Detecting and mitigating malware by evaluating HTTP errors

    Publication (announcement) number: US11632393B2

    Publication (announcement) date: 2023-04-18

    Application number: US17072711

    Filing date: 2020-10-16

    IPC classification: H04L9/40 G06N20/00

    Abstract: Malware is detected and mitigated by differentiating HTTP error generation patterns between errors generated by malware, and errors generated by benign users/software. In one embodiment, a malware detector system receives traffic that includes HTTP errors and successful HTTP requests. Error traffic and the successful request traffic are segmented for further analysis. The error traffic is supplied to a clustering component, which groups the errors, e.g., based on their URI pages and parameters. During clustering, various statistical features are extracted (as feature vectors) from one or more perspectives, namely, error provenance, error generation, and error recovery. The feature vectors are supplied to a classifier component, which is trained to distinguish malware-generated errors from benign errors. Once trained, the classifier takes an error cluster and its surrounding successful HTTP requests as inputs, and it produces a verdict on whether a particular cluster is malicious. The classifier output then drives an automated mitigation operation.

    Graphical temporal graph pattern editor

    Publication (announcement) number: US11330007B2

    Publication (announcement) date: 2022-05-10

    Application number: US16725207

    Filing date: 2019-12-23

    IPC classification: H04L29/06

    Abstract: An interactive display system enables a user to compose a graph pattern for a temporal graph on a display screen. The system comprises a canvas that provides an interactive editing surface. The editor receives as input a set of user interactions, such as the drawing of lines and boxes, the specifying of attributes, and the like, that together compose a graph pattern. During the graph pattern composition, the user may retrieve other graph patterns (e.g., from a data store) and integrate them into the pattern being composed. Once the graph pattern is composed (or as it is being composed), the system converts the graphical pattern into a text-based representation, such as a computer program in a particular graph programming language, which is then used for subsequent processing and matching in a cybersecurity threat discovery workflow. The pattern (program code) is also stored to disk, from which it may be retrieved and converted back into its graphical view on the screen, e.g., for further editing and revision.

    Multi-point causality tracking in cyber incident reasoning

    Publication (announcement) number: US10956566B2

    Publication (announcement) date: 2021-03-23

    Application number: US16158725

    Filing date: 2018-10-12

    Abstract: This disclosure provides an automatic causality tracking system that meets real-time analysis needs. It solves causality tracking for cybersecurity, preferably as three sub-tasks: backward tracking, forward tracking, and path-finding. Given a set of threat indicators, the first sub-task yields the system elements (e.g., entities such as processes, files, network sockets, and the like) that contribute information to a set of threat indicators backward in time. The second sub-task yields system elements forward in time. Given two sets of threat indicators, the third sub-task yields shortest paths between them, e.g., how the two sets of indicators are connected to one another. The system enables efficient multi-point traversal analysis with respect to a set of potential compromise points, using data from real information flows.

    Cognitive analysis of security data with signal flow-based graph exploration

    Publication (announcement) number: US10536472B2

    Publication (announcement) date: 2020-01-14

    Application number: US15236595

    Filing date: 2016-08-15

    IPC classification: H04L29/06

    Abstract: This disclosure provides for a signal flow analysis-based exploration of security knowledge represented in a graph structure comprising nodes and edges. "Conductance" values are associated with each of a set of edges. Each node has an associated "toxicity" value representing a degree of maliciousness associated with the node. The conductance value associated with an edge is a function of at least the toxicity values of the nodes to which the edge is incident. A signal flow analysis is conducted with respect to an input node representing an observable associated with an offense. The flow analysis seeks to identify a subset of the nodes that, based on their conductance values, are reached by flow of a signal representing a threat, wherein signal flow over a path in the graph continues until a signal threshold is met. Based on the analysis, nodes within the subset are designated as hypothesis nodes for further examination.

    Endpoint inter-process activity extraction and pattern matching

    Publication (announcement) number: US11184374B2

    Publication (announcement) date: 2021-11-23

    Application number: US16158798

    Filing date: 2018-10-12

    Abstract: An automated method for cyberattack detection and prevention in an endpoint. The technique monitors and protects the endpoint by recording inter-process events, creating an inter-process activity graph based on the recorded inter-process events, matching the inter-process activity (as represented in the activity graph) against known malicious or suspicious behavior (as embodied in a set of one or more pattern graphs), and performing a post-detection operation in response to a match between an inter-process activity and a known malicious or suspicious behavior pattern. Preferably, matching involves matching a subgraph in the activity graph with a known malicious or suspicious behavior pattern as represented in the pattern graph. During this processing, preferably both direct and indirect inter-process activities at the endpoint (or across a set of endpoints) are compared to the known behavior patterns. The approach herein provides for systematic modeling of inter-process behaviors for characterizing malicious or suspicious patterns among processes.

    Graphical temporal graph pattern editor

    Publication (announcement) number: US20210194905A1

    Publication (announcement) date: 2021-06-24

    Application number: US16725207

    Filing date: 2019-12-23

    IPC classification: H04L29/06 G06F16/901

    Abstract: An interactive display system enables a user to compose a graph pattern for a temporal graph on a display screen. The system comprises a canvas that provides an interactive editing surface. The editor receives as input a set of user interactions, such as the drawing of lines and boxes, the specifying of attributes, and the like, that together compose a graph pattern. During the graph pattern composition, the user may retrieve other graph patterns (e.g., from a data store) and integrate them into the pattern being composed. Once the graph pattern is composed (or as it is being composed), the system converts the graphical pattern into a text-based representation, such as a computer program in a particular graph programming language, which is then used for subsequent processing and matching in a cybersecurity threat discovery workflow. The pattern (program code) is also stored to disk, from which it may be retrieved and converted back into its graphical view on the screen, e.g., for further editing and revision.

    Automatic categorization of IDPS signatures from multiple different IDPS systems

    Publication (announcement) number: US11025656B2

    Publication (announcement) date: 2021-06-01

    Application number: US16671267

    Filing date: 2019-11-01

    Abstract: Unknown and reference signatures are accessed. The unknown and reference signatures indicate patterns that correspond to known threats to resources (such as computer systems and/or computer networks) in a computer environment and comprise a multitude of descriptive elements having information describing different aspects of a corresponding signature. A set of similarity measures is created of the unknown and reference signatures from different perspectives, each perspective corresponding to a descriptive element. The set of similarity measures is integrated to generate an overall similarity metric. The overall similarity metric is used to find appropriate categories in the reference signatures into which the unknown signatures should be placed. The unknown signatures are placed into the appropriate categories to create a mapping from the unknown signatures to the reference signatures. The mapping is output for use by an IDPS for determining whether a threat has occurred to the resources in the computer environment.

    Application-level sandboxing
    Granted invention patent

    Publication (announcement) number: US10887346B2

    Publication (announcement) date: 2021-01-05

    Application number: US15691792

    Filing date: 2017-08-31

    Abstract: Rapid deployments of application-level deceptions (i.e., booby traps) implant cyber deceptions into running legacy applications both on production and decoy systems. Once a booby trap is tripped, the affected code is moved into a decoy sandbox for further monitoring and forensics. To this end, this disclosure provides for unprivileged, lightweight application sandboxing to facilitate monitoring and analysis of attacks as they occur, all without the overhead of current state-of-the-art approaches. Preferably, the approach transparently moves the suspicious process to an embedded decoy sandbox, with no disruption of the application workflow (i.e., no process restart or reload). Further, the action of switching execution from the original operating environment to the sandbox preferably is triggered from within the running process.