Computer Event Analysis System and Method
The method and system analyze computer events by normalizing and calculating criticality scores to improve threat detection, addressing the challenge of distinguishing normal and malicious actions in evolving cyber threats.
Patent Information
- Authority / Receiving Office
- FR · FR
- Patent Type
- Applications
- Current Assignee / Owner
- NUCLEON-SECURITY
- Filing Date
- 2024-12-10
- Publication Date
- 2026-06-12
AI Technical Summary
Current cyber threat detection methods rely on recognizing known malicious signatures and behaviors, struggling to distinguish between normal and potentially malicious actions in new or ambiguous contexts.
A method and system for analyzing computer events that involves receiving, normalizing, and analyzing data against reference events, calculating criticality scores based on value differences, and using these scores for decision-making.
Enhances the ability to distinguish normal activities from potentially malicious actions, improving threat detection by reducing false positives and enabling informed decision-making.
Abstract
Description
Title of the invention: System and method for analyzing computer events TECHNICAL FIELD OF THE INVENTION
[0001] The present invention relates to the technical field of computer security systems, in particular, the technical field of on-demand security event analysis systems. STATE OF THE ART
[0002] In the technical field of computer threat detection, also known as "cyber threats", current approaches mainly rely on the recognition of known malicious signatures and behaviors. The predominant examples include Yara rules for identifying malware specimens, Sigma for detection in event logs for example, the Mitre ATT&CK framework which categorizes the tactics and techniques used by attackers, as well as Living Off The Land Binaries and Scripts (LOLBAS) which identifies legitimate tools used maliciously.
[0003] These approaches rely on known malicious behaviors. Distinguishing between normal activities and potentially malicious actions in new or ambiguous contexts remains a challenge.
[0004] The present invention therefore aims to overcome, at least in part, in order to improve the detection of cyber threats.
[0005] The other objects, features and advantages of the present invention will become apparent from an examination of the following description and accompanying drawings. It is understood that other advantages may be incorporated.
[0006] SUMMARY
[0007] The present invention relates to a method for analyzing at least one computer event, said method being configured to be implemented by at least one computer system, said method comprising at least the following steps: a. Reception, by at least one communication module, of at least one computer event, said computer event comprising a plurality of fields, each field of said plurality of fields comprising at least one data point; b. Normalization, by at least one data processing module, of each data item in each field of said plurality of data items of said computer event; c. Analysis, by at least one analysis module, of said normalized data with respect to reference data associated with reference computer events from a primary database, the analysis step comprising for each normalized data point: i. Identification of at least one reference computer event, this identification step including: A. For each value of said normalized data, the search for at least one reference event comprising at least one similar value in the primary database; ii. If the reference computer event includes, preferably exactly, the same fields with the same values, then the event is legitimate; iii. If the reference computer event does not include, preferably exactly, the same fields with the same values, then: A. Calculation of a criticality score, in relation to the identified reference IT event, for the field(s) of the plurality of fields of the IT event whose values are different: • Calculation of the difference between the values associated with the IT event and the reference values associated with the same IT event; and • Comparison of this diversity with a first predetermined threshold value specific to each field in order to obtain a criticality score; B. Calculation of an overall criticality score for said IT event by adding together the calculated criticality scores; C. Said overall criticality score is configured to be used for decision-making by at least one operator.
[0008] The present invention also relates to a computer program product comprising a plurality of instructions which, when executed by at least one processor, execute the process according to the present invention.
[0009] The present invention also relates to a non-transient memory support comprising a computer program product according to the present invention.
[0010] The present invention also relates to a computer system for analyzing at least one computer event, said system comprising at least: a. A communication module configured for: i. Receive at least one computer event, said computer event comprising a plurality of fields, each field of said plurality of fields comprising at least one data point; b. A data processing module configured to: i. Normalize each piece of data in each field of said plurality of fields of said computer event; c. An analysis module configured for: i. Analyze said normalized data in relation to reference data associated with reference computer events from a primary database; ii. Identify at least one reference computer event; iii. Calculate a criticality score, in relation to said identified reference computer event, for the field(s) of said plurality of fields of said computer event whose values are different; iv. Calculate the diversity between the values associated with said computer event and the values associated with said reference computer event; v. Compare this diversity with a first predetermined threshold value specific to each field in order to obtain a criticality score; vi. Calculate the sum of the criticality scores calculated in order to calculate an overall criticality score. BRIEF DESCRIPTION OF THE FIGURES
[0011] The aims, objects, features and advantages of the invention will become clearer from the detailed description of an embodiment thereof, which is illustrated by the following accompanying drawings in which:
[0012] [Fig.1] Fig.1 schematically represents a method according to an embodiment of the present invention.
[0013] [Fig.2] Fig.2 schematically represents a system according to a mode of realization of the present invention.
[0014] [Fig. 3] Figure 3 represents a diagram illustrating several steps of a process according to an embodiment of the present invention.
[0015] [Fig.4] Fig.4 represents another diagram illustrating several other steps of a process according to an embodiment of the present invention.
[0016] The drawings are given by way of example and are not limiting of the invention. They constitute schematic representations of principle intended to facilitate understanding of the invention and are not necessarily to scale with practical applications. In particular, the dimensions are not representative of reality. DETAILED DESCRIPTION
[0017] Before proceeding with a detailed review of embodiments of the invention, optional features that may be used in combination or alternatively are listed below:
[0018] According to one example, the computer event comprises at least two components: an initiating component of at least one action, and an action component configured to perform at least one action.
[0019] According to an example, the similar value search step includes searching for a maximum number of matching fields between the computer event and the reference computer event.
[0020] According to one example, the calculation of the diversity of values includes the calculation of a variance.
[0021] According to one example, the predetermined threshold value is a variance.
[0022] According to one example, the present invention includes a decision-making step based on at least one criticality score and / or said overall criticality score.
[0023] According to one example, said decision may include the issuing of a notification, and / or the execution of a predetermined computer security protocol.
[0024] According to one example, the present invention includes an analysis step based on at least one criticality score and / or said overall criticality score.
[0025] According to one example, the present invention includes a step for calculating a pre-criticality score comprising: a. The vectorization of reference computer events so as to generate a plurality of reference vectors; b. Vectorizing the computer event so as to generate an event vector; c. Calculating a distance between the event vector and each reference vector of said plurality of reference vectors; d. Selection of the smallest of the calculated distances, this selected distance corresponding to the pre-criticality score.
[0026] According to one example, the calculation of diversity is carried out by vectorization.
