Patent · US Active

Anomaly sensor framework for detecting advanced persistent threat attacks

US9378361B1 · kind B1 · utility

Cited by: 148
References: 3
Claims: 27
Family size: 0

Assignee

Inventors

Key dates

Filing date: Dec 31, 2012
Grant date: Jun 28, 2016
Priority date:
Expiry date: Sep 2, 2033

Classification

  • Technology area (CPC G): Physics
  • CPC primary: G06F21/562
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

A threat detection system for detecting threat activity in a protected computer system includes anomaly sensors of distinct types, including user-activity sensors, host-activity sensors and application-activity sensors. Each sensor builds a history of pertinent activity over a training period; during a subsequent detection period the sensor compares current activity to that history to detect new activity, which it identifies in its sensor output. A set of correlators of distinct types is used, corresponding to different stages of threat activity according to modeled threat behavior. Each correlator receives the output of one or more sensors of different types and applies logical and/or temporal testing to detect activity patterns of the different stages. The results of the logical and/or temporal testing are used to generate alert outputs for a human or machine user.
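The sensor-plus-correlator scheme the abstract describes, as an added illustration that is not the patent's own code: three sensors learn a history of activity keys over a training period and emit anything unseen during detection, and a correlator applies a temporal test (new activity of one type followed within a window by related new activity of another type) to raise a stage alert. The event fields, the sample telemetry and the stage label are assumptions.

```python
# Constructed sample telemetry (not from the patent): training = benign baseline,
# detection = later period. Field names are hypothetical.
TRAINING = [
    {"t": 100, "user": "alice", "host": "ws1", "proc": "outlook.exe", "dst": "mail.corp"},
    {"t": 200, "user": "bob",   "host": "ws2", "proc": "excel.exe",   "dst": "files.corp"},
    {"t": 300, "user": "alice", "host": "ws1", "proc": "chrome.exe",  "dst": "web.corp"},
]
DETECTION = [
    {"t": 900,  "user": "alice", "host": "ws1", "proc": "outlook.exe", "dst": "mail.corp"},
    {"t": 1000, "user": "alice", "host": "ws2", "proc": "excel.exe",   "dst": "files.corp"},
    {"t": 1100, "user": "alice", "host": "ws2", "proc": "psexec.exe",  "dst": "ws3"},
    {"t": 5000, "user": "bob",   "host": "ws2", "proc": "notepad.exe", "dst": "-"},
]

class Sensor:
    """One anomaly sensor: learns a history of activity keys, then reports unseen keys."""
    def __init__(self, name, key_fn):
        self.name, self.key_fn, self.history = name, key_fn, set()

    def train(self, events):
        self.history.update(self.key_fn(e) for e in events)

    def detect(self, events):
        # Sensor output: (time, sensor name, new activity key) for activity not in history.
        return [(e["t"], self.name, self.key_fn(e))
                for e in events if self.key_fn(e) not in self.history]

def correlate(first, second, window, related, stage):
    """Temporal + logical test: a new 'second' activity preceded within `window` seconds
    by new 'first' activity that `related` links to it raises one alert for `stage`."""
    alerts = []
    for tb, nb, kb in second:
        prior = [(ta, na, ka) for ta, na, ka in first
                 if 0 <= tb - ta <= window and related(ka, kb)]
        if prior:
            alerts.append({"stage": stage, "t": tb, "trigger": (nb, kb), "preceded_by": prior})
    return alerts

def run_demo(training=TRAINING, detection=DETECTION):
    sensors = [Sensor("user-activity", lambda e: (e["user"], e["host"])),
               Sensor("host-activity", lambda e: (e["host"], e["proc"])),
               Sensor("application-activity", lambda e: (e["proc"], e["dst"]))]
    for s in sensors:
        s.train(training)
    outputs = {s.name: s.detect(detection) for s in sensors}
    # Hypothetical stage: a user appearing on a new host, then a new process on that host.
    alerts = correlate(outputs["user-activity"], outputs["host-activity"], window=600,
                       related=lambda user_key, host_key: user_key[1] == host_key[0],
                       stage="new logon followed by new process on same host")
    return outputs, alerts
```

On the sample data the psexec.exe event at t=1100 is alerted because two new user-activity outputs on ws2 precede it within the window, while the new notepad.exe process at t=5000 stays a bare sensor output since no new user activity lies within 600 seconds of it.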

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.