-
公开(公告)号:US10887325B1
公开(公告)日:2021-01-05
申请号:US15894703
申请日:2018-02-12
申请人: Exabeam, Inc.
发明人: Derek Lin , Baoming Tang , Qiaona Hu , Barry Steiman , Domingo Mihovilovic , Sylvain Gil
摘要: The present disclosure describes a system, method, and computer program for determining the cybersecurity risk associated with a first-time access event in a computer network. In response to receiving an alert that a user has accessed a network entity for the first time, a user behavior analytics system uses a factorization machine to determine the affinity between the accessing user and the accessed entity. The affinity measure is based on the accessing user's historical access patterns in the network, as wells as context data for both the accessing user and the accessed entity. The affinity score for an access event may be used to filter first-time access alerts or weight first-time access alerts in performing a risk assessment of the accessing user's network activity. The result is that many false-positive first-time access alerts are suppressed and not factored (or not factored heavily) into cybersecurity risk assessments.
-
公开(公告)号:US12063226B1
公开(公告)日:2024-08-13
申请号:US17484348
申请日:2021-09-24
申请人: Exabeam, Inc.
发明人: Derek Lin , Domingo Mihovilovic , Sylvain Gil
IPC分类号: H04L9/40 , G06F16/901 , H04L41/0631
CPC分类号: H04L63/1416 , G06F16/9024 , H04L41/064 , H04L41/065
摘要: The present disclosure relates to a system, method, and computer program for graph-based multi-stage attack detection in which alerts are displayed in the context of tactics in an attack framework, such as the MITRE ATT&CK framework. The method enables the detection of cybersecurity threats that span multiple users and sessions and provides for the display of threat information in the context of a framework of attack tactics. Alerts spanning an analysis window are grouped into tactic blocks. Each tactic block is associated with an attack tactic and a time window. A graph is created of the tactic blocks, and threat scenarios are identified from independent clusters of directionally connected tactic blocks in the graph. The threat information is presented in the context of a sequence of attack tactics in the attack framework.
-
公开(公告)号:US11423143B1
公开(公告)日:2022-08-23
申请号:US16228071
申请日:2018-12-20
申请人: Exabeam, Inc.
发明人: Derek Lin , Barry Steiman , Domingo Mihovilovic , Sylvain Gil
摘要: A cybersecurity system, method, and computer program is provided for detecting whether an entity's collection of processes during an interval is abnormal compared to the historical collection of processes observed for the entity during previous intervals of the same length. Logs from a training period are used to calculate global and local risk probabilities for each process based on the process's execution history during the training period. Risk probabilities may be computed using a Bayesian framework. For each entity in a network, an entity risk score is calculated by summing the applicable risk probabilities of the unique processes executed by the entity during an interval. An entity's historical risk scores form a score distribution. If an entity's current score is an outlier on the historical score distribution, an alert of potentially malicious behavior is generated with respect to the entity. Additional post-processing may be performed to reduce false positives.
-
4.发明申请公开(公告)号:US20200228557A1
公开(公告)日:2020-07-16
申请号:US16828629
申请日:2020-03-24
申请人: Exabeam, Inc.
发明人: Derek Lin , Qiaona Hu , Domingo Mihovilovic , Sylvain Gil , Barry Steiman
摘要: The present disclosure relates a system, method, and computer program for detecting anomalous user network activity based on multiple data sources. The system extracts user event data for n days from multiple data sources to create a baseline behavior model that reflects the user's daily volume and type of IT events. In creating the model, the system addresses data heterogeneity in multi-source logs by categorizing raw events into meta events. Thus, baseline behavior model captures the user's daily meta-event pattern and volume of IT meta events over n days. The model is created using a dimension reduction technique. The system detects any anomalous pattern and volume changes in a user's IT behavior on day n by comparing user meta-event activity on day n to the baseline behavior model. A score normalization scheme allows identification of a global threshold to flag current anomalous activity in the user population.
-
公开(公告)号:US11431741B1
公开(公告)日:2022-08-30
申请号:US16410181
申请日:2019-05-13
申请人: Exabeam, Inc.
发明人: Derek Lin , Domingo Mihovilovic , Sylvain Gil , Barry Steiman
摘要: The present disclosure describes a system, method, and computer program for detecting unmanaged and unauthorized assets on an IT network by identifying anomalously-named assets. A recurrent neural network (RNN) is trained to identify patterns in asset names in a network. The RNN learns the character distribution patterns of the names of all observed assets in the training data, effectively capturing the hidden naming structures followed by a majority of assets on the network. The RNN is then used to identify assets with names that deviate from the hidden naming structures. Specifically, the RNN is used to measure the reconstruction errors of input asset name strings. Asset names with high reconstruction errors are anomalous since they cannot be explained by learned naming structures. After filtering for attributes or circumstances that mitigate risk, such assets are associated with a higher cybersecurity risk.
