-
Publication No.: US11762990B2
Publication date: 2023-09-19
Application No.: US16917626
Filing date: 2020-06-30
IPC classification: G06F21/55, G06F16/955, G06N5/04, G06N20/00
CPC classification: G06F21/554, G06F16/9566, G06N5/04, G06N20/00, G06F2221/034
Abstract: The technology described herein identifies malicious URLs using a classifier that is both accurate and fast. Aspects of the technology are particularly well adapted for use as a real-time URL security analysis tool because the technology is able to quickly process a URL and produce a warning when a malicious URL is identified. The rapid processing speed of the technology described herein is produced, in part, by use of only a single input signal, which is the URL itself. The high accuracy produced by the technology described herein is achieved by analyzing the unstructured text on both a character-by-character level and a word-by-word level. The technology described herein uses both character-level and word-level information from the incoming URL.
-
Publication No.: US10963566B2
Publication date: 2021-03-30
Application No.: US15879593
Filing date: 2018-01-25
Abstract: Implementations described herein disclose a malware sequence detection system for detecting the presence of malware in a plurality of events. An implementation of the malware sequence detection includes receiving a sequence of a plurality of events, and detecting the presence of a sequence of malware commands within the sequence of a plurality of events by dividing the sequence of a plurality of events into a plurality of subsequences, performing sequential subsequence learning on one or more of the plurality of subsequences, and generating a probability of one or more of the plurality of subsequences being malware based on the output of the sequential subsequence learning.
-
Publication No.: US09819689B2
Publication date: 2017-11-14
Application No.: US14657215
Filing date: 2015-03-13
Inventors: Himanshu Chandola, Jack Wilson Stokes, III, Gil Lapid Shafriri, Craig Henry Wittenberg, Timothy W. Burrell, Christian Seifert
CPC classification: H04L63/1416, G06F17/30477, G06F17/3053, G06F21/552
Abstract: Identify a set or session of processes as having certain characteristics. A method obtains a known set or session of processes, wherein the known set or session of processes has the certain characteristics. A set or session of processes to be evaluated is obtained. A weighted similarity measure is performed between the known set or session of processes and the set or session of processes to be evaluated. The weighted similarity measure is performed element-wise, where a comparison is performed for each defined element in the set or session of processes to be evaluated against elements in the known set or session of processes.
-
Publication No.: US20160269424A1
Publication date: 2016-09-15
Application No.: US14657215
Filing date: 2015-03-13
Inventors: Himanshu Chandola, Jack Wilson Stokes, III, Gil Lapid Shafriri, Craig Henry Wittenberg, Timothy W. Burrell, Christian Seifert
CPC classification: H04L63/1416, G06F17/30477, G06F17/3053, G06F21/552
Abstract: Identify a set or session of processes as having certain characteristics. A method obtains a known set or session of processes, wherein the known set or session of processes has the certain characteristics. A set or session of processes to be evaluated is obtained. A weighted similarity measure is performed between the known set or session of processes and the set or session of processes to be evaluated. The weighted similarity measure is performed element-wise, where a comparison is performed for each defined element in the set or session of processes to be evaluated against elements in the known set or session of processes.
-
Publication No.: US12032687B2
Publication date: 2024-07-09
Application No.: US17491438
Filing date: 2021-09-30
Inventors: Jack Wilson Stokes, III, Jonathan Bar Or, Christian Seifert, Talha Ongun, Farid Tajaddodianfar
IPC classification: G06F21/55, G06F18/214, G06F21/54, G06F21/56, G06N20/00
CPC classification: G06F21/554, G06F18/214, G06F21/54, G06F21/566, G06N20/00
Abstract: The techniques disclosed herein enable systems to train a machine learning model to classify malicious command line strings and select anomalous and uncertain samples for analysis. To train the machine learning model, a system receives a labeled data set containing command line inputs that are known to be malicious or benign. Utilizing a term embedding model, the system can generate aggregated numerical representations of the command line inputs for analysis by the machine learning model. The aggregated numerical representations can include various information such as term scores that represent a probability that an individual term of the command line string is malicious as well as numerical representations of the individual terms. The system can subsequently provide the aggregated numerical representations to the machine learning model for analysis. Based on the aggregated numerical representations, the machine learning model can learn to distinguish malicious command line inputs from benign inputs.