[0027] By way of example, the present invention comprises at least one step of constructing said primary database of reference computer events, the construction step comprising at least: a. Receiving a plurality of computer events comprising a set of fields; b. If all fields contain identical values: i. Deduplication, by said data processing module, of each event of said plurality of computer events; ii. Event, by at least one event module, of the number of times the event has occurred; c. Normalization, by said data processing module, of each piece of data from each computer event of said plurality of computer events; d. For each event in said plurality of computer events: i. Search said primary database to see if the computer event exists: A. If the computer event exists in said primary database: modification of the frequency information of said computer event to add a new occurrence of said computer event, said frequency information including at least a number of entities that have reported said computer event, a number of occurrences of said computer event, for example per day, per month, and / or per year; B. Otherwise: Search in a secondary database: • If the IT event exists in said secondary database: • Modification of the computer event frequency information, preferably with the recording of the new date on which the computer event just occurred; • If at least one of the modified frequency information is greater than a predetermined threshold, said computer event is moved in the primary database; • Otherwise, add the event to the secondary database
[0028] According to one example, the present invention includes at least one step of generating a report for each computer event comprising: a. Said computer event with its fields, its data, and its values; b. Said overall criticality score; c. Preferably, at least one criticality score from at least one field out of the plurality of fields; d. Reference IT events whose overall criticality score is less than a second threshold value.
[0029] According to one example, the operator is a human user or a machine, preferably comprising a decision-making unit.
[0030] The examples and conditional language used in this description are primarily intended to help the reader understand the principles of the present invention and not to limit its scope to those specifically cited examples and conditions. It will be understood that a person skilled in the art can conceive of various arrangements which, although not explicitly described or illustrated here, nevertheless embody the principles of the present invention and are included in its spirit and scope.
[0031] Furthermore, by way of aid to understanding, the following description may describe relatively simplified implementations of the present invention. As those skilled in the art will understand, various implementations of the present technology may be of greater complexity.
[0032] Furthermore, the following description, listing the principles, aspects, and implementations of the present invention, along with their specific examples, aims to encompass both their structural and functional equivalents, whether currently known or developed in the future. Thus, for example, it will be understood by those skilled in the art that all the functional diagrams herein represent conceptual views of illustrative circuits incorporating the principles of the present invention. Similarly, it will be understood that all the flowcharts, and the like, represent various processes that can be substantially represented on computer-readable media and thus executed by a computer or processor, whether or not that computer or processor is explicitly shown.
[0033] The functions of the various elements shown in the figures, including any functional block referred to as a "processor" or "module," can be performed using dedicated hardware as well as hardware capable of executing software in conjunction with a computer program or appropriate instructions. When provided by a processor, the instructions can be supplied by a single dedicated processor, a single shared processor, or a plurality of individual processors, some of which may be shared. In some embodiments of the present invention, the processor may be a general-purpose processor, such as a central processing unit (CPU). Furthermore, the explicit use of the term "processor" should not be interpreted as referring exclusively to hardware capable of executing software and may implicitly include, but not be limited to, an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), read-only memory (ROM) for storing software, random-access memory (RAM), and non-volatile storage. Other conventional and / or custom hardware may also be included.
[0034] Software modules, or simply modules that are assumed to be software, can be represented herein as any combination of flowchart elements or other elements indicating the execution of process steps and / or a textual description. Such modules may be executed by hardware that is expressly or implicitly represented. Furthermore, it should be understood that the module may include, for example, but not limited to, computer program logic, computer program instructions, software, firmware, hardware circuits, or a combination thereof that provides the required capabilities.
[0035] In the context of the present invention, an "event" or "computer event" refers to an action or set of actions occurring within a computer system. More specifically, a computer event can comprise two distinct parts: a. An initiating part of at least one action: This part can be characterized by the fact that it takes charge of at least one action, thanks to a program that executes this action. b. An action part: This part can be characterized by the action performed by the program, as well as by the target of this action.
[0036] In the context of the present invention, "behavior" can be defined as actions or events occurring within a computer system. For example, the opening of a document named "Hello.word.docx" by a user named Charles Xavier is not generally considered an important element for analysis. However, the processing and normalization of this data requires considerable effort to ensure that it conforms to a standard and to establish criteria for evaluating events against generic standards.
[0037] In the context of the present invention, "Counting Tables" refers to one or more tables configured to count computer events daily, monthly, and annually for each type of computer event. These tables advantageously allow for statistical tracking of event occurrences.
[0038] In the context of the present invention, one or more "Data Tables" refers to one or more specific tables configured to store detailed information about files, users, paths, etc. Preferably with all possible different values identified after normalization, as described below.
[0039] According to one embodiment, the present invention offers an on-demand security event analysis service, in particular via Endpoint Detection and Response (EDR) or Security Information and Event Management (SIEM) type systems.
[0040] In particular, a SIEM system is configured for security management by combining security information management (SIM) and security event management (SEM). The SIEM collects and analyzes security data from various sources (such as event logs, security alerts, etc.) to provide an overview of the organization's security. It enables the detection of security incidents, their analysis, and a rapid response to potential threats.
[0041] According to one embodiment, the present invention advantageously implements an advanced normalization and contextualization methodology for transforming heterogeneous data from multiple sources into a unified format, enabling consistent and comparative analysis. Preferably, the system evaluates events by assigning a risk score based on their deviation from normative models established in a database. This versatile and adaptable approach makes the present invention particularly relevant in a cybersecurity landscape where threats are diverse and constantly evolving, and where it is necessary to be able to quickly assess technical information.
[0042] According to one embodiment, the present invention represents a revolutionary approach to cybersecurity by focusing on the detection of abnormal behavior based on a comprehensive dataset of known normal behaviors. This invention, which may include EDR technology, offers an unconventional yet effective solution to the constantly evolving cybersecurity threat landscape. The challenges associated with implementing the present invention include defining and processing behaviors, standardizing data, and calculating event legitimacy scores.
[0043] According to one embodiment, the present invention is configured to collect security events from various sources and normalize them for a Uniformity, including the standardization of usernames, paths, and other attributes, for example, but not limited to. Preferably, the present invention is configured to exploit information stored in at least one log relating to an event so as to be able to process said event.
[0044] Preferably, computer events are preprocessed for clarity and relevance and stored in a secondary database containing all known different events. The present invention preferably uses two structured databases with advantageously 36 tables, including tables for file, execution, process access, and network events.
[0045] Preferably, the primary database contains all events common to several entities, and the secondary database contains all events. Advantageously, an event moves from the secondary database to the primary database when statistical criteria are met, in order to ensure that it is not a behavior specific to a particular scope.
