US 12,170,678 B2
Automatic incident generator
Nickolay Berko, Schaffhausen (CH); Serg Bell, Singapore (SG); and Stanislav Protasov, Singapore (SG)
Assigned to Acronis International GmbH, Schaffhausen (CH)
Filed by Acronis International GmbH, Schaffhausen (CH)
Filed on May 31, 2022, as Appl. No. 17/804,830.
Prior Publication US 2023/0388321 A1, Nov. 30, 2023
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1416 (2013.01) [H04L 63/1433 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A method for automatic detection of security incidents in a computer system with access to a database of previously recorded security incidents comprising incident signatures based on a sequence of at least three events related to the security incidents, the method comprising:
monitoring an event stream comprising a sequence of at least three system events in the computer system;
calculating an incident signature based on the sequence of at least three system events;
calculating a degree of variance (DoV) of the monitored sequence of events from the incident signature, wherein the DoV is the distance between the incident signature and an incident signature based on previously recorded security incidents;
comparing the calculated DoV to a predetermined variance threshold;
determining that the monitored sequence of events is a security incident associated with the incident signature of the previously recorded activities when the calculated DoV is less than or equal to the threshold;
determining that the monitored sequence of events is not a security incident associated with the incident signature of the previously recorded activities when the calculated DoV is greater than the threshold;
executing instructions on the computer system based on the calculated DoV, wherein the instructions add the determined security incident to the database of previously recorded security incidents when the calculated DoV is less than or equal to the threshold and wherein the instructions do not add the monitored sequence of events to the database of previously recorded security incidents when the calculated DoV is greater than the threshold; and
when the calculated DoV is less than or equal to the threshold,
applying the security incident to a security policy which prevents sending a message to a receiver.
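The claim describes a matching loop: build a signature from a window of at least three events, measure its degree of variance (DoV) from each stored incident signature, compare to a threshold, record a match in the incident database and feed it to a message-blocking policy. The following Python sketch is an added illustration of that loop and is not code from the patent or from Acronis. The patent does not fix a distance metric, so edit distance over event tokens is used here as the DoV; the event names, incident ids and the threshold value are constructed sample data, and the policy step is modelled as a boolean decision rather than a real mail or messaging hook.

```python
from dataclasses import dataclass
from typing import Dict, Sequence, Tuple

MIN_EVENTS = 3  # the claim requires a sequence of at least three events

Signature = Tuple[str, ...]

# Constructed sample database of previously recorded incident signatures.
# Event names are illustrative placeholders, not values from the patent.
RECORDED_INCIDENTS: Dict[str, Signature] = {
    "INC-ransomware-like": ("file_enumerate", "file_encrypt", "shadow_copy_delete"),
    "INC-exfil-like": ("archive_create", "outbound_connect", "bulk_upload"),
}


@dataclass
class Decision:
    is_incident: bool
    degree_of_variance: int
    closest_incident: str
    block_message: bool   # outcome of the security-policy step in the claim
    recorded_as: str = "" # id assigned when the match is added to the database


def incident_signature(events: Sequence[str]) -> Signature:
    """Normalise a monitored event window into an ordered signature."""
    if len(events) < MIN_EVENTS:
        raise ValueError(f"need at least {MIN_EVENTS} events, got {len(events)}")
    return tuple(e.strip().lower() for e in events)


def degree_of_variance(observed: Signature, reference: Signature) -> int:
    """Edit distance between two event sequences: each inserted, deleted or
    substituted event costs 1.  Assumed metric; the patent names none."""
    prev = list(range(len(reference) + 1))
    for i, obs in enumerate(observed, start=1):
        cur = [i]
        for j, ref in enumerate(reference, start=1):
            cost = 0 if obs == ref else 1
            cur.append(min(prev[j] + 1,          # delete observed event
                           cur[j - 1] + 1,       # insert reference event
                           prev[j - 1] + cost))  # match / substitute
        prev = cur
    return prev[-1]


def classify(events: Sequence[str], threshold: int,
             database: Dict[str, Signature]) -> Decision:
    """Compare the monitored window against every stored signature, take the
    closest one, and apply the threshold rule from the claim.  A match is
    appended to `database` in place; a non-match leaves it untouched."""
    sig = incident_signature(events)
    closest_id, dov = min(
        ((iid, degree_of_variance(sig, ref)) for iid, ref in database.items()),
        key=lambda pair: pair[1],
    )
    if dov <= threshold:
        new_id = f"{closest_id}#{len(database) + 1}"  # constructed id scheme
        database[new_id] = sig
        return Decision(True, dov, closest_id, block_message=True, recorded_as=new_id)
    return Decision(False, dov, closest_id, block_message=False)


if __name__ == "__main__":
    db = dict(RECORDED_INCIDENTS)
    window = ["file_enumerate", "file_encrypt", "vss_delete"]  # one event differs
    print(classify(window, threshold=1, database=db))
    print(sorted(db))
```

The threshold is the tuning knob a defender cares about: a threshold of 0 only re-detects exact repeats of recorded incidents, while a larger threshold tolerates renamed or reordered steps at the cost of more false matches, each of which is then written back into the database and will itself seed future matches.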