Abstract:
Methods, apparatus and articles of manufacture for behavioral detection of suspicious host activities in an enterprise are provided herein. A method includes processing log data derived from one or more data sources associated with an enterprise network over a given period of time, wherein the enterprise network comprises multiple host devices; extracting one or more features from said log data on a per host device basis, wherein said extracting comprises: determining a pattern of behavior associated with the multiple host devices based on said processing; and identifying said features representative of host device behavior based on the determined pattern of behavior; clustering the multiple host devices into one or more groups based on said one or more features; and identifying a behavioral anomaly associated with one of the multiple host devices by comparing said host device to the one or more groups across the multiple host devices.
Abstract:
Methods, apparatus and articles of manufacture for detecting suspicious web traffic are provided herein. A method includes generating a database comprising information corresponding to each of multiple connections between one or more destinations external to an enterprise network and one or more hosts within the enterprise network, wherein said multiple connections occur over a given period of time; processing multiple additional connections between one or more destinations external to the enterprise network and one or more hosts within the enterprise network with one or more filtering operations to produce one or more filtered connections, wherein said multiple additional connections occur subsequent to said given period of time; and analyzing said filtered connections against the database to identify a connection to a destination external to the enterprise network that is not included in the information in the database.
Abstract:
Time correction records are created for correcting timestamps of network logs to identify timing of network events in a predetermined time reference frame, the network logs being created by logging devices generating the timestamps in device time reference frames. For each logging device, one or more network events are generated or identified at respective event times in the predetermined time reference frame, each network event having a corresponding event-related network log from the logging device and a respective timestamp in a device time reference frame. For each network event, a respective difference value is calculated as a difference between the event time and a respective timestamp from a network log. For each logging device, a selection function is applied to the difference values to calculate a correction value, and the correction value is stored along with an identifier of the logging device in a time correction record.
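An added example, not code from the patent: the per-device correction value computed as described, using the median as the selection function so one bad sample does not skew the record. The device names and timestamp pairs are constructed, and the reference frame is assumed to be seconds on a trusted collector clock.

```python
from statistics import median

# Constructed sample input (not from the patent): per logging device, pairs of
# (event time in the reference frame, timestamp the device wrote for that event),
# both in seconds. fw-01 runs ~3 s fast and has one wildly wrong sample; proxy-02 runs 60 s slow.
SAMPLE_EVENTS = {
    "fw-01": [(1000.0, 1003.1), (2000.0, 2002.9), (3000.0, 3003.0), (4000.0, 4180.0)],
    "proxy-02": [(1000.0, 940.0), (2000.0, 1940.2), (3000.0, 2939.8)],
}


def build_time_correction_records(events_by_device, select=median):
    """Per device: difference = event_time - device_timestamp for each event, then a
    selection function reduces the differences to one correction value. The median is
    used here so a single bad sample (fw-01's last pair) does not skew the record.
    Returns {device_id: correction_seconds}, i.e. the time correction records."""
    records = {}
    for device_id, pairs in events_by_device.items():
        diffs = [event_time - device_ts for event_time, device_ts in pairs]
        if diffs:
            records[device_id] = select(diffs)
    return records


def to_reference_time(records, device_id, device_ts):
    """Apply a device's correction value to a timestamp taken from one of its logs."""
    return device_ts + records[device_id]


def order_in_reference_frame(records, log_lines):
    """Sort log lines (device_id, device_ts, message) from several devices by their
    corrected time, so events can be sequenced across devices with different clocks."""
    return sorted(log_lines, key=lambda line: to_reference_time(records, line[0], line[1]))


if __name__ == "__main__":
    recs = build_time_correction_records(SAMPLE_EVENTS)
    # Raw device timestamps put the proxy event first; corrected times put the firewall event first.
    sample_logs = [("proxy-02", 1450.0, "GET /"), ("fw-01", 1500.0, "allow tcp")]
    for dev, ts, msg in order_in_reference_frame(recs, sample_logs):
        print(f"{to_reference_time(recs, dev, ts):.2f} {dev} {msg}")
```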
Abstract:
A threat detection system for detecting threat activity in a protected computer system includes anomaly sensors of distinct types including user-activity sensors, host-activity sensors and application-activity sensors. Each sensor builds a history of pertinent activity over a training period, and during a subsequent detection period the sensor compares current activity to the history to detect new activity. The new activity is identified in respective sensor output. A set of correlators of distinct types are used that correspond to different stages of threat activity according to modeled threat behavior. Each correlator receives output of one or more different-type sensors and applies logical and/or temporal testing to detect activity patterns of the different stages. The results of the logical and/or temporal testing are used to generate alert outputs for a human or machine user.
Abstract:
Methods, apparatus and articles of manufacture for modeling user working time using authentication events within an enterprise network are provided herein. A method includes collecting multiple instances of activity within an enterprise network over a specified period of time, wherein said multiple instances of activity are attributed to a given device; creating a model based on said collected instances of activity, wherein said model comprises a temporal pattern of activity within the enterprise network associated with the given device; and generating an alert upon detecting an instance of activity within the enterprise network associated with the given device that is (i) inconsistent with the temporal pattern of the model and (ii) in violation of one or more security parameters.
Abstract:
There is disclosed a method for use in credential recovery. In one exemplary embodiment, the method comprises determining a policy that requires at least one trusted entity to verify the identity of a first entity in order to facilitate credential recovery. The method also comprises receiving at least one communication that confirms verification of the identity of the first entity by at least one trusted entity. The method further comprises permitting credential recovery based on the received verification.
Abstract:
Mapping network addresses in logs of network activity to corresponding host computers includes generating lists of known-dynamic addresses, static addresses and other-dynamic addresses from network addresses appearing in the logs. The static addresses and other-dynamic addresses are assigned to host computers having respective first host identifiers, and the known-dynamic addresses are associated with corresponding host computers having respective second host computer identifiers contained in dynamic address assignment activity. For the static and other-dynamic addresses, the first host identifiers are obtained, and first address-to-host bindings are created for address-based lookups of first host identifiers using respective addresses. For the known-dynamic addresses, the second host computer identifiers and log-time information from the dynamic address activity are used to create second address-to-host bindings usable to perform address-based lookup of second host identifiers and corresponding use-time information using respective addresses to which the second host identifiers are bound.
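An added example, not code from the patent: the three address classes and the two kinds of address-to-host binding described above, with a time-aware lookup for known-dynamic addresses. The log addresses, static inventory, DHCP lease events and the `other_dynamic_resolver` stand-in are all constructed assumptions.

```python
from bisect import bisect_right
from collections import defaultdict

# Constructed sample inputs (not from the patent).
LOG_ADDRESSES = {"10.0.0.5", "10.0.1.20", "10.0.1.21", "10.0.2.9", "10.0.3.3"}  # seen in activity logs
STATIC_INVENTORY = {"10.0.0.5": "srv-db01"}  # addresses known to be statically assigned
# Dynamic address assignment activity as (log_time, address, host_id); a later lease on the
# same address ends the earlier one.
DHCP_EVENTS = [(100, "10.0.1.20", "lap-alice"), (400, "10.0.1.20", "lap-bob"), (200, "10.0.1.21", "lap-carol")]


def other_dynamic_resolver(address):
    """Hypothetical stand-in for whatever directory assigns other-dynamic addresses to hosts."""
    return {"10.0.2.9": "wks-dave"}.get(address)


def classify_addresses(log_addresses, static_inventory, dhcp_events):
    """Split log addresses into known-dynamic (seen in DHCP activity), static, and other-dynamic."""
    dynamic = {addr for _, addr, _ in dhcp_events}
    known_dynamic = log_addresses & dynamic
    static = (log_addresses & set(static_inventory)) - dynamic
    other_dynamic = log_addresses - dynamic - set(static_inventory)
    return known_dynamic, static, other_dynamic


def build_bindings(log_addresses, static_inventory, dhcp_events, resolver):
    """First bindings: address -> host id (static and other-dynamic addresses). Second bindings:
    address -> lease history [(lease_start, host_id), ...] sorted by time (known-dynamic)."""
    known_dynamic, static, other_dynamic = classify_addresses(log_addresses, static_inventory, dhcp_events)
    first = {addr: static_inventory[addr] for addr in static}
    for addr in other_dynamic:
        host = resolver(addr)
        if host:
            first[addr] = host
    second = defaultdict(list)
    for log_time, addr, host in sorted(dhcp_events):
        if addr in known_dynamic:
            second[addr].append((log_time, host))
    return first, dict(second)


def lookup_host(first, second, address, log_time):
    """Return (host_id, bound_since). First bindings ignore time; second bindings pick the lease
    in force at log_time. (None, None) when no binding covers the address at that time."""
    if address in first:
        return first[address], None
    leases = second.get(address, [])
    i = bisect_right([start for start, _ in leases], log_time) - 1
    return (leases[i][1], leases[i][0]) if i >= 0 else (None, None)
```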
Abstract:
A processing device comprises a processor coupled to a memory and is configured to obtain data characterizing host devices of a computer network of an enterprise. The data is applied to a logistic regression model to generate malware infection risk scores for respective ones of the host devices. The malware infection risk scores indicate likelihoods that the respective host devices will become infected with malware. The logistic regression model incorporates features of the host devices including at least user demographic features, virtual private network (VPN) activity features and web activity features of the host devices, and the data characterizing the host devices comprises data for the incorporated features. Proactive measures are taken to prevent malware infection in a subset of the host devices based at least in part on the malware infection risk scores. The processing device may be implemented in the computer network or an associated network security system.
Abstract:
Methods, apparatus and articles of manufacture for identifying suspicious user logins in enterprise networks are provided herein. A method includes processing log data derived from one or more data sources associated with an enterprise network, wherein the enterprise network comprises multiple hosts; generating a set of profiles, wherein the set comprises a profile corresponding to each of multiple users and a profile corresponding to each of the multiple hosts, wherein each profile comprises one or more login patterns based on historical login information derived from said log data; and analyzing a login instance within the enterprise network against the set of profiles.