The present invention relates to configuring and managing network Internet of Things (IoT) devices security policies. More specifically, the present invention relates to configuring, authenticating, and managing of network internet of things devices security at single administration points using a purpose-built security appliance in form of a software module as virtual machine, a software container or a hardware appliance or security software services provided as software as a service from public or private cloud-based data centers. Further the present invention relates to management of multi-platform, multi-types of Internet of Things devices security using services such as crypto protocols, security policies, Authentication Servers, etc.
With the explosive growth of the Internet of Things devices being connected to internet and networks including enterprise and home networks, huge streams of data as it is collected, parsed and analyzed to enable and bring much needed efficiencies and cost savings to these infrastructures. At the same time, the infrastructures of organizations, organizational networks, servers with confidential information are becoming even more vulnerable to further exposure to outside threats for being hacked, malicious software codes to be injected into these networks and servers via these internet of things devices and create new openings to access many valuable sources of information. Additionally, users are now exposed to many new perils. Such perils include downloading of destructive computer viruses to sophisticated third-party, network attacks. In response to dangers lurking from “outside” computer networks, new ways of addressing these problems have emerged and using various techniques from the field of machine learning and artificial intelligence are being applied in combination with security technologies to address these emerging attacks.
These and other limitations of conventional networks are described throughout the specification and more particularly below.
The present invention discloses methods and apparatus for configuring and managing network Internet of Things (IoT) devices security policies.
According to one embodiment, a method for configuring a plurality of network internet of things devices, includes the steps of providing a network directory services server called Authentication Type Services Sever providing directory services to a plurality of network IoT devices, each of the plurality of network IoT devices coupled to one of the plurality of network IoT security devices and IoT gateways and implementing a security policy enforcement for the plurality of network IoT security devices on the network IoT directory services server as part of the overall IoT Security Appliance engine. The step of using the network IoT Authentication/Type Service directory services to provide configuration information for the plurality of network IOT Security devices, in response to the security policy is also disclosed.
In an example, the system is an enterprise network system. The system has various elements such as a data source coupled to a network, a router coupled to the data source, a switch device coupled to the router, among other network elements. The network can include servers such as web servers, database servers, and other application servers, bridges, other routers and switches, connected to a data center or Cloud.
In an example, the present system has an engine configured with a plurality of specialized engines. The engine has an instant auto discovery engine (TAB) module coupled to switch device. In an example, the discovery module is configured to monitor traffic to the switch device to detect all of a plurality of client devices, including a plurality of IoT devices. The IAB module is coupled to the switch device and configured to detect all of a plurality of sensor devices coupled to the switch device. The IAE module is configured to detect all of a plurality input device coupled to the switch device. The IAE module comprises a catalog of each of the plurality of client devices, input devices, sensing devices, or other network devices. Each of the devices also has profile information on a common database or memory resources.
Additionally, the engine has a behavior analytics engine (BAE) module coupled to the switch device. The BAE module is configured to monitor traffic to the switch device and configured to detect one or more anomalies from a flow of traffic. Of course, there can be other variations, modifications, and alternatives.
The engine has an intelligent machine learning engine (IMLE) module configured with the BAE module. In an example, the IMLE module is configured to process the flow of data through one of a plurality of processes. The one of the plurality of processes is numbered from one through N, where N is greater than 5 or other number greater than 1. In an example, the plurality of processes is categorized into a clustering process, a classification process, a regression process, an association process, a probabilistic processes comprise a Bayesian Network, or a graph based model, alone or in combination with any of the other aforementioned processes, among others.
In an example, the engine has a smart security engine (SSE) module. In an example, the SSE module is configured to implement a security measure from feedback from the BAE module.
The engine has an autonomous decision engine (ADE) module coupled to the SSE module. In an example, the ADE module is configured for a remediation process. In an example, the remediation process comprises an autonomous decision engine comprising a sense process, plan process, and an act process (collectively the “AI processes” or “AI decision processes”), and is configured to make a decision from the flow of data to remediate and take appropriate action based upon the what signal is received from the client device, and processed through a behavior analytics engine thereby feeding information into the autonomous decision engine taking into account information selected form an a status of an internal state, a response associated with the internal state and a received input, and a model associated with the device from a catalog stored in a database for remediation to reason over achieving a future state using remediation to predict a future state and use the AI processes to ensure migration to the future state.
In an example, the engine works with the modules to collectively perform the operations described, among other operations. In an example, the IAE module, BAE module, ADE module, and SSE module are configured to discover instantly the plurality of client devices connected to the network, monitoring the flow of data from each of the plurality of the client devices, detecting at least one anomaly, and taking a remediation action for the detected anomaly.
According to another embodiment, a network of trusted network servers including a computer system for configuring security features in the network of trusted network servers is described, the computer system including a processor and a computer readable media. The computer readable media including software code that directs the processor to provide directory authentication services to the network of trusted network servers and software code that directs the processor to receive security feature configuration data for the network of trusted network servers from a remote client. The computer readable media also includes software code that directs the processor to use the Authentication Type Server directory services to provide each of the network of trusted network servers with the security feature configuration data and validate the authenticity of the IoT devices.
Further understanding of the nature and advantages of the invention may be realized by reference to the remaining portions of the specification, drawings, and attached documents
The present invention discloses methods and apparatus for configuring and managing network Internet of Things (IoT) devices security policies.
In addition to what has been described, the increased dependence of government, military, commercial, profit and non-profit organizations on Internet technologies to conduct their everyday business essentially create new challenges for cyber defense. The advancing complexity and variety of cyber-attacks have almost rendered traditional IT defense methods such as anti-virus software, firewalls or intrusion prevention systems ineffective in preventing these attacks. As corporations and other organizations connect more of their networks to these IoT devices and public Internet, the risks of endangering information assets have risen even more dramatically. Connected devices will change the way we work, live and play in the near future—per Gartner Group, 25 Billion connected devices will create about $1.7 Trillion in market opportunity in coming years. Despite this massive opportunity for organizations to be using IoT within 3 years, IoT is our single biggest security threat and biggest opportunity over the next 10 years. The rise of cyber-attack prevention across all industries and the mindset in how they approach security needs to be looked at in a whole new way. According to M-Trends, it took an average of 205 days for a company to detect a breach and though 2014 was the Year of the mega-breach, 2015 was worse, with nearly 4,000 breaches and over 750 million records stolen.
Not a day or a week passes without the mainstream media commenting on the latest episode of Internet of Things related attacks, fraud, information corruption, or other incidents that dramatically underscore the darker side of the internet and communications revolution. Computer and communications security, a topic once the exclusive province of obscure firms catering mainly to the government defense, intelligence agencies, public services networks and to financial services companies, have become mainstream for over last two decades and more and more sophisticated attacks into these networks are being perpetrated and hence, there is an immediate need to provide dynamic and innovatively adaptive security solutions based on machine learning, artificial intelligence and robotics processes that continue to become smarter and smarter as more data is fed into these systems so they can autonomously take remediation actions.
Innovative solutions and new approaches are needed for detecting and investigating malicious activity, as a single breach can cause financial losses to a tune of about $5.9 million and a major hit to institutional branding and reputation. In addition to the constantly changing IoT landscape, challenging unique dimensions of IoT security consists of limited system resources (lack of standard OS and system resources), large variety of devices (Current End Point Security Systems not designed for IoT), complex deployment topologies, and repeatable network patterns (designed for similar tasks). Monitoring Single Presence, Single Method, Single Event and Single Signal is NO longer viable for IoT infrastructure and hence, there is a need for next Generation AI-based Autonomous and multi-dimensional Threat Intelligence Solutions for IoT Cyber Security that can monitor, detect, and take action at every point similar to a Cyber kill Chain in near real time. Cyber hunting is a time consuming and intensely manual process as of today. However, with rapid advances in machine learning and autonomous systems, these technologies can help detect in near real time and hence, a huge business opportunity for using this adaptive AI-based Threat Control Technology.
The concern for network security has led to a need for more sophisticated security systems than most organizations have needed until now. Most of the security systems today are focused on information technology assets such as computers, laptops, smart phones, tablets or pads and are not focused on providing security for IoT devices which are inherently different in characteristics such as low compute and storage resources, low footprint, different types and no single operating system unlike personal computers, laptops etc. At one time, these organizations were content with the security provided by their network operating systems, network directory services, routers, firewalls, intrusion prevention and detection systems and gateways. However, these systems are now no longer sufficient to resist the attacks of legions of determined Internet hackers from variety of attack surfaces and proliferation of different devices including mobile, smart phones, internet of things devices or from insiders such as organization's own employees.
In general, a firewall is deployed as a security mechanism for controlling access between a private, trusted network and an untrusted outside network such as public Internet or public cloud or datacenter or some other part of the corporate network like a private cloud. Today, next generation Firewalls typically provide from one to three levels of security consisting of packet filtering, circuit-level gateway functionalities, and application-level firewalling capabilities including deep packet inspections. Firewalls are also of many types today from web application firewalls, application level firewalls, network security firewalls and they often differ greatly in their architecture, the types platforms they run upon, their security capabilities, and their ability to support variety of protocol networks. These firewalls do not support IoT devices and many legacy protocols such as Zigbee, ZWave, LowPan, Bluetooth, modbus, BACnet and others that number of these IoT devices are used for.
