
Deep Learning RNN-LSTM Models For Detecting Cyber Security Attacks, Generating Threat Patterns And Recommending Solutions

Abstract: Cyber security attacks have become prevalent and pose severe threats. Given their severe consequences, mitigating such attacks needs substantial improvement. Embodiments of the present disclosure provide systems and methods that implement deep learning (DL) models for detecting cyber security attacks, predicting new threat patterns and recommending solutions. Historical activity log data comprising activities performed by users is captured along with the associated threat patterns and the solutions provided for them, for determining cyber security attacks and for computing the remaining lifetime of machines/computer systems. Further, a DL model is trained using the historical activity log data along with the associated solutions, and the trained DL model predicts new threat patterns and provides solution(s). These solutions are validated via a feedback channel, and based on the feedback the DL model is retrained for predicting threat patterns and for protecting computer systems from further cyber attacks.


Patent Information

Application #
Filing Date
17 October 2019
Publication Number
17/2021
Publication Type
INA
Invention Field
COMPUTER SCIENCE
Status
Email
ip@legasis.in
Parent Application
Patent Number
Legal Status
Grant Date
2024-08-16
Renewal Date

Applicants

Tata Consultancy Services Limited
Nirmal Building, 9th Floor, Nariman Point, Mumbai - 400021, Maharashtra, India

Inventors

1. VIJAYAKUMAR, Senthilkumar
Tata Consultancy Services Limited, HDFC House, 29/4 & 29/5, Kamaraj Road, Coimbatore - 641018, Tamil Nadu, India
2. SOLAIMALAI PITCHAIMANI, Gowtham Kumar
Tata Consultancy Services Limited, HDFC House, 29/4 & 29/5, Kamaraj Road, Coimbatore - 641018, Tamil Nadu, India
3. SINGH, Raj Vijayraj
Tata Consultancy Services Limited, Awadh Park, 1/1, Vibhuti Khand, Gomti Nagar, Lucknow - 226010, Uttar Pradesh, India
4. NIGAM, Navneet
Tata Consultancy Services Limited, Awadh Park, 1/1, Vibhuti Khand, Gomti Nagar, Lucknow - 226010, Uttar Pradesh, India

Specification

Claims:

1. A processor implemented method comprising:
receiving, via one or more hardware processors, an input data comprising (i) historical activity log data comprising information pertaining to one or more activities performed by one or more users on one or more computer systems, and (ii) corresponding one or more threat patterns (302);
determining, via the one or more hardware processors, a presence or an absence of a cyber security attack from the received input data (304);
based on the determined presence or an absence of the cyber security attack, computing, via the one or more hardware processors, a survival percentage of the one or more computer systems based on a survival analysis being performed on the received input data (306); and
training, using the corresponding one or more threat patterns, a Deep Learning Recurrent Neural Network-Long Short Term Memory (DL RNN-LSTM) model (310).

2. The processor implemented method as claimed in claim 1, wherein the step of training, using the corresponding one or more threat patterns, a Deep Learning Recurrent Neural Network-Long Short Term Memory (DL RNN-LSTM) model comprises training the DL RNN-LSTM model using one or more associated recommended solutions.

3. The processor implemented method as claimed in claim 1, further comprising:
predicting, using the trained DL RNN-LSTM model, one or more threat patterns from at least one user; and
generating one or more recommended solutions specific to the one or more predicted threat patterns.

4. The processor implemented method as claimed in claim 3, further comprising obtaining an input comprising (i) an approval from an administrator or (ii) at least one feedback indicative of modification to the one or more generated recommended solutions.

5. The processor implemented method as claimed in claim 4, further comprising executing, based on the approval, the one or more generated recommended solutions into the one or more computer systems to refrain the one or more computer systems from subsequent cyber security attacks.

6. The processor implemented method as claimed in claim 4, further comprising:
modifying the one or more generated recommended solutions based on the at least one feedback to obtain one or more updated recommended solutions; and
executing the one or more updated recommended solutions to refrain the one or more computer systems from subsequent one or more cyber security attacks.

7. The processor implemented method as claimed in claim 6, further comprising retraining the trained DL RNN-LSTM model with the one or more updated recommended solutions for refraining from cyber security attacks and subsequent threat patterns.

8. A system (100), comprising:
a memory (102) storing instructions;
one or more communication interfaces (106); and
one or more hardware processors (104) coupled to the memory (102) via the one or more communication interfaces (106), wherein the one or more hardware processors (104) are configured by the instructions to:
receive an input data comprising (i) historical activity log data comprising information pertaining to one or more activities performed by one or more users on one or more computer systems, and (ii) corresponding one or more threat patterns;
determine a presence or an absence of a cyber security attack from the received input data;
based on the determined presence or an absence of the cyber security attack, compute a survival percentage of the one or more computer systems based on a survival analysis being performed on the received input data; and
train, using the corresponding one or more threat patterns, a Deep Learning Recurrent Neural Network-Long Short Term Memory (DL RNN-LSTM) model.

9. The system as claimed in claim 8, wherein the step of training, using the corresponding one or more threat patterns, a Deep Learning Recurrent Neural Network-Long Short Term Memory (DL RNN-LSTM) model comprises training the DL RNN-LSTM model using one or more associated recommended solutions.

10. The system as claimed in claim 8, wherein the one or more hardware processors are further configured by the instructions to:
predict, using the trained DL RNN-LSTM model, one or more threat patterns from at least one user; and
generate one or more recommended solutions specific to the one or more predicted threat patterns.

11. The system as claimed in claim 10, wherein the one or more hardware processors are further configured by the instructions to obtain an input comprising (i) an approval from an administrator or (ii) at least one feedback indicative of modification to the one or more generated recommended solutions.

12. The system as claimed in claim 11, wherein the one or more hardware processors are further configured by the instructions to execute, based on the approval, the one or more generated recommended solutions into the one or more computer systems to refrain the one or more computer systems from subsequent cyber security attacks.

13. The system as claimed in claim 11, wherein the one or more hardware processors are further configured by the instructions to:
modify the one or more generated recommended solutions based on the at least one feedback to obtain one or more updated recommended solutions; and
execute the one or more updated recommended solutions to refrain the one or more computer systems from subsequent one or more cyber security attacks.

14. The system as claimed in claim 13, wherein the one or more hardware processors are further configured by the instructions to retrain the trained DL RNN-LSTM model with the one or more updated recommended solutions for refraining from cyber security attacks and subsequent threat patterns.

Description:

FORM 2

THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENT RULES, 2003

COMPLETE SPECIFICATION
(See Section 10 and Rule 13)

Title of invention:
DEEP LEARNING RNN-LSTM MODELS FOR DETECTING CYBER SECURITY ATTACKS, GENERATING THREAT PATTERNS AND RECOMMENDING SOLUTIONS

Applicant:
Tata Consultancy Services Limited
A company Incorporated in India under the Companies Act, 1956
Having address:
Nirmal Building, 9th Floor,
Nariman Point, Mumbai 400021,
Maharashtra, India

The following specification particularly describes the invention and the manner in which it is to be performed.
TECHNICAL FIELD
[001] The disclosure herein generally relates to cyber security systems, and, more particularly, to Deep learning Recurrent Neural Network-Long Short Term Memory (DL RNN-LSTM) models for detecting cyber security attacks, generating threat patterns and recommending solutions.

BACKGROUND
[002] Cyber security attacks have become prevalent and pose severe threats against society, including its infrastructure, economy, and privacy. The number of cyber security attacks over the Internet and networks is growing exponentially every day. Given their severe consequences, mitigating such attacks needs substantial improvement. Security analytics involves leveraging security intelligence to predict security attacks and vulnerabilities based on analysis of events occurring in the system. Conventional approaches that detect malicious activity through blacklists and control access at the organization level may not be effective. Alternatively, traditional approaches have applied statistical methods to data-driven cyber security, but these may fail to predict cyber threats and may be prone to error. It is therefore pertinent to note that cyber security attacks pose a serious threat to systems and may lead to considerable loss, such as loss of important information affecting the business, and infrastructure costs and resources.

SUMMARY
[003] Embodiments of the present disclosure present technological improvements as solutions to one or more of the above-mentioned technical problems recognized by the inventors in conventional systems. For example, in one aspect, there is provided a processor implemented method for detecting cyber security attacks, generating threat patterns and recommending solutions using deep learning Recurrent Neural Network-Long Short Term Memory models. The method comprises receiving, via one or more hardware processors, an input data comprising (i) historical activity log data comprising information pertaining to one or more activities performed by one or more users on one or more computer systems, and (ii) corresponding one or more threat patterns; determining, via the one or more hardware processors, a presence or an absence of a cyber security attack from the received input data; based on the determined presence or an absence of the cyber security attack, computing, via the one or more hardware processors, a survival percentage of the one or more computer systems based on a survival analysis being performed on the received input data; and training, using the corresponding one or more threat patterns, a Deep Learning Recurrent Neural Network-Long Short Term Memory (DL RNN-LSTM) model.
[004] In an embodiment, the step of training, using the corresponding one or more threat patterns, a Deep Learning Recurrent Neural Network-Long Short Term Memory (DL RNN-LSTM) model comprises training the DL RNN-LSTM model using one or more associated recommended solutions.
[005] The method further comprises: predicting, using the trained DL RNN-LSTM model, one or more threat patterns from at least one user; and generating one or more recommended solutions specific to the one or more predicted threat patterns.
[006] In an embodiment, the method further comprises obtaining at least one of an input comprising (i) an approval from an administrator or (ii) at least one feedback indicative of modification to the one or more generated recommended solutions. Based on the approval, the one or more generated recommended solutions are executed into the one or more computer systems to refrain the one or more computer systems from subsequent cyber security attacks.
[007] In an embodiment, when the feedback is obtained, the method comprises modifying the one or more generated recommended solutions based on the at least one feedback to obtain one or more updated recommended solutions; and executing the one or more updated recommended solutions to refrain the one or more computer systems from subsequent one or more cyber security attacks.
[008] The method further comprises retraining the trained DL RNN-LSTM model with the one or more updated recommended solutions for refraining from cyber security attacks and subsequent threat patterns.
[009] In another aspect, there is provided a system for detecting cyber security attacks, generating threat patterns and recommending solutions using deep learning Recurrent Neural Network-Long Short Term Memory models. The system comprises a memory storing instructions; one or more communication interfaces; and one or more hardware processors coupled to the memory via the one or more communication interfaces, wherein the one or more hardware processors are configured by the instructions to: receive an input data comprising (i) historical activity log data comprising information pertaining to one or more activities performed by one or more users on one or more computer systems, and (ii) corresponding one or more threat patterns; determine a presence or an absence of a cyber security attack from the received input data; based on the determined presence or an absence of the cyber security attack, compute a survival percentage of the one or more computer systems based on a survival analysis being performed on the received input data; and train, using the corresponding one or more threat patterns, a Deep Learning Recurrent Neural Network-Long Short Term Memory (DL RNN-LSTM) model.
[010] In an embodiment, training, using the corresponding one or more threat patterns, a Deep Learning Recurrent Neural Network-Long Short Term Memory (DL RNN-LSTM) model comprises training the DL RNN-LSTM model using one or more associated recommended solutions.
[011] In an embodiment, the one or more hardware processors are further configured by the instructions to: predict, using the trained DL RNN-LSTM model, one or more threat patterns from at least one user; and generate one or more recommended solutions specific to the one or more predicted threat patterns.

[012] In an embodiment, the one or more hardware processors are further configured by the instructions to obtain at least one of an input comprising (i) an approval from an administrator or (ii) at least one feedback indicative of modification to the one or more generated recommended solutions. Based on the approval, the one or more generated recommended solutions are executed into the one or more computer systems to refrain the one or more computer systems from subsequent cyber security attacks.
[013] In an embodiment, when the feedback is obtained, the one or more hardware processors are further configured by the instructions to modify the one or more generated recommended solutions based on the at least one feedback to obtain one or more updated recommended solutions; and execute the one or more updated recommended solutions to refrain the one or more computer systems from subsequent one or more cyber security attacks.
[014] In an embodiment, the trained DL RNN-LSTM model is retrained with the one or more updated recommended solutions for refraining from cyber security attacks and subsequent threat patterns.
[015] In yet another aspect, there are provided one or more non-transitory machine readable information storage mediums comprising one or more instructions which when executed by one or more hardware processors cause detecting cyber security attacks, generating threat patterns and recommending solutions using deep learning Recurrent Neural Network-Long Short Term Memory models by: receiving, via one or more hardware processors, an input data comprising (i) historical activity log data comprising information pertaining to one or more activities performed by one or more users on one or more computer systems, and (ii) corresponding one or more threat patterns; determining, via the one or more hardware processors, a presence or an absence of a cyber security attack from the received input data; based on the determined presence or an absence of the cyber security attack, computing, via the one or more hardware processors, a survival percentage of the one or more computer systems based on a survival analysis being performed on the received input data; and training, using the corresponding one or more threat patterns, a Deep Learning Recurrent Neural Network-Long Short Term Memory (DL RNN-LSTM) model.
[016] In an embodiment, the step of training, using the corresponding one or more threat patterns, a Deep Learning Recurrent Neural Network-Long Short Term Memory (DL RNN-LSTM) model comprises training the DL RNN-LSTM model using one or more associated recommended solutions.
[017] The instructions which when executed by the one or more hardware processors further cause: predicting, using the trained DL RNN-LSTM model, one or more threat patterns from at least one user; and generating one or more recommended solutions specific to the one or more predicted threat patterns.
[018] In an embodiment, the instructions which when executed by the one or more hardware processors further cause obtaining at least one of an input comprising (i) an approval from an administrator or (ii) at least one feedback indicative of modification to the one or more generated recommended solutions. Based on the approval, the one or more generated recommended solutions are executed into the one or more computer systems to refrain the one or more computer systems from subsequent cyber security attacks.
[019] In an embodiment, when the feedback is obtained, the instructions which when executed by the one or more hardware processors further cause modifying the one or more generated recommended solutions based on the at least one feedback to obtain one or more updated recommended solutions; and executing the one or more updated recommended solutions to refrain the one or more computer systems from subsequent one or more cyber security attacks.
[020] The instructions which when executed by the one or more hardware processors further cause retraining the trained DL RNN-LSTM model with the one or more updated recommended solutions for refraining from cyber security attacks and subsequent threat patterns.
[021] It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.

BRIEF DESCRIPTION OF THE DRAWINGS
[022] The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate exemplary embodiments and, together with the description, serve to explain the disclosed principles:
[023] FIG. 1 depicts an exemplary block diagram of a system 100 implementing one or more Deep Learning Recurrent Neural Network-Long Short Term Memory (DL RNN-LSTM) models for detecting cyber security attacks, generating threat patterns and recommending solutions, in accordance with an embodiment of the present disclosure.
[024] FIG. 2 depicts a technology stack and architecture of the system of FIG. 1 for detecting cyber security attacks, generating threat patterns and recommending solutions using DL RNN-LSTM model(s), in accordance with an embodiment of the present disclosure.
[025] FIG. 3 depicts an exemplary flow chart for detecting cyber security attacks, generating threat patterns and recommending solutions using DL RNN-LSTM model using the system of FIG. 1 in accordance with an embodiment of the present disclosure.
[026] FIG. 4 depicts padding of Predictors and Labels, in accordance with an example embodiment of the present disclosure.
[027] FIG. 5 depicts a graphical representation illustrating Survival Analysis and Kaplan-Meier Estimate, in accordance with an embodiment of the present disclosure.
[028] FIG. 6 depicts prediction of one or more threat patterns by the trained DL RNN-LSTM model as implemented by the system of FIG. 1, in accordance with an embodiment of the present disclosure.
[029] FIG. 7 depicts recommended solution generated by the DL RNN-LSTM model as implemented by the system of FIG. 1, in accordance with an example embodiment of the present disclosure.

DETAILED DESCRIPTION OF EMBODIMENTS
[030] Exemplary embodiments are described with reference to the accompanying drawings. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. Wherever convenient, the same reference numbers are used throughout the drawings to refer to the same or like parts. While examples and features of disclosed principles are described herein, modifications, adaptations, and other implementations are possible without departing from the scope of the disclosed embodiments. It is intended that the following detailed description be considered as exemplary only, with the true scope being indicated by the following claims.
[031] As mentioned above, cyber security attacks have become prevalent and pose severe threats against society, including its infrastructure, economy, and privacy. Given their severe consequences, mitigating such attacks needs substantial improvement. Security analytics involves leveraging security intelligence to predict security attacks and vulnerabilities based on analysis of events occurring in the system. Conventional approaches that detect malicious activity through blacklists and control access at the organization level may not be effective. Alternatively, traditional approaches have applied statistical methods to data-driven cyber security, but these may fail to predict cyber threats and may be prone to error. It is therefore pertinent to note that cyber security attacks pose a serious threat to systems and may lead to considerable loss, such as loss of important information affecting the business, and infrastructure costs and resources.
[032] Real time security analytics involves leveraging a security intelligence workbench and utilizing a model to predict security attacks in near real time, including external or internal threats and vulnerabilities, based on analysis of currently occurring events in the system. Embodiments of the present disclosure provide systems and methods for predicting fraudulent activities or malicious operations happening in the system so that they can be readily detected, wherein alarms are generated, alerts are reported, and these are directed towards actions that protect the enterprise systems from malicious and cyber security threats in a seamless, autonomous fashion.
[033] Referring now to the drawings, and more particularly to FIGS. 1 through 5, where similar reference characters denote corresponding features consistently throughout the figures, there are shown preferred embodiments and these embodiments are described in the context of the following exemplary system and/or method.
[034] FIG. 1 depicts an exemplary block diagram of a system 100 implementing one or more Deep Learning Recurrent Neural Network-Long Short Term Memory (DL RNN-LSTM) models for detecting cyber security attacks, generating threat patterns and recommending solutions, in accordance with an embodiment of the present disclosure. The system 100 may also be referred to as a ‘cyber security system’, and the two terms are used interchangeably hereinafter. In an embodiment, the system 100 includes one or more hardware processors 104, communication interface device(s) or input/output (I/O) interface(s) 106 (also referred to as interface(s)), and one or more data storage devices or memory 102 operatively coupled to the one or more hardware processors 104. The one or more processors 104 may be one or more software processing components and/or hardware processors. In an embodiment, the hardware processors can be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, and/or any devices that manipulate signals based on operational instructions. Among other capabilities, the processor(s) is configured to fetch and execute computer-readable instructions stored in the memory. In an embodiment, the system 100 can be implemented in a variety of computing systems, such as laptop computers, notebooks, hand-held devices, workstations, mainframe computers, servers, a network cloud and the like.
[035] The I/O interface device(s) 106 can include a variety of software and hardware interfaces, for example, a web interface, a graphical user interface, and the like and can facilitate multiple communications within a wide variety of networks N/W and protocol types, including wired networks, for example, LAN, cable, etc., and wireless networks, such as WLAN, cellular, or satellite. In an embodiment, the I/O interface device(s) can include one or more ports for connecting a number of devices to one another or to another server.
[036] The memory 102 may include any computer-readable medium known in the art including, for example, volatile memory, such as static random access memory (SRAM) and dynamic random access memory (DRAM), and/or non-volatile memory, such as read only memory (ROM), erasable programmable ROM, flash memories, hard disks, optical disks, and magnetic tapes. In an embodiment, a database 108 is comprised in the memory 102, wherein the database 108 comprises information, for example, historical activity log data comprising information on activities performed by user(s), corresponding threat patterns, presence or absence information of cyber security attack in the activity log data, training information, trained data, survival analysis data (e.g., survival percentage details, remaining lifetime of computer system(s) that are posed with threat, etc.) and the like. In an embodiment, the memory 102 may store (or stores) one or more techniques (e.g., RNN-LSTM model, and the like). The memory 102 further comprises (or may further comprise) information pertaining to input(s)/output(s) of each step performed by the systems and methods of the present disclosure. More specifically, information pertaining to training the RNN-LSTM model with associated recommended solutions for threats identified using historical activity log data, generation/prediction of new threat patterns, recommended solutions, approval and rejection information on recommended solutions by the administrator (or system user or system operator or a system controller), retraining model information and the like, may be stored in the memory 102. In other words, input(s) fed at each step and output(s) generated at each step are comprised in the memory 102, and can be utilized in further processing and analysis.
[037] FIG. 2, with reference to FIG. 1, depicts a technology stack and architecture of the system 100 of FIG. 1 for detecting cyber security attacks, generating threat patterns and recommending solutions using DL RNN-LSTM model(s), in accordance with an embodiment of the present disclosure.
[038] FIG. 3, with reference to FIGS. 1-2, depicts an exemplary flow chart for detecting cyber security attacks, generating threat patterns and recommending solutions using DL RNN-LSTM model using the system 100 of FIG. 1 in accordance with an embodiment of the present disclosure. In an embodiment, the system(s) 100 comprises one or more data storage devices or the memory 102 operatively coupled to the one or more hardware processors 104 and is configured to store instructions for execution of steps of the method by the one or more processors 104. The steps of the method of the present disclosure will now be explained with reference to components of the system 100 of FIG. 1, the technology stack and architecture of FIG. 2, and the flow diagram as depicted in FIG. 3. At step 302 of the present disclosure, the one or more hardware processors 104 receive an input data comprising (i) historical activity log data comprising information pertaining to one or more activities performed by one or more users on one or more computer systems, and (ii) corresponding one or more threat patterns. In the present disclosure, the historical activity log data and the corresponding one or more threat patterns may be received (or collected) from various (telemetry) sources, for example, but not limited to, security endpoint devices (FireEye, Palo Alto, BlueCoat, etc.), machine generated logs (AD, app/web server, firewall, VPN, etc.), intrusion detection systems (IDS) such as Suricata, Snort, etc., network data (PCAP (packet capture), network, Bro, etc.) and threat intelligence feeds (Soltra, OpenTAXII, third party feeds, etc.) for the analysis and training of the model. The historical activity log data and the corresponding one or more threat patterns (or the security log files) may be consolidated from the various data sources in a text file format and stored in the database 108 comprised in the memory 102 to get a holistic view of the security log data corpus for further processing. For instance, the historical activity log data and the corresponding threat patterns may be pre-processed using Metron pre-processing and enrichment technique(s), in one example embodiment. The pre-processing technique may be applied on the above data (historical activity log data and the corresponding one or more threat patterns) for removal of missing values/data, and text pre-processing may be performed to remove or eliminate stop words, special character(s), and the like, as depicted in FIG. 2.
[039] In other words, the description below describes the pre-processing technique(s) as implemented by the systems and methods of the present disclosure:
[040] Dataset Preparation and Dataset Cleaning: In dataset preparation, the foremost step is to cleanse the log file, which is a text corpus, and bring it to the desired format for training the DL RNN-LSTM model. The first step in text cleaning involves removal of punctuation and special characters and lower-casing the words in the server logs. The text data may contain directory structures and command execution histories, and differentiating the sequence of patterns between fair and malicious activities in computer system/server and firewall logs helps the security analyst/system 100 to examine and troubleshoot the events. Example: /root/usr/Desktop/Serverlogs (sequence 1: the attacker accessing the directory to change permissions) and /home/JohnDoe/Desktop/Serverlogs/ufwlog (the next sequence after the first, in which the attacker tries to access the firewall log directory of a particular user). These security logs present in the Data Lake® (database 108 comprised in the memory 102) are leveraged and preprocessed for training the Deep Learning model (also referred to as the DL RNN-LSTM model).
[041] Generating Sequence of N-gram Tokens: A language model is a statistical, analytical model capable of predicting the probability of each word given an input sequence of text. Language modelling requires a sequence of input data: given a sequence (of words/tokens), the aim is to predict the next word/token of the sequence. The next preprocessing step is tokenization, which is the process of extracting tokens (terms/words) from a text corpus. To perform tokenization, Keras® is leveraged by the embodiments of the present disclosure and its system 100. Keras® is an open source neural network library that has an inbuilt module for tokenization, which can be used to obtain tokens and their indices in the corpus. Each word is encoded with an index, and this index is the position to activate in the respective one-hot vector array. After this preprocessing, every text document in the dataset is converted into a sequence of tokens, for example /Serverlogs /ufwlog (an N-gram) and the respective sequence of tokens for 2-gram words, which is the desired format for training the model.
[042] Padding the Sequences: After the Tokenization process the dataset has been converted to sequences of tokens, and it is possible that different sequences have different lengths. Before training the DL RNN-LSTM model, the sequences need to be padded so that their lengths are equal. To input this data into a learning model, N-gram sequences are created as predictors and the next word of the N-gram as the label, as shown in FIG. 4. More specifically, FIG. 4, with reference to FIGS. 1-3, depicts padding of Predictors and Labels, in accordance with an example embodiment of the present disclosure. The many-words-to-many-words context helps to train the model by indicating which sequence of words (our predictors X) leads to the final word (our label Y); the input vector X and the label vector Y can then be used for supervised training. Recent developments and experiments have shown that Recurrent Neural Networks (RNN) perform well in sequence-to-sequence learning and generation on text data applications. The memory state in RNNs gives an advantage over traditional Neural Networks, but a problem called Vanishing Gradient is associated with them. In this problem, while learning with a large number of layers, it becomes really hard for the network to learn and tune the parameters of the earlier layers. To address this problem, a type of RNN called Long Short Term Memory (LSTM) has been developed, which is discussed in the later part of the present disclosure.
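The preprocessing of paragraphs [040]-[042] carried through on constructed log lines, as an added example that is not part of the disclosure: cleaning, tokenization, N-gram sequence generation, pre-padding and the split into predictors X and labels Y. It is a pure-Python stand-in for the Keras Tokenizer and pad_sequences calls the disclosure relies on; the two sample paths are constructed, not real logs.

```python
"""Server-log text -> padded N-gram sequences for next-token prediction.
Added example (not the disclosure's code); SAMPLE_LOGS is constructed."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: two path-style entries of the kind described in [040].
SAMPLE_LOGS = [
    "/root/usr/Desktop/Serverlogs",
    "/home/JohnDoe/Desktop/Serverlogs/ufwlog",
]


def clean_text(line: str) -> List[str]:
    """Lower-case and drop punctuation/special characters, returning word tokens.
    Path separators count as punctuation, so each path component becomes a token."""
    return re.sub(r"[^a-z0-9]+", " ", line.lower()).split()


def build_vocab(docs: List[List[str]]) -> Dict[str, int]:
    """Word -> index, most frequent first (ties keep first-seen order).
    Index 0 is reserved for padding, as the Keras Tokenizer does."""
    counts = Counter(tok for doc in docs for tok in doc)
    ordered = sorted(counts, key=lambda w: -counts[w])  # sorted() is stable
    return {word: i + 1 for i, word in enumerate(ordered)}


def ngram_sequences(indices: List[int]) -> List[List[int]]:
    """Every prefix of length >= 2; the last index of each is the word to predict."""
    return [indices[:n] for n in range(2, len(indices) + 1)]


def pad_sequences(seqs: List[List[int]], maxlen: int) -> List[List[int]]:
    """Pre-pad with 0 so every row has exactly maxlen entries."""
    return [[0] * (maxlen - len(s)) + s for s in seqs]


def one_hot(labels: List[int], num_classes: int) -> List[List[int]]:
    """Activate the position given by each label's index in a vector of num_classes."""
    return [[1 if j == y else 0 for j in range(num_classes)] for y in labels]


def logs_to_training_data(lines: List[str]) -> Tuple[List[List[int]], List[int], Dict[str, int]]:
    """Full pipeline: returns predictors X, integer labels Y and the vocabulary."""
    docs = [clean_text(line) for line in lines]
    vocab = build_vocab(docs)
    seqs = [s for doc in docs for s in ngram_sequences([vocab[t] for t in doc])]
    maxlen = max(len(s) for s in seqs)
    padded = pad_sequences(seqs, maxlen)
    X = [row[:-1] for row in padded]   # predictors: all but the last token
    Y = [row[-1] for row in padded]    # label: the token to predict
    return X, Y, vocab


if __name__ == "__main__":
    X, Y, vocab = logs_to_training_data(SAMPLE_LOGS)
    index_to_word = {i: w for w, i in vocab.items()}
    for x, y in zip(X, Y):
        context = [index_to_word.get(i, "<pad>") for i in x]
        print(f"{context} -> {index_to_word[y]}")
```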
[043] At step 304 of the present disclosure, the one or more hardware processors 104 are configured to determine a presence or an absence of a cyber security attack from the received input data. The presence or absence is determined based on analysis of irregular data patterns and the like, wherein anomalies may be observed. In other words, the consolidated data is processed through Apache Metron®, a cyber-security application framework that provides system(s) the ability to ingest, process and store diverse security data feeds at scale in order to detect cyber anomalies and enable systems/users to rapidly respond to them.
[044] At step 306 of the present disclosure, the one or more hardware processors 104 are configured to compute a survival percentage of the one or more computer systems based on a survival analysis performed on the received input data. The survival percentage is computed based on the determined presence or absence of the cyber security attack, in one embodiment of the present disclosure. The system 100 implements Apache Metron® for performing survival analysis and for computing the survival percentage of the computer system(s) under threat. Firstly, Apache Metron® (comprised in the memory 102) is executed (or invoked for execution) to process the input data, wherein the system checks for any anomalies in the threat patterns and one or more alarms are flagged, as depicted in FIG. 2.
[045] Below is an exemplary pseudo code illustrating the calculation/computation of the survival percentage of computer system(s)/machine(s) after the attack is identified (or the threat pattern is predicted):
Pseudo code for calculation/computation of survival percentage of computer system(s)/machine(s):
1. Import all necessary Python packages
2. Define the webhook URL for the Slack connection
3. Import the cyber attack log data for the calculation
4. For each record in the attack log:
a. Calculate the duration value based on the date of the attack
b. End for
5. Define the Kaplan–Meier function for fitting the model
6. Fit the attack log data with the model to calculate the survival percentage of the machine
7. For each survival estimate:
a. Find the maximum survival value for the survival percentage
b. End for
8. Make a connection with Slack and send the survival percentage alert to the chat group
9. Export the survival data to a file (e.g., a spreadsheet file)
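The pseudo code above carried through in pure Python, as an added example that is not the disclosure's code: durations are derived from a constructed attack log, the Kaplan-Meier estimate is written out instead of calling a library, the result is turned into a Slack webhook payload and a Table 1 style CSV. SLACK_WEBHOOK_URL is a placeholder read from the environment, and nothing is sent unless it is set.

```python
"""Kaplan-Meier survival percentage of machines under a sequence of attacks.
Added example; ATTACK_LOG is constructed and SLACK_WEBHOOK_URL is a placeholder."""
import csv
import json
import os
import urllib.request
from datetime import datetime
from typing import Dict, List, Tuple

SLACK_WEBHOOK_URL = os.environ.get("SLACK_WEBHOOK_URL", "")  # placeholder, never hard-coded

# Constructed attack log: per machine, when it was first seen under attack, its last
# observed event, and whether that event was a compromise (event=1) or the machine
# was still up when observation ended (event=0, i.e. a censored observation).
ATTACK_LOG = [
    {"machine": "srv-01", "first": "2019-10-17T00:00:00", "last": "2019-10-17T08:00:00", "event": 0},
    {"machine": "srv-02", "first": "2019-10-17T00:00:00", "last": "2019-10-17T13:00:00", "event": 1},
    {"machine": "srv-03", "first": "2019-10-17T00:00:00", "last": "2019-10-17T13:00:00", "event": 1},
    {"machine": "srv-04", "first": "2019-10-17T00:00:00", "last": "2019-10-17T23:00:00", "event": 1},
    {"machine": "srv-05", "first": "2019-10-17T00:00:00", "last": "2019-10-18T00:00:00", "event": 1},
    {"machine": "srv-06", "first": "2019-10-17T00:00:00", "last": "2019-10-18T00:00:00", "event": 0},
    {"machine": "srv-07", "first": "2019-10-17T00:00:00", "last": "2019-10-18T06:00:00", "event": 0},
    {"machine": "srv-08", "first": "2019-10-17T00:00:00", "last": "2019-10-18T06:00:00", "event": 0},
    {"machine": "srv-09", "first": "2019-10-17T00:00:00", "last": "2019-10-18T06:00:00", "event": 0},
    {"machine": "srv-10", "first": "2019-10-17T00:00:00", "last": "2019-10-18T06:00:00", "event": 0},
]


def durations_from_log(log: List[dict]) -> List[Tuple[float, int]]:
    """Step 4: hours from first attack to last event, paired with the event flag."""
    observations = []
    for row in log:
        first = datetime.fromisoformat(row["first"])
        last = datetime.fromisoformat(row["last"])
        observations.append(((last - first).total_seconds() / 3600.0, int(row["event"])))
    return observations


def kaplan_meier(observations: List[Tuple[float, int]]) -> List[Tuple[float, float]]:
    """Steps 5-6: Kaplan-Meier estimate S(t) on the timeline of distinct observed times.

    S(t) = prod over t_i <= t of (1 - d_i / n_i), with d_i compromises at t_i and n_i
    machines still at risk just before t_i. Censored machines leave the risk set
    without lowering S(t), so a censored-only time keeps the previous value.
    """
    survival = 1.0
    timeline = [(0.0, survival)]
    for t in sorted({duration for duration, _ in observations}):
        at_risk = sum(1 for duration, _ in observations if duration >= t)
        compromises = sum(1 for duration, event in observations if duration == t and event)
        if compromises:
            survival *= 1.0 - compromises / at_risk
        timeline.append((t, survival))
    return timeline


def survival_percentage(timeline: List[Tuple[float, float]]) -> float:
    """Step 7: remaining survival after the last observed event, in percent."""
    return round(timeline[-1][1] * 100.0, 2)


def build_slack_alert(percent: float, timeline: List[Tuple[float, float]]) -> Dict[str, str]:
    """Step 8: incoming-webhook payload; 'text' is the message body Slack renders."""
    last_hour = timeline[-1][0]
    return {"text": (f"[Alert 2] Survival percentage after the last attack "
                     f"(hour {last_hour:g}): {percent:.2f}%")}


def post_to_slack(payload: Dict[str, str], url: str = SLACK_WEBHOOK_URL) -> bool:
    """Send the alert; returns False without any network call when no URL is set."""
    if not url:
        return False
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status == 200


def export_csv(timeline: List[Tuple[float, float]], path: str) -> int:
    """Step 9: write the Table 1 style timeline; returns the number of rows written."""
    with open(path, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["Timeline of events", "KM_estimate"])
        writer.writerows(timeline)
    return len(timeline)


if __name__ == "__main__":
    tl = kaplan_meier(durations_from_log(ATTACK_LOG))
    pct = survival_percentage(tl)
    for hour, est in tl:
        print(f"{hour:>6g} {est:.6f}")
    print(build_slack_alert(pct, tl)["text"])
    if not post_to_slack(build_slack_alert(pct, tl)):
        print("SLACK_WEBHOOK_URL not set; alert not sent")
```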
[046] After the sequence of attacks has been alarmed, the transformed data together with the flags are identified as "Labels" for survival censored events and for supervised training of the DL RNN-LSTM model. Survival analysis is performed to compute/calibrate the survival percentage (or the remaining lifetime) of the computer system(s) after a sequence of security attacks. For instance, the survival percentage could be calibrated after a first attack (at the first attack at the 13th hour the survival percentage is, say, 99%) and may depreciate during consecutive attacks (at the last attack at the 24th hour the survival percentage is, say, 39%), which helps to take the necessary mitigation measures (say Action 1) against the security attack. The remaining lifetime and survival of the system after the last attack is 39%, as shown in Table 1 below.
Table 1: Survival Percentage Estimate/Computation
Timeline of events    KM_estimate
0                     1
8                     1
13                    0.993769
23                    0.856097

[047] Here, the systems and methods of the present disclosure leverage the Kaplan-Meier Fitter, a non-parametric statistic used to estimate the survival function from lifetime data, shown in the graphical representation of FIG. 5. More specifically, FIG. 5, with reference to FIGS. 1-4, depicts a graphical representation illustrating Survival Analysis and the Kaplan-Meier Estimate, in accordance with an embodiment of the present disclosure. This yields a survival percentage indicating how long a particular machine (or computer system) will survive after consecutive active security attacks that distort its life; cyber security events are labelled as censored observations. The Kaplan-Meier estimate of the survival over time associated with normal and attack situations is shown in FIG. 5. The survival curve as depicted in FIG. 5 can be created assuming various events of attacks (censored observations). This involves computing the probability of the event occurring at a certain point in time and multiplying these successive probabilities by any earlier computed probabilities to get the final estimate. This can be calculated between the events of attacks, along with the statistical difference in their survivals.
[048] In the present disclosure, this has been integrated with Slack, a cloud-based set of proprietary team collaboration tools and services, where the survival percentage of the machine after the security attack may be communicated to a team of users through a real-time notification from the webhooks of the backend system. Through this notification, proactive measures can be taken on the cyber security attack {Alert 2}, which is mentioned in the architecture depicted in FIG. 2: the team can discuss the issue, avoid compromising the system through a security breach, and mitigate the attack on time to meet the security service-level agreement (SLA).
[049] At step 308 of the present disclosure, the one or more hardware processors 104 are configured by the instructions to train, using the corresponding one or more threat patterns, a Deep Learning Recurrent Neural Network-Long Short Term Memory (DL RNN-LSTM) model. In the present disclosure, the training of the DL RNN-LSTM model comprises training the DL RNN-LSTM model using one or more associated solutions that were recommended for the threat patterns obtained from the input data (which is the historical input data of step 302). The description below illustrates the Design and Development of the LSTM Model as implemented by the system 100 of FIGS. 1-2 of the present disclosure.
[050] The core concepts of LSTMs are the cell state and its various gates. The cell state acts as a transport highway that transfers relative information all the way down the sequence chain, and can be thought of as the "memory" of the network. The cell state, in theory, can carry relevant information throughout the processing of the sequence, so even information from earlier time steps can make its way to later time steps, reducing the effects of short-term memory. As the cell state goes on its journey, information gets added to or removed from the cell state via gates. The gates are different neural networks that decide which information is allowed on the cell state. The gates can learn what information is relevant to keep or forget during training on sequences.
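The gate and cell-state update rules of a standard LSTM cell, written out as an added illustration of the paragraph above (the notation is the usual one and is not taken from the disclosure): $x_t$ is the input at time step $t$, $h_{t-1}$ the previous hidden state, $C_{t-1}$ the previous cell state, $\sigma$ the logistic sigmoid and $\odot$ element-wise multiplication.

$$
\begin{aligned}
f_t &= \sigma(W_f [h_{t-1}, x_t] + b_f) && \text{(forget gate: what to drop from } C_{t-1}\text{)} \\
i_t &= \sigma(W_i [h_{t-1}, x_t] + b_i) && \text{(input gate: what to add)} \\
\tilde{C}_t &= \tanh(W_C [h_{t-1}, x_t] + b_C) && \text{(candidate cell content)} \\
C_t &= f_t \odot C_{t-1} + i_t \odot \tilde{C}_t && \text{(cell state: the memory highway)} \\
o_t &= \sigma(W_o [h_{t-1}, x_t] + b_o) && \text{(output gate)} \\
h_t &= o_t \odot \tanh(C_t) && \text{(hidden state fed to the softmax layer)}
\end{aligned}
$$

Because $C_t$ is updated additively, the gradient flowing along the cell state is scaled by the learned $f_t$ rather than being pushed repeatedly through a squashing nonlinearity, which is how the LSTM limits the vanishing-gradient problem noted in [042].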
[051] LSTMs have an additional state called the 'cell state' through which the network makes adjustments in the information flow; the advantage of this state is that the model can remember or forget what it has learnt more selectively. This remembering-or-forgetting technique helps to remember sequences/patterns with higher weighted importance and forget patterns with lesser importance. In the LSTM architecture, the system 100 has used a total of three layers for the next-sequence prediction/generative model.
a) Input Layer: Takes the sequence of words as input.
b) Bidirectional LSTM Layer: Computes the output using LSTM units and learns the previous and future context of a sequence.
c) Dropout Layer: A regularization layer which randomly turns off the activations of some neurons in the LSTM layer. It helps in preventing overfitting. (Optional layer.)
d) Activation: Softmax is used to find the most likely category (word); "Softmax" is used as the activation function and "categorical_crossentropy" as the loss function.
e) Output Layer: Computes the probability of the best possible next word (Pattern/Sequence) as output.
[052] Once the LSTM model is designed, it is optimized to fit the model for validation and testing in production.
a) Adam Optimizer: Adam is a replacement optimization algorithm for stochastic gradient descent for training Deep Learning models.
b) Sparse Categorical Cross Entropy: Cost/loss function for multi-class classification where the target outputs are integer indices instead of one-hot encoded vectors.
c) ModelCheckpoints: To save the optimal weights each time accuracy improves, in Python pickle or hdf5 file formats.
d) EarlyStopping: To stop training when the validation accuracy does not increase for 4 consecutive times.
e) Model Deployment: The model's optimized weights are saved in Python pickle or hdf5 file formats to deploy the trained model in production, so that the reloaded model predicts the next sequence of security attack {Alert 3}, which is sent as a webhook notification to Slack as shown in FIG. 6, in the production environment using the history of previous sequences of patterns tried by the hackers. More specifically, FIG. 6, with reference to FIGS. 1 through 4, depicts prediction of one or more threat patterns by the trained DL RNN-LSTM model as implemented by the system 100 of FIG. 1, in accordance with an embodiment of the present disclosure. In other words, the system 100 predicts, using the trained DL RNN-LSTM model, one or more threat patterns from at least one user (who poses a threat).
[053] Below is an exemplary pseudo code illustrating the Deep Learning model for sequence/threat pattern prediction (or threat pattern generation) based on activity log data:
Pseudo code for threat pattern prediction:
1. Import the log values of the sequence of patterns as a txt file
2. Convert the text to lower case
3. Map unique characters to integers and build the reverse mapping
4. For each position in the input text:
a. Convert the input text to input/output pairs encoded as integers
b. End for
5. Reshape, normalize and apply one-hot encoding to the input data
6. Each word is encoded with an index (encoding)
7. Train the DL RNN-LSTM model with the sequence of words (predictors X) leading to the final word (label Y); the input vector X and the label vector Y are used for the supervised training
8. Define an LSTM model with 5 layers (1 input, 3 hidden and 1 output layer) with SOFTMAX as the activation function
9. Load the pre-trained model weight file for the sequence prediction
10. Compile the model with categorical_crossentropy as the loss function and adam as the optimiser
11. For each prediction step:
a. Predict the sequence of characters with the model weight file using the pattern logs
b. End for
12. For each generated character:
a. Process the generated characters into the proper sequence
b. End for
[054] Further, upon predicting or generating new threat patterns as depicted in FIG. 5, the system 100 or the DL RNN-LSTM model generates one or more recommended solutions specific to the one or more predicted threat patterns. Quite often the dimension of time and the complex sequence of pattern occurrence play a dominant role in generating a relevant recommendation. In which sequence do the patterns occur? How frequently has the same sequence occurred, and in which order? What are the different combinations of sequences? Traditional recommenders often neglect the dimension of the precise combination of sequences completely. This means that many traditional recommenders find, for each user attack pattern, a latent representation based on the user's historical attack patterns without any notion of recency or sequence of the attack patterns. To overcome this and incorporate this kind of contextual information about attack patterns, sequence-based recommenders were designed and implemented by the embodiments of the present disclosure and its systems (e.g., system 100, which comprises a recommender, not shown in FIGS), leveraging models based on RNNs and LSTM. Below is the process overview of the DL RNN-LSTM model for recommending a solution for the next predicted pattern.
a. Embedding layers which map solution ids to dense vectors.
b. The data for training the recommendation model (or recommender) is vast, with a history containing the list of patterns, sequences and the solutions implemented by the security analysts in the past.
c. Pattern/solution representations which use the embedding layers to calculate latent representations and the score for a pattern/solution pair.
d. Models which take the pattern/solution representations and combinations, and train and optimize the LSTM network.
e. The model's optimized weights are saved in Python pickle or hdf5 file formats to deploy the trained model in production. The reloaded DL model {2}, which recommends the solutions and fixes for the next sequence of attack predicted by DL Model {1} in the production environment, is illustrated in FIG. 6. Finally the DL RNN-LSTM model (or retrained DL RNN-LSTM model) recommends the solution/fix for the pattern predicted by the previous DL model. More specifically, FIG. 7, with reference to FIGS. 1 through 6, depicts the recommended solution generated by the DL RNN-LSTM model as implemented by the system 100 of FIG. 1, in accordance with an example embodiment of the present disclosure.
[055] Once the system 100 or the DL RNN-LSTM model generates the one or more recommended solutions, an approval or feedback on the generated solutions may be obtained from a user such as a system administrator. Embodiments of the present disclosure implement this by integrating a Slack channel with the system 100. The description below illustrates the Slack integration:
[056] Slack Integration {Action 1}: An automation integration leveraged through Slack, where the survival percentage {Alert 2} of the machine's deterioration status after consecutive attacks, the next possible pattern prediction and the solution recommendation generated through the DNN models {Alert 3} are sent to a Slack channel as webhook notifications. All security analysts (e.g., the system administrator) get a real-time notification from the analytical system, and the administrator can discuss the issue with others, make a decision, mitigate the attack and avoid compromising the system on time from the security vulnerability. In the Slack channel, say a Security Analyst Leader may be given super user permissions with two control options, "Approve" and "Reject" buttons, to accept or reject the fix recommended by the DL RNN-LSTM model. This gives the senior security analyst control to validate the model's prediction and recommendation of fixes to be deployed, and to apply the fix automatically through the Jenkins workflow as depicted in FIG. 2. More specifically, an input comprising (i) an approval from an administrator or (ii) at least one feedback indicative of a modification to the one or more generated recommended solutions may be obtained.
[057] Jenkins Automation {Action 2}: In Continuous Integration (CI), developers frequently integrate their code into a common repository. Rather than building features in isolation and submitting each of them at the end of the cycle, they continuously build software work products several times on any given day. Continuous Delivery (CD) aims to automate the software delivery process to enable easy and assured deployments into production at any time. CI/CD processes are followed to give the security analyst real-time notifications and control to deploy the code seamlessly and track the build in less time, bringing down the time to react and the cost of deployments compared with traditional methods, and also outperforming traditional deployment methods.
[058] Referring back to the input comprising an approval or at least one feedback: if the approval is obtained, the one or more generated recommended solutions are executed on the one or more computer systems to refrain the one or more computer systems from subsequent cyber security attacks. For instance, if the senior analyst "approves" the request (for the generated recommended solutions to be implemented on computer systems where there is a possible threat), then Slack automatically triggers a Jenkins build, which starts the Jenkins build workflow (refer to FIG. 2). Jenkins uses the scripts from the Github repository, which contains the solution fix scripts for all the solutions recommended by the DL RNN-LSTM model, to be deployed to overcome the security attack.
[059] In case there is feedback, such as a recommendation from an analyst to modify the recommended solution, the system 100 utilizes the solution recommended by the analyst, and the same is executed on the computer system that may have a future threat based on the predicted threat pattern. Alternatively, the one or more generated recommended solutions are updated based on the at least one feedback to obtain one or more updated recommended solutions, and the one or more updated recommended solutions may be executed on the computer systems that may have possible threats, to refrain the one or more computer systems from subsequent cyber security attacks. In other words, if the senior analyst "rejects" the request by suggesting a different solution, then the pattern predicted by the DL RNN-LSTM model is rejected, the new recommendation by the analyst may be considered as feedback to the DL RNN-LSTM model, and the new recommendation by the analyst is pushed for retraining the Deep Learning network, so that the model is self-evolving and learns new patterns and recommendations to make in future. In other words, when recommended solutions are provided by the analyst, the DL RNN-LSTM model may be retrained with the analyst-provided recommended solutions for refraining from cyber security attacks and subsequent threat patterns.
[060] Below is an exemplary pseudo code illustrating the Deep Learning RNN-LSTM model that recommends generated solutions for execution on computer systems that are, or possibly are, under threat, and the fixing of solutions thereof:
Pseudo code for fixing solutions recommended for predicted threat patterns:
1. Tokenise the predicted sequence from the deep learning model
2. Define a 3-layer LSTM model (1 input, 1 hidden and 1 output layer) with SOFTMAX as the activation function
3. Compile the model with categorical_crossentropy as the loss function and adam as the optimiser
4. Load the pre-trained model weight file for the solution recommendation
5. Predict the solution recommendation for the new sequence predicted by the DL model
6. For each predicted solution:
a. Decode the predicted solution from the model
b. End for
7. Connect to the Slack channel and push the new sequence and the solution recommendation to the Slack channel for approval and the further automation workflow.
[061] Systems and methods of the present disclosure implement a DL RNN-LSTM model that analyses real-time data, past data and localized considerations, and provides valuable insights to decision makers for monitoring security threats and vulnerabilities. The model is created based on new data sources and provides enhanced threat detection capability with self-evolving capabilities to detect, generate/predict patterns, recommend solutions, and automate the security process to deploy the security fixes.
[062] The written description describes the subject matter herein to enable any person skilled in the art to make and use the embodiments. The scope of the subject matter embodiments is defined by the claims and may include other modifications that occur to those skilled in the art. Such other modifications are intended to be within the scope of the claims if they have similar elements that do not differ from the literal language of the claims or if they include equivalent elements with insubstantial differences from the literal language of the claims.
[063] It is to be understood that the scope of the protection is extended to such a program and in addition to a computer-readable means having a message therein; such computer-readable storage means contain program-code means for implementation of one or more steps of the method, when the program runs on a server or mobile device or any suitable programmable device. The hardware device can be any kind of device which can be programmed including e.g. any kind of computer like a server or a personal computer, or the like, or any combination thereof. The device may also include means which could be e.g. hardware means like e.g. an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a combination of hardware and software means, e.g. an ASIC and an FPGA, or at least one microprocessor and at least one memory with software processing components located therein. Thus, the means can include both hardware means and software means. The method embodiments described herein could be implemented in hardware and software. The device may also include software means. Alternatively, the embodiments may be implemented on different hardware devices, e.g. using a plurality of CPUs.
[064] The embodiments herein can comprise hardware and software elements. The embodiments that are implemented in software include but are not limited to, firmware, resident software, microcode, etc. The functions performed by various components described herein may be implemented in other components or combinations of other components. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that can comprise, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
[065] The illustrated steps are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope of the disclosed embodiments. Also, the words “comprising,” “having,” “containing,” and “including,” and other similar forms are intended to be equivalent in meaning and be open ended in that an item or items following any one of these words is not meant to be an exhaustive listing of such item or items, or meant to be limited to only the listed item or items. It must also be noted that as used herein and in the appended claims, the singular forms “a,” “an,” and “the” include plural references unless the context clearly dictates otherwise.
[066] Furthermore, one or more computer-readable storage media may be utilized in implementing embodiments consistent with the present disclosure. A computer-readable storage medium refers to any type of physical memory on which information or data readable by a processor may be stored. Thus, a computer-readable storage medium may store instructions for execution by one or more processors, including instructions for causing the processor(s) to perform steps or stages consistent with the embodiments described herein. The term “computer-readable medium” should be understood to include tangible items and exclude carrier waves and transient signals, i.e., be non-transitory. Examples include random access memory (RAM), read-only memory (ROM), volatile memory, nonvolatile memory, hard drives, CD ROMs, DVDs, flash drives, disks, and any other known physical storage media.
[067] It is intended that the disclosure and examples be considered as exemplary only, with a true scope of disclosed embodiments being indicated by the following claims.
