-
Publication (Announcement) No.: US11671449B2
Publication (Announcement) Date: 2023-06-06
Application No.: US17493903
Application Date: 2021-10-05
Applicant: Nozomi Networks Sagl
Inventor: Alexey Kleymenov , Alessandro Di Pinto , Moreno Carullo , Andrea Carcano
IPC: H04L9/40
CPC classification number: H04L63/1491
Abstract: The present invention relates to a method for automatically aggregating and enriching data from honeypots, comprising defining a plurality of identified honeypots of different types to be monitored in a network; collecting metadata and samples from said honeypots of different types in said network, which in turn comprises defining a predefined collection model for the honeypots so as to collect homogeneous metadata and samples across the honeypots of different types, extracting the metadata according to the collection model to define model metadata, and extracting the samples according to the collection model to define model samples; enriching said collected metadata and samples, which in turn comprises scanning the model metadata to extract IoCs, scanning the model samples to extract IoCs, recursively scanning the model samples to generate secondary model metadata and scanning the secondary model metadata to extract IoCs until no further IoCs can be generated, and recursively obtaining secondary samples from the extracted IoCs and scanning the secondary model samples to extract IoCs until no further secondary samples are obtained; and aggregating said collected and/or enriched metadata and samples, which in turn comprises aggregating metadata by a predefined metadata model aggregation and aggregating samples by a predefined samples model aggregation.
-
Publication (Announcement) No.: US11722504B2
Publication (Announcement) Date: 2023-08-08
Application No.: US17134336
Application Date: 2020-12-26
Applicant: Nozomi Networks Sagl
Inventor: Alessandro Di Pinto , Moreno Carullo , Andrea Carcano , Mario Marchese , Fabio Patrone , Alessandro Fausto , Giovanni Battista Gaggero
IPC: H04L61/4511 , H04L9/40
CPC classification number: H04L63/1425 , H04L61/4511 , H04L63/1416 , H04L63/1441
Abstract: The present invention relates to a method and an apparatus for detecting anomalies in DNS traffic in a network, comprising analysing, through a network analyser connected to said network, each data packet exchanged in the network; isolating, through the network analyser, the related DNS packet from each of the analysed data packets; evaluating, through a computerized data processing unit, each of the DNS packets to generate a DNS packet status; and signaling, through the computerized data processing unit, an anomaly of the DNS traffic when the DNS packet status defines a critical state; wherein the evaluating further comprises assessing, through the computerized data processing unit, each of the DNS packets by a plurality of evaluating algorithms, generating a DNS packet classification for each of the evaluating algorithms, and aggregating, through the computerized data processing unit, the DNS packet classifications to generate the DNS packet status; and wherein the critical state is identified when the DNS packet status is comprised in a critical state database stored in a storage medium.
-
Publication (Announcement) No.: US11930027B2
Publication (Announcement) Date: 2024-03-12
Application No.: US17563106
Application Date: 2021-12-28
Applicant: Nozomi Networks Sagl
Inventor: Alexey Kleymenov , Alessandro Di Pinto , Moreno Carullo , Andrea Carcano
CPC classification number: H04L63/1425 , H04L63/1416 , H04L63/1466 , H04L63/20
Abstract: The present invention relates to a method for evaluating the quality of signature-based detections in an infrastructure provided with a plurality of sensors, comprising defining predefined rules for the rule-based detections, wherein the rules are of a silent type such that they operate without generating alerts to the user of the infrastructure; collecting telemetry events at each of the sensors; storing the telemetry events of each of the sensors in respective local sensor databases operatively connected to the sensors; aggregating, at predetermined aggregating time intervals, the telemetry events from the local sensor databases into a central database; analyzing the telemetry events at the central database by evaluating the telemetry events with respect to the rules and calculating the quality measurements of the rules according to a plurality of predefined quality metrics over a predefined metrics time interval, wherein the quality metrics comprise a precision metric, obtained by counting the instances of false positives of the telemetry events with respect to the predefined rules, a recall metric, obtained by counting the instances of false negatives of the telemetry events with respect to the predefined rules, and a performance metric, obtained by counting the instances of rule hits over a predefined evaluation time interval and the ratio between partial and full matches of the rules; wherein the method for evaluating the quality of rule-based detections further comprises releasing verified rules for the rule-based detections as predefined rules having quality measurements within a predetermined quality target range; and wherein the verified rules are of an alerting type such that they operate by generating alerts to the user of the infrastructure.
-
Publication (Announcement) No.: US11906943B2
Publication (Announcement) Date: 2024-02-20
Application No.: US17400947
Application Date: 2021-08-12
Applicant: Nozomi Networks Sagl
Inventor: Roberto Bruttomesso , Alessandro Di Pinto , Moreno Carullo , Andrea Carcano
IPC: G05B19/05
CPC classification number: G05B19/054 , G05B19/056 , G05B2219/1164 , G05B2219/13018 , G05B2219/13019 , G05B2219/15023
Abstract: The present invention relates to a method for automatic translation of ladder logic to an SMT-based model checker in a network, comprising defining (10) the topology of the network as an enriched network topology based on packets exchanged in the network; extracting (20) a program from the packets relating to a PLC in the network and identifying the inputs, outputs, variables and ladder diagram of the PLC; and translating (30) the inputs, outputs, variables and ladder diagram into a predefined formal model, wherein the predefined formal model is a circuit-like SMT-based model checker, and wherein the translating (30) comprises translating the set of data types of the program according to a predefined model set of data types of the circuit-like SMT-based model checker, translating the inputs of the PLC as model inputs of the circuit-like SMT-based model checker of the same type, translating the outputs of the PLC as model output latches of the circuit-like SMT-based model checker of the same type, translating the variables of the PLC as model variable latches of the circuit-like SMT-based model checker of the same type, translating comparators and arithmetic operators of the ladder diagram into a plurality of predefined model functions of the circuit-like SMT-based model checker, and translating contacts and coils of the ladder diagram according to predefined model recursive procedures relating to the predefined model set of data types, the model inputs, the model output latches, the model variable latches and the plurality of predefined model functions; wherein the contacts are switches that can block or allow the flow of current in a connection, each of the contacts being controlled by a Boolean input or variable, and wherein the coils are assignments to Boolean variables.
-
Publication (Announcement) No.: US11444971B2
Publication (Announcement) Date: 2022-09-13
Application No.: US17064010
Application Date: 2020-10-06
Applicant: Nozomi Networks Sagl
Inventor: Ivan Speziale , Alessandro Di Pinto , Moreno Carullo , Andrea Carcano
IPC: H04L9/40
Abstract: The present invention relates to a method for assessing the quality of network-related Indicators of Compromise, comprising a phase of calculating, by a computerized data processing unit, a quality score for Indicators of Compromise of the IP Address type, which comprises the steps of assigning an autonomous system score to the IP Address according to a predefined range of values based on a database of autonomous system owners, assigning a subnet score to said IP Address according to a predefined range of values based on a database of subnet owners, assigning a services hosted score to the IP Address according to a predefined range of values based on known malicious services hosted by the IP Address before the phase of calculating the quality score, and calculating the IP Address quality score as the sum of the autonomous system score, the subnet score and the services hosted score; and wherein the method comprises a phase of evaluating the calculated quality score, comprising, for each of the Indicators of Compromise of the IP Address type, the step of assessing the Indicator of Compromise of the IP Address type as malicious when the IP Address quality score exceeds a predefined IP Address quality threshold.