Variety of Protocols for Internet of Things Devices and Networks
The choices of connectivity options for developers working on products and systems for the Internet of Things (IoT) varies from well-known communication technologies such as WiFi, Bluetooth, ZWave, LoPan, SigFox, ZigBee and 2G/3G/4G cellular, but there are also several new emerging networking protocols supported by vendors such as Google, Apple, Alljoyn Consortium such as Thread as an alternative for home automation applications and Whitespace TV technologies being implemented in major cities for wider area IoT-based use cases. Depending on the application, factors such as range, data requirements, security and power demands and battery life will dictate the choice of one or some form of combination of technologies. Thus, mixed protocols, networks at both the protocol and operating system platform level will be around for years to come as well as the need to securely and seamlessly access the Internet and its rich information resources using
Internet of Things devices and gateways.
Current solutions for providing security for these environments are in nascent stages and quite limited in scope. For example, WiFi access points and IP gateways provide Internet connectivity for IP-enabled devices such as laptops, smartphones, computers, tablets, pads and IP-enabled IoT devices, but the security is very basic and not available for devices supporting other protocols as above. Further, the security focus of these gateway products is typically on access control and not on behavior analysis of these IP-enabled devices and not on dealing with the more serious problem of behavior fluctuations, detecting anomalies and then doing analytics to do processing, reasoning and predicting threat and providing threat intelligence in a comprehensive manner. More importantly, these gateways do not appear to provide security for IoT devices. A solution that discovers, identifies and classifies assets into IoT categories rather than treating them as IT assets by generating a baseline of normal device behavior and identifies its risk profile and as it detects the anomalous device behavior and correlates it against the normal device behavior, it can close the control loop by providing real-time policy enforcement.
The usefulness of current security systems and solutions have been limited, by their inability to work in network environments that employ devices with different protocols and different platforms. What is needed are improved security configuration and management methods and apparatus for such emerging new network environments consisting of not only information technology assets but also internet of things device assets. Further details of the present invention can be found throughout the present specification and more particularly below.
This following section defines some security terms and explains some key concepts to understanding the different architectural approaches to building Network Security Anomaly Detection, Intrusion Detection Software or Hardware Appliances and similar security concepts are used for IoT devices in a new way. In enterprises or organizations nowadays, network security Intrusion detection systems (IDS) are a significant component to help protect against increasingly sophisticated cyber-attacks being carried out by unscrupulous actors. These systems that rely solely on a database of prior known attacks or signatures are no longer effective in detecting modern day threats. Our approach is to use state-of-the-art machine learning and Artificial Intelligence techniques in novel ways to discover, monitor, detect and remediate on these unknown threats or attacks by identifying attack features from the devices these attacks get carried out. The data mining techniques have been employed with our solution and in particular, the data pre-processing stage, which includes feature selection consists of selecting relevant subsets from the original dataset in order to minimize the effect of irrelevant and redundant features without greatly decreasing the accuracy of the classifier. The files and other information, the devices use need to be protected with an automated tool.
The increased dependence of government, military and commercial organizations on Internet technologies to conduct their everyday business creates new challenges for cyber defense. The advancing complexity and variety of cyber-attacks have almost rendered traditional IT defenses, such as anti-virus software or intrusion prevention systems. A deliberate action against data, software or hardware that can destroy, degrade, disrupt or deny access to a networked computer system is called a cyber-attack. Now a day, in the area of intrusion detection, data mining techniques have been employed with success. In particular, the data pre-processing stage, which includes feature selection, has attracted much attention. Feature selection selects relevant subsets from the original dataset in order to minimize the effect of irrelevant and redundant features without greatly decreasing the accuracy of the classifier. In protecting files and other information computer use implies a need for automated tools. In cryptography basically we have to know about some terminology like plain text, cipher text, encryption, decryption and keys. Plain text: The data which are having valid meaning is called plain text. Cipher text: The data which does not having valid meaning is called cipher text. Encryption: Converting plain text into cipher text is known as encryption. Decryption: Decryption is the reverse process of encryption. This means converting cipher text into plain text. Keys: keys are two types: 1. Public key and 2. Private Key—Public key is known to every node in the network. And private key is known to only the generated node.
Cyber-Attack—Per Wikipedia, a cyberattack is any type of offensive maneuver employed by nation-states, individuals, groups, society or organizations that targets computer information systems, infrastructures, computer networks, and/or personal computer devices by various means of malicious acts usually originating from an anonymous source that either steals, alters, or destroys a specified target by hacking into a susceptible system.
Intrusion Detection System: An intrusion detection system (IDS) dynamically monitors logs and network traffic, applying detection processes for past known attacks also called signatures to identify these potential intrusions with in a network. In general, Intrusion detection systems are of two types. The first one is host-based and is considered the passive component. The second one is network-based and is considered the active component. Network based IDSs are easier to deploy for each network segment and monitor network traffic traveling to all the systems. A network-based IDS sensor will listen for all the attacks on a network segment regardless of the type of the operating system the target host is running Host based systems, on the other hand, can detect attacks that network-based IDS sensors fail to detect. Host based sensors can be useful in protecting hosts from malicious internal users or inside attacks in addition to protecting systems from external attacks. IDS systems are further divided into two categories based on the detection methods they employ. For example, Misuse detection is the most common approach and uses knowledge database of known attack patterns to scan for signatures, monitor state transitions or employ correlation and data mining techniques to identify potential attacks. They can be effective for detecting a limited set of known cyber-attacks with low false alarm rates against the information stored within the database and are ineffective for detecting new classifications or unknown attacks. Therefore, Anomaly Detection methods are employed to overcome this problem by assuming that cyber-attacks are ‘abnormal’ and identifiable by noting their deviation from the ‘normal’ behavior model or profile of the devices.
Firewall: A type of security mechanism for controlling access between a private trusted network and an untrusted outside network like public internet or private cloud. It typically includes software running on general purpose or specialized hardware or running on a public cloud and protecting the services of an enterprise with cloud firewall services.
Protocol gateway: A protocol translation mechanism for connecting (for example) different protocols to an IP network, for example a public network to private network. The term ‘gateway’ is also sometimes used to refer to circuit-level and application-level firewalls but these are not protocol gateways.
Device Catalog Services Server: This is a form of Directory Services that are global, distributed information databases that stores information about all IoT devices with the manufacturer, model, specification details, access to network resources, devices information, device characteristics regardless of physical location and provides syncing with the Behavior Analytics Engine. This also can be linked to prevalent enterprise directory services that are used for users and assets. These are preferably Lightweight Directory Access Protocol, a directory protocol standard, commonly used Microsoft's Active Directory Services and other directory services provide central points of administration for entire networks of networks. These directory services typically maintain information about every resource on the network, including users, groups, printers, volumes, and other devices. This information is typically stored on a single logical database, thus, instead of logging onto many individual file servers, users and network administrators log onto the network preferably only once.
Network address translation (NAT): With the growing shortage of IP addresses, it has become increasingly difficult for organizations to obtain all the registered IP addresses they need. A network address translator solves this problem by dynamically converting between a re-usable pool of dynamically assigned registered IP addresses and the internal IP addresses used in an organization's intranet. This not only alleviates the IP address crunch, but it also eliminates the need to renumber when an organization changes Internet service providers (ISPs).
Transparent proxy: A transparent proxy provides the user with the ability to use an application process running on a firewall without explicitly requiring the client to specify that proxy. In other words, the client perceives that it is still speaking to the router gateway. This feature typically makes it considerably easier to install a firewall without having to reconfigure every client in a TCP/IP environment.
The major types of networks in terms of their security classification are as follows:
Trusted network: Users on this network are, by default, deemed to be trustworthy. Users may be physically on a common network, or linked together via a virtual private network (VPN).
DMZ: The ‘Demilitarized Zone’ lies outside the perimeter defenses provided by the firewall but contains systems that are owned by a private organization. Common examples would be Web servers and anonymous ftp servers providing information to Internet users.
Untrusted network: These are outside networks of various kinds, among the many thousands of networks connected to the Internet, or even untrusted networks that may be part of other departments or divisions within an organization.
Types of Firewalls used for Information Technology Assets
Firewalls typically provide one of three different levels of security—packet filtering, circuit-level gateway, and application gateway—or some combination of these.
Packet filtering firewalls typically provide the most basic form of firewall security and are typically a standard feature of routers, operating systems. Packet filters inspect the header of each incoming and outgoing packet for user-defined content, such as an IP address or a specific bit pattern, but do not validate or track the state of sessions. These firewalls typically also filter at the application port level—for example, ftp access generally utilizes port 21. However, since any packet with the right IP address can pass through the filter once the port is enabled, there is a security hole for other applications or sessions addressed to the same port. Packet filtering is typically the least secure form of firewall and typically the cheapest.
