WO2020016906A1 - Method and system for intrusion detection in an enterprise - Google Patents

Method and system for intrusion detection in an enterprise

Info

Publication number
WO2020016906A1
Authority
WO
WIPO (PCT)
Prior art keywords
intrusion
events
server
logs
enterprise
Prior art date
Application number
PCT/IN2019/050529
Other languages
English (en)
Inventor
Sriram Govindan
Original Assignee
Sriram Govindan
Priority date
Filing date
Publication date
Application filed by Sriram Govindan
Publication of WO2020016906A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Definitions

  • the present disclosure relates to the field of information security and cyber security, and particularly to a method and system for intrusion detection in an enterprise.
  • SIEM Security Information and Event Management
  • manual effort of an analyst may be needed to correlate a security event or incident and determine one or more reasons or inferences for the occurred security event, or for an alert generated by the SIEM based on the occurred security event. Further, the analyst needs to determine the steps to be taken upon detection of the intrusion. This in turn consumes time that could run to days or weeks and may also require a lot of manual effort, leading to longer investigation timelines.
  • the method includes receiving information associated with a user and an enterprise from one or more data sources in real time. Further, the method includes sorting one or more events in the received information in chronological order based on a timestamp associated with each event. Furthermore, the method includes determining a deviation between the sorted one or more events and a behaviour pattern comprising events routinely followed by the user. Finally, the method includes detecting an intrusion based on the determined deviation, wherein an alert is generated upon detecting the intrusion.
  • a server for intrusion detection in an enterprise
  • the server includes a processor and a memory communicatively coupled to the processor, wherein the memory stores processor-executable instructions which, on execution, cause the processor to receive information associated with a user and an enterprise from one or more data sources in real time.
  • the processor is configured to sort one or more events in the received information in chronological order based on a timestamp associated with each event.
  • the processor is configured to determine a deviation between the sorted one or more events and a behaviour pattern comprising events routinely followed by the user.
  • the processor is configured to detect an intrusion based on the determined deviation using a machine learning technique, wherein an alert is generated upon detecting the intrusion.
  • Figure 1 illustrates an exemplary environment for detecting intrusion in an enterprise, in accordance with some embodiments of the present disclosure
  • Figure 2 illustrates a block diagram of a server for detecting intrusion in an enterprise, in accordance with some embodiments of the present disclosure; and Figure 3 shows a flow diagram indicating a method for intrusion detection in an enterprise, in accordance with some embodiments of the present disclosure.
  • the present disclosure discloses a method to detect intrusion in an enterprise using patterns of behaviours of user and enterprise.
  • the intrusions may include, but are not limited to, logging in from multiple geographical locations at the same time, accessing or trying to access highly sensitive documents unauthorised for a particular user, accessing multiple systems in an enterprise network, multiple concurrent sessions from the same account at the same time from different hosts, privileged users assigning escalated privileges to their own account or to accounts of unprivileged users, emailing classified and sensitive data to a personal email ID or to email IDs outside of the network domain, and so on.
  • the intrusions are detected by determining a deviation between the one or more events from the received information and a behaviour pattern comprising events routinely followed by the user. Further, an alert may be sent to an analyst upon detecting an intrusion.
  • Figure 1 shows an exemplary environment for intrusion detection in an enterprise, in accordance with some embodiments of the present disclosure.
  • information security in an enterprise forms an integral part of risk management.
  • an information security system typically involves preventing and detecting an intrusion based on the information received from one or more data sources.
  • intrusion prevention and detection includes at least one of reducing the probability of unauthorized or inappropriate access, use, disclosure, disruption, deletion or destruction, corruption, modification, inspection, recording or devaluation of information associated with the enterprise.
  • the information security in an enterprise may include reducing the adverse impacts of an intrusion by generating alerts to an analyst (110).
  • the information security system may be housed on a server (101), for example an enterprise server local to the enterprise.
  • the one or more data sources providing the information associated with a user and the enterprise to the server (101) comprise at least one of active directory logs.
  • the one or more data sources may be housed on the one or more entities for example, a biometric device, a Radio Frequency Identification (RFID) scanner, a remote server, a database and the like.
  • the information provided by the one or more data sources to the server (101) may include relevant data regarding the one or more events occurring in the enterprise.
  • the one or more events may include the user punching in at the enterprise, the user logging into a computer system, the user logging in to a data server of the enterprise, one or more webpages accessed by the user, and the like.
  • a user login may be one of the one or more events, and the information regarding the event may include the employee ID of the user, the timestamp of the login, the place of the login, and the like.
  • the information associated with a user and an enterprise, received from the one or more data sources, may be normalised and a key value record generated.
  • the received information from the one or more data sources, in one or more file formats, is converted into a common format of data representation. For example, all the source IP addresses present at different positions in the received information from the one or more data sources may be accumulated and stored in one common position.
  • the key value record indicates one or more values associated with one or more parameters (key) in the received information.
  • the key may be source IP address and the one or more values associated with the key may be 165.12.34.1, 87.92.234.10 and the like.
  • the one or more events in the received information are sorted in chronological order based on the timestamp associated with each event.
  • the sorted one or more events may be as follows: the user punch-in may be at a timestamp t1, the user login to a computer system may be at the timestamp t2, the user accessing data from a remote server at the timestamp t3, and the like.
  • the sorting of the one or more events is used to trace the path of events followed by a user.
  • the sorted one or more events/traced path determined from the received information is compared with a behaviour pattern associated with the user and a peer group associated with the user.
  • the behaviour pattern includes events routinely followed by the user in the enterprise.
  • the behaviour pattern may include an average range of login time of the user in the enterprise, such as 10:00 AM to 10:15 AM.
  • a deviation in the sorted one or more events may be determined using Artificial Intelligence (AI) techniques such as an unsupervised machine learning algorithm. For example, a user who works in a morning shift (ending at 7pm) logging in at 6:00 AM may be identified as a deviation from the behaviour pattern. In another example, a user who works in a night shift (9pm-6am) logging out at 6am may not be identified as a deviation. Further, an intrusion may be detected based on the determined deviation using a supervised machine learning algorithm. Furthermore, an alert may be sent to the analyst (110) indicating the intrusion and a set of possible inferences for the detected intrusion.
  • AI Artificial Intelligence
  • the user login at 6:00 AM along with the login of one or more peer employees of the enterprise between 5:45 AM and 6:15 AM may not be detected as an intrusion.
  • the user alone logging in at 6:00 AM may be detected as an intrusion.
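The normalisation, chronological sorting and peer-group check described above, as an added worked example in Python (this is not code from the patent or its inventor): two constructed record layouts (a badge reader and directory login logs) are mapped onto one key/value shape, sorted by timestamp, and the user's login is compared with a baseline built from constructed past logins using the 5 to 10 minute tolerance the text mentions; a deviation is escalated to an intrusion only when no peer logged in close to the same time. The record keys, the 15-minute peer window and all sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

# Constructed sample records from two hypothetical sources. Each source puts the
# user id, timestamp and source IP under different keys; normalisation maps
# them onto one key/value layout before sorting.
BADGE_LOGS = [
    {"emp": "E100", "ts": "2019-07-01T05:58:00", "src": "10.1.1.5", "kind": "punch_in"},
]
AD_LOGS = [
    {"employee_id": "E100", "time": "2019-07-01T06:00:00", "client_ip": "10.1.1.7", "event": "login"},
    {"employee_id": "E101", "time": "2019-07-01T05:50:00", "client_ip": "10.1.1.8", "event": "login"},
    {"employee_id": "E102", "time": "2019-07-01T06:10:00", "client_ip": "10.1.1.9", "event": "login"},
]
# Constructed login history for E100; the behaviour pattern is derived from it.
E100_PAST_LOGINS = [
    datetime(2019, 6, 3, 10, 0),
    datetime(2019, 6, 4, 10, 5),
    datetime(2019, 6, 5, 10, 10),
]


@dataclass
class Event:
    ts: datetime
    user: str
    src_ip: str
    kind: str


def normalise(badge_logs, ad_logs):
    """Key/value record generation: map both layouts onto Event and return
    the events in chronological order (the traced path of the user)."""
    events = [Event(datetime.fromisoformat(r["ts"]), r["emp"], r["src"], r["kind"])
              for r in badge_logs]
    events += [Event(datetime.fromisoformat(r["time"]), r["employee_id"],
                     r["client_ip"], r["event"]) for r in ad_logs]
    return sorted(events, key=lambda e: e.ts)


def minute_of_day(ts):
    return ts.hour * 60 + ts.minute


def login_window(past_logins, tolerance_min=10):
    """Behaviour pattern: average historical login time plus/minus a tolerance
    (the text gives 5 to 10 minutes), as minutes after midnight."""
    avg = mean(minute_of_day(t) for t in past_logins)
    return avg - tolerance_min, avg + tolerance_min


def assess_login(events, user, past_logins, peer_window_min=15):
    """Flag the user's login as a deviation if it falls outside the window,
    and as an intrusion only if no peer logged in within peer_window_min."""
    lo, hi = login_window(past_logins)
    logins = [e for e in events if e.kind == "login"]
    own = next(e for e in logins if e.user == user)
    deviates = not (lo <= minute_of_day(own.ts) <= hi)
    peers = [e for e in logins
             if e.user != user
             and abs((e.ts - own.ts).total_seconds()) <= peer_window_min * 60]
    return {"login_time": own.ts.strftime("%H:%M"),
            "deviation": deviates,
            "peer_logins": len(peers),
            "intrusion": deviates and not peers}


if __name__ == "__main__":
    path = normalise(BADGE_LOGS, AD_LOGS)
    print([(e.ts.strftime("%H:%M"), e.user, e.kind) for e in path])
    print(assess_login(path, "E100", E100_PAST_LOGINS))  # peers present: deviation, no intrusion
    print(assess_login(normalise(BADGE_LOGS, AD_LOGS[:1]), "E100", E100_PAST_LOGINS))  # alone: intrusion
```

The baseline window is deliberately computed from the user's own history rather than from a fixed shift table, so the same function applies to a night-shift user whose 6am event is a logout rather than a login; the peer check is the only thing that separates "early but plausible" from "alone and anomalous".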
  • the inferences may help the analyst (110) to identify the root cause of the intrusion, and the analyst (110) may perform suitable actions to prevent such intrusions in the future or to prevent further loss of information in the enterprise by denying access to the user.
  • the analyst may have to manually track each user and create patterns of user events. Creating such patterns is very cumbersome and is prone to errors.
  • the analyst (110) may validate the detected intrusion, and based on the validation the supervised machine learning algorithm may be trained further and used in subsequent intrusion detections.
  • FIG. 2 shows an exemplary server (101) for intrusion detection in an enterprise, in accordance with some embodiments of the present disclosure.
  • the server (101) may receive information from the one or more data sources using one or more Application Program Interfaces (APIs).
  • the APIs are producer APIs (201).
  • the producer APIs (201) may be connected to the server (101) using a communication network (not shown) through a wired or a wireless interface.
  • a streaming platform (202A), for example a Kafka cluster (202B), may be used as the enterprise messaging system.
  • the Kafka cluster (202B) may be used to send alerts to the analyst (110) and to receive the information from the producer APIs (201) associated with the one or more data sources in the form of messages.
  • the Kafka cluster (202B) is a distributed publish-subscribe messaging system.
  • the Kafka cluster includes a robust queue capable of handling a high volume of data or information and enables the passage of messages from one endpoint to another.
  • the Kafka cluster (202B) is suitable for both offline and online message consumption. Kafka messages are persisted on disk and replicated within the cluster to prevent data loss.
  • the Kafka cluster (202B) integrates very well with various frameworks such as Storm and Spark for real-time streaming data analysis. Continuous streams of data are provided to the Kafka cluster (202B); real-time analysis is performed simultaneously, and the results of the analysis are provided to other systems.
  • a person of ordinary skill should appreciate that any existing streaming technique can be used in place of the Kafka cluster (202B), and the present disclosure is not limited to the Kafka cluster (202B).
  • Elasticsearch (203) may be used to search and retrieve data regarding the one or more events in the received information and inferences regarding the detected intrusion.
  • Elasticsearch (203) is a search engine based on the Lucene library.
  • Elasticsearch (203) provides a distributed, multitenant-capable full-text search engine with a Hyper Text Transfer Protocol (HTTP) web interface and schema-free JavaScript Object Notation (JSON) documents.
  • Elasticsearch (203) may be connected to the streaming platform using the connector APIs (204).
  • the use of Elasticsearch (203) reduces the time taken for retrieving data.
  • real-time analysis can be performed effectively. For example, consider an enterprise having 1000 employees. Databases storing a plurality of information about 1000 employees will lead to huge storage complexity, and retrieving data from such databases using a relational database can often be time consuming. Hence, to effectively detect intrusions and prevent mishaps in enterprises, Elasticsearch (203) can be employed.
  • H2O.ai (205) is used to perform data analysis such as normalisation.
  • H2O.ai (205) is an open-source application for big-data analysis.
  • H2O.ai (205) allows users to fit thousands of potential artificial intelligence based models as part of discovering patterns in the received information. A person skilled in the art should acknowledge that other normalizing applications/techniques will also fall under the purview of the present disclosure.
  • Sklearn (207) is a Python-based machine learning library for performing classification, regression, clustering, dimensionality reduction and the like. In an embodiment, equivalents to Sklearn (207) can be used to train the unsupervised and supervised machine learning algorithms.
  • Keras and TensorFlow (208) may be used to detect intrusion based on the detected one or more malicious activities and the determined deviations between the sorted one or more events in the received information and the behaviour pattern associated with the user and the enterprise.
  • TensorFlow is a free and open-source software library for dataflow and differentiable programming across a range of tasks. It is a symbolic math library and is used for machine learning applications such as neural networks.
  • Keras is an open-source neural-network library written in Python capable of running on top of TensorFlow. Keras contains numerous implementations of commonly used neural-network building blocks such as layers, objectives, activation functions, optimizers, and a host of tools to make working with image and text data easier. In addition to standard neural networks, Keras has support for convolutional and recurrent neural networks.
  • FIG. 3 shows a flow diagram showing a method for intrusion detection in an enterprise, in accordance with some embodiments of the present disclosure.
  • the server (101) receives information associated with the user and the enterprise from one or more data sources in real time.
  • the one or more data sources may be housed on one or more entities, for example a biometric device, a Radio Frequency Identification (RFID) scanner, a remote server, a database and the like.
  • the information provided by the one or more data sources to the server (101) may include relevant data regarding the one or more events occurring in the enterprise.
  • the one or more data sources comprise at least one of active directory logs, Dynamic Host Control Protocol (DHCP) logs, network packets, NetFlow, Domain Name System (DNS) logs, Security Information and Event Management (SIEM), firewalls, web proxy logs, Virtual Private Network (VPN) logs, Software as a Service (SAAS) logs, Cloud Access Brokers, and O365 (Office 365).
  • DHCP Dynamic Host Control Protocol
  • DNS Domain Name System
  • SIEM Security Information and Event Management
  • VPN Virtual Private Network
  • SAAS Software as a Service
  • AD Active Directory
  • the received information is cleansed and normalized to generate a key value record.
  • meaningful data is created from the raw information received from the one or more data sources.
  • the meaningful data may be created by removing noises, filling or deleting missing values, stateful ordering of data, normalization, attribute selection, discretization, concept hierarchy generation, dimensionality reduction and other steps so as to make the received information suitable for the machine learning algorithms for generating a behaviour pattern, identifying the one or more malicious activities and to detect intrusion in an enterprise.
  • some steps such as identity resolution, mapping an Internet Protocol (IP) address to a location, and mapping a MAC address are also needed for generating the key value record from the received information.
  • IP Internet Protocol
  • regular expressions and libraries such as pandas, numpy, scipy, sklearn (207) and keras utilities may be used to perform the cleaning and normalization and to generate the key value record.
  • one or more techniques known to a person skilled in the art may be implemented for performing the cleaning, normalization and generation of the key value record from the received information.
  • the server (101) may receive information regarding the travel information of the user, badge information of the user, Virtual Private Network (VPN) logs, active directory logs, and other login information from the one or more data sources.
  • the server (101) sorts the one or more events in the received information in chronological order. A timestamp associated with the one or more events may be extracted, and the one or more events may be sorted based on the timestamp.
  • the one or more events, i.e. the user swiping the badge at a timestamp t1, the user successfully logging in at location A at a timestamp t2, and a VPN used from an Internet Service Provider (ISP) at a location C at a timestamp t4, in the received information are sorted in chronological order based on the timestamp of occurrence of each event.
  • ISP Internet Service Provider
  • the server (101) determines a deviation between the sorted one or more events and a behaviour pattern comprising events routinely followed by the user.
  • the server (101) is configured to perform an unsupervised machine learning to categorize different types of user accounts and different types of data sources in the enterprise.
  • generating the behaviour pattern includes extracting one or more features from the one or more events in the received information.
  • the feature extraction may be performed for converting high dimensional data into a lower dimension to generate effective outputs from different machine learning algorithms.
  • the one or more features may be extracted using a Principal Component Analysis (PCA).
  • the feature extraction may be done using embedding of texts into vectors using the one or more algorithms of Natural Language Processing (NLP).
  • NLP Natural Language Processing
  • Word2vec and Doc2vec models may be used for the feature extraction.
  • the clustering algorithms may be applied on unlabelled features obtained from the received information and may be used to cluster similar features in a same group.
  • All the features in a cluster are more similar to each other as compared to features from other clusters.
  • the K-means clustering algorithm may be used to generate one or more clusters for the user and the enterprise.
  • the behaviour pattern is generated based on at least one of one or more statistical parameters computed from the received information and the generated one or more clusters.
  • the behaviour pattern associated with a user may be, for example, the login times of the user over one year, and the average of all the login times with a tolerance of 5 to 10 minutes may be the behaviour pattern of the user.
  • the server (101) may use clustering analysis to determine the deviation between the one or more events and the behaviour pattern by identifying, from the travel logs, whether the user travelled, and the time zone of the login performed at location A and location B.
  • the IP source address of the location A and location B and the like may be used to determine location information of the user.
  • the server (101) detects an intrusion based on the determined deviation between the one or more events in the received information and the behaviour pattern of the user.
  • detecting the intrusion includes determining one or more parameters indicative of a malicious activity by applying a supervised learning-based classification algorithm on the one or more events in the received information.
  • the one or more events in the received information may be classified as malicious activity, for example a suspicious DNS entry, or classifying received emails as legitimate or spam, scam, phishing and the like.
  • different types of security attacks may be identified using the determined one or more parameters.
  • the intrusion is detected based on at least one of the determined one or more parameters and the determined deviation using an artificial intelligence based deep learning technique.
  • the server (101) may further classify the detected intrusion to be one of “TRUE POSITIVE” and “FALSE POSITIVE” using the artificial intelligence based deep learning technique, for example Long Short-Term Memory (LSTM).
  • LSTM Long Short-Term Memory
  • the supervised learning based classification algorithm may detect as one or more parameters the login of the user at location A and location B and classify the one or more events as malicious activities. Further, the login at location A and location B using the same source IP address from the ISP may be classified as a malicious activity. Further, the artificial intelligence based deep learning technique may identify the malicious activities as “FALSE POSITIVE”, stating the reasons given below:
  • VPN was used from ISP (Slovakia ISP XY2 Telecom source IP: 135.122.13.10).
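The timeline described above (badge swipe, login at location A, VPN session from an ISP, login from another location) as an added Python example that is not part of the patent: the supervised classifier and the LSTM TRUE/FALSE POSITIVE step are replaced by explicit rules so the reasoning is visible. The IP-to-location table, the VPN egress address (a documentation-range address), the two-hour window and the events are all constructed; the ISP name is a placeholder, not the value given in the text.

```python
from datetime import datetime, timedelta

# Constructed IP-to-location table; a real deployment would use a geo-IP
# database. 203.0.113.10 (documentation range) stands in for the ISP egress
# address of the VPN.
IP_LOCATION = {"10.0.0.5": "A", "10.0.1.9": "B", "203.0.113.10": "C"}
VPN_EGRESS = {"203.0.113.10": "ISP XYZ Telecom (constructed placeholder)"}

# Constructed, deliberately unordered events for one user.
EVENTS = [
    {"ts": "2019-07-01T09:05:00", "user": "E100", "kind": "login", "src_ip": "10.0.0.5"},
    {"ts": "2019-07-01T09:00:00", "user": "E100", "kind": "badge", "src_ip": "10.0.0.5"},
    {"ts": "2019-07-01T09:40:00", "user": "E100", "kind": "login", "src_ip": "203.0.113.10"},
    {"ts": "2019-07-01T09:30:00", "user": "E100", "kind": "vpn_connect", "src_ip": "203.0.113.10"},
]


def parse_ts(event):
    return datetime.fromisoformat(event["ts"])


def sort_events(events):
    """Chronological ordering by timestamp: the traced path of the user."""
    return sorted(events, key=parse_ts)


def flag_multi_location_logins(events, user, window=timedelta(hours=2)):
    """Stand-in for the supervised classifier: report two consecutive logins
    of the user from different locations inside the window as a malicious
    activity parameter, or None if there is no such pair."""
    logins = [e for e in sort_events(events)
              if e["user"] == user and e["kind"] == "login"]
    for first, second in zip(logins, logins[1:]):
        loc_a = IP_LOCATION.get(first["src_ip"], "unknown")
        loc_b = IP_LOCATION.get(second["src_ip"], "unknown")
        if loc_a != loc_b and parse_ts(second) - parse_ts(first) <= window:
            return {"first": first, "second": second, "locations": (loc_a, loc_b)}
    return None


def classify_finding(events, user):
    """Stand-in for the deep-learning TRUE/FALSE POSITIVE step: a VPN session
    from the same egress IP that started before the second login explains
    the location change, so the finding is labelled FALSE POSITIVE with the
    reason; otherwise it stays TRUE POSITIVE."""
    finding = flag_multi_location_logins(events, user)
    if finding is None:
        return {"label": "NONE", "reasons": []}
    second = finding["second"]
    for e in sort_events(events):
        if (e["user"] == user and e["kind"] == "vpn_connect"
                and e["src_ip"] == second["src_ip"]
                and parse_ts(e) <= parse_ts(second)):
            isp = VPN_EGRESS.get(e["src_ip"], "unknown ISP")
            return {"label": "FALSE POSITIVE",
                    "reasons": [f"VPN was used from {isp} (source IP: {e['src_ip']})"]}
    loc_a, loc_b = finding["locations"]
    return {"label": "TRUE POSITIVE",
            "reasons": [f"login from location {loc_a} and location {loc_b} "
                        f"within 2 hours with no VPN session explaining it"]}


if __name__ == "__main__":
    print([(e["ts"][11:16], e["kind"]) for e in sort_events(EVENTS)])
    print(classify_finding(EVENTS, "E100"))
    print(classify_finding([e for e in EVENTS if e["kind"] != "vpn_connect"], "E100"))
```

Sorting before pairing matters: the same four records in their arrival order would pair the 09:40 login with nothing and the VPN event would appear to follow it, so the explanation step depends on the chronological path being built first.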
  • the intrusions detected by the server (101) may include at least one of: an unauthorized access attempt on a proxy, access to suspicious and prohibited web pages, a critical vulnerability on a critical host, an access attempt through dormant or terminated employee IDs, inbound or outbound connections from or to suspicious IP addresses, a data leakage attempt, logins to multiple user accounts from the same source device or IP, a user or group account created or modified by a non-security administrator, a non-recognized signature followed by a suspicious request on DNS which failed, and the like.
  • generating the alert includes determining a risk score of the detected intrusion based on the weightage assigned to the determined deviation and to the one or more parameters indicative of a malicious activity. The risk score is a calculated number that reflects the severity of the detected anomaly.
  • the risk score may be calculated by multiplying the probability associated with the one or more events or the detected intrusion by the weightage associated with the impact of the detected intrusion and the one or more events in the enterprise. For example, a low risk score may be associated with logging into the server from a different location in the same city, and a high risk score may be associated with logging into the server from a different country. Further, at least one of a notification and an inference is rendered based on the determined risk score and the detected intrusion. In an embodiment, the analyst (110), based on the alert generated by the server (101), validates the detected intrusion and classifies the detected intrusion as one of “TRUE POSITIVE” or “FALSE POSITIVE”.
  • the unsupervised learning algorithm used for generating the behaviour pattern, the supervised learning algorithm used for detecting malicious activity, and the deep learning technique used for detecting the intrusion may be further trained based on the validations provided by the analyst (110).
  • the inference may include one or more reasons for classifying the malicious activities as “TRUE POSITIVE”.
  • the one or more reasons may be obtained from a dictionary pre-configured by the analyst (110). For example, consider the user logging in to a database with unauthorized access at a timestamp of 12:00AM from a valid source IP address in the enterprise.
  • the classified malicious activities further detected as an intrusion may be used to alert the analyst (110) by sending a notification message and the inference “Unauthorized access to a database at a timestamp of 12:00AM”.
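Risk scoring, alert rendering and analyst validation as described above, as an added Python example (not the patent's own code): each finding's probability is multiplied by an analyst-assigned impact weightage, the overall score decides the severity of the notification, the inference text is rendered from a pre-configured dictionary, and the analyst's TRUE/FALSE POSITIVE validation is kept as a training record. The weightage values, the 5.0 threshold, taking the highest single finding as the overall score, and the dictionary entries are assumptions.

```python
from datetime import datetime

# Constructed weightage table: analyst-assigned impact of each deviation or
# malicious-activity parameter on a 1-10 scale (hypothetical values).
IMPACT_WEIGHT = {
    "login_other_location_same_city": 2,
    "login_other_country": 8,
    "unauthorized_db_access": 9,
}
# Pre-configured inference dictionary (analyst-maintained; constructed here).
INFERENCES = {
    "login_other_location_same_city":
        "Login to the server from a different location in the same city at a timestamp of {ts}",
    "login_other_country":
        "Login to the server from a different country at a timestamp of {ts}",
    "unauthorized_db_access":
        "Unauthorized access to a database at a timestamp of {ts}",
}
ALERT_THRESHOLD = 5.0   # assumed cut-off between low and high severity
TRAINING_FEEDBACK = []  # analyst validations collected for retraining


def score_finding(parameter, probability):
    """Risk score of one finding: probability multiplied by impact weightage."""
    return round(probability * IMPACT_WEIGHT[parameter], 2)


def build_alert(findings, threshold=ALERT_THRESHOLD):
    """findings: (parameter, probability, iso_timestamp) tuples. The overall
    risk score is the highest single finding (assumption); the notification
    and inference texts are rendered from the dictionary."""
    scored = [(p, prob, ts, score_finding(p, prob)) for p, prob, ts in findings]
    overall = max((s for *_, s in scored), default=0.0)
    severity = "HIGH" if overall >= threshold else "LOW"
    inferences = [INFERENCES[p].format(ts=datetime.fromisoformat(ts).strftime("%I:%M%p"))
                  for p, _, ts, _ in scored]
    return {"risk_score": overall,
            "severity": severity,
            "notification": f"[{severity}] risk score {overall} from {len(scored)} finding(s)",
            "inferences": inferences}


def record_validation(alert, label):
    """Analyst feedback: store the alert with its TRUE/FALSE POSITIVE label as
    a labelled record for the next model update."""
    if label not in ("TRUE POSITIVE", "FALSE POSITIVE"):
        raise ValueError("label must be TRUE POSITIVE or FALSE POSITIVE")
    record = {"inferences": alert["inferences"],
              "risk_score": alert["risk_score"],
              "label": label}
    TRAINING_FEEDBACK.append(record)
    return record


if __name__ == "__main__":
    # Same-city location change: low weightage, low score.
    print(build_alert([("login_other_location_same_city", 0.9, "2019-07-01T09:05:00")]))
    # Different country plus an unauthorized database access at 12:00AM: high score.
    high = build_alert([("login_other_country", 0.85, "2019-07-01T09:40:00"),
                        ("unauthorized_db_access", 0.7, "2019-07-01T00:00:00")])
    print(high["notification"], high["inferences"])
    print(record_validation(high, "TRUE POSITIVE"))
```

Keeping the weightage table and the inference dictionary as plain data, separate from the scoring code, is what lets the analyst adjust severities and wording without retraining anything; the validation records are the labelled dataset the later paragraphs describe.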
  • some examples of intrusion detection labelled as “TRUE POSITIVE” in an enterprise, with the classified malicious activity and possible attacks, are given below:
  • the malicious activities classified using the supervised learning algorithm include at least one of abnormal access to highly sensitive objects, an abnormal number of activities in a short time frame, activity from dormant or terminated user accounts, and access from different geolocations or multiple IPs; the possible attacks are pass the hash and session replay.
  • the malicious activities classified using the supervised learning algorithm include at least one of using privileged user accounts to assign escalated privileges to one's own account, abnormal access to classified and sensitive documents, and multiple concurrent sessions from the same account from different IPs, locations, etc.
  • the malicious activities classified using the supervised learning algorithm include at least one of downloading classified and sensitive documents, emails to personal accounts, file uploads to cloud storage or suspicious IPs, and accessing suspicious IPs or competitor websites.
  • the malicious activities classified using the supervised learning algorithm include at least one of endpoint security alerts and an intrusion timeline based on user accounts, alerts and activities associated with the enterprise; the possible attacks are advanced persistent threat and data exfiltration.
  • incidents generated may be rich in information.
  • the analysts for detecting the intrusion may easily deep-dive into issues without finding the root cause of the incident.
  • a labelled dataset may also be created for identifying categories of new users and enterprises as well as different anomalous behaviour resulting in “TRUE POSITIVE”. Said labelled data can be used for training the supervised machine learning models that can be used for predicting the type of the user and the enterprise, along with identification of the intrusion as “TRUE POSITIVE” or “FALSE POSITIVE”.
  • IP reputation models may also be helpful in detecting a TCP SYN FLOOD attack by checking whether the IP address is spoofed or not and filtering TCP packets to check if there are a lot of SYN and RST packets. Malicious UDP packet volume can be traced using firewall logs. Apart from this, risk can be assessed beforehand by training machine learning models to identify the critical assets, soft spots in the network or single points of failure and monitoring them more closely.
  • embodiments of the present disclosure address the manual correlation efforts of a security analyst and involve the process of context identification, incident storytelling, timeline derivation, and determining “why” the incident occurred. Thus, threats to the enterprise can be instantly identified and data loss can be prevented.
  • FIGURE 4 illustrates a block diagram of an exemplary computer system (400) for implementing embodiments consistent with the present disclosure.
  • the computer system (400) may be used to implement the method for detecting intrusion in an enterprise.
  • the computer system (400) may comprise a central processing unit (“CPU” or “processor”) (402).
  • the processor (402) may comprise at least one data processor for executing program components for dynamic resource allocation at run time.
  • the processor (402) may include specialized processing units such as integrated system (bus) controllers, memory management control units, floating point units, graphics processing units, digital signal processing units, etc.
  • the processor (402) may be disposed in communication with one or more input/output (I/O) devices (not shown) via an I/O interface (401).
  • the I/O interface (401) may employ communication protocols/methods such as, without limitation, audio, analog, digital, monaural, RCA, stereo, IEEE-1394, serial bus, universal serial bus (USB), infrared, PS/2, BNC, coaxial, component, composite, digital visual interface (DVI), high-definition multimedia interface (HDMI), RF antennas, S-Video, VGA, IEEE 802.11a/b/g/n/x, Bluetooth, cellular (e.g., code-division multiple access (CDMA), high-speed packet access (HSPA+), global system for mobile communications (GSM), long-term evolution (LTE), WiMax, or the like), etc.
  • CDMA code-division multiple access
  • HSPA+ high-speed packet access
  • GSM global system for mobile communications
  • LTE long-term evolution
  • the computer system (400) may communicate with one or more I/O devices.
  • the input device (410) may be an antenna, keyboard, mouse, joystick, (infrared) remote control, camera, card reader, fax machine, dongle, biometric reader, microphone, touch screen, touchpad, trackball, stylus, scanner, storage device, transceiver, video device/source, etc.
  • the output device (411) may be a printer, fax machine, video display (e.g., cathode ray tube (CRT), liquid crystal display (LCD), light-emitting diode (LED), plasma, plasma display panel (PDP), organic light-emitting diode display (OLED) or the like), audio speaker, etc.
  • CRT cathode ray tube
  • LCD liquid crystal display
  • the computer system (400) is connected to the service operator through a communication network (409).
  • the processor (402) may be disposed in communication with the communication network (409) via a network interface (403).
  • the network interface (403) may communicate with the communication network (409).
  • the network interface (403) may employ connection protocols including, without limitation, direct connect, Ethernet (e.g., twisted pair 10/100/1000 Base T), transmission control protocol/internet protocol (TCP/IP), token ring, IEEE 802.11a/b/g/n/x, etc.
  • the communication network (409) may include, without limitation, a direct interconnection, e-commerce network, a peer to peer (P2P) network, local area network (LAN), wide area network (WAN), wireless network (e.g., using Wireless Application Protocol), the Internet, Wi-Fi, etc.
  • P2P peer to peer
  • LAN local area network
  • WAN wide area network
  • the processor (402) may be disposed in communication with a memory (405) (e.g., RAM, ROM, etc., not shown in Figure 4) via a storage interface (404).
  • the storage interface (404) may connect to memory (405) including, without limitation, memory drives, removable disc drives, etc., employing connection protocols such as serial advanced technology attachment (SATA), Integrated Drive Electronics (IDE), IEEE-1394, Universal Serial Bus (USB), fibre channel, Small Computer Systems Interface (SCSI), etc.
  • the memory drives may further include a drum, magnetic disc drive, magneto-optical drive, optical drive, Redundant Array of Independent Discs (RAID), solid-state memory devices, solid-state drives.
  • the memory (405) may store a collection of program or database components, including, without limitation, a user interface (406), an operating system (407), a web browser (408), etc.
  • the computer system (400) may store user/application data (406), such as the data, variables, records, etc. as described in this disclosure.
  • databases may be implemented as fault-tolerant, relational, scalable, secure databases such as Oracle or Sybase.
  • the operating system (407) may facilitate resource management and operation of the computer system (400).
  • operating systems include, without limitation, APPLE® MACINTOSH OS X®, UNIX®, UNIX-like system distributions (e.g., BERKELEY SOFTWARE DISTRIBUTION® (BSD), FREEBSD®, NETBSD®, OPENBSD, etc.), LINUX® DISTRIBUTIONS (e.g., RED HAT®, UBUNTU®, KUBUNTU®, etc.), IBM® OS/2®, MICROSOFT® WINDOWS® (XP®, VISTA®/7/8/10, etc.), APPLE® IOS®, GOOGLE™ ANDROID™, BLACKBERRY® OS, or the like.
  • the computer system (400) may implement a web browser (408) stored program component.
  • the web browser (408) may be a hypertext viewing application, such as MICROSOFT® INTERNET EXPLORER®, GOOGLE™ CHROME™, MOZILLA® FIREFOX®, APPLE® SAFARI®, etc. Secure web browsing may be provided using Hypertext Transfer Protocol Secure (HTTPS), Secure Sockets Layer (SSL), Transport Layer Security (TLS), etc.
  • web browsers (408) may utilize facilities such as AJAX, HTML, ADOBE® FLASH®, JAVASCRIPT®, JAVA®, Application Programming Interfaces (APIs), etc.
  • the computer system (400) may implement a mail server stored program component.
  • the mail server may be an Internet mail server such as Microsoft Exchange, or the like.
  • the mail server may utilize facilities such as Active Server Pages (ASP), ACTIVEX®, ANSI® C++/C#, MICROSOFT® .NET, CGI SCRIPTS, JAVA®, JAVASCRIPT®, PERL®, PHP, PYTHON®, WEBOBJECTS®, etc.
  • the mail server may utilize communication protocols such as Internet Message Access Protocol (IMAP), Messaging Application Programming Interface (MAPI), MICROSOFT® Exchange, Post Office Protocol (POP), Simple Mail Transfer Protocol (SMTP), or the like.
  • the computer system (400) may implement a mail client stored program component.
  • the mail client may be a mail viewing application, such as APPLE® MAIL, MICROSOFT® ENTOURAGE®, MICROSOFT® OUTLOOK®, MOZILLA® THUNDERBIRD®, etc.
  • a computer-readable storage medium refers to any type of physical memory on which information or data readable by a processor may be stored.
  • a computer-readable storage medium may store instructions for execution by one or more processors, including instructions for causing the processors to perform steps or stages consistent with the embodiments described herein.
  • the term "computer-readable medium" should be understood to include tangible items and exclude carrier waves and transient signals, i.e., non-transitory. Examples include Random Access Memory (RAM), Read-Only Memory (ROM), volatile memory, non-volatile memory, hard drives, Compact Disc (CD) ROMs, Digital Video Discs (DVDs), flash drives, disks, and any other known physical storage media.
  • the information associated with the user and the enterprise may be received from the remote devices (71

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention relates to a system and method for detecting an intrusion in an enterprise. According to the invention, the server (101) receives, in real time and from one or more data sources, information associated with a user and with an enterprise. One or more events in the received information are then sorted in chronological order according to a timestamp associated with each event. A deviation is then determined between the sorted event(s) and a behaviour pattern, the behaviour pattern comprising the events that the user consistently follows. Finally, an intrusion is detected on the basis of the determined deviation using a machine-learning technique, and an alert is generated when the intrusion is detected.
PCT/IN2019/050529 2018-07-16 2019-07-16 Method and system for intrusion detection in an enterprise WO2020016906A1 (fr)
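The pipeline the abstract describes (collect events from several sources, sort them by timestamp, compare the sorted sequence with the user's consistent behaviour pattern, learn what counts as an intrusion, alert), as an added illustrative implementation. This is not the patent's code: the sample events are constructed, and the behaviour-pattern rule (actions present on at least 80% of historical days, ordered by where they usually first occur), the deviation metric (fraction of the pattern skipped or out of order plus fraction of never-seen actions) and the threshold (mean plus three standard deviations of the user's own history, standing in for the machine-learning technique the abstract leaves unspecified) are all assumptions made here.

```python
"""Added illustrative implementation of the abstract's pipeline: collect, sort by
timestamp, learn the user's consistent pattern, score deviation, alert.
Not the patent's code; pattern rule, metric and threshold are assumptions."""
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample data (not from the patent): one user's events per working day
# as (timestamp, source, action), as delivered by independent collectors, so a
# day's events are not guaranteed to arrive in chronological order.
HISTORY = [
    [("2019-07-01T08:02:11", "badge", "badge_in"),
     ("2019-07-01T08:15:40", "vpn", "vpn_login"),
     ("2019-07-01T09:01:05", "fileserver", "file_read"),
     ("2019-07-01T17:30:00", "vpn", "vpn_logout")],
    [("2019-07-02T08:15:40", "vpn", "vpn_login"),        # delivered out of order
     ("2019-07-02T07:58:30", "badge", "badge_in"),
     ("2019-07-02T10:11:00", "fileserver", "file_read"),
     ("2019-07-02T17:45:12", "vpn", "vpn_logout")],
    [("2019-07-03T08:05:00", "badge", "badge_in"),
     ("2019-07-03T08:20:10", "vpn", "vpn_login"),
     ("2019-07-03T11:00:00", "fileserver", "file_read"),
     ("2019-07-03T12:00:00", "fileserver", "file_read"),  # repeats are normal
     ("2019-07-03T17:35:00", "vpn", "vpn_logout")],
    [("2019-07-04T08:21:00", "vpn", "vpn_login"),        # forgot to badge in
     ("2019-07-04T09:40:00", "fileserver", "file_read"),
     ("2019-07-04T17:20:00", "vpn", "vpn_logout")],
    [("2019-07-05T08:00:00", "badge", "badge_in"),
     ("2019-07-05T08:16:00", "vpn", "vpn_login"),
     ("2019-07-05T09:30:00", "fileserver", "file_read"),
     ("2019-07-05T09:45:00", "printer", "print_job"),    # one-off extra action
     ("2019-07-05T17:40:00", "vpn", "vpn_logout")],
]
# Day under test (constructed): 02:00 VPN session, no badge-in, bulk copy.
SUSPECT_DAY = [
    ("2019-07-16T02:14:00", "fileserver", "file_read"),
    ("2019-07-16T02:03:22", "vpn", "vpn_login"),
    ("2019-07-16T02:20:00", "fileserver", "file_copy_bulk"),
    ("2019-07-16T02:41:00", "vpn", "vpn_logout"),
]

def sort_events(events):
    """Merge events from all sources into one chronological stream."""
    return sorted(events, key=lambda e: datetime.fromisoformat(e[0]))

def action_sequence(events):
    return [action for _, _, action in sort_events(events)]

def learn_baseline(history, min_support=0.8):
    """Behaviour pattern: actions seen on at least min_support of days,
    ordered by where in the day they usually first occur."""
    first_index = {}
    for day in history:
        seen = set()
        for i, action in enumerate(action_sequence(day)):
            if action not in seen:
                seen.add(action)
                first_index.setdefault(action, []).append(i)
    consistent = [a for a, idx in first_index.items()
                  if len(idx) / len(history) >= min_support]
    return sorted(consistent, key=lambda a: mean(first_index[a]))

def lcs_len(a, b):
    """Longest common subsequence length, O(len(a) * len(b))."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b):
            cur.append(prev[j] + 1 if x == y else max(prev[j + 1], cur[j]))
        prev = cur
    return prev[-1]

def deviation(events, baseline):
    """0.0 = day follows the pattern exactly. Fraction of the pattern skipped
    or out of order, plus fraction of events the user never normally performs."""
    seq = action_sequence(events)
    if not seq:
        return 1.0
    missing = (len(baseline) - lcs_len(seq, baseline)) / len(baseline)
    novel = sum(a not in baseline for a in seq) / len(seq)
    return missing + novel

def learn_threshold(history, baseline, k=3.0):
    """Stand-in for the unspecified learning step: alert when a day deviates
    more than k standard deviations above the user's own historical mean."""
    scores = [deviation(day, baseline) for day in history]
    return mean(scores) + k * pstdev(scores)

def detect(events, baseline, threshold):
    """Alert dict when the deviation crosses the threshold, else None."""
    score = deviation(events, baseline)
    if score <= threshold:
        return None
    seq = action_sequence(events)
    return {"score": round(score, 3), "threshold": round(threshold, 3),
            "novel_actions": sorted({a for a in seq if a not in baseline}),
            "missing_actions": [a for a in baseline if a not in seq],
            "first_event": sort_events(events)[0][0]}

if __name__ == "__main__":
    base = learn_baseline(HISTORY)
    print(detect(SUSPECT_DAY, base, learn_threshold(HISTORY, base)))
```

Sorting before comparison matters: the second history day arrives with the VPN login ahead of the badge swipe, and without the timestamp sort it would score as an out-of-order pattern. The threshold is learned per user from that user's own days, so a one-off extra action (the print job) raises the threshold slightly instead of being treated as an intrusion, while the suspect day, which both skips a consistent event and adds a never-seen one, lands well above it.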

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN201841026525 2018-07-16
IN201841026525 2018-07-16

Publications (1)

Publication Number Publication Date
WO2020016906A1 (fr) 2020-01-23

Family

ID=69165032

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IN2019/050529 WO2020016906A1 (fr) 2018-07-16 2019-07-16 Method and system for intrusion detection in an enterprise

Country Status (1)

Country Link
WO (1) WO2020016906A1 (fr)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170063894A1 (en) * 2015-08-31 2017-03-02 Splunk Inc. Network Security Threat Detection by User/User-Entity Behavioral Analysis
WO2017127850A1 (fr) * 2016-01-24 2017-07-27 Hasan Syed Kamran Computer security based on artificial intelligence

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113497793A (zh) * 2020-04-03 2021-10-12 中移动信息技术有限公司 Model optimisation method, alarm event detection method, apparatus and device
CN113497793B (zh) * 2020-04-03 2024-04-19 中移动信息技术有限公司 Model optimisation method, alarm event detection method, apparatus and device
CN114244539A (zh) * 2020-09-08 2022-03-25 中国电信股份有限公司 Web application attack analysis method and apparatus, and computer-readable storage medium
CN114244539B (zh) * 2020-09-08 2023-11-14 中国电信股份有限公司 Web application attack analysis method and apparatus, and computer-readable storage medium
CN112528277A (zh) * 2020-12-07 2021-03-19 昆明理工大学 A hybrid intrusion detection method based on recurrent neural networks
WO2022205808A1 (fr) * 2021-03-31 2022-10-06 Li Stanley Yuen Cyber-risk governance system and method for automating cybersecurity detection and remediation in a network
CN113572757A (zh) * 2021-07-21 2021-10-29 中国工商银行股份有限公司 Server access risk monitoring method and apparatus
CN113572757B (zh) * 2021-07-21 2022-10-11 中国工商银行股份有限公司 Server access risk monitoring method and apparatus
CN118041692A (zh) * 2024-04-11 2024-05-14 武汉明合永安科技有限公司 Network security testing method and system based on intrusion detection technology
CN118041692B (zh) * 2024-04-11 2024-06-11 武汉明合永安科技有限公司 Network security testing method and system based on intrusion detection technology

Similar Documents

Publication Publication Date Title
US11025674B2 (en) Cybersecurity profiling and rating using active and passive external reconnaissance
US11601475B2 (en) Rating organization cybersecurity using active and passive external reconnaissance
US20220014560A1 (en) Correlating network event anomalies using active and passive external reconnaissance to identify attack information
US11785040B2 (en) Systems and methods for cyber security alert triage
US10686829B2 (en) Identifying changes in use of user credentials
US20200389495A1 (en) Secure policy-controlled processing and auditing on regulated data sets
Mijwil et al. The significance of machine learning and deep learning techniques in cybersecurity: A comprehensive review
WO2020016906A1 (fr) Method and system for intrusion detection in an enterprise
US10601848B1 (en) Cyber-security system and method for weak indicator detection and correlation to generate strong indicators
CN110413908B (zh) Method and apparatus for classifying uniform resource locators based on website content
US10721245B2 (en) Method and device for automatically verifying security event
Cao et al. Machine learning to detect anomalies in web log analysis
US20200177608A1 (en) Ontology Based Persistent Attack Campaign Detection
US11310282B1 (en) Scoring confidence in user compliance with an organization's security policies
US20210360032A1 (en) Cybersecurity risk analysis and anomaly detection using active and passive external reconnaissance
Alani Big data in cybersecurity: a survey of applications and future trends
US20210281609A1 (en) Rating organization cybersecurity using probe-based network reconnaissance techniques
US20220207135A1 (en) System and method for monitoring, measuring, and mitigating cyber threats to a computer system
US20230283641A1 (en) Dynamic cybersecurity scoring using traffic fingerprinting and risk score improvement
Hemdan et al. Spark-based log data analysis for reconstruction of cybercrime events in cloud environment
Shukla et al. SDDA-IoT: storm-based distributed detection approach for IoT network traffic-based DDoS attacks
CN110955890A (zh) Detection method, apparatus and computer storage medium for malicious bulk access behaviour
EP4352674A1 (fr) Scoring confidence in user compliance with an organization's security policies
Das et al. A Model of Cloud Forensic Application With Assurance of Cloud Log
Hyder et al. Towards digital forensics investigation of wordpress applications running over kubernetes

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19837900

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19837900

Country of ref document: EP

Kind code of ref document: A1