[0046] In one embodiment, events are filtered to retain only the most relevant ones in the primary database, also called the main database. In another embodiment, said primary database is configured to be accessed through available tools, via an Application Programming Interface API, for example.
[0047] According to one embodiment, dedicated tables, called counting tables, count events daily, monthly, and / or annually for each type of event. These tables advantageously allow for statistical tracking of event occurrences. Preferably, specific tables, called data tables, store detailed information about files, users, paths, etc. Advantageously, with all possible different values identified after normalization.
[0048] According to one embodiment, the present invention is configured to provide an on-demand analysis system, processing computer events requested (by a customer or partner, for example) in order to evaluate and score these behaviors against what is known in a database, for example.
[0049] Preferably, the score is defined as a function of the gap between a given computer event, advantageously based on an artificial intelligence model, and the closest computer event identified in the primary database.
[0050] According to one embodiment, after the preprocessing of a computer event, each text field is vectorized using a Large Language Model (LLM). For other fields, such as ports or, more generally, any field that is a number, mathematical operations are used to represent them as vectors. Preferably, all vectors Minimal values are combined into a single vector, which represents the computing event. Advantageously, these vectors are stored in a vector database. To assign a score, the vector most similar to that of the computing event is then searched in the database. Preferably, the score corresponds to the distance between the two vectors.
[0051] The present invention is advantageously designed for efficient and easy integration into cybersecurity pipelines, for example via an API, facilitating interconnection with SIEM, Security Orchestration, Automation, and Response SOAR, and other tools. This integration advantageously enables Security Operations Center (SOC) teams to benefit from enhanced security event analysis, helping to accurately distinguish legitimate activities from potential threats.
[0052] Furthermore, the present invention is preferably configured to contribute to the development of rules for security models such as Zero-Trust applied to the operating system, for example, by allowing only necessary, authenticated and legitimate actions, thereby strengthening the security posture.
[0053] According to one embodiment, the use of an API of the present invention offers great flexibility, making it possible to integrate it into various environments and systems, which can greatly benefit the proactive detection of threats and incident response in the field of cybersecurity.
[0054] According to one embodiment, the present invention relates to a method for analyzing at least one computer event. Preferably, said method is configured to be implemented by at least one computer system.
[0055] Preferably, this process comprises several steps: a. Reception: a communication module receives at least one computer event, this computer event comprising a plurality of fields. Preferably, each field of said plurality of fields contains at least one data point. b. Normalization: A data processing module normalizes each data point in each field of the aforementioned plurality of data points for the aforementioned computer event. Normalization is configured to homogenize the data to allow comparison with data from so-called reference computer events. For example, the username is replaced with "user", common names are replaced with a predetermined label, and predetermined patterns can be identified and removed to ensure data consistency. c. Analysis: An analysis module analyzes normalized data against reference data associated with computer events. reference to a primary database. Preferably, the analysis step includes, for each normalized data point: i. Identification of a reference computer event: For each value of the normalized data, a search for similar values is performed in the primary database. If the reference computer event includes exactly the same fields with the same values, then the event is legitimate. ii. Calculation of a criticality score: If the reference IT event does not include exactly the same fields with the same values, a criticality score is calculated for each field with different values. The difference between the values associated with this event and the values associated with the reference IT event is calculated and compared to a predetermined threshold value specific to each field to obtain a criticality score. Preferably, when calculating variance, this is done on the basis of all reference events; iii. Calculation of an overall criticality score by summing the calculated criticality scores, preferably by considering a weighting coefficient associated with each field of the plurality of fields. Preferably, the overall criticality score is obtained by adding the value, also called the weight, of each field. The sum of the weights can be, for example, 100, and advantageously, based on criteria of distance / difference / variance, a score corresponding to the matching of each field is assigned.
[0056] In more detail and as illustrated by Figures 1 and 2, the present invention relates to a method 100 for analyzing at least one computer event.
[0057] Preferably, said method 100 is configured to be implemented by at least one computer system 200.
[0058] According to one embodiment, said process 100 comprises at least the following steps: a. Reception 110, by at least one communication module 210, of at least one computer event, said computer event preferably comprising a plurality of fields, each field of said plurality of fields advantageously comprising at least one data; b. Normalization 120, by at least one data processing module 220, of each data item in each field of said plurality of data items of said computer event; c. Analysis 130, by at least one analysis module 230, of said normalized data with respect to reference data associated with reference computer events of a primary database.
[0059] According to one embodiment, the analysis step 130 comprises, for each normalized data point, the following steps: a. Identification 131 of a reference computer event, this identification step including: i. For each value of said normalized data, the search for similar values in the primary database; b. If the reference computer event includes, preferably exactly, the same fields with the same values, then the event is legitimate; c. If the reference computer event does not include, preferably exactly, the same fields with the same values, then: i. Calculation 132 of a criticality score, with respect to the identified reference computer event, for the field(s) of the plurality of fields of the said computer event whose values are different: A. Calculation of the diversity between the values associated with said computer event and the values associated with said reference computer event; and B. Comparison of this diversity with a first predetermined threshold value specific to each field in order to obtain a criticality score; ii. An overall criticality score of said IT event is calculated 133 by summing the calculated criticality scores, preferably considering at least one weighting coefficient associated with each field considered; iii. Said overall criticality score is configured to be used for decision-making by at least one operator or by at least one automated system.
[0060] Advantageously, the present invention enables improved threat detection. Indeed, by normalizing and analyzing data against reference events, the present invention makes it possible to distinguish normal activities from potentially malicious actions more effectively. Furthermore, the calculation A criticality score based on the diversity of values allows for an accurate assessment of the severity of IT events, thus facilitating decision-making by the operator.
[0061] Advantageously, the present invention can be implemented by various computer systems and is configured to adapt to heterogeneous data from multiple sources, making it versatile in different cybersecurity contexts. Furthermore, by using reference data and calculating criticality scores, the present invention reduces the number of false positives, thereby improving the effectiveness of security systems.
[0062] Finally, preferably, the overall criticality score obtained allows the operator to make informed and rapid decisions, which is useful in managing security incidents.
[0063] According to one embodiment, the computer event in question comprises at least two distinct parts: a. An initiating part of at least one action, that is, the indication of a computer program performing the action. This part is characterized by the fact that it takes charge of at least one action, thanks to a program that executes this action. b. An action part, that is, the action performed by the program on a target. This part is characterized by the action performed by the program, as well as by the target of this action.