Circuit-level gateway firewalls validate TCP and, in some products, User Datagram Protocol (UDP) sessions before opening a connection or circuit through the firewall. The state of the session is monitored, and traffic is only allowed while the session is still open. This is more secure than packet filtering but allows any kind of data through the firewall while the session is open, creating a security hole. This is better than packet filtering but still falls short of total security. Further, if this gateway does not support UDP, it cannot support native UDP traffic such as domain name service (DNS) and SNMP.
Application-level gateway firewalls run an application process (sometimes termed a ‘proxy’) on the firewall for each application that is supported. By understanding the application and the content of the traffic flowing through the firewall, typically a high degree of control can be applied. These firewalls typically also provide highly detailed logging of traffic and security events. In addition, application-level gateway firewalls can use NAT to mask the real IP address on a node on the internal network and thus make it invisible to the outside.
Stateful inspection firewalls are essentially hybrid firewalls that have elements of all of the above firewalls but lack the full application layer inspection capabilities of an application level gateway. An example of such a firewall is a traffic inspection engine is based on a generalized scripting language. The engine executes inspection rules written in this language. The principal advantage over an application gateway is that it can provide greater simplicity in terms of adding firewall support for new applications, however it typically lacks security robustness.
Typically, the most secure form of firewall, as illustrated by the preferred embodiment of the present invention, is a ‘multi-level firewall’—one which combines the capabilities of a packet filter, a circuit level gateway and an application level gateway to provide in-depth defense. Security attacks can come at any level. For example, some kinds of attacks are best prevented at the application level (such as an illegal file write operation to a corporate server using FTP) while others are best prevented at the packet level (such as IP spoofing)—the combination of multiple levels of security is stronger than any one of them used alone.
In an example, to provide enhanced security and support for multi-protocol networks and internet of things devices, for example, with IP-enabled devices such as light bulbs, IP-Cameras, thermostats, refrigerators, door locks and any other devices connecting to Internet and supporting different protocols such as Bluetooth, ZigBee, Zwave, Thread, etc., the present application describes a new category of Internet of Things Cyber Security System—one that integrates both a multi-level security functionalities, machine learning based dynamic probes to collect and gather behavioral information pertinent to the IoT devices, behavior analytics engine and autonomous decision engine using artificial intelligence and robotics processes and technologies.
Security Policy—Firewalls and other types of security devices provide means of enforcing security policies that define acceptable uses of applications and acceptable access to information-both inbound and outbound. Since all network communications between a trusted network and all other types of network must pass through the firewall in a well-designed network, the firewall is uniquely well positioned to play the role of network traffic monitoring and policy enforcement station. The need for a new type of security appliance in IoT enabled networks is important as it needs to address variety of new devices, protocols, underlying operating systems and behaviors.
The access policy on the inbound side might define acceptable access to gateways or specific servers or other host by time of day, by type of device and its usage, or by type of application, and the like. On the outbound side, the policy might also prevent these IoT enabled devices from accessing specific Web sites, specific pages within a Web site, and the like and specific or any specific servers. A source of a communication, a destination, behavior patterns and a specific application are typically included in a security policy. Inbound or outbound communications that fall outside of the parameters of the policy are considered security violations or outside the behavior characteristics, and a Artificial Intelligence-based IoT Security Appliance can and should be configured to detect and prevent them.
However, sophisticated the hard ware and software that provides enterprise security, security is typically only as good as the organization's security policy for these devices and other applications and the users who implement it—including end users and network administrators alike. Since these devices and users are the weak link in any security system, ease of use and ease of management are essential to providing a security system that will not be abandoned because it is too hard to use or too expensive to manage. Further details of the present system and related methods are found throughout the specification and more particularly below.
Autonomous, Multi-Dimensional (A Software Appliance for Internet of Things (IoT) Threat Protection);
Discover Devices (IoT etc.) instantly;
Monitor Devices: Deviation from “device-specific behavior” and any others using new invention BAE (Behavior Analytics Engine) and new invention IMLE (Intelligent Machine Learning Engine)
Detect Anomalies (security and network);
Remediate via Surgical Specific Actions;
In an example, the system has an Autonomous Decision Engine (ADE), which is an important part of the technical infrastructure for automated response for its artificial and machine learning based engine for automated persistent threat diagnosis and response, as shown. The objective of the ADE is to use incoming sensory stream and then using its perception of the environmental context, decide in an ‘autonomous’ fashion and appropriate and actionable response to a situation it encounters. In doing so, it will evaluate multiple sources of data, which provide the ‘context’ and then use Artificial Intelligence search methods to decide what is an optimal response. The foundational basis for such a decision-making capability comes with a rich operational legacy in space and marine robotics and is therefore a mature technology for its slated goals. The key concept that the ADE deals with is to sense the network environment, based on a deterministic model, plan for dispatching commands and then to actually dispatch (or act) based on the formulated plan. The sense-plan-act paradigm then is at the core of this technology and provides the decision-making infrastructure inside the system. Further details of the ADE are shown below.
Architectural Features—Key architectural properties of the ADE are as follows:
a. it holds a temporal database of multiple co-temporal timelines—each timeline describes the state of a device (over time) and therefore tracks the device state changes. Timelines progress continuously and therefore preserve the state of each device, and consequently the state of the entire system.
b. state changes within timelines are marked by ‘tokens’, atomic entities which describe a specific instantiated state of (in this case) a device. Tokens are connected to each other, within and between timelines, via constraints—the entire connected set of timelines, tokens, constraints forms part of a temporal database.
c. data to ensure the current state of each device needs to be fed to the ADE as a result in the form of ‘events’. When a state transition occurs, a message needs to be sent to the ADE with the specifics of the device and the change of state.
d. typically, such data needs to be aggregated elsewhere outside the ADE and messaged to an DE interface.
e. equally, the Behavioral Analytics Engine (BAE), which is built on top of Machine Learning (ML) elements, need to be at the center of such event flagging. When an event of importance as decided by BAE is flagged, that event is messaged to the ADE—doing so will trigger change in state and therefore a new token on the appropriate timeline associated with a specific device.
f. the domain model is a key element of the ADE and the temporal database is an instantiation of such a model. Dependencies between elements in the model need to reflect the reality of dependence between devices. So, if a thermostat is being modeled, its location is a function of where the thermostat is measuring temperature needs to be made available. The model therefore needs to be carefully built based on the elements of the catalog. And the catalog in turn, needs to be a collection of objects which are linked in the model.
g. Actuation is based on a decision that the ADE makes. In this context, there can be two likely responses—one dealing with a security implication, namely being responsive to a determination of a cyber-attack, to which the ADE dispatches a message to the Smart Security
Engine (SSE), which in turn will be expected to respond by shutting down a device, port or connection (or all the above). Or actuation based on making a deterministic choice to make a change in state of a device, not necessarily for security related decisions. An example could be, to change ambient lighting conditions in a room, over the course of an evening, while ensuring the room is being occupied.
What should be clear is that the ADE is a universal system which can be used to collate, inform and then actuate—akin to the central notion of whole system to Monitor, Detect and Remediate. Discovery is separate to such behavior (and currently part of the Instant Auto Discovery Engine (IAE)), but can, in the future, be included as part of the ADE or as a separate software engine module in itself.
The Model—It helps to visualize the ADE as in
The catalog needs to structured in a way that such information as needed, can be generated by discovery, but also relates the elements of this catalog to one another in a generic manner, so that when instantiated, there is actionable information within the ADE. The thermostat above is a simple example—its location, and not just its function is important to contextualizing where and how it works. So, when instantiated, the thermostat needs to work in the context of recording and changing the temperature of the room it is placed in. And in doing so, therefore, the actionable aspect that the ADE can then leverage is made clear by this causal link to the room.
The core of the ADE technology lies with the notion of dealing with constraints across various variables, as, also structured representation in dealing with evolving ‘facts’ that the engine needs to reason over. Time is explicitly represented and is therefore critical to reason with. The objects associated with these constraints come from the model. And the causal structure(s) determine the constraints. So, in the above running example, not only must the catalog link the thermostat to its location, but that in turn needs to be constrain the values that the ADE should be able to set or maintain—a thermostat in a fridge will therefore operate differently from a thermostat in a meeting room.
What this implies is that in the process of reasoning, the model is a key entity. A base level catalog will be adequate but not sufficient to ensure that the ADE can operate. Conversely, the catalog will also be the source of information on how the device is to operate—for the thermostat in a fridge temperature between −10° C. to +12° C., for example, will make sense, but not for a meeting room. So the model (and hence the catalog) will be the fount of all knowledge. And therefore, it is critical that it is maintained and secured appropriately.
The Search Engine—Timelines, tokens and constraints are the atomic entities which define how the inside of the ADE is structured, as noted above.
