| 摘要 |
Input data is received S1 that is associated with an entity associated with a computer system (10, fig. 1), e.g. a user or device. Preferably the data includes data relating to the entitys activity on the computer system. Metrics, representative of the datas characteristics, are derived S2 from the data and may reflect usage of the computer system by the entity over time, e.g. metrics relating to network traffic. The metrics are analysed S3 using one or more models, perhaps arranged to detect different types of threat. A cyber-threat risk parameter is determined S4, S5 in accordance with the analysed metrics and a model of normal behaviour of the entity, e.g. by comparing the metrics with the model. The parameter is indicative of a likelihood of a cyber-threat, preferably the probability of such likelihood, and is preferably determined using recursive Bayesian estimation. The parameter may be compared with a threshold, possibly a moving threshold, to determine whether or not there is a threat. The model of normal behaviour may be updated in accordance with the analysed metrics. Input data associated with a second entity may also be taken into consideration. |
