Network security classification
    Granted patent

    Publication number: US10382462B2

    Publication date: 2019-08-13

    Application number: US15221838

    Filing date: 2016-07-28

    Abstract: In one embodiment, a method includes obtaining a set of samples, each of the set of samples including sample values for each of a plurality of variables in a variable space. The method includes receiving, for each of an initial subset of the set of samples, a label for the sample as being either malicious or legitimate; identifying one or more boundaries in the variable space based on the labels and sample values for each of the initial subset; selecting an incremental subset of the unlabeled samples of the set of samples, wherein the incremental subset includes at least one unlabeled sample including sample values further from any of the one or more boundaries than an unlabeled sample that is not included in the incremental subset; and receiving, for each of the incremental subset, a label for the sample as being either malicious or legitimate.
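The selection rule in the abstract differs from plain uncertainty sampling: the incremental subset must contain at least one sample that lies farther from the learned boundary than some sample left out. The following is an added illustration, not code from the patent or its assignee. It assumes a single linear boundary fitted with a perceptron, two-dimensional constructed feature vectors, and a selection rule that fills part of the subset with the nearest samples and the rest with the farthest ones; all function names and the sample values are assumptions of this example.

```python
"""Boundary-distance-based selection of the next samples to label.

Added example illustrating the abstract above; it is not the patent's code.
Assumptions: the boundary is a single linear separator fitted with a
perceptron, each sample is a 2-D feature vector (constructed values standing
for, say, connections per minute and distinct destinations per minute), and
the incremental subset mixes the samples nearest the boundary with the ones
farthest from it. Pure Python, no third-party packages.
"""
import math

# Constructed initial labeled subset: (features, label).
LABELED = [
    ((8.0, 7.0), "malicious"),
    ((9.0, 6.5), "malicious"),
    ((7.5, 8.5), "malicious"),
    ((1.0, 2.0), "legitimate"),
    ((2.0, 1.0), "legitimate"),
    ((1.5, 2.5), "legitimate"),
]

# Constructed unlabeled remainder of the sample set.
UNLABELED = [(2.6, 2.4), (5.0, 5.0), (9.5, 9.0), (0.5, 0.5), (3.0, 3.5), (7.0, 6.0)]


def _dot(w, x):
    return sum(wi * xi for wi, xi in zip(w, x))


def fit_linear_boundary(labeled, epochs=200, lr=0.1):
    """Perceptron fit of w.x + b = 0 with malicious on the positive side.

    Returns (w, b). Converges only if the labeled data is linearly separable;
    the epoch cap keeps the loop finite otherwise.
    """
    dim = len(labeled[0][0])
    w, b = [0.0] * dim, 0.0
    for _ in range(epochs):
        mistakes = 0
        for x, label in labeled:
            t = 1.0 if label == "malicious" else -1.0
            if t * (_dot(w, x) + b) <= 0.0:
                w = [wi + lr * t * xi for wi, xi in zip(w, x)]
                b += lr * t
                mistakes += 1
        if mistakes == 0:
            break
    return w, b


def predict(w, b, x):
    return "malicious" if _dot(w, x) + b > 0.0 else "legitimate"


def distance_to_boundary(w, b, x):
    """Euclidean distance from x to the hyperplane w.x + b = 0."""
    norm = math.sqrt(_dot(w, w))
    return abs(_dot(w, x) + b) / norm if norm else 0.0


def select_incremental_subset(w, b, unlabeled, k, n_far=None):
    """Indices of k unlabeled samples to send for labeling.

    Classic uncertainty sampling takes only the samples nearest the boundary.
    The abstract requires that the subset also contain a sample farther from
    the boundary than some excluded sample, so this (assumed) rule reserves
    n_far slots for the farthest samples, which probes for regions where the
    current boundary is confidently wrong.
    """
    if n_far is None:
        n_far = k // 2
    ranked = sorted(range(len(unlabeled)),
                    key=lambda i: distance_to_boundary(w, b, unlabeled[i]))
    near = ranked[:k - n_far]
    far = [i for i in reversed(ranked) if i not in near][:n_far]
    return near + far


def labeling_round(labeled, unlabeled, k, oracle):
    """One active-learning iteration: fit, select, query labels, extend."""
    w, b = fit_linear_boundary(labeled)
    chosen = select_incremental_subset(w, b, unlabeled, k)
    new_labeled = labeled + [(unlabeled[i], oracle(unlabeled[i])) for i in chosen]
    remaining = [x for i, x in enumerate(unlabeled) if i not in chosen]
    return new_labeled, remaining


if __name__ == "__main__":
    w, b = fit_linear_boundary(LABELED)
    for i in select_incremental_subset(w, b, UNLABELED, 3):
        print(UNLABELED[i], round(distance_to_boundary(w, b, UNLABELED[i]), 2))
```

The `oracle` passed to `labeling_round` stands for the analyst who returns the malicious/legitimate label for each queried sample; in practice the round is repeated until the boundary stops moving.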

    Detection of malicious domains using recurring patterns in domain names

    Publication number: US10178107B2

    Publication date: 2019-01-08

    Application number: US15091705

    Filing date: 2016-04-06

    Abstract: In one embodiment, a security device identifies, from monitored network traffic of one or more users, one or more suspicious domain names as candidate domains, the one or more suspicious domain names identified based on an occurrence of linguistic units used in discovered domain names within the monitored network traffic. The security device may then determine one or more features of the candidate domains, and confirms certain domains of the candidate domains as malicious domains using a parameterized classifier against the one or more features.
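The abstract describes a two-stage pipeline: a cheap statistic over linguistic units narrows the monitored host names to candidates, and a parameterized classifier over per-domain features confirms which candidates are malicious. The following added example (not the patent's or its assignee's code) takes character trigrams of the second-level label as the linguistic unit, treats a domain as a candidate when most of its trigrams occur in no other observed domain, and uses a fixed-weight linear rule over four handcrafted features in place of a trained classifier. The domain list, the weights and all function names are assumptions of this example.

```python
"""Candidate selection by rare linguistic units, then feature-based confirmation.

Added example for the abstract above, not the patent's implementation.
Assumptions: the 'linguistic unit' is a character trigram of the
second-level label, a domain becomes a candidate when most of its trigrams
occur in no other observed domain, and the 'parameterized classifier' is a
fixed-weight linear rule over four handcrafted features. The domain list is
constructed, not captured traffic. Pure Python.
"""
import math
from collections import Counter

# Constructed "monitored traffic": one line per distinct host name seen.
MONITORED_DOMAINS = [
    "www.google.com", "mail.google.com", "cdn.cloudflare.com",
    "static.example.org", "login.microsoft.com", "update.microsoft.com",
    "docs.python.org", "github.com", "api.github.com",
    "xk7q2zv9pl.net", "q8wzj4lmn0ak.com", "hr6bd9tq3x.info",
]

VOWELS = set("aeiou")


def second_level_label(domain):
    """Label left of the public suffix; assumes single-label suffixes (.com)."""
    return domain.lower().rstrip(".").split(".")[-2]


def trigrams(label):
    return {label[i:i + 3] for i in range(len(label) - 2)}


def unit_document_frequency(domains):
    """How many distinct domains each trigram occurs in."""
    df = Counter()
    for d in domains:
        df.update(trigrams(second_level_label(d)))
    return df


def candidate_domains(domains, df, min_rare_fraction=0.5):
    """Domains whose label is mostly made of trigrams seen nowhere else."""
    out = []
    for d in domains:
        grams = trigrams(second_level_label(d))
        if not grams:
            continue
        rare = sum(1 for g in grams if df[g] == 1)
        if rare / len(grams) >= min_rare_fraction:
            out.append(d)
    return out


def features(label):
    n = len(label)
    counts = Counter(label)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return {
        "length": n,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
        "entropy": entropy,
        "vowel_ratio": sum(ch in VOWELS for ch in label) / n,
    }


# Assumed classifier parameters; a real deployment learns these from labels.
WEIGHTS = {"length": 0.15, "digit_ratio": 4.0, "entropy": 1.0, "vowel_ratio": -6.0}
BIAS = -4.0


def score(feat, weights=WEIGHTS, bias=BIAS):
    return sum(weights[k] * feat[k] for k in weights) + bias


def confirm_malicious(candidates, weights=WEIGHTS, bias=BIAS):
    return [d for d in candidates
            if score(features(second_level_label(d)), weights, bias) > 0.0]


def detect(domains):
    """Stage 1 (candidates by rare trigrams), then stage 2 (feature rule)."""
    df = unit_document_frequency(domains)
    cands = candidate_domains(domains, df)
    return cands, confirm_malicious(cands)


if __name__ == "__main__":
    cands, confirmed = detect(MONITORED_DOMAINS)
    print("candidates:", cands)
    print("confirmed:", confirmed)
```

Note that the first stage is deliberately permissive: a unique but benign label such as `example` also becomes a candidate, and it is the second stage that clears it. The second-level-label helper ignores multi-label public suffixes such as `co.uk`; a real deployment would consult the public suffix list.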

    Automatic detection of network threats based on modeling sequential behavior in network traffic

    Publication number: US10154051B2

    Publication date: 2018-12-11

    Application number: US15253659

    Filing date: 2016-08-31

    Inventor: Michal Sofka

    Abstract: A computer-implemented data processing method comprises: executing a recurrent neural network (RNN) comprising nodes each implemented as a Long Short-Term Memory (LSTM) cell and comprising links between nodes that represent outputs of LSTM cells and inputs to LSTM cells, wherein each LSTM cell implements an input layer, hidden layer and output layer of the RNN; receiving network traffic data associated with networked computers; extracting feature data representing features of the network traffic data and providing the feature data to the RNN; classifying individual Uniform Resource Locators (URLs) as malicious or legitimate using LSTM cells of the input layer, wherein inputs to the LSTM cells are individual characters of the URLs, and wherein the LSTM cells generate feature representation; based on the feature representation, generating signals to a firewall device specifying either admitting or denying the URLs.

    REFINED LEARNING DATA REPRESENTATION FOR CLASSIFIERS

    Publication number: US20170316342A1

    Publication date: 2017-11-02

    Application number: US15143792

    Filing date: 2016-05-02

    CPC classification number: G06N20/00 G06F17/11 G06F21/552 G06N20/10 H04L63/1425

    Abstract: In one embodiment, a learning machine device initializes thresholds of a data representation of one or more data features, the thresholds specifying a first number of pre-defined bins (e.g., uniform and equidistant bins). Next, adjacent bins of the pre-defined bins having substantially similar weights may be reciprocally merged, the merging resulting in a second number of refined bins that is less than the first number. Notably, while merging, the device also learns weights of a linear decision rule associated with the one or more data features. Accordingly, a data-driven representation for a data-driven classifier may be established based on the refined bins and learned weights.
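The procedure in the abstract is concrete enough to run end to end: start from uniform, equidistant bins over a feature, learn a weight per bin, and merge adjacent bins whose weights are close, recomputing weights as you go. The following added example (not the patent's or its assignee's code) does this for one scalar feature, taking the bin weight to be the smoothed log-odds of malicious versus legitimate counts, which makes the decision rule linear in the bin indicators, and merging greedily the adjacent pair whose weights differ least. The feature values, the tolerance and the function names are assumptions of this example.

```python
"""Uniform bins refined by merging neighbours with similar weights.

Added example of the procedure in the abstract above; not the patent's code.
Assumptions: a single scalar feature, bin weights taken as smoothed log-odds
of malicious vs. legitimate counts (a linear decision rule over bin
indicators), and greedy merging of the adjacent pair whose weights differ
least. Feature values are constructed. Pure Python.
"""
import math

# Constructed training data: feature value (e.g. requests per second to one
# server, capped at 10) and analyst label.
SAMPLES = [
    (0.5, "legitimate"), (1.2, "legitimate"), (1.8, "legitimate"), (2.4, "legitimate"),
    (2.9, "legitimate"), (3.5, "legitimate"), (0.7, "legitimate"), (1.5, "legitimate"),
    (2.2, "legitimate"), (3.8, "legitimate"),
    (6.3, "malicious"), (7.1, "malicious"), (7.8, "malicious"), (8.4, "malicious"),
    (9.2, "malicious"), (6.6, "malicious"), (7.5, "malicious"), (8.9, "malicious"),
    (9.7, "malicious"), (6.1, "malicious"),
]


def uniform_edges(lo, hi, n_bins):
    """Thresholds of n_bins uniform, equidistant bins over [lo, hi]."""
    step = (hi - lo) / n_bins
    return [lo + i * step for i in range(n_bins + 1)]


def bin_index(edges, x):
    """Right-open bins [e_i, e_i+1); values outside the range are clamped."""
    if x < edges[0]:
        return 0
    for i in range(len(edges) - 1):
        if edges[i] <= x < edges[i + 1]:
            return i
    return len(edges) - 2


def bin_counts(edges, samples):
    n = len(edges) - 1
    mal, leg = [0] * n, [0] * n
    for x, label in samples:
        i = bin_index(edges, x)
        if label == "malicious":
            mal[i] += 1
        else:
            leg[i] += 1
    return mal, leg


def log_odds(m, l, alpha=1.0):
    """Smoothed log(P(malicious)/P(legitimate)) for one bin; the bin's weight."""
    return math.log((m + alpha) / (l + alpha))


def refine_bins(edges, samples, tol):
    """Merge adjacent bins whose weights differ by at most tol.

    Each merge pools the two bins' counts and recomputes the weight, so the
    weights of the decision rule are learned while the representation shrinks.
    Returns (refined_edges, weights).
    """
    edges = list(edges)
    mal, leg = bin_counts(edges, samples)
    while len(mal) > 1:
        weights = [log_odds(m, l) for m, l in zip(mal, leg)]
        i = min(range(len(weights) - 1),
                key=lambda k: abs(weights[k] - weights[k + 1]))
        if abs(weights[i] - weights[i + 1]) > tol:
            break
        mal[i] += mal[i + 1]
        leg[i] += leg[i + 1]
        del mal[i + 1], leg[i + 1], edges[i + 1]
    return edges, [log_odds(m, l) for m, l in zip(mal, leg)]


def classify(edges, weights, x):
    """Linear decision rule over bin indicators: sign of the active bin's weight."""
    return "malicious" if weights[bin_index(edges, x)] > 0.0 else "legitimate"


if __name__ == "__main__":
    initial = uniform_edges(0.0, 10.0, 10)
    edges, weights = refine_bins(initial, SAMPLES, tol=0.5)
    for lo, hi, w in zip(edges, edges[1:], weights):
        print(f"[{lo:4.1f}, {hi:4.1f})  weight {w:+.3f}")
```

On the constructed data the ten initial bins collapse to five: the two populated legitimate bins with identical counts merge first, the two empty middle bins merge into one neutral bin, and the malicious bins merge into a single wide bin as their pooled counts make the weight more confident. Empty bins keep a weight of zero, so values that fall there are not flagged.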

    Identifying Malware Communications with DGA Generated Domains by Discriminative Learning
    Patent application (in force)

    Publication number: US20170026390A1

    Publication date: 2017-01-26

    Application number: US14806236

    Filing date: 2015-07-22

    Abstract: Techniques are presented to identify malware communication with domain generation algorithm (DGA) generated domains. Sample domain names are obtained and labeled as DGA domains, non-DGA domains or suspicious domains. A classifier is trained in a first stage based on the sample domain names. Sample proxy logs including proxy logs of DGA domains and proxy logs of non-DGA domains are obtained to train the classifier in a second stage based on the plurality of sample domain names and the plurality of sample proxy logs. Live traffic proxy logs are obtained and the classifier is tested by classifying the live traffic proxy logs as DGA proxy logs, and the classifier is forwarded to a second computing device to identify network communication of a third computing device as malware network communication with DGA domains via a network interface unit of the third computing device based on the trained and tested classifier.


    Joint anomaly detection across IOT devices

    Publication number: US10193913B2

    Publication date: 2019-01-29

    Application number: US15228980

    Filing date: 2016-08-04

    Abstract: Systems and methods of the present disclosure provide technology to identify when network-connected devices are likely infected with malware. Network communications are monitored during a specific time window and a graph is created for a conditional random field (CRF) model. Vertices of the graph represent devices connected to the network and an edge between two vertices indicates that one or more network communications occurred between two devices represented by the two vertices during the time window. Network devices can report observations about network behavior during the time window and the observations can be used as input for the CRF model. The CRF model can then be used to determine infection-status values for the network devices.

    Learning detector of malicious network traffic from weak labels

    Publication number: US09923912B2

    Publication date: 2018-03-20

    Application number: US14960086

    Filing date: 2015-12-04

    CPC classification number: H04L63/1425 G06F21/53 H04L63/0281

    Abstract: Techniques are presented that identify malware network communications between a computing device and a server utilizing a detector process. Network traffic records are classified as either malware or legitimate network traffic records and divided into groups of classified network traffic records associated with network communications between the computing device and the server for a predetermined period of time. A group of classified network traffic records is labeled as malicious when at least one of the classified network traffic records in the group is malicious and as legitimate when none of the classified network traffic records in the group is malicious to obtain a labeled group of classified network traffic records. A detector process is trained on individual classified network traffic records in the labeled group of classified network traffic records and network communication between the computing device and the server is identified as malware network communication utilizing the detector process.
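The labeling rule in the abstract is a multiple-instance one: records are grouped per client, server and time window, the group is malicious if any record in it is, and the detector is then trained on the individual records under that group label. The consequence worth seeing is that benign-looking records in a malicious group inherit the malicious label, and the detector has to tolerate that noise. The following added example (not the patent's or its assignee's code) builds the groups from constructed proxy records that carry an upstream per-record verdict, assigns the weak labels, and trains a token log-odds scorer over URL paths as the detector; the records, the 300-second window, the threshold and the function names are assumptions of this example.

```python
"""Weak (group-level) labels from per-record verdicts, then a record detector.

Added example of the labeling scheme in the abstract above; not the patent's
code. Assumptions: records carry a verdict from an upstream classifier,
groups are (client, server, fixed time window), a group is malicious when
any of its records is, every record inherits its group's label, and the
detector is a token log-odds scorer over URL paths. The records are
constructed. Pure Python.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed proxy records: (epoch seconds, client, server, path, verdict).
RECORDS = [
    (100, "10.0.0.5", "203.0.113.9", "/gate.php?id=ab12", "malware"),
    (160, "10.0.0.5", "203.0.113.9", "/img/logo.png", "legitimate"),
    (220, "10.0.0.5", "203.0.113.9", "/gate.php?id=ab13", "legitimate"),  # missed upstream
    (120, "10.0.0.6", "198.51.100.7", "/index.html", "legitimate"),
    (190, "10.0.0.6", "198.51.100.7", "/img/logo.png", "legitimate"),
    (700, "10.0.0.7", "198.51.100.7", "/news/today", "legitimate"),
]
WINDOW_SECONDS = 300


def group_records(records, window=WINDOW_SECONDS):
    """Group records by (client, server, window index)."""
    groups = defaultdict(list)
    for ts, client, server, path, verdict in records:
        groups[(client, server, ts // window)].append((path, verdict))
    return groups


def label_groups(groups):
    """A group is malicious if at least one of its records is, else legitimate."""
    return {key: ("malicious" if any(v == "malware" for _, v in recs) else "legitimate")
            for key, recs in groups.items()}


def tokens(path):
    return [t for t in re.split(r"[/?=&.]+", path.lower()) if t]


def train_detector(groups, labels, alpha=1.0):
    """Per-token log-odds learned from individual records under the group label.

    Every record in a malicious group counts as malicious here, including the
    benign-looking ones; tokens that occur equally in both classes end up near
    zero, which is how the detector absorbs that label noise.
    """
    mal, leg = Counter(), Counter()
    for key, recs in groups.items():
        target = mal if labels[key] == "malicious" else leg
        for path, _ in recs:
            target.update(tokens(path))
    vocab = set(mal) | set(leg)
    return {t: math.log((mal[t] + alpha) / (leg[t] + alpha)) for t in vocab}


def score_record(model, path):
    """Unseen tokens contribute 0 (no evidence either way)."""
    return sum(model.get(t, 0.0) for t in tokens(path))


def is_malware_communication(model, paths, threshold=2.0):
    """Flag a client-server communication if any of its records scores above threshold."""
    return any(score_record(model, p) > threshold for p in paths)


def build():
    groups = group_records(RECORDS)
    labels = label_groups(groups)
    return groups, labels, train_detector(groups, labels)


if __name__ == "__main__":
    groups, labels, model = build()
    for key in sorted(groups):
        print(key, labels[key], [p for p, _ in groups[key]])
    print(is_malware_communication(model, ["/gate.php?id=zz99", "/img/logo.png"]))
```

In the constructed data the shared `/img/logo.png` record lands in both a malicious and a legitimate group, so its tokens score zero, while the `gate`, `php` and `id` tokens that the upstream classifier only partially caught become strongly malicious and carry a previously unseen `id` value over the threshold.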
