US-12621325-B2 - Adaptive system for network and security management
Abstract
Systems and methods are described for monitoring third party services. A system may receive a set of input signals from third-party sources. The system may characterize rules and models for detecting organizational attributes based on the input signals to identify computer threats, attacks, performance bottlenecks, or availability issues, and other indicators of potential risk for an organization. The system may characterize the rules and models based on gaps in coverage, system updates, and consistency across multiple entities.
Inventors
- Praveen Hebbagodi
- Christopher Morales
- Bikram Kachari
Assignees
- Netenrich, Inc.
Dates
- Publication Date
- 20260505
- Application Date
- 20230531
Claims (20)
- 1 . A system for monitoring third-party services, the system including one or more computing devices having a processor and a memory, the individual one or more computing devices executing computer-executable instructions that cause the system to: receive inputs from a plurality of third-party sources, wherein the plurality of third-party sources include streaming data or historical data; dynamically configure the inputs by using one or more machine learning models to process: (i) gaps in detection coverage; (ii) system updates with information associated with at least one of structured representations of threats and attacks, or compliance controls; and (iii) consistency across multiple tenants across multi-levels including entry point modeling, high-value asset characterization, adversary behavior emulation, and risk scoring; generate first output signals by processing the dynamically configured inputs, wherein the output signals include organizational attributes including indicators of potential risk for the organization; and generate and fine-tune second output signals using the first output signals by using machine learning to: (i) analyze entities, classification of the entities, targets, entry points, or chokepoints based on the inputs; (ii) examine types of log sources based on the plurality of third-party sources; (iii) examine types of signal detection policies including at least one of threats, behavioral models, threat feeds, attack surface exposures, emerging threats, latency, traffic, errors, and saturation; (iv) assess compliance controls and current status of a target of the output signal based on the input; and (v) identify trending threats relevant to the target of the output signal and the structured representation of representations of threats and attacks.
- 2 . The system as recited in claim 1 , further comprising a recommendations module that generates fine-tuning recommendations.
- 3 . The system as recited in claim 2 , wherein the fine-tuning recommendations correspond to improve precision or breadth of existing detection specifications.
- 4 . The system as recited in claim 2 , wherein the fine-tuning recommendations correspond to create new detections to fill gaps in coverage.
- 5 . The system as recited in claim 4 , wherein detections to fill gaps are based on at least one of rule-based mechanisms, a signature or pattern match, machine learning (ML) model based mechanisms, or anomaly-based detection.
- 6 . The system as recited in claim 2 , wherein the fine-tuning recommendations correspond to optimize existing policies by combining rules and models having redundancy or overlapping coverage, and identifying ineffective rules.
- 7 . The system as recited in claim 2 , further comprising a system for generation of configuration updates.
- 8 . The system as recited in claim 7 , wherein the system for the generation of configuration updates includes a system for expressing signal detection models and policies as code using a declarative language including YAML.
- 9 . The system as recited in claim 7 , wherein the system for the generation of configuration updates includes a system for utilizing generative AI techniques to generate or update the signal detection policies.
- 10 . The system as recited in claim 7 , wherein the system for the generation of configuration updates includes a system for creating prompts for generative AI based on derived intelligence.
- 11 . The system as recited in claim 7 , wherein the system for the generation of configuration updates includes a system for allowing users to review and approve the generated recommendations before deploying them either for a specific tenant or across multiple tenants.
- 12 . A computer-implemented method for monitoring third-party services, the computer-implemented method implemented in one or more computing devices having a processor and a memory, wherein the one or more computing devices implement the computer-implemented method comprising: receiving inputs from a plurality of third-party sources, wherein the plurality of third-party sources include streaming data or historical data; dynamically configuring the inputs by using one or more machine learning models to process: (i) gaps in detection coverage; (ii) system updates with information associated with at least one of structured representations of threats and attacks, or compliance controls; and (iii) consistency across multiple tenants across multi-levels including entry point modeling, high-value asset characterization, adversary behavior emulation, and risk scoring; generating first output signals by processing the dynamically configured inputs, wherein the output signals include organizational attributes including indicators of potential risk for the organization; and generating and fine-tuning second output signals using the first output signals by using machine learning to: (i) analyze entities, classification of the entities, targets, entry points, or chokepoints based on the inputs; (ii) examine types of log sources based on the plurality of third-party sources; (iii) examine types of signal detection policies including at least one of threats, behavioral models, threat feeds, attack surface exposures, emerging threats, latency, traffic, errors, and saturation; (iv) assess compliance controls and current status of a target of the output signal based on the input; and (v) identify trending threats relevant to the target of the output signal and the structured representation of representations of threats and attacks.
- 13 . The method as recited in claim 12 , further comprising generating fine-tuning recommendations.
- 14 . The method as recited in claim 13 , wherein the fine-tuning recommendations correspond to improve precision or breadth of existing detection specifications.
- 15 . The method as recited in claim 13 , wherein the fine-tuning recommendations correspond to create new detections to fill gaps in coverage.
- 16 . The method as recited in claim 15 , wherein detections to fill gaps are based on at least one of rule-based mechanisms, a signature or pattern match, machine learning (ML) model based mechanisms, or anomaly-based detection.
- 17 . The method as recited in claim 13 , wherein the fine-tuning recommendations correspond to optimize existing policies by combining rules and models that may have redundancy or overlapping coverage, and identifying ineffective rules.
- 18 . The method as recited in claim 12 , further comprising generating of configuration updates.
- 19 . The method as recited in claim 12 , further comprising expressing signal detection models and policies as code using a declarative language including YAML.
- 20 . The method as recited in claim 12 , further comprising utilizing generative AI techniques to generate or update the signal detection policies.
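The claims describe detection policies expressed as code (YAML, claim 8) and three kinds of fine-tuning recommendation: new detections for coverage gaps (claims 4 and 15), merging rules with overlapping coverage and flagging ineffective rules (claims 6 and 17), and checking consistency across tenants (claim 1, item iii). The script below is an added illustration of that recommendation logic and is not code from the patent or from Netenrich. The policy bundle is shown as the Python structure a YAML document would parse to (PyYAML's `yaml.safe_load` would return the same shape), the threat identifiers are labelled placeholders rather than any real taxonomy, and the hit/confirmation counts and tenant sets are constructed sample data.

```python
"""Detection-policy fine-tuning recommender (added example, not the patent's code)."""
from collections import defaultdict

# Constructed sample bundle: the parsed form of a YAML "detection as code" document.
# `threat` is a placeholder ID standing in for the structured threat representation
# the claims refer to; hit statistics are invented for the example.
POLICIES = [
    {"id": "auth-bruteforce-v1", "log_source": "auth", "threat": "T-PLACEHOLDER-001",
     "condition": "failed_logins > 20 within 5m", "hits_30d": 140, "confirmed_30d": 35},
    {"id": "auth-bruteforce-v2", "log_source": "auth", "threat": "T-PLACEHOLDER-001",
     "condition": "failed_logins > 20 within 5m", "hits_30d": 140, "confirmed_30d": 35},
    {"id": "dns-beacon", "log_source": "dns", "threat": "T-PLACEHOLDER-002",
     "condition": "periodic_query_interval < 60s", "hits_30d": 0, "confirmed_30d": 0},
    {"id": "web-scanner", "log_source": "http", "threat": "T-PLACEHOLDER-003",
     "condition": "status_404_rate > 0.8", "hits_30d": 500, "confirmed_30d": 0},
]

# Constructed: the set of threat IDs this tenant is expected to have coverage for.
REQUIRED_COVERAGE = {"T-PLACEHOLDER-001", "T-PLACEHOLDER-002", "T-PLACEHOLDER-004"}

# Constructed: two tenants, the second missing part of the shared bundle.
TENANT_POLICIES = {"tenant-a": POLICIES, "tenant-b": POLICIES[:2]}


def coverage_gaps(policies, required):
    """Threat IDs in the required set that no policy claims to detect."""
    covered = {p["threat"] for p in policies}
    return sorted(required - covered)


def redundant_groups(policies):
    """Rules with identical log source and condition are candidates to merge."""
    groups = defaultdict(list)
    for p in policies:
        groups[(p["log_source"], p["condition"])].append(p["id"])
    return [sorted(ids) for ids in groups.values() if len(ids) > 1]


def ineffective_rules(policies, min_hits=1, min_precision=0.1):
    """Rules that never fired in the window, or fired almost only on false positives.

    Returns (rule id, reason) pairs for analyst review; a rule that never fires
    may simply reflect an absent threat, so it is flagged rather than removed.
    """
    flagged = []
    for p in policies:
        hits = p["hits_30d"]
        if hits < min_hits:
            flagged.append((p["id"], "never fired in window"))
            continue
        precision = p["confirmed_30d"] / hits
        if precision < min_precision:
            flagged.append((p["id"], f"precision {precision:.2f} below {min_precision}"))
    return flagged


def tenant_inconsistencies(tenants):
    """Per tenant, the rule IDs deployed elsewhere but missing here (claim 1, iii)."""
    all_ids = set()
    for policies in tenants.values():
        all_ids.update(p["id"] for p in policies)
    missing = {}
    for name, policies in tenants.items():
        absent = sorted(all_ids - {p["id"] for p in policies})
        if absent:
            missing[name] = absent
    return missing


def recommendations(policies, required, tenants):
    """Bundle the three recommendation types into one review-ready structure."""
    return {
        "create": [{"threat": t, "action": "author new detection"}
                   for t in coverage_gaps(policies, required)],
        "combine": redundant_groups(policies),
        "review": ineffective_rules(policies),
        "align_tenants": tenant_inconsistencies(tenants),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(recommendations(POLICIES, REQUIRED_COVERAGE, TENANT_POLICIES), indent=2))
```

The output is deliberately a proposal set rather than an applied change: claim 11 has a human review and approve step before anything is deployed to one or many tenants, and keeping the recommender side-effect free is what makes that gate meaningful.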
Description
CROSS-REFERENCE TO RELATED APPLICATION
This application claims the benefit of U.S. Provisional Application No. 63/348,935, entitled ADAPTIVE SYSTEM FOR NETWORK AND SECURITY MANAGEMENT and filed on Jun. 3, 2022. U.S. Provisional Application No. 63/348,935 is incorporated by reference in its entirety.
BACKGROUND
Generally described, computing devices and communication networks can be utilized to exchange data or information. In a common application, a computing device can request content from another computing device via the communication network. For example, a client having access to a computing device can utilize a software application to interact with one or more computing devices via the network (e.g., the Internet). In such embodiments, the client's computing device can be referred to as a client computing device, and the server computing device can be referred to as a network service provider or network service.
Some network service providers can implement one or more individual services that may be configured to monitor the execution of individual services made accessible to client computing devices or utilized in servicing/interacting with client computing devices. Such network monitoring services may be configured in a manner to identify potential errors, faults, and intrusions in the execution of a network environment. Additionally, network monitoring services may be further configured to attempt to mitigate or resolve identified errors, faults, and intrusions.
Network service providers may also implement one or more individual services that may be configured to monitor the interaction of client computing devices with a network environment. Such monitoring services, referred to generally as security services, may be specifically configured to identify potential communications or interactions between client devices and the network environment that would be considered to be malicious or harmful to the operation of the network environment. For example, a network security service may attempt to identify and mitigate potential malicious activity that could attempt to disrupt the operation of the network environment, gain access to unauthorized data, gain control of network-based resources, and the like.
BRIEF DESCRIPTION OF THE DRAWINGS
This disclosure is described herein with reference to drawings of certain embodiments, which are intended to illustrate, but not to limit, the present disclosure. It is to be understood that the accompanying drawings, which are incorporated in and constitute a part of this specification, are for the purpose of illustrating concepts disclosed herein and may not be to scale.
- FIG. 1 is a block diagram of a network environment that includes one or more devices associated with customers/clients that can interact with one or more network services, one or more devices associated with analysts or administrators that can also interact with one or more network services, one or more third-party services that can provide or provision input signals as described herein, and a service provider for processing or configuring machine-learned algorithms for processing input signals according to one or more embodiments;
- FIG. 2A depicts one embodiment of an architecture of an event signal processing component in accordance with one or more aspects of the present application;
- FIG. 2B depicts one embodiment of an architecture of a risk modeling processing component in accordance with one or more aspects of the present application;
- FIG. 2C depicts one embodiment of an architecture of a third-party monitoring services configuration component in accordance with one or more aspects of the present application;
- FIG. 2D depicts one embodiment of an architecture of a threat hunting processing component;
- FIG. 3A is a block diagram of the network environment of FIG. 1 illustrating various interactions to process a set of input signals to generate processing results for various functionality described in accordance with one or more aspects of the present application;
- FIG. 3B is a block diagram of the network environment of FIG. 1 illustrating various interactions related to a machine-learning-based architecture that continuously fine-tunes and configures network monitoring and collection systems in accordance with one or more aspects of the present application;
- FIG. 3C is a block diagram of the network environment of FIG. 1 illustrating various interactions to automate risk modeling in accordance with one or more aspects of the present application;
- FIG. 3D is a block diagram of the network environment of FIG. 1 illustrating various interactions related to the modeling effort for ongoing threat detection and threat hunting processing results in accordance with one or more aspects of the present application;
- FIG. 4 is a flow diagram illustrative of a routine for event signal processing;
- FIG. 5 is a flow diagram illustrative of a routine for risk modeling;
- FIG. 6 is a flow diagram illustrative of a routine for a third