Title: Profiling cyber threats detected in a target environment and automatically generating one or more rule bases for an expert system usable to profile cyber threats detected in a target environment
Abstract: A computer implemented method of profiling cyber threats detected in a target environment, comprising: receiving, from a Security Information and Event Manager (SIEM) monitoring the target environment, alerts triggered by a detected potential cyber threat, and, for each alert: retrieving captured packet data related to the alert; extracting data pertaining to a set of attributes from the captured packet data triggering the alert; and applying fuzzy logic to data pertaining to one or more of the attributes to determine values for one or more output variables indicative of a level of an aspect of risk attributable to the cyber threat.
Publication number: US9503472 (B2)    Publication date: 2016-11-22
Application number: US201414562541    Filing date: 2014-12-05
Applicant: CYBERLYTIC LIMITED    Inventors: Laidlaw Stuart; Harold St. John; Hillick Mark
Classification (IPC): G06F11/00; H04L29/06; G06F21/55; G06N5/04; G06F21/57    Main classification: G06F11/00
Agent (firm): Cowan, Liebowitz & Latman, P.C.    Attorneys: Cowan, Liebowitz & Latman, P.C.; Underwood Steven D.
Main claim: 1. A computer implemented method of profiling cyber threats detected in a target environment, comprising: receiving, from a Security Information and Event Manager (SIEM) monitoring the target environment, alerts triggered by a detected potential cyber threat, and, for each alert:
(A) retrieving captured packet data related to the alert;
(B) extracting data pertaining to a set of attributes from the captured packet data triggering the alert; and
(C) applying fuzzy logic to data pertaining to one or more of the attributes to determine values for one or more output variables indicative of a level of an aspect of risk attributable to the cyber threat;
wherein the fuzzy logic comprises one or more rule bases comprising fuzzy rules and being usable to evaluate a CT (cyber threat) risk indicator;
wherein each fuzzy rule of a rule base has: as an antecedent, a fuzzy set of one or more input fuzzy variables each representative of a said attribute and any logical operators connecting input fuzzy variables, and as a consequent, a fuzzy set of an output fuzzy variable representative of the CT risk indicator;
and wherein step (C) comprises, for each fuzzy rule of a rule base:
(i) for each input fuzzy variable of the antecedent, fuzzifying data pertaining to the attribute represented by the input fuzzy variable to determine a membership value across the fuzzy set of the input fuzzy variable;
(ii) evaluating the antecedent, performing any declared fuzzy logical operators to provide a single membership value; and
(iii) evaluating the consequent by performing a fuzzy implication operator on the antecedent to determine the membership value of the relevant output cyber threat indicator.
Address: London, GB
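The following Python is an added worked example of claim steps (B) and (C) as a Mamdani-style fuzzy inference pass over packet attributes; it is not code from the patent or from Cyberlytic. The attribute names (payload_bytes, conn_rate), the membership functions, the four rules, AND as min, the min implication operator, and the closing max aggregation and centroid defuzzification (which go beyond claim 1, which stops at the consequent membership values) are all assumptions chosen for illustration, and the packet summaries are constructed, not captured.

```python
"""Mamdani-style fuzzy inference over attributes extracted from captured packets.

Added worked example for this page; not the patent's or Cyberlytic's code.
Attribute names, membership functions, rules, operators and the
defuzzification step are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

MembershipFn = Callable[[float], float]


def trapezoid(a: float, b: float, c: float, d: float) -> MembershipFn:
    """Trapezoid: 0 outside (a, d), ramps up over [a, b], 1 on [b, c], ramps down over [c, d]."""
    def mu(x: float) -> float:
        if b <= x <= c:
            return 1.0
        if x <= a or x >= d:
            return 0.0
        return (x - a) / (b - a) if x < b else (d - x) / (d - c)
    return mu


# Input fuzzy variables: assumed attributes of the packets behind one alert.
INPUTS: Dict[str, Dict[str, MembershipFn]] = {
    "payload_bytes": {"small": trapezoid(0, 0, 200, 600),
                      "large": trapezoid(400, 1200, 65535, 65535)},
    "conn_rate": {"low": trapezoid(0, 0, 5, 20),          # packets per second
                  "high": trapezoid(10, 50, 1e9, 1e9)},
}
# Output fuzzy variable: the CT risk indicator on an assumed 0..100 scale.
RISK_UNIVERSE: List[float] = [float(y) for y in range(0, 101)]
OUTPUT: Dict[str, MembershipFn] = {
    "low": trapezoid(0, 0, 20, 50),
    "medium": trapezoid(30, 50, 50, 70),
    "high": trapezoid(50, 80, 100, 100),
}


@dataclass(frozen=True)
class Rule:
    antecedent: Tuple[Tuple[str, str], ...]  # (input variable, fuzzy set) terms
    op: str                                  # operator joining the terms: "and" | "or"
    consequent: str                          # fuzzy set of the output variable


RULES: List[Rule] = [
    Rule((("payload_bytes", "large"), ("conn_rate", "high")), "and", "high"),
    Rule((("payload_bytes", "large"), ("conn_rate", "low")), "and", "medium"),
    Rule((("payload_bytes", "small"), ("conn_rate", "high")), "and", "medium"),
    Rule((("payload_bytes", "small"), ("conn_rate", "low")), "and", "low"),
]


def extract_attributes(packets: List[dict]) -> Dict[str, float]:
    """Claim step (B): crisp attribute values from pcap-like packet summaries."""
    duration = max(p["ts"] for p in packets) - min(p["ts"] for p in packets)
    return {
        "payload_bytes": float(max(p["length"] for p in packets)),
        "conn_rate": len(packets) / max(duration, 1e-3),
    }


def fuzzify(var: str, value: float) -> Dict[str, float]:
    """Step (C)(i): membership of a crisp value in every fuzzy set of one input variable."""
    return {name: mu(value) for name, mu in INPUTS[var].items()}


def evaluate_antecedent(rule: Rule, crisp: Dict[str, float]) -> float:
    """Step (C)(ii): AND as min, OR as max, giving one firing strength per rule."""
    degrees = [fuzzify(var, crisp[var])[fset] for var, fset in rule.antecedent]
    return min(degrees) if rule.op == "and" else max(degrees)


def imply(rule: Rule, firing: float) -> List[float]:
    """Step (C)(iii): Mamdani (min) implication clips the consequent set at the firing strength."""
    mu = OUTPUT[rule.consequent]
    return [min(firing, mu(y)) for y in RISK_UNIVERSE]


def infer_risk(crisp: Dict[str, float]) -> Tuple[float, List[float]]:
    """Run every rule, aggregate clipped consequents with max, defuzzify by centroid.

    Aggregation and defuzzification are assumptions beyond claim 1.
    Returns (risk score on 0..100, per-rule firing strengths in RULES order).
    """
    aggregated = [0.0] * len(RISK_UNIVERSE)
    firing: List[float] = []
    for rule in RULES:
        w = evaluate_antecedent(rule, crisp)
        firing.append(w)
        aggregated = [max(a, c) for a, c in zip(aggregated, imply(rule, w))]
    mass = sum(aggregated)
    score = sum(y * m for y, m in zip(RISK_UNIVERSE, aggregated)) / mass if mass else 0.0
    return score, firing


# Constructed packet summaries for one alert (not real capture data).
SAMPLE_PACKETS = [
    {"ts": 0.0, "src": "10.0.0.5", "dst": "10.0.0.20", "dport": 445, "length": 1460},
    {"ts": 0.1, "src": "10.0.0.5", "dst": "10.0.0.20", "dport": 445, "length": 60},
    {"ts": 0.2, "src": "10.0.0.5", "dst": "10.0.0.20", "dport": 445, "length": 1460},
    {"ts": 0.3, "src": "10.0.0.5", "dst": "10.0.0.20", "dport": 445, "length": 60},
    {"ts": 0.4, "src": "10.0.0.5", "dst": "10.0.0.20", "dport": 445, "length": 1460},
]

if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_PACKETS)
    score, firing = infer_risk(attrs)
    print(attrs, [round(f, 3) for f in firing], round(score, 1))
```

With the constructed packets, payload_bytes is fully "large" while conn_rate of 12.5 packets/s is 0.5 "low" and only 0.0625 "high", so the "large AND low -> medium" rule dominates and the centroid lands in the mid 50s; a clearly hostile input (1460-byte payloads at 100 packets/s) fires only the "high" rule and scores about 82. Two points worth keeping when building a real rule base on this pattern: the rule bases are only as good as the attribute extraction feeding them, and a centroid over overlapping output sets compresses extreme inputs toward the middle of the scale, so thresholds on the score should be tuned against the defuzzified range actually reachable, not against 0 and 100.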