[0064] According to one embodiment, the similar value search step includes searching for a maximum number of matching fields between the computer event and a reference computer event.
[0065] According to one embodiment, this search step involves a thorough comparison of the characteristics of the two computer events in question. Advantageously, this search step may include the use of advanced search algorithms to facilitate the comparison and classification of data.
[0066] In one embodiment, the calculation of the diversity of values includes the calculation of a variance. This feature means that the analysis of the diversity of values involves the statistical calculation of the dispersion of the data around a mean. Preferably, this approach allows for the measurement and comparison of variability between different datasets. In one embodiment, the variance represents the measure of the dispersion of values around a mean and can be used to determine whether the data are dispersed or concentrated around this mean.
[0067] According to one embodiment, value diversity analysis can be used to identify significant differences between different datasets.
[0068] In one embodiment, the predetermined threshold value is a statistical dispersion measure that represents the standard deviation of the data in a population or dataset. Preferably, this threshold value is predefined and fixed. It is used to identify significant differences between two datasets, for example.
[0069] Advantageously, this threshold value can be used to identify significant differences between two variables. It can also be used to identify significant differences between two groups of data.
[0070] According to one embodiment, the present invention includes a decision-making step based on said overall criticality score. Preferably, this decision-making step is integrated into a larger system that allows for automated decision-making based on the calculated overall criticality score. It is worth noting that the accuracy of the overall criticality score can have a significant impact on the quality of the decisions made. Therefore, it is preferable to use a reliable and accurate method for calculating the overall criticality score, such as that proposed by the present invention.
[0071] Finally, it is also worth noting that the overall criticality score can be used to make decisions at different hierarchical levels within a system. For example, an overall criticality score can be calculated at a higher level to guide decisions made at a lower level.
[0072] According to one embodiment, the present invention includes an analysis step based on the overall criticality score. Preferably, this analysis step processes the overall criticality score obtained using appropriate methods to determine the consequences or actions to be taken based on the result obtained. In this way, the analysis step can help to make informed and effective decisions based on the severity or importance of an event, situation, or outcome.
[0073] According to one embodiment, the present invention may include the calculation of a pre-criticality score. Preferably, the present invention includes a step of vectorizing the reference computer events to generate a plurality of reference vectors. Advantageously, this vectorization step is performed using a specific algorithm that transforms the numerical data of the reference computer events into vectors in such a way as to preserve their structure and meaning.
[0074] According to one embodiment, the present invention also includes a step of vectorizing the computer event to generate an event vector. Preferably, this vectorization step is performed using the same algorithm as that used for vectorizing the reference computer events.
[0075] According to one embodiment, the present invention may then include a step of calculating a distance between the event vector and each reference vector of said plurality of reference vectors.
[0076] Preferably, this calculation step uses a specific algorithm that allows the difference between vectors to be measured according to their numerical composition.
[0077] According to one embodiment, the present invention then includes a step of selecting the smallest of the calculated distances.
[0078] Preferably, this selection step is carried out using a specific algorithm which makes it possible to determine the minimum distance between the event vector and a plurality of reference vectors, advantageously minimal between the event vector and each reference vector.
[0079] According to one embodiment, the selected distance corresponds to said criticality pre-score. Preferably, this distance can also be used to assess the criticality of the IT event in question.
[0080] In one embodiment, the diversity calculation is performed by vectorization. This method allows the data to be represented as vectors in a vector space, which facilitates their analysis and comparison. Preferably, each element to be analyzed is converted into a numerical representation (vectorization) so that it can be processed by diversity calculation algorithms. This technique offers several advantages: a. It allows data to be visualized in a vector space, which facilitates its analysis and comparison. b. It allows complex data (images, texts, etc.) to be processed by converting them into vectors, which simplifies their processing by algorithms. c. It allows the diversity between different elements to be calculated using specific algorithms such as the calculation of the Euclidean distance or the cosine similarity.
[0081] Furthermore, this technique can be combined with other techniques such as machine learning to improve diversity calculation results.
[0082] According to one embodiment, the present invention includes a step of constructing a primary database of reference computer events. Preferably, this step includes: a. Reception of a plurality of computer events. The received events are processed by the data processing module. b. If all fields across different events contain identical values, the data processing module performs deduplication of each event from the plurality of computer events. This means that if all fields have identical values for the same event, The same computer event is recorded only once in the primary database. c. The number of times an event has occurred, i.e., adding one unit to a counter, by at least one event module. This allows us to know the frequency of each event, that is, the number of times an event occurs. d. Normalization of each piece of data from each computer event by said data processing module. This means that the data from the different events are processed to be uniform and compatible with each other. e. For each event, a search is performed in the primary database to determine if the computer event already exists. If the event already exists, the frequency information is modified to reflect the fact that it occurred again. Otherwise, a search is performed in a secondary database. If the event already exists in the secondary database, the frequency information is modified to reflect the fact that it occurred again. f. Frequency data is examined to determine whether the event can be moved to the primary database. This is done by comparing the event's frequency with a predetermined frequency threshold and / or the number of entities that have reported the event. Note that an entity can be a computer system or even a specific application within a computer system. If the frequency data indicates that the event can be moved to the primary database because its occurrence exceeds the threshold, it is added to the primary database. g. If the event does not exist in the secondary database, it is added to the secondary database.
[0083] This step allows the primary database and the secondary database to be built continuously, bringing a dynamic dimension to the present invention and allowing its enrichment over time.
[0084] According to one embodiment, the present invention includes a step of generating a report for each computer event.
[0085] Preferably, said report includes the computer event with its fields, data and values.
[0086] Preferably, the report includes the overall criticality score associated with the computer event, or advantageously at least one criticality score associated with at least one field.
[0087] Advantageously, the report may include a predetermined number, for example 20, of reference computer events which have an overall criticality score below the second threshold and which are closest, in terms of similarity or number of closest fields, to said computer event in question.
[0088] According to one embodiment, the operator can be a human user or a machine, which allows the flexibility and adaptability of the proposed solution to be extended to various contexts.
[0089] According to one embodiment, the operator is a machine: This means that the system can be automated, making it possible to perform repetitive and monotonous tasks without human assistance.
[0090] Preferably, the operator can include a decision-making unit configured to make autonomous decisions based on the data it receives, thereby improving the performance and reliability of the system.
[0091] According to one embodiment, [Fig.3] illustrates a diagram representing at least a part of the process according to the present invention.
[0092] In [Fig.3], this diagram represents a data processing pipeline and a backend infrastructure designed for the extraction, preprocessing and analysis of computer events.