The instantiation of the tokens above is done automatically by the ADE and is at the core of a ‘plan’. So, what the FIGURE shows is how a possible future state of a conference room will look like. Execution then will be contingent on when such a plan can be activated with the arrival of one or more human occupants in the conference room. In addition, the notion of search here is then between what the system can/should do. So, for instance, if a light sensor (not shown above) shows that the window blinds are admitting enough Lumens that there is no need for turning “on” the lights, then the ADE will not do so. So, the plan above, is contingent to there not being enough Lumens in the ambient environment for it to turn the lights “on”.
So, the objective of the ‘search’ engine here is to go over all possibilities for placing the tokens on the timelines as an expectation of a plan of action to act on, sometime in the future. Actual conditions dictated by other sensors (e.g. presence sensors for humans, ambient light) will actually dictate what plan is executed.
Execution—In the ADE, projecting via timelines (or ‘planning’) and acting (or ‘executing’) are closely tied together. While
In the present example, the total devices available from a directory can be 13,557, but there can be additional or few devices. Each of the devices represents a type of device, such as a bulb, thermostat, camera, medical device, a lock, or any other entity coupled to the Internet or any Internet enabled device, which often has IP address or a unique identifier for meshed networks, or Bluetooth, or others, including any combinations thereof, and the like. Of course, there an be other variations, modifications, and alternatives.
It shows the four key components of the of the invention and the approach to “discover”, “monitor, “detect” and “remediate” over the course of its continuous operation. It also shows a range of different data sources which the system consumes continuously as a means to make intelligent network traffic decisions in real time.
In an example, the system has an autonomous decision engine (“ADE”). The ADE has been described herein, and further below. The system has a behavior analytics engine (“BAE”), which is also explained further below. Similarly, the system has smart security engine (“SSE”) and instant auto discovery engine (“IAE”). Each of the engines configured together, as shown. In an example, the method includes a step of discover, monitor, detect, and remediate, which is repeated as shown. The engines are coupled to a plurality of data collection processes from existing networking devices, infrastructure, and other entities.
In an example, the system is an enterprise network system. The system has various elements such as a data source coupled to a network, a router coupled to the data source, a switch device coupled to the router, among other network elements. The network can include servers such as web servers, database servers, and other application servers, bridges, other routers and switches, connected to a data center or Cloud.
In an example, the present system has an engine configured with a plurality of specialized engines. The engine has an instant auto discovery engine (IAE) module coupled to switch device. In an example, the discovery module is configured to monitor traffic to the switch device to detect all of a plurality of client devices, including a plurality of IoT devices. The IAE module is coupled to the switch device and configured to detect all of a plurality of sensor devices coupled to the switch device. The IAE module is configured to detect all of a plurality input device coupled to the switch device. The IAE module comprises a catalog of each of the plurality of client devices, input devices, sensing devices, or other network devices. Each of the devices also has profile information on a common database or memory resources.
Additionally, the engine has a behavior analytics engine (BAE) module coupled to the switch device. The BAE module is configured to monitor traffic to the switch device and configured to detect one or more anomalies from a flow of traffic. Of course, there can be other variations, modifications, and alternatives.
The engine has an intelligent machine learning engine (IMLE) module configured with the BAE module. In an example, the IMLE module is configured to process the flow of data through one of a plurality of processes. The one of the plurality of processes is numbered from one through N, where N is greater than 5 or other number greater than 1. In an example, the plurality of processes is categorized into a clustering process, a classification process, a regression process, an association process, a probabilistic processes comprise a Bayesian Network, or a graph based model, alone or in combination with any of the other aforementioned processes, among others.
In an example, the engine has a smart security engine (SSE) module. In an example, the SSE module is configured to implement a security measure from feedback from the BAE module.
The engine has an autonomous decision engine (ADE) module coupled to the SSE module. In an example, the ADE module is configured for a remediation process. In an example, the remediation process comprises an autonomous decision engine comprising a sense process, plan process, and an act process (collectively the “AI processes” or “AI decision processes”), and is configured to make a decision from the flow of data to remediate and take appropriate action based upon the what signal is received from the client device, and processed through a behavior analytics engine thereby feeding information into the autonomous decision engine taking into account information selected form an a status of an internal state, a response associated with the internal state and a received input, and a model associated with the device from a catalog stored in a database for remediation to reason over achieving a future state using remediation to predict a future state and use the AI processes to ensure migration to the future state.
In an example, the engine works with the modules to collectively perform the operations described, among other operations. In an example, the IAE module, BAE module, ADE module, and SSE module are configured to discover instantly the plurality of client devices connected to the network, monitoring the flow of data from each of the plurality of the client devices, detecting at least one anomaly, and taking a remediation action for the detected anomaly.
In an example, the IAE module comprises the catalog in a database, the database comprising a profile information for each of the plurality of client devices. In an example, the remediation process occurs without use of any rule based processes explicitly coded and the remediation occurs consisting of AI processes that form a template for the client device to operate. In an example, the remediation process is a parallel activity tracking all client devices from the flow of data simultaneously by monitoring each client device's state, incoming data signal, and a consulting the AI processes to decide what action is taken for the client device. In an example, the remediation process is for an output of one of the client devices leading to that output influencing a state of another client device or leading to an output of a security measure to secure the network such that one or more of the client devices or network or network portion is isolated, shut down, or off lining the one or more devices or, alternatively, the security measure places the one or more client devices, network, or network portion in an observation mode for a predetermined time to ensure that the one or more client devices, network, or network portion has not been compromised to ensure that the anomaly is not a false positive and is a real anomaly and real threat to the network. Of course, there can be other variations, modifications, and alternatives.
In an example, the system has a user-interface or dashboard to display the flow of traffic through network of devices in real time and display any off-normal patterns or behaviors. In an example, the user interface or the dashboard is configured as a web based interface, an application for a mobile device, or an interface for a tablet or portable or non-portable computer. In an example, the user interface displaying a spatial topography of the plurality of devices, including a plurality of IoT devices, connected to network, one or more compromised devices, and associated connections whether an originating connection or destination connection.
In an example, the system provides an alternative enterprise network system. The system has a data source coupled to a network, a router coupled to the data source, a switch device coupled to the router, and a discovery module coupled to switch device.
In an example, the discovery module is configured to monitor traffic to the switch device to detect all of a plurality of client devices coupled to the switch device, detect all of a plurality of sensor devices coupled to the switch device, and detect all of a plurality input device coupled to the switch device. In an example, the discovery module comprises a catalog of each of the plurality of client devices, input devices, sensing devices, or other network devices. In an example, the system has a monitoring module coupled to the switch device. In an example, the monitoring module is configured to monitor traffic to the switch device.
In an example, the system has an AI based monitoring and detection module coupled to the switch device. In an example, the AI based monitoring and detection module is configured to detect one or more anomalies from a flow of data from each of the plurality of client devices through the switch device. In an example, the detection module is configured to process the flow of information through one of a plurality of processes, one of the plurality of processes numbered from one through N, where N is greater than 5 or less than 5 but greater than one. In an example, the plurality of processes is categorized into a clustering process, a classification process, a regression process, an association process, probabilistic processes comprise a Bayesian Network, or a graph based model, alone or in combination with any of the other aforementioned processes, or others. In an example, the system has a remediation module coupled to the switch device. In an example, the remediation module is configured to initiate a remediation process based upon the detection of at least one of the anomalies from the flow of data.
In an example, AI based monitoring and detection module is configured to detect a normal behavior of one of the client devices such that the AI based monitoring and detection module is configured to model and profile a baseline behavior expected from one of the client devices coupled to the network. In an example, the client device can be a client or an IoT device.
In an example, the traffic can be selected from information on the traffic, a characteristic of one of the client devices, or any IoT devices coupled to the network.
In an example, the system has an intelligent machine learning engine configured to dynamically select one or more than one of the processes from the AI based monitoring and detection module that is desirable to identify and process the anomaly. In an example, the clustering process and the classification process are configured to be a predictive process. In an example, the regression process, and the association process are configured to be a descriptive process. In an example, the flow of data has a speed of 10 Giga bits per second (Gbps) and 100 Gbps, and higher.
In an example, the plurality of client devices comprises a computer, a laptop, a smart phone, Internet of Things (IoT) devices such as IP Cameras, smart watches, smart thermostats, smart locks, smart refrigerators, smart bulbs, smart switches, Internet of Medical Things (IoMT) devices such as X-Ray Machines, Infusion Pumps, and other devices connected to the network in a healthcare organization or hospital systems or a tablet computer or any kind of mobile computer. In an example, the network devices comprise a router, the switch, a wireless transceiver, a bridge, or an interface or a connected device.
In an example, the flow of data from one or more of the client devices, the one or more client devices is selected from a thermostat, a bulb, a camera, a printer, a smart lock, a smart refrigerator, a smart specific purpose devices that connect to the network or any other kind of IoT device.
In an example, the system has a behavior analytics engine comprises an intelligent machine learning processes engine consisting of number of processes that process the flow of data to determine an anomalous behavior while removing a false positive to ensure the anomaly is a genuine anomaly.
