Aggregating alerts of malicious events for computer security


Bibliographic Details
Main Authors: Hershkovitz, Shelly; Yehudai, Gilad; Mantin, Itsik; Fisch, Lior; Ambar, Moran Rachel; Shulman, Amichai
Format: Patent
Language: English
Published: 04.01.2022

More Information
Summary: A method of processing malicious events in a network infrastructure determines features of malicious events detected by a firewall of an attack analyzer. Example features may indicate an origin of an attack, a target of the attack, or a type of a malicious event. The attack analyzer determines distances, e.g., using a non-Euclidean distance function, between features of a given malicious event and features of statistical distribution objects (SDOs). The SDOs describe clusters of previously detected malicious events. The attack analyzer may select one of the SDOs that has features similar to those of the given malicious event. The attack analyzer can update the SDOs by including an alert of the given malicious event with an existing cluster or generating a new cluster including the alert. The attack analyzer may transmit information describing the clusters of the SDOs to a management console.
Bibliography: Application Number: US201816000779
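The summary above describes a clustering loop: extract categorical features (origin, target, attack type) from each alert, measure a non-Euclidean distance to each existing cluster's statistical distribution object, attach the alert to the nearest cluster or open a new one, and report the clusters to a console. The following is an added illustration of that loop, not code from the patent or its assignee. The particular distance (one minus the share of the cluster's alerts that agree with the event on each feature, averaged over features), the 0.5 new-cluster threshold, and the sample alerts are all assumptions of this example.

```python
from collections import Counter
from dataclasses import dataclass, field

FEATURES = ("origin", "target", "attack_type")
NEW_CLUSTER_THRESHOLD = 0.5  # assumption: beyond this distance an alert opens a new cluster


@dataclass
class SDO:
    """Statistical distribution object: one cluster of alerts, summarised as
    per-feature value counts so a new alert can be compared against the
    cluster without re-reading every stored alert."""
    cluster_id: int
    counts: dict = field(default_factory=lambda: {f: Counter() for f in FEATURES})
    alerts: list = field(default_factory=list)

    def add(self, event):
        self.alerts.append(event)
        for f in FEATURES:
            self.counts[f][event[f]] += 1


def distance(event, sdo):
    """Non-Euclidean distance between an event and a cluster's distribution
    (an assumed metric, not the patent's). For each feature the term is
    1 minus the fraction of the cluster's alerts sharing the event's value;
    the terms are averaged, giving a value in [0, 1]. An empty cluster is
    maximally distant."""
    total = len(sdo.alerts)
    if total == 0:
        return 1.0
    return sum(1.0 - sdo.counts[f][event[f]] / total for f in FEATURES) / len(FEATURES)


def assign(event, sdos, threshold=NEW_CLUSTER_THRESHOLD):
    """Attach the event's alert to the nearest SDO, or open a new SDO when the
    nearest one is farther than the threshold. Returns the cluster id."""
    nearest = min(sdos, key=lambda s: distance(event, s), default=None)
    if nearest is None or distance(event, nearest) > threshold:
        nearest = SDO(cluster_id=len(sdos))
        sdos.append(nearest)
    nearest.add(event)
    return nearest.cluster_id


def console_view(sdos):
    """Per-cluster summary of the kind a management console would receive:
    cluster size plus the dominant value of each feature."""
    return [
        {
            "cluster_id": s.cluster_id,
            "size": len(s.alerts),
            **{f: s.counts[f].most_common(1)[0][0] for f in FEATURES},
        }
        for s in sdos
    ]


# Constructed sample alerts (not real traffic): a SQL-injection campaign
# against /login from two nearby sources, an XSS campaign against /search,
# and one XSS probe that shares its origin with the first campaign.
SAMPLE_EVENTS = [
    {"origin": "203.0.113.5", "target": "/login", "attack_type": "sqli"},
    {"origin": "203.0.113.5", "target": "/login", "attack_type": "sqli"},
    {"origin": "203.0.113.9", "target": "/login", "attack_type": "sqli"},
    {"origin": "198.51.100.7", "target": "/search", "attack_type": "xss"},
    {"origin": "198.51.100.7", "target": "/search", "attack_type": "xss"},
    {"origin": "203.0.113.5", "target": "/search", "attack_type": "xss"},
]


def run_example(events=SAMPLE_EVENTS):
    """Cluster the events in arrival order; return (assignments, console summary)."""
    sdos = []
    assignments = [assign(e, sdos) for e in events]
    return assignments, console_view(sdos)


if __name__ == "__main__":
    assignments, summary = run_example()
    print("cluster per alert:", assignments)
    for row in summary:
        print(row)
```

The last sample alert shows why the per-feature distribution matters: it matches the first cluster on origin only (distance 7/9) but matches the second cluster on target and type (distance 1/3), so it joins the XSS cluster rather than opening a third one. In practice the threshold, the feature weights and the handling of high-cardinality features such as source IP are tuning decisions; a threshold that is too low fragments one campaign into many clusters, too high merges unrelated ones.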