[0093] According to [Fig. 3], the present invention includes a computational layer. This computational layer comprises: a. Extraction of Events: i. Raw data is processed to extract significant events. ii. This step involves parsing the data to identify relevant entities or actions. b. Deduplication: i. Eliminates duplicates to ensure unique entries in the data. ii. May include algorithms to compare event identifiers or metadata. c. Pre-processing - Normalization: i. Cleans, transforms, or normalizes events to prepare them for further analysis. ii. May include standardization of formats, filling in missing values, or other data cleaning techniques. d. Calculation of Metrics: i. Generates metrics from events, such as: A. The accounts (e.g., frequency of events) B. Date-based metrics (e.g., timelines or event durations) e. Indexing Events in a database, for example of type SQL (Structured Query Language): i. Events are indexed to facilitate their quick search and retrieval. ii. A structured format, such as JSON or a reverse index, can be used for quick lookups. f. CSV file per entity: i. The processed and indexed events are stored in files, for example of type CSV. ii. Each card represents a specific entity or category. iii. Preferably, each CSV file includes the computer events of a computer, which belongs to an entity. g. Storage: i. Intermediate data, including extracted or pre-processed events, is recorded in storage for quick access and backups.
[0094] According to [Fig. 3], the present invention includes a backend layer. This backend layer comprises: a. An API: i. A RESTful API framework, for example, can act as the backbone of the backend system, enabling interaction between users and the database. ii. Main API features: A. Collection of logs, for example CSV files: • Aggregates incoming logs or raw data for processing. B. Event search, preferably in the primary database: • Allows users to query and retrieve specific events or information. C. Event Analysis (Score): • Applies scoring or ranking mechanisms to evaluate events based on predefined metrics. b. Database: i. Serves as a persistent storage layer. ii. Stores processed and indexed events, metrics and other relevant data. iii. Enables efficient querying and data retrieval. c. Backing up files to a disk: i. Raw logs or intermediate processing results are recorded on disk to ensure their durability and traceability. ii. Serves as a backup or audit log.
[0095] According to [Fig.3], the data flow can be as follows: a. The pipeline starts with the raw data, i.e. the CSV files, which are processed sequentially through the steps of extraction, deduplication and preprocessing / normalization. b. The metrics are calculated and indexed before being stored in CSV files or in the database. c. The backend API facilitates access to this data for further analysis or visualization. d. The storage, potentially temporary, ensures that intermediate results are not lost, offering reliability and flexibility in the workflow.
[0096] This figure illustrates a diagram that efficiently combines computationally intensive processing with a scalable backend to support real-time event analysis and querying.
[0097] According to one embodiment, [Fig.4] illustrates a diagram representing an embodiment of event indexing according to the present invention.
[0098] In [Fig.4], and according to one embodiment, a diagram illustrates the indexing steps of a computer event, more specifically the steps enabling the construction of the primary database.
[0099] Thus, according to [Fig.4], this diagram comprises: a. A step of acquiring one or more CSV files, each file being able to include at least one computer event: The present invention thus includes the import of CSV files containing data related to one or more computer events. b. Adding the computer event(s) to one or more event tables: The present invention includes extracting the identification of each computer event from the CSV file(s), and then associating these identifications with a dedicated table called "Entity table". Preferably, each event is broken down into one or more tables, and linked to a dedicated table called an "entity" table; c. Event handling: i. Each event is checked to see if it already exists in a secondary database: A. Yes: If the event exists, the present invention updates the number of occurrences (Ccounf) as well as the dates associated with this event. B. No: If the event does not exist, it is added to the secondary database with its corresponding dates. d. Adding events to a frequency table: Once the verification and addition step is complete, the events can be added to a frequency table called the "Freq table". e. Addition to the primary database according to defined thresholds: Events are then transferred to the primary database, respecting predefined thresholds or criteria, as previously described.
[0100] Figure 4 illustrates a structured process for integrating, verifying, updating and managing computer event data from CSV files in databases, while respecting processing rules and thresholds.
[0101] In order to illustrate the present invention, examples will now be described in a non-limiting manner.
[0102] Here is an example of field mapping and notation:
[0103] According to one embodiment, the present invention is configured to evaluate different fields, such as: source_process_filename_id, target_process_filename_id, source_process_extension_id, etc.
[0104] For each field, the present invention preferably checks whether the field value corresponds to a specific target value. If a match is found, advantageously a predefined score is added to the overall similarity score for that event. If no match is found, a score of 0 is added. The total similarity score for each event is preferably the sum of the individual scores of the corresponding fields. Advantageously, this total score, also called the overall criticality score of the event, can then be rounded to two decimal places using the ROUND function.
[0105] According to one example, the "users" field consists of a domain or computer name followed by a backslash "\", then a username or account name. The present invention can be configured to extract the username or account name. If it is a common generic user such as "NT SYSTEM", "NETWORK", "SYSTEM", "IIS_USRS", For example, the name "ADMINISTRATOR", "SERVICE", "LOCAL SERVICE", "NETWORK SERVICE", "GUEST", "ANONYMOUS", "SA", "ROOT", "WWW-DATA", "NOBODY", and "FTP". Preferably, this name is retained as is. In another embodiment, this name can be standardized. Then, preferably, the present invention is configured to check this name to distinguish whether it is a local user or a domain user, for example.
[0106] Here are some examples: a. Dupont\MY_COMPANY => Domain User b. System\NT AUTHORITY NTSystem c. nucleon-pc\DESKTOP-B0MV2OM => Local User d. NETWORK SERVICE\NT AUTHORITY Network Service
[0107] Regarding the domain, the present invention can be configured to separate the domain into two parts: an upper domain and a lower domain.
[0108] Here are some examples: a. example.nucleon-security.com => top-level domain: nucleon-security.com, => bottom-level domain: example b. Eu-teams.events.data.microsoft.com => top-level domain: microsoft.com, => bottom-level domain: eu-teams.events.data
[0109] Regarding Internet Protocol IP addresses, the present invention can be configured to detect the type of IP address and the version of that address via the use, for example, of a well-known Python library.
[0110] Here is an example: has. 142.250.179.72 => version: Ipv4 => type: public IP
[0111] Regarding the path, the present invention can be configured to extract first the device, then the file name, the file extension, and then data called data_path.
