Cybersecurity Detection and Mitigation System Using Machine Learning and Advanced Data Correlation
| Field | Value |
|---|---|
| Publication number | US-2020311280-A1 |
| Application number | US-201916367676-A |
| Country | US |
| Kind code | A1 |
| Filing date | Mar 28, 2019 |
| Priority date | Mar 28, 2019 |
| Publication date | Oct 1, 2020 |
| Grant date | — |
Abstract
Techniques are provided for intrusion detection on a computer system. In an example, a computer host device is configured to access data storage of the computer system via a communications network. It can be determined that the computer host device is behaving anomalously because a first current access by the computer host device to the data storage deviates from a second expected access by the computer host device to the data storage by more than a predefined amount. Then, in response to determining that the computer host device is behaving anomalously, the computer system can mitigate against the computer host device behaving anomalously.
Claims
What is claimed is:
1. A system, comprising: a processor; and a memory that stores executable instructions that, when executed by the processor, facilitate performance of operations, comprising: enabling a computer host device to access data storage via a communications network; determining that the computer host device is behaving anomalously because a first current access by the computer host device to the data storage deviates from a second expected access by the computer host device to the data storage by more than a predefined amount; and in response to determining that the computer host device is behaving anomalously, mitigating against the computer host device behaving anomalously.
2. The system of claim 1, wherein the first current access by the computer host device to the data storage comprises at least one from a set, the set comprising a rate of sequential reads or writes, a rate of random reads or writes, a total number of sequential reads or writes, a total number of random reads or writes, a percentage of reads or writes that are sequential, and a percentage of reads or writes that are random.
3. The system of claim 1, wherein the mitigating against the computer host device behaving anomalously comprises: sending an alert to an administrator of the system.
4. The system of claim 1, wherein the mitigating against the computer host device behaving anomalously comprises: throttling a bandwidth of data available to the computer host device to access the data storage.
5. The system of claim 1, wherein the mitigating against the computer host device behaving anomalously comprises: quarantining a write request from the computer host device to the data storage.
6. The system of claim 4, wherein the operations further comprise: after quarantining the write request, and in response to determining that the computer host device is permitted to make the write request, effectuating the write request on the data storage.
7. The system of claim 1, wherein the mitigating against the computer host device behaving anomalously comprises: suspending a permission of the computer host device to read data from the data storage.
8. A method, comprising: configuring, by a system comprising a processor, a first computer host device with access to data storage via a communications network; determining, by the system, that the computer host device is behaving anomalously because a first current access by the computer host device to the data storage deviates from a second expected access by the computer host device to the data storage by more than a predefined amount; and mitigating, by the system, against the computer host device behaving anomalously.
9. The method of claim 8, wherein the mitigating against the computer host device behaving anomalously comprises: terminating a communications link between the computer host device and the system.
10. The method of claim 8, wherein the determining that the computer host device is behaving anomalously further comprises: determining, by the system, that the computer host device is behaving anomalously based on the first current access by the computer host device to the data storage matching a first known attack signature.
11. The method of claim 10, wherein the computer host device is a first computer host device, and further comprising: determining the first known attack signature based on a second signature of a second computer host device and a third signature of a third computer host device that exhibit anomalous access to the data storage.
12. The method of claim 8, wherein the computer host device is a first computer host device, and further comprising: implementing, by the system, a first learning period for a second computer host device upon initially communicating with the system, during which anomalous behavior by the second computer host device does not result in mitigation.
13. The method of claim 8, further comprising: determining, by the system, the second expected access by the computer host device to the data storage based on past behavior of the computer host device.
14. The method of claim 8, further comprising: in response to determining that the computer host device continues to behave anomalously after a predefined time period, modifying, by the system, the mitigation against the computer host device behaving anomalously.
15. A computer-readable storage medium comprising instructions that, in response to execution, cause a system comprising a processor to perform operations, comprising: determining that a computer host device is behaving anomalously because a first current access by the computer host device to a data storage deviates from a second expected access by the computer host device to the data storage by more than a predefined amount; and mitigating against the computer host device behaving anomalously.
16. The computer-readable storage medium of claim 15, wherein the second expected access by the computer host device to the data storage is based on a current time.
17. The computer-readable storage medium of claim 15, wherein the operations further comprise: after the mitigating, determining, by the system, that the computer host device was not behaving anomalously; and updating the second expected access by the computer host device based on the determining that the computer host device was not behaving anomalously.
18. The computer-readable storage medium of claim 15, wherein the computer host device is a first computer host device, and wherein the second expected access by the first computer host device is determined based on a third access by a second computer host device to the data storage.
19. The computer-readable storage medium of claim 15, wherein the determining that the first computer host device is behaving anomalously comprises: performing machine learning on a third previous access by the computer host device to the data storage to determine the second expected access by the computer host device to the data storage.
20. The computer-readable storage medium of claim 15, wherein the mitigating is performed at an initiator group of the system.
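As an added worked example (not code from the patent or from any implementation of it), the following Python sketches the detection loop the claims describe: a per-host expected access built from past samples (claim 13), the access metrics of claim 2, a learning period in which no mitigation is applied (claim 12), a predefined deviation amount (claim 1), and mitigations that escalate while the anomaly persists (claims 3 to 5 and 14). All names, thresholds and sample values are assumptions.

```python
"""Added illustration of the claimed detect-and-mitigate loop; names and
thresholds are assumed, not taken from the patent."""
from dataclasses import dataclass, field
from statistics import mean

METRICS = ("seq_rw_rate", "rand_rw_rate", "pct_sequential")  # access features, claim 2
LEARNING_SAMPLES = 5   # assumed learning-period length in samples (claim 12)
DEVIATION_LIMIT = 0.5  # assumed "predefined amount": 50% relative deviation (claim 1)
ESCALATE_AFTER = 3     # assumed anomalous samples before the mitigation is modified (claim 14)
MITIGATIONS = ("alert", "throttle", "quarantine_writes")  # claims 3-5, least to most severe


@dataclass
class HostProfile:
    history: list = field(default_factory=list)  # past accesses = expected access (claim 13)
    anomalous_streak: int = 0
    level: int = -1  # index into MITIGATIONS; -1 means no mitigation active

    def expected(self):
        return {m: mean(s[m] for s in self.history) for m in METRICS}

    def deviates(self, sample):
        """True if any metric differs from its baseline by more than DEVIATION_LIMIT."""
        exp = self.expected()
        for m in METRICS:
            base = exp[m]
            # max(base, tiny) keeps a zero baseline from dividing by zero; any
            # non-zero value against a zero baseline then counts as a deviation
            if abs(sample[m] - base) > DEVIATION_LIMIT * max(base, 1e-9):
                return True
        return False


def observe(profile, sample):
    """Process one access sample for a host; return the mitigation applied, or None."""
    if len(profile.history) < LEARNING_SAMPLES:  # learning period: record, never mitigate
        profile.history.append(sample)
        return None
    if not profile.deviates(sample):
        profile.history.append(sample)  # normal access refines the expected access
        profile.anomalous_streak, profile.level = 0, -1
        return None
    profile.anomalous_streak += 1
    if profile.level < 0:
        profile.level = 0  # first anomalous sample: alert the administrator
    elif profile.anomalous_streak % ESCALATE_AFTER == 0:
        profile.level = min(profile.level + 1, len(MITIGATIONS) - 1)  # anomaly persists
    return MITIGATIONS[profile.level]
```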
CPC classification titles:
- Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- involving event detection and direct action
- Machine learning
- in relation to access
- Command handling arrangements, e.g. command buffers, queues, command scheduling