-
Publication No.: US12003535B2
Publication date: 2024-06-04
Application No.: US17246352
Filing date: 2021-04-30
Inventors: Jack Wilson Stokes, III, Pranav Ravindra Maneriker, Arunkumar Gururajan, Diana Anca Carutasu, Edir Vinicio Garcia Lazo
CPC classification: H04L63/1483, G06F40/284, G06N3/045, G06N3/08
Abstract: The technology described herein can identify phishing URLs using transformers. The technology tokenizes useful features from the subject URL. The useful features can include the text of the URL and other data associated with the URL, such as certificate data for the subject URL, a referrer URL, an IP address, etc. The technology may build a joint Byte Pair Encoding for the features. The token encoding may be processed through a transformer, resulting in a transformer output. The transformer output, which may be described as a token embedding, may be input to a classifier to determine whether the URL is a phishing URL. Additional or improved URL training data may be generated by permuting token order, by simulating a homoglyph attack, and by simulating a compound word attack.
-
Publication No.: US11930020B2
Publication date: 2024-03-12
Application No.: US17317573
Filing date: 2021-05-11
Inventors: Zheng Dong, Jack Wilson Stokes, III, Jie Li, Jinyuan Jia
IPC classification: H04L29/06, G06F16/901, G06N20/00, H04L9/40, H04L61/4511
CPC classification: H04L63/1416, G06F16/9024, G06N20/00, H04L61/4511
Abstract: The disclosure is directed towards the real-time detection and mitigation of security threats to a domain name system (DNS) for a communication network. A graph-theoretic method is applied to detect compromised DNS assets (e.g., DNS servers and the web servers that DNS servers map domain names to). A graph is generated from domain name resolution (DNR) transactions. The nodes of the graph represent the DNS assets and edges between the nodes represent the DNR transactions. The graph is analyzed to detect features that signal compromised assets. The detection of such features serves to act as a binary classifier for the represented assets. The binary classifier acts to classify each node as non-compromised or compromised. The analysis is guided by supervised and/or unsupervised machine learning methods. Once the assets are classified, DNR transactions are analyzed in real time. If the transaction involves a compromised asset, an intervention is performed that mitigates the threat.
-
Publication No.: US11689561B2
Publication date: 2023-06-27
Application No.: US16821722
Filing date: 2020-03-17
IPC classification: H04L9/40, G06F21/56, G06N20/00, G06F9/54, G06F18/214, G06V10/764, G06V10/82
CPC classification: H04L63/145, G06F9/54, G06F18/2148, G06F21/561, G06F21/563, G06F21/565, G06N20/00, G06V10/764, G06V10/82
Abstract: Various embodiments discussed herein enable the detection of malicious content. Some embodiments do this by determining a similarity score between content, computer objects, or indications (e.g., vectors, file hashes, file signatures, code, etc.) known to be malicious and other content (e.g., unknown files) or indications based on feature weighting. Over various training stages, certain feature characteristics for each labeled malicious content or indication can be learned. For example, for a first malware family of computer objects, the most prominent feature may be a particular URL, whereas other features change considerably for different iterations of the first malware family of computer objects. Consequently, the particular URL can be weighted to determine a particular output classification corresponding to malicious behavior.
-
Publication No.: US10938840B2
Publication date: 2021-03-02
Application No.: US16160540
Filing date: 2018-10-15
Abstract: Enhanced neural network architectures that enable the determination and employment of association-based or attention-based "interrelatedness" of various portions of the input data are provided. A method of employing an architecture includes receiving a first input data element, a second input data element, and a third input data element. A first interrelated metric that indicates a degree of interrelatedness between the first input data element and the second input data element is determined. A second interrelated metric is determined. The second interrelated metric indicates a degree of interrelatedness between the first input data element and the third input data element. An interrelated vector is generated based on the first interrelated metric and the second interrelated metric. The neural network is employed to generate an output vector that corresponds to the first input vector and is based on a combination of the first input vector and the interrelated vector.
-
Publication No.: US10922409B2
Publication date: 2021-02-16
Application No.: US15949873
Filing date: 2018-04-10
Abstract: Technologies for detecting malware based on a reinforcement learning model that detects whether a file is malicious or benign and determines the best time to halt the file's execution in so detecting. The reinforcement learning model, combined with an event classifier and a file classifier, learns whether to halt execution after enough state information has been observed or to continue execution if more events are needed to make a highly confident determination. The algorithm disclosed allows the system to decide when to stop on a per-file basis.