[0112] Here are some examples: a. For a device: i. The present invention may include a step of checking if the path starts with "\\", which indicates a network share, for example. ii. Next, the present invention can check for the presence of a colon ":" in the path, which generally indicates a local drive or a removable drive; if the drive is C or D, it is possible to assume that it is a local drive; otherwise, it is possible to assume that it is not a local drive. b. For a file: i. The present invention can be configured to extract the file name and check if it is in a list of known system files. ii. If it is a known system file, the file can retain the name. iii. If it is a random name, the present invention is configured to rename it. iv. The present invention can also be configured to extract the file extension. v. The present invention can also be configured to extract the list of components from the path, and / or the folders and subfolders from the access path, for example.
[0113] Let us now look at some examples related to the steps of normalizing a computer event.
[0114] Example of an event to analyze: has. {"type": "read", "timestamp": "2024-09-05Tll:10:55.948Z", "user": "DESKTOP-NJCOClD\\hp", "process_path": "C:\\ProgramFiles\\WindowsApps\\Microsoft.WindowsTerminal_l .20.11781.0_x 64__8wekyb3d8bbweWelevate-shim.exe", "file_path": "C:\\Windows\\System32Wntdll.dll", "event_type": "read"}
[0115] According to one embodiment, the present invention may include a pretreatment phase. Preferably, this pretreatment may comprise several steps.
[0116] This preprocessing can begin with a string normalization step to replace specific values or elements of values. For example, IP addresses can be replaced with the labels {ipv4} or {ipv6} depending on their version. Numbers in the "command" field of execution events can be replaced with {integer}.
[0117] The present invention is preferably configured to also identify random strings using methods of the Natural Language Processing (NLP) type, this then allows these strings to be replaced by {RANDOM}, as well as versions by {VERSION}, for example.
[0118] Furthermore, the present invention can apply a similar approach to the username which may be present in a path, it will be replaced by {USER}, for example, unless it is a known name, such as NTSystem.
[0119] In the above case, the following path: has. C:\\ProgramFiles\\WindowsApps\\Microsoft.WindowsTer minal_l .20.11781.0_x64__8wekyb3d8bbweWelevate-shim.exe After normalization, it becomes as follows: has. Microsoft.WindowsTerminal_1.20.11781.0_x64__8wekyb3d8bbwe =>microsoft.windowsterminal_{VERSION]_x64_{RANDOM}
[0120] After pre-processing the event, the present invention is configured to decompose the event into a predetermined format, such as json, with fields specific to each type of event.
[0121] For example, the “user” field: DESKTOP-NJCOClD\\hp =>{USER]
[0122] For example, the common fields for all types of events => the source program that performs the action: a. Source_process_filename b. Source_process_extension c. Source_process_path d. Source_process_device e. source_proces s_(md5 / sha l / sha256) f. source_process_signature
[0123] For the “File” event (file access: read / write / rename / delete) a. target_file_filename b. target_file_extension c. target_file_path d. target_file_device e. target_file_(md5 / shal / sha256) f. target_file_signature
[0124] For the “Executed” event (program execution) a. target_process_filename b. target_process_extension c. target_process_path d. target_process_device e. target_process_(md5 / shal / sha256) f. target_process_signature g. command
[0125] For the “Open process” event (access to one program's memory by another) a. target_process_filename b. target_process_extension c. target_process_path d. target_process_device e. target_process_(md5 / shal / sha256) f. target_process_signature
[0126] For the “Network” event (establishment of a network connection by a program) a. Port b. Protocol c. IP (IP address version, IP address type) d. Domain (higher domain, lower domain)
[0127] Example of the event in JSON after pre-processing: a. {'user': USER, b. 'source_process_md5': None, c. 'source_process_shal': None, d. 'source_process_sha256': None, e. 'source_process_path': 'Wprogram f. files\\windowsapps\\microsoft.windowsterminal_{version}_x64__{random }, g. 'source_process_device': {'device_letter': “C”, 'device_type': Local], h. 'source_process_filename': elevate-shim, i. 'source_process_extension': exe, j. 'source_process_signature': None, k. 'target_file_md5': None, 1. 'target_file_shal': None, m. 'target_file_sha256': None, n. 'target_file_path': Wwindows\\system32', o. 'target_file_device': {'device_letter': “C”, 'device_type': Local], p. 'target_file_filename': ntdll, q. 'target_file_extension':dll, r. 'target_file_signature': None, s. 'event_type': read
[0128] We will now discuss examples of assigning a score.
[0129] According to one embodiment, each field of the plurality of fields comprises a weighting, that is to say a predefined weighting value, such as a weighting coefficient, otherwise called a predefined weight, for example: a. Common weights (used in multiple events): i. user: 1 ii. source_process_md5: 1 iii. source_process_shal: 1 iv. source_process_sha256: 1 v. source_process_signature: 2 vi. source_process_path: 2 (for "read", "rename", "write", "delete" and "open_process") seen. source_process_device: 1.25 (for "read", "rename", "write", "delete" and "open_process") viii. target_process_md5:1 (for "execute" and "open_process") ix. target_process_shal: 1 (for "execute" and "open_process") x. target_process_sha256: 1 (pour "execute" et "open_process") xi. target_process_signature: 2 (pour "execute" et "open_process") b. Événements "read", "rename", "write", "delete" : i. source_process_filename: 7 ii. source_process_extension: 1.5 iii. target_file_md5: 1 iv. target_file_shal: 1 v. target_file_sha256: 1 vi. target_file_filename: 8 vii. target_file_extension: 1.5 viii. target_file_path: 2 ix. target_file_device: 1.25 x. target_file_signature: 2 c. Événement "execute" : i. source_process_filename: 6 ii. source_process_extension: 3 iii. source_process_path: 4 iv. source_process_device: 2 v. target_process_filename: 7 vi. target_process_extension: 3 vii. target_process_path: 4 viii. target_process_device: 2 ix. command: 10 d. Événement "open_process" : i. source_process_filename: 8 ii. source_process_extension: 1.5 iii. target_process_filename: 9 iv. target_process_extension: 1.5 v. target_process_path: 2 vi. target_process_device: 1.25 e. Événement "network" : i. source_process_filename: 5 ii. source_process_extension: 3 iii. source_process_path: 4 iv. source_process_device: 2 v. port: 7 vi. protocol: 7 vii. domain: 8 viii. ip: 6
[0130] According to one embodiment, the weighting coefficient of each field of said plurality of fields is considered in the calculation of the sum of the calculated criticality scores, said sum corresponding to said overall criticality score.
