US 12,223,048 B2
Threat mitigation system and method
Brian P. Murphy, Tampa, FL (US); Joe Partlow, Tampa, FL (US); Colin O'Connor, Tampa, FL (US); Jason Pfeiffer, Tampa, FL (US); and Brian Philip Murphy, St. Petersburg, FL (US)
Assigned to RELIAQUEST HOLDINGS, LLC, Tampa, FL (US)
Filed by ReliaQuest Holdings, LLC, Tampa, FL (US)
Filed on Apr. 3, 2023, as Appl. No. 18/130,231.
Claims priority of provisional application 63/326,375, filed on Apr. 1, 2022.
Prior Publication US 2023/0315852 A1, Oct. 5, 2023
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 29/06 (2006.01); G06F 21/56 (2013.01); H04L 9/40 (2022.01)
CPC G06F 21/566 (2013.01) [H04L 63/1416 (2013.01); H04L 63/1441 (2013.01); H04L 63/20 (2013.01); G06F 2221/034 (2013.01)] 27 Claims
OG exemplary drawing
 
1. A computer-implemented method, executed on a computing device, comprising:
monitoring and logging, by multiple security-relevant subsystems, activity with respect to one or more computing platforms;
receiving a plurality of detection events concerning a plurality of security events occurring on the multiple security-relevant subsystems within the one or more computing platforms;
storing the plurality of detection events to form an event repository;
analyzing one or more current detection rules using machine learning;
processing the event repository using a machine learning model to identify attack patterns defined within the plurality of detection events stored within the event repository, thus defining one or more identified attack patterns;
defining a new detection rule based, at least in part, upon the one or more identified attack patterns and the one or more current detection rules, wherein defining the new detection rule includes:
defining a universal rule; and
translating the universal rule into customer specific technology rules;
directly executing the customer specific technology rules on one or more pieces of customer technology;
directly detecting security events on the one or more pieces of customer technology; and
directly executing a remedial action plan via the one or more pieces of customer technology.
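One way the "universal rule" to "customer specific technology rules" step of claim 1 could be realised, as an added example that is not the patent's or ReliaQuest's own code: a backend-neutral rule rendered into the field names and query syntax of two hypothetical customer technologies (tech_a and tech_b, whose field mappings and syntaxes are assumptions), then evaluated against constructed events.

```python
# Added example (not the patent's own code): a "universal" detection rule expressed
# as backend-neutral field conditions, translated into two hypothetical customer
# technologies that name fields differently, then evaluated on constructed events.
from dataclasses import dataclass


@dataclass
class UniversalRule:
    name: str
    conditions: dict  # universal field name -> required value


# Hypothetical per-technology field mappings and query syntaxes (assumptions).
TECH_PROFILES = {
    "tech_a": {"fields": {"process": "proc_name", "user": "account"},
               "fmt": lambda pairs: " AND ".join(f'{k}="{v}"' for k, v in pairs)},
    "tech_b": {"fields": {"process": "Image", "user": "User"},
               "fmt": lambda pairs: " and ".join(f"{k}:{v}" for k, v in pairs)},
}


def translate(rule, tech):
    """Render the universal rule in one technology's field names and syntax."""
    profile = TECH_PROFILES[tech]
    pairs = []
    for ufield, value in rule.conditions.items():
        if ufield not in profile["fields"]:
            raise KeyError(f"{tech} has no mapping for universal field {ufield!r}")
        pairs.append((profile["fields"][ufield], value))
    return profile["fmt"](pairs)


def matches(rule, tech, event):
    """Evaluate the translated rule against one event from that technology."""
    mapping = TECH_PROFILES[tech]["fields"]
    return all(event.get(mapping[f]) == v for f, v in rule.conditions.items())


RULE = UniversalRule("suspicious_tool_by_service_account",
                     {"process": "sample_tool.exe", "user": "svc_backup"})

# Constructed sample events, one list per technology (not real telemetry).
EVENTS = {
    "tech_a": [{"proc_name": "sample_tool.exe", "account": "svc_backup"},
               {"proc_name": "notepad.exe", "account": "svc_backup"}],
    "tech_b": [{"Image": "sample_tool.exe", "User": "alice"}],
}


def detections():
    """Return per-technology counts of events matching the universal rule."""
    return {t: sum(matches(RULE, t, e) for e in evs) for t, evs in EVENTS.items()}
```

A field that has no mapping for a given technology raises KeyError at translation time, which is the point at which a real system would flag the universal rule as not deployable to that technology.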