-
公开(公告)号:US20220006814A1
公开(公告)日:2022-01-06
申请号:US17478805
申请日:2021-09-17
申请人: Exabeam, Inc.
发明人: Derek Lin , Barry Steiman , Domingo Mihovilovic , Sylvain Gil
摘要: The present disclosure describes a system, method, and computer program for automatically classifying user accounts within an entity's computer network, using machine-based-learning modeling and keys from an identity management system. A system uses supervised machine learning to create a statistical model that maps individual keys or sets of keys to a probability of being associated with a first type of user account (e.g., a service account). To classify an unclassified user account, the system identifies identity management keys associated with the unclassified user account. The system creates an N-dimensional vector from the keys (where N=the number of keys), and uses the vector and the statistical model to calculate a probability that the unclassified user account is the first type of user account. In response to the probability exceeding a first threshold, the system classifies the unclassified user account as the first type of user account.
-
公开(公告)号:US10944777B2
公开(公告)日:2021-03-09
申请号:US16828629
申请日:2020-03-24
申请人: Exabeam, Inc.
发明人: Derek Lin , Qiaona Hu , Domingo Mihovilovic , Sylvain Gil , Barry Steiman
摘要: The present disclosure relates a system, method, and computer program for detecting anomalous user network activity based on multiple data sources. The system extracts user event data for n days from multiple data sources to create a baseline behavior model that reflects the user's daily volume and type of IT events. In creating the model, the system addresses data heterogeneity in multi-source logs by categorizing raw events into meta events. Thus, baseline behavior model captures the user's daily meta-event pattern and volume of IT meta events over n days. The model is created using a dimension reduction technique. The system detects any anomalous pattern and volume changes in a user's IT behavior on day n by comparing user meta-event activity on day n to the baseline behavior model. A score normalization scheme allows identification of a global threshold to flag current anomalous activity in the user population.
-
公开(公告)号:US10178108B1
公开(公告)日:2019-01-08
申请号:US15169284
申请日:2016-05-31
申请人: Exabeam, Inc.
发明人: Derek Lin , Barry Steiman , Domingo Mihovilovic , Sylvain Gil
摘要: The present disclosure describes a system, method, and computer program for identifying and classifying service accounts in a network based on account behavior. For each evaluated account in the network, a plurality of behavior indicators are calculated. The behavior indicators correspond to service account behaviors and, for each account, are calculated based on network events associated with the account. Each behavior indicator is compared to a threshold specific to the corresponding behavior. If one or more behavior indicators for an account satisfies the applicable threshold, the account is deemed to display service account behavior. Consistency in which an account displays service account behavior is factored into classifying accounts as service accounts.
-
公开(公告)号:US12034732B2
公开(公告)日:2024-07-09
申请号:US17478805
申请日:2021-09-17
申请人: Exabeam, Inc.
发明人: Derek Lin , Barry Steiman , Domingo Mihovilovic , Sylvain Gil
CPC分类号: H04L63/102 , G06N20/00
摘要: The present disclosure describes a system, method, and computer program for automatically classifying user accounts within an entity's computer network, using machine-based-learning modeling and keys from an identity management system. A system uses supervised machine learning to create a statistical model that maps individual keys or sets of keys to a probability of being associated with a first type of user account (e.g., a service account). To classify an unclassified user account, the system identifies identity management keys associated with the unclassified user account. The system creates an N-dimensional vector from the keys (where N=the number of keys), and uses the vector and the statistical model to calculate a probability that the unclassified user account is the first type of user account. In response to the probability exceeding a first threshold, the system classifies the unclassified user account as the first type of user account.
-
公开(公告)号:US11956253B1
公开(公告)日:2024-04-09
申请号:US17239426
申请日:2021-04-23
申请人: Exabeam, Inc.
发明人: Derek Lin , Domingo Mihovilovic , Sylvain Gil
CPC分类号: H04L63/1416 , G06N5/04 , G06N20/00
摘要: The present disclosure relates to a machine-learning system, method, and computer program for ranking security alerts from multiple sources. The system self-learns risk levels associated with alerts by calculating risk probabilities for the alerts based on characteristics of the alerts and historical alert data. In response to receiving a security alert from one of a plurality of alert-generation sources, the alert-ranking system evaluates the security alert with respect to a plurality of feature indicators. The system creates a feature vector for the security alert based on the feature indicator values identified for the alert. The system then calculates a probability that the security alert relates to a cybersecurity risk in the computer network based on the created feature vector and historical alert data in the network. The system ranks alerts from a plurality of different sources based on the calculated cybersecurity risk probabilities.
-
-
-
-
-
-
-
-
-
搜索结果
12 条记录 (耗时 0.014 秒)
