Data-driven alert prioritization
    1.
    Granted invention patent

    Publication number: US09601000B1

    Publication date: 2017-03-21

    Application number: US14039875

    Filing date: 2013-09-27

Abstract: A technique provides alert prioritization. The technique involves selecting attributes to use as alert scoring factors. It further involves updating, for an incoming alert having particular values for the selected attributes, count data so that it reflects the encounter with the incoming alert from the perspective of each selected attribute, and then generating an overall significance score for the incoming alert from the updated count data. The overall significance score is a measure of the alert's significance relative to other alerts; scored alerts can then be sorted so that investigators focus on those with the highest significance scores. The technique is well suited to adaptive authentication (AA) and Security Information and Event Management (SIEM) systems, among other alert-based systems such as churn analysis and malfunction detection systems.
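    Worked example (added here for illustration; this is not code from the patent or its assignee): one way to turn per-attribute count data into a relative significance score. The alert schema, the three scoring attributes (`user`, `src_ip`, `rule`), the surprisal formula and the sample alerts are all assumptions made for this example.

```python
"""Count-based alert significance scoring.

Added illustrative example; the alert schema, the three scoring attributes and
the surprisal formula are assumptions, not the patent's own method.
"""
import math
from collections import Counter

# The attributes selected as scoring factors (assumed for this example).
SCORING_ATTRIBUTES = ("user", "src_ip", "rule")


class AlertScorer:
    """Keeps per-attribute value counts and scores alerts by rarity."""

    def __init__(self, attributes=SCORING_ATTRIBUTES):
        self.attributes = attributes
        self.counts = {attr: Counter() for attr in attributes}
        self.total = 0

    def score(self, alert):
        """Update the count data with this alert, then return its overall score.

        Per attribute the score is the surprisal -ln(p) of the observed value,
        where p is the fraction of alerts seen so far that carried that value.
        The overall score is the mean surprisal over the selected attributes,
        so an alert whose values are all common scores near 0 and one whose
        values have never been seen scores high.
        """
        self.total += 1
        surprisals = []
        for attr in self.attributes:
            value = alert.get(attr, "<missing>")
            self.counts[attr][value] += 1
            p = self.counts[attr][value] / self.total
            surprisals.append(-math.log(p))
        return sum(surprisals) / len(surprisals)


def prioritize(alerts, attributes=SCORING_ATTRIBUTES):
    """Score alerts in arrival order and return them sorted, highest score first."""
    scorer = AlertScorer(attributes)
    scored = [(scorer.score(alert), idx, alert) for idx, alert in enumerate(alerts)]
    scored.sort(key=lambda item: (-item[0], item[1]))   # ties keep arrival order
    return [(round(score, 3), alert) for score, _, alert in scored]


# Constructed sample alerts, in arrival order (not real data).
SAMPLE_ALERTS = [
    {"user": "alice",   "src_ip": "10.0.0.5",    "rule": "failed_login"},
    {"user": "bob",     "src_ip": "10.0.0.6",    "rule": "failed_login"},
    {"user": "alice",   "src_ip": "10.0.0.5",    "rule": "failed_login"},
    {"user": "alice",   "src_ip": "10.0.0.5",    "rule": "failed_login"},
    {"user": "bob",     "src_ip": "10.0.0.6",    "rule": "failed_login"},
    {"user": "mallory", "src_ip": "203.0.113.9", "rule": "priv_escalation"},
    {"user": "alice",   "src_ip": "10.0.0.5",    "rule": "failed_login"},
    {"user": "alice",   "src_ip": "10.0.0.5",    "rule": "new_device"},
]

if __name__ == "__main__":
    for score, alert in prioritize(SAMPLE_ALERTS):
        print(f"{score:6.3f}  {alert}")
```

    The counts are updated before scoring, so the very first alert always scores 0 and a burst of identical alerts decays towards 0 as it repeats; in a real deployment the counts would be seeded from history rather than started empty, and the attribute set would be chosen per data source.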

Fast-flux detection utilizing domain name system information
    2.
    Granted invention patent
    Fast-flux detection utilizing domain name system information (in force)

    Publication number: US09426168B1

    Publication date: 2016-08-23

    Application number: US14471540

    Filing date: 2014-08-28

    CPC classification number: H04L63/1408 H04L63/101 H04L2463/144

    Abstract: A processing device comprises a processor coupled to a memory and is configured to determine a first set of features from domain name system (DNS) information, the first set of features being defined over a domain, and to determine a second set of features from the DNS information, the second set of features being defined over internet protocol (IP) addresses returned for the domain. The processing device is further configured to compute a fast-flux score based on the first and second sets of features, and to utilize the fast-flux score to characterize fast-flux activity relating to the domain. For example, the processing device can be configured to compare the fast-flux score to a threshold, and to generate an indicator of the presence or absence of fast-flux activity based on a result of the comparison. The processing device may be implemented in a computer network or network security system.
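    Worked example (added here for illustration; not the patent's or any product's code): features over the domain (distinct IPs, TTL, churn between consecutive answers) and features over the returned IPs (/24 prefixes, ASNs) combined into a score that is compared with a threshold. The feature set, weights, threshold, the stand-in ASN table and the two DNS histories are assumptions made for this example.

```python
"""Fast-flux scoring from DNS answer history.

Added illustrative example. The feature set, weights, threshold and the
ASN lookup table are assumptions made for this example; they are not the
patent's features or any product's tuning.
"""
import ipaddress
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class DnsAnswer:
    """One observed A-record response for the domain."""
    ts: int          # observation time, seconds
    ttl: int         # TTL of the returned records
    ips: tuple       # IPv4 addresses returned in this answer


def domain_features(answers):
    """Features defined over the domain: how its answer set behaves over time."""
    ordered = sorted(answers, key=lambda a: a.ts)
    changes = sum(1 for a, b in zip(ordered, ordered[1:]) if set(a.ips) != set(b.ips))
    return {
        "n_distinct_ips": len({ip for a in ordered for ip in a.ips}),
        "avg_ttl": mean(a.ttl for a in ordered),
        "avg_answer_size": mean(len(a.ips) for a in ordered),
        # fraction of consecutive answers whose IP set differs
        "churn": changes / max(1, len(ordered) - 1),
    }


def ip_features(answers, asn_of):
    """Features defined over the returned IPs: how scattered they are."""
    ips = {ip for a in answers for ip in a.ips}
    prefixes = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
    asns = {asn_of(ip) for ip in ips}
    return {
        "n_prefixes": len(prefixes),
        "n_asns": len(asns),
        "asn_per_ip": len(asns) / max(1, len(ips)),
    }


def fast_flux_score(dfeat, ifeat):
    """Weighted combination of normalised features, in [0, 1]."""
    score = 0.25 * min(dfeat["n_distinct_ips"] / 10.0, 1.0)
    score += 0.20 * max(0.0, 1.0 - dfeat["avg_ttl"] / 1800.0)   # short TTLs push the score up
    score += 0.25 * dfeat["churn"]
    score += 0.30 * min(ifeat["n_asns"] / 5.0, 1.0)
    return score


def characterize(answers, asn_of, threshold=0.5):
    """Return (score, indicator); indicator True means fast-flux activity is present."""
    score = fast_flux_score(domain_features(answers), ip_features(answers, asn_of))
    return round(score, 3), score >= threshold


# Constructed stand-in for an IP-to-ASN lookup, keyed by the first two octets.
CONSTRUCTED_ASN = {"192.0": 64500, "198.51": 64501, "203.0": 64502,
                   "100.64": 64503, "10.10": 64504}


def asn_of(ip):
    return CONSTRUCTED_ASN.get(".".join(ip.split(".")[:2]), 0)


_PREFIXES = list(CONSTRUCTED_ASN)
# Constructed flux-like history: 6 answers, 4 fresh IPs each, spread over 5 ASNs, TTL 60.
FLUX_ANSWERS = [
    DnsAnswer(ts=i * 60, ttl=60,
              ips=tuple(f"{_PREFIXES[(i + j) % 5]}.{i}.{j + 1}" for j in range(4)))
    for i in range(6)
]
# Constructed stable history: the same two IPs every time, one-hour TTL, one ASN.
STABLE_ANSWERS = [
    DnsAnswer(ts=i * 3600, ttl=3600, ips=("203.0.113.10", "203.0.113.11"))
    for i in range(6)
]

if __name__ == "__main__":
    print("flux  :", characterize(FLUX_ANSWERS, asn_of))
    print("stable:", characterize(STABLE_ANSWERS, asn_of))
```

    A CDN-fronted domain also returns many IPs with short TTLs, which is why the IP-side features (ASN and prefix spread) carry the largest weight here: a CDN's edge addresses normally sit in one or two ASNs, whereas a flux network built from compromised hosts spans many.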


Data-driven detection of servers and clients
    3.
    Granted invention patent
    Data-driven detection of servers and clients (in force)

    Publication number: US09331916B1

    Publication date: 2016-05-03

    Application number: US13832280

    Filing date: 2013-03-15

    CPC classification number: H04L43/04 H04L41/142 H04L43/028

    Abstract: An improved technique involves processing network traffic data to automatically establish whether a device on the network satisfies a particular set of constraints. Along these lines, a SIEM server observes and processes incoming and outgoing traffic data corresponding to a particular device at an address of the network. The SIEM server then analyzes this traffic data in order to determine whether the data satisfies a set of constraints satisfied by a client, or another set of constraints satisfied by a server. The SIEM server then applies the label of “client” or “server” to the device according to which set of constraints the SIEM server determines the data to have satisfied.
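    Worked example (added here for illustration; not the patent's or any SIEM product's code): constraint sets for "client" and "server" evaluated over flow records for one address. The flow record shape, the two constraint sets, their cut-offs and the sample flows are assumptions made for this example.

```python
"""Labelling a network address as client or server from observed flows.

Added illustrative example. The flow record shape, the two constraint sets
and their cut-offs are assumptions for this example, not the patent's.
"""
from collections import Counter, namedtuple

# One connection as the SIEM would see it: who initiated it, to which port.
Flow = namedtuple("Flow", "initiator_ip initiator_port responder_ip responder_port")

EPHEMERAL_PORT_START = 32768   # Linux default ip_local_port_range lower bound


def traffic_profile(flows, address):
    """Summarise the traffic in which `address` takes part, or None if unseen."""
    inbound = [f for f in flows if f.responder_ip == address]     # others connect to it
    outbound = [f for f in flows if f.initiator_ip == address]    # it connects to others
    total = len(inbound) + len(outbound)
    if total == 0:
        return None
    ephemeral_out = sum(1 for f in outbound if f.initiator_port >= EPHEMERAL_PORT_START)
    return {
        "inbound_fraction": len(inbound) / total,
        "n_inbound_peers": len({f.initiator_ip for f in inbound}),
        "n_inbound_ports": len(Counter(f.responder_port for f in inbound)),
        "n_outbound_peers": len({f.responder_ip for f in outbound}),
        "outbound_ephemeral_fraction": ephemeral_out / len(outbound) if outbound else 0.0,
    }


def satisfies_server_constraints(profile):
    """Mostly accepts connections, from several peers, on a few fixed ports."""
    return (profile["inbound_fraction"] >= 0.8
            and profile["n_inbound_ports"] <= 3
            and profile["n_inbound_peers"] >= 3)


def satisfies_client_constraints(profile):
    """Mostly initiates connections, from ephemeral ports, to several peers."""
    return (profile["inbound_fraction"] <= 0.2
            and profile["outbound_ephemeral_fraction"] >= 0.9
            and profile["n_outbound_peers"] >= 2)


def label_device(flows, address):
    """Apply the "server" or "client" label, or say why neither fits yet."""
    profile = traffic_profile(flows, address)
    if profile is None:
        return "unobserved"
    if satisfies_server_constraints(profile):
        return "server"
    if satisfies_client_constraints(profile):
        return "client"
    return "unlabeled"


# Constructed flows: 10.0.0.10 serves HTTPS to five hosts and makes one DNS
# lookup; 10.0.0.20 browses out to several destinations. Not real traffic.
SAMPLE_FLOWS = [
    Flow(f"10.0.0.{n}", 40000 + n, "10.0.0.10", 443) for n in range(20, 25)
] + [
    Flow("10.0.0.10", 51234, "10.0.0.53", 53),
    Flow("10.0.0.20", 40101, "203.0.113.7", 443),
    Flow("10.0.0.20", 40102, "198.51.100.3", 80),
    Flow("10.0.0.20", 40103, "10.0.0.53", 53),
]

if __name__ == "__main__":
    for addr in ("10.0.0.10", "10.0.0.20", "10.0.0.53", "10.0.0.99"):
        print(addr, label_device(SAMPLE_FLOWS, addr))
```

    The DNS resolver 10.0.0.53 stays "unlabeled" in this sample because only two peers have been seen connecting to it; with the peer cut-off at three, the label is deferred until more traffic has been observed rather than guessed. Note that the approach depends on the flow source correctly recording which side initiated the connection.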


User authentication
    5.
    Granted invention patent
    User authentication (in force)

    Publication number: US09560027B1

    Publication date: 2017-01-31

    Application number: US13852187

    Filing date: 2013-03-28

    CPC classification number: H04L63/08 H04W4/027 H04W12/06

Abstract: Some techniques for processing an authentication request are disclosed. In one example, a method determines the velocity between authentication requests of the user associated with the requests, determines the likelihood that the location associated with one of the requests is actually the user's location, and generates an authentication result based on that likelihood.
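    Worked example (added here for illustration; not the patent's or any adaptive-authentication product's code): the velocity between two consecutive requests from the great-circle distance and elapsed time, a likelihood that the new location is genuine, and an allow / step-up / deny result. The plausible-speed limit, the likelihood function, the decision bands and the sample requests are assumptions made for this example.

```python
"""Velocity check between consecutive authentication requests.

Added illustrative example. The plausible-speed limit, the likelihood
function and the decision thresholds are assumptions for this example,
not the patent's.
"""
import math
from dataclasses import dataclass
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # roughly airline cruising speed (assumed limit)


@dataclass(frozen=True)
class AuthRequest:
    user: str
    when: datetime      # timezone-aware
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def velocity_kmh(prev, cur):
    """Speed the user would have needed to travel between the two requests."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        return 0.0 if dist < 1.0 else math.inf   # same place, or a jump with no elapsed time
    return dist / hours


def location_likelihood(speed_kmh):
    """Likelihood that the new location is really the user's: 1 up to the
    plausible speed, falling linearly to 0 at twice that speed."""
    if speed_kmh <= MAX_PLAUSIBLE_KMH:
        return 1.0
    return max(0.0, 1.0 - (speed_kmh - MAX_PLAUSIBLE_KMH) / MAX_PLAUSIBLE_KMH)


def authenticate(prev, cur):
    """Return the authentication result for `cur` given the user's previous request."""
    if prev is None:                      # no history: nothing to compare against
        return {"velocity_kmh": 0.0, "likelihood": 1.0, "result": "allow"}
    speed = velocity_kmh(prev, cur)
    likelihood = location_likelihood(speed)
    if likelihood >= 0.9:
        result = "allow"
    elif likelihood >= 0.3:
        result = "step_up"                # challenge with a second factor
    else:
        result = "deny"
    return {"velocity_kmh": round(speed, 1), "likelihood": round(likelihood, 3), "result": result}


def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed requests for one user (not real data).
NEW_YORK = AuthRequest("alice", _utc(2024, 5, 1, 12, 0), 40.7128, -74.0060)
NEWARK_20MIN_LATER = AuthRequest("alice", _utc(2024, 5, 1, 12, 20), 40.7357, -74.1724)
LOS_ANGELES_30MIN_LATER = AuthRequest("alice", _utc(2024, 5, 1, 12, 30), 34.0522, -118.2437)
CHICAGO_1H_LATER = AuthRequest("alice", _utc(2024, 5, 1, 13, 0), 41.8781, -87.6298)
LONDON_NEXT_DAY = AuthRequest("alice", _utc(2024, 5, 2, 13, 0), 51.5074, -0.1278)

if __name__ == "__main__":
    for cur in (NEWARK_20MIN_LATER, LOS_ANGELES_30MIN_LATER, CHICAGO_1H_LATER, LONDON_NEXT_DAY):
        print(cur.when.isoformat(), authenticate(NEW_YORK, cur))
```

    Two requests with identical timestamps but different places yield an infinite velocity and a deny, which is the right default for replayed or spoofed sessions. In practice the location comes from IP geolocation, whose error radius (VPN exits, mobile carrier gateways) should widen the "same place" tolerance well beyond the 1 km used here.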


Information processing systems with security-related feedback
    6.
    Granted invention patent
    Information processing systems with security-related feedback (in force)

    Publication number: US09558346B1

    Publication date: 2017-01-31

    Application number: US13903390

    Filing date: 2013-05-28

    Abstract: An information processing system implements a security system. The security system comprises a classifier configured to process information characterizing events in order to generate respective risk scores, and a data store coupled to the classifier and configured to store feedback relating to one or more attributes associated with an assessment of the risk scores by one or more users. The classifier is configured to utilize the feedback regarding the risk scores to learn riskiness of particular events and to adjust its operation based on the learned riskiness, such that the risk score generated by the classifier for a given one of the events is based at least in part on the feedback received regarding risk scores generated for one or more previous ones of the events.
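    Worked example (added here for illustration; not the patent's classifier or any product's code): a logistic risk scorer with a feedback store, where each analyst verdict on an earlier event's score nudges the weights, so later scores depend on that feedback. The feature set, the update rule, the learning rate and the sample events are assumptions made for this example.

```python
"""Risk-scoring classifier that learns from analyst feedback.

Added illustrative example. The feature set, the logistic scorer and the
online update rule are assumptions for this example, not the patent's
classifier.
"""
import math

FEATURES = ("failed_logins", "new_device", "off_hours")


class FeedbackClassifier:
    """Logistic risk scorer whose weights are nudged by stored feedback."""

    def __init__(self, features=FEATURES, learning_rate=0.2):
        self.features = features
        self.weights = {f: 1.0 for f in features}   # initial, hand-set weights
        self.bias = 0.0
        self.learning_rate = learning_rate
        self.feedback_store = []                     # (event, analyst label) pairs

    def risk_score(self, event):
        """Risk in [0, 1] for an event given as {feature: value}."""
        z = self.bias + sum(self.weights[f] * event.get(f, 0.0) for f in self.features)
        return 1.0 / (1.0 + math.exp(-z))

    def record_feedback(self, event, analyst_label):
        """Store the analyst's verdict (1 = truly risky, 0 = false positive) and
        move the weights so that scores for similar events track the verdict."""
        self.feedback_store.append((dict(event), analyst_label))
        error = analyst_label - self.risk_score(event)     # gradient step on log-loss
        for f in self.features:
            self.weights[f] += self.learning_rate * error * event.get(f, 0.0)
        self.bias += self.learning_rate * error


# Constructed events (not real telemetry).
NOISY_EVENT = {"new_device": 1.0, "off_hours": 1.0}      # analysts keep closing as benign
BRUTE_FORCE_EVENT = {"failed_logins": 1.0}                # an unrelated event type


def demo(rounds=5):
    """Score both events, feed back `rounds` false-positive verdicts on the noisy
    one, and report how both scores moved."""
    clf = FeedbackClassifier()
    noisy_before = clf.risk_score(NOISY_EVENT)
    brute_before = clf.risk_score(BRUTE_FORCE_EVENT)
    for _ in range(rounds):
        clf.record_feedback(NOISY_EVENT, 0)
    return {
        "noisy_before": round(noisy_before, 3),
        "noisy_after": round(clf.risk_score(NOISY_EVENT), 3),
        "brute_before": round(brute_before, 3),
        "brute_after": round(clf.risk_score(BRUTE_FORCE_EVENT), 3),
        "feedback_entries": len(clf.feedback_store),
    }


if __name__ == "__main__":
    print(demo())
```

    The side effect visible in `brute_after` is worth noting: the bias term is shared, so repeated "false positive" verdicts on one event type also lower the score of an unrelated event type. A production system would update only the weights of features present in the event, or keep per-event-type biases, and would rate-limit how far a single analyst's feedback can move the model.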


Detecting risky domains
    7.
    Granted invention patent
    Detecting risky domains (in force)

    Publication number: US09462009B1

    Publication date: 2016-10-04

    Application number: US14501485

    Filing date: 2014-09-30

    CPC classification number: H04L63/1425

Abstract: A technique for detecting risky domains is disclosed. The technique comprises collecting information in connection with a domain, generating a profile comprising at least one metric associated with the domain from the collected information, and determining the riskiness of the domain from the generated profile.
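    Worked example (added here for illustration; not the patent's profile or any product's code): a domain profile built from lexical metrics of the name plus collected registration and resolution data, with riskiness as a weighted, logistically squashed combination. The collected fields, the metrics, the weights and the two sample domains are assumptions made for this example.

```python
"""Profiling a domain and scoring its riskiness.

Added illustrative example. The collected fields, the metrics and the
weights are assumptions for this example, not the patent's profile.
"""
import math
from collections import Counter

# Constructed "collected information" for two domains (not real lookups).
COLLECTED = {
    "example-bank.com": {
        "registered_days_ago": 4200,
        "first_seen_by_us_days_ago": 900,
        "clients_resolving": 340,
    },
    "xk7qz-login-secure-update.top": {
        "registered_days_ago": 3,
        "first_seen_by_us_days_ago": 0,
        "clients_resolving": 2,
    },
}


def shannon_entropy(text):
    """Bits per character of the string's own character distribution."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain):
    # Label left of the TLD. Assumed: no public-suffix list handling here,
    # so "foo.co.uk" would wrongly yield "co".
    return domain.split(".")[-2]


def build_profile(domain, info):
    """Profile: a dict of metrics derived from the name and the collected info."""
    label = registrable_label(domain)
    return {
        "label_entropy": round(shannon_entropy(label), 3),
        "label_length": len(label),
        "digit_fraction": sum(ch.isdigit() for ch in label) / len(label),
        "hyphens": label.count("-"),
        "age_days": info["registered_days_ago"],
        "first_seen_days": info["first_seen_by_us_days_ago"],
        "popularity": info["clients_resolving"],
    }


def riskiness(profile):
    """Riskiness in [0, 1]: weighted evidence passed through a logistic squash."""
    z = -2.0
    z += 1.5 * max(0.0, profile["label_entropy"] - 3.0)     # high-entropy labels
    z += 0.08 * max(0, profile["label_length"] - 12)         # unusually long labels
    z += 2.0 * profile["digit_fraction"]
    z += 0.5 * profile["hyphens"]
    z += 2.5 * (1.0 if profile["age_days"] < 30 else 0.0)   # newly registered
    z += 1.0 * (1.0 if profile["first_seen_days"] < 7 else 0.0)
    z -= 0.4 * math.log10(1 + profile["popularity"])         # widely used: less risky
    return 1.0 / (1.0 + math.exp(-z))


def assess(domain, info=None):
    """Return (riskiness, profile) for a domain, using COLLECTED when no info is given."""
    profile = build_profile(domain, info or COLLECTED[domain])
    return round(riskiness(profile), 3), profile


if __name__ == "__main__":
    for name in COLLECTED:
        print(name, assess(name))
```

    Popularity is deliberately the only negative term: a long, hyphenated, high-entropy name that hundreds of internal clients resolve is far more likely a SaaS vendor than a phishing site, and without that term lexical metrics alone would flag it.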


Authentication system with selective authentication method based on risk reasoning
    8.
    Granted invention patent
    Authentication system with selective authentication method based on risk reasoning (in force)

    Publication number: US09160726B1

    Publication date: 2015-10-13

    Application number: US13931151

    Filing date: 2013-06-28

    CPC classification number: H04L63/08

Abstract: Authentication systems are provided that select an authentication method to be applied to a given transaction from among a plurality of available authentication methods based on risk reasoning. An authentication request from an authentication requestor for a given transaction is processed by receiving the authentication request from the authentication requestor and selecting an authentication method to be applied to the given transaction from among a plurality of available authentication methods based on an evaluation of one or more predefined risk reasons with respect to the available authentication methods. The predefined risk reasons associated with a given transaction comprise, for example, the set of risk reasons that contribute to the risk score assigned to that transaction. The evaluation may employ one or more of rule-based, heuristic and Bayesian techniques.
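    Worked example (added here for illustration; not the patent's rules or any product's code): a rule-based evaluation in which each available method lists the risk reasons that undermine it, and the strongest enrolled method not undermined by any reason behind the transaction's score is chosen. The method catalogue, the reason-to-method mapping, the score bands and the enrolment records are assumptions made for this example.

```python
"""Selecting an authentication method from a transaction's risk reasons.

Added illustrative example. The method catalogue, which risk reasons
undermine which methods, and the score bands are assumptions for this
example, not the patent's rules.
"""
from dataclasses import dataclass, field

# Available methods: assurance strength and the risk reasons that make each
# one a poor choice (e.g. pushing a prompt to a device the attacker may hold).
METHODS = {
    "hardware_token":      {"strength": 4, "undermined_by": set()},
    "push_to_device":      {"strength": 3, "undermined_by": {"new_device", "device_malware_indicator"}},
    "sms_otp":             {"strength": 2, "undermined_by": {"phone_number_changed", "sim_swap_indicator"}},
    "knowledge_questions": {"strength": 1, "undermined_by": {"credential_stuffing", "pii_exposed"}},
}

STEP_UP_SCORE = 50     # below this, no additional authentication
HIGH_RISK_SCORE = 90   # at or above this, demand a method of strength >= 3


@dataclass
class Transaction:
    user: str
    risk_score: int
    risk_reasons: set = field(default_factory=set)   # the reasons behind the score


def select_method(txn, enrolled):
    """Pick the strongest enrolled method not undermined by any risk reason.

    Returns None when no step-up is needed and "manual_review" when no
    enrolled method remains trustworthy for this transaction.
    """
    if txn.risk_score < STEP_UP_SCORE:
        return None
    candidates = [m for m in enrolled
                  if m in METHODS and not (METHODS[m]["undermined_by"] & txn.risk_reasons)]
    if txn.risk_score >= HIGH_RISK_SCORE:
        candidates = [m for m in candidates if METHODS[m]["strength"] >= 3]
    if not candidates:
        return "manual_review"
    return max(candidates, key=lambda m: METHODS[m]["strength"])


# Constructed enrolment records (not real data).
ENROLLED = {
    "alice": ["push_to_device", "sms_otp", "knowledge_questions"],
    "bob": ["hardware_token", "push_to_device"],
}

if __name__ == "__main__":
    cases = [
        Transaction("alice", 20),
        Transaction("alice", 70, {"new_device"}),
        Transaction("alice", 70, {"new_device", "sim_swap_indicator"}),
        Transaction("alice", 95, {"new_device"}),
        Transaction("bob", 95, {"new_device"}),
    ]
    for txn in cases:
        print(txn.user, txn.risk_score, sorted(txn.risk_reasons),
              "->", select_method(txn, ENROLLED[txn.user]))
```

    The point of keying the choice on the reasons rather than on the score alone shows in the second and third cases: the same score of 70 routes to SMS when only the device is unfamiliar, but away from SMS when a SIM-swap indicator is also present. The selection must be made server-side from the risk engine's own reasons; letting the client nominate its preferred method reopens the downgrade the rules are meant to prevent.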


Detecting risky network communications based on evaluation using normal and abnormal behavior profiles
    9.
    Granted invention patent
    Detecting risky network communications based on evaluation using normal and abnormal behavior profiles (in force)

    Publication number: US09154516B1

    Publication date: 2015-10-06

    Application number: US14039881

    Filing date: 2013-09-27

    CPC classification number: H04L63/1425

    Abstract: A technique detects riskiness of a communication in a network based on behavior profiling. The technique involves generating a network history baseline (e.g., normal and abnormal behavior profiles) from prior network communications occurring in the network. The technique further involves, for a new network communication, assigning the new network communication a risk score based on a comparison of the new network communication to the network history baseline. The risk score is a numerical measure of behavioral normalcy relative to the prior network communications occurring in the network. The technique further involves providing an output signal having a first value when the risk score is above a predefined risk threshold to indicate that the communication is risky, and a second value which is different than the first value when the risk score is below the predefined risk threshold to indicate that the communication is not risky.
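    Worked example (added here for illustration; not the patent's method or any product's code): a baseline built from prior communications as two per-feature profiles, normal and abnormal, with a new communication's risk score taken from its standardised distance to each, and a two-valued output signal around a threshold. The feature vector, the distance-ratio score, the threshold and the sample communications are assumptions made for this example.

```python
"""Risk-scoring a network communication against normal and abnormal profiles.

Added illustrative example. The feature vector, the nearest-profile score
and the threshold are assumptions for this example, not the patent's.
"""
import math
from statistics import mean, pstdev

FEATURES = ("bytes_out", "duration_s", "hour_of_day", "dst_port_rarity")
RISKY, NOT_RISKY = 1, 0          # the two output signal values


class BehaviorProfile:
    """Per-feature mean and standard deviation of a set of prior communications."""

    def __init__(self, comms):
        self.mean = {f: mean(c[f] for c in comms) for f in FEATURES}
        self.std = {f: pstdev(c[f] for c in comms) or 1.0 for f in FEATURES}

    def distance(self, comm, scale):
        """Euclidean distance to this profile's centre, each feature divided by `scale`."""
        return math.sqrt(sum(((comm[f] - self.mean[f]) / scale[f]) ** 2 for f in FEATURES))


class NetworkBaseline:
    """Network history baseline: a normal and an abnormal behavior profile."""

    def __init__(self, normal_comms, abnormal_comms):
        self.normal = BehaviorProfile(normal_comms)
        self.abnormal = BehaviorProfile(abnormal_comms)
        self.scale = self.normal.std          # standardise by what "normal" looks like

    def risk_score(self, comm):
        """0 = sits on the normal profile, 1 = sits on the abnormal profile."""
        d_norm = self.normal.distance(comm, self.scale)
        d_abn = self.abnormal.distance(comm, self.scale)
        return d_norm / (d_norm + d_abn) if d_norm + d_abn > 0 else 0.0

    def output_signal(self, comm, threshold=0.5):
        return RISKY if self.risk_score(comm) > threshold else NOT_RISKY


def _comm(bytes_out, duration_s, hour_of_day, dst_port_rarity):
    return {"bytes_out": bytes_out, "duration_s": duration_s,
            "hour_of_day": hour_of_day, "dst_port_rarity": dst_port_rarity}


# Constructed prior communications (not real traffic). Normal: small
# business-hours transfers to common ports. Abnormal: large night-time
# uploads to ports rarely seen on this network.
NORMAL_COMMS = [_comm(4_000, 2, 9, 0.01), _comm(12_000, 5, 11, 0.02),
                _comm(30_000, 8, 14, 0.01), _comm(8_000, 3, 16, 0.03),
                _comm(20_000, 6, 10, 0.02)]
ABNORMAL_COMMS = [_comm(500_000_000, 3600, 3, 0.90), _comm(200_000_000, 1800, 2, 0.80),
                  _comm(900_000_000, 7200, 4, 0.95)]
BASELINE = NetworkBaseline(NORMAL_COMMS, ABNORMAL_COMMS)

# Two new communications to evaluate.
NIGHT_UPLOAD = _comm(800_000_000, 5000, 3, 0.90)
DAYTIME_BROWSE = _comm(15_000, 4, 11, 0.02)

if __name__ == "__main__":
    for name, c in (("night upload", NIGHT_UPLOAD), ("daytime browse", DAYTIME_BROWSE)):
        print(f"{name}: score={BASELINE.risk_score(c):.3f} signal={BASELINE.output_signal(c)}")
```

    Because the features are standardised by the normal profile's spread, the byte count dominates the distance in this sample; in practice heavy-tailed features such as byte counts are log-transformed first so that a single feature cannot mask, say, an unusual destination port.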


Data driven device detection
    10.
    Granted invention patent
    Data driven device detection (in force)

    Publication number: US09130985B1

    Publication date: 2015-09-08

    Application number: US13931830

    Filing date: 2013-06-29

    Abstract: Data driven device detection is provided, whereby a device is detected by obtaining a plurality of feature values for a given device; obtaining a set of device attributes for a plurality of potential devices; calculating a probability value that the given device is each potential device within the plurality of potential devices; identifying a candidate device associated with a maximum probability value among the calculated probability values; and labeling the given device as the candidate device if the associated maximum probability value satisfies a predefined threshold. The predefined threshold can be a function, for example, of whether the given user has previously used this device. The obtained feature values can be obtained for a selected set of features satisfying one or more predefined characteristic criteria. The device attributes can be obtained, for example, from a profile for each of the plurality of potential devices.
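    Worked example (added here for illustration; not the patent's model or any product's code): per-device probabilities from observed feature values under a naive per-attribute match model, the candidate with the maximum probability, and a threshold that depends on whether the user has used that device before. The attribute set, the match likelihoods, the two thresholds and the device profiles are assumptions made for this example.

```python
"""Data-driven device identification by maximum probability.

Added illustrative example. The attribute set, the match/mismatch
likelihoods and the two thresholds are assumptions for this example,
not the patent's model.
"""

ATTRIBUTES = ("os", "browser", "screen", "timezone")
P_MATCH, P_MISMATCH = 0.9, 0.1      # assumed likelihood of an attribute agreeing with its profile

# A device the user has used before needs less evidence than an unfamiliar one (assumed values).
THRESHOLD_KNOWN_DEVICE = 0.6
THRESHOLD_UNKNOWN_DEVICE = 0.95


def device_probabilities(observed, profiles):
    """P(device | observed features) under a naive per-attribute model with a uniform prior."""
    likelihood = {}
    for name, attrs in profiles.items():
        l = 1.0
        for attr in ATTRIBUTES:
            l *= P_MATCH if observed.get(attr) == attrs.get(attr) else P_MISMATCH
        likelihood[name] = l
    total = sum(likelihood.values())
    return {name: l / total for name, l in likelihood.items()}


def detect_device(observed, profiles, previously_used_by_user):
    """Return (label, probability); label is None when the best candidate is below threshold."""
    if not profiles:
        return None, 0.0
    probs = device_probabilities(observed, profiles)
    candidate = max(probs, key=probs.get)
    p = probs[candidate]
    threshold = (THRESHOLD_KNOWN_DEVICE if candidate in previously_used_by_user
                 else THRESHOLD_UNKNOWN_DEVICE)
    return (candidate if p >= threshold else None), round(p, 3)


# Constructed device profiles for one user (not real fingerprints).
PROFILES = {
    "laptop": {"os": "windows", "browser": "chrome", "screen": "1920x1080", "timezone": "UTC-5"},
    "phone":  {"os": "ios",     "browser": "safari", "screen": "390x844",   "timezone": "UTC-5"},
    "tablet": {"os": "android", "browser": "chrome", "screen": "1280x800",  "timezone": "UTC+1"},
}
# The laptop as seen while travelling: everything matches except the timezone.
OBSERVED = {"os": "windows", "browser": "chrome", "screen": "1920x1080", "timezone": "UTC+1"}

if __name__ == "__main__":
    print(device_probabilities(OBSERVED, PROFILES))
    print("known user  :", detect_device(OBSERVED, PROFILES, {"laptop", "phone"}))
    print("unknown user:", detect_device(OBSERVED, PROFILES, set()))
```

    The same observation is labelled "laptop" for a user who has used that laptop before and left unlabelled for a user who has not, even though the probability (about 0.9) is identical: the threshold, not the model, encodes how much a prior relationship is trusted. A real deployment would weight attributes by how stable they are (timezone changes when travelling; screen resolution rarely does) instead of the single P_MATCH used here.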

