Threat detection system with machine models for accounts within an organization unit
US-10803169-B1 · Oct 13, 2020 · US
US2024259414A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2024259414-A1 |
| Application number | US-202418632209-A |
| Country | US |
| Kind code | A1 |
| Filing date | Apr 10, 2024 |
| Priority date | Oct 26, 2021 |
| Publication date | Aug 1, 2024 |
| Grant date | — |
Official abstract text for this publication.
Techniques for combining threat-related events associated with different modalities to provide a complete insight into cyber attack life cycles. The techniques may include receiving telemetry data associated with one or more modalities and detecting, based at least in part on the telemetry data, one or more abnormal events associated with security incidents. The one or more abnormal events may include at least a first abnormal event associated with a first modality and a second abnormal event associated with a second modality. The techniques may also include determining that an entity associated with the abnormal events is a same entity and, based at least in part on the entity comprising the same entity, determining that a correlation between the abnormal events is indicative of a security incident. Based at least in part on the correlation, an indication associated with the security incident may be output.
Opening claim text (preview).
What is claimed is:

1. A system comprising: one or more processors; and one or more non-transitory computer-readable media storing instructions that, when executed by the one or more processors, cause the system to perform operations comprising: receiving telemetry data associated with at least a first modality and a second modality, the second modality being different from the first modality; detecting, in the telemetry data, a first abnormal event and a second abnormal event associated with security incidents, the first abnormal event associated with the first modality and the second abnormal event associated with the second modality; determining that the first abnormal event and the second abnormal event are each associated with a same user account; based at least in part on the first abnormal event and the second abnormal event being associated with the same user account, determining that a correlation between the first abnormal event and the second abnormal event is indicative of a security incident; and based at least in part on the correlation, outputting an indication of the security incident.
2. The system of claim 1, wherein the first modality and the second modality are associated with at least one of: a web proxy log, a file execution log, a firewall log, a network connection log, an endpoint log, an email activity log, or an instant messaging log.
3. The system of claim 1, wherein the indication of the security incident includes information associated with the first modality and the second modality.
4. The system of claim 1, wherein determining that the first abnormal event and the second abnormal event are each associated with the same user account is based at least in part on a mapping between endpoint identifiers associated with the first modality and the second modality and network addresses associated with the same user account.
5. The system of claim 1, wherein the first abnormal event is detected by a first unimodal detector that is specific to the first modality and the second abnormal event is detected by a second unimodal detector that is specific to the second modality.
6. The system of claim 1, wherein determining that the first abnormal event and the second abnormal event are each associated with the same user account comprises determining that the first abnormal event and the second abnormal event are each associated with a same server.
7. The system of claim 1, wherein determining that the first abnormal event and the second abnormal event are each associated with the same user account comprises determining that the first abnormal event and the second abnormal event are each associated with a same user device.
8. The system of claim 1, the operations further comprising: assigning the first abnormal event and the second abnormal event to the same user account; and determining the correlation between the first abnormal event and the second abnormal event based at least in part on the assigning.
9. A method comprising: receiving telemetry data associated with at least a first modality and a second modality, the second modality being different from the first modality; detecting, in the telemetry data, a first abnormal event and a second abnormal event associated with security incidents, the first abnormal event associated with the first modality and the second abnormal event associated with the second modality; determining that the first abnormal event and the second abnormal event are each associated with a same user account; based at least in part on the first abnormal event and the second abnormal event being associated with the same user account, determining that a correlation between the first abnormal event and the second abnormal event is indicative of a security incident; and based at least in part on the correlation, outputting an indication of the security incident.
10. The method of claim 9, further comprising: determining that the telemetry data associated with the first modality indicates that an entity is affected by the first abnormal event; and determining that the telemetry data associated with the second modality indicates that the entity is affected by the second abnormal event, wherein the correlation is associated with determining that the entity is affected by the first abnormal event and the second abnormal event.
11. The method of claim 9, wherein: the telemetry data associated with the first modality includes a first timestamp associated with the first abnormal event, the telemetry data associated with the second modality includes a second timestamp associated with the second abnormal event, and determining that the correlation is indicative of the security incident is further based at least in part on the first timestamp and the second timestamp.
12. The method of claim 11, further comprising determining a length of a period of time between the first timestamp and the second timestamp, wherein determining that the correlation is indicative of the security incident is further based at least in part on the length of the period of time.
13. The method of claim 9, wherein the telemetry data associated with the first modality is different from the telemetry data associated with the second modality, the telemetry data associated with the first modality comprising at least one of: a web proxy log, a file execution log, a firewall log, a network connection log, an endpoint log, an email activity log, or an instant messaging log.
14. The method of claim 9, further comprising: inputting, into a machine-learned model, first telemetry data associated with the first abnormal event and second telemetry data associated with the second abnormal event; and receiving, from the machine-learned model, an output indicating that the first abnormal event and the second abnormal event are indicative of the security incident.
15. The method of claim 9, wherein determining that the first abnormal event and the second abnormal event are each associated with the same user account is based at least in part on a mapping between endpoint identifiers associated with the first modality and the second modality and at least one network address associated with the same user account.
16. The method of claim 9, wherein detecting the first abnormal event comprises employing a first unimodal detector specifically configured for the first modality and wherein detecting the second abnormal event comprises employing a second unimodal detector specifically configured for the second modality.
17. The method of claim 9, wherein determining that the first abnormal event and the second abnormal event are each associated with the same user account comprises at least one of: determining that the first abnormal event and the second abnormal event are each associated with a same server; or determining that the first abnormal event and the second abnormal event are each associated with a same user device.
18. One or more non-transitory computer-readable media storing instructions that, when executed, cause one or more processors to perform operations comprising: receiving telemetry data associated with at least a first modality and a second modality, the second modality being different from the first modality; detecting, in the telemetry data, a first abnormal event and a second abnormal event associated with security incidents, the first abnormal event associated with the first modality and the second abnormal event associated with t
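The following is an added illustration of the claimed pipeline and is not code from the patent or its assignee: two unimodal detectors (one for a web proxy log, one for a file execution log) emit abnormal events, each event's endpoint identifier or network address is mapped to a user account, and events from different modalities that land on the same account within a bounded period of time are reported together as one incident. The log lines, the identifier-to-account mapping, the trusted-domain suffix, the upload threshold and the correlation window are all constructed assumptions chosen for the example.

```python
"""Added example (not the patent's code): two unimodal detectors whose abnormal
events are correlated by user account and time proximity, as the claims describe.
All log lines, the identifier-to-account mapping and the detector thresholds are
constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mapping: endpoint hostnames and network addresses -> user account.
ENTITY_TO_ACCOUNT = {
    "10.1.2.15": "alice",
    "LAPTOP-ALICE": "alice",
    "10.1.2.40": "bob",
    "LAPTOP-BOB": "bob",
}

# Constructed web proxy log lines: timestamp, source IP, destination host, bytes sent.
PROXY_LOG = """\
2024-04-10T09:00:05Z 10.1.2.15 intranet.example.internal 512
2024-04-10T09:01:12Z 10.1.2.40 intranet.example.internal 310
2024-04-10T09:03:44Z 10.1.2.15 files-share.example-unknown.test 90000000
2024-04-10T09:04:10Z 10.1.2.40 mail.example.internal 2048
"""

# Constructed endpoint (file execution) log lines: timestamp, hostname, executable path.
ENDPOINT_LOG = """\
2024-04-10T08:58:00Z LAPTOP-ALICE C:\\Windows\\System32\\notepad.exe
2024-04-10T09:02:30Z LAPTOP-ALICE C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe
2024-04-10T09:05:00Z LAPTOP-BOB C:\\Program Files\\Office\\winword.exe
"""

TRUSTED_DOMAIN_SUFFIX = ".example.internal"  # assumption: the organisation's own domains
UPLOAD_THRESHOLD = 50_000_000                 # assumption: bytes per request considered abnormal


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_proxy_anomalies(log):
    """Unimodal detector for the web proxy modality: flags large uploads to untrusted hosts."""
    events = []
    for line in log.splitlines():
        ts, src_ip, host, sent = line.split()
        if not host.endswith(TRUSTED_DOMAIN_SUFFIX) and int(sent) >= UPLOAD_THRESHOLD:
            events.append({"modality": "web_proxy", "time": _ts(ts), "entity": src_ip,
                           "detail": f"{int(sent)} bytes to {host}"})
    return events


def detect_endpoint_anomalies(log):
    """Unimodal detector for the endpoint modality: flags executables run from a temp directory."""
    events = []
    for line in log.splitlines():
        ts, hostname, path = line.split(maxsplit=2)  # paths may contain spaces
        if "\\temp\\" in path.lower():
            events.append({"modality": "file_execution", "time": _ts(ts), "entity": hostname,
                           "detail": f"executed {path}"})
    return events


def correlate(events, window=timedelta(minutes=10)):
    """Cross-modal correlation: group abnormal events by the user account their entity maps to;
    an account with events from two different modalities within `window` is an incident."""
    by_account = defaultdict(list)
    for ev in events:
        account = ENTITY_TO_ACCOUNT.get(ev["entity"])
        if account:  # events whose entity has no account mapping cannot be correlated
            by_account[account].append(ev)
    incidents = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            for second in evs[i + 1:]:
                gap = second["time"] - first["time"]
                if first["modality"] != second["modality"] and gap <= window:
                    incidents.append({"account": account,
                                      "gap_seconds": gap.total_seconds(),
                                      "modalities": sorted({first["modality"], second["modality"]}),
                                      "evidence": [first["detail"], second["detail"]]})
    return incidents


def run():
    """Full pipeline over the constructed logs; returns the list of correlated incidents."""
    events = detect_proxy_anomalies(PROXY_LOG) + detect_endpoint_anomalies(ENDPOINT_LOG)
    return correlate(events)


if __name__ == "__main__":
    for incident in run():
        print(incident)
```

On the constructed input each detector alone raises one event (a temp-directory execution on LAPTOP-ALICE, then a large upload from 10.1.2.15 to an untrusted host); neither is reported by itself, but because both entities map to the account `alice` and the events are 74 seconds apart, the correlator emits a single incident that carries the evidence from both modalities. Shrinking the window below that gap, or passing only one modality's events, yields no incident, which is the behaviour a reviewer of the correlation step would want to confirm.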
CPC classifications: Timestamp; Traffic logging, e.g. anomaly detection