Network security


Bibliographic Details
Main Authors: Andrew J Thomas, Karl Ackerman, Russell Humphries, Daniel Salvatore Schiappa, Kenneth D Ray
Format: Patent
Language: English
Published: 15.02.2023

Summary: A system 1400 comprising a compute instance 1402 connected to an enterprise network with a number of sensors 1404 detecting events 1406, a first entity model for an entity associated with the compute instance 1402 and a local security agent 1408 executing on the compute instance 1402. The local security agent 1408 is configured to receive events 1406 from the sensors 1404, collect events 1406 into one or more event vectors 1410, calculate a first risk score based on or indicative of a first distance or deviation between the event vectors 1410 and the first entity model, and transmit or report the event vectors to a threat management facility 1412 that has greater computational resources than the local security agent 1408. A second entity model 1420 for the entity is adapted for use by the greater computational resources of the threat management facility 1412, and the threat management facility 1412 is configured to calculate a second risk score based on or indicative of a second distance or deviation between the event vectors 1410 and the second entity model 1420. Remedial action for the compute instance 1402 may be deployed from the local security agent 1408 and the threat management facility 1412 based on the first risk score meeting a first threshold and the second risk score meeting a second threshold.
Bibliography: Application Number: GB20220016072