In an example, a generative AI engine for company compliance functions would utilize internal and external data sources to produce an output that meets the regulatory requirements of the company. The engine would typically be trained using machine learning algorithms that enable it to learn from past compliance cases, industry regulations, and best practices. In an example, the AI engine would receive inputs from various data sources such as financial statements, employee records, regulatory frameworks, security tools, and market trends. The engine would then process this data and generate outputs that provide insights on potential risks, areas of improvement, and recommendations for compliance.
In an example, the engine would be designed to adapt and evolve as new regulations and industry standards are introduced. It would also be able to learn from feedback and adjustments made by compliance officers to ensure that its outputs remain accurate and reliable. In an example, the generative AI engine would be integrated into the company's compliance function to automate routine tasks, reduce errors, and improve efficiency. Compliance officers would be able to review the engine's outputs and make decisions based on the insights provided, ultimately leading to better compliance outcomes for the company.
Overall, the present generative AI engine for company compliance functions would provide a tool for companies to manage and mitigate compliance risks, while also improving their overall compliance posture. Further details of the present system and related methods can be found throughout the present specification and more particularly below.
In an example, the present invention provides an artificial intelligence (AI) compliance system. The system has a data source coupled to a network, the network comprising a world wide network of computers. The system has an AI based engine module coupled to the data source. The data source comprises policies, evidence, controls, artifacts, customized standards results, incidents, threats, vulnerabilities, remedies, corrective actions, feedback, notifications, and other information from both a customer and outside information. The system has an input handler coupled to the AI based engine module. The input handler is configured to receive information from the data source and is configured with the AI based engine module to parse the information and input into a knowledge database to build the AI based engine module. The system has a query (e.g., question) handler coupled to the AI based engine module and configured to receive a query from a user. In an example, the query from the user being processed using the AI based engine module including the knowledge database. In an example, the system has an output handler coupled with the AI based engine to output a first result based upon the processing of the query using the AI based engine module. In a preferred example, the result is processed using the AI based engine module using a generative AI process to output a second result, the second result being a more accurate result than the first result. By way of the AI engine, each successive input and resulting output becomes more accurate and a better fit for the query. Further details of the present system can be found throughout the present specification and more particularly below.
In an example, the AI based engine module comprises one or more processes including machine learning, deep machine learning, reinforcement learning, non-reinforcement, and natural language processes. In an example, the information is derived from an internal or an external source. In an example, the source comprises network information, database information, and policy information, among others. In an example, the system has an audit compliance module. The audit compliance module is coupled to the data source. The audit compliance module is configured to generate a report and related NFT token configured for a block chain distributed on a plurality of server devices coupled to the world wide network of computers. In an example, the AI based engine module comprises a predictive control module. In an example, the predictive control module is configured to generate the first result using cosine similarity process or other like process. In an example, the system has a graphical user interface configured to receive the query from the query handler. In an example, the system has a graphical user interface configured to output the first result to the user. In an example, the data source is derived from a plurality of client devices comprising a computer, a laptop, a smart phone, Internet of Things (IoT) devices, IP cameras, smart watches, smart thermostats, smart locks, smart refrigerators, smart bulbs, smart switches, Internet of Medical Things (IoMT) devices, X-Ray Machines, Infusion Pumps, and devices connected to a network in a healthcare organization or hospital systems or a tablet computer or mobile computer. In an example, the data source comprises a security event information management system, a financial system, a identity access and authorization system, a human resource system, a network system, a security training and background check system, and a knowledge database. Further details of the present system can be found throughout the present specification and more particularly below.
In an example, the system has a risk module coupled to the data source. In an example, the risk module is configured to manage one or more risks associated with a company. The risk module is adapted to track, identify, and remediate one or more risks of the company, and generate an output for a user of the company. Further details of the present system can be found throughout the present specification and more particularly below.
In an example, the present invention provides a trust center method and related system. In an example, the trust center page on a company's website is an important resource for customers and stakeholders to understand the company's policies, practices, and approach to data privacy and security. In an example, one or more key elements that are included in a trust center page is provided below:
Security and Privacy policies: A detailed explanation of the company's security and privacy policies, including information on how customer data is collected, used, and protected.
Compliance: Information on the company's compliance with relevant data privacy and security regulations, such as GDPR, CCPA, HIPAA, ISO 27001 or PCI DSS, and others.
Data Handling and Storage: Details on how the company handles and stores customer data, including any measures taken to protect it.
Information on Third-Party Providers: Information on any third-party providers the company uses, including how they handle customer data and what security measures are in place.
Incident Response: Information on the company's incident response plan, including how it will respond to data breaches and other security incidents.
Transparency and Accountability: Information on how the company is transparent and accountable to customers and stakeholders with regards to data privacy and security.
Contact Information: Contact information for the company's privacy and security team, as well as any relevant regulatory agencies.
By including these elements, a trust center page can provide customers and stakeholders with the information they need to make informed decisions about how they share their data with the company. Other information can include risk profile, product security, reports, self assessments, data security, access control, infrastructure, endpoint security, network security, corporate security, and other information. In a preferred example, the trust center can also include representations of a Non Fungible Token (NFT) to signify compliance with a certain regulatory board, policy, rule, law, or other body that oversees compliance.
In an example, the present invention provides a trust center system for creating visibility of compliance management of a company. In an example, the trust center system comprises a network of computers and a company database comprising internal sensitive information and external sensitive information associated with the company. The system has an independent party compliance engine coupled to the network of computers and coupled to the company database. The independent party is an outside service provider, which is not related to the company and free from conflicts with the company. The independent party provides trustworthy and secure services to the company.
In an example, the system has a company trust center coupled to the independent party compliance engine. The company trust center has a graphical web page comprising a plurality of security topics. In an example, each of the security topics is characterized by a posture, including information, a rating, and other information. For independence, the security posture is populated (and/or controlled, maintained, or audited) by the independent third party compliance engine for independence of the company trust center. In an example, the system has an access module coupled with the independent party compliance engine such that the independent party compliance engine is configured to allow a third party access using a key to one or more policy documents populated on the company database to maintain security of the one or more policy documents. In an example, the key is requested from the company to the independent third party compliance engine.
In an example, the present method and system is configured to generate responses to either a customer or a vendor's questionnaire set using the respective documents corpus comprising policies, evidences, controls, and association among these document types and any other available policies, artifacts, information, customized standards results (e.g., standards reports such as System and Organization Control Type I and II reports, ISO 27001 or other ISO reports, privacy standard reports such as GDPR, CCPA, CPRA, PCI DSS, and healthcare others), incidents, threats, vulnerabilities, remedies, and other corrective actions, and feedback, notifications, and other information from both customer and outside information, including security tools (e.g., firewalls, security information event management systems, endpoint security devices (e.g., support for Windows from Microsoft Corporation, Apple, Unix variations, mobile), identity and access authorization systems, cloud security posture data (e.g., vulnerability, configurations) (collectively “Information” as used herein) to design a comprehensive retriever and question-answering system, and resulting report for a customer.
In an example, additional techniques of generating information include:
1. Web crawl and information extraction from the organization's website. This can answers any question relating to the organizations product, marketing activities, support activities, blogs.
2. Information coming back from integrations from third party software services of them that includes configuration data, log data, actual documents, search results from SIEMS (security information event management system), security related data, change management data, user access rights data.
3. Information gathered from a risk assessment and management module in terms of what the organization thinks are their highest risks.
4. Information gathered from the document management system where various documents relating to SOPs (security operating procedures), quality metrics, life cycles and others are managed.
5. Information gathered from Asset Management systems in how the assets are configured, maintained, e.g., assets, devices, users, virtual storage, virtual machines, instances.
6. Information gathered from vulnerability scans to understand the product details.
In an example, given the questionnaire set and document corpus any of the aforementioned of an organization, an objective is to generate responses of the questions using the information provided, e.g., document corpus to extract any and all relevant text and related information from any of the aforementioned and generates a summary with the score to the corresponding question. Details of the present method and system are provided throughout the present specification and more particularly below.
In an example, the present invention provides a system for a workflow of a trust center and in particular a questionnaire, as shown in
Data Parser
In an example, the block is responsible for obtaining the document files from the storage and extracting the text information from the different formats (like pdf, doc, docx, html, md, txt). Also, it extracts the page number and paragraphs from the document corpus. This parsed data is categorized and converted into a knowledge base to be used by various algorithms.
Information Retriever:
In an example, the information retriever step is responsible for vector space creation for both questions and the knowledge base from the document corpus. It is followed by applying semantic search over the questions and the knowledge text and, for example, top 5 results of the information retrieval responses are collected based on the scores. Later, the top IR results are used for obtaining the summary of relevant document text to corresponding questions. The top 5 summaries along with the scores are created by computing the relevancy score between questions and extractive summaries in an example.
