-
1.发明授权Detecting probes and scans over high-bandwidth, long-term, incomplete network traffic information using limited memory 有权使用有限的内存检测探测和扫描高带宽,长期,不完整的网络流量信息公开(公告)号:US07752665B1
公开(公告)日:2010-07-06
申请号:US10620156
申请日:2003-07-14
CPC分类号: H04L63/1458
摘要: A method for detecting surveillance activity in a computer communication network comprising automatic detection of malicious probes and scans and adaptive learning. Automatic scan/probe detection in turn comprises modeling network connections, detecting connections that are likely probes originating from malicious sources, and detecting scanning activity by grouping source addresses that are logically close to one another and by recognizing certain combinations of probes. The method is implemented in a scan/probe detector, preferably in combination with a commercial or open-source intrusion detection system and an anomaly detector. Once generated, the model monitors online activity to detect malicious behavior without any requirement for a priori knowledge of system behavior. This is referred to as “behavior-based” or “mining-based detection.” The three main components may be used separately or in combination with each other. The alerts produced by each may be presented to an analyst, used for generating reports (such as trend analysis), or correlated with alerts from other detectors. Through correlation, the invention prioritizes alerts, reduces the number of alerts presented to an analyst, and determines the most important alerts.
摘要翻译: 一种用于检测计算机通信网络中的监视活动的方法,包括自动检测恶意探测和扫描以及自适应学习。 自动扫描/探测检测反过来包括建模网络连接,检测可能来自恶意源的探测的连接,以及通过将逻辑上接近彼此的源地址分组并通过识别探测器的某些组合来检测扫描活动。 该方法在扫描/探针检测器中实现,优选地与商业或开源入侵检测系统和异常检测器组合。 一旦生成,该模型监视在线活动以检测恶意行为,而不需要对系统行为的先验知识。 这被称为“基于行为”或“基于挖掘的检测”。三个主要组件可以单独使用或者彼此组合使用。 由每个警报产生的警报可能会提交给分析人员,用于生成报告(如趋势分析)或与来自其他检测器的警报相关。 通过相关性,本发明优先处理警报,减少提供给分析人员的警报数量,并确定最重要的警报。
-
公开(公告)号:US20200019705A1
公开(公告)日:2020-01-16
申请号:US16579318
申请日:2019-09-23
摘要: Methods, media, and systems for detecting an anomalous sequence of function calls are provided. The methods can include compressing a sequence of function calls made by the execution of a program using a compression model; and determining the presence of an anomalous sequence of function calls in the sequence of function calls based on the extent to which the sequence of function calls is compressed. The methods can further include executing at least one known program; observing at least one sequence of function calls made by the execution of the at least one known program; assigning each type of function call in the at least one sequence of function calls made by the at least one known program a unique identifier; and creating at least part of the compression model by recording at least one sequence of unique identifiers.
-
公开(公告)号:US10178113B2
公开(公告)日:2019-01-08
申请号:US14798006
申请日:2015-07-13
摘要: Systems, methods, and media for generating sanitized data, sanitizing anomaly detection models, and generating anomaly detection models are provided. In some embodiments, methods for sanitizing anomaly detection models are provided. The methods including: receiving at least one abnormal anomaly detection model from at least one remote location; comparing at least one of the at least one abnormal anomaly detection model to a local normal detection model to produce a common set of features common to both the at least one abnormal anomaly detection model and the local normal detection model; and generating a sanitized normal anomaly detection model by removing the common set of features from the local normal detection model.
-
公开(公告)号:US20160364568A1
公开(公告)日:2016-12-15
申请号:US15247154
申请日:2016-08-25
摘要: Methods, media, and systems for detecting an anomalous sequence of function calls are provided. The methods can include compressing a sequence of function calls made by the execution of a program using a compression model; and determining the presence of an anomalous sequence of function calls in the sequence of function calls based on the extent to which the sequence of function calls is compressed. The methods can further include executing at least one known program; observing at least one sequence of function calls made by the execution of the at least one known program; assigning each type of function call in the at least one sequence of function calls made by the at least one known program a unique identifier; and creating at least part of the compression model by recording at least one sequence of unique identifiers.
