

Title:
CYBERSECURITY ARTIFICIAL INTELLIGENCE SYSTEM
Document Type and Number:
WIPO Patent Application WO/2018/049437
Kind Code:
A2
Abstract:
A cybersecurity system including an Artificial Intelligence (AI) system within a distributed computer network, the AI system being configured to manage and neutralise cybersecurity threats by recording data pertaining to existing cybersecurity threats (which include threats, vulnerabilities and mutations thereof) and countermeasures effective against such known threats and vulnerabilities, to scan the network for new threats and vulnerabilities, iteratively to develop and apply countermeasures to the new threat or vulnerability until an effective countermeasure is found, and to record the threat or vulnerability and the effective countermeasure.

Inventors:
PAMA THANDISIZWE EZWENILETHU (ZA)
Application Number:
PCT/ZA2017/050059
Publication Date:
March 15, 2018
Filing Date:
September 08, 2017
Assignee:
PAMA THANDISIZWE EZWENILETHU (ZA)
International Classes:
G06N20/10
Attorney, Agent or Firm:
BURGER, Pieter (ZA)
Claims:

1. A cybersecurity system including programmable logic constituted by an Artificial Intelligence (AI) system located within a distributed computer network, the programmable logic being programmed to include: a threats database containing data pertaining to cybersecurity threats and vulnerabilities; a countermeasures database containing data pertaining to cybersecurity mitigation processes in respect of the threats and vulnerabilities stored in the threats database; a vulnerability scanning engine constituted by programmable logic programmed to monitor a plurality of computer networks and to identify cybersecurity threats and vulnerabilities existing on such networks; a vulnerability management engine constituted by programmable logic programmed to include a machine learning kernel programmed: to receive data pertaining to threats and vulnerabilities existing on computer networks monitored by the vulnerability scanning engine; to compare the received threat and vulnerability data to threat and vulnerability data stored in the threats database; and to classify the received threat or vulnerability as known or unknown in dependence on the existence or nonexistence, respectively, of data pertaining to that threat or vulnerability in the threats database; if the received threat or vulnerability data is classified as a known threat or vulnerability, to interrogate the countermeasures database for an applicable countermeasure and, if an applicable countermeasure is found, to apply the countermeasure to the threat or vulnerability; if the threat or vulnerability is classified as unknown or if an applicable countermeasure is not found in the countermeasures database: to store data pertaining to the received threat or vulnerability in the threats database; to compare the received threat or vulnerability to similar threats or vulnerabilities recorded in the threats database; on the basis of such comparison, to develop a model of the received threat or vulnerability; to interrogate the countermeasures database for countermeasure data pertaining to the compared threats or vulnerabilities; on the basis of such interrogation, to develop a model countermeasure for the received threat or vulnerability; to apply the model countermeasure to the received threat or vulnerability; if a newly developed model countermeasure is successful in mitigating the received threat or vulnerability, to store the successful countermeasure in the countermeasures database in respect of that threat or vulnerability; if the model countermeasure fails to mitigate the received threat or vulnerability, to repeat the process of developing a model countermeasure for the received threat or vulnerability and to apply each such newly developed model countermeasure successively to the received threat or vulnerability.

2. The cybersecurity system of claim 1, including a threats database within which threats and vulnerabilities are catalogued.

3. The cybersecurity system of claim 2, including a countermeasures database within which countermeasures are catalogued, each countermeasure being relationally linked to each threat or vulnerability in respect of which that countermeasure is effective or likely to be effective.

4. The cybersecurity system of claim 3 in which the machine learning kernel is programmed to record and map as many details as possible of all legitimate code on the network, to scan and monitor the network for all deployments of such code, to compare code found on the network, to store the originals of such code with a view to detecting deviations or anomalies in the found code and to flag computer systems in which such deviations or anomalies occur as potential cybersecurity risks.

5. The cybersecurity system of claim 4 programmed: to scan for legitimate systems; to catalogue the normal functioning of the legitimate systems; to catalogue, separately and as an abnormal function, any operation or function of a legitimate system outside of catalogued normal functioning of that system; and to react to the abnormal function as a potential threat or vulnerability; the system being programmed iteratively to develop and apply countermeasures to the potential threat or vulnerability until an effective abnormal function countermeasure is found and to record the threat or vulnerability and the effective countermeasure.

6. The cybersecurity system of claim 5 including a legitimate systems database within which legitimate systems are catalogued.

7. The cybersecurity system of claim 6 programmed to record the abnormal function countermeasures in the countermeasures database with each abnormal function countermeasure relationally linked to each abnormal function vulnerability in respect of which that abnormal function countermeasure is effective or likely to be effective.

8. The cybersecurity system of claim 7 programmed: iteratively to develop and apply variations of the abnormal function to the related legitimate system: if a variation of an abnormal function proves to be a legitimate variation, to flag the variation as legitimate; and if a variation proves to be a potential threat or vulnerability, to flag the variation as non-legitimate and to react to the non-legitimate variation as a threat or vulnerability; the system being programmed iteratively to develop and apply countermeasures to the potential threat or vulnerability until an effective abnormal function countermeasure is found and to record the threat or vulnerability and the effective abnormal function countermeasure.

9. The cybersecurity system of claim 8 programmed: iteratively to develop and apply, in respect of the threats or vulnerabilities catalogued in the threats database, variations of the threats or vulnerabilities; if a variation of a threat or vulnerability proves to be a potential new threat or vulnerability, to catalogue the variation as a new threat or vulnerability in the threats database; iteratively to develop and apply countermeasures to the new threat or vulnerability until an effective countermeasure is found; and to catalogue the effective countermeasure in the countermeasures database.

10. The cybersecurity system of claim 9 programmed to operate in a network that includes a multiplicity of Internet of Things (IoT) devices, the system including an IoT module constituted by programmable logic programmed: to reside on programmable logic means in the IoT device; to be self-concealing, the programmable logic of the IoT module being concealed from the programs of the IoT device; and to monitor the IoT device program functions and internet communication.

11. The cybersecurity system of claim 10 programmed: to scan the network for IoT devices; to catalogue the normal functioning of the IoT devices located on the network; to catalogue, separately and as an abnormal function, any operation or function of an IoT device outside of catalogued normal functioning of that IoT device; to distribute and install the IoT module in the IoT devices located on the network, the IoT module being programmed to monitor the functioning of the IoT device in which it is installed, together with communication to and from the IoT device; to compare the effect of communications to and from the IoT device on the functioning of the IoT device against catalogued normal functioning of the IoT device; and iteratively to develop and apply countermeasures to the potential threat or vulnerability until an effective abnormal function countermeasure is found and to record the threat or vulnerability and the effective countermeasure.

12. The cybersecurity system of claim 11 programmed to include a stealth engine programmed to gather and record data pertaining to stealth networking, to interoperate with the remainder of the cybersecurity system, to access and use data catalogued by the system and any learning or inferred intelligence derived from the system and iteratively to derive means to first identify the operating environment of any target system and then to insert or remove programmable logic forming part of the system into or out of the target system and to communicate into and out of the target system without detection.

13. The cybersecurity system of claim 12 programmed: to identify potentially malicious programmable logic, code or data as a potential threat or vulnerability; to quarantine the potential threat or vulnerability; and to notify a human operator of the quarantined threat or vulnerability.

14. The cybersecurity system of claim 13 programmed to include a code cleansing engine, the system being programmed to scan the system and system catalogues for undesirable programmable logic and to quarantine such undesirable programmable logic from the system and system catalogues.

15. The cybersecurity system of claim 14 programmed to scan the network for code cleansing and code optimising programmable logic tools and to incorporate all or some of such programmable logic into the system to supplement the functionality of the code cleansing engine continuously and iteratively.

16. The cybersecurity system of claim 15 programmed to evaluate code cleansing and optimising programmable logic tools and code optimising and cleansing programmable logic tools incorporated in the code cleansing engine by: continuously and iteratively applying such code cleansing and optimising programmable logic tools to the programmable logic found on the system and system catalogues; assessing the impact of such application on the system and catalogues and the effectiveness and functioning of the system and catalogues before and after application of the code cleansing and optimising programmable logic tools; and selecting for the code cleansing and optimising programmable logic tools that render the system and catalogues equally or more effective than before application of the code cleansing and optimising programmable logic tools.

17. The cybersecurity system of claim 16 programmed to include a rollback engine, the system being programmed to subject all code developed by any one or more of the code developing engines, including the stealth engine and the code cleansing engine, to assessment by the vulnerability management engine to ensure that no threats or vulnerabilities are created or introduced into the cybersecurity system as a result of the introduction of code developed by the system.

18. The cybersecurity system of claim 17 programmed to force the quarantining, removal or rollback of any code or change introduced by a system code developing engine that is assessed, by the vulnerability management engine, to constitute a potential or actual threat or vulnerability to the system.

19. The cybersecurity system of claim 18 programmed: to develop programmable logic capable of performing system management functions as required by the system; to scan system management programs and programmable logic tools capable of performing system management functions; and to evaluate the system management programs and programmable logic tools developed by the management engine and those found: by continuously and iteratively applying such system management programs and programmable logic tools to the system and the system engines and modules, assessing the impact of such application on the system and system engines and modules and the effectiveness and functioning of the system and system engines and modules before and after application of the system management programs and programmable logic tools and selecting for the system management programs and programmable logic tools that render the system and system engines and modules equally or more effective than before application of the system management programs and programmable logic tools.

Description:
CYBERSECURITY ARTIFICIAL INTELLIGENCE SYSTEM

FIELD OF THE INVENTION

[001] This invention relates to cybersecurity systems and, in particular, to the use of artificial intelligence systems in cybersecurity countermeasures.

BACKGROUND TO THE INVENTION

[002] Computer security or cybersecurity is the protection of information systems from theft or damage to hardware, software and information, as well as from disruption or misdirection of services. Cybersecurity systems rely on countermeasures that include systems and procedures to identify threats, vulnerabilities or attacks and that prevent, eliminate or minimise and report potential harm. Cybersecurity countermeasures range from systems that control physical and virtual access to hardware, software and data to social engineering systems that militate against malpractice by operators, whether intentional, accidental, or due to them being tricked into deviating from secure procedures.

[003] The cybersecurity field is of growing importance due to the increasing reliance on computer systems, the ubiquity of the internet worldwide and the growth of "smart" devices, including smartphones, televisions and devices forming an ever expanding Internet of Things.

[004] The Center for Strategic and International Studies recently published a report on the economic impact of cybercrime entitled "Estimating the Global Cost of Cybercrime" (James A. Lewis, Stewart Baker, Center for Strategic and International Studies, Washington, D.C., June 2013). In the report the Center estimates that the global economy loses between $375 and $575 billion to cybercrime annually and points to the many aspects of national and international business, government and economies affected by cybercrime.

[005] The cybersecurity challenge can be reduced, in the simplest terms, to innovation. Cybercriminals are agile and highly motivated by the lucrative nature of their illicit trade. As a result they are more willing to innovate, and they are able to do so more quickly and more often than the mostly bureaucratic organizations they target. As a result, the field of cybersecurity countermeasures has failed to keep pace, being constrained on the one hand by legal systems that must of necessity rely on national laws to regulate the essentially border-free internet and, on the other hand, by countermeasures systems rooted in bureaucracy.

[006] This invention seeks to address this shortcoming.

SUMMARY AND DESCRIPTION OF EMBODIMENTS OF THE INVENTION

[007] The cybersecurity system of the invention is programmed to exploit this phenomenon by the location of an Artificial Intelligence (AI) system within a distributed computer network and configuring the AI to manage and neutralise cybersecurity threats by recording data pertaining to existing cybersecurity threats (which includes threats, vulnerabilities and mutations thereof) and countermeasures effective against such known threats and vulnerabilities, scanning the network for new threats and vulnerabilities, iteratively developing and applying countermeasures to the new threat or vulnerability until an effective countermeasure is found, and recording the threat or vulnerability and the effective countermeasure.

[008] Distributed computer networks conventionally include ISPs, Data Centres and computing devices connected or linked by communication means to the network.

[009] The AI system is preferably a machine learning system. Machine learning involves the use of computer algorithms that learn from and make predictions on data. Such algorithms operate by building a model from data inputs to make data-driven predictions or decisions rather than following strictly static program instructions.

[0010] AI-based systems have been proposed to identify and mitigate cybersecurity threats, but then as reactive systems deployed largely on-device and on-premise. The realisation that reactive systems, even AI-based systems, are insufficient in the fight against cybercrime is central to this invention.

[0011] The reactive nature of the cybersecurity industry is its main weakness, since it allows cybercriminals to take and maintain the initiative by deploying illicit systems that are constructed to avoid detection and, in the event that they are detected and the code is acquired, to avoid analysis. This imposes an inevitable learning curve and a concomitant delay in the efforts of the cybersecurity industry to respond to cybercrime.

[0012] In the preferred form of the invention, the cybersecurity system relies on a machine learning kernel that is intended for location within a widely distributed computer network, the machine learning kernel being programmed to learn different behaviors, different systems and different patterns of behavior.

[0013] In this form of the invention, the cybersecurity system is programmed for location within a distributed computer network and comprises: a threats database containing data pertaining to cybersecurity threats and vulnerabilities; a countermeasures database containing data pertaining to cybersecurity mitigation processes in respect of the threats and vulnerabilities stored in the threats database; a vulnerability scanning engine programmed to monitor a plurality of computer networks and to identify cybersecurity threats and vulnerabilities existing on such networks; a vulnerability management engine that includes a machine learning kernel programmed: to receive data pertaining to threats and vulnerabilities existing on computer networks monitored by the vulnerability scanning engine; to compare the received threat and vulnerability data to threat and vulnerability data stored in the threats database and to classify the received threat or vulnerability as known or unknown in dependence on the existence or nonexistence, respectively, of data pertaining to that threat or vulnerability in the threats database; if the received threat or vulnerability data is classified as a known threat or vulnerability, to interrogate the countermeasures database for an applicable countermeasure; if an applicable countermeasure is found, to apply the countermeasure to the threat or vulnerability; if the threat or vulnerability is classified as unknown or if an applicable countermeasure is not found in the countermeasures database, to store data pertaining to the received threat or vulnerability in the threats database; to compare the received threat or vulnerability to similar threats or vulnerabilities recorded in the threats database; on the basis of such comparison, to develop a model of the received threat or vulnerability; to interrogate the countermeasures database for countermeasure data pertaining to the compared threats or vulnerabilities; on the basis of such interrogation, to develop a model countermeasure for the received threat or vulnerability; to apply the model countermeasure to the received threat or vulnerability; if a newly developed model countermeasure is successful in mitigating the received threat or vulnerability, to store the successful countermeasure in the countermeasures database in respect of that threat or vulnerability; if the model countermeasure fails to mitigate the received threat or vulnerability, to repeat the process of developing a model countermeasure for the received threat or vulnerability and to apply each such newly developed model countermeasure successively to the received threat or vulnerability.
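The known/unknown classification and the iterative model-countermeasure loop of claim 1 and paragraph [0013], as an added Python example that is not code from the patent: the two databases, the feature-overlap similarity ranking, the seed threats and the `environment` table standing in for the live network (which mitigation actions neutralise which threat features) are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Threat:
    threat_id: str
    features: FrozenSet[str]  # constructed behavioural indicators of the threat


@dataclass(frozen=True)
class Countermeasure:
    cm_id: str
    actions: FrozenSet[str]  # constructed mitigation actions


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0


class ThreatsDB:
    """Threats catalogue keyed by feature fingerprint (claim 2)."""
    def __init__(self) -> None:
        self._by_fingerprint: Dict[FrozenSet[str], Threat] = {}

    def lookup(self, features: FrozenSet[str]):
        return self._by_fingerprint.get(features)

    def store(self, threat: Threat) -> None:
        self._by_fingerprint[threat.features] = threat

    def similar(self, features: FrozenSet[str], limit: int):
        # Other catalogued threats ranked by feature overlap; unrelated ones are dropped.
        scored = [(jaccard(features, t.features), t)
                  for t in self._by_fingerprint.values() if t.features != features]
        return sorted([st for st in scored if st[0] > 0], key=lambda st: -st[0])[:limit]


class CountermeasuresDB:
    """Countermeasures relationally linked to the threats they mitigate (claim 3)."""
    def __init__(self) -> None:
        self._cms: Dict[str, Countermeasure] = {}
        self._links: Dict[str, List[str]] = {}

    def link(self, threat_id: str, cm: Countermeasure) -> None:
        self._cms[cm.cm_id] = cm
        self._links.setdefault(threat_id, []).append(cm.cm_id)

    def for_threat(self, threat_id: str) -> List[Countermeasure]:
        return [self._cms[c] for c in self._links.get(threat_id, [])]


class VulnerabilityManagementEngine:
    def __init__(self, threats: ThreatsDB, cms: CountermeasuresDB,
                 environment: Dict[str, Set[str]], max_iterations: int = 4) -> None:
        self.threats, self.cms, self.max_iterations = threats, cms, max_iterations
        # Constructed stand-in for the live network: which actions neutralise each feature.
        self.environment = environment

    def _apply(self, threat: Threat, cm: Countermeasure) -> bool:
        # A countermeasure succeeds only if every feature of the threat is neutralised.
        return all(self.environment.get(f, set()) & cm.actions for f in threat.features)

    def handle(self, observed_id: str, features: Set[str]) -> dict:
        fp = frozenset(features)
        known = self.threats.lookup(fp)
        result = {"classification": "known" if known else "unknown"}
        if known is not None:  # known threat: try its linked countermeasures first
            for cm in self.cms.for_threat(known.threat_id):
                if self._apply(known, cm):
                    return {**result, "countermeasure": cm.cm_id, "iterations": 0}
        threat = known or Threat(observed_id, fp)
        if known is None:
            self.threats.store(threat)
        # Unknown threat, or no applicable countermeasure: build a model countermeasure
        # from the countermeasures of similar threats, widening it after each failure.
        actions, iterations = set(), 0
        for _score, neighbour in self.threats.similar(fp, self.max_iterations):
            iterations += 1
            for cm in self.cms.for_threat(neighbour.threat_id):
                actions |= cm.actions
            candidate = Countermeasure(f"model-{threat.threat_id}-{iterations}", frozenset(actions))
            if self._apply(threat, candidate):
                self.cms.link(threat.threat_id, candidate)  # record the effective countermeasure
                return {**result, "countermeasure": candidate.cm_id, "iterations": iterations}
        # Nothing worked: quarantine and notify a human operator (claim 13).
        return {**result, "countermeasure": None, "iterations": iterations, "escalate": True}


def build_demo_engine() -> VulnerabilityManagementEngine:
    # Constructed seed data: two catalogued threats, each linked to one countermeasure.
    threats, cms = ThreatsDB(), CountermeasuresDB()
    threats.store(Threat("T1", frozenset({"beacons_to_c2", "scans_lan"})))
    threats.store(Threat("T2", frozenset({"encrypts_user_files"})))
    cms.link("T1", Countermeasure("CM1", frozenset({"block_egress", "isolate_host"})))
    cms.link("T2", Countermeasure("CM2", frozenset({"kill_process"})))
    environment = {"beacons_to_c2": {"block_egress"}, "scans_lan": {"isolate_host"},
                   "encrypts_user_files": {"kill_process", "restore_backup"}}
    return VulnerabilityManagementEngine(threats, cms, environment)
```

Calling `handle` a second time with the features of a threat the loop has just solved returns it as known with zero iterations, which is the recording step of the claim doing its work.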

[0014] Threats and vulnerabilities are preferably catalogued in a threats database.

[0015] Countermeasures may be catalogued in the threats database, but are preferably catalogued in a separate countermeasures database in which each countermeasure is relationally linked to each threat or vulnerability in respect of which that countermeasure is effective or likely to be effective.

[0016] The machine learning kernel, in effect, "learns" everything there is to know by acquiring all data available on the network pertaining to threats, vulnerabilities and countermeasures thereto, and it is programmed not only to record or map the threats, vulnerabilities and countermeasures, but also to model and map the potential outcomes of all possible deployments of the threats, vulnerabilities and countermeasures. Therefore the more information the machine learning kernel is provided with, the more readily it is able to model all potential deployments, which makes it possible for the machine learning kernel to respond immediately to prevent an intrusion, breach or attack, whereas humans and traditional systems might take much longer to respond.

[0017] Furthermore the machine learning kernel can in effect teach itself to analyse a multitude of different systems, to learn all possible weak points and different ways of breaching such systems. From this analysis, the machine learning kernel can learn to find all possible means for breaching, perpetrating attacks and how to detect and to prevent attacks before they occur. The machine learning kernel can, over time, evolve the level of readiness and security to approach impenetrability.

[0018] Instead of being deployed on-device or on-premises, the cybersecurity system of this invention is deployed as widely as possible and on as many computer networks as possible, thereby to enable the system to monitor all systems within the connected world for vulnerabilities and countermeasures.

[0019] The system is preferably programmed to monitor and learn the origins of all vulnerabilities and countermeasures encountered by the system and to map the full spectrum of possible actions these different systems can take (malicious or otherwise).

[0020] The machine learning kernel may conveniently be programmed to record and map as many details as possible of all legitimate code on the network, including operating systems, application software and other legitimate software code, to scan and monitor the network for all deployments of such legitimate code, to compare code found on the network, to store the originals of such code with a view to detecting deviations or anomalies in the found code and to flag computer systems in which such deviations or anomalies occur as potential cybersecurity risks.

[0021] In this implementation of the invention, the system may be programmed to rectify the deviations or anomalies, either automatically or with the support and supervision of a human operator, including possibly the human operator of the affected computer system.

[0022] Instead of just reacting on-device or on-premises, the system of the invention is preferably programmed immediately to apply a countermeasure or to develop and apply a countermeasure as soon as a cybersecurity threat or vulnerability is detected, for instance to shut down malicious systems, put down botnets and shut down all sources of malicious traffic including distributed attacks before they are able to cause any damage.

[0023] In addition, and having mapped the origin of a vulnerability or threat, the system can be deployed automatically or under human supervision, to counterattack the threat or vulnerability at source.

[0024] In essence, this constitutes a policing function and to this end, the system of the invention may be provided with an appropriate man-machine interface to enable collaboration with law enforcement and cybersecurity professionals to bring the owners, originators and users of malicious systems to book.

[0025] To militate against the system of the invention acting entirely on its own or going rogue, the system includes a rules engine that requires human authorisation of predetermined system actions before these actions are carried out.
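Added example (not the patent's code) of the legitimate-code baseline of [0020] with the rectification of [0021] gated by the rules engine of [0025]: originals are catalogued by SHA-256, deployments are compared to them, modified or missing files are restored from the catalogue, and quarantine of unknown files is held for human authorisation. The package name, file contents, host names and the `authoriser` callback are constructed.

```python
import hashlib
from typing import Callable, Dict, List, Set


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class LegitimateCodeCatalogue:
    """Originals of legitimate code, recorded so deployments can be checked against them ([0020])."""
    def __init__(self) -> None:
        self._originals: Dict[str, Dict[str, bytes]] = {}

    def record(self, package: str, files: Dict[str, bytes]) -> None:
        self._originals[package] = dict(files)

    def original(self, package: str, path: str) -> bytes:
        return self._originals[package][path]

    def compare(self, package: str, deployed: Dict[str, bytes]) -> List[dict]:
        """Deviations of a deployment from the catalogued original, sorted by path."""
        originals = self._originals[package]
        deviations = []
        for path, data in originals.items():
            if path not in deployed:
                deviations.append({"path": path, "kind": "missing"})
            elif fingerprint(deployed[path]) != fingerprint(data):
                deviations.append({"path": path, "kind": "modified"})
        deviations += [{"path": p, "kind": "unexpected"} for p in deployed if p not in originals]
        return sorted(deviations, key=lambda d: d["path"])


class RulesEngine:
    """Holds predetermined actions until a human operator authorises them ([0025])."""
    def __init__(self, gated_actions: Set[str], authoriser: Callable[[dict], bool]) -> None:
        self.gated_actions = gated_actions
        self.authoriser = authoriser  # constructed stand-in for the operator interface

    def permit(self, action: dict) -> bool:
        return action["action"] not in self.gated_actions or self.authoriser(action)


def assess_system(catalogue: LegitimateCodeCatalogue, rules: RulesEngine, package: str,
                  system_id: str, deployed: Dict[str, bytes]) -> dict:
    """Flag a system showing deviations and rectify those the rules engine permits ([0021])."""
    deviations = catalogue.compare(package, deployed)
    executed, pending = [], []
    for dev in deviations:
        if dev["kind"] in ("modified", "missing"):
            action = {"action": "restore_original", "path": dev["path"]}
        else:
            action = {"action": "quarantine_file", "path": dev["path"]}
        if not rules.permit(action):
            pending.append(action)
            continue
        if action["action"] == "restore_original":
            deployed[dev["path"]] = catalogue.original(package, dev["path"])
        else:
            deployed.pop(dev["path"])
        executed.append(action)
    return {"system": system_id, "flagged": bool(deviations), "deviations": deviations,
            "executed": executed, "pending_authorisation": pending}


def demo() -> List[dict]:
    # Constructed sample: one legitimate package and two deployments of it; the
    # authoriser here declines everything, so gated actions stay pending.
    catalogue = LegitimateCodeCatalogue()
    catalogue.record("agent-1.0", {"bin/agent": b"AGENT-BINARY-v1", "lib/core.so": b"CORE-LIB-v1"})
    rules = RulesEngine(gated_actions={"quarantine_file"}, authoriser=lambda action: False)
    host_a = {"bin/agent": b"AGENT-BINARY-v1", "lib/core.so": b"CORE-LIB-v1"}
    host_b = {"bin/agent": b"AGENT-BINARY-v1", "lib/core.so": b"CORE-LIB-v1-TAMPERED",
              "lib/helper.so": b"UNKNOWN-EXTRA"}
    return [assess_system(catalogue, rules, "agent-1.0", "host-a", host_a),
            assess_system(catalogue, rules, "agent-1.0", "host-b", host_b)]
```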

[0026] In the embodiments of the invention described above, the basic detection mechanism of the cybersecurity system is learned detection from malicious systems catalogued by the AI. However, learned detection from legitimate (non-malicious) systems can also be used as a detection mechanism.

[0027] According to the first embodiment of this invention, the AI is programmed: to scan for legitimate systems, including legitimate operating systems, software and apps; to catalogue the normal functioning of the legitimate systems; to catalogue, separately and as an abnormal function, any operation or function of a legitimate system outside of catalogued normal functioning of that system; and to react to the abnormal function as a potential threat or vulnerability; the AI being programmed iteratively to develop and apply countermeasures to the potential threat or vulnerability until an effective abnormal function countermeasure is found and to record the threat or vulnerability and the effective countermeasure.

[0028] Since the AI is resident on the network, the AI scanning function is applied to the network and network-connected computing-capable devices. However, the scanning function need not be restricted to network scanning only, since the AI could also be provided with programs and data injected into the AI or the network from sources external to the network. The AI will be required to apply the scanning function also to this externally injected information.

[0029] The legitimate systems are preferably catalogued in a separate legitimate systems database.

[0030] In implementations of the system in which countermeasures are catalogued in a separate countermeasures database, the abnormal function countermeasures may conveniently be recorded in the countermeasures database, with each abnormal function countermeasure being relationally linked to each abnormal function vulnerability in respect of which that abnormal function countermeasure is effective or likely to be effective.

[0031] In this embodiment of the invention, the AI may be programmed iteratively to develop and apply variations of the abnormal function to the related legitimate system: if a variation proves to be a legitimate variation, to flag the variation as legitimate; and if a variation proves to be a potential threat or vulnerability, to flag the variation as non-legitimate and to react to the non-legitimate variation as a threat or vulnerability; the AI being programmed iteratively to develop and apply countermeasures to the potential threat or vulnerability until an effective abnormal function countermeasure is found and to record the threat or vulnerability and the effective abnormal function countermeasure.

[0032] Reactive cybersecurity systems are, by definition, unable immediately to develop and apply countermeasures in respect of all threats or vulnerabilities found on the distributed network.

[0033] In a further embodiment of the invention, therefore, the AI is programmed to simulate, predict and catalogue, in respect of the threats or vulnerabilities catalogued in the threats database, how the threats and vulnerabilities are and may be exploited and to prepare countermeasures to such simulated and predicted threats and vulnerabilities.

[0034] In this embodiment of the invention: the AI is preferably programmed iteratively to develop and apply, in respect of one or more of the threats or vulnerabilities catalogued in the threats database, one or more implementations of the threats or vulnerabilities; if an implementation proves to be a potential new threat or vulnerability, to catalogue the implementation as a threat or vulnerability in the threats database; to react to the threat or vulnerability, the AI being programmed iteratively to develop and apply countermeasures to the implementation until an effective countermeasure is found; and to catalogue the effective countermeasure in the countermeasures database.

[0035] This embodiment of the invention relies on the appreciation that only a small percentage of cybersecurity threats and vulnerabilities are genuinely new and most cybersecurity threats are constituted by mutations of previously existing threats.

[0036] In this embodiment of the invention, the AI, effectively, produces mutations of existing threats before such mutations are produced in the wild, develops countermeasures for such mutations and catalogues the mutations and countermeasures. In this manner, the AI is in a position to pre-empt the emergence of any such mutation on the distributed network and to apply an effective countermeasure immediately the mutation emerges.

[0037] In the embodiments of the invention outlined above, the AI is described as residing on or in a distributed network which, conventionally, might include ISPs, Data Centres and computing devices connected or linked by communication means to the network.

[0038] As a result of continued miniaturisation of computing-capable devices, the population of internet-connected devices has expanded and continues to expand to include devices that until very recently were not computing-capable, including vehicles, appliances, sensors, IP cameras, residential gateways, baby monitors and more, a phenomenon that has been termed the internet of things (IoT).

[0039] In October 2016, Dyn, a subsidiary of Oracle Corp., was subjected to multiple distributed denial of service (DDoS) attacks that, according to experts, constitute to date the largest DDoS on record. The attack targeted the Domain Name System (DNS) provided by Dyn, which made major Internet platforms and services unavailable to large swathes of users in Europe and North America. The attack was accomplished through a large number of DNS lookup requests from tens of millions of IP addresses, believed to have been executed through a botnet consisting of a large number of Internet-connected devices, such as printers, IP cameras, residential gateways and baby monitors (the so-called internet of things (IoT)), that had been infected with malware known as Mirai.

[0040] The use of the term "network" in this specification, therefore, includes traditional computing-capable devices and IoT devices as well as the wiring and communication networks interlinking these devices, unless the context clearly indicates otherwise.

[0041] A further embodiment of this invention seeks, therefore, to address the threats constituted by IoT devices.

[0042] In this embodiment of the invention, the cybersecurity system is preferably programmed to operate in conjunction with a network that includes a multiplicity of IoT devices, the system including a module, app or programmable logic tool programmed to reside within an IoT device.

[0043] In a preferred form of this embodiment of the invention, the IoT module is preferably constituted by programmable logic programmed to reside in programmable logic means in the IoT device, the IoT module being programmed to be self-concealing, the programmable logic of the IoT module being concealed from the programmed application or applications of the IoT device and programmed to monitor the IoT device program functions and internet communication.

[0044] In effect, the IoT module mimics monitoring malware, with the exception that the IoT module is programmed to monitor for abnormal functions and communications.

[0045] In this embodiment of the cybersecurity system: the AI is programmed to scan for IoT devices, to catalogue the normal functioning of each IoT device and to catalogue separately, as an abnormal function, any operation or function of an IoT device outside its catalogued normal functioning; the AI is programmed to distribute and install the IoT module in the IoT devices on the network; the IoT module is programmed to monitor the functioning of the IoT device in which it is installed, together with communication to and from that device, and to report those communications to the AI; the AI is programmed to compare the effect of such communications on the functioning of the IoT device against the normal functioning of that device and to treat any abnormal function as a potential threat or vulnerability; and the AI is programmed iteratively to develop and apply countermeasures to the potential threat or vulnerability until an effective countermeasure against the abnormal function is found, and to record the threat or vulnerability and the effective countermeasure.

[0046] In a preferred embodiment of the cybersecurity system of the invention, the AI is programmed to receive data pertaining to the encryption technologies in use on the network, the functioning of those encryption technologies and the functioning of the related decryption technologies.

[0047] The AI and the IoT module are preferably programmed to exclude from monitoring the content or meaning of communications to and from the systems and IoT devices they monitor. It is not the intention of the cybersecurity system of the invention to listen in on any communication, whether encrypted or not; the intention is to understand the impact of a particular communication on its recipient system.

[0048] In this regard, software can inspect data in transit without exposing that data to any person or system beyond the software itself. Provided the cybersecurity system holds no decryption keys, its observations are confined to the observable characteristics of a communication (for example its endpoints, timing and volume) and to the resulting behaviour of the recipient system, so that the confidentiality of encrypted communications is preserved.

[0049] In addition, the cybersecurity system of the invention is programmed not to save or duplicate the information communicated, and to save only data pertaining to threats and vulnerabilities; legitimate and non-legitimate systems; normal and abnormal functioning of computers, computing systems and IoT devices; and countermeasures against threats, vulnerabilities, non-legitimate systems and abnormal functions.
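As an added illustration of the behavioural baselining described in paragraphs [0045] to [0049] (example code written for this edition, not code from the patent or from the applicant), the following Python monitor catalogues a device's normal functioning from traffic metadata alone, never from payload, and reports any minute in which the device operates outside that catalogue. The device identifier, the flow record fields, the addresses and the infection pattern in the sample data are constructed assumptions; the sample mirrors the Mirai behaviour noted in [0039], a telnet scan followed by a DNS flood.

```python
"""Metadata-only behavioural baseline for IoT devices (added example).

Each flow record carries endpoint, port, protocol, timing and size, never the
payload, so the monitor learns what a communication did to the device's
behaviour without reading what it said.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    device: str   # assumed device identifier
    minute: int   # timestamp bucketed to the minute
    dst: str      # destination host
    dport: int    # destination port
    proto: str    # "tcp" or "udp"
    nbytes: int   # bytes sent; the payload itself is never stored


@dataclass
class Profile:
    services: set            # (dport, proto) pairs seen during learning
    max_flows_per_min: int   # peak outbound flows in any one minute, with margin
    max_dests_per_min: int   # peak distinct destinations in any one minute, with margin


def learn_profiles(flows, margin=2.0):
    """Catalogue the normal functioning of each device from a clean learning period."""
    per_dev = defaultdict(list)
    for f in flows:
        per_dev[f.device].append(f)
    profiles = {}
    for dev, fl in per_dev.items():
        per_min = defaultdict(list)
        for f in fl:
            per_min[f.minute].append(f)
        peak_flows = max(len(v) for v in per_min.values())
        peak_dests = max(len({f.dst for f in v}) for v in per_min.values())
        # The margin keeps ordinary jitter above the observed peak from being flagged.
        profiles[dev] = Profile(
            services={(f.dport, f.proto) for f in fl},
            max_flows_per_min=int(peak_flows * margin) + 1,
            max_dests_per_min=int(peak_dests * margin) + 1,
        )
    return profiles


def find_abnormal(flows, profiles):
    """Return (device, minute, reason) for every minute in which a device
    operates outside its catalogued normal functioning."""
    per_dev_min = defaultdict(list)
    for f in flows:
        per_dev_min[(f.device, f.minute)].append(f)
    findings = []
    for (dev, minute), fl in sorted(per_dev_min.items()):
        prof = profiles.get(dev)
        if prof is None:
            findings.append((dev, minute, "device not catalogued"))
            continue
        new_services = defaultdict(int)
        for f in fl:
            if (f.dport, f.proto) not in prof.services:
                new_services[(f.dport, f.proto)] += 1
        for (dport, proto), n in sorted(new_services.items()):
            findings.append((dev, minute, f"new service {proto}/{dport} in {n} flows"))
        if len(fl) > prof.max_flows_per_min:
            findings.append((dev, minute,
                             f"{len(fl)} flows/min exceeds baseline {prof.max_flows_per_min}"))
        ndests = len({f.dst for f in fl})
        if ndests > prof.max_dests_per_min:
            findings.append((dev, minute,
                             f"{ndests} destinations/min exceeds baseline {prof.max_dests_per_min}"))
    return findings


# Constructed learning period: a camera that streams to one cloud host over
# TCP/443 and resolves names through one resolver over UDP/53 every five minutes.
BASELINE = ([Flow("cam-01", m, "203.0.113.10", 443, "tcp", 900) for m in range(60)]
            + [Flow("cam-01", m, "192.0.2.53", 53, "udp", 70) for m in range(0, 60, 5)])

# Constructed Mirai-style behaviour on the same camera: a telnet scan of 40
# hosts in one minute, then 500 DNS queries to the resolver in the next.
INFECTED = ([Flow("cam-01", 100, "203.0.113.10", 443, "tcp", 900)]
            + [Flow("cam-01", 100, f"198.51.100.{i}", 23, "tcp", 60) for i in range(1, 41)]
            + [Flow("cam-01", 101, "192.0.2.53", 53, "udp", 70) for _ in range(500)])

if __name__ == "__main__":
    profiles = learn_profiles(BASELINE)
    for finding in find_abnormal(INFECTED, profiles):
        print(finding)
```

The findings carry only device, minute and a description of the deviation; nothing about the content of any communication is retained, which is the property paragraphs [0047] to [0049] require. The margin and the per-minute bucketing are tuning choices, not values taken from the specification.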

[0050] Stealth and concealment are key requirements for optimal functioning of the cybersecurity system of the invention.

[0051] The programmable logic or code making up the monitoring, reporting and recording modules of the system must be capable of insertion into and removal from any programmable logic system without being detectable or noticeable.

[0052] In addition, the programmable logic must be capable of communicating to and from any programmable logic system without being detected or noticed.

[0053] To this end, the cybersecurity system of the invention is provided with a stealth engine forming part of the AI, the stealth engine being programmed to learn from all current data on stealth networking and to improve on it continually. The stealth engine is programmed to interoperate with all the other modules of the cybersecurity system to achieve this.

[0054] For instance, the cybersecurity system catalogues operating systems, software, apps, malicious software/code and the like.

[0055] In this form of the invention, therefore, the stealth engine is programmed to access and use all data catalogued by the system, and any learning or inferred intelligence derived from the system (particularly from the vulnerability management engine), iteratively to derive the means first to identify the operating environment of any target system, and then to insert programmable logic forming part of the system into, or remove it from, the target system and to communicate into and out of any target system without detection.

[0056] On a system level, the cybersecurity system of the invention is preferably programmed not to remove programmable logic, code or data from any target system, even if the programmable logic, code or data is potentially malicious.

[0057] To implement this principle, the cybersecurity system of the invention, in its preferred form, is programmed to identify potentially malicious programmable logic, code or data as a potential threat or vulnerability; to quarantine the potential threat or vulnerability; and to notify a human operator of the quarantined threat or vulnerability.

[0058] The notification to the human operator might include identification of the target system affected by the threat or vulnerability and the steps that could be taken, including removal of the threat or vulnerability, to mitigate the system risks posed by it.
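An added example of the quarantine-and-notify behaviour of paragraphs [0056] to [0058], written for this edition and not taken from the patent or the applicant: a suspect file is rendered inert rather than deleted, its identity is fixed by a SHA-256 digest, and a notification record is produced for the operator that names the affected target and the steps available. The quarantine directory layout, the record fields, the host identifier and the wording of the suggested steps are assumptions.

```python
"""Quarantine instead of delete (added example)."""
import hashlib
import json
import os
import shutil
import time
from pathlib import Path


def quarantine(path, quarantine_dir, host, reason):
    """Move a suspect file into quarantine, strip its permissions so it can no
    longer be read or executed by ordinary processes, and return the notification
    record for a human operator.  Nothing is deleted: the bytes remain available
    for the operator's own analysis and for restoration if the finding is wrong."""
    src = Path(path)
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    data = src.read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    dest = qdir / f"{digest}.quarantined"
    shutil.move(str(src), str(dest))
    os.chmod(dest, 0o000)  # inert on POSIX; on Windows this only clears the write bit
    record = {
        "host": host,                 # assumed identifier of the affected target system
        "original_path": str(src),
        "quarantined_as": str(dest),
        "sha256": digest,
        "size": len(data),
        "reason": reason,
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        # Assumed wording of the steps offered to the operator (paragraph [0058]).
        "suggested_steps": [
            "review the quarantined copy on the quarantine host",
            "remove the file if it is confirmed malicious",
            "restore it with restore() if the finding is a false positive",
        ],
    }
    # The manifest stays in the quarantine directory as an audit record.
    (qdir / f"{digest}.json").write_text(json.dumps(record, indent=2))
    return record


def restore(record):
    """Operator-initiated release of a quarantined file back to its original path.
    The digest is re-checked so that a copy tampered with while in quarantine
    is never returned to the target system."""
    dest = Path(record["quarantined_as"])
    os.chmod(dest, 0o600)
    if hashlib.sha256(dest.read_bytes()).hexdigest() != record["sha256"]:
        raise RuntimeError("quarantined copy has been altered; refusing to restore")
    shutil.move(str(dest), record["original_path"])
    return record["original_path"]
```

The record returned by quarantine() is the notification of [0057]; removal remains a separate, human-initiated action, as [0056] requires.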

[0059] It will be appreciated that the data and programmable logic gathered and generated by the cybersecurity system of the invention will in time grow to a massive volume, a substantial part of which might consist of duplications, redundancies and potentially conflicting data and programs, which could render the system insufficiently agile to perform its core function of neutralising cybersecurity threats and vulnerabilities rapidly and independently.

[0060] To address this requirement, the cybersecurity system of the invention preferably includes a code cleansing engine.

[0061] In this embodiment of the cybersecurity system, the code cleansing engine is implemented in the AI, which is programmed to scan the system and system catalogues for undesirable programmable logic (for example duplicated or redundant code or programs) and to quarantine such undesirable programmable logic from the system and system catalogues.

[0062] Examples of undesirable programmable logic include, without restriction, code duplication, code redundancies and potentially conflicting data and programs.

[0063] Being a machine learning system, the cybersecurity system AI is preferably programmed to scan for code cleansing and optimising programmable logic tools and to incorporate all or some of such programmable logic to supplement the functionality of the code cleansing engine continuously and iteratively, essentially to learn from and build on the body of work and knowledge available.

[0064] In the preferred form of this embodiment of the invention, the code cleansing engine is programmed to evaluate both the code cleansing and optimising programmable logic tools it finds and those already incorporated in the code cleansing engine: by continuously and iteratively applying each such tool to the programmable logic found on the system and in the system catalogues; by assessing the impact of that application on the system and catalogues, and their effectiveness and functioning before and after it; and by selecting the tools that leave the system and catalogues equally or more effective than before their application.

[0065] In these embodiments of the invention, the AI preferably includes a rollback engine that is programmed to subject all code developed by any one or more of the code developing engines in the AI, including the stealth engine and the code cleansing engine, to assessment by the vulnerability management engine to ensure that no threats or vulnerabilities are created or introduced into the cybersecurity system as a result of the introduction of code developed by the AI.

[0066] In this form of the invention, the rollback engine is preferably programmed to force the quarantining, removal or rollback of any code or change introduced by a system code developing engine that is assessed, by the vulnerability management engine, to constitute a potential or actual threat or vulnerability to the system.

[0067] The code cleansing and rollback engines optimise the programming of the entire system to ensure that, at all times the cybersecurity system of the invention is lightweight, agile and capable of moving swiftly and stealthily in and out of the targeted devices, networks, computers and computer systems protected by the system.

[0068] The cybersecurity system of this invention comprises a number of modules or engines that need to work together interactively and optimally to ensure the most effective functioning of the system.

[0069] Being an AI-driven machine learning system, the cybersecurity system of the invention is preferably programmed, therefore, to perform overarching system management functions, which functions the AI will develop and learn from the network.

[0070] In the preferred form of this embodiment of the invention, the AI includes a management engine programmed: to develop programmable logic capable of performing the system management functions required by the system; to scan for system management programs and programmable logic tools capable of performing such functions; and to evaluate both the system management programs and tools it develops and those it finds, by continuously and iteratively applying them to the system and its engines and modules, by assessing the impact of that application and the effectiveness and functioning of the system and its engines and modules before and after it, and by selecting the system management programs and tools that leave the system and its engines and modules equally or more effective than before their application.
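The selection loop of paragraphs [0064] and [0070] (apply a candidate tool, assess effectiveness before and after, keep the result only if the system is equally or more effective) and the rollback of paragraphs [0065] and [0066] are one mechanism. The following Python is an added example of that mechanism, written for this edition and not taken from the patent or the applicant, applied to the duplicate-code case of [0061] and [0062]. The sample code base, the two cleansing tools, and the regression checks that stand in for the vulnerability management engine's assessment are constructed assumptions. Duplicates are found by fingerprinting each function definition with its name and docstring removed, so only byte-for-byte identical bodies with identical signatures are treated as copies.

```python
"""Duplicate-definition cleansing behind an evaluate-then-rollback gate (added example)."""
import ast
import copy
import hashlib


def _fingerprint(fn):
    """Hash a function definition ignoring only its name and docstring; two
    functions share a fingerprint only when body and signature are identical."""
    node = copy.deepcopy(fn)
    node.name = "_"
    if (node.body and isinstance(node.body[0], ast.Expr)
            and isinstance(node.body[0].value, ast.Constant)
            and isinstance(node.body[0].value.value, str)):
        node.body = node.body[1:] or [ast.Pass()]
    return hashlib.sha256(ast.dump(node).encode()).hexdigest()


def find_duplicates(source):
    """Map each duplicated body to the names defined with it, in source order."""
    groups = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef):
            groups.setdefault(_fingerprint(node), []).append(node.name)
    return {fp: names for fp, names in groups.items() if len(names) > 1}


def alias_duplicates(source):
    """Cleansing tool A: keep the first definition, turn later copies into aliases."""
    tree = ast.parse(source)
    seen, body = {}, []
    for node in tree.body:
        if isinstance(node, ast.FunctionDef):
            fp = _fingerprint(node)
            if fp in seen:
                body.append(ast.Assign(targets=[ast.Name(node.name, ast.Store())],
                                       value=ast.Name(seen[fp], ast.Load())))
                continue
            seen[fp] = node.name
        body.append(node)
    tree.body = body
    return ast.unparse(ast.fix_missing_locations(tree))


def drop_duplicates(source):
    """Cleansing tool B: delete later copies outright (breaks anything that names them)."""
    tree = ast.parse(source)
    seen, body = set(), []
    for node in tree.body:
        if isinstance(node, ast.FunctionDef):
            fp = _fingerprint(node)
            if fp in seen:
                continue
            seen.add(fp)
        body.append(node)
    tree.body = body
    return ast.unparse(ast.fix_missing_locations(tree))


def effectiveness(source, checks):
    """Load the candidate in a fresh namespace and count the checks it passes.
    exec() here is a stand-in for the engine's assessment; run it in isolation in practice."""
    ns = {}
    try:
        exec(compile(source, "<candidate>", "exec"), ns)
    except Exception:
        return 0
    passed = 0
    for check in checks:
        try:
            passed += bool(check(ns))
        except Exception:
            pass
    return passed


def apply_with_rollback(source, tool, checks):
    """Apply a cleansing tool and keep its output only if the system is at least
    as effective as before; otherwise roll back.  Returns (source, kept)."""
    before = effectiveness(source, checks)
    candidate = tool(source)
    after = effectiveness(candidate, checks)
    return (candidate, True) if after >= before else (source, False)


# Constructed code base: legacy_checksum is a copy of checksum minus the docstring.
SAMPLE = '''\
def checksum(data):
    """Sum of bytes modulo 256."""
    total = 0
    for b in data:
        total = (total + b) % 256
    return total

def legacy_checksum(data):
    total = 0
    for b in data:
        total = (total + b) % 256
    return total

def parity(data):
    return checksum(data) % 2
'''

# Constructed regression checks standing in for the vulnerability management engine.
CHECKS = [
    lambda ns: ns["checksum"](b"\x01\x02") == 3,
    lambda ns: ns["legacy_checksum"](b"\xff\x02") == 1,
    lambda ns: ns["parity"](b"\x01") == 1,
]

if __name__ == "__main__":
    for tool in (alias_duplicates, drop_duplicates):
        _, kept = apply_with_rollback(SAMPLE, tool, CHECKS)
        print(tool.__name__, "kept" if kept else "rolled back")
```

Tool A passes the gate because aliasing preserves every caller; tool B is rolled back because removing legacy_checksum breaks the check that names it, which is exactly the "equally or more effective" test of [0064] and [0070] and the forced rollback of [0066] operating together.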

[0071] The cybersecurity system of this invention includes a reporting engine.

[0072] The reporting engine is programmed, largely by the AI, to interact with the management engine to maintain and update management data pertaining to the operation and functioning of the system.

[0073] The reporting engine is a part of the AI that is programmed to learn the best way for human-machine communication, to report on changes made to system programming by the AI and human operators, and to provide assessments of the resultant effectiveness of these changes.

[0074] In addition, the reporting engine is programmed to assist the operator of the cybersecurity system in presenting such reports and assessments internally, to the human operators of the cybersecurity system as well as externally, to authorised recipients of such reports and assessments.

[0075] The reporting engine may include conventional reporting and presentation tools, such as dashboards and screens programmed to allow interaction between the system and the human operators of the system.