Output Results:
In an example, the method includes a step of outputting results. The output step is responsible for producing final result files in intended formats (e.g., .csv, j son) containing the questions, filename, page number, relevant policy text, extractive top 5 (or other number of) summaries, and summary scores. The final answered files along with other meta data are saved in the storage (e.g., Amazon Web Services (AWS) S3, Google Cloud Storage, Azure Cloud Storage).
In an example, the present method and system is described in a simplified flow diagram of system explanation, as shown in
Input Information including, but not limited to, policies, evidences, controls, and association among all Information are transferred into the system using the method;
Parse the Information (e.g, documents) into an indexed knowledge base, as shown;
Input a question (or multiple questions in a questionnaire) to be answered into the system through a machine learning process to search and generate an answer from the knowledge base such that the knowledge base includes a model from machine learning process steps that is generated offline using the Information and any and all related data as described;
Generate an output including but not limited to a “Yes” or “No” answer, a generated text with cite references to document in the Information or both an affirmative or negative answer with generated text, including the answer, support, and reasons for the answer;
Review the output and provide feedback to the machine learning process, including the model to update the generated output;
Output a final report including any aggregated answers, including the update, into a report (e.g., Portable Document File, Spreadsheet, or Document File format).
In an example, referring to
In an example, the present method includes a training phase using a module of
Text corpus is transferred to a natural language process (NLP) for feature extraction. Output include save model, and text into numerical data. The numerical data are training data, which will be processed into a machine learning (ML) classification model. The model is saved in storage. Additional aspects of training occurs by way of the following steps.
Input—Information (e.g., text corpus): Policy documents with labeled SOC 2, HIPPA, or any other compliance criteria and standards tags and SOC 2, HIPAA, or any other criteria and standards text description, see 1a and 1b in Figure.
Classification Task:
TF-IDF (e.g., term frequency inverse document frequency) with N-Gram (e.g., n number of words) up to 3-gram are used as Natural language processing model for feature extraction—converting text data into numerical data.
Logistic regression with One Vs Classifier (e.g., fitting one classifier versus multiple classification) is used as a classification model to predict the criterias/standards tags for the policy documents.
Training Module:
Training will be done offline (e.g., not real time), and it will not be done continuously.
Training corpus has labeled in-house templates of Information, e.g., policies, similar policies corpus from customers—Company A, Company B. Company C, and others.
If there will be any change in tagged criteria in policy documents (used in training) then offline retraining will be done.
Performance checks/improvements will be done if more tagged data and test data will be available.
In an example, the present method uses an information retriever (Prediction Module), See
Input: Information, e.g., Policy document, Version Information
Classification Task:
To predict the criteria and standards tags given the policy document.
Output 1: {Policy Name, Version, {tag1, tag2, tag3 . . . n}} where the tags are criteria labels.
Controls Generation: In parallel to the Classification Task, control statements will be generated using the same input.
Extractive and Abstractive Summarization Techniques are used to generate a summary for the input Information e.g., policy document.
Statements from the summary are considered as control statements.
Associated Tags of Controls: After the control generation, an association score is calculated using cosine-similarity measures between control statements and predicted criteria tags (from classification task) to find the association map.
Output 2: {Policy name, Version, {(Control: Criteria Tags)}}
Prediction Phase:
The training phase will be only for Feature Extraction and Classification Task.
For Controls Generation, there will not be any training phase.
For Policy documents are similar to Templates, no new results will be generated, stored results will be used.
Micro-Averaged F1-Score (Mean F Score):
The F1 score can be interpreted as a weighted average of the precision and recall, where an F1 score reaches its best value at 1 and worst score at 0. The relative contribution of precision and recall to the F1 score are equal. The formula for the F1 score is:
F1=2*(precision*recall)/(precision+recall)
In the multi-class and multi-label case, this is the weighted average of the F1 score of each class.
‘Micro f1 Score’:
Calculate metrics globally by counting the total true positives, false negatives and false positives. This is a better metric when there is class imbalance.
‘Macro f1 Score’:
Calculate metrics for each label, and find their unweighted mean. This does not take label imbalance into account.
Hamming Loss:
Hamming loss is the fraction of wrong labels to the total number of labels. In multi-class classification, hamming loss is calculated as the hamming distance between y_true and y_pred. In multi-label classification, hamming loss penalizes only the individual labels.
Sample data and accuracy values for classification task is added as shown in
If the customer flags what controls (e.g., generated from controls generation) are useful and what not, then this information can also be stored along with output 2 or as a separate output in the database. Once sufficient data are stored, a recommendation processing engine is used to build over the historic data to recommend what are the most selected/useful controls associated with the given policy, rather than generating controls every time.
Similarly, a recommendation processing engine is used to recommend the most useful criteria followed by the policy, rather than predicting the criteria.
Thus, after a point of time, based on the availability of data and results, the classification processes in classification task submodule and controls generation processing steps can be replaced by recommendation processing engine.
In an example, the method uses a detailed architecture of trust center questionnaire module, See
Policy files formats-pdf, doc, docx, md, html, txt, and other formats, each of which format is commonly known or used in the future.
Question set formats-csv, xls, xlsx, each of which format is commonly known or used in the future.
As shown, two modules are included, referring to the Figure: (1) data parser; and (2) automatic questionnaire response. The descriptions for such modules are provided. In an example, the data parser is a module responsible for pre-processing of policy documents, using input and output (in italics) below.
Input—{policy_list, license_key,job_id}
Output—{Policy_name,page,policy_text,preprocessed_text}
In an example, the automatic questionnaire response is a module responsible for extracting out the relevant text from the policy documents as context to the question and summarizing that relevant policy text for the corresponding question. Such module gives two types of output: (1) one output is relevant for our internal machine learning processes and analysis. Such output is saved in csv and j son format and other suitable formats; and (2) another output is with summary and summary scores. Such scores are in csv and j son or other suitable format. Such outputs and responses can be provided in a report for customer purposes.
In an example, the method stores all the output into question bucket (customer question set) on storage and the corresponding file paths are provided below (in italics) to the service.
Input—{questions_path,preprocessed_data,job_id}
Output—
Output for internal ML analysis—
{Questions, Policy names, Pages, Policy texts, Preprocessed texts, Scores, Chunked text, Summary after chunking}
Path of output files for ML analysis—
Customerquestionset/automatic_questionnaire_response/<job_id/ml_output_directory/questions_IR.csv
customerquetionset/automatic_questionnaire_response/<job_id/ml_output_directory/questions_IR.json
Output with Text Summarization (for customer use)—
{Question, Output representation, Summary, Summary score}
Path of output files for customer use—
customerquetionset/automatic_questionnaire_response/<job_id>/customer_output_directory/questions_IR_output_representation.csv
customerquetionset/automatic_questionnaire_response/<job_id>/customer_output_directory/questions_IR_output_representation.json
Output to Microservice—{Question Answer CSV File Location, Question Answer JSON File Location, Question-Answer Output Text Summarization CSV File Location, Question-Answer Output Text Summarization JSON File Location}
In an example, the present method and system is configured with a workflow using generative AI techniques. In an example, the workflow is followed to achieve an AI powered automatic questionnaire response system by involving question sets and policy files. We have obtained relevant responses between questions and extractive text summary. In the future, we plan to use a yes/no question answering system and combining generative QA system as an improvement in the existing module.
As an example, generative AI is a type of artificial intelligence that can generate new data, images, text, or other media that has never been seen before. It works by using deep learning models that are trained on large datasets to learn patterns and generate new data based on those patterns. In an example of generative AI is ChatGPT developed by Open AI, see openai.org., a large language model developed by OpenAI that is designed to generate human-like text in response to a given prompt or question. ChatGPT uses a deep learning model called a transformer that was specifically designed for language processing. The transformer is trained on massive amounts of text data and learns to predict the next word in a sentence based on the previous words. Other types of generative AI can also be used in these applications.
In an example for the present method, to generate a response, a user inputs a prompt or question, and ChatGPT uses its transformer model to generate a new sentence or phrase that is relevant to the input. ChatGPT can also generate longer texts such as paragraphs or even entire articles, including cites. Such response includes the Information as discussed to output a comprehensive output, e.g., report, response, or summary. Further details of the present technique can be found throughout the present specification and more particularly below.
In an example, a specific method of using the system is provided below.
Workflows for Trust Center Processing
In an alternative example, a trust center allows for searching, extracting, correlating and validating information from various documents that are uploaded in the system to provide answers regarding an organization's compliance with various security standards and frameworks.
In an example, the document corpus that is preferred for process includes various features. As an example, the policies that are setup by the organization for its functioning and stating its security posture. In an example, the controls that are setup by the organization to track security posture. In an example, the evidence that are collected both thru API (application programming interface) based automated information gathering and manual upload of documents that provide the level of implementation that the organization has done as regards the controls and the overall security posture. In an example, a relationship graph that describes how the policies, controls and evidence are related to each other.
The processing engine will allow the product to provide various services. In an example, the services include answering questions relating to the security posture of a company that is asked by customers or vendors. The services include validating that the documentation provided for the various controls comply with the various security standards and the policies that the organization has set forth. Other services include evaluating the risk still present in the various controls and providing feedback to the organization on various remediation plans.