-
公开(公告)号:US09450979B2
公开(公告)日:2016-09-20
申请号:US14185175
申请日:2014-02-20
CPC分类号: G06F21/566 , G06F11/08 , G06F11/3688 , G06F2221/033 , G06N7/005 , H04L63/1425
摘要: Methods, media, and systems for detecting an anomalous sequence of function calls are provided. The methods can include compressing a sequence of function calls made by the execution of a program using a compression model; and determining the presence of an anomalous sequence of function calls in the sequence of function calls based on the extent to which the sequence of function calls is compressed. The methods can further include executing at least one known program; observing at least one sequence of function calls made by the execution of the at least one known program; assigning each type of function call in the at least one sequence of function calls made by the at least one known program a unique identifier; and creating at least part of the compression model by recording at least one sequence of unique identifiers.
-
6.发明申请公开(公告)号:US20150058982A1
公开(公告)日:2015-02-26
申请号:US13987690
申请日:2013-08-20
IPC分类号: H04L29/06
CPC分类号: H04L63/1425 , G06F17/30914
摘要: A method for unsupervised anomaly detection, which are algorithms that are designed to process unlabeled data. Data elements are mapped to a feature space which is typically a vector space d. Anomalies are detected by determining which points lies in sparse regions of the feature space. Two feature maps are used for mapping data elements to a feature apace. A first map is a data-dependent normalization feature map which we apply to network connections. A second feature map is a spectrum kernel which we apply to system call traces.
摘要翻译: 一种用于无监督异常检测的方法,它们是用于处理未标记数据的算法。 数据元素被映射到通常是向量空间d的特征空间。 通过确定哪些点位于特征空间的稀疏区域来检测异常。 两个特征图用于将数据元素映射到特征空间。 第一张地图是我们适用于网络连接的依赖于数据的规范化特征图。 第二个特征图是我们应用于系统调用轨迹的频谱内核。
-
7.发明授权Systems, methods, and media for detecting network anomalies using a trained probabilistic model 有权使用训练有素的概率模型检测网络异常的系统,方法和媒体公开(公告)号:US08844033B2
公开(公告)日:2014-09-23
申请号:US12994550
申请日:2009-05-27
CPC分类号: H04L63/1425 , H04L63/1416 , H04L63/1466 , H04L67/02 , H04L69/16
摘要: Systems, methods, and media for detecting network anomalies are provided. In some embodiments, a training dataset of communication protocol messages having argument strings is received. The content and structure associated with each of the argument strings is determined and a probabilistic model is trained using the determined content and structure of each of the argument strings. A communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network is received. The received communication protocol message is compared to the probabilistic model and then it is determined whether the communication protocol message is anomalous.
摘要翻译: 提供了检测网络异常的系统,方法和介质。 在一些实施例中,接收具有参数串的通信协议消息的训练数据集。 确定与每个参数串相关联的内容和结构,并且使用确定的每个参数串的内容和结构来训练概率模型。 接收具有通过计算机网络从第一处理器发送到第二处理器的参数串的通信协议消息。 将接收到的通信协议消息与概率模型进行比较,然后确定通信协议消息是否是异常的。
-
8.发明授权Methods, systems, and media for masquerade attack detection by monitoring computer user behavior 有权通过监控计算机用户行为进行伪装攻击检测的方法,系统和媒体公开(公告)号:US08769684B2
公开(公告)日:2014-07-01
申请号:US12628587
申请日:2009-12-01
CPC分类号: H04L63/1416 , G06F21/50 , G06F21/55 , G06F21/552 , G06F21/554 , G06F21/566 , H04L29/06884 , H04L29/06897 , H04L63/1408 , H04L63/1425 , H04L63/1491
摘要: Methods, systems, and media for masquerade attack detection by monitoring computer user behavior are provided. In accordance with some embodiments, a method for detecting masquerade attacks is provided, the method comprising: monitoring a first plurality of user actions and access of decoy information in a computing environment; generating a user intent model for a category that includes at least one of the first plurality of user actions; monitoring a second plurality of user actions; comparing the second plurality of user actions with the user intent model by determining deviation from the generated user intent model; identifying whether the second plurality of user actions is a masquerade attack based at least in part on the comparison; and generating an alert in response to identifying that the second plurality of user actions is the masquerade attack and in response to determining that the second plurality of user actions includes accessing the decoy information in the computing environment.
