US-20260129064-A1 - PREDICTING ZERO-DAY VULNERABILITIES USING ANOMALY DETECTION AND NEURAL NETWORK ALGORITHMS
Abstract
Aspects related to predicting zero-day vulnerabilities using anomaly detection and neural network algorithms are provided. A prediction platform may train an unsupervised algorithm for identifying suspicious packets and a prediction model for generating suspicion scores and behavior patterns based on network traffic information. The platform may segment information of packets of network traffic information into a plurality of segments. The platform may compare the segments with zero-day vulnerability information to identify known zero-day vulnerabilities. The platform may use the unsupervised algorithm to identify suspicious packets that do not correspond to known zero-day vulnerabilities. The platform may generate suspicion scores and behavior patterns for suspicious packets. The platform may further train the prediction model based on behavior patterns associated with certain suspicion scores to generate vulnerability scores. The platform may generate vulnerability scores for suspicious packets using the model. The platform may output zero-day vulnerability predictions based on the vulnerability scores.
Inventors
- Abhay Kumar
- Karen Ashley Frye
- Krishna Sattiraju
Assignees
- BANK OF AMERICA CORPORATION
Dates
- Publication Date
- 20260507
- Application Date
- 20241105
Claims (20)
- 1 . A computing platform comprising: at least one processor; a communication interface communicatively coupled to the at least one processor; and memory storing computer-readable instructions that, when executed by the at least one processor, configure the computing platform to: train, based on an object recognition algorithm, a prediction model to output suspicion scores and behavior patterns based on input of packets of network traffic information; receive a plurality of packets of network traffic information filtered by an intrusion detection system; segment information, of a first packet of the plurality of packets, into a plurality of segments; identify, by comparing the plurality of segments with historical zero-day vulnerability information, whether the first packet matches a known zero-day vulnerability, and in response: based on identifying that the first packet matches a known zero-day vulnerability, output a security alert; and based on identifying that the first packet does not match a known zero-day vulnerability, preserve the first packet as a potential new zero-day vulnerability; generate, based on preserving the first packet and by inputting the first packet into the prediction model, a suspicion score and a behavior pattern for the first packet; identify whether the suspicion score for the first packet satisfies a threshold score, and in response: based on identifying that the suspicion score satisfies the threshold score, train, based on the behavior pattern for the first packet, the prediction model to generate vulnerability scores for packets of network traffic information; and based on identifying that the suspicion score does not satisfy the threshold score, store the first packet with a suspicious packet identifier; generate, by inputting a second packet of the plurality of packets into the prediction model, a vulnerability score for the second packet; and output, based on the vulnerability score, a zero-day vulnerability prediction.
- 2 . The computing platform of claim 1 , wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, configure the computing platform to: train, based on the historical zero-day vulnerability information, an unsupervised anomaly detection algorithm to generate vulnerability indicators based on input of packets of network traffic information; and generate, based on the plurality of segments and using the unsupervised anomaly detection algorithm, a vulnerability indicator for the first packet indicating a likelihood of the first packet corresponding to a known zero-day vulnerability, wherein the instructions, when executed by the one or more processors, configure the computing platform to identify whether the first packet matches a known zero-day vulnerability by comparing the vulnerability indicator to a threshold likelihood, and in response: based on identifying that the vulnerability indicator meets or exceeds the threshold likelihood, identify that the first packet matches a known zero-day vulnerability, or based on identifying that the vulnerability indicator does not meet or exceed the threshold likelihood, identify that the first packet does not match a known zero-day vulnerability.
- 3 . The computing platform of claim 1 , wherein the object recognition algorithm comprises: an input layer configured to convert segments of network traffic information into numerical values; a pattern layer configured to generate, based on the converted segments of network traffic information, the behavior patterns; and an output layer configured to output, based on the behavior patterns, the suspicion scores and the behavior patterns.
- 4 . The computing platform of claim 1 , wherein the historical zero-day vulnerability information comprises one or more of: information indicating a location of a historical zero-day vulnerability, information indicating a behavior pattern associated with a historical zero-day vulnerability, or information indicating a type of threat associated with a historical zero-day vulnerability.
- 5 . The computing platform of claim 1 , wherein the instructions, when executed by the one or more processors, configure the computing platform to preserve the first packet by generating the suspicious packet identifier for the first packet.
- 6 . The computing platform of claim 1 , wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, configure the computing platform to: identify, based on outputting the zero-day vulnerability prediction, a solution action for the zero-day vulnerability prediction; implement, based on identifying the solution action, the solution action; and update, based on the zero-day vulnerability prediction, the prediction model.
- 7 . The computing platform of claim 1 , wherein the instructions, when executed by the one or more processors, configure the computing platform to segment the information of the first packet by: generating, by converting the network traffic information filtered by the intrusion detection system from a first format to a second format configured for the object recognition algorithm, a first segment of the plurality of segments; and generating, by preprocessing raw network traffic information and converting it to the second format, a second segment of the plurality of segments.
- 8 . The computing platform of claim 1 , wherein the instructions, when executed by the one or more processors, configure the computing platform to output the zero-day vulnerability prediction by: causing display, at a user device, of a user interface comprising the zero-day vulnerability prediction.
- 9 . The computing platform of claim 1 , wherein the zero-day vulnerability prediction comprises one or more of: an indication of a source of a predicted zero-day vulnerability, an indication of a type of threat associated with a predicted zero-day vulnerability, or an indication of a solution action associated with a predicted zero-day vulnerability.
- 10 . The computing platform of claim 1 , wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, configure the computing platform to: identify, by comparing the vulnerability score to a threshold score, whether the vulnerability score satisfies the threshold score; and generate, based on identifying whether the vulnerability score satisfies the threshold score, the zero-day vulnerability prediction.
- 11 . A method comprising: at a computing device comprising at least one processor, a communication interface, and memory: training, based on an object recognition algorithm, a prediction model to output suspicion scores and behavior patterns based on input of packets of network traffic information; receiving a plurality of packets of network traffic information filtered by an intrusion detection system; segmenting information, of a first packet of the plurality of packets, into a plurality of segments; identifying, by comparing the plurality of segments with historical zero-day vulnerability information, whether the first packet matches a known zero-day vulnerability, and in response: based on identifying that the first packet matches a known zero-day vulnerability, outputting a security alert; and based on identifying that the first packet does not match a known zero-day vulnerability, preserving the first packet as a potential new zero-day vulnerability; generating, based on preserving the first packet and by inputting the first packet into the prediction model, a suspicion score and a behavior pattern for the first packet; identifying whether the suspicion score for the first packet satisfies a threshold score, and in response: based on identifying that the suspicion score satisfies the threshold score, training, based on the behavior pattern for the first packet, the prediction model to generate vulnerability scores for packets of network traffic information; and based on identifying that the suspicion score does not satisfy the threshold score, storing the first packet with a suspicious packet identifier; generating, by inputting a second packet of the plurality of packets into the prediction model, a vulnerability score for the second packet; and outputting, based on the vulnerability score, a zero-day vulnerability prediction.
- 12 . The method of claim 11 , further comprising: training, based on the historical zero-day vulnerability information, an unsupervised anomaly detection algorithm to generate vulnerability indicators based on input of packets of network traffic information; and generating, based on the plurality of segments and using the unsupervised anomaly detection algorithm, a vulnerability indicator for the first packet indicating a likelihood of the first packet corresponding to a known zero-day vulnerability, wherein the identifying whether the first packet matches a known zero-day vulnerability comprises comparing the vulnerability indicator to a threshold likelihood, and in response: based on identifying that the vulnerability indicator meets or exceeds the threshold likelihood, identifying that the first packet matches a known zero-day vulnerability, or based on identifying that the vulnerability indicator does not meet or exceed the threshold likelihood, identifying that the first packet does not match a known zero-day vulnerability.
- 13 . The method of claim 11 , wherein the object recognition algorithm comprises: an input layer configured to convert segments of network traffic information into numerical values; a pattern layer configured to generate, based on the converted segments of network traffic information, the behavior patterns; and an output layer configured to output, based on the behavior patterns, the suspicion scores and the behavior patterns.
- 14 . The method of claim 11 , wherein the historical zero-day vulnerability information comprises one or more of: information indicating a location of a historical zero-day vulnerability, information indicating a behavior pattern associated with a historical zero-day vulnerability, or information indicating a type of threat associated with a historical zero-day vulnerability.
- 15 . The method of claim 11 , wherein the preserving the first packet comprises generating the suspicious packet identifier for the first packet.
- 16 . The method of claim 11 , further comprising: identifying, based on outputting the zero-day vulnerability prediction, a solution action for the zero-day vulnerability prediction; implementing, based on identifying the solution action, the solution action; and updating, based on the zero-day vulnerability prediction, the prediction model.
- 17 . The method of claim 11 , wherein the segmenting the information of the first packet comprises: generating, by converting the network traffic information filtered by the intrusion detection system from a first format to a second format configured for the object recognition algorithm, a first segment of the plurality of segments; and generating, by preprocessing raw network traffic information and converting it to the second format, a second segment of the plurality of segments.
- 18 . The method of claim 11 , wherein the outputting the zero-day vulnerability prediction comprises: causing display, at a user device, of a user interface comprising the zero-day vulnerability prediction.
- 19 . The method of claim 11 , wherein the zero-day vulnerability prediction comprises one or more of: an indication of a source of a predicted zero-day vulnerability, an indication of a type of threat associated with a predicted zero-day vulnerability, or an indication of a solution action associated with a predicted zero-day vulnerability.
- 20 . One or more non-transitory computer-readable media storing instructions that, when executed by a computing platform comprising at least one processor, a communication interface, and memory, configure the computing platform to: train, based on an object recognition algorithm, a prediction model to output suspicion scores and behavior patterns based on input of packets of network traffic information; receive a plurality of packets of network traffic information filtered by an intrusion detection system; segment information, of a first packet of the plurality of packets, into a plurality of segments; identify, by comparing the plurality of segments with historical zero-day vulnerability information, whether the first packet matches a known zero-day vulnerability, and in response: based on identifying that the first packet matches a known zero-day vulnerability, output a security alert; and based on identifying that the first packet does not match a known zero-day vulnerability, preserve the first packet as a potential new zero-day vulnerability; generate, based on preserving the first packet and by inputting the first packet into the prediction model, a suspicion score and a behavior pattern for the first packet; identify whether the suspicion score for the first packet satisfies a threshold score, and in response: based on identifying that the suspicion score satisfies the threshold score, train, based on the behavior pattern for the first packet, the prediction model to generate vulnerability scores for packets of network traffic information; and based on identifying that the suspicion score does not satisfy the threshold score, store the first packet with a suspicious packet identifier; generate, by inputting a second packet of the plurality of packets into the prediction model, a vulnerability score for the second packet; and output, based on the vulnerability score, a zero-day vulnerability prediction.
Description
BACKGROUND
Aspects described herein are related to predicting zero-day vulnerabilities using anomaly detection and neural network algorithms. In some instances, entities such as an enterprise organization (e.g., a financial institution and/or other institutions) may maintain cybersecurity systems and/or policies configured to protect certain information managed by, for example, the enterprise organization. However, conventional cybersecurity systems remain susceptible to threat actors taking advantage of vulnerabilities. Some of these vulnerabilities may be zero-day vulnerabilities, meaning that the vendor and the enterprise organization have had zero days to fix the vulnerability before threat actors are able to exploit it. Zero-day vulnerabilities may be present in an operating system, web browser, application, open-source component, firmware, and/or other elements of a system associated with an enterprise organization. Conventional cybersecurity systems lack a specific mechanism and/or methodology to reliably and accurately predict these various potential zero-day vulnerabilities before they are used by threat actors, increasing the strain zero-day vulnerabilities impose upon systems managed by the enterprise organization. Accordingly, there exists a need for an effective and reliable system for predicting zero-day vulnerabilities in systems such as those managed by an enterprise organization.
SUMMARY
Aspects of the disclosure provide effective, efficient, scalable, and convenient technical solutions that address and overcome the technical problems associated with current methods of responding to zero-day vulnerabilities. In accordance with one or more arrangements of the disclosure, a computing platform with at least one processor, a communication interface, and memory storing computer-readable instructions may train a prediction model based on an object recognition algorithm.
The computing platform may train the prediction model to output suspicion scores and behavior patterns based on input of packets of network traffic information. The computing platform may receive a plurality of packets of network traffic information filtered by an intrusion detection system. The computing platform may segment information of a first packet of the plurality of packets into a plurality of segments. The computing platform may identify, by comparing the plurality of segments with historical zero-day vulnerability information, whether the first packet matches a known zero-day vulnerability. In response, the computing platform may, based on identifying that the first packet matches a known zero-day vulnerability, output a security alert and, based on identifying that the first packet does not match a known zero-day vulnerability, preserve the first packet as a potential new zero-day vulnerability. The computing platform may generate, based on preserving the first packet and by inputting the first packet into the prediction model, a suspicion score and a behavior pattern for the first packet. The computing platform may identify whether the suspicion score for the first packet satisfies a threshold score. Based on identifying that the suspicion score satisfies the threshold score, the computing platform may train, based on the behavior pattern for the first packet, the prediction model to generate vulnerability scores for packets of network traffic information. Based on identifying that the suspicion score does not satisfy the threshold score, the computing platform may store the first packet with a suspicious packet identifier. The computing platform may generate, by inputting a second packet of the plurality of packets into the prediction model, a vulnerability score for the second packet. The computing platform may output, based on the vulnerability score, a zero-day vulnerability prediction.
In one or more examples, the computing platform may train, based on the historical zero-day vulnerability information, an unsupervised anomaly detection algorithm to generate vulnerability indicators based on input of packets of network traffic information. The computing platform may generate, based on the plurality of segments and using the unsupervised anomaly detection algorithm, a vulnerability indicator for the first packet indicating a likelihood of the first packet corresponding to a known zero-day vulnerability. The computing platform may identify whether the first packet matches a known zero-day vulnerability by comparing the vulnerability indicator to a threshold likelihood. Based on identifying that the vulnerability indicator meets or exceeds the threshold likelihood, the computing platform may identify that the first packet matches a known zero-day vulnerability. Based on identifying that the vulnerability indicator does not meet or exceed the threshold likelihood, the computing platform may identify that the first packet does not match a known zero-day vulnerability. In one or more arrangements, the object recognition algorithm may comprise an input layer configured to convert segments of network traffic information into numerical values. The object recognition algorithm may also
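The decision flow described in the summary above and recited in claims 1, 2, 3 and 10 (segment the packet, compare against historical zero-day information, alert on a match, otherwise preserve the packet, score it, train or store depending on the suspicion threshold, then score a second packet and emit a prediction), as an added illustration in Python. This is editorial example code, not code from the patent or from any Bank of America system. It assumes a hypothetical packet schema (dport, len, payload), uses a z-score detector over a benign baseline as a stand-in for the unsupervised algorithm and a coarse hi/lo/norm behavior pattern with position-wise similarity as a stand-in for both the vulnerability indicator and the neural-network vulnerability score; the baseline traffic, the historical record and the four sample packets are constructed.

```python
import hashlib
import math
import statistics

# Constructed sample data (hypothetical packet schema; not from the patent).
BASELINE_PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: a\r\n\r\n"
BASELINE = [{"dport": 443, "len": 520 + 7 * i, "payload": BASELINE_PAYLOAD}
            for i in range(20)]
# Historical zero-day information: a behavior pattern plus threat type.
# Pattern positions follow FEATURES; this record is constructed.
FEATURES = ("dport", "len", "payload_len", "entropy", "nop_count")
HISTORICAL = [{"name": "hist-0001", "threat": "NOP-sled buffer overflow",
               "pattern": ("norm", "hi", "hi", "lo", "hi")}]
# Constructed test packets (labels are only for the demo).
KNOWN_ATTACK = {"dport": 443, "len": 1400, "payload": b"\x90" * 650 + b"\xcc" * 50}
NOVEL_ATTACK = {"dport": 8080, "len": 900, "payload": b"A" * 500}
NOVEL_FOLLOWUP = {"dport": 8080, "len": 880, "payload": b"B" * 480}
ODD_BUT_BENIGN = {"dport": 443, "len": 700, "payload": BASELINE_PAYLOAD + b"X"}


def entropy(data):
    """Shannon entropy of a byte string, in bits."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def segment(packet):
    """Split packet information into a header segment and a payload segment."""
    p = packet["payload"]
    return {"header": (packet["dport"], packet["len"]),
            "payload": (len(p), entropy(p), p.count(b"\x90"))}


def to_vector(segments):
    """Input layer: convert the segments into one numeric feature vector."""
    return list(segments["header"]) + list(segments["payload"])


def similarity(pattern_a, pattern_b):
    """Fraction of positions on which two behavior patterns agree."""
    return sum(a == b for a, b in zip(pattern_a, pattern_b)) / len(pattern_a)


class ZeroDayPredictor:
    def __init__(self, baseline, historical, match_threshold=0.8,
                 suspicion_threshold=0.7, vuln_threshold=0.7):
        cols = list(zip(*(to_vector(segment(p)) for p in baseline)))
        self.mean = [statistics.fmean(c) for c in cols]
        # Floor the spread at 1.0 so constant baseline features cannot dominate.
        self.std = [max(statistics.pstdev(c), 1.0) for c in cols]
        self.historical = historical
        self.match_threshold = match_threshold
        self.suspicion_threshold = suspicion_threshold
        self.vuln_threshold = vuln_threshold
        self.learned = {}   # behavior pattern -> count of high-suspicion packets
        self.stored = {}    # suspicious packet identifier -> packet

    def score(self, packet):
        """Suspicion score in [0, 1) and a coarse behavior pattern per feature."""
        vec = to_vector(segment(packet))
        z = [(v - m) / s for v, m, s in zip(vec, self.mean, self.std)]
        suspicion = 1 - math.exp(-sum(min(abs(x), 10) for x in z) / len(z))
        pattern = tuple("hi" if x > 3 else "lo" if x < -3 else "norm" for x in z)
        return suspicion, pattern

    def match_known(self, pattern):
        """Vulnerability indicator: likelihood of matching a historical zero-day."""
        best = max(self.historical, key=lambda h: similarity(pattern, h["pattern"]))
        likelihood = similarity(pattern, best["pattern"])
        return (best if likelihood >= self.match_threshold else None), likelihood

    def process(self, packet):
        """Handle a first packet: alert, train on it, or store it for later."""
        suspicion, pattern = self.score(packet)
        known, _ = self.match_known(pattern)
        if known is not None:
            return {"action": "alert", "known": known["name"], "threat": known["threat"]}
        # Preserve as a potential new zero-day under a suspicious packet identifier.
        ident = hashlib.sha256(repr(sorted(packet.items())).encode()).hexdigest()[:16]
        if suspicion >= self.suspicion_threshold:
            self.learned[pattern] = self.learned.get(pattern, 0) + 1
            return {"action": "trained", "id": ident, "suspicion": suspicion}
        self.stored[ident] = packet
        return {"action": "stored", "id": ident, "suspicion": suspicion}

    def predict(self, packet):
        """Vulnerability score for a second packet, and a prediction if it qualifies."""
        suspicion, pattern = self.score(packet)
        if not self.learned:
            return 0.0, None
        nearest = max(self.learned, key=lambda p: similarity(pattern, p))
        score = suspicion * similarity(pattern, nearest)
        if score < self.vuln_threshold:
            return score, None
        return score, {"dport": packet["dport"], "pattern": nearest,
                       "prior_sightings": self.learned[nearest]}


def demo():
    """Run the four constructed packets through the pipeline in claim order."""
    model = ZeroDayPredictor(BASELINE, HISTORICAL)
    results = [model.process(p) for p in (KNOWN_ATTACK, NOVEL_ATTACK, ODD_BUT_BENIGN)]
    results.append(model.predict(NOVEL_FOLLOWUP))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The constructed packets exercise each branch: the NOP-sled packet matches the historical pattern and is alerted on, the high-port packet with a flat payload scores high and is trained into the model, the slightly long but otherwise normal request is stored under its identifier, and the follow-up packet is then predicted from the learned pattern. One caveat a practitioner should note about the claimed flow: because packets that clear the suspicion threshold are fed straight back into training, the model learns from its own unlabeled judgments, and a burst of anomalous but benign traffic (a new application rollout, for instance) will teach it to flag more of the same. In practice the training step is worth gating on analyst confirmation of the preserved packet.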