公开(公告)号：US20160134641A1

公开(公告)日：2016-05-12

申请号：US14668595

申请日：2015-03-25

申请人： International Business Machines Corporation

发明人： Xin HU ,  Jiyong Jang ,  Douglas Schales ,  Marc Stoecklin ,  Ting Wang

IPC分类号： H04L29/06 ,  G06F3/0484

CPC分类号： H04L63/1416 ,  H04L63/101 ,  H04L63/1425

摘要： A method for detecting beaconing behavior includes preprocessing network records to identify candidate source and destination pairs for detecting beaconing behavior, where each source and destination pair is associated with a specific time interval in a plurality of time intervals forming a time range, the time interval and time range having been predefined. The activity time interval information is converted from the time domain into the frequency domain. Candidate frequencies are determined from the source and destination pairs, as likely candidate frequencies/periodicities of beaconing activities.

公开(公告)号：US10044737B2

公开(公告)日：2018-08-07

申请号：US14750737

申请日：2015-06-25

申请人： International Business Machines Corporation

发明人： Xin Hu ,  Jiyong Jang ,  Douglas Schales ,  Marc Stoecklin ,  Ting Wang

IPC分类号： H04L29/06

摘要： A method for detecting beaconing behavior includes preprocessing network records to identify candidate source and destination pairs for detecting beaconing behavior, where each source and destination pair is associated with a specific time interval in a plurality of time intervals forming a time range, the time interval and time range having been predefined. The activity time interval information is converted from the time domain into the frequency domain. Candidate frequencies are determined from the source and destination pairs, as likely candidate frequencies/periodicities of beaconing activities.

公开(公告)号：US20190230109A1

公开(公告)日：2019-07-25

申请号：US16367504

申请日：2019-03-28

申请人： International Business Machines Corporation

发明人： Xin Hu ,  Jiyong Jang ,  Douglas Schales ,  Marc Stoecklin ,  Ting Wang

IPC分类号： H04L29/06 ,  G06F21/00 ,  G06F21/55

摘要： A method for improving a detection of beaconing activity includes receiving input data into a computer-implemented processing procedure at least one listing of at least one of time series data and candidate periods of potential beaconing activity. The input data is processed, to detect candidates of potential beaconing activity. By further evaluating the time series data using techniques used for evaluating an analog signal, the performance of detecting of potential beaconing activity is improved to eliminate false positive indications of beaconing activity and/or to provide indication of multiple interleaved periodicities of beaconing.

公开(公告)号：US09832217B2

公开(公告)日：2017-11-28

申请号：US14501976

申请日：2014-09-30

申请人： International Business Machines Corporation

发明人： Stefan Berger ,  Yangyi Chen ,  Xin Hu ,  Dimitrios Pendarakis ,  Josyula Rao ,  Reiner Sailer ,  Douglas Lee Schales ,  Marc Stoecklin

IPC分类号： H04L29/06 ,  G06F21/51 ,  G06F21/56 ,  G06F21/55

CPC分类号： H04L63/1433 ,  G06F21/51 ,  G06F21/554 ,  G06F21/566 ,  H04L63/06 ,  H04L63/14 ,  H04L63/1416 ,  H04L63/1441

摘要： A method includes collecting system calls and call parameters invoked by monitored applications for target computer systems. The system calls and call parameters are received from operating system kernels on the plurality of target computer systems. Sequences of systems calls and call parameters of the monitored applications are correlated among different target computer systems to deduce malicious activities. Remedial action(s) are performed in response to malicious activities being deduced as being malicious by the correlating. Another method includes determining that network activity at a specific time is deemed to be suspicious. Using IP addresses involved in the suspicious network activity, computer system(s) are determined that are sources of the suspicious network activity. Based on the specific time and the determined computer system(s), application(s) are determined that are executing on the determined computer system(s) that are causing the suspicious network activity. Remedial action(s) are performed for the determined computer system(s).

公开(公告)号：US20160261624A1

公开(公告)日：2016-09-08

申请号：US15062374

申请日：2016-03-07

申请人： International Business Machines Corporation

发明人： Stefan Berger ,  Yangyi Chen ,  Xin Hu ,  Dimitrious Pendarakis ,  Josyula Rao ,  Reiner Sailer ,  Douglas Lee Schales ,  Marc Stoecklin

IPC分类号： H04L29/06 ,  G06F9/44

CPC分类号： H04L63/1433 ,  G06F21/51 ,  G06F21/52 ,  G06F21/554 ,  G06F21/566 ,  H04L63/0236 ,  H04L63/0263 ,  H04L63/06 ,  H04L63/14 ,  H04L63/1416 ,  H04L63/1441

摘要： A method includes collecting system calls and call parameters invoked by monitored applications for target computer systems. The system calls and call parameters are received from operating system kernels on the plurality of target computer systems. Sequences of systems calls and call parameters of the monitored applications are correlated among different target computer systems to deduce malicious activities. Remedial action(s) are performed in response to malicious activities being deduced as being malicious by the correlating. Another method includes determining that network activity at a specific time is deemed to be suspicious. Using IP addresses involved in the suspicious network activity, computer system(s) are determined that are sources of the suspicious network activity. Based on the specific time and the determined computer system(s), application(s) are determined that are executing on the determined computer system(s) that are causing the suspicious network activity. Remedial action(s) are performed for the determined computer system(s).

