Abstract: The present disclosure provides a machine learning-based cyber threat detection and response system, comprising a computing device to gather data from a system event log, a network traffic log, and user behavior patterns, and to receive new incoming data; a remote server to acquire the gathered data and new incoming data from the computing device; perform preprocessing on the acquired data and generate the processed data, wherein the preprocessing comprises steps selected from a group consisting of data imputation, data scaling, categorical variable encoding of data, and handling of missing values; analyze the processed data by implementing supervised learning techniques and unsupervised learning techniques to develop a machine learning model for detecting cyber threats; apply the developed machine learning model to the acquired new incoming data to identify a cybersecurity threat; and initiate a predetermined response protocol upon detection of the cybersecurity threat to counter the detected cybersecurity threat.
Description
Field of the Invention
Generally, the present disclosure relates to cybersecurity systems. Particularly, the present disclosure relates to a machine learning-based cyber threat detection and response system.
Background
The background description includes information that may be useful in understanding the present invention. It is not an admission that any of the information provided herein is prior art or relevant to the presently claimed invention, or that any publication specifically or implicitly referenced is prior art.
In recent years, the importance of cybersecurity in the digital era has become paramount, with organizations across the globe facing an increasing number of cyber threats which jeopardize the integrity, confidentiality, and availability of their information systems. Such threats originate from a variety of sources and employ sophisticated techniques to exploit vulnerabilities in information systems. To mitigate such risks, cybersecurity measures are continuously being developed and refined. One of the core strategies in improving cybersecurity defenses comprises the detection of and response to cyber threats, which has evolved significantly with the improvement of techniques.
One approach which has been widely recognized comprises the utilization of system event logs, network traffic logs, and user behavior patterns to monitor and analyze potential security threats. Such logs provide a wealth of information about the activities within an information system, making them invaluable for identifying unusual or malicious behavior. However, the sheer volume and complexity of the data pose a challenge for traditional analysis methods, often leading to delays in threat detection and response.
To address said challenges, machine learning techniques have been applied to improve the efficiency and accuracy of cyber threat detection systems. Machine learning involves the development of techniques which can learn from and make predictions or decisions based on data. In particular, supervised and unsupervised learning techniques are employed to develop models capable of identifying cyber threats based on patterns and anomalies in the data. Supervised learning techniques rely on labeled datasets to learn and make predictions, whereas unsupervised learning techniques detect patterns and anomalies in unlabeled datasets.
Despite the advantages offered by machine learning in cybersecurity, the process of developing effective machine learning models is complex. Effective machine learning models require the careful preprocessing of data, which comprises steps such as data imputation, scaling, encoding of categorical variables, and handling of missing values. The said preprocessing steps are important for ensuring the quality and reliability of the data fed into the machine learning techniques, directly impacting the effectiveness of the cyber threat detection system.
Moreover, the implementation of a machine learning-based cyber threat detection system necessitates the establishment of a robust response protocol. Upon detection of a cybersecurity threat, the system must be capable of initiating predetermined actions to counter the threat, thereby mitigating potential damage. The development and integration of such a response protocol are important for the overall effectiveness of the cyber threat detection system, ensuring that timely and appropriate actions are taken against detected threats.
Furthermore, the improvement in machine learning-based cyber threat detection and response systems also comprises the acquisition and preprocessing of new incoming data. This aspect is vital for the continuous improvement and adaptation of the machine learning model, allowing the model to stay effective against evolving cyber threats. The ability to apply the developed machine learning model to new incoming data and accurately identify cybersecurity threats is essential for maintaining the security posture of an organization.
In light of the above discussion, there exists an urgent need for solutions which overcome the problems associated with conventional systems and techniques for detecting and responding to cyber threats.
All publications herein are incorporated by reference to the same extent as if each individual publication or patent application were specifically and individually indicated to be incorporated by reference. Where a definition or use of a term in an incorporated reference is inconsistent or contrary to the definition of that term provided herein, the definition of that term provided herein applies and the definition of that term in the reference does not apply.
In some embodiments, the numbers expressing quantities of ingredients, properties such as concentration, reaction conditions, and so forth, used to describe and claim certain embodiments of the invention are to be understood as being modified in some instances by the term “about.” Accordingly, in some embodiments, the numerical parameters set forth in the written description and attached claims are approximations that can vary depending upon the desired properties sought to be obtained by a particular embodiment. In some embodiments, the numerical parameters should be construed in light of the number of reported significant digits and by applying ordinary rounding techniques. Notwithstanding that the numerical ranges and parameters setting forth the broad scope of some embodiments of the invention are approximations, the numerical values set forth in the specific examples are reported as precisely as practicable. The numerical values presented in some embodiments of the invention may contain certain errors necessarily resulting from the standard deviation found in their respective testing measurements.
As used in the description herein and throughout the claims that follow, the meaning of “a,” “an,” and “the” includes plural reference unless the context clearly dictates otherwise. Also, as used in the description herein, the meaning of “in” includes “in” and “on” unless the context clearly dictates otherwise.
The recitation of ranges of values herein is merely intended to serve as a shorthand method of referring individually to each separate value falling within the range. Unless otherwise indicated herein, each individual value is incorporated into the specification as if it were individually recited herein. All methods described herein can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. The use of any and all examples, or exemplary language (e.g. “such as”) provided with respect to certain embodiments herein is intended merely to better illuminate the invention and does not pose a limitation on the scope of the invention otherwise claimed. No language in the specification should be construed as indicating any non-claimed element essential to the practice of the invention.
Groupings of alternative elements or embodiments of the invention disclosed herein are not to be construed as limitations. Each group member can be referred to and claimed individually or in any combination with other members of the group or other elements found herein. One or more members of a group can be included in, or deleted from, a group for reasons of convenience and/or patentability. When any such inclusion or deletion occurs, the specification is herein deemed to contain the group as modified thus fulfilling the written description of all Markush groups used in the appended claims.
Summary
An objective of the present disclosure is to improve cybersecurity measures by efficiently detecting and responding to cyber threats through machine learning techniques. The system/method disclosed herein aims to gather data from various sources, including system event logs, network traffic, and user behavior patterns, to develop a robust machine learning model for identifying cybersecurity threats and initiating effective response protocols.
In an aspect, the present disclosure provides a machine learning-based cyber threat detection and response system which comprises a computing device configured to gather data from a system event log, a network traffic log, and user behavior patterns. The computing device also receives new incoming data. A remote server acquires both the gathered data and new incoming data from the computing device, performs preprocessing on the acquired data to generate processed data, and analyzes the processed data using both supervised and unsupervised learning techniques to develop a machine learning model. The machine learning model is applied to new incoming data to identify cybersecurity threats. Upon detection of a threat, the system initiates a predetermined response protocol to counter the detected threat.
The system/method provides significant advantages, including improved detection of cyber threats through the analysis of various data sources and the application of machine learning models. The predetermined response protocol enables swift and effective countermeasures against identified threats, thus mitigating potential damage. Furthermore, the system/method facilitates continuous improvement of the machine learning model through feedback mechanisms, ensuring adaptability and ongoing improvement of cybersecurity measures.
Various objects, features, aspects and advantages of the inventive subject matter will become more apparent from the following detailed description of preferred embodiments, along with the accompanying drawing figures in which like numerals represent like components.
Brief Description of the Drawings
The summary above, as well as the following detailed description of illustrative embodiments, is better understood when read in conjunction with the appended drawings. For the purpose of illustrating the present disclosure, exemplary constructions of the disclosure are shown in the drawings. However, the present disclosure is not limited to the specific methods and instrumentalities disclosed herein. Moreover, those skilled in the art will understand that the drawings are not to scale. Wherever possible, like elements have been indicated by identical numbers.
Embodiments of the present disclosure will now be described, by way of example only, with reference to the following diagrams wherein:
FIG. 1 illustrates a block diagram of a machine learning-based cyber threat detection and response system, in accordance with the embodiments of the present disclosure.
FIG. 2 illustrates a method flow for cyber threat detection and response within a machine learning-based system, in accordance with the embodiments of the present disclosure.
FIG. 3 illustrates a flowchart outlining a systematic process followed by a machine learning-based cyber threat detection and response system, in accordance with the embodiments of the present disclosure.
In the accompanying drawings, a number in parentheses is employed to represent an item over which the number in parentheses is positioned or an item to which the number in parentheses is adjacent. A number not in parentheses relates to an item identified by a line linking the number not in parentheses to the item. When a number is not in parentheses and accompanied by an associated arrow, the number not in parentheses is used to identify a general item at which the arrow is pointing.
Detailed Description
The following detailed description illustrates embodiments of the present disclosure and ways in which they can be implemented. Although some modes of carrying out the present disclosure have been disclosed, those skilled in the art would recognise that other embodiments for carrying out or practising the present disclosure are also possible.
The description set forth below in connection with the appended drawings is intended as a description of certain embodiments of a machine learning-based cyber threat detection and response system and is not intended to represent the only forms that may be developed or utilised. The description sets forth the various structures and/or functions in connection with the illustrated embodiments; however, it is to be understood that the disclosed embodiments are merely exemplary of the disclosure that may be embodied in various and alternative forms. The figures are not necessarily to scale; some features may be exaggerated or minimised to show details of particular components. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a representative basis for teaching one skilled in the art to variously employ the present invention.
While the disclosure is susceptible to various modifications and alternative forms, specific embodiment thereof has been shown by way of example in the drawings and will be described in detail below. It should be understood, however, that it is not intended to limit the disclosure to the particular forms disclosed, but on the contrary, the disclosure is to cover all modifications, equivalents, and alternatives falling within the scope of the disclosure.
The terms “comprise”, “comprises”, “comprising”, “include(s)”, or any other variations thereof, are intended to cover a non-exclusive inclusion, such that a setup or system that comprises a list of components or steps does not include only those components or steps but may include other components or steps not expressly listed or inherent to such setup or system. In other words, one or more elements in a system or apparatus preceded by “comprises... a” does not, without more constraints, preclude the existence of other elements or additional elements in the system or apparatus.
In the following detailed description of the embodiments of the disclosure, reference is made to the accompanying drawings and which are shown by way of illustration specific embodiments in which the disclosure may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the disclosure, and it is to be understood that other embodiments may be utilized and that changes may be made without departing from the scope of the present disclosure. The following description is, therefore, not to be taken in a limiting sense.
The present disclosure will be described herein below with reference to the accompanying drawings. In the following description, well known functions or constructions are not described in detail since they would obscure the description with unnecessary detail.
The term "machine learning-based cyber threat detection and response system/ system" as used throughout the present disclosure relates to a specialized system configured to identify and counteract cyber threats through the application of machine learning techniques. The machine learning-based cyber threat detection and response system encompasses various components comprising a computing device and a remote server, each fulfilling distinct roles in the detection and response process. Herein, throughout the present disclosure “machine learning-based cyber threat detection and response system” or “system” means the same.
The term "computing device" as used throughout the present disclosure relates to an electronic device configured to execute a series of operations comprising gathering data from multiple sources such as system event logs, network traffic logs, and user behavior patterns. Furthermore, the computing device is equipped to receive new incoming data pertinent to the machine learning-based cyber threat detection and response system operations and potential security threats. Optionally, the computing device may also process the gathered data to a preliminary extent before transmission to the remote server for further analysis.
The term "remote server" as used throughout the present disclosure relates to a server situated remotely from the computing device, tasked with receiving both gathered and new incoming data from the computing device. The remote server performs preprocessing on the received data, which comprises steps such as data imputation, data scaling, categorical variable encoding, and handling of missing values, to generate processed data. Subsequently, the processed data is analyzed through the implementation of both supervised and unsupervised learning techniques, facilitating the development of a machine learning model aimed at detecting cyber threats. Upon identifying a cybersecurity threat through the application of the developed machine learning model to new incoming data, the remote server initiates a predetermined response protocol configured to counter the detected cybersecurity threat. Optionally, the remote server may update the machine learning model based on feedback from the threat detection and response process to improve future threat detection capabilities.
An exemplary application of the machine learning-based cyber threat detection and response system comprises its deployment in corporate networks, where the system continuously monitors for anomalous activities which could indicate a cyberattack. Upon detection of such activities, the system could automatically initiate countermeasures such as isolating affected network segments, alerting system administrators, or directly addressing the threat through automated scripts configured to neutralize the attack.
The components of the system provide improved cybersecurity threat detection through the application of machine learning techniques, enabling the system to adapt to new and evolving threats. Furthermore, the integration of both supervised and unsupervised learning techniques provides for the analysis of diverse data sources, improving the accuracy of threat detection. The initiation of a predetermined response protocol upon threat detection facilitates immediate action against cyber threats, thereby reducing damage to the system.
FIG. 1 illustrates a block diagram of a machine learning-based cyber threat detection and response system, in accordance with the embodiments of the present disclosure. The depicted embodiment showcases a machine learning-based cyber threat detection and response system (100), which comprises two main components as indicated: a computing device (102) and a remote server (104), interconnected via a network. The computing device (102) is responsible for executing operations which comprise the gathering of data from system event logs, network traffic logs, and user behavior patterns. Additionally, the computing device (102) is configured to receive new incoming data which may be pertinent to the identification and analysis of cybersecurity threats. Optionally, the computing device (102) may perform preliminary analyses to discern patterns or anomalies before forwarding the data to the remote server (104) for more in-depth processing.
The remote server (104) is tasked with acquiring both the gathered data and new incoming data from the computing device (102). The remote server (104) performs a series of preprocessing operations on the acquired data, which comprise but are not limited to data imputation, data scaling, categorical variable encoding, and the handling of missing values. The preprocessing steps are important for preparing the data for subsequent analysis and for ensuring that the data is in an optimal format for machine learning techniques. The processed data then undergoes rigorous analysis through both supervised and unsupervised learning techniques to develop a robust machine learning model capable of detecting cyber threats. Upon the identification of a potential cybersecurity threat by applying the developed machine learning model to the new incoming data, the remote server (104) initiates a predetermined response protocol. The predetermined response protocol is configured to counteract the detected cybersecurity threat effectively. The predetermined response protocol may comprise, but is not limited to, isolating the affected system, blocking suspicious network traffic, or alerting system administrators. Optionally, the remote server (104) may incorporate mechanisms to learn from the detected threats and responses to continually refine the machine learning model, thus improving its threat detection capabilities over time.
The system (100) provides streamlined data processing for improved threat detection, the application of machine learning for improved cybersecurity, and proactive response measures to mitigate potential threats. The system (100) enables a cohesive cybersecurity solution by integrating the functions of data collection, processing, threat analysis, and response initiation into a single framework.
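As an added illustration (not code from the patent), the four preprocessing steps the remote server (104) is described as performing, applied to a handful of constructed session records in plain Python; the field names, median imputation and min-max scaling are assumptions, since the disclosure does not specify them.

```python
# Added example, not the patent's code: preprocessing constructed session records
# through missing-value handling, imputation, scaling and categorical encoding.
from statistics import median

# Constructed sample records as the computing device (102) might forward them.
# None marks a missing value; "src_ip" is treated as a key field that cannot be imputed.
RAW_RECORDS = [
    {"src_ip": "10.0.0.5", "bytes": 1200.0, "duration": 3.0, "proto": "tcp", "failed_logins": 0},
    {"src_ip": "10.0.0.7", "bytes": None, "duration": 5.0, "proto": "udp", "failed_logins": 1},
    {"src_ip": "10.0.0.9", "bytes": 980000.0, "duration": 240.0, "proto": "tcp", "failed_logins": 12},
    {"src_ip": None, "bytes": 50.0, "duration": 1.0, "proto": "icmp", "failed_logins": 0},
    {"src_ip": "10.0.0.5", "bytes": 4300.0, "duration": None, "proto": "tcp", "failed_logins": 2},
]
NUMERIC = ["bytes", "duration", "failed_logins"]
CATEGORICAL = ["proto"]
REQUIRED = ["src_ip"]


def drop_incomplete(records, required):
    """Handling of missing values: discard records missing a key field that cannot be imputed."""
    return [r for r in records if all(r.get(k) is not None for k in required)]


def impute(records, numeric):
    """Data imputation: fill missing numeric fields with the column median (robust to outliers)."""
    medians = {}
    for col in numeric:
        present = [r[col] for r in records if r[col] is not None]
        medians[col] = median(present) if present else 0.0
    filled = [{**r, **{c: (r[c] if r[c] is not None else medians[c]) for c in numeric}} for r in records]
    return filled, medians


def fit_scaler(records, numeric):
    """Data scaling: per-column min and max for min-max scaling into [0, 1]."""
    return {c: (min(r[c] for r in records), max(r[c] for r in records)) for c in numeric}


def scale_value(value, lo, hi):
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def fit_encoder(records, categorical):
    """Categorical variable encoding: sorted vocabulary per column for one-hot encoding."""
    return {c: sorted({r[c] for r in records}) for c in categorical}


def to_vector(record, scaler, encoder, numeric, categorical):
    """Processed feature vector for one record: scaled numerics, then one-hot categoricals."""
    vec = [scale_value(record[c], *scaler[c]) for c in numeric]
    for c in categorical:
        vec.extend(1.0 if record[c] == cat else 0.0 for cat in encoder[c])
    return vec


def preprocess(records):
    """Full pipeline: missing-value handling -> imputation -> scaling -> encoding."""
    kept = drop_incomplete(records, REQUIRED)
    imputed, medians = impute(kept, NUMERIC)
    scaler = fit_scaler(imputed, NUMERIC)
    encoder = fit_encoder(imputed, CATEGORICAL)
    vectors = [to_vector(r, scaler, encoder, NUMERIC, CATEGORICAL) for r in imputed]
    return vectors, medians, scaler, encoder


if __name__ == "__main__":
    vecs, meds, sc, enc = preprocess(RAW_RECORDS)
    for r, v in zip(drop_incomplete(RAW_RECORDS, REQUIRED), vecs):
        print(r["src_ip"], [round(x, 3) for x in v])
```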
In an embodiment, the remote server (104) is engaged in continuous monitoring of network activities within the cyber threat detection and response system (100). The continuous monitoring process comprises the observation of network transactions and the identification of cybersecurity threats. Additionally, the remote server (104) does not stop at threat detection; it also feeds information regarding detected threats and the responses of the system (100) to those threats back into the machine learning model. This feedback loop is essential for the iterative improvement of the model. By incorporating data from actual network activities and responses to threats, the machine learning model is constantly updated. This continuous refinement process enables the model to dynamically adjust to new and evolving cyber threats, significantly improving the ability of the remote server (104) to predict and identify potential security breaches accurately. As a result, the system (100) becomes more effective over time at detecting and responding to cyber threats, providing a high level of security and protection against a wide range of cyber-attacks.
In another embodiment, the machine learning model utilized by the remote server (104) within the cyber threat detection and response system (100) incorporates supervised learning techniques, specifically selected from support vector machines (SVM), decision trees, or random forests. The adoption of these varied techniques plays a vital role in the ability of the model to analyze processed data. Each of these supervised learning techniques brings a unique approach to pattern recognition and classification, making the model adept at identifying intricate patterns which signify potential cybersecurity threats.
Support vector machines (SVM) are effective for classifying data into categories, making them invaluable for distinguishing between benign activities and potential threats. Decision trees contribute by mapping out the decision paths based on the data attributes, which can simplify the complex decision-making process involved in threat detection. Random forests, an ensemble of decision trees, offer improved accuracy and robustness by aggregating the predictions from multiple decision trees to decide on the most probable classification. The utilization of these diverse supervised learning techniques enriches the machine learning model with a robust and versatile toolkit for threat detection. Supervised learning techniques improve the efficiency of the system (100) in identifying cybersecurity threats and significantly improve its adaptability to various types of cyber-attacks, providing a stronger security posture.
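An added example, not the applicant's code, of one of the supervised techniques named above: a small CART-style decision tree trained on constructed, already-processed feature vectors labelled benign or malicious. The features, labels and depth limit are assumed for illustration.

```python
# Added example, not the patent's code: a binary decision tree (Gini impurity,
# threshold splits) learned from labelled, preprocessed feature vectors.

# Constructed training set: [failed_logins_scaled, bytes_out_scaled, off_hours]
# with label 1 = malicious, 0 = benign.
TRAIN = [
    ([0.00, 0.05, 0.0], 0), ([0.05, 0.10, 0.0], 0), ([0.10, 0.08, 1.0], 0),
    ([0.02, 0.20, 0.0], 0), ([0.08, 0.15, 0.0], 0), ([0.01, 0.02, 1.0], 0),
    ([0.90, 0.10, 1.0], 1), ([0.85, 0.05, 0.0], 1), ([0.10, 0.95, 1.0], 1),
    ([0.15, 0.90, 1.0], 1), ([0.95, 0.92, 0.0], 1), ([0.05, 0.85, 1.0], 1),
]


def gini(labels):
    """Gini impurity of a list of 0/1 labels; 0.0 means the set is pure."""
    n = len(labels)
    if n == 0:
        return 0.0
    p = sum(labels) / n
    return 1.0 - p * p - (1 - p) * (1 - p)


def best_split(rows):
    """Return (feature, threshold, score) minimizing the weighted Gini of the two sides."""
    best = (None, None, float("inf"))
    n = len(rows)
    for f in range(len(rows[0][0])):
        values = sorted({x[f] for x, _ in rows})
        for lo, hi in zip(values, values[1:]):      # candidate thresholds: midpoints
            t = (lo + hi) / 2
            left = [y for x, y in rows if x[f] <= t]
            right = [y for x, y in rows if x[f] > t]
            score = (len(left) * gini(left) + len(right) * gini(right)) / n
            if score < best[2]:
                best = (f, t, score)
    return best


def majority(rows):
    """Leaf label; a tie is resolved toward malicious (1), the conservative choice."""
    labels = [y for _, y in rows]
    return 1 if sum(labels) * 2 >= len(labels) else 0


def build_tree(rows, depth=0, max_depth=3):
    """Recursively split until the node is pure, the depth limit is hit, or no split helps."""
    labels = [y for _, y in rows]
    if gini(labels) == 0.0 or depth >= max_depth:
        return {"leaf": majority(rows)}
    f, t, _ = best_split(rows)
    if f is None:
        return {"leaf": majority(rows)}
    left = [r for r in rows if r[0][f] <= t]
    right = [r for r in rows if r[0][f] > t]
    if not left or not right:
        return {"leaf": majority(rows)}
    return {"feature": f, "threshold": t,
            "left": build_tree(left, depth + 1, max_depth),
            "right": build_tree(right, depth + 1, max_depth)}


def predict(tree, x):
    """Walk from the root to a leaf following the threshold tests."""
    while "leaf" not in tree:
        tree = tree["left"] if x[tree["feature"]] <= tree["threshold"] else tree["right"]
    return tree["leaf"]


def accuracy(tree, rows):
    return sum(predict(tree, x) == y for x, y in rows) / len(rows)


if __name__ == "__main__":
    model = build_tree(TRAIN)
    print(model)
    print("training accuracy:", accuracy(model, TRAIN))
    print("new session:", predict(model, [0.88, 0.12, 1.0]))
```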
In a further embodiment, the remote server (104) of the cyber threat detection and response system (100) employs unsupervised learning techniques, notably clustering methods like k-means and hierarchical clustering, for analyzing data. Unlike supervised learning, which relies on labeled data for training, unsupervised learning processes data without predefined categories or labels, making unsupervised learning particularly suited for detecting new or unknown cybersecurity threats.
Clustering techniques organize data into clusters based on similarity measures, with k-means partitioning data into k distinct clusters and hierarchical clustering building a tree of clusters. This clustering capability is vital for identifying unusual patterns or anomalies in the data which may signify emerging cyber threats. Since emerging cyber threats do not always fit into known categories or match previously identified attack patterns, the ability of the system to cluster similar data points allows the remote server (104) to uncover potential threats which have not been labeled or encountered before. By applying unsupervised learning techniques, the system (100) improves its adaptability and responsiveness, enabling it to effectively address a broader spectrum of cybersecurity threats. This threat detection approach ensures that the system (100) remains vigilant against both known and emerging threats, thereby maintaining a high level of security and protection for the network it monitors.
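An added example, not the applicant's code, of the k-means clustering described above used to surface sessions that do not fit any dense cluster of ordinary behaviour; the feature vectors, the farthest-first seeding and the two anomaly rules (sparse cluster, far from centroid) are assumptions.

```python
# Added example, not the patent's code: k-means over processed feature vectors,
# then flagging records that land in sparse clusters or far from their centroid.
import math

# Constructed, already-scaled vectors [bytes_scaled, failed_logins_scaled]:
# two dense groups of ordinary sessions plus one outlying session.
SESSIONS = {
    "s01": [0.10, 0.00], "s02": [0.12, 0.05], "s03": [0.08, 0.02], "s04": [0.11, 0.01],
    "s05": [0.50, 0.10], "s06": [0.52, 0.12], "s07": [0.48, 0.08], "s08": [0.51, 0.11],
    "s09": [0.95, 0.98],  # large transfer after many failed logins: unusual
}


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def farthest_first_init(points, k):
    """Deterministic seeding: the first point, then repeatedly the point farthest from all centers."""
    centers = [points[0]]
    while len(centers) < k:
        centers.append(max(points, key=lambda p: min(euclid(p, c) for c in centers)))
    return centers


def kmeans(points, k, max_iter=100):
    """Lloyd's algorithm: assign each point to its nearest center, recompute centers, repeat until stable."""
    centers = farthest_first_init(points, k)
    labels = [None] * len(points)
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda j: euclid(p, centers[j])) for p in points]
        if new_labels == labels:
            break
        labels = new_labels
        for j in range(k):
            members = [p for p, l in zip(points, labels) if l == j]
            if members:
                centers[j] = [sum(col) / len(members) for col in zip(*members)]
    return labels, centers


def flag_anomalies(sessions, k=3, min_cluster_size=2, distance_factor=3.0):
    """Flag sessions in sparse clusters, or far from their centroid relative to the cluster's mean spread."""
    ids = list(sessions)
    points = [sessions[i] for i in ids]
    labels, centers = kmeans(points, k)
    sizes = {j: labels.count(j) for j in range(k)}
    flagged = {}
    for i, p, l in zip(ids, points, labels):
        reason = None
        if sizes[l] < min_cluster_size:
            reason = "sparse_cluster"
        else:
            members = [q for q, m in zip(points, labels) if m == l]
            mean_d = sum(euclid(q, centers[l]) for q in members) / len(members)
            if mean_d > 0 and euclid(p, centers[l]) > distance_factor * mean_d:
                reason = "far_from_centroid"
        if reason:
            flagged[i] = reason
    return flagged


if __name__ == "__main__":
    print(flag_anomalies(SESSIONS))
```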
In yet another embodiment, the cyber threat detection and response system (100), upon identifying a cybersecurity threat through the remote server (104), triggers a predetermined response protocol. The predetermined response protocol is a series of predefined actions considered to immediately mitigate the impact of the threat on the system (100) and system data. The actions comprise isolating the affected system to prevent the spread of the threat, blocking suspicious network traffic to halt further unauthorized access, and alerting system administrators to provide human oversight and intervention.
Isolating the affected system helps to contain the threat, limiting threat to inflict damage on broader network segments. Blocking suspicious traffic acts as a barrier, stopping the flow of harmful data which could exacerbate the situation. Alerting system administrators enables a swift response, allowing for a more nuanced and informed approach to addressing the threat based on threat nature and severity.
Implementing the predetermined response protocol is vital for maintaining the security, integrity, and confidentiality of the system (100) and system data. By taking immediate and appropriate action, the system (100) minimizes the risk and impact of cybersecurity threats, providing a robust defense mechanism is in place to protect against and respond to potential security breaches. The dynamic and reactive strategy underscores approach of the system (100) to cybersecurity management.
In an additional embodiment, the cyber threat detection and response system (100) is improved by integrating a data storage unit within the remote server (104). The data storage unit addition plays a pivotal role in operational efficiency of the system (100) by enabling the storage of historical data, which encompasses past incidents, threat patterns, and response outcomes. The accumulation of such data is instrumental in refining the machine learning model which lies at the core of the system (100). The presence of a data storage unit facilitates the creation of a dataset, which train and continuously improve the machine learning model. The process of continuously improving the machine learning model is crucial for adapting the model to the evolving landscape of cybersecurity threats. By analyzing historical data, the model learns to identify subtle patterns and indicators of potential threats, improving predictive accuracy and reliability of model.
Moreover, the stored historical data allows for retrospective analyses, which can uncover insights and trends which were not previously apparent. Therefore, retrospective analyses contribute to a more robust and nuanced understanding of cybersecurity threats, enabling the system (100) to anticipate and mitigate potential attacks more effectively. Overall, the inclusion of a data storage unit enriches capabilities of the system (100), providing the machine learning model which remains dynamic and evolves in response to new information. Further, embodiment underscores the importance of historical data in improving the accuracy and efficacy of cyber threat detection and response mechanisms.
In a subsequent embodiment, the cyber threat detection and response system (100) structures a predetermined response protocol which, beyond immediate threat mitigation actions, comprises the generation of forensic reports upon the detection of cybersecurity threats. Forensic reports are instrumental in conducting a thorough investigation and analysis of each identified threat. Forensic reports provide detailed insights into the nature of the threat, together with threat origin, the methods threat employed, threats behavior within the system (100), and the extent of threats impact.
The ability to generate forensic reports is a critical component of the system’s (100) broader security strategy. Forensic reports go beyond the mere identification and neutralization of threats by adding a layer of post-incident analysis which is essential for learning from each attack. By dissecting the anatomy of a threat, security teams can uncover vulnerabilities which were exploited, understand the sequence of events leading to the breach, and identify the data or assets which were compromised. Such in-depth understanding enables the formulation of more effective strategies to prevent similar attacks in the future, thereby improving the resilience of the system (100) against cyber threats. Forensic reports generation also aids in compliance with regulatory requirements by documenting incidents and responses, which is vital for legal and audit purposes. Overall, the generation of forensic reports enriches capability of the system (100) to respond to threats and to evolve the system (100) defenses based on empirical evidence and strategic analysis.
In another embodiment, the cyber threat detection and response system (100) incorporates a sophisticated response strategy by activating deception mechanisms upon the detection of a cybersecurity threat. Deception mechanisms are considered to mislead and confuse attackers, essentially serving as digital decoys which mimic valuable system resources or data. A common form of such a deception technique is the use of honeypots, which are systems or segments of the network which appear vulnerable and attractive to attackers but are closely monitored and isolated from actual critical assets.
The strategic deployment of honeypots and similar deception mechanisms plays a dual role in cybersecurity defense. Additionally, deception mechanisms protect critical system assets by diverting attackers towards the decoy targets, thereby reducing the risk of direct attacks on sensitive or essential data and infrastructure. further, deception mechanisms provide a unique opportunity to observe attacker behavior in a controlled environment, allowing the system (100) administrators and security teams to gather valuable intelligence on attack methods, strategies, and even the identity of the attackers. Additionally, the system (100) intelligence can be analyzed to further refine and strengthen security measures of the system (100), improving the system (100) resilience against future attacks. Additionally, the insights gained from interactions can contribute to broader cybersecurity knowledge, aiding in the development of more effective defense strategies and technologies. By incorporating deception mechanisms into predetermined response protocol, the system (100) mitigates immediate threats and improves the system (100) long-term security posture through strategic learning and adaptation.
In a further embodiment, the cyber threat detection and response system (100) incorporates a strategic component within its predetermined response protocol which prioritizes detected cybersecurity threats based on threat impact and urgency. Such an approach ensures that not all threats are treated equally; instead, prioritizing detected cybersecurity threats allows for a nuanced response which allocates resources and attention according to the severity of each threat. By categorizing threats in terms of their potential damage and the immediacy with which each threat must be addressed, the system (100) can effectively focus its efforts on neutralizing the most dangerous threats first.
The prioritization mechanism is crucial for efficient resource management, especially in environments where security resources may be limited. The prioritization mechanism ensures that the most critical vulnerabilities are secured and the threats with the highest potential for harm are mitigated first, thereby minimizing the overall risk to the system (100). Such a targeted response improves the effectiveness of the security measures of the system (100) and ensures that lesser threats do not divert attention away from more severe risks. Implementing a threat prioritization protocol within the response strategy of the system (100) improves the resilience of the system (100) against attacks by providing a clear stance towards cybersecurity management. Such a strategic approach to threat management bolsters the defenses of the system (100), making the system (100) more adept at safeguarding against and responding to cybersecurity challenges in a dynamic threat landscape.
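As an added illustration that is not part of the disclosure, the following Python sketch scores each detection by impact and urgency, orders the detections, splits them by available responder capacity, and maps each one to the protocol actions named in the disclosure (alerting administrators, blocking traffic, isolating the affected system). The ordinal scales, the Threat fields and the sample detections are assumptions.

```python
from dataclasses import dataclass

# Constructed ordinal scales; the disclosure names only "impact" and "urgency" as criteria.
IMPACT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
URGENCY = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Threat:
    ident: str    # constructed detection id
    kind: str     # what the model flagged
    impact: str   # potential damage if left unaddressed
    urgency: str  # how soon it must be addressed
    asset: str    # affected system component


def priority_score(t: Threat) -> int:
    """Impact dominates and urgency breaks ties, so a critical-impact threat
    always outranks a high-impact one regardless of urgency."""
    return IMPACT[t.impact] * len(URGENCY) + URGENCY[t.urgency]


def response_actions(t: Threat) -> list:
    """Map a detection to the protocol actions: every detection is surfaced to a human,
    higher-impact or urgent ones also get traffic blocked, critical ones are isolated."""
    actions = ["alert_admins"]
    if IMPACT[t.impact] >= IMPACT["high"] or URGENCY[t.urgency] == URGENCY["high"]:
        actions.append("block_traffic")
    if t.impact == "critical":
        actions.append("isolate_system")
    return actions


def prioritize(threats, capacity):
    """Order detections highest score first (stable for ties) and split them into the
    ones handled now and the ones queued, given limited responder capacity."""
    ordered = sorted(threats, key=priority_score, reverse=True)
    return ordered[:capacity], ordered[capacity:]


# Constructed detections for demonstration only.
DETECTIONS = [
    Threat("d1", "port_scan", "low", "low", "dmz-web-01"),
    Threat("d2", "ransomware_indicator", "critical", "high", "file-srv-02"),
    Threat("d3", "brute_force_login", "medium", "high", "vpn-gw"),
    Threat("d4", "data_exfiltration", "high", "medium", "db-03"),
    Threat("d5", "malware_beacon", "high", "high", "hr-laptop-17"),
]

if __name__ == "__main__":
    now, later = prioritize(DETECTIONS, capacity=2)
    for t in now:
        print(t.ident, priority_score(t), response_actions(t))
    print("queued:", [t.ident for t in later])
```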
FIG. 2 illustrates a method flow for cyber threat detection and response within a machine learning-based system (100), in accordance with the embodiments of the present disclosure. The method outlines a detailed approach for cyber threat detection and response within a machine learning-based system (100), emphasizing a structured sequence of operations aimed at improving cybersecurity measures. The process begins in a step (202) with the systematic collection of data from a variety of sources, specifically system event logs, network traffic logs, and patterns of user behavior, through a computing device (102). The step (202) is fundamental in creating a dataset which reflects the multifaceted aspects of network and system usage, thereby providing a rich basis for subsequent analysis.
The method continues in step (204) with the computing device (102) receiving new incoming data. The step (204) is vital for maintaining the relevance and effectiveness of the system (100), as it ensures that the analysis incorporates the most current information, facilitating the timely detection of potential threats. Following the accumulation of both historical and current data, in step (206) the accumulated data is transferred to a remote server (104). Further, in step (208) the data undergoes a series of preprocessing activities. Preprocessing is a critical phase which comprises data imputation to fill in missing values, data scaling to normalize the range of data values, encoding of categorical variables to transform non-numeric data into a machine-readable format, and the handling of missing values to improve data quality. The aforementioned steps are essential for preparing the data for accurate and effective analysis by addressing common issues which could otherwise compromise the integrity of the machine learning model.
With the data suitably processed, in step (210) the remote server (104) applies both supervised and unsupervised learning techniques to analyze the threat data. The use of supervised learning techniques, such as support vector machines or decision trees, relies on pre-labeled datasets to train the model to recognize known patterns of cybersecurity threats. On the other hand, unsupervised learning techniques, like clustering, explore the data to identify fresh or previously unnoticed patterns without the need for labeled examples. The dual supervised and unsupervised learning approach enables the system (100) to detect known threats and to uncover new, emerging threats based on anomalous data patterns in step (212). Upon identifying a cybersecurity threat in step (214) through the application of the developed machine learning model to the new incoming data, the remote server (104) activates a predetermined response protocol. The predetermined response protocol comprises predefined actions designed to mitigate the threat, such as isolating the affected system components, blocking suspicious network traffic, or alerting system administrators for further investigation. The initiation of the response protocol is an important step in the method, as it represents the active defense mechanism of the system (100) against identified threats, aiming to minimize damage and preserve the security and integrity of the system (100) and its data.
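The following Python example, added here and not taken from the disclosure, walks steps (208) to (214) on constructed log records: it fits imputation, min-max scaling and one-hot encoding on the historical data only, trains a nearest-centroid classifier (a minimal stand-in for the SVM or decision tree) and a two-cluster k-means with a novelty radius, then labels each new record as a known threat, an anomaly, or benign. The field names, sample values and the novelty-radius rule are assumptions.

```python
import math
from statistics import median

# Constructed labelled history (1 = threat, 0 = benign); None marks a missing value.
HISTORICAL = [
    {"failed_logins": 0, "bytes_out": 1200, "proto": "tcp", "label": 0},
    {"failed_logins": 1, "bytes_out": 900, "proto": "tcp", "label": 0},
    {"failed_logins": 0, "bytes_out": None, "proto": "udp", "label": 0},
    {"failed_logins": 2, "bytes_out": 1500, "proto": "tcp", "label": 0},
    {"failed_logins": 25, "bytes_out": 50, "proto": "tcp", "label": 1},
    {"failed_logins": 30, "bytes_out": 80, "proto": "tcp", "label": 1},
    {"failed_logins": 18, "bytes_out": None, "proto": "tcp", "label": 1},
]
# Constructed new incoming records (step 204): normal login, brute-force burst, odd transfer.
NEW = [
    {"failed_logins": 1, "bytes_out": 1000, "proto": "tcp"},
    {"failed_logins": 28, "bytes_out": 60, "proto": "tcp"},
    {"failed_logins": 3, "bytes_out": 9000, "proto": "icmp"},
]
NUMERIC, CATEGORICAL = ("failed_logins", "bytes_out"), ("proto",)

def fit_preprocessor(records):
    """Step 208: learn medians, ranges and vocabularies from training data only (no leakage)."""
    p = {"median": {}, "range": {}, "cats": {}}
    for col in NUMERIC:
        vals = [r[col] for r in records if r[col] is not None]
        p["median"][col], p["range"][col] = median(vals), (min(vals), max(vals))
    for col in CATEGORICAL:
        p["cats"][col] = sorted({r[col] for r in records})
    return p

def transform(r, p):
    """Impute, min-max scale, one-hot encode; an unseen category encodes as all zeros."""
    vec = []
    for col in NUMERIC:
        v = p["median"][col] if r[col] is None else r[col]
        lo, hi = p["range"][col]
        vec.append((v - lo) / (hi - lo) if hi > lo else 0.0)
    for col in CATEGORICAL:
        vec.extend(1.0 if r[col] == c else 0.0 for c in p["cats"][col])
    return vec

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
def centroid(vectors):
    return [sum(col) / len(vectors) for col in zip(*vectors)]

def train_supervised(X, y):
    """Nearest-centroid classifier: a minimal stand-in for the SVM/decision tree of step 210."""
    return {lab: centroid([x for x, l in zip(X, y) if l == lab]) for lab in set(y)}
def predict_supervised(model, x):
    return min(model, key=lambda lab: dist(x, model[lab]))

def train_kmeans(X, iters=20):
    """Unsupervised side of step 210: 2-means, plus the largest training distance as novelty radius."""
    cents = [list(X[0]), list(X[-1])]  # deterministic seeding keeps the result reproducible
    for _ in range(iters):
        groups = [[] for _ in cents]
        for x in X:
            groups[min(range(len(cents)), key=lambda i: dist(x, cents[i]))].append(x)
        cents = [centroid(g) if g else c for g, c in zip(groups, cents)]
    return {"centroids": cents, "radius": max(min(dist(x, c) for c in cents) for x in X)}
def is_novel(km, x):
    return min(dist(x, c) for c in km["centroids"]) > km["radius"]

def verdict(sup, km, x):
    """Steps 212/214: a labelled pattern wins, then novelty, else benign."""
    if predict_supervised(sup, x) == 1:
        return "known_threat"
    return "anomaly" if is_novel(km, x) else "benign"

def run_pipeline(historical, new_records):
    """Steps 208-214; any verdict other than 'benign' would trigger the response protocol."""
    p = fit_preprocessor(historical)
    X, y = [transform(r, p) for r in historical], [r["label"] for r in historical]
    sup, km = train_supervised(X, y), train_kmeans(X)
    return [verdict(sup, km, transform(r, p)) for r in new_records]
```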
FIG. 3 illustrates a flowchart outlining the systematic process followed by a machine learning-based cyber threat detection and response system, in accordance with the embodiments of the present disclosure. Initially, the process begins with the computing device (102), which performs data collection. The computing device (102) is responsible for gathering a vast array of data from a system event log, a network traffic log, and user behavior patterns. Additionally, the computing device (102) receives new incoming data which may be indicative of cybersecurity threats. Once the data is collected, the data is sent to a remote server (104) where data preprocessing takes place. The server (104) acquires both the historical and the newly incoming data from the computing device (102) and subjects the data to a variety of preprocessing steps. Such steps, chosen from a group which comprises data imputation, scaling, encoding of categorical variables, and managing missing values, prepare the data for the subsequent analysis.
Following preprocessing, the remote server (104) engages in the training of the machine learning model. The machine learning model analyzes the processed data using both supervised and unsupervised learning techniques, which enable the development of an intricate model which can detect a range of cyber threats with increasing accuracy. With the machine learning model developed, the system (100) progresses to threat detection. The remote server (104) applies the model to the new incoming data to identify any cybersecurity threats. Upon successful detection of a threat, the system (100) activates a predetermined response protocol to counteract the identified threat.
The flow of steps concludes with continuous monitoring, which is an essential part of the process. Continuous monitoring allows the system (100) to iteratively improve by using the responses and actions taken against detected threats as feedback, further refining the machine learning model and its threat detection capabilities. Through said cyclical process, the system (100) provides a robust defense against and an effective response to cyber threats, thereby safeguarding the network it protects.
Throughout the present disclosure, the term “computing device” relates to an electronic device, including but not limited to, a cellular phone, a smart phone, a personal digital assistant (PDA), a handheld device, a wireless modem, a laptop, a computer, a server, a personal computer, a work station, a mobile terminal, a subscriber station, a remote station, a user terminal, a terminal, a subscriber unit, an access terminal, a wearable computer, a wearable computing device, a smart watch, etc. The computing device may include a casing, a memory, a processor, a network interface card, a microphone, a speaker, a keypad, and a display.
Throughout the present disclosure, the term ‘processing means’ or ‘microprocessor’ or ‘processor’ or ‘processors’ includes, but is not limited to, a microprocessor, a microcontroller, a complex instruction set computing (CISC) microprocessor, a reduced instruction set (RISC) microprocessor, a very long instruction word (VLIW) microprocessor, or any other type of processing circuit.
In an aspect, any or a combination of machine learning mechanisms such as decision tree learning, Bayesian network, deep learning, random forest, support vector machines, reinforcement learning, prediction models, Statistical Algorithms, Classification, Logistic Regression, Support Vector Machines, Linear Discriminant Analysis, K-Nearest Neighbours, Decision Trees, Random Forests, Regression, Linear Regression, Support Vector Regression, Logistic Regression, Ridge Regression, Partial Least-Squares Regression, Non-Linear Regression, Clustering, Hierarchical Clustering – Agglomerative, Hierarchical Clustering – Divisive, K-Means Clustering, K-Nearest Neighbours Clustering, EM (Expectation Maximization) Clustering, Principal Components Analysis Clustering (PCA), Dimensionality Reduction, Non-Negative Matrix Factorization (NMF), Kernel PCA, Linear Discriminant Analysis (LDA), Generalized Discriminant Analysis (kernel trick), Ensemble Algorithms, Deep Learning, Reinforcement Learning, AutoML and the like can be employed to learn sensor/hardware components.
The term “non-transitory storage device” or “storage” or “memory,” as used herein relates to a random access memory, read only memory and variants thereof, in which a computer can store data or software for any duration.
In the description of the present invention, it is also to be noted that, unless otherwise explicitly specified or limited, the terms “disposed,” “mounted,” and “connected” are to be construed broadly, and may for example be fixedly connected, detachably connected, or integrally connected, either mechanically or electrically. They may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meaning of the above terms in the present invention can be understood in specific cases to those skilled in the art.
Modifications to embodiments and combinations of different embodiments of the present disclosure described in the foregoing are possible without departing from the scope of the present disclosure as defined by the accompanying claims. Expressions such as “including”, “comprising”, “incorporating”, “have”, “is” used to describe and claim the present disclosure are intended to be construed in a non-exclusive manner, namely allowing for items, components or elements not explicitly described also to be present. Reference to the singular is also to be construed to relate to the plural where appropriate.
Although embodiments have been described with reference to a number of illustrative embodiments thereof, it should be understood that numerous other modifications and embodiments can be devised by thos
I/We claims:
1. A machine learning-based cyber threat detection and response system (100), comprising:
a computing device (102) to:
gather data from a system event log, a network traffic log, and the user behavior patterns; and
receive new incoming data;
a remote server (104) to:
acquire the gathered data and new incoming data from the computing device (102);
perform preprocessing on the acquired data and generate the processed data, wherein the preprocessing comprises the steps selected from a group consisting of data imputation, data scaling, categorical variable encoding of data, and handling of missing values;
analyse the processed data by implementing a supervised learning technique and an unsupervised learning technique to develop a machine learning model for detecting the cyber threats;
apply the developed machine learning model to the acquired new incoming data, to identify a cybersecurity threat; and
initiate a predetermined response protocol upon detection of the cybersecurity threat to counter the detected cybersecurity threat.
2. The system (100) of claim 1, wherein the remote server (104) monitors the network activities and feeds the cybersecurity threat and system responses back for continuous improvement of the machine learning model.
3. The system (100) of claim 1, wherein the supervised learning technique is selected from support vector machines (SVM), decision trees, or random forests.
4. The system (100) of claim 1, wherein the unsupervised learning technique is selected from clustering techniques such as k-means or hierarchical clustering.
5. The system (100) of claim 1, wherein the predetermined response protocol comprises isolating the affected system, blocking suspicious network traffic, or alerting system administrators.
6. The system (100) of claim 1, wherein the remote server (104) further comprises a data storage unit for storing historical data to improve the accuracy of the machine learning model.
7. The system (100) of claim 1, wherein the predetermined response protocol enables generation of the forensic reports for further investigation and analysis of detected cybersecurity threats.
8. The system (100) of claim 1, wherein the predetermined response protocol enables deployment of the deception mechanisms to mislead and confuse attackers.
9. The system (100) of claim 1, wherein the predetermined response protocol prioritizes detected cybersecurity threats based on their impact and urgency.
10. A method for cyber threat detection and response in a machine learning-based system (100), comprising the steps of:
gathering data from a system event log, a network traffic log, and user behavior patterns using the computing device (102);
receiving new incoming data at the computing device (102);
acquiring the gathered data and new incoming data from the computing device (102) at the remote server (104);
performing preprocessing on the acquired data at the remote server (104) to generate processed data, wherein the preprocessing comprises steps selected from a group consisting of data imputation, data scaling, categorical variable encoding of data, and handling of missing values;
analyzing the processed data at the remote server (104) by implementing a supervised learning technique and an unsupervised learning technique to develop a machine learning model for detecting cyber threats;
applying the developed machine learning model to the acquired new incoming data at the remote server (104) to identify a cybersecurity threat; and
initiating a predetermined response protocol upon detection of the cybersecurity threat at the remote server (104) to counter the detected cybersecurity threat.
| # | Name | Date |
|---|---|---|
| 1 | 202421033146-OTHERS [26-04-2024(online)].pdf | 2024-04-26 |
| 2 | 202421033146-FORM FOR SMALL ENTITY(FORM-28) [26-04-2024(online)].pdf | 2024-04-26 |
| 3 | 202421033146-FORM 1 [26-04-2024(online)].pdf | 2024-04-26 |
| 4 | 202421033146-EVIDENCE FOR REGISTRATION UNDER SSI(FORM-28) [26-04-2024(online)].pdf | 2024-04-26 |
| 5 | 202421033146-EDUCATIONAL INSTITUTION(S) [26-04-2024(online)].pdf | 2024-04-26 |
| 6 | 202421033146-DRAWINGS [26-04-2024(online)].pdf | 2024-04-26 |
| 7 | 202421033146-DECLARATION OF INVENTORSHIP (FORM 5) [26-04-2024(online)].pdf | 2024-04-26 |
| 8 | 202421033146-COMPLETE SPECIFICATION [26-04-2024(online)].pdf | 2024-04-26 |
| 9 | 202421033146-FORM-9 [07-05-2024(online)].pdf | 2024-05-07 |
| 10 | 202421033146-FORM 18 [08-05-2024(online)].pdf | 2024-05-08 |
| 11 | 202421033146-FORM-26 [12-05-2024(online)].pdf | 2024-05-12 |
| 12 | 202421033146-FORM 3 [13-06-2024(online)].pdf | 2024-06-13 |
| 13 | 202421033146-RELEVANT DOCUMENTS [01-10-2024(online)].pdf | 2024-10-01 |
| 14 | 202421033146-POA [01-10-2024(online)].pdf | 2024-10-01 |
| 15 | 202421033146-FORM 13 [01-10-2024(online)].pdf | 2024-10-01 |
| 16 | 202421033146-FER.pdf | 2025-07-28 |
| 17 | 202421033146-FORM-8 [17-09-2025(online)].pdf | 2025-09-17 |
| 18 | 202421033146-FER_SER_REPLY [17-09-2025(online)].pdf | 2025-09-17 |
| 19 | 202421033146-DRAWING [17-09-2025(online)].pdf | 2025-09-17 |
| 20 | 202421033146-CORRESPONDENCE [17-09-2025(online)].pdf | 2025-09-17 |
| 21 | 202421033146-COMPLETE SPECIFICATION [17-09-2025(online)].pdf | 2025-09-17 |
| 22 | 202421033146-CLAIMS [17-09-2025(online)].pdf | 2025-09-17 |
| 23 | 202421033146-ABSTRACT [17-09-2025(online)].pdf | 2025-09-17 |
| 1 | SearchStrategyMatrix202421033146E_22-07-2024.pdf | |