-
Publication number: US20230224313A1
Publication date: 2023-07-13
Application number: US17563106
Filing date: 2021-12-28
Applicant: Nozomi Networks Sagl
Inventor: Alexey KLEYMENOV, Alessandro DI PINTO, Moreno CARULLO, Andrea CARCANO
IPC: H04L9/40
CPC classification number: H04L63/1425, H04L63/20, H04L63/1416, H04L63/1466
Abstract: The present invention relates to a method for evaluating the quality of signature-based detections in an infrastructure provided with a plurality of sensors, comprising: defining predefined rules for the rule-based detections, wherein the rules are of a silent type such that they operate without generating alerts to the user of the infrastructure; collecting telemetry events at each of the sensors; storing the telemetry events of each of the sensors in respective local sensor databases operatively connected to the sensors; aggregating, at predetermined aggregating time intervals, the telemetry events from the local sensor databases into a central database; and analyzing the telemetry events at the central database by evaluating the telemetry events with respect to the rules and calculating the quality measurements of the rules according to a plurality of predefined quality metrics over a predefined metrics time interval, wherein the quality metrics comprise a precision metric, obtained by counting the instances of false positives of the telemetry events with respect to the predefined rules, a recall metric, obtained by counting the instances of false negatives of the telemetry events with respect to the predefined rules, and a performance metric, obtained by counting the instances of rule hits over a predefined evaluation time interval and the ratio between partial and full matches of the rules; wherein the method for evaluating the quality of rule-based detections further comprises releasing verified rules for the rule-based detections, namely those predefined rules having quality measurements within a predetermined quality target range; and wherein the verified rules are of an alerting type such that they operate generating alerts to the user of the infrastructure.
-
Publication number: US20240202334A1
Publication date: 2024-06-20
Application number: US18066377
Filing date: 2022-12-15
Applicant: Nozomi Networks Sagl
Inventor: Alexey KLEYMENOV, Alessandro DI PINTO, Moreno CARULLO, Andrea CARCANO
CPC classification number: G06F21/566, G06F16/137, G06F21/562, H04L9/0643, G06F2221/034
Abstract: The present invention relates to a method for automatically storing malicious samples, comprising: collecting input samples relating to malware and goodware from sample providers; parsing each of the input samples to extract metadata relating to that input sample; adding the metadata relating to each of the input samples to a metadata database; and storing each of the input samples in a sample storage; wherein the adding comprises converting the original hashes of each of the input samples to SHA256 hashes according to a hash mapping table operatively connected to the metadata database, and wherein the storing comprises defining the filename of each of the input samples as equal to the corresponding SHA256 hash.
-
Publication number: US20240007483A1
Publication date: 2024-01-04
Application number: US17855940
Filing date: 2022-07-01
Applicant: Nozomi Networks Sagl
Inventor: Alexey KLEYMENOV, Moreno CARULLO, Andrea CARCANO
CPC classification number: H04L63/1416, H04L9/3247
Abstract: The present invention relates to a method for automatic signature generation from a plurality of sources, comprising: defining a plurality of identified sources of sample providers; collecting, by a computerized data processing unit, input samples from the sample providers; verifying, by the computerized data processing unit, the input samples to define verified input samples; generating, by the computerized data processing unit, verified signatures from the verified input samples; and storing the verified signatures in a verified signatures database operatively connected to the computerized data processing unit; wherein the collecting comprises extracting raw IoCs from the input samples; wherein the verifying comprises evaluating the reputation of each of the raw IoCs according to predefined reputation rules and comparing each of the raw IoCs with a database of existing signatures operatively connected to the data processing unit to define allowable raw IoCs; and wherein the generating comprises creating the verified signatures from the verified input samples corresponding to the allowable raw IoCs.
-