公开(公告)号：US20150264077A1

公开(公告)日：2015-09-17

申请号：US14501976

申请日：2014-09-30

申请人： International Business Machines Corporation

发明人： Stefan Berger ,  Yangyi Chen ,  Xin Hu ,  Dimitrious Pendarakis ,  Josyula Rao ,  Douglas Lee Schales ,  Reiner Sailer ,  Marc Stoecklin

IPC分类号： H04L29/06 ,  G06F9/445 ,  G06F17/30

CPC分类号： H04L63/1433 ,  G06F21/51 ,  G06F21/554 ,  G06F21/566 ,  H04L63/06 ,  H04L63/14 ,  H04L63/1416 ,  H04L63/1441

摘要： A method includes collecting system calls and call parameters invoked by monitored applications for target computer systems. The system calls and call parameters are received from operating system kernels on the plurality of target computer systems. Sequences of systems calls and call parameters of the monitored applications are correlated among different target computer systems to deduce malicious activities. Remedial action(s) are performed in response to malicious activities being deduced as being malicious by the correlating. Another method includes determining that network activity at a specific time is deemed to be suspicious. Using IP addresses involved in the suspicious network activity, computer system(s) are determined that are sources of the suspicious network activity. Based on the specific time and the determined computer system(s), application(s) are determined that are executing on the determined computer system(s) that are causing the suspicious network activity. Remedial action(s) are performed for the determined computer system(s).

摘要翻译： 一种方法包括收集目标计算机系统受监控应用程序调用的系统调用和调用参数。 从多个目标计算机系统上的操作系统内核接收系统调用和调用参数。 受监控应用程序的系统调用和调用参数的顺序在不同的目标计算机系统之间相互关联，以推断恶意活动。 响应通过相关的恶意活动被推断为恶意来执行补救措施。 另一种方法包括确定在特定时间的网络活动被认为是可疑的。 使用涉及可疑网络活动的IP地址，确定作为可疑网络活动的来源的计算机系统。 基于具体时间和确定的计算机系统，确定正在导致可疑网络活动的确定的计算机系统上执行的应用程序。 对所确定的计算机系统执行补救动作。

公开(公告)号：US11153337B2

公开(公告)日：2021-10-19

申请号：US16367504

申请日：2019-03-28

申请人： International Business Machines Corporation

发明人： Xin Hu ,  Jiyong Jang ,  Douglas Schales ,  Marc Stoecklin ,  Ting Wang

IPC分类号： H04L29/06 ,  G06F21/00 ,  G06F21/55

摘要： A method for improving a detection of beaconing activity includes receiving input data into a computer-implemented processing procedure at least one listing of at least one of time series data and candidate periods of potential beaconing activity. The input data is processed, to detect candidates of potential beaconing activity. By further evaluating the time series data using techniques used for evaluating an analog signal, the performance of detecting of potential beaconing activity is improved to eliminate false positive indications of beaconing activity and/or to provide indication of multiple interleaved periodicities of beaconing.

公开(公告)号：US10375101B2

公开(公告)日：2019-08-06

申请号：US15062374

申请日：2016-03-07

申请人： International Business Machines Corporation

发明人： Stefan Berger ,  Yangyi Chen ,  Xin Hu ,  Dimitrious Pendarakis ,  Josyula Rao ,  Reiner Sailer ,  Douglas Lee Schales ,  Marc Stoecklin

IPC分类号： H04L29/06 ,  G06F21/51 ,  G06F21/56 ,  G06F21/52 ,  G06F21/55

摘要： A method includes collecting system calls and call parameters invoked by monitored applications for target computer systems. The system calls and call parameters are received from operating system kernels on the plurality of target computer systems. Sequences of systems calls and call parameters of the monitored applications are correlated among different target computer systems to deduce malicious activities. Remedial action(s) are performed in response to malicious activities being deduced as being malicious by the correlating. Another method includes determining that network activity at a specific time is deemed to be suspicious. Using IP addresses involved in the suspicious network activity, computer system(s) are determined that are sources of the suspicious network activity. Based on the specific time and the determined computer system(s), application(s) are determined that are executing on the determined computer system(s) that are causing the suspicious network activity. Remedial action(s) are performed for the determined computer system(s).

公开(公告)号：US10284584B2

公开(公告)日：2019-05-07

申请号：US15166468

申请日：2016-05-27

申请人： International Business Machines Corporation

发明人： Xin Hu ,  Jiyong Jang ,  Douglas Schales ,  Marc Stoecklin ,  Ting Wang

IPC分类号： H04L29/06 ,  G06F21/00 ,  G06F21/55

摘要： A method (and structure) includes receiving, as input data into a computer-implemented processing procedure, at least one listing of at least one of time series data and potential candidate periods of potential beaconing activity. The input data is processed, using a processor on a computer, to evaluate the input data as if the input data represents data points of an input analog signal subject to principles of communication theory and having determinable statistical characteristics.

公开(公告)号：US09591007B2

公开(公告)日：2017-03-07

申请号：US14668595

申请日：2015-03-25

申请人： International Business Machines Corporation

发明人： Xin Hu ,  Jiyong Jang ,  Douglas Schales ,  Marc Stoecklin ,  Ting Wang

IPC分类号： H04L29/06

CPC分类号： H04L63/1416 ,  H04L63/101 ,  H04L63/1425

摘要： A method for detecting beaconing behavior includes preprocessing network records to identify candidate source and destination pairs for detecting beaconing behavior, where each source and destination pair is associated with a specific time interval in a plurality of time intervals forming a time range, the time interval and time range having been predefined. The activity time interval information is converted from the time domain into the frequency domain. Candidate frequencies are determined from the source and destination pairs, as likely candidate frequencies/periodicities of beaconing activities.

摘要翻译： 用于检测信标行为的方法包括预处理网络记录以识别用于检测信标行为的候选源和目的地对，其中每个源和目的地对在形成时间范围的多个时间间隔中与特定时间间隔相关联，所述时间间隔和 时间范围已经预定义。 活动时间间隔信息从时域转换为频域。 从源和目的地对确定候选频率，作为信标活动的可能的候选频率/周期性。