摘要翻译: 提供了通过监控计算机用户行为进行伪装攻击检测的方法,系统和媒体。 根据一些实施例,提供了一种用于检测伪装攻击的方法,所述方法包括:在计算环境中监视第一多个用户动作和诱捕信息的访问; 为包括所述第一多个用户动作中的至少一个的类别生成用户意图模型; 监视第二多个用户动作; 通过确定与所生成的用户意图模型的偏差来比较第二多个用户动作与用户意图模型; 至少部分地基于所述比较来识别所述第二多个用户动作是否是伪装攻击; 以及响应于识别所述第二多个用户动作是所述伪装攻击而响应于响应于确定所述第二多个用户动作包括访问所述计算环境中的诱饵信息而产生警报。
-
9.发明授权Methods, media, and systems for detecting an anomalous sequence of function calls 有权用于检测函数调用异常顺序的方法,介质和系统公开(公告)号:US08694833B2
公开(公告)日:2014-04-08
申请号:US13942632
申请日:2013-07-15
IPC分类号: G06F11/00
CPC分类号: G06F21/566 , G06F11/08 , G06F11/3688 , G06F2221/033 , G06N7/005 , H04L63/1425
摘要: Methods, media, and systems for detecting an anomalous sequence of function calls are provided. The methods can include compressing a sequence of function calls made by the execution of a program using a compression model; and determining the presence of an anomalous sequence of function calls in the sequence of function calls based on the extent to which the sequence of function calls is compressed. The methods can further include executing at least one known program; observing at least one sequence of function calls made by the execution of the at least one known program; assigning each type of function call in the at least one sequence of function calls made by the at least one known program a unique identifier; and creating at least part of the compression model by recording at least one sequence of unique identifiers.
摘要翻译: 提供了用于检测函数调用异常序列的方法,介质和系统。 该方法可以包括通过使用压缩模型来压缩由程序执行所产生的函数调用序列; 以及基于函数调用序列被压缩的程度来确定功能调用序列中函数调用的异常序列的存在。 所述方法还可以包括执行至少一个已知程序; 观察由所述至少一个已知节目的执行而进行的至少一个函数调用序列; 在由所述至少一个已知程序进行的所述至少一个功能调用序列中分配每种类型的功能调用唯一标识符; 以及通过记录至少一个唯一标识符序列来创建所述压缩模型的至少一部分。
-
公开(公告)号:US20130326332A1
公开(公告)日:2013-12-05
申请号:US13900912
申请日:2013-05-23
申请人: Suhit Gupta , Gail Kaiser , Salvatore J. Stolfo
发明人: Suhit Gupta , Gail Kaiser , Salvatore J. Stolfo
IPC分类号: G06F17/22
CPC分类号: G06F17/2247 , G06F17/30864 , G06F17/30908 , G06F17/30914
摘要: Systems and methods are presented for content extraction from markup language text. The content extraction process may parse markup language text into a hierarchical data model and then apply one or more filters. Output filters may be used to make the process more versatile. The operation of the content extraction process and the one or more filters may be controlled by one or more settings set by a user, or automatically by a classifier. The classifier may automatically enter settings by classifying markup language text and entering settings based on this classification. Automatic classification may be performed by clustering unclassified markup language texts with previously classified markup language texts.
摘要翻译: 介绍了从标记语言文本中提取内容的系统和方法。 内容提取过程可以将标记语言文本解析成分层数据模型,然后应用一个或多个过滤器。 输出滤波器可用于使该过程更加通用。 内容提取处理和一个或多个过滤器的操作可以由用户设置的一个或多个设置或由分类器自动地控制。 分类器可以通过分类标记语言文本并基于此分类输入设置来自动输入设置。 可以通过将未分类的标记语言文本与先前分类的标记语言文本进行聚类来执行自动分类。
-
-
-
-
-
-
-
-
-
搜索结果
99 条记录 (耗时 0.045 秒)
