Identifying security breaches from clustering properties

US10831785B2 · US · B2

Patent metadata
Field               Value
Publication number  US-10831785-B2
Application number  US-201615095177-A
Country             US
Kind code           B2
Filing date         Apr 11, 2016
Priority date       Apr 11, 2016
Publication date    Nov 10, 2020
Grant date          Nov 10, 2020

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Embodiments of the present invention may provide the capability to identify security breaches in computer systems from clustering properties of clusters generated based on monitored behavior of users of the computer systems by using techniques that provide improved performance and reduced resource requirements. For example, behavior of users or resources may be monitored and analyzed to generate clusters and train clustering models. Labeling information relating to some user or resource may be received. When users or resources are clustered and when a cluster contains some labeled users/resources then an anomaly score can be determined for a user/resource belonging to the cluster. A user or resource may be detected to be an outlier of at least one cluster to which the user or resource has been assigned, and an alert indicating detection of the outlier may be generated.

First claim

Opening claim text (preview).

What is claimed is:

1. A computer-implemented method of identifying security breaches in a computer system comprising: monitoring behavior of users or resources of at least one computer system and storing unlabeled information on the monitored behaviors; analyzing the stored unlabeled information on the monitored behaviors to generate clusters and train clustering models, wherein each user or resource is assigned to at least one cluster based on an unlabeled first feature of the behaviors; receiving information relating to a second feature of the behaviors of a user or resource, wherein the second feature is different than the first feature that was used to assign each user or resource to at least one cluster, and wherein the information relating to the second feature is a label of the user or resource; detecting at least one outlier within the clusters generated using the first feature by: generating an anomaly score between a user or resource and at least one cluster to which the user or resource has been assigned, wherein an anomaly score for the user or resource is increased when the second feature for the user or resource is different than the second features for a majority of other users or resources assigned to the at least one cluster; detecting a user or resource to be an outlier of at least one cluster to which the user or resource has been assigned based on the anomaly score of a user or resource; and generating an alert indicating detection of the outlier.

2. The method of claim 1, wherein the first feature does not include labeling information.

3. The method of claim 1, wherein an alert is not generated until an anomaly score of a user or resource reaches a threshold value.

4. The method of claim 3, wherein the anomaly score of a user or resource is increased when a cluster assignment of the user or resource is moved to a differently labeled cluster, or when the user or resource is first assigned to a cluster.

5. A system for identifying security breaches in a computer system, the system comprising a processor, memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor to perform: monitoring behavior of users or resources of at least one computer system and storing unlabeled information on the monitored behaviors; analyzing the stored unlabeled information on the monitored behaviors to generate clusters and train clustering models, wherein each user or resource is assigned to at least one cluster based on an unlabeled first feature of the behaviors; receiving information relating to a second feature of the behaviors of a user or resource, wherein the second feature is different than the first feature that was used to assign each user or resource to at least one cluster, and wherein the information relating to the second feature is a label of the user or resource; detecting at least one outlier within the clusters generated using the first feature by: generating an anomaly score between a user or resource and at least one cluster to which the user or resource has been assigned, wherein an anomaly score for the user or resource is increased when the second feature for the user or resource is different than the second features for a majority of other users or resources assigned to the at least one cluster; detecting a user or resource to be an outlier of at least one cluster to which the user or resource has been assigned based on the anomaly score of a user or resource; and generating an alert indicating detection of the outlier.

6. The system of claim 5, wherein the first feature does not include labeling information.

7. The system of claim 5, wherein an alert is not generated until an anomaly score of a user or resource reaches a threshold value.

8. The system of claim 7, wherein the anomaly score of a user or resource is increased when a cluster assignment of the user or resource is moved to a differently labeled cluster, or when the user or resource is first assigned to a cluster.

9. A computer program product for identifying security breaches in a computer system, the computer program product comprising a non-transitory computer readable storage having program instructions embodied therewith, the program instructions executable by a computer, to cause the computer to perform a method comprising: monitoring behavior of users or resources of at least one computer system and storing unlabeled information on the monitored behaviors; analyzing the stored unlabeled information on the monitored behaviors to generate clusters and train clustering models, wherein each user or resource is assigned to at least one cluster based on an unlabeled first feature of the behaviors; receiving information relating to a second feature of the behaviors of a user or resource, wherein the second feature is different than the first feature that was used to assign each user or resource to at least one cluster, and wherein the information relating to the second feature is a label of the user or resource; detecting at least one outlier within the clusters generated using the first feature by: generating an anomaly score between a user or resource and at least one cluster to which the user or resource has been assigned, wherein an anomaly score for the user or resource is increased when the second feature for the user or resource is different than the second features for a majority of other users or resources assigned to the at least one cluster; detecting a user or resource to be an outlier of at least one cluster to which the user or resource has been assigned based on the anomaly score of a user or resource; and generating an alert indicating detection of the outlier.

10. The computer program product of claim 9, wherein the first feature does not include labeling information.

11. The computer program product of claim 9, wherein an alert is not generated until an anomaly score of a user or resource reaches a threshold value.

12. The computer program product of claim 11, wherein the anomaly score of a user or resource is increased when a cluster assignment of the user or resource is moved to a differently labeled cluster, or when the user or resource is first assigned to a cluster.
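As an added example (not code from the patent or from its assignee), the scoring rules of claims 1, 3 and 4 in Python: a user's score rises on first assignment, on a move to a differently labeled cluster, and whenever its label disagrees with a strict majority of the other members of its cluster, with an alert only once a threshold is reached. Cluster ids are assumed to come from an upstream clustering of the unlabeled first feature; the users, departments and cluster assignments are constructed sample data.

```python
from collections import Counter, defaultdict

def cluster_labels(assignment, labels):
    """Majority label of each cluster, over its labeled members."""
    members = defaultdict(list)
    for user, cid in assignment.items():
        if user in labels:
            members[cid].append(labels[user])
    return {cid: Counter(ls).most_common(1)[0][0] for cid, ls in members.items()}

def disagrees_with_peers(user, cid, assignment, labels):
    """Claim 1: label differs from that of a strict majority of the OTHER members."""
    others = [labels[v] for v, c in assignment.items() if c == cid and v != user and v in labels]
    if not others or user not in labels:
        return False
    top, count = Counter(others).most_common(1)[0]
    return count * 2 > len(others) and labels[user] != top

class ClusterLabelAnomalyScorer:
    def __init__(self, threshold=3):
        self.threshold = threshold                 # claim 3: alert only at/above this score
        self.scores = defaultdict(int)
        self.prev_assignment, self.prev_cluster_label = {}, {}   # state from the previous round

    def update(self, assignment, labels):
        """One clustering round; returns users whose score reached the threshold."""
        cur, alerts = cluster_labels(assignment, labels), []
        for user, cid in assignment.items():
            old = self.prev_assignment.get(user)
            if old is None:
                self.scores[user] += 1             # claim 4: first assignment to a cluster
            elif old != cid and self.prev_cluster_label.get(old) != cur.get(cid):
                self.scores[user] += 1             # claim 4: moved to a differently labeled cluster
            if disagrees_with_peers(user, cid, assignment, labels):
                self.scores[user] += 1             # claim 1: odd one out within its own cluster
            if self.scores[user] >= self.threshold:
                alerts.append(user)
        self.prev_assignment, self.prev_cluster_label = dict(assignment), cur
        return alerts

# Constructed sample: labels are departments (second feature); cluster ids are assumed to
# come from an upstream clustering of an unlabeled behavioral feature (first feature).
LABELS = {"alice": "eng", "bob": "eng", "carol": "finance",
          "dave": "finance", "erin": "finance", "frank": "eng"}
ROUND1 = {"alice": 0, "bob": 0, "carol": 0, "dave": 1, "erin": 1, "frank": 0}
ROUND2 = dict(ROUND1, bob=1)   # bob's behavior now clusters with the finance users

def run_demo(threshold=3):
    scorer = ClusterLabelAnomalyScorer(threshold)
    return scorer.update(ROUND1, LABELS), scorer.update(ROUND2, LABELS), dict(scorer.scores)
```

In the sample, carol (finance, clustered with engineers) and bob (an engineer whose behavior moved into the finance cluster) are the two users that reach the threshold in the second round.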

Assignees

IBM

Inventors

Classifications

  • Traffic logging, e.g. anomaly detection · CPC title

  • Machine learning · CPC title

  • G06F16/285 (Primary): Clustering or classification · CPC title

  • Event detection, e.g. attack signature detection · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10831785B2 cover?
Embodiments of the present invention may provide the capability to identify security breaches in computer systems from clustering properties of clusters generated based on monitored behavior of users of the computer systems by using techniques that provide improved performance and reduced resource requirements. For example, behavior of users or resources may be monitored and analyzed to generat…
Who is the assignee on this patent?
IBM
What technology area does this patent fall under?
Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
When was this patent published?
Publication date Nov 10, 2020 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).