Abstract:
In one example, the present disclosure describes various methods, computer-readable media, and apparatuses for supporting social engineering attack prevention based on early detection and remediation of various types of social engineering attacks which may be initiated within various contexts. In one example, supporting social engineering attack prevention may include identifying a workflow to be protected; identifying, for the workflow, a set of valid resources of the workflow, where the set of valid resources includes a set of artifacts and a set of templates; identifying, from a dataset associated with the workflow and based on the set of artifacts, a communication associated with the workflow; determining, based on an analysis of the communication against the set of templates, that the communication is malicious; and initiating, based on that determination, a remediation action.
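The pipeline in the abstract (artifacts select the communications that belong to a protected workflow, templates say what a legitimate one looks like, deviations trigger remediation) as an added example. This is not the patent's implementation: the workflow definition, the particular artifact and template checks (approved sender domains, a reference-number format, required and forbidden wording, a consistent reply-to domain, lookalike-domain detection by edit distance), the remediation action and the mailbox messages are all constructed for this example.

```python
"""Workflow-scoped detection of social-engineering e-mail (added example).
Artifacts identify messages that belong to a protected workflow; templates
describe what a legitimate message in that workflow looks like; any
deviation triggers a remediation action. All data and rules are constructed."""
import re
from dataclasses import dataclass


@dataclass
class Workflow:
    name: str
    sender_domains: set          # artifact: domains that legitimately send in this workflow
    reference: "re.Pattern"      # artifact: reference format, e.g. PO-2024-0133
    required_phrases: list       # template: wording every legitimate message carries
    forbidden_patterns: list     # template: wording the real workflow never uses


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a, b):
    """Levenshtein distance, used to recognise lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_workflow_message(wf, msg):
    """Artifact check: the message carries a reference in the workflow's format."""
    return bool(wf.reference.search(msg["subject"] + "\n" + msg["body"]))


def template_violations(wf, msg):
    """Template check: every way the message departs from a legitimate one."""
    reasons = []
    sender = domain_of(msg["from"])
    if sender not in wf.sender_domains:
        close = [d for d in wf.sender_domains if edit_distance(sender, d) <= 2]
        reasons.append(f"sender domain {sender} not approved"
                       + (f" (lookalike of {close[0]})" if close else ""))
    reply_to = msg.get("reply_to")
    if reply_to and domain_of(reply_to) != sender:
        reasons.append(f"reply-to domain {domain_of(reply_to)} differs from sender domain")
    text = (msg["subject"] + "\n" + msg["body"]).lower()
    reasons += [f"missing expected phrase {p!r}" for p in wf.required_phrases
                if p.lower() not in text]
    reasons += [f"contains {pat!r}, never used in this workflow"
                for pat in wf.forbidden_patterns if re.search(pat, text)]
    return reasons


def analyze(wf, dataset):
    """Map message id -> (verdict, reasons, action) for the workflow's messages."""
    results = {}
    for msg in dataset:
        if not is_workflow_message(wf, msg):
            continue   # not part of the protected workflow; out of scope here
        reasons = template_violations(wf, msg)
        action = "quarantine and alert the approver" if reasons else "deliver"
        results[msg["id"]] = ("malicious" if reasons else "benign", reasons, action)
    return results


PO_WORKFLOW = Workflow(   # constructed workflow definition
    name="vendor invoice approval",
    sender_domains={"acme-supplies.com"},
    reference=re.compile(r"\bPO-\d{4}-\d{4}\b"),
    required_phrases=["purchase order"],
    forbidden_patterns=[r"updated bank details", r"new (?:account|iban)", r"\burgent\b"],
)

SAMPLE_MAILBOX = [   # constructed dataset associated with the workflow
    {"id": "m1", "from": "billing@acme-supplies.com", "subject": "Invoice for PO-2024-0133",
     "body": "Please find attached the invoice for purchase order PO-2024-0133."},
    {"id": "m2", "from": "billing@acme-supplies.co", "subject": "URGENT: PO-2024-0133 payment",
     "body": "Purchase order PO-2024-0133 is overdue. Note our updated bank details below."},
    {"id": "m3", "from": "billing@acme-supplies.com", "reply_to": "billing@acme-supplies-pay.net",
     "subject": "PO-2024-0133", "body": "Purchase order PO-2024-0133 invoice attached; reply to confirm."},
    {"id": "m4", "from": "news@example.org", "subject": "Monthly newsletter",
     "body": "Nothing to do with any purchase order."},
]

if __name__ == "__main__":
    for mid, (verdict, reasons, action) in analyze(PO_WORKFLOW, SAMPLE_MAILBOX).items():
        print(mid, verdict, action, reasons)
```

The newsletter never enters the analysis because it carries no workflow artifact; the two malicious messages are caught by different template rules (a lookalike domain plus banned payment wording, and a reply-to that silently redirects the conversation), which is the point of scoping detection to a workflow: the templates can be strict because the legitimate traffic is narrow.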
Abstract:
Methods, systems, and computer-readable media for identifying potential threats on a network based on anomalous behavior in communication between endpoints are provided. Traffic data for a network is accumulated over some period of time. The traffic data is grouped by one or more keys, such as source IP address, and sets of metric values are calculated for the keys. A mixture distribution, such as a negative binomial mixture distribution, is fitted to each set of metric values, and outlying metric values are determined based on the mixture distribution(s). A list of outliers is then generated comprising key values having outlying metric values in one or more of the sets of metric values.
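The method in the abstract carried through on constructed traffic, as an added example that is not the patent's implementation. Flows are grouped by source IP, two metric sets are computed (distinct destination hosts, distinct destination ports), a two-component negative binomial mixture is fitted to each set by EM, and a key is listed as an outlier when its value has upper-tail probability below 0.01 under the fitted mixture. The flow records, the choice of metrics, the two-component fit, the method-of-moments dispersion update in the M-step and the 0.01 threshold are assumptions of this example.

```python
"""NB-mixture outlier detection over per-source traffic metrics (added example)."""
import math
from collections import defaultdict

R_MAX = 1e4  # dispersion cap: when var <= mean the NB collapses to ~Poisson


def build_sample_flows():
    """Constructed (src_ip, dst_ip, dst_port) records, not real traffic."""
    flows = []
    for i in range(60):  # 60 workstations: 1-3 destination hosts and ports
        src = f"10.1.0.{i + 1}"
        for h in range(1 + i % 3):
            for p in range(1 + (i + 1) % 3):
                flows.append((src, f"10.9.0.{h + 1}", 8000 + p))
    for i in range(20):  # 20 proxies: legitimately reach 25-35 hosts and ports
        src = f"10.2.0.{i + 1}"
        for h in range(25 + i % 11):
            for p in range(25 + (i * 7) % 11):
                flows.append((src, f"10.9.1.{h + 1}", 9000 + p))
    flows += [("10.3.0.1", "10.9.2.1", 1 + p) for p in range(150)]      # port scan
    flows += [("10.3.0.2", f"10.9.3.{h + 1}", 445) for h in range(120)]  # host sweep
    return flows


def metrics_by_key(flows):
    """Group by source IP (the key) and compute one metric set per metric."""
    hosts, ports = defaultdict(set), defaultdict(set)
    for src, dst, port in flows:
        hosts[src].add(dst)
        ports[src].add(port)
    keys = sorted(hosts)
    return keys, {"dst_hosts": [len(hosts[k]) for k in keys],
                  "dst_ports": [len(ports[k]) for k in keys]}


def nb_logpmf(k, r, mean):
    """log P(X = k) for a negative binomial with dispersion r and mean `mean`."""
    p = r / (r + mean)
    return (math.lgamma(k + r) - math.lgamma(r) - math.lgamma(k + 1)
            + r * math.log(p) + k * math.log1p(-p))


def nb_tail(k, r, mean):
    """P(X >= k) = 1 - CDF(k - 1), summed directly (counts here are small)."""
    cdf = sum(math.exp(nb_logpmf(j, r, mean)) for j in range(k))
    return max(0.0, 1.0 - cdf)


def fit_nb_mixture(values, n_comp=2, iters=200, tol=1e-9):
    """EM for an NB mixture: closed-form weight and mean updates, and a
    method-of-moments dispersion update r = mean^2 / (var - mean) (assumed
    here for simplicity instead of the exact MLE for r)."""
    n, xs = len(values), sorted(values)
    means = [max(xs[min(n - 1, int(n * (j + 0.5) / n_comp))], 1e-6)
             for j in range(n_comp)]                 # start at spread quantiles
    weights, rs, prev_ll = [1.0 / n_comp] * n_comp, [10.0] * n_comp, -math.inf
    for _ in range(iters):
        resp, ll = [], 0.0                           # E-step (log-sum-exp)
        for x in values:
            lp = [math.log(weights[j]) + nb_logpmf(x, rs[j], means[j]) for j in range(n_comp)]
            top = max(lp)
            z = sum(math.exp(v - top) for v in lp)
            ll += top + math.log(z)
            resp.append([math.exp(v - top) / z for v in lp])
        for j in range(n_comp):                      # M-step
            nj = max(sum(r[j] for r in resp), 1e-12)
            mu = sum(r[j] * x for r, x in zip(resp, values)) / nj
            var = sum(r[j] * (x - mu) ** 2 for r, x in zip(resp, values)) / nj
            weights[j], means[j] = max(nj / n, 1e-12), max(mu, 1e-6)
            rs[j] = min(mu * mu / (var - mu), R_MAX) if var > mu else R_MAX
        if abs(ll - prev_ll) < tol:
            break
        prev_ll = ll
    return weights, rs, means


def find_outliers(keys, metric_sets, alpha=0.01):
    """Per metric set: fit the mixture, flag keys whose value has upper-tail
    probability below alpha under the fitted mixture."""
    outliers = defaultdict(list)
    for name, values in metric_sets.items():
        weights, rs, means = fit_nb_mixture(values)
        for key, x in zip(keys, values):
            tail = sum(w * nb_tail(x, r, m) for w, r, m in zip(weights, rs, means))
            if tail < alpha:
                outliers[key].append((name, x, tail))
    return dict(outliers)


if __name__ == "__main__":
    keys, sets = metrics_by_key(build_sample_flows())
    for key, hits in sorted(find_outliers(keys, sets).items()):
        for metric, value, tail in hits:
            print(f"{key}: {metric}={value}, P(X>={value}) under mixture={tail:.1e}")
```

The mixture earns its keep on the proxies: a single-distribution threshold tuned to the workstations would flag all twenty of them, while the second component absorbs that legitimate mode and only the scanner (150 ports) and the sweep (120 hosts) fall below alpha. Two caveats a practitioner should keep in mind: if several extreme values land in the same metric set they can capture a component of their own and stop looking extreme, so component count and a minimum component weight need attention, and the method-of-moments update for r is a convenience here, not the maximum-likelihood fit.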
Abstract:
A network device operates as an analysis platform for event data records and provides a flexible approach to event data record aggregation. For example, aggregation can be turned on or off and dynamically adjusted based on event record volume and other factors such as network capacity or throughput. Devices that are instructed to aggregate records can also be instructed to archive the raw records, e.g., to maintain a full-fidelity log of events. Devices can further be instructed to use a mixed queue approach to determine the order in which to deliver records, one that interleaves older records and newer records.
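The three behaviours in the abstract (volume-driven aggregation that can be switched on and off, a raw archive kept alongside aggregated output, and a mixed queue that interleaves old and new records on delivery) in one small forwarder, as an added example rather than the patent's own code. The record layout, the high/low watermark hysteresis, the (source, event) count aggregation, the strictly alternating new/old delivery policy and the three-window trace are assumptions of this example.

```python
"""Adaptive event-record aggregation with raw archive and mixed delivery
(added example; thresholds, record layout and queue policy are assumed)."""
from collections import Counter, deque


class RecordForwarder:
    def __init__(self, high_water, low_water, archive_raw=True):
        self.high_water = high_water    # window volume that switches aggregation on
        self.low_water = low_water      # window volume that switches it back off
        self.archive_raw = archive_raw  # keep raw records even while aggregating
        self.aggregate = False
        self.archive = []               # full-fidelity copy of every raw record
        self.old_queue = deque()        # undelivered records from earlier windows
        self.new_queue = deque()        # records produced by the latest window

    @staticmethod
    def aggregate_records(records):
        """Collapse raw records to one (src, event, count) record per pair."""
        counts = Counter((r["src"], r["event"]) for r in records)
        return [{"src": s, "event": e, "count": c} for (s, e), c in sorted(counts.items())]

    def ingest_window(self, records):
        """Process one collection window; returns whether aggregation was on."""
        volume = len(records)
        if volume > self.high_water:    # hysteresis avoids flapping around one threshold
            self.aggregate = True
        elif volume < self.low_water:
            self.aggregate = False
        if self.archive_raw:
            self.archive.extend(records)
        self.old_queue.extend(self.new_queue)   # last window's leftovers age out
        self.new_queue.clear()
        self.new_queue.extend(self.aggregate_records(records) if self.aggregate else records)
        return self.aggregate

    def deliver(self, budget):
        """Send up to `budget` records (budget models available capacity),
        alternating new and old so neither backlog nor fresh events starve."""
        sent = []
        for slot in range(budget):
            first, second = ((self.new_queue, self.old_queue) if slot % 2 == 0
                             else (self.old_queue, self.new_queue))
            queue = first if first else second
            if not queue:
                break
            sent.append(queue.popleft())
        return sent


def simulate():
    """Constructed three-window trace: quiet, burst, quiet."""
    fwd = RecordForwarder(high_water=100, low_water=20)
    quiet = [{"src": "host1", "event": "login_ok"} for _ in range(5)]
    burst = [{"src": f"host{i % 3}", "event": "auth_fail" if i % 2 else "login_ok"}
             for i in range(1000)]
    trace = []
    for window, budget in ((quiet, 2), (burst, 4), (quiet[:3], 100)):
        on = fwd.ingest_window(window)
        trace.append((on, fwd.deliver(budget)))
    return fwd, trace


if __name__ == "__main__":
    fwd, trace = simulate()
    for on, sent in trace:
        print("aggregating" if on else "raw", len(sent), "delivered")
    print(len(fwd.archive), "raw records archived")
```

During the burst the 1000 raw records leave as six counted records while all 1000 still land in the archive, so an investigator can go back to full fidelity; the four-record delivery in that window carries two fresh aggregates and two raw records left over from the quiet window, which is what the mixed queue buys over plain FIFO or LIFO.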
Abstract:
Generation of behavior profiling reports is provided for enterprise server devices in a network of enterprise server devices, as well as generation and association of severity scores for the behavior profiling reports generated for those devices. A method can comprise receiving historical security event data representing historical security events of a first device and owner data representing an owner of the first device, and, as a function of the historical security event data and the owner data, identifying an anomalous contact established between the first device and a second device. Further, in response to identifying the existence of the anomalous contact, the second device can be depicted on a connected graph of anomalous contacts established by the first device.
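A minimal profiling report of the kind the abstract describes, as an added example that is not the patent's implementation: the device's historical events give a baseline of established contacts, the owner data supplies a peer group that is expected even without history, anything outside both is an anomalous contact, those contacts are placed on a graph rooted at the device, and a severity score is attached. The event and owner data, the "seen at least three times" baseline rule, the same-owner peer rule and the scoring formula are all assumptions of this example.

```python
"""Behavior-profiling report for one enterprise server (added example;
data, baseline rule, peer-group rule and scoring are assumed)."""
from collections import Counter

# Constructed data. Events are (src, dst, severity 1-10); owner data maps a
# device to the team that owns it (devices absent from OWNERS are external).
HISTORY = ([("srv-db1", "srv-app1", 1)] * 30 + [("srv-db1", "backup1", 1)] * 4
           + [("srv-db1", "srv-app2", 1)] * 2)
OWNERS = {"srv-db1": "payments", "srv-app1": "payments", "srv-app2": "payments",
          "srv-app3": "payments", "backup1": "infra", "dev-box7": "engineering"}
RECENT = [("srv-db1", "srv-app1", 1), ("srv-db1", "srv-app3", 2), ("srv-db1", "dev-box7", 4),
          ("srv-db1", "203.0.113.9", 8), ("srv-db1", "dev-box7", 3), ("srv-app1", "dev-box7", 5)]


def baseline_contacts(device, history, min_seen=3):
    """Destinations this device has contacted at least min_seen times before."""
    counts = Counter(dst for src, dst, _ in history if src == device)
    return {dst for dst, n in counts.items() if n >= min_seen}


def profile(device, history, owners, recent, min_seen=3):
    """Build the report: anomalous contacts, their graph and a severity score."""
    known = baseline_contacts(device, history, min_seen)
    owner = owners.get(device)
    anomalous = {}                    # dst -> worst severity observed
    for src, dst, sev in recent:
        if src != device or dst in known:
            continue
        if owner is not None and owners.get(dst) == owner:
            continue                  # same owner as the device: an expected peer
        anomalous[dst] = max(anomalous.get(dst, 0), sev)
    graph = {device: sorted(anomalous)}   # connected graph rooted at the device
    for dst in anomalous:
        graph.setdefault(dst, []).append(device)
    # severity: worst event per anomalous contact, plus a premium for endpoints
    # that are not enterprise devices at all (assumed weighting)
    score = sum(sev + (5 if owners.get(dst) is None else 0) for dst, sev in anomalous.items())
    return {"device": device, "owner": owner, "anomalous": anomalous,
            "graph": graph, "severity": score}


if __name__ == "__main__":
    report = profile("srv-db1", HISTORY, OWNERS, RECENT)
    print(report["graph"], "severity", report["severity"])
```

Note what the owner data changes: srv-app3 has never appeared in srv-db1's history, yet it is not reported because it belongs to the same team, so the report concentrates on the engineering workstation and the external address rather than on routine growth inside the owner's own estate.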
Abstract:
A method and system for determining whether an IP address is part of a bot-network are provided. The IP-address-aggregate associated with the IP address of an e-mail sender is determined. The IP-address-aggregate is associated with an IP-address-aggregate-category based on the current SMTP traffic characteristics of the IP-address-aggregate and the known SMTP traffic characteristics of an IP-address-aggregate-category. A bot-likelihood score of the IP-address-aggregate-category is then associated with the IP-address-aggregate. IP-address-aggregate-categories can be established based on historical SMTP traffic characteristics of the IP-address-aggregates. The IP-address-aggregates are grouped based on SMTP characteristics, and the IP-address-aggregate-categories are defined based on a selection of IP-address-aggregates with similar SMTP traffic characteristics that are diagnostic of spam bots vs. non-botnet-controlled spammers. Bot likelihood scores are determined for the resulting IP-address-aggregate-categories based on historically known bot IP addresses.
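The scoring chain in the abstract carried through end to end, as an added example and not the patent's implementation: senders are rolled up into /24 aggregates, each aggregate gets a vector of SMTP traffic characteristics, historical aggregates are grouped into categories, each category's bot likelihood is the share of its IP addresses that were historically known bots, and a sender's current aggregate is assigned to the nearest category to inherit that score. The /24 aggregate, the four features (active IPs, messages per active IP, mean recipients, rejection rate), min-max scaling, deterministic two-cluster k-means and the constructed sessions and bot list are assumptions of this example.

```python
"""Bot likelihood of an SMTP sender via its IP-address aggregate (added
example; aggregate size, features, clustering and data are assumed)."""
import ipaddress
from collections import defaultdict


def aggregate_of(ip, prefix=24):
    """IP-address aggregate: the /24 containing the sender (assumption)."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def smtp_features(sessions):
    """Per aggregate: (active IPs, messages per active IP, mean recipients
    per message, fraction of messages rejected)."""
    rows = defaultdict(list)
    for ip, rcpts, rejected in sessions:
        rows[aggregate_of(ip)].append((ip, rcpts, rejected))
    feats = {}
    for agg, r in rows.items():
        ips = {ip for ip, _, _ in r}
        feats[agg] = (len(ips), len(r) / len(ips),
                      sum(rc for _, rc, _ in r) / len(r), sum(rj for _, _, rj in r) / len(r))
    return feats


def sqdist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def nearest(centroids, p):
    return min(range(len(centroids)), key=lambda j: sqdist(centroids[j], p))


def kmeans(points, k, iters=100):
    """Deterministic k-means: first point seeds cluster 0, further seeds are
    the points farthest from the seeds chosen so far."""
    centroids = [list(points[0])]
    while len(centroids) < k:
        centroids.append(list(max(points, key=lambda p: min(sqdist(c, p) for c in centroids))))
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for p in points:
            groups[nearest(centroids, p)].append(p)
        new = [[sum(col) / len(g) for col in zip(*g)] if g else centroids[j]
               for j, g in enumerate(groups)]
        if new == centroids:
            break
        centroids = new
    return centroids


class BotCategorizer:
    def __init__(self, history, known_bots, k=2):
        feats = smtp_features(history)
        aggs, raw = list(feats), list(feats.values())
        self.lo = [min(col) for col in zip(*raw)]
        self.hi = [max(col) for col in zip(*raw)]
        scaled = [self.scale(p) for p in raw]
        self.centroids = kmeans(scaled, k)          # the aggregate categories
        ips_by_agg = defaultdict(set)
        for ip, _, _ in history:
            ips_by_agg[aggregate_of(ip)].add(ip)
        ips_by_cat = defaultdict(set)
        for agg, p in zip(aggs, scaled):
            ips_by_cat[nearest(self.centroids, p)] |= ips_by_agg[agg]
        # bot likelihood of a category = share of its IPs that are known bots
        self.likelihood = {cat: len(ips & known_bots) / len(ips) for cat, ips in ips_by_cat.items()}

    def scale(self, p):
        return [(v - lo) / (hi - lo) if hi > lo else 0.0 for v, lo, hi in zip(p, self.lo, self.hi)]

    def score(self, ip, current_sessions):
        """Category of the sender's aggregate under current traffic, and its bot likelihood."""
        cat = nearest(self.centroids, self.scale(smtp_features(current_sessions)[aggregate_of(ip)]))
        return cat, self.likelihood.get(cat, 0.0)


def make_sessions(prefix, n_ips, msgs_per_ip, rcpts, reject_every):
    """Constructed (ip, recipients, rejected) sessions for one /24."""
    return [(f"{prefix}.{h + 1}", rcpts, (h * msgs_per_ip + m) % reject_every == 0)
            for h in range(n_ips) for m in range(msgs_per_ip)]


HISTORY, KNOWN_BOTS = [], set()
for i in range(4):
    HISTORY += make_sessions(f"198.51.{i}", 40, 2 + i % 2, 1, 2)   # botnet-like: many IPs, few msgs, half rejected
    HISTORY += make_sessions(f"203.0.{i}", 2 + i % 2, 300, 3, 50)  # bulk mailer: few IPs, many msgs, 2% rejected
    KNOWN_BOTS |= {f"198.51.{i}.{h}" for h in range(1, 11)}          # 10 sinkholed bots per botnet /24

if __name__ == "__main__":
    model = BotCategorizer(HISTORY, KNOWN_BOTS)
    today = make_sessions("192.0.2", 40, 2, 1, 2) + make_sessions("203.0.113", 2, 300, 3, 50)
    for sender in ("192.0.2.7", "203.0.113.2"):
        print(sender, model.score(sender, today))
```

The score attaches to a sender that has never been seen before (192.0.2.7 appears in no historical data) purely because its /24 behaves like the historical botnet aggregates; that transfer from category to aggregate to address is what the method gives over per-IP blocklists, and it is also why the category features should be ones a bot herder cannot cheaply imitate.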