US-12627679-B2 - Cyber security system applying network sequence prediction using transformers
Abstract
A cyber threat defense system and a method for detecting a cyber threat may use a predictor, e.g. a Transformer deep learning model, which is configured to predict a next item in the sequence of events and to detect one or more anomalies in the sequence of events. This provides a notification comprising (i) information about the one or more anomalies; and (ii) a prediction of what would have been expected.
Inventors
- Carl Joseph Salji
Assignees
- Darktrace Holdings Limited
Dates
- Publication Date
- 20260512
- Application Date
- 20240212
Claims (19)
- 1. A cyber threat defense system, the cyber threat defense system comprising: one or more processors; and a non-transitory storage medium communicatively coupled to the one or more processors, the non-transitory storage medium comprises an analyzer module configured to model network data as a sequence of events, a model communicatively coupled to the analyzer module, the model is configured to (i) identify one or more anomalous parts of an event of the sequence of events as being indicative of an anomaly and (ii) generate a notification including (a) the one or more anomalous parts of the event, (b) an expected part of the event, and (c) a confidence score that the one or more anomalous parts is an anomaly, and a user interface configured to generate a visual representation based on content within the notification of the one or more anomalous parts being indicative of an anomaly occurring in a network protected by the cyber threat defense system; and an autonomous response module configured to generate a user notification or an automatic response action in response to the analyzer module identifying the one or more anomalous parts; wherein the model is configured to provide in the notification conveyed for visual display on the user interface, where the notification includes (i) information associated with the one or more anomalous parts along with additional contextual information for the one or more anomalous parts, including (ii) the expected part of the event and (iii) the confidence score, in order to enhance a user's understanding regarding the identified one or more anomalous parts.
- 2. The cyber threat defense system according to claim 1, wherein the autonomous response module is configured to generate at least the notification to a user in response to detected one or more anomalous parts above a first threshold level and/or configured to generate an autonomous response to mitigate a cyber threat when the detected one or more anomalous parts are indicative above a second threshold level.
- 3. The cyber threat defense system according to claim 1, wherein the model corresponds to a deep learning model.
- 4. The cyber threat defense system according to claim 1, wherein the additional contextual information identifies each anomalous part of an event in the sequence of events.
- 5. The cyber threat defense system according to claim 1, wherein the additional contextual information identifies a plurality of anomalies in parts of an event in a sequence of events, when multiple anomalies were detected with the identified one or more anomalous parts in the sequence of events.
- 6. The cyber threat defense system according to claim 1, wherein the model is configured to generate likelihoods for anomaly detection and then present the likelihood for the anomaly detection on the user interface.
- 7. The cyber threat defense system according to claim 1, wherein the additional contextual information comprises (i) information about the one or more anomalous parts, (ii) a prediction of what would have been expected and/or (iii) likelihoods for anomaly detection.
- 8. The cyber threat defense system according to claim 1, wherein the model is configured to provide a notification comprising an anomaly score in addition to the additional contextual information about the one or more anomalous parts.
- 9. The cyber threat defense system according to claim 1, wherein the sequence of events is string data.
- 10. The cyber threat defense system according to claim 1, wherein the sequence of events is string data derived from a SaaS event.
- 11. A method of detecting a cyber threat, the method comprising: transforming, by a modeler, network data as a sequence of events; predicting, by a predictor, a next item in the sequence of events; identifying, by the predictor, one or more anomalous parts of an event of the sequence of events as being indicative of an anomaly; generating, by the predictor, a notification including (a) information corresponding to the one or more anomalous parts of the event and (b) context information associated with the one or more anomalous parts including (i) information corresponding to an expected part of the event and (ii) a confidence score that the one or more anomalous parts is an anomaly; and generating, by a user interface, a visual representation based on content within the notification including the context information associated with the one or more anomalous parts occurring in a network protected by a cyber threat defense system, the information corresponding to the expected part of the event and the confidence score in order to enhance a user's understanding regarding the identified one or more anomalous parts.
- 12. The method according to claim 11, wherein the predictor is a Transformer deep learning model.
- 13. The method according to claim 11, wherein the contextual information identifies each anomalous part of an event in the sequence of events.
- 14. The method according to claim 11, wherein the contextual information identifies a plurality of anomalies in parts of the event in a sequence of events, when the plurality of anomalies were detected with the identified one or more anomalies in the sequence of events.
- 15. The method according to claim 11, further comprising the predictor generating likelihoods for anomaly detection and then presenting the likelihood for the anomaly detection on the user interface.
- 16. The method according to claim 11, wherein the contextual information comprises (i) information about the one or more anomalous parts, (ii) the expected part of the event representing a prediction of what would have been expected as parts of the event, and (iii) the confidence score representing a likelihood for anomaly detection.
- 17. The method according to claim 11, wherein the sequence of events is string data derived from a SaaS event.
- 18. The method according to claim 11, further comprising using the predictor to match a JA3 hash of the network data to particular user agents; and to provide in the notification information about the particular user agents.
- 19. A non-transitory computer-readable medium including executable instructions that, when executed with one or more processors, cause a cyber-threat defense system to perform the method of claim 11.
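The detection loop of claims 1, 2 and 11 (predict the next item of an event modelled as string parts, flag the observed part when it diverges, and report the anomalous part, the expected part and a confidence score, with a notify threshold and a higher autonomous-response threshold) as an added illustration that is not part of the patent or of any Darktrace product. The patent uses a Transformer as the predictor; here a bigram frequency table stands in for it so the example runs offline, and the SaaS login history is constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed history: each event is a sequence of string parts derived
# from a hypothetical SaaS login event (claims 9 and 10), not real data.
HISTORY = [
    ["user:alice", "action:login", "device:laptop", "geo:GB", "result:ok"],
    ["user:alice", "action:login", "device:laptop", "geo:GB", "result:ok"],
    ["user:alice", "action:login", "device:phone", "geo:GB", "result:ok"],
    ["user:alice", "action:login", "device:laptop", "geo:GB", "result:ok"],
    ["user:alice", "action:download", "device:laptop", "geo:GB", "result:ok"],
]

class BigramPredictor:
    """Next-item predictor. The patent uses a Transformer in this role;
    a bigram frequency table stands in so the example runs offline."""
    def __init__(self, sequences):
        self.counts = defaultdict(Counter)
        for seq in sequences:
            for prev, nxt in zip(["<s>"] + seq[:-1], seq):
                self.counts[prev][nxt] += 1

    def predict(self, prev):
        """Return (expected next item, P(item) for every item seen after prev)."""
        c = self.counts.get(prev)
        total = sum(c.values()) if c else 0
        probs = {k: v / total for k, v in c.items()} if total else {}
        expected = max(probs, key=probs.get) if probs else None
        return expected, probs

@dataclass
class Notification:
    position: int        # index of the anomalous part within the event
    anomalous_part: str  # what was observed
    expected_part: str   # what the predictor expected instead
    confidence: float    # confidence that this part is an anomaly
    action: str          # "notify_user" or "autonomous_response" (claim 2)

def analyze(predictor, event, notify_threshold=0.5, respond_threshold=0.9):
    """Walk one event part by part, compare each part with the predicted
    next item and emit one Notification per anomalous part."""
    notes, prev = [], "<s>"
    for i, part in enumerate(event):
        expected, probs = predictor.predict(prev)
        if probs:  # context never seen: no prediction, so nothing to score
            confidence = round(1.0 - probs.get(part, 0.0), 3)
            if part != expected and confidence >= notify_threshold:
                action = "autonomous_response" if confidence >= respond_threshold else "notify_user"
                notes.append(Notification(i, part, expected, confidence, action))
        prev = part
    return notes
```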
Description
CROSS-REFERENCE TO RELATED APPLICATION(S)
This application claims the benefit and priority of 35 USC 120 from U.S. patent application Ser. No. 17/187,379, filed Feb. 26, 2021, titled “A CYBER SECURITY SYSTEM APPLYING NETWORK SEQUENCE PREDICTION USING TRANSFORMERS”, which claims the benefit of priority of U.S. Provisional Application No. 62/983,307 entitled ‘AN ARTIFICIAL INTELLIGENCE BASED CYBER SECURITY SYSTEM’ filed on Feb. 28, 2020 and of U.S. Provisional Application No. 63/078,092 entitled ‘AN INTELLIGENT CYBER SECURITY SYSTEM’ filed on Sep. 14, 2020; the disclosure of each is hereby expressly incorporated by reference in its entirety.
NOTICE OF COPYRIGHT
A portion of this disclosure contains material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the material subject to copyright protection as it appears in the United States Patent & Trademark Office's patent file or records, but otherwise reserves all copyright rights whatsoever.
FIELD
Embodiments of the design provided herein generally relate to a cyber threat defense system. In an embodiment, Artificial Intelligence is applied to analyzing cyber security threats.
BACKGROUND
In the cyber security environment, firewalls, endpoint security methods and other tools such as SIEMs and sandboxes are deployed to enforce specific policies and provide protection against certain threats. These tools currently form an important part of an organization's cyber defense strategy, but they are insufficient in the new age of cyber threat. Legacy tools are failing to deal with new cyber threats because the traditional approach relies on being able to pre-define the cyber threat in advance, by writing rules or producing signatures.
In today's environment, this approach to defending against cyber threats is fundamentally flawed:
- Threats are constantly evolving—novel attacks do not match historical-attack “signatures”, and even subtle changes to previously understood attacks can result in them going undetected by legacy defenses;
- Rules and policies defined by organizations are continually insufficient—security teams simply can't imagine every possible thing that may go wrong in future; and
- Employee ‘insider’ threat is a growing trend—it is difficult to spot malicious employees behaving inappropriately as they are a legitimate presence on the business network.
The reality is that modern threats bypass the traditional legacy defense tools on a daily basis. These tools need a new tool based on a new approach that can complement them and mitigate their deficiencies at scale across the entirety of digital organizations. In the complex modern world it is advantageous that the approach is fully automated, as it is virtually impossible for humans to sift through the vast amount of security information gathered each minute within a digital business. Existing methods such as vulnerability scanning performed by humans are less targeted and may lead to security resource allocation in the wrong places. Also, some vulnerability scanners actually test and compromise the actual network devices themselves, which may adversely affect the network during this testing and scanning. Cyber threat protection systems generally ingest network data to detect cyber threats but not to assess how a cyber threat might spread through a network. A human Red team of cyber security professionals typically is hired to test a network's vulnerability to cyber-attacks.
DRAWINGS
The drawings refer to some embodiments of the design provided herein.
While the design is subject to various modifications, equivalents, and alternative forms, specific embodiments thereof have been shown by way of example in the drawings and will now be described in detail. It should be understood that the design is not limited to the particular embodiments disclosed, but—on the contrary—the intention is to cover all modifications, equivalents, and alternative forms using the specific embodiments.
FIG. 1 illustrates a block diagram of an embodiment of a cyber-threat defense system embodying an aspect of the present invention with an analyzer module comprising a modeler configured to model network data as a sequence of events; and a predictor configured to predict a next item in the sequence of events and to detect one or more anomalies in the sequence of events.
FIG. 2 illustrates a block diagram of an embodiment of the cyber-threat defense system comprising an analyzer module comprising a modeler configured to model network data as a sequence of events; and a predictor configured to predict a next item in the sequence of events and to detect one or more anomalies in the sequence of events.
FIG. 3 illustrates a real-time or re-playable radial diagram where user activity is represented as paths between a series of nodes and their sub-nodes in a tree-like format.
FIG. 4 illustrates a block diagram of an embodiment of an example chain of unusual behaviour for the