-
Publication No.: US20190238572A1
Publication date: 2019-08-01
Application No.: US15884978
Application date: 2018-01-31
Applicant: EntIT Software LLC
Inventor: Pratyusa K. Manadhata, Kyle Williams, Barak Raz, Martin Arlitt
CPC classification number: H04L63/1425, G06F17/275, H04L61/1511, H04L63/145
Abstract: In some examples, a system identifies, in a domain name, n-grams that do not appear in words of a given language, where n is greater than two. The system compares a value based on a number of the identified n-grams to a threshold, and indicates that the domain name is potentially generated by malware in response to the value having a specified relationship with respect to the threshold.
-
Publication No.: US20180337935A1
Publication date: 2018-11-22
Application No.: US15596042
Application date: 2017-05-16
Applicant: EntIT Software LLC
Inventor: Manish Marwah, Alexander Ulanov, Carlos Zubieta, Luis Mateos, Pratyusa K. Manadhata
IPC: H04L29/06
Abstract: In some examples, a system generates a graphical representation of entities associated with a computing environment, and derives features for the entities represented by the graphical representation, the features comprising neighborhood features and link-based features, a neighborhood feature for a first entity of the entities derived based on entities that are neighbors of the first entity in the graphical representation, and a link-based feature for the first entity derived based on relationships of other entities in the graphical representation with the first entity. The system determines, using a plurality of anomaly detectors based on respective features of the derived features, whether the first entity is exhibiting anomalous behavior.
-
Publication No.: US10965697B2
Publication date: 2021-03-30
Application No.: US15884983
Application date: 2018-01-31
Applicant: EntIT Software LLC
Inventor: Pratyusa K. Manadhata, Kyle Williams, Barak Raz, Martin Arlitt
IPC: H04L29/06, H04L29/12, G06F40/10, G06F40/284
Abstract: In some examples, a system counts a number of digits in a domain name. The system compares a value based on the number of digits to a threshold, and indicates that the domain name is potentially generated by malware in response to the value having a specified relationship with respect to the threshold.
-
Publication No.: US20190334931A1
Publication date: 2019-10-31
Application No.: US15963336
Application date: 2018-04-26
Applicant: ENTIT SOFTWARE LLC
Inventor: Martin Arlitt, Pratyusa K. Manadhata
Abstract: In some examples, a Domain Name System (DNS) server is to receive, over a network, a DNS query containing a domain name, the DNS query sent by a device. The DNS server is to determine whether the domain name is potentially generated by malware. In response to determining that the domain name is potentially generated by malware, the DNS server is to generate a DNS response containing information indicating that the domain name is potentially generated by malware, and send the DNS response to the network.
-
Publication No.: US20190327253A1
Publication date: 2019-10-24
Application No.: US15959461
Application date: 2018-04-23
Applicant: ENTIT SOFTWARE LLC
Inventor: Pratyusa K. Manadhata, Mijung Kim
Abstract: In some examples, a system identifies, for a given authentication event between a plurality of devices in a network, a context comprising a set of authentication events that are temporally related to the given authentication event. The set of authentication events occur at the devices. A classifier is applied on a collection of features associated with the set of authentication events, the collection of features comprising a number of machines or a number of users associated with the set of authentication events. The system determines, based on an output of the classifier, whether the given authentication event is an unauthorized authentication event.
-
Publication No.: US20190064752A1
Publication date: 2019-02-28
Application No.: US15689047
Application date: 2017-08-29
Applicant: EntIT Software LLC
Inventor: Manish Marwah, Mijung Kim, Pratyusa K. Manadhata
Abstract: In some examples, a system balances a number of positive data points and a number of negative data points, to produce a balanced training data set, where the positive data points comprise features associated with authentication events that are positive with respect to an unauthorized classification, and the negative data points comprise features associated with authentication events that are negative with respect to the unauthorized classification. The system trains a plurality of models using the balanced training data set, wherein the plurality of models are trained according to respective different machine learning techniques. The system selects a model from the trained plurality of models based on relative performance of the plurality of models.
-
Publication No.: US11245720B2
Publication date: 2022-02-08
Application No.: US16433151
Application date: 2019-06-06
Applicant: ENTIT Software LLC
Inventor: Pratyusa K. Manadhata, Martin Arlitt
IPC: H04L29/06
Abstract: For each of a number of naming deviation types, the number of deviations within a domain name of a domain is determined. Each naming deviation type is a different type of deviation from domain name naming rules. For each naming deviation type for which the number of deviations is non-zero, first benign and malicious probabilities that benign and malicious domains, respectively, have the naming deviation type are estimated. Second benign and malicious probabilities that any given domain is respectively benign and malicious are estimated. Probabilities that the domain is benign and malicious are estimated based on the number of deviations for each naming deviation type and based on the estimated first and second benign and malicious probabilities. Whether the domain is benign or malicious is determined based on the estimated probabilities that the domain is benign and malicious.
-
Publication No.: US10984099B2
Publication date: 2021-04-20
Application No.: US15689043
Application date: 2017-08-29
Applicant: EntIT Software LLC
Inventor: Pratyusa K. Manadhata, Mijung Kim, Manish Marwah
Abstract: In some examples, for a given authentication event between a plurality of devices in a network, a system identifies a set of events, at the devices, that are temporally related to the given authentication event. The system applies a classifier on a collection of features associated with the set of events, and determines, based on an output of the classifier, whether the given authentication event is an unauthorized authentication event.
-
Publication No.: US10592666B2
Publication date: 2020-03-17
Application No.: US15692655
Application date: 2017-08-31
Applicant: EntIT Software LLC
Inventor: Mijung Kim, Pratyusa K. Manadhata, Manish Marwah, Alexander Ulanov, Jun Li
Abstract: In some examples, a system extracts features from event data representing events in a computing environment, trains ensembles of machine-learning models for respective analytics modules of a plurality of different types of analytics modules, and detects, by the different types of analytics modules using the respective trained ensembles of machine-learning models, an anomalous entity in response to further event data.
-
Publication No.: US20190065762A1
Publication date: 2019-02-28
Application No.: US15689045
Application date: 2017-08-29
Applicant: EntIT Software LLC
Inventor: Mijung Kim, Pratyusa K. Manadhata, Manish Marwah
Abstract: In some examples, for a given authentication event between a plurality of devices in a network, a system identifies a set of events, at the devices, that are temporally related to the given authentication event. The system extracts features from the set of events by aggregating event data of the set of events. The system provides the extracted features to a classifier that detects unauthorized authentication events.