Anomaly sensor framework for detecting advanced persistent threat attacks
    Patent type: Invention grant (in force)

    Publication number: US09378361B1

    Publication date: 2016-06-28

    Application number: US13731635

    Application date: 2012-12-31

    Abstract: A threat detection system for detecting threat activity in a protected computer system includes anomaly sensors of distinct types, including user-activity sensors, host-activity sensors and application-activity sensors. Each sensor builds a history of pertinent activity over a training period, and during a subsequent detection period the sensor compares current activity to the history to detect new activity. The new activity is identified in the respective sensor output. A set of correlators of distinct types is used, corresponding to different stages of threat activity according to modeled threat behavior. Each correlator receives the output of one or more sensors of different types and applies logical and/or temporal testing to detect the activity patterns of the different stages. The results of the logical and/or temporal testing are used to generate alert outputs for a human or machine user.
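    As an added illustration (not the patent's own code), the following Python models the two layers the abstract describes: per-type sensors that learn a history during a training period and report activity absent from it, and stage correlators that apply a logical AND across sensor types within a time window. The sensor kinds, stage names, window lengths and log records are constructed assumptions, not values from the patent.

```python
# Added example: training-then-detection sensors plus stage correlators.
# Event format (constructed): (timestamp_seconds, sensor_kind, activity_key)
class AnomalySensor:
    """One sensor type (user, host or app): learns a history of activity keys
    during training, then reports any key absent from that history as new."""
    def __init__(self, kind):
        self.kind, self.history = kind, set()
    def train(self, events):
        self.history.update(key for _, kind, key in events if kind == self.kind)
    def detect(self, events):
        # only this sensor's kind is examined; unseen keys are 'new activity'
        return [e for e in events if e[1] == self.kind and e[2] not in self.history]

class StageCorrelator:
    """One modeled threat stage: fires when every required sensor kind reported
    new activity inside one time window (logical AND plus temporal test)."""
    def __init__(self, stage, required_kinds, window):
        self.stage, self.required, self.window = stage, set(required_kinds), window
    def correlate(self, new_activity):
        events = sorted(e for e in new_activity if e[1] in self.required)
        alerts = []
        for i, first in enumerate(events):
            group = [e for e in events[i:] if e[0] - first[0] <= self.window]
            if {e[1] for e in group} == self.required:
                alerts.append((self.stage, first[0], tuple(group)))
        return alerts

def run_detection(train_log, detect_log, correlators):
    sensors = [AnomalySensor(k) for k in ("user", "host", "app")]
    for s in sensors:
        s.train(train_log)
    new_activity = [e for s in sensors for e in s.detect(detect_log)]
    return [a for c in correlators for a in c.correlate(new_activity)]

# Constructed sample logs (hypothetical users, hosts and destinations)
TRAIN_LOG = [(0, "user", "alice@ws1"), (10, "host", "ws1:outlook.exe"),
             (20, "app", "outlook.exe:mail.corp.example")]
DETECT_LOG = [(100, "user", "alice@ws1"),                  # seen in training
              (105, "user", "alice@srv7"),                 # new user/host pair
              (110, "host", "srv7:powershell.exe"),        # new process on srv7
              (400, "app", "powershell.exe:203.0.113.5")]  # new destination, 290 s later
CORRELATORS = [StageCorrelator("lateral_movement", ("user", "host"), 60),
               StageCorrelator("exfiltration", ("host", "app"), 60)]

if __name__ == "__main__":
    # only lateral_movement fires: the app event falls outside the 60 s window
    for alert in run_detection(TRAIN_LOG, DETECT_LOG, CORRELATORS):
        print(alert)
```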

