Real-time Detection and Reconstruction of Advanced Cyber Attack Campaigns from Host Event Logs using Provenance Tags and Customizable Policy

A system and method for identifying cyber attack events and reconstructing the attack campaign, with improved processing and storage efficiency

Background:

Cyber security has grown more complex as technology has evolved. Cyber attacks (computer network attacks, or CNAs) exploit computer systems or networks, often using malicious code to alter data, and can lead to cyber crimes such as identity or information theft. Current security platforms are well equipped to detect concrete indicators of compromise (IoCs), but are much weaker at finding the root cause of previously unknown threats. They usually lack a means of putting the pieces of an attack together when it spans multiple applications or hosts over a long period, so a manual effort is needed to assemble the picture, which can take weeks or even months. There is a need for a real-time threat detection system that can also produce a summary connecting the individual attack steps. Open problems in current systems include event storage, analysis, processing records efficiently and quickly, prioritizing entities, identifying impact, and coping with common (benign) usage scenarios without false alarms.

Technology Overview:

This technology is both a system and a method for detecting and reconstructing the events of a cyber attack. The system comprises a memory that stores instructions, coupled with a processing device, and an application for real-time event reconstruction that performs operations such as receiving an audit data stream. The method includes identifying trustworthiness values for the entities in the stream, assigning provenance tags based on those values, generating an initial visual representation (a dependency graph of subjects and objects), and condensing that representation. The system can then generate a scenario representation that specifies the nodes most relevant to the cyber events being analyzed.
Source: NSWC Crane Corporate Communications, www.navsea.navy.mil/Media/Images/igphoto/2001963531, public domain.
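The overview above describes the pipeline only in outline, so the following is an added worked example, written for this page and not taken from the patent or its authors. It replays a constructed audit stream (hypothetical process, file and network names; a TEST-NET-3 address) through the steps named in the text: each entity receives a trustworthiness value, provenance tags propagate along read/write flows, a customizable policy threshold decides when to alert, and the dependency graph is condensed to the shortest weighted path from the root cause to the alerting node. The concrete rules (a subject takes the minimum trust of what it reads, a written object inherits its writer's trust, and trusted sources cost more to traverse) are this example's assumptions, not claims about the patented method.

```python
"""Provenance-tag propagation and scenario condensation over audit events.

Added example, not the patent's own code. Trust values are assumed:
1.0 = fully trusted (system files), 0.0 = untrusted (external network data).
"""
import heapq
from collections import defaultdict

TRUSTED, UNTRUSTED = 1.0, 0.0

# Constructed audit events as (subject, operation, object); not real logs.
AUDIT_STREAM = [
    ("sshd", "read", "/etc/ssh/sshd_config"),
    ("firefox", "connect", "203.0.113.7:443"),   # TEST-NET-3, constructed
    ("firefox", "write", "/tmp/update.sh"),
    ("bash", "read", "/tmp/update.sh"),
    ("bash", "write", "/etc/cron.d/job"),
    ("sshd", "write", "/var/log/auth.log"),
]

# Customizable policy: alert when a subject below the threshold writes
# into a sensitive path prefix. Values are illustrative.
POLICY = {"write_threshold": 0.5, "sensitive_prefixes": ("/etc/",)}


def initial_trust(obj):
    """Assumed initial tag: network endpoints untrusted, files trusted."""
    return UNTRUSTED if ":" in obj else TRUSTED


def process_stream(events, policy):
    """Replay the stream; return (trust tags, flow edges, policy alerts)."""
    trust = {}                  # node -> current trustworthiness tag
    edges = defaultdict(set)    # forward information-flow edges
    alerts = []
    for subj, op, obj in events:
        trust.setdefault(subj, TRUSTED)
        trust.setdefault(obj, initial_trust(obj))
        if op in ("read", "connect"):
            # Data flows object -> subject: subject keeps the lowest tag seen.
            edges[obj].add(subj)
            trust[subj] = min(trust[subj], trust[obj])
        elif op == "write":
            # Data flows subject -> object: object inherits the writer's tag.
            edges[subj].add(obj)
            trust[obj] = min(trust[obj], trust[subj])
            if (trust[subj] < policy["write_threshold"]
                    and obj.startswith(policy["sensitive_prefixes"])):
                alerts.append((subj, obj))
    return trust, edges, alerts


def condense(alert_obj, trust, edges):
    """Shortest weighted backward path from the alerting node to a root.

    Flow edges are reversed and searched with Dijkstra. Traversing from a
    trusted source costs more, so the path prefers the untrusted flow that
    carried the attack. A root is a node with no inbound flow.
    """
    reverse = defaultdict(set)
    for src, dsts in edges.items():
        for dst in dsts:
            reverse[dst].add(src)
    dist, prev = {alert_obj: 0.0}, {}
    heap = [(0.0, alert_obj)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for src in reverse[node]:
            nd = d + 0.1 + trust[src]   # untrusted sources are cheap
            if nd < dist.get(src, float("inf")):
                dist[src], prev[src] = nd, node
                heapq.heappush(heap, (nd, src))
    roots = [n for n in dist if not reverse[n]]
    root = min(roots, key=dist.__getitem__)
    path = [root]
    while path[-1] != alert_obj:
        path.append(prev[path[-1]])
    return path


def run(events=AUDIT_STREAM, policy=POLICY):
    """Return the policy alerts and one condensed scenario per alert."""
    trust, edges, alerts = process_stream(events, policy)
    return alerts, [condense(obj, trust, edges) for _, obj in alerts]


if __name__ == "__main__":
    for (subj, obj), path in zip(*run()):
        print(f"ALERT: low-trust subject {subj} wrote {obj}")
        print("  scenario:", " -> ".join(path))
```

Lowering `write_threshold` to 0.0 suppresses the alert entirely, which is the page's "threshold values can be customized" point in miniature; the sshd activity never appears in the scenario because no weighted path from the alerting node leads through it.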

Advantages:

- Identification of the most pertinent attack steps
- Threshold values can be customized
- Real-time detection of attacks
- Eliminates subject-to-event pointers and the need for event identifiers
- Improvement in processing and space efficiency
- Shortest weighted path can be determined

Applications:

- Reconstruction of cyber events extracted from audit data
- Cyber security

Intellectual Property Summary:

Patent application submitted

Stage of Development:

Provisional patent application number: 62/719,197
Utility patent application number: 16/544,401

Licensing Status:

Available for licensing.

Licensing Potential:

- Development partner
- Licensing
- Commercial partner
