System and method for malware detection learning

    Publication number: US09923913B2

    Publication date: 2018-03-20

    Application number: US15057164

    Filing date: 2016-03-01

    CPC classification number: H04L63/1425 G06N99/005 H04L63/1441 H04L63/145

    Abstract: Malware detection techniques that detect malware by identifying the C&C communication between the malware and the remote host, and distinguish between communication transactions that carry C&C communication and transactions of innocent traffic. The system distinguishes between malware transactions and innocent transactions using malware identification models, which it adapts using machine learning algorithms. However, the number and variety of malicious transactions that can be obtained from the protected network are often too limited for effectively training the machine learning algorithms. Therefore, the system obtains additional malicious transactions from another computer network that is known to be relatively rich in malicious activity. The system is thus able to adapt the malware identification models based on a large number of positive examples: the malicious transactions obtained from both the protected network and the infected network. As a result, the malware identification models are adapted with high speed and accuracy.

    23. System and method for automated configuration of intrusion detection systems (granted patent, in force)

    Publication number: US09479523B2

    Publication date: 2016-10-25

    Application number: US14263097

    Filing date: 2014-04-28

    CPC classification number: H04L63/1416 H04L63/0227

    Abstract: Methods and systems for automated generation of malicious traffic signatures, for use in Intrusion Detection Systems (IDS). A rule generation system formulates IDS rules based on traffic analysis results obtained from a network investigation system. The rule generation system then automatically configures the IDS to apply the rules. An analysis process in the network investigation system comprises one or more metadata filters that are indicative of malicious traffic. An operator of the rule generation system is provided with a user interface that is capable of displaying the network traffic filtered in accordance with such filters.


    24. SYSTEM AND METHOD FOR IP TARGET TRAFFIC ANALYSIS (patent application, in force)

    Publication number: US20140201361A1

    Publication date: 2014-07-17

    Application number: US14195346

    Filing date: 2014-03-03

    Inventor: Yuval Altman

    CPC classification number: H04L43/04 H04L63/102 H04L63/1408 H04L67/306

    Abstract: Methods and systems for identifying network users who communicate with the network (e.g., the Internet) via a given network connection. The disclosed techniques analyze traffic that flows in the network to determine, for example, whether the given network connection serves a single individual or multiple individuals, a single computer or multiple computers. A Profiling System (PS) acquires copies of data traffic that flow through network connections that connect computers to the WAN. The PS analyzes the acquired data, attempting to identify individuals who log in to servers.


    SYSTEM AND METHOD FOR DE-ANONYMIZING ACTIONS AND MESSAGES ON NETWORKS

    Publication number: US20200304519A1

    Publication date: 2020-09-24

    Application number: US16823421

    Filing date: 2020-03-19

    Abstract: A traffic-monitoring system that monitors encrypted traffic exchanged between IP addresses used by devices and a network, and further receives the user-action details that are passed over the network. By correlating between the times at which the encrypted traffic is exchanged and the times at which the user-action details are received, the system associates the user-action details with the IP addresses. In particular, for each action specified in the user-action details, the system identifies one or more IP addresses that may be the source of the action. Based on the IP addresses, the system may identify one or more users who may have performed the action. The system may correlate between the respective action-times of the encrypted actions and the respective approximate action-times of the indicated actions. The system may hypothesize that the indicated action may correspond to one of the encrypted actions having these action-times.

    26. SYSTEM AND METHOD FOR MALWARE DETECTION LEARNING (patent application, in force)

    Publication number: US20160255110A1

    Publication date: 2016-09-01

    Application number: US15057164

    Filing date: 2016-03-01

    CPC classification number: H04L63/1425 G06N99/005 H04L63/1441 H04L63/145

    Abstract: Malware detection techniques that detect malware by identifying the C&C communication between the malware and the remote host, and distinguish between communication transactions that carry C&C communication and transactions of innocent traffic. The system distinguishes between malware transactions and innocent transactions using malware identification models, which it adapts using machine learning algorithms. However, the number and variety of malicious transactions that can be obtained from the protected network are often too limited for effectively training the machine learning algorithms. Therefore, the system obtains additional malicious transactions from another computer network that is known to be relatively rich in malicious activity. The system is thus able to adapt the malware identification models based on a large number of positive examples: the malicious transactions obtained from both the protected network and the infected network. As a result, the malware identification models are adapted with high speed and accuracy.


    27. System and method for IP target traffic analysis (granted patent, in force)

    Publication number: US09203712B2

    Publication date: 2015-12-01

    Application number: US14195346

    Filing date: 2014-03-03

    Inventor: Yuval Altman

    CPC classification number: H04L43/04 H04L63/102 H04L63/1408 H04L67/306

    Abstract: Methods and systems for identifying network users who communicate with the network (e.g., the Internet) via a given network connection. The disclosed techniques analyze traffic that flows in the network to determine, for example, whether the given network connection serves a single individual or multiple individuals, a single computer or multiple computers. A Profiling System (PS) acquires copies of data traffic that flow through network connections that connect computers to the WAN. The PS analyzes the acquired data, attempting to identify individuals who log in to servers.


    28. SYSTEM AND METHOD FOR EXTRACTING USER IDENTIFIERS OVER ENCRYPTED COMMUNICATION TRAFFIC (patent application, in force)

    Publication number: US20150215221A1

    Publication date: 2015-07-30

    Application number: US14604144

    Filing date: 2015-01-23

    Inventor: Yuval Altman

    Abstract: Systems and methods for extracting user identifiers over encrypted communication traffic are provided herein. An example method includes monitoring multiple flows of communication traffic. A sequence of messages is then sent to a user in accordance with a first temporal pattern. A flow whose activity has a second temporal pattern that matches the first pattern is then identified among the monitored flows. The identified flow is then associated with the user.


    29. SYSTEM AND METHOD FOR MALWARE DETECTION USING MULTIDIMENSIONAL FEATURE CLUSTERING (patent application, in force)

    Publication number: US20140165198A1

    Publication date: 2014-06-12

    Application number: US14060933

    Filing date: 2013-10-23

    Inventor: Yuval Altman

    Abstract: Methods and systems for malware detection techniques, which detect malware by identifying the Command and Control (C&C) communication between the malware and the remote host, and distinguish between communication transactions that carry C&C communication and transactions of innocent traffic. The fine-granularity features are examined, which are present in the transactions and are indicative of whether the transactions are exchanged with malware. A feature comprises an aggregated statistical property of one or more features of the transactions, such as average, sum, median or variance, or of any suitable function or transformation of the features.
