Comprehensible threat detection

US11985154B2 · US · B2

Patent metadata
Publication number: US-11985154-B2
Application number: US-202217668639-A
Country: US
Kind code: B2
Filing date: Feb 10, 2022
Priority date: Oct 26, 2021
Publication date: May 14, 2024
Grant date: May 14, 2024

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Techniques for combining threat-related events associated with different modalities to provide a complete insight into cyber attack life cycles. The techniques may include receiving telemetry data associated with one or more modalities and detecting, based at least in part on the telemetry data, one or more abnormal events associated with security incidents. The one or more abnormal events may include at least a first abnormal event associated with a first modality and a second abnormal event associated with a second modality. The techniques may also include determining that an entity associated with the abnormal events is a same entity and, based at least in part on the entity comprising the same entity, determining that a correlation between the abnormal events is indicative of a security incident. Based at least in part on the correlation, an indication associated with the security incident may be output.

First claim

Opening claim text (preview).

What is claimed is:

1. A system comprising: one or more processors; and one or more non-transitory computer-readable media storing instructions that, when executed by the one or more processors, cause the system to perform operations comprising: receiving telemetry data associated with one or more modalities, the one or more modalities including at least a first modality and a second modality, the second modality different from the first modality; detecting, in the telemetry data, one or more abnormal events associated with security incidents, the one or more abnormal events including at least a first abnormal event associated with the first modality and a second abnormal event associated with the second modality; determining a first mapping between a first endpoint identifier associated with the first modality and a network address associated with an entity; determining a second mapping between a second endpoint identifier associated with the second modality and the network address associated with the entity; determining, based at least in part on the first mapping and the second mapping, that the first abnormal event and the second abnormal event are each associated with a same entity; based at least in part on the first abnormal event and the second abnormal event each being associated with the same entity, determining that a correlation between the first abnormal event and the second abnormal event is indicative of a security incident; and based at least in part on the correlation, outputting an indication of the security incident.

2. The system of claim 1, wherein the telemetry data associated with the one or more modalities comprises at least one of: web proxy logs, file execution logs, firewall logs, network connection logs, endpoint logs, email activity logs, or instant messaging logs.

3. The system of claim 1, the operations further comprising: inputting, into a machine-learned model, first data associated with the first abnormal event and second data associated with the second abnormal event; and receiving, from the machine-learned model, an output indicating that the first abnormal event and the second abnormal event are indicative of the security incident.

4. The system of claim 1, wherein the first abnormal event is detected by a first unimodal detector that is specific to the first modality and the second abnormal event is detected by a second unimodal detector that is specific to the second modality.

5. The system of claim 1, wherein determining that the first abnormal event and the second abnormal event are each associated with the same entity comprises determining that the first abnormal event and the second abnormal event are each associated with a same server.

6. The system of claim 1, wherein determining that the first abnormal event and the second abnormal event are each associated with the same entity comprises determining that the first abnormal event and the second abnormal event are each associated with a same user device.

7. The system of claim 1, the operations further comprising: assigning the first abnormal event and the second abnormal event to the same entity; and determining the correlation between the first abnormal event and the second abnormal event based at least in part on the assigning.

8. The system of claim 1, the operations further comprising assigning the first abnormal event and the second abnormal event as originating from the same entity, wherein the entity is at least one of a specific device or a specific user.

9. A method comprising: receiving, from a first unimodal detector, first data associated with a first abnormal event, the first abnormal event detected by the first unimodal detector based at least in part on first telemetry data associated with a first modality; receiving, from a second unimodal detector, second data associated with a second abnormal event, the second abnormal event detected by the second unimodal detector based at least in part on second telemetry data associated with a second modality that is different from the first modality; determining a first mapping between a first endpoint identifier associated with the first modality and a network address associated with an entity; determining a second mapping between a second endpoint identifier associated with the second modality and the network address associated with the entity; determining, based at least in part on the first mapping and the second mapping, that the first abnormal event and the second abnormal event are each associated with a same entity; based at least in part on the first abnormal event and the second abnormal event each being associated with the same entity, determining that a correlation between the first abnormal event and the second abnormal event is indicative of a security incident; and based at least in part on the correlation, outputting an indication of the security incident.

10. The method of claim 9, wherein: the first data includes a first indication of an entity affected by the first abnormal event, the second data includes a second indication of an entity affected by the second abnormal event, and determining that the first abnormal event and the second abnormal event are each associated with the same entity is based at least in part on the first indication and the second indication.

11. The method of claim 9, wherein: the first data includes a first timestamp associated with the first abnormal event, the second data includes a second timestamp associated with the second abnormal event, and determining that the correlation is indicative of the security incident is further based at least in part on the first timestamp and the second timestamp.

12. The method of claim 11, further comprising determining a length of a period of time between the first timestamp and the second timestamp, wherein determining that the correlation is indicative of the security incident is further based at least in part on the length of the period of time.

13. The method of claim 9, wherein the first telemetry data is different from the second telemetry data, the first telemetry data comprising at least one of: web proxy logs, file execution logs, firewall logs, network connection logs, endpoint logs, email activity logs, or instant messaging logs.

14. The method of claim 9, further comprising: inputting, into a machine-learned model, the first data associated with the first abnormal event and the second data associated with the second abnormal event; and receiving, from the machine-learned model, an output indicating that the first abnormal event and the second abnormal event are indicative of the security incident.

15. The method of claim 9, wherein the first unimodal detector is specifically configured for the first modality and the second unimodal detector is specifically configured for the second modality.

16. The method of claim 9, wherein determining that the first abnormal event and the second abnormal event are each associated with the same entity comprises at least one of: determining that the first abnormal event and the second abnormal event are each associated with a same server; or determining that the first abnormal event and the second abnormal event are each associated with a same user device.

17. The method of claim 9, the operations further comprising assigning the first abnormal event and the second abnormal event as originating from the same entity, wherein the entity is at least one of a specific device or a specific user.

18. On
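The pipeline the independent claims describe, as an added worked example written for this page (it is not Cisco's code and not the implementation the patent discloses): two unimodal detectors, one over web proxy logs and one over endpoint execution logs, each emit abnormal events carrying their own modality-specific endpoint identifier (client IP for the proxy, hostname for the EDR agent). The correlator maps both identifiers onto a network address through a time-bounded lease table (the "first mapping" and "second mapping" of claims 1 and 9), groups events by the resolved entity, and outputs an incident only when events from two different modalities fall on the same entity within a short window (the timestamp and time-gap tests of claims 11 and 12). The hostnames, addresses, lease intervals, log lines, domains and thresholds are all constructed for illustration.

```python
# Added worked example (not Cisco's code, not the patent's implementation):
# unimodal detectors -> entity resolution via time-bounded identifier mapping
# -> cross-modal correlation within a time window -> incident output.
# All hosts, addresses, lease intervals, log lines and thresholds are constructed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AbnormalEvent:
    modality: str      # "web_proxy" or "endpoint"
    endpoint_id: str   # modality-specific identifier: proxy client IP or EDR hostname
    ts: datetime
    description: str


# Constructed identity-mapping table (what a DHCP lease log or asset inventory gives
# you): hostname -> network address, valid over [start, end). Note that 10.1.4.23 is
# reused by a different host after 18:00, which is exactly why the mapping is time-bounded.
LEASES = [
    ("host-finance-07", "10.1.4.23", datetime(2024, 5, 1, 8, 0), datetime(2024, 5, 1, 18, 0)),
    ("host-finance-07", "10.1.4.58", datetime(2024, 5, 1, 18, 0), datetime(2024, 5, 2, 8, 0)),
    ("host-hr-02",      "10.1.4.23", datetime(2024, 5, 1, 18, 0), datetime(2024, 5, 2, 8, 0)),
]

# Constructed telemetry. Proxy line: ts client_ip method host status bytes.
PROXY_LOG = """\
2024-05-01T09:02:11 10.1.4.23 GET intranet.example.corp 200 512
2024-05-01T09:15:40 10.1.4.23 POST files.unseen-cdn.example 200 48300000
2024-05-01T19:06:30 10.1.4.23 POST sync.unseen-storage.example 200 51000000
"""
# EDR line: ts hostname image_path (host-finance-07 has moved to 10.1.4.58 by 19:05).
EDR_LOG = r"""2024-05-01T09:14:05 host-finance-07 C:\Users\bob\AppData\Local\Temp\svchost.exe
2024-05-01T10:30:00 host-hr-02 C:\Program Files\Vendor\update.exe
2024-05-01T19:05:00 host-finance-07 C:\Users\bob\AppData\Local\Temp\run.exe
"""
KNOWN_DOMAINS = {"intranet.example.corp", "news.example.com"}  # constructed allow-list


def proxy_detector(log: str) -> list:
    """Unimodal detector for web proxy logs: large POST to a never-seen domain."""
    events = []
    for line in log.splitlines():
        ts, client_ip, method, host, _status, size = line.split()
        if method == "POST" and int(size) > 10_000_000 and host not in KNOWN_DOMAINS:
            events.append(AbnormalEvent("web_proxy", client_ip, datetime.fromisoformat(ts),
                                        f"large POST to unseen domain {host}"))
    return events


def endpoint_detector(log: str) -> list:
    """Unimodal detector for endpoint execution logs: binary launched from a user Temp dir."""
    events = []
    for line in log.splitlines():
        ts, host, path = line.split(maxsplit=2)
        if "\\AppData\\Local\\Temp\\" in path:
            events.append(AbnormalEvent("endpoint", host, datetime.fromisoformat(ts),
                                        f"execution from Temp: {path}"))
    return events


def resolve_entity(ev: AbnormalEvent):
    """Map the modality-specific identifier to the network address bound to it at ev.ts.
    The proxy already logs the client address; the EDR hostname goes through the
    time-bounded lease table so a reused address is never merged across two hosts.
    Returns None when no mapping covers the timestamp."""
    if ev.modality == "web_proxy":
        return ev.endpoint_id
    for host, address, start, end in LEASES:
        if host == ev.endpoint_id and start <= ev.ts < end:
            return address
    return None


def correlate(events, window=timedelta(minutes=30)):
    """Group abnormal events by resolved entity and report a security incident for
    each pair from *different* modalities whose timestamps lie within `window`."""
    by_entity = defaultdict(list)
    for ev in events:
        entity = resolve_entity(ev)
        if entity is not None:  # an identifier that cannot be mapped is never merged
            by_entity[entity].append(ev)
    incidents = []
    for entity, evs in by_entity.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            for second in evs[i + 1:]:
                gap = second.ts - first.ts
                if first.modality != second.modality and gap <= window:
                    incidents.append({"entity": entity, "gap_seconds": gap.total_seconds(),
                                      "events": (first, second)})
    return incidents


def run():
    """Feed both unimodal detectors into the correlator; returns the incident list."""
    return correlate(proxy_detector(PROXY_LOG) + endpoint_detector(EDR_LOG))


if __name__ == "__main__":
    for inc in run():
        print(f"incident on {inc['entity']} ({inc['gap_seconds']:.0f}s apart):")
        for ev in inc["events"]:
            print(f"  [{ev.modality}] {ev.ts.isoformat()} {ev.description}")
```

Running it reports a single incident on 10.1.4.23: the Temp-directory execution on host-finance-07 at 09:14:05, followed 95 seconds later by a 48 MB POST to an unseen domain from the same address. The 19:05 execution on host-finance-07 and the 19:06 upload from 10.1.4.23 do not pair up, because by then the lease table resolves host-finance-07 to 10.1.4.58; a static hostname-to-address table would have merged two unrelated hosts into one false incident. Claims 3 and 14 put a machine-learned model in place of the fixed 30-minute rule used here, but the same-entity resolution step is what keeps either decision from mixing up hosts, so it is worth checking that whatever identity source feeds it carries validity intervals.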

Assignees

Cisco Tech Inc

Classifications

Primary CPC: H04L63/1425


Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11985154B2 cover?
Techniques for combining threat-related events associated with different modalities to provide a complete insight into cyber attack life cycles. The techniques may include receiving telemetry data associated with one or more modalities and detecting, based at least in part on the telemetry data, one or more abnormal events associated with security incidents. The one or more abnormal events may …
Who is the assignee on this patent?
Cisco Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1425 (within H04L63/14, network security measures for detecting or protecting against malicious traffic; /1425 covers traffic logging and anomaly detection). Mapped technology areas include Electricity (CPC section H).
When was this patent published?
Publication date May 14, 2024 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 7 related publications on this page (citations in our corpus or others sharing the same primary CPC).