Processing Engine
In an example, the processing engine includes a deep learning AI model to process each question using the above defined Information for a specific organization to generate answers using Generative AI techniques, as discussed. In an example, the model itself is built by deep learning methodology against a set of known Information, e.g., data and pre-filled questionnaires. The model is continuously updated with user feedback, supervised learning techniques, and other reinforcement learning techniques.
Answering Questionnaire
Organization (or company) is a user of the system and has gone through a full audit cycle. That means the Information, for example, document corpus of policies, controls, evidence and relationship exists within the present system. In an example, the organization receives a security questionnaire from one of the customers. This is processed by the processing engine.
In an example, the method using the processing engine first reads in all the Information, e.g., document corpus, and creates various classification and n-gram knowledgebase with correlation.
The method then processes the incoming question and predicts the most likely answer using the knowledge base and the current model for prediction. Using the results and Generative AI techniques, the method generates the output, e.g., text description of the answer.
In an example, the resultant output is then presented to the user for their approval and any reviewed text and feedback is fed back into the model generation system.
As shown, one or more differences from standard text searching and processing system are provided. In an example, the present system is multi-tenant, cloud hosted, or on site, or private data center, or any combination. In an example, the system has a separate knowledge base for each organization or Information, e.g., document corpus. That Information and knowledge base is a continuous process as the organization keeps adding new documents to the Information. In an example the system is a prediction model built by combining multiple different techniques and machine learning processes (e.g., deep learning, reinforcement learning, natural language processing, supervised learning, non-supervised learning) to generate the best answers. The model itself is a single model across all the different Information, e.g., knowledge corpus. In an example, the system has a method that uses feedback from the user to keep the model updated and to ensure that the best answer (e.g., most relevant) is provided. Of course, there can be variations, alternatives, and modifications.
Risk Evaluation
In an example, the method starts with an organization (or company) stated above with Information, e.g., its corpus of documents and processes Information using a risk module. In an example, the risk module automates the process for a customer to maintain a risk management module. The module has one or more of the following. The module allows users to create new risks, link the risks to threats, vulnerabilities and controls, and provide a treatment plan for a risk. The module assigns risk to risk owners. The module calculates risk impact, risk profile, inherent risk, residual risk, among others, and tracks which risks are overdue, among others, which remediation should be performed. In an example, the module contains a preloaded library of threats, vulnerabilities, and controls. Also, users of the module can create custom entries for any of the risks. The module provides a comprehensive report(s) in a dashboard. In an example, the module allows users to download an output in an output file, e.g., CSV file. Examples of various risks that are managed using the present techniques are shown below.
Security Risks: These risks can come from external threats, such as cyber attacks, hacking, and theft of data, or internal threats such as employee fraud, theft, and sabotage. To mitigate these risks, companies can implement strong cybersecurity measures, conduct background checks on employees, limit access to sensitive information, and conduct regular audits.
Network Security Risks: Similar to security risks, network security risks can come from external and internal threats. Companies can mitigate these risks by implementing firewalls, intrusion detection systems, and encryption technologies.
Regulatory Risks: Companies can face regulatory risks from changes in laws and regulations or failure to comply with existing regulations. To mitigate these risks, companies must stay up-to-date with changes in regulations, have a compliance plan in place, and conduct regular internal audits.
Legal Risks: These risks can arise from lawsuits, legal disputes, or failure to comply with contractual obligations. To mitigate these risks, companies can work with legal counsel to ensure that all contracts are legally binding and in compliance with laws and regulations.
Human Risks: Human risks can include accidents, injuries, illnesses, and other health and safety issues. Companies can mitigate these risks by providing proper training, safety protocols, and protective equipment.
Technology Risks: Technology risks can come from equipment failure, system downtime, and failure to keep up with advancements in technology. To mitigate these risks, companies can implement redundancy and backup systems, conduct regular maintenance and upgrades, and have a disaster recovery plan in place. Market Risks: Market risks can arise from changes in consumer preferences, economic downturns, and shifts in industry trends. Companies can mitigate these risks by diversifying their product offerings, staying up-to-date with market trends, and conducting market research.
Financial Risks: Financial risks can come from changes in interest rates, foreign exchange rates, and credit risks. Companies can mitigate these risks by implementing financial controls, diversifying their investments, and conducting regular financial audits.
Physical Risks: Physical risks can include natural disasters, accidents, and vandalism. Companies can mitigate these risks by implementing safety protocols, securing their facilities, and having a disaster recovery plan in place.
Acts of God: These risks can include natural disasters such as earthquakes, hurricanes, and floods. Companies can mitigate these risks by having a disaster recovery plan in place, implementing insurance coverage, and conducting regular risk assessments.
In summary, companies using the present techniques identify and mitigate risks across multiple areas, including security, regulatory, legal, human, technology, market, financial, physical, and acts of God. Implementing risk management strategies can help companies avoid or minimize the impact of potential risks.
In an example, there are several AI algorithms that can be used for risk management in a company. Decision Trees: Decision trees are used to evaluate different possible outcomes and their respective probabilities based on a set of criteria or factors. This algorithm can be used to identify the likelihood of different types of risks and their potential impacts on the business.
Artificial Neural Networks (ANNs): ANNs are commonly used in risk management to predict potential risks based on historical data. By analyzing patterns and trends in data, ANNs can help identify potential future risks and provide insight into how to mitigate them.
Random Forest: Random forest is a machine learning algorithm that is commonly used in risk management to classify risks into different categories based on a set of factors. This algorithm can help businesses identify the most significant risks and prioritize them accordingly.
Support Vector Machines (SVMs): SVMs are another machine learning algorithm that can be used for risk management. This algorithm is used to identify patterns in data and predict the likelihood of future events based on historical data. SVMs can help identify potential risks and provide insight into how to mitigate them.
Bayesian Networks: Bayesian networks are used in risk management to model complex systems and identify the likelihood of different types of risks. This algorithm can help identify potential risks and provide insight into how to mitigate them.
In an example, the choice of AI algorithm will depend on the specific needs and requirements of the business, as well as the available data and resources. It is also preferred to work with experienced data scientists and risk management professionals to develop an effective strategy that incorporates these algorithms.
In an example, the present invention provides a risk module coupled to a data source. The risk module is configured to manage one or more risks associated with a company. In an example, the risk module comprises a database comprising a plurality of fields. Each of the fields represents a line item of a risk associated with the company. Each line item comprises a process selected from a control, a control type, a threat event, a vulnerability, an agent, a source type, a flag, an action plan, a risk control, and one or more views associated with the risk, among others. In an example, the risk module has a risk AI engine configured to the database and configured to process one or more of the process, and output an assignment of the line item to an appropriate user of the company to mitigate the risk associated with the line item.
Issue NFT Token for Blockchain
In an example, the present technique issues an NFT Token for Compliance Audit Report. In an example, the Non-Fungible Token (NFT) is a unique digital asset that is stored on a blockchain, which is a decentralized digital ledger. NFTs are used to represent ownership of a particular digital asset, such a digital certificate. Each NFT is unique and cannot be exchanged for another NFT on a one-to-one basis. NFTs use blockchain technology to verify ownership and authenticity of the digital asset. The blockchain records all transactions related to the NFT, including the initial creation and subsequent sales, and provides an immutable and transparent ledger of the NFT's ownership history.
To issue a NFT for certifying a company for a security compliance report after a compliance audit has been completed, the method follows these general steps, which can be modified, improved, replaced, or altered:
Choose a blockchain platform: Choose a blockchain platform that supports NFTs, such as Ethereum or Binance or other smart or block chains.
Create a smart contract: Write and deploy a smart contract that will define the properties and attributes of the NFT, including the name, symbol, and metadata associated with the security compliance report. The smart contract should also include the conditions that need to be met for the NFT to be minted, such as the successful completion of a compliance audit.
Mint the NFT: Once the smart contract is deployed, the process mints the NFT by invoking the contract with the required parameters, such as the report ID, company name, date of the compliance audit, and other relevant information.
Verify the compliance audit: Before issuing the NFT, it is preferred to verify the results of the compliance audit to ensure that the company has met the necessary security standards administered by the appropriate standards body or organization.
Issue the NFT: Once the compliance audit has been verified, the method issues the NFT to the company by transferring it to the company's digital wallet. The NFT will serve as a unique and verifiable digital certificate that certifies the company's security compliance report.
In an example, if the company is sold or merged, the method can transfer the NFT to the acquiring company or merged entity. The company can then transfer and trade the NFT on a blockchain marketplace, where it can be bought, sold, and traded among other users. The NFT can serve as proof of the company's security compliance and can also be used as a valuable asset for fundraising or other purposes.