[0131] According to one embodiment, the step of calculating an overall criticality score may comprise at least two steps: a. Determination of variances: If the relationship between two fields has a large variance, i.e. greater than a predetermined threshold value (for example, a source process accesses many target files or processes), the weight, i.e. the weighting coefficient, of the field in question can be removed, because all values of the target field are possible. i. To this end, the present invention may include a variance table; this table contains the unique count of each field relative to another, and if the count exceeds a predefined threshold, it is then considered to have very high variance. For example, if the chrome.exe process accesses nearly 3000 IP addresses, the weight of the IP field is eliminated. ii. After eliminating all fields that have a large variance, the present invention can be configured to neglect fields that are not present in the event under consideration. iii. Then, the present invention can be configured to normalize the weighting coefficients of the remaining fields so that their sum equals 100%. Here is the result for the previous example: {'source_process_filename': 29.166666666666668, 'target_file_filename': 33.33333333333333, 'source_process_extension': 6.25, 'target_file_extension': 6.25, 'source_process_path': 8.333333333333332, 'target_file_path': 8.333333333333332, 'event_type': 4.166666666666666, 'user': 4.166666666666666} ; b. Next, the present invention includes searching the primary database for similar events: To this end, the present invention can be configured to generate an SQL query that calculates, for each event in the primary database, its similarity using les coefficients de pondération associés aux différents champs, puis les scores les plus élevés sont considérés. Voici un exemple de requête : SELECT id, ROUND((CASE WHEN "source_process_filename_id" = 5107981 THEN 29.166666666666668 ELSE 0 END + CASE WHEN "target_file_filename_id" = 11937 THEN 33.33333333333333 ELSE 0 END + CASE WHEN "source_process_extension_id" = 1 THEN 6.25 ELSE 0 END + CASE WHEN "target_file_extension_id" = 25 THEN 6.25 ELSE 0 END + CASE WHEN "source_process_path_id" = 85 THEN 8.333333333333332 ELSE 0 END + CASE WHEN "target_file_path_id" = 7 THEN 8.333333333333332 ELSE 0 END + CASE WHEN "event_type_id" = 3 THEN 4.166666666666666 ELSE 0 END + CASE WHEN "userjd" = 1 THEN 4.166666666666666 ELSE 0 END), 2) AS similarity_score FROM "File_event" ORDER BY similarity_score DESC LIMIT 1; According to one embodiment, the similarity between a computer event and a reference computer event takes into account the weighting coefficients of the fields considered. Ideally, the query is configured to scan all rows in the event table and check if each field exists. If so, a weighting coefficient is added. The result is a score for each row that reflects the row's similarity to the event in question—that is, a criticality score for each field of that event.
[0132] Advantageously, through field extraction and normalization, the present invention makes it possible to build a primary database, known as a reference database, and to detect suspicious or “abnormal” behavior.
[0133] According to one embodiment, the present invention also relates to a computer system 200 for analyzing at least one computer event. This system 200 advantageously comprises several distinct modules that work together to analyze data from computer events and identify abnormal behavior.
[0134] The first module is the communication module 210, configured to receive at least one computer event. Each computer event comprises a plurality of fields, each field comprising at least one data point. The communication module collects this data and transmits it to the data processing module.
[0135] The second module is the data processing module 220, configured to normalize each data point in each field of said plurality of fields of said computer event. This normalization step consists of replacing the values or specific value elements by standardized values, such as IP addresses by the labels {ipv4} or {ipv6} depending on their version, as previously explained
[0136] . The third module is the analysis module 230, configured to analyze normalized data against reference data associated with reference computer events in a primary database. This analysis step consists of identifying at least one reference computer event, calculating a criticality score for fields with different values, and calculating the diversity between the values associated with this event and the values associated with the reference event, preferably by considering the weighting coefficients of the fields under consideration.
[0137] Advantageously, the first analysis step is configured to identify a reference computer event in the primary database.
[0138] The second analysis step is configured to calculate a criticality score for each field whose values are different. This score is defined based on the difference between the value of this event and the value of the reference event identified in the primary database.
[0139] The third analysis step is configured to calculate the diversity between the values associated with this event and the values associated with the reference event. This diversity is defined as the uniqueness of each field relative to another, such as the uniqueness of target processes relative to a source process. For example, if a number exceeds a predefined threshold, this diversity is considered very high, and that field is removed from the analysis.
[0140] The fourth, and potentially final, analysis step can be configured to compare the calculated diversity with a predetermined threshold value specific to each field to obtain a criticality score for each field considered. Then, an overall criticality score is calculated from the criticality scores of each field. If the overall criticality score is higher than the predefined threshold, the IT event is considered abnormal and a security alert is generated.
[0141] As illustrated in [Fig. 2], the computer system 200 according to one embodiment of the present invention comprises several distinct modules 210, 220, 230 that work together to analyze data from computer events and identify abnormal behavior. The communication module 210 collects data from computer events, the data processing module 220 normalizes this data, and the analysis module 230 compares this data with known data to identify abnormal behavior. The results of this analysis are used to generate security alerts in the event of detected abnormal behavior.
[0142] More precisely and according to one embodiment, the present invention relates to a computer system for analyzing at least one computer event.
[0143] Preferably, said system 200 comprises at least: i. A communication module 210 configured to receive at least one computer event 110, said computer event comprising a plurality of fields, each field of said plurality of fields comprising at least one data item; ii. A 220 data processing module configured to normalize 120 each piece of data from each field of said plurality of fields of said computer event; iii. An analysis module 230 configured for: i. Analyze 130 of the said normalized data in relation to reference data associated with reference computer events from a primary database; ii. Identify 131 a reference computer event, this identification step; iii. Calculate 132 a criticality score, with respect to said identified reference computer event, for the field(s) of said plurality of fields of said computer event whose values are different; iv. Calculate the diversity between the values associated with said computer event and the values associated with said reference computer event; v. Compare this diversity with a first predetermined threshold value specific to each field in order to obtain a criticality score; vi. Calculate the sum of the criticality scores calculated in order to calculate an overall criticality score of 133.
[0144] According to one embodiment, the computer system 200 comprises a central server and several workstations.
[0145] According to one embodiment, each workstation is connected to the central server via a network connection.
[0146] According to one embodiment, the computer system 200 is equipped with an advanced security system to protect users' sensitive data and information.
[0147] According to one embodiment, the computer system 200 is designed to be scalable and able to handle a large number of users simultaneously.
[0148] According to one embodiment, the computer system 200 is equipped with an automatic data backup system to ensure the security of user data.
[0149] According to one embodiment, the computer system 200 is designed to be compatible with different types of peripherals and software.
[0150] According to one embodiment, the computer system 200 is equipped with an automatic update management system to ensure system security and performance.
