Real-time detection and reconstruction of advanced cyber attack campaigns from host event logs
A system and method for identifying cyber attacks and events and reconstruction thereof with improvements in efficiency

Background:
Cyber security has grown more complex as technology has evolved. Cyber attacks (computer network attacks, CNAs) exploit computer systems or networks and often use malicious code to alter data, which can lead to crimes such as identity or information theft. Current cyber security platforms are well equipped to detect concrete indicators of compromise (IoCs), but they are far weaker at finding the root cause of unknown threats. They usually lack a means of putting the pieces of an attack together when it spans multiple applications or hosts over a long time frame, so a manual effort is needed, which can prolong the process for weeks or even months. There is a need for a real-time threat detection system that can also produce a summary connecting the steps of an attack. Problems with current approaches include event storage, analysis, processing records efficiently and quickly, prioritizing entities, identifying impact, and dealing with common usage scenarios.

Technology Overview:
This technology is both a system and a method for detecting and reconstructing the events of a cyber attack. It comprises a memory that stores instructions, coupled with a processing device, and includes an application for real-time reconstruction of events that can perform a variety of operations, such as receiving an audit data stream. The system and method identify trustworthiness values, assign provenance tags based on those values, generate an initial visual representation, and condense that representation. The system can generate a scenario representation specifying the nodes most relevant to the cyber events being analyzed.
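As an added illustration of the tag-based approach described in the overview (and of the shortest-weighted-path and no-event-pointer points listed under Advantages), not code from the patented system: trust tags are propagated over a constructed audit stream, a weighted provenance graph is built from the flows, and the shortest weighted path from an untrusted entry point to an alerting process gives the condensed scenario. The event format, the trust policy in `initial_trust`, the edge weights and the alert rule are assumptions made for this example.

```python
# Added example (not the patented system's code); event format, trust policy and weights are assumptions.
import heapq
from collections import defaultdict

AUDIT_STREAM = [  # constructed events: (subject process, operation, object)
    ("firefox", "recv", "sock:203.0.113.5"),   # external input: untrusted source
    ("firefox", "write", "/tmp/dropper"),
    ("bash", "read", "/etc/hostname"),         # unrelated benign activity
    ("dropper", "exec", "/tmp/dropper"),       # program loaded from a tainted file
    ("dropper", "read", "/etc/shadow"),        # sensitive object
]
SENSITIVE = {"/etc/shadow"}
INBOUND = {"recv", "read", "exec"}  # data flows object -> subject; others subject -> object

def initial_trust(entity):
    # Assumed policy: external sockets start untrusted (0.0), everything else trusted (1.0)
    return 0.0 if entity.startswith("sock:") else 1.0

def process_stream(events):  # propagate tags, build weighted provenance graph, raise alerts
    trust, graph, alerts = {}, defaultdict(dict), []  # tags are kept on entities, not events
    for subj, op, obj in events:
        for e in (subj, obj):
            trust.setdefault(e, initial_trust(e))
        src, dst = (obj, subj) if op in INBOUND else (subj, obj)
        trust[dst] = min(trust[dst], trust[src])  # tag propagation along the data flow
        graph[src][dst] = 1.0 + trust[src]        # a hop costs 1, data from a trusted source 2
        if op == "read" and obj in SENSITIVE and trust[subj] < 1.0:
            alerts.append((subj, obj))            # untrusted process reached a sensitive file
    return trust, graph, alerts

def shortest_path(graph, source, target):  # Dijkstra; [] when target is unreachable
    dist, prev, pq = {source: 0.0}, {}, [(0.0, source)]
    while pq:
        d, node = heapq.heappop(pq)
        for nxt, w in graph.get(node, {}).items():
            if d + w < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = d + w, node
                heapq.heappush(pq, (d + w, nxt))
    if target not in dist:
        return []
    path = [target]
    while path[-1] != source:
        path.append(prev[path[-1]])
    return path[::-1]

def reconstruct(events):  # condensed scenario per alert: untrusted entry -> alerting process
    trust, graph, alerts = process_stream(events)
    entries = [e for e in trust if initial_trust(e) == 0.0]
    return {(subj, obj): next(filter(None, (shortest_path(graph, e, subj) for e in entries)), [])
            for subj, obj in alerts}
```

Running `reconstruct(AUDIT_STREAM)` yields one scenario, sock -> firefox -> /tmp/dropper -> dropper, with the unrelated bash activity left out of the condensed path.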
Advantages:
- Identification of the most pertinent attack steps
- Threshold values can be customized
- Real-time detection of attacks
- Eliminates subject-to-event pointers and the need for event identifiers
- Improvement in processing and space efficiency
- Shortest weighted path can be determined

Applications:
- Reconstruction of cyber events extracted from audit data
- Cyber security

Intellectual Property Summary: Patent application submitted
Stage of Development: 62/719,197
Utility patent application number: 16/544,401
Licensing Potential: Development partner, Licensing, Commercial partner
Licensing Status: Available for licensing.
050-8943
Image source: NSWC Crane Corporate Communications, www.navsea.navy.mil/Media/Images/igphoto/2001963531, public domain.