In an example, the term “handler” for input data is responsible for managing the data that is provided as input to a computing process. The handler is typically responsible for performing a variety of functions. In an example, the handler will validate the input data to ensure that it meets one or more requirements of the computing process. The requirements include checking for missing or invalid data, and ensuring that the data is in the correct format. In an example, the handler may perform pre-processing on the input data to prepare it for use by the computing process. This may include tasks such as cleaning the data, transforming it into a different format, or normalizing it. In an example, the handler may store the input data in a suitable location, such as a database or file system, to make it available for later use. In an example, the handler may retrieve the input data from the storage location when it is required by the computing process.
On the other hand, a handler for output data is responsible for managing the data that is produced as output by a computing process. This handler is typically responsible for performing one or more functions. In an example, the handler may perform post-processing on the output data to transform it into a format that is suitable for use by downstream processes or applications. In an example, the handler may store the output data in a suitable location, such as a database or file system, to make it available for later use. In an example, the handler may retrieve the output data from the storage location when it is required by downstream processes or applications. In an example, the handler may transmit the output data to other systems or applications that desire it.
In an example, various hardware elements of the invention can be implemented using a “pizza box” computer also called a rack or tower server or using a smart phone according to an embodiment of the present invention.
Additionally, these devices or micro devices such as smart phones include a housing, display, and interface device, which may include a button, microphone, or touch screen. Preferably, the phone has a high-resolution camera device, which can be used in various modes. An example of a smart phone can be an iPhone from Apple Computer of Cupertino Calif. Alternatively, the smart phone can be a Galaxy from Samsung or others.
In an example, the smart phone includes the following features (which are found in an iPhone from Apple Computer, although there can be variations), see www.apple.com, which is incorporated by reference. In an example, the phone can include 802.11b/g/n Wi-Fi (802.11n 2.4 GHz only), Bluetooth 2.1+EDR wireless technology, Assisted GPS, Digital compass, Wi-Fi, Cellular, Retina display, 5-megapixel iSight camera, Video recording, HD (720p) up to 30 frames per second with audio, Photo and video geotagging, Three-axis gyro, Accelerometer, Proximity sensor, and Ambient light sensor. Of course, there can be other variations, modifications, and alternatives.
An exemplary electronic device may be a portable electronic device, such as a media player, a cellular phone, a personal data organizer, or the like. Indeed, in such embodiments, a portable electronic device may include a combination of the functionalities of such devices. In addition, the electronic device may allow a user to connect to and communicate through the Internet or through other networks, such as local or wide area networks. For example, the portable electronic device may allow a user to access the internet and to communicate using e-mail, text messaging, instant messaging, or using other forms of electronic communication. By way of example, the electronic device may be a model of an iPod having a display screen or an iPhone available from Apple Inc.
In certain embodiments, the mobile device may be powered by one or more rechargeable and/or replaceable batteries. Such embodiments may be highly portable, allowing a user to carry the electronic device while traveling, working, exercising, and so forth. In this manner, and depending on the functionalities provided by the electronic device, a user may listen to music, play games or video, record video or take pictures, place and receive telephone calls, communicate with others, control other devices (e.g., via remote control and/or Bluetooth functionality), and so forth while moving freely with the device. In addition, device may be sized such that it fits relatively easily into a pocket or a hand of the user. While certain embodiments of the present invention are described with respect to a portable electronic device, it should be noted that the presently disclosed techniques may be applicable to a wide array of other, less portable, electronic devices and systems that are configured to render graphical data, such as a desktop computer.
In the presently illustrated embodiment, the exemplary device includes an enclosure or housing, a display, user input structures, and input/output connectors. The enclosure may be formed from plastic, metal, composite materials, or other suitable materials, or any combination thereof. The enclosure may protect the interior components of the electronic device from physical damage and may also shield the interior components from electromagnetic interference (EMI).
The display may be a liquid crystal display (LCD), a light emitting diode (LED) based display, an organic light emitting diode (OLED) based display, or some other suitable display. In accordance with certain embodiments of the present invention, the display may display a user interface and various other images, such as logos, avatars, photos, album art, and the like. Additionally, in one embodiment, the display may include a touch screen through which a user may interact with the user interface. The display may also include various function and/or system indicators to provide feedback to a user, such as power status, call status, memory status, or the like. These indicators may be incorporated into the user interface displayed on the display.
In an embodiment, one or more of the user input structures are configured to control the device, such as by controlling a mode of operation, an output level, an output type, etc. For instance, the user input structures may include a button to turn the device on or off. Further the user input structures may allow a user to interact with the user interface on the display. Embodiments of the portable electronic device may include any number of user input structures, including buttons, switches, a control pad, a scroll wheel, or any other suitable input structures.
The user input structures may work with the user interface displayed on the device to control functions of the device and/or any interfaces or devices connected to or used by the device. For example, the user input structures may allow a user to navigate a displayed user interface or to return such a displayed user interface to a default or home screen.
The exemplary device may also include various input and output ports to allow connection of additional devices. For example, a port may be a headphone jack that provides for the connection of headphones or other devices. Additionally, a port may have both input/output capabilities to provide for connection of a headset (e.g., a headphone and microphone combination). Embodiments of the present invention may include any number of input and/or output ports, such as headphone and headset jacks, universal serial bus (USB) ports, IEEE-1394 ports, and AC and/or DC power connectors. Further, the device may use the input and output ports to connect to and send or receive data with any other device, such as other portable electronic devices, personal computers, printers, or the like. For example, in one embodiment, the device may connect to a personal computer via an IEEE-1394 connection to send and receive data files, such as media files. Further details of the device can be found in U.S. Pat. No. 8,294,730, assigned to Apple, Inc.
Having described various embodiments, examples, and implementations, it should be apparent to those skilled in the relevant art that the foregoing is illustrative only and not limiting, having been presented by way of example only. Many other schemes for distributing functions among the various functional elements of the illustrated embodiment or example are possible. The functions of any element may be carried out in various ways in alternative embodiments or examples.
Also, the functions of several elements may, in alternative embodiments or examples, be carried out by fewer, or a single, element. Similarly, in some embodiments, any functional element may perform fewer, or different, operations than those described with respect to the illustrated embodiment or example. Also, functional elements shown as distinct for purposes of illustration may be incorporated within other functional elements in a particular implementation. Also, the sequencing of functions or portions of functions generally may be altered. Certain functional elements, files, data structures, and so one may be described in the illustrated embodiments as located in system memory of a particular or hub. In other embodiments, however, they may be located on, or distributed across, systems or other platforms that are co-located and/or remote from each other. For example, any one or more of data files or data structures described as co-located on and “local” to a server or other computer may be located in a computer system or systems remote from the server. In addition, it will be understood by those skilled in the relevant art that control and data flows between and among functional elements and various data structures may vary in many ways from the control and data flows described above or in documents incorporated by reference herein. More particularly, intermediary functional elements may direct control or data flows, and the functions of various elements may be combined, divided, or otherwise rearranged to allow parallel processing or for other reasons. Also, intermediate data structures of files may be used and various described data structures of files may be combined or otherwise arranged.
In other examples, combinations or sub-combinations of the above disclosed invention can be advantageously made. The block diagrams of the architecture and flow charts are grouped for ease of understanding. However, it should be understood that combinations of blocks, additions of new blocks, re-arrangement of blocks, and the like are contemplated in alternative embodiments of the present invention.
Further information regarding Intrusion Detection Systems can be found in the following references:
Gartner: Defining Intrusion Detection and Prevention Systems”. Retrieved Sep. 20, 2016. Scarfone, Karen; Mell, Peter (February 2007). “Guide to Intrusion Detection and Prevention Systems (IDPS)” (PDF). Computer Security Resource Center. National Institute of Standards and Technology (800-94). Retrieved 1 Jan. 2010
Engin Kirda; Somesh Jha; Davide Balzarotti (2009). Recent Advances in Intrusion Detection: 12th International Symposium, RAID 2009, Saint-Malo, France, Sep. 23-25, 2009, Proceedings. Springer. p. 162. ISBN 978-3-642-04341-3. Retrieved 29 Jun. 2010
Intrusion Detection Systems (Advances in Information Security) 2008th Edition, by Roberto Di Pietro (Editor), Luigi V. Mancini
Snort Primer: A FAQ Based Introduction To The Most Popular Open-Source IDS/IPS Program, Nov. 27, 2015, by Ashley Thomas
The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense. It will, however, be evident that various modifications and changes may be made thereunto without departing from the broader spirit and scope of the invention as set forth in the claims.
This application is a continuation in part of and claims priority to U.S. Ser. No. 16/942,639 filed Jul. 29, 2020, now U.S. Pat. No. 11,601,455 issued on Mar. 7, 2023, which is a continuation of and claims priority to U.S. patent application Ser. No. 16/006,707 filed Jun. 12, 2018, now U.S. Pat. No. 10,771,489 issued on Sep. 8, 2020, each of which is commonly assigned, and hereby incorporated herein by reference in its entirety.
Number | Date | Country | |
---|---|---|---|
Parent | 16006707 | Jun 2018 | US |
Child | 16942639 | US |
Number | Date | Country | |
---|---|---|---|
Parent | 16942639 | Jul 2020 | US |
Child | 18176325 | US |