[0151] According to one embodiment, the computer system 200 shown in [Fig. 2] can be equipped with a processor configured for data processing, to perform calculations and execute operations. Preferably, it also has an intuitive user interface to facilitate use by inexperienced users.
[0152] According to one embodiment, the computer system 200 can be connected to a communication network to enable the transmission and exchange of data with other similar systems. Advantageously, it is also equipped with an advanced security system to protect sensitive data from intrusions and malicious attacks, said security system being configured to cooperate with the present invention.
[0153] According to one embodiment, the computer system 200 can be equipped with high-capacity data storage to allow for the backup and archiving of important data. Furthermore, a backup system can be added to ensure data security in the event of system failure.
[0154] According to an advantageous embodiment, the computer system 200 is equipped with an intuitive and ergonomic graphical interface to facilitate user navigation.
[0155] The present invention provides an on-demand security event analysis system that uses an advanced normalization and contextualization methodology to transform heterogeneous data from multiple sources into a unified format. This approach enables consistent and comparative analysis of security events, which are evaluated by a risk-scoring system. One of the objectives of the present invention is to identify any deviation from known normal behavior that could indicate a potential threat. This invention is particularly relevant in the cybersecurity landscape where threats are diverse and constantly evolving. It operates according to the Zero Trust philosophy, which focuses on listing known elements and creating rules to allow them. EDR technology can be used to collect data from the endpoints and create a database of known events.
[0156] The invention is not limited to the embodiments previously described and extends to all embodiments covered by the claims.
Claims
Demands
1. A method (100) for analyzing at least one computer event, said method (100) being configured to be implemented by at least one computer system (200), said method (100) comprising at least the following steps: a. Reception (110), by at least one communication module (210), of at least one computer event, said computer event comprising a plurality of fields, each field of said plurality of fields comprising at least one data point; b. Normalization (120), by at least one data processing module (210), of each data item in each field of said plurality of data items of said computer event; c. Analysis (130), by at least one analysis module (230), of said normalized data with respect to reference data associated with reference computer events of a primary database, the analysis step comprising for each normalized data item: i. Identification (131) of at least one reference computer event, this identification step comprising: • For each value of said normalized data, the search for at least one reference event including at least one similar value in the primary database; ii. If the reference computer event includes, preferably exactly, the same fields with the same values, then the event is legitimate; iii. If the reference IT event does not include, preferably exactly, the same fields with the same values, then: • Calculation (132) of a criticality score, with respect to said identified reference IT event, for the field(s) of said plurality of fields said computer event, the The values are different: d. Calculation of the diversity between the values associated with said IT event and the values associated with said reference IT event; and e. Comparison of this diversity with a first predetermined threshold value specific to each field in order to obtain a criticality score; f. Calculation (133) of an overall criticality score for said IT event by adding together the calculated criticality scores. g. Said overall criticality score is configured to be used for decision-making by at least one operator.
2. A method (100) according to the preceding claim in which the computer event comprises at least two components: an initiating component of at least one action, and an action component configured to perform at least one action.
3. Method (100) according to any one of the preceding claims wherein the similar value search step includes searching for a maximum matching field between the computer event and the reference computer event.
4. Method (100) according to any one of the preceding claims wherein the calculation of the diversity of values includes the calculation of a variance.
5. Method (100) according to any one of the preceding claims wherein the predetermined threshold value is a variance.
6. Method (100) according to any one of the preceding claims comprising a decision-making step based on at least one criticality score and / or said overall criticality score.
7. Method (100) according to any one of the preceding claims comprising an analysis step based on at least one criticality score and / or said overall criticality score.
8. A method (100) according to any one of the preceding claims comprising a step of calculating a pre-criticality score comprising: a. Vectorizing the reference computer events so as to generate a plurality of reference vectors;
9.
10. b. Vectorizing the computer event so as to generate an event vector; c. Calculating a distance between the event vector and each reference vector of said plurality of reference vectors; d. Selection of the smallest of the calculated distances, this selected distance corresponding to the pre-criticality score. Method (100) according to the preceding claim in which the calculation of diversity is carried out by vectorization. Method (100) according to any one of the preceding claims comprising at least one step of constructing said primary database of reference computer events, the construction step comprising at least: a. Receiving a plurality of computer events comprising a set of fields; b. If all fields contain identical values: i. Deduplication, by said data processing module, of each event of said plurality of computer events; ii. Event, by at least one event module, of the number of times the event has occurred; c. Normalization, by said data processing module, of each piece of data from each computer event of said plurality of computer events; d. For each event in said plurality of computer events: i. Search the primary database to see if the computer event exists: • If the computer event exists in said primary database: modification of the frequency information of said computer event to add a new occurrence of said computer event, said frequency information including at least a number of entities that reported said computer event, a number of occurrences of said event
11. computer; • Otherwise: Search in a secondary database: e. If the computer event exists in said secondary database: A. Modify the frequency information of the computer event; B. If at least one of the modified frequency pieces of information is greater than a predetermined threshold, move said computer event to the primary database; f. Otherwise, add the event to the secondary database. Method (100) according to any one of the preceding claims comprising at least one step of generating a report for each computer event comprising:
12. a. Said computer event with its fields, data, and values; b. Said overall criticality score; c. Reference computer events whose criticality score is less than a second threshold value; Method (100) according to any one of the preceding claims wherein the operator is a human user or a machine, of
13. preference comprising a decision-making unit. Product computer program comprising a plurality of instructions which, when executed by at least one processor, carry out the process according to any one of claims 1 to 12.
14. Non-transient memory carrier comprising a computer program product according to the preceding claim.
15. A computer system (200) for analyzing at least one computer event, said system (200) comprising at least: a. A communication module (210) configured to: i. Receive (110) at least one computer event, said computer event comprising a plurality of fields, each field of said plurality of fields comprising at least one data item; b. A data processing module (220) configured to: i. Normalize (120) each data item in each field of said plurality of fields of said computer event; c. An analysis module (230) configured for: i. Analyze (130) said normalized data with respect to reference data associated with reference computer events from a primary database; ii. Identify (131) at least one reference computer event; iii. Calculate (132) a criticality score, with respect to said identified reference computer event, for the field or fields of said plurality of fields of said computer event whose values are different; iv. Calculate the diversity between the values associated with said computer event and the values associated with said reference computer event; v. Compare this diversity with a first predetermined threshold value specific to each field in order to obtain a criticality score; vi. Calculate the sum of the criticality scores calculated so as to calculate (133) an overall criticality score.