but may be connected by other interface and bus structures, such as a parallel port, game port, or a universal serial bus (USB).
  • a display monitor or other type of display screen device is also connected to the system bus via an interface, such as a display interface.
  • computing devices may also include other peripheral output devices such as speakers, a vibrator, lights, and other output devices, which may be connected through an output peripheral interface.
  • the computing system may operate in a networked environment using logical connections to one or more remote computers/client devices, such as a remote computing system.
  • the logical connections may include a personal area network (“PAN”) (e.g., Bluetooth®), a local area network (“LAN”) (e.g., Wi-Fi), and a wide area network (“WAN”) (e.g., cellular network), but may also include other networks.
  • a browser application or direct app corresponding with a cloud platform may be resident on the computing device and stored in the memory.
  • the present design may be carried out on a single computing system and/or on a distributed system in which different portions of the present design are carried out on different parts of the distributed computing system.
  • an application described herein includes but is not limited to software applications, mobile apps, and programs that are part of an OS. Some portions of this description are presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and representations are the means used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of steps leading to a desired result. The steps are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated.
  • a module may be implemented with electronic hardware, software stored in a memory, and/or a combination of both to perform its functions as discussed herein.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Health & Medical Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)
EP21808689.0A 2020-05-18 2021-05-18 Endpunkt-client-sensoren zur erweiterung der netzwerksichtbarkeit Pending EP4154136A4 (de)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US202063026446P 2020-05-18 2020-05-18
PCT/US2021/032995 WO2021236661A1 (en) 2020-05-18 2021-05-18 Endpoint client sensors for extending network visibility

Publications (2)

Publication Number Publication Date
EP4154136A1 true EP4154136A1 (de) 2023-03-29
EP4154136A4 EP4154136A4 (de) 2024-07-17

Family

ID=78708907

Family Applications (1)

Application Number Title Priority Date Filing Date
EP21808689.0A Pending EP4154136A4 (de) 2020-05-18 2021-05-18 Endpunkt-client-sensoren zur erweiterung der netzwerksichtbarkeit

Country Status (3)

Country Link
EP (1) EP4154136A4 (de)
CA (1) CA3184265A1 (de)
WO (1) WO2021236661A1 (de)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB201810294D0 (en) 2018-06-22 2018-08-08 Senseon Tech Ltd Cybe defence system
GB2602254B (en) 2020-12-15 2023-04-05 Senseon Tech Ltd Network traffic monitoring
US11438357B2 (en) 2018-06-22 2022-09-06 Senseon Tech Ltd Endpoint network sensor and related cybersecurity infrastructure
US11902318B2 (en) 2019-10-10 2024-02-13 Alliance For Sustainable Energy, Llc Network visualization, intrusion detection, and network healing
GB201915265D0 (en) 2019-10-22 2019-12-04 Senseon Tech Ltd Anomaly detection
IL289845A (en) * 2022-01-13 2023-08-01 Chaim Yifrach Amichai A system for detecting and preventing cyber attacks

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9088508B1 (en) * 2014-04-11 2015-07-21 Level 3 Communications, Llc Incremental application of resources to network traffic flows based on heuristics and business policies
US11005814B2 (en) * 2014-06-10 2021-05-11 Hewlett Packard Enterprise Development Lp Network security
WO2016073377A1 (en) * 2014-11-03 2016-05-12 Seven Networks, Llc Deep packet inspection (dpi) at an endpoint
US20160308898A1 (en) * 2015-04-20 2016-10-20 Phirelight Security Solutions Inc. Systems and methods for tracking, analyzing and mitigating security threats in networks via a network traffic analysis platform
US20160381049A1 (en) * 2015-06-26 2016-12-29 Ss8 Networks, Inc. Identifying network intrusions and analytical insight into the same
US10762201B2 (en) * 2017-04-20 2020-09-01 Level Effect LLC Apparatus and method for conducting endpoint-network-monitoring

Also Published As

Publication number Publication date
WO2021236661A1 (en) 2021-11-25
EP4154136A4 (de) 2024-07-17
CA3184265A1 (en) 2021-11-25

Similar Documents

Publication Publication Date Title
US20210273953A1 (en) ENDPOINT AGENT CLIENT SENSORS (cSENSORS) AND ASSOCIATED INFRASTRUCTURES FOR EXTENDING NETWORK VISIBILITY IN AN ARTIFICIAL INTELLIGENCE (AI) THREAT DEFENSE ENVIRONMENT
US12034767B2 (en) Artificial intelligence adversary red team
US11477219B2 (en) Endpoint agent and system
US11973774B2 (en) Multi-stage anomaly detection for process chains in multi-host environments
US20230011004A1 (en) Cyber security sandbox environment
US20210273973A1 (en) SOFTWARE AS A SERVICE (SaaS) USER INTERFACE (UI) FOR DISPLAYING USER ACTIVITIES IN AN ARTIFICIAL INTELLIGENCE (AI)-BASED CYBER THREAT DEFENSE SYSTEM
US20230336581A1 (en) Intelligent prioritization of assessment and remediation of common vulnerabilities and exposures for network nodes
US20220360597A1 (en) Cyber security system utilizing interactions between detected and hypothesize cyber-incidents
US20230132703A1 (en) Capturing Importance In A Network Using Graph Theory
US20230095415A1 (en) Helper agent and system
EP4154136A1 (de) Endpunkt-client-sensoren zur erweiterung der netzwerksichtbarkeit
CA3226148A1 (en) Cyber security system utilizing interactions between detected and hypothesize cyber-incidents

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20221117

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
REG Reference to a national code

Ref country code: DE

Ref legal event code: R079

Free format text: PREVIOUS MAIN CLASS: G06F0021120000

Ipc: H04L0009400000

A4 Supplementary search report drawn up and despatched

Effective date: 20240613

RIC1 Information provided on ipc code assigned before grant

Ipc: H04L 43/20 20220101ALN20240607BHEP

Ipc: H04L 43/062 20220101ALN20240607BHEP

Ipc: H04L 41/16 20220101ALN20240607BHEP

Ipc: H04L 41/14 20220101ALI20240607BHEP

Ipc: H04L 41/0631 20220101ALI20240607BHEP

Ipc: H04L 41/046 20220101ALI20240607BHEP

Ipc: H04L 67/1004 20220101ALI20240607BHEP

Ipc: H04L 67/02 20220101ALI20240607BHEP

Ipc: H04L 67/125 20220101ALI20240607BHEP

Ipc: H04L 43/028 20220101ALI20240607BHEP

Ipc: H04L 43/026 20220101ALI20240607BHEP

Ipc: G06F 21/55 20130101ALI20240607BHEP

Ipc: G06F 21/12 20130101ALI20240607BHEP

Ipc: H04L 9/40 20220101AFI20240607BHEP