Real-time Detection and Reconstruction of Advanced Cyber Attack Campaigns from Host Event Logs using Provenance Tags and Customizable Policy


Cyber security has grown to be a more complex field as technology evolved. Cyber attacks (or CNAs, computer network attacks) are an exploitation of computer systems or networks and often use malicious coding to alter data. This can lead to various cyber crimes, like identity or information theft. Currently platforms for cyber security are really well equipped to detect concrete indicators of compromise (IoCs), but aren't so great at detecting the root cause of unknown threats. These platforms usually lack a means of putting the pieces of an attack together, when an attack spans multiple applications or hosts over a large time frame. A manual effort is needed to piece everything together, which can prolong the process for weeks to even months. There is a need for a real-time system for detection of threats that can also produce a summary to connect the attacks. Problems with current developments include event storage, analysis, processing records efficiently and quickly, prioritizing entities, identifying impact and dealing with common usage scenarios.


This technology is both a system and method for detecting and reconstructing events from a cyber attack. It's comprised of a memory which can store instructions coupled with a processing device. It includes an application for real-time reconstruction of events and can perform a variety of operations (such as receiving an audit data stream). This system and method include: identifying trustworthiness values, assigning provenance tags based on trustworthiness values, generating initial visual representations and condensing the visual representation. The system can generate a scenario representation specifying nodes most relevant to the cyber events being analyzed.


- Identification of most pertinent attack steps - Threshold values can be customized  - Real-time detection of attacks - Eliminates subject-to-event pointers/ the need for event identifiers - Improvement in processing and space-efficiency - Shortest weighted path can be determined


- Reconstruction of cyber events extracted from audit data  - Cyber security

Patent Status

Patent application submitted

Stage Of Development

62/719,197 Utility patent application number: 16/544,401

Licensing Potential

Development partner,Licensing,Commercial partner

Licensing Status

Available for licensing.

Additional Info Source: NSWC Crane Corporate Communications,, public domain.
Patent Information:
Case ID: R050-8943
For Information, Contact:
Donna Tumminello
Assistant Director
State University of New York at Stony Brook
R. Sekar
Junao Wang
Md Nahid Hossain
Scott Stoller
Sadegh Milajerdi
Birhanu Eshete
Rigel Gjomemo
V.N. Venkatakrishnan