CN-121986338-A - Data enrichment method and system
Abstract
A method of enriching data includes receiving event information associated with an event in an object of interest, analyzing data associated with the object of interest based at least in part on the received event information to identify an impact of the event within the object of interest and one or more existing mitigation measures associated with the event, and outputting information about the event, the output information including the identified impact and the identified one or more mitigation measures, wherein the event information includes information about abnormal behavior detected in the object of interest or information about vulnerabilities detected in the object of interest, and wherein the analyzed data is based on a plurality of sources.
Inventors
- ROY FRIEDMAN
- DANIEL MOSCOVICI
- Y. Davidovic
Assignees
- C2A Security Ltd.
Dates
- Publication Date
- 20260505
- Application Date
- 20241015
- Priority Date
- 20231024
Claims (20)
- 1. A method of enriching data, the method comprising: receiving event information associated with an event in an object of interest; based at least in part on the received event information, analyzing data associated with the object of interest to identify an impact of the event within the object of interest and one or more existing mitigation measures associated with the event; and outputting information about the event, the output information including the identified impact and the identified one or more mitigation measures, wherein the event information includes information about abnormal behavior detected in the object of interest or information about a vulnerability detected in the object of interest, and wherein the analyzed data is based on a plurality of sources.
- 2. The method of claim 1, wherein the plurality of sources comprises a technical article of the object of interest and a product architecture associated with the object of interest.
- 3. The method of claim 1 or 2, wherein the plurality of sources comprises a risk assessment analysis.
- 4. The method of any of claims 1-3, wherein the plurality of sources comprises a software bill of materials (SBOM).
- 5. The method of claim 4, further comprising identifying a component within the SBOM associated with the event, wherein the data associated with the object of interest comprises information about the identified component.
- 6. The method of any of claims 1-5, wherein the plurality of sources includes a specification table associated with the object of interest.
- 7. The method of any of claims 1-6, wherein the plurality of sources comprises error reports.
- 8. The method of any of claims 1-7, wherein the plurality of sources includes data received from an electronic control unit (ECU) within the object of interest.
- 9. The method of claim 8, wherein the plurality of sources includes data received from one or more sensors associated with the ECU.
- 10. The method of any of claims 1-9, wherein the plurality of sources includes threat intelligence.
- 11. The method of any of claims 1-10, wherein the impact of the event comprises: a risk influence, and an indication of which of a plurality of portions of the object of interest is likely to be affected by the event.
- 12. The method of claim 11, further comprising the step of identifying an attack step within a plurality of attack paths associated with the object of interest, wherein the indication of which portion of the object of interest is likely to be affected is based at least in part on an attack path that includes the identified attack step.
- 13. The method of any one of claims 1 to 10, further comprising the step of identifying an attack step within a plurality of attack paths associated with the object of interest, wherein the impact of the event comprises an indication of which of a plurality of portions of the object of interest is likely to be affected by the event, and wherein the indication of which portion of the object of interest is likely to be affected is based at least in part on an attack path that includes the identified attack step.
- 14. The method of any one of claims 1 to 10, further comprising the step of identifying an attack step within a plurality of attack paths associated with the object of interest, wherein the output information includes an attack path including the identified attack step.
- 15. The method of any of claims 12 to 14, wherein identifying the attack step comprises: identifying a corresponding component within the object of interest based at least in part on the received event information and a network model of the object of interest, and identifying an attack step associated with the identified component.
- 16. The method of any one of claims 1 to 15, further comprising analyzing the event information associated with the object of interest, based at least in part on the received information, to identify the presence or absence of a non-malicious cause of the abnormal behavior, wherein the output information includes an indication of the presence or absence of the identified non-malicious cause.
- 17. The method of claim 16, further comprising analyzing security threat data to identify the presence or absence of a known security threat associated with the identified event, wherein the output information regarding the identified event includes an indication of the presence or absence of the identified known security threat.
- 18. The method of any of claims 1-17, wherein the output information is output to an incident or event manager.
- 19. The method of claim 18, wherein the output information is output to a Security Operations Center (SOC) or an incident response team.
- 20. The method of claim 18 or 19, further comprising receiving data from the incident or event manager, wherein the analysis of the data is based at least in part on the data received from the incident or event manager.
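As an added illustration (not the patent's or the assignee's code), the following Python sketch walks through the enrichment step the claims above describe: an event naming a component is mapped through an SBOM onto an attack step (claims 5 and 15), the attack paths containing that step yield the likely affected portions and a risk influence (claims 11 to 14), and existing mitigations are attached to the output (claim 1). The SBOM, attack paths, mitigation inventory and the scoring rule are all constructed assumptions.

```python
"""Hypothetical data-enrichment step modelled on the claims (constructed data)."""
from dataclasses import dataclass

# Constructed sources: an SBOM keyed by host ECU, an architecture model expressed
# as attack paths (ordered (component, ecu) attack steps), and known mitigations.
SBOM = {
    "telematics-ecu": ["openssl", "mqtt-client"],
    "gateway-ecu": ["can-router"],
    "brake-ecu": ["brake-fw"],
}
ATTACK_PATHS = [
    [("openssl", "telematics-ecu"), ("can-router", "gateway-ecu"), ("brake-fw", "brake-ecu")],
    [("mqtt-client", "telematics-ecu"), ("can-router", "gateway-ecu")],
]
MITIGATIONS = {"openssl": ["TLS-only external interface", "ECU firmware signing"]}
SAFETY_CRITICAL = {"brake-ecu"}  # assumed safety-relevant portion of the vehicle


@dataclass
class Enriched:
    component: str
    ecu: str
    risk: float          # risk influence (claim 11)
    affected: list       # portions likely affected (claim 11)
    paths: list          # attack paths containing the identified step (claim 14)
    mitigations: list    # existing mitigations associated with the event (claim 1)


def find_component(event, sbom):
    """Map the event onto an SBOM component and the ECU that hosts it (claim 5)."""
    for ecu, comps in sbom.items():
        if event["component"] in comps:
            return event["component"], ecu
    raise LookupError(f"{event['component']} not found in SBOM")


def enrich(event, sbom=SBOM, paths=ATTACK_PATHS, mitigations=MITIGATIONS):
    comp, ecu = find_component(event, sbom)
    step = (comp, ecu)                                   # attack step (claim 15)
    hit_paths = [p for p in paths if step in p]
    # Everything from the identified step onward in a matching path is reachable.
    affected = sorted({e for p in hit_paths for _, e in p[p.index(step):]})
    # Constructed scoring rule: base severity doubled if a safety-critical
    # portion is reachable from the identified step.
    risk = event["severity"] * (2.0 if SAFETY_CRITICAL & set(affected) else 1.0)
    return Enriched(comp, ecu, risk, affected, hit_paths, mitigations.get(comp, []))


if __name__ == "__main__":
    print(enrich({"type": "vulnerability", "component": "openssl", "severity": 7.5}))
```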
Description
Data enrichment method and system
Technical Field
The present disclosure relates generally to the field of network security, and more particularly to data enrichment.
Background
The Security Operations Center (SOC) is responsible for protecting organizations from network threats. SOC analysts typically monitor the organization's network around the clock and investigate any potential security events. If a network attack is detected, the SOC analyst may be responsible for taking any steps necessary to remedy it. In some examples, the SOC is operated by an external provider that delivers remote monitoring and management services to the organization. One example of such an SOC is found in the field of automotive network security, where it is commonly referred to as a vehicle SOC (VSOC).
Summary
It is therefore a primary object of the present invention to overcome at least some of the disadvantages of prior art network security systems and methods. This is provided in some examples by a data enrichment method that includes receiving event information associated with an event in an object of interest. In some examples, based at least in part on the received event information, the method includes analyzing data associated with the object of interest to identify an impact of the event within the object of interest and/or one or more existing mitigation measures associated with the event. In some examples, the method further includes outputting information about the event, the output information including the identified impact and the identified one or more mitigation measures. In some examples, the event information includes information about abnormal behavior detected in the object of interest or information about vulnerabilities detected in the object of interest. In some examples, the analyzed data is based on multiple sources.
Additional features and advantages of the invention will be apparent from the accompanying drawings and the description that follows. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. In case of conflict, the present specification, including definitions, will control. As used herein, the articles "a" and "an" mean "at least one" or "one or more" unless the context clearly indicates otherwise. As used herein, "and/or" refers to any one or more of the items in a list that are connected by "and/or". By way of example, "x and/or y" refers to any element of the three-element set { (x), (y), (x, y) }. In other words, "x and/or y" refers to "x, y, or both x and y". As a further example, "x, y, and/or z" refers to any element of the seven-element set { (x), (y), (z), (x, y), (x, z), (y, z), (x, y, z) }. Furthermore, unless explicitly stated to the contrary, "or" refers to an inclusive "or" rather than an exclusive "or". For example, the condition "A or B" is satisfied by any of the following: A is true (or present) and B is false (or absent); A is false (or absent) and B is true (or present); or both A and B are true (or present). In addition, the elements and components of an embodiment of the inventive concept are described using "a" or "an". This is done merely for convenience and to give a general sense of the inventive concept; "a" and "an" are intended to include one or at least one, and the singular also includes the plural unless it is obvious that something else is meant. As used herein, the term "about," when referring to a measurable value (e.g., amount, duration, etc.), is meant to encompass deviations of +/-10%, more preferably +/-5%, even more preferably +/-1%, and still more preferably +/-0.1% from the specified value, as such deviations are suitable for performing the disclosed apparatus and/or method.
As used herein, the term "fine-tuning" means a method of training the weights of a pre-trained model on new data, as known to those skilled in the art. In some examples, fine-tuning includes inputting data into the LLM and prompting the LLM to fine-tune a predetermined subset of its weights based on a loss function, as known to those skilled in the art. In some examples, the output of the LLM is input into a second LLM that generates an input to a loss function, as known to those skilled in the art. Note that this is just one method of performing fine-tuning and is not meant to be limiting in any way. The following embodiments and aspects thereof are described and illustrated with respect to systems, tools, and methods, which are meant to be exemplary and illustrative, not limiting in scope. In various embodiments, one or more of the problems set forth above have been reduced or eliminated, while other embodiments are directed to other advantages or improvements.
Brief Description of Drawings
For a better understanding of the present invention and to show how the same may be carried into effect, reference will now be made, by way of example o