
Background
Cyber security has become a more complex field as technology has evolved. Cyber attacks (computer network attacks, or CNAs) exploit computer systems or networks and often use malicious code to alter data, which can lead to crimes such as identity or information theft. Current cyber security platforms are well equipped to detect concrete indicators of compromise (IoCs), but they are poor at identifying the root cause of unknown threats. They usually lack a means of putting the pieces of an attack together when the attack spans multiple applications or hosts over a long time frame, so a manual effort is needed to connect the events, which can stretch the investigation to weeks or even months. There is a need for a real-time threat detection system that can also produce a summary connecting the steps of an attack. Problems facing current developments include event storage, analysis, efficient and fast processing of records, prioritizing entities, identifying impact, and handling common usage scenarios.
Technology
This technology is a system and method for detecting and reconstructing the events of a cyber attack. It comprises a memory that stores instructions, coupled with a processing device. It includes an application for real-time reconstruction of events and can perform a variety of operations, such as receiving an audit data stream. The system and method include identifying trustworthiness values, assigning provenance tags based on those values, generating an initial visual representation, and condensing that representation. The system can then generate a scenario representation that specifies the nodes most relevant to the cyber events under analysis.
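The following is an added illustration of the pipeline described above (audit stream in, provenance tags assigned from trustworthiness, the graph condensed, and a shortest weighted path used to pick out the most relevant nodes). It is example code written for this page, not the inventors' implementation. The audit record format, the policy that treats remote addresses as untrusted sources, the two trust levels and the edge-weighting rule (cheap edges for untrusted flows) are all assumptions made here for illustration; the process names, paths and addresses are constructed sample data.

```python
import heapq
from collections import defaultdict

# Constructed audit records in the form (subject, operation, object).
# Process names, paths and addresses are invented for this example.
AUDIT_STREAM = [
    ("firefox", "connect", "203.0.113.5:443"),
    ("firefox", "write", "/tmp/update.sh"),
    ("bash", "read", "/tmp/update.sh"),
    ("bash", "exec", "curl"),
    ("curl", "connect", "198.51.100.7:80"),
    ("curl", "write", "/etc/cron.d/job"),
    ("sshd", "read", "/etc/ssh/sshd_config"),
    ("sshd", "write", "/var/log/auth.log"),
]

# Two trustworthiness values (assumed for this example); lower is less trusted.
TRUST = {"benign": 1, "unknown": 0}


def source_trust(obj):
    """Hypothetical policy: data arriving from a remote address is untrusted."""
    host = obj.split(":")[0]
    if ":" in obj and host.replace(".", "").isdigit():
        return "unknown"
    return "benign"


def build_graph(stream):
    """Consume the audit stream in order. Each node receives a provenance tag;
    a destination inherits the lower trust of whatever flows into it.
    Edges that carry untrusted data get a low weight so the shortest
    weighted path prefers them. Returns (tags, adjacency)."""
    tags = {}
    adj = defaultdict(list)  # src -> [(dst, weight)]
    for subj, op, obj in stream:
        if op in ("read", "connect"):  # data flows object -> subject
            src, dst, src_default = obj, subj, source_trust(obj)
        else:                          # write / exec: subject -> object
            src, dst, src_default = subj, obj, "benign"
        tags.setdefault(src, src_default)
        tags.setdefault(dst, "benign")
        if TRUST[tags[src]] < TRUST[tags[dst]]:
            tags[dst] = tags[src]      # tag propagation along the flow
        weight = 1 if tags[src] == "unknown" else 10
        adj[src].append((dst, weight))
    return tags, adj


def condense(tags, adj):
    """Condensed representation: keep only nodes and edges carrying untrusted
    provenance, dropping the benign background activity."""
    kept = {n for n, t in tags.items() if t == "unknown"}
    return {s: [(d, w) for d, w in adj[s] if d in kept]
            for s in adj if s in kept}


def shortest_weighted_path(adj, start, goal):
    """Dijkstra over the flow graph. Returns (cost, [nodes]) or (None, [])."""
    dist, prev = {start: 0}, {}
    heap = [(0, start)]
    while heap:
        d, n = heapq.heappop(heap)
        if d > dist[n]:
            continue
        if n == goal:
            path = [goal]
            while path[-1] != start:
                path.append(prev[path[-1]])
            return d, path[::-1]
        for m, w in adj.get(n, []):
            if d + w < dist.get(m, float("inf")):
                dist[m], prev[m] = d + w, n
                heapq.heappush(heap, (dist[m], m))
    return None, []


def reconstruct_scenario(stream, sink):
    """Scenario representation for a sensitive sink: for every untrusted entry
    point (no incoming edge) that can reach the sink, the cheapest path."""
    tags, adj = build_graph(stream)
    small = condense(tags, adj)
    has_incoming = {d for s in small for d, _ in small[s]}
    entries = [n for n in small if n not in has_incoming]
    scenario = {}
    for entry in entries:
        cost, path = shortest_weighted_path(small, entry, sink)
        if cost is not None:
            scenario[entry] = (cost, path)
    return scenario


if __name__ == "__main__":
    for entry, (cost, path) in reconstruct_scenario(AUDIT_STREAM, "/etc/cron.d/job").items():
        print(f"{entry} (cost {cost}): " + " -> ".join(path))
```

Run stand-alone, the script reports two candidate chains ending at the cron file: one that starts at the address the browser contacted and passes through the downloaded script and the shell, and a shorter one starting at the address the child process contacted. The benign sshd activity never appears because the condensing step drops nodes that only carry trusted provenance; an analyst would start from the chains the script returns rather than from the raw audit stream.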
Advantages
- Identification of the most pertinent attack steps
- Threshold values can be customized
- Real-time detection of attacks
- Eliminates subject-to-event pointers and the need for event identifiers
- Improved processing and space efficiency
- Shortest weighted path can be determined
Application
- Reconstruction of cyber events extracted from audit data
- Cyber security
Inventors
R. Sekar, SUNY Empire Innovation Professor and Associate Chair, Computer Science
Junao Wang, Research Assistant, Computer Science
Md Nahid Hossain, PhD Student/Research Assistant, Computer Science
Scott Stoller, Professor, Computer Science
Sadegh Milajerdi
Birhanu Eshete
Rigel Gjomemo
V.N. Venkatakrishnan, Professor
Licensing Potential
Development partner, Licensing, Commercial partner
Licensing Status
Available for licensing.
Licensing Contact
Donna Tumminello, Assistant Director, Intellectual Property Partners, donna.tumminello@stonybrook.edu, 631-632-4163
Patent Status
Patent application submitted
Provisional application number: 62/719,197
Utility patent application number: 16/544,401
Tech Id
050-8943