-
Publication No.: US20240241945A1
Publication Date: 2024-07-18
Application No.: US18154758
Filing Date: 2023-01-13
Applicant: VMware, Inc.
Inventor: Lalit Prithviraj JAIN, Raghav BATTA, Jonathan James OLIVER, Anjali MANGAL
IPC: G06F21/55
CPC classification number: G06F21/552, G06F2221/034
Abstract: A method of correlating alerts that are generated by a plurality of endpoints includes the steps of: collecting alert data of alerts generated by the endpoints; for each endpoint, computing alert sequences based on the collected alert data; training a sequence-based model with the computed alert sequences, to generate a vector representation for each of the alerts; for each alert in a set of alerts generated during a first time period, acquiring a vector representation corresponding thereto, which has been generated by the sequence-based model; and applying a clustering algorithm to the vector representations of the alerts in the set of alerts to generate a plurality of clusters of correlated alerts.
-
Publication No.: US20250131084A1
Publication Date: 2025-04-24
Application No.: US18491593
Filing Date: 2023-10-20
Applicant: VMware, Inc.
Inventor: Jue MO, Aditya CHOUDHARY, Jonathan James OLIVER, Raghav BATTA, Lalit Prithviraj JAIN
Abstract: A computer system comprises a plurality of endpoints at which security agents generate security alerts and a machine-learning (ML) system that receives the security alerts from the endpoints and that separates the security alerts into a plurality of clusters, wherein the ML system is configured to execute on a processor of a hardware platform to: determine that a group of first alerts of the security alerts belongs to a first cluster of the clusters; create a first representative alert from metadata of the first alerts belonging to the first cluster; and in response to a security analytics platform evaluating the first representative alert as being harmless to the computer system, store information indicating that all of the first alerts are harmless.
-
Publication No.: US20240163307A1
Publication Date: 2024-05-16
Application No.: US17987483
Filing Date: 2022-11-15
Applicant: VMware, Inc.
Inventor: Aditya CHOUDHARY, Jonathan James OLIVER, Ritika SINGHAL, Shugao XIA, Raghav BATTA, Amit CHOPRA
IPC: H04L9/40
CPC classification number: H04L63/1441, H04L63/104, H04L63/1433
Abstract: A method of evaluating alerts generated by security agents installed in endpoints includes: receiving a locality-sensitive hash (LSH) value associated with an alert generated by a security agent installed in one of the endpoints; performing a search for centroids that are within a threshold distance from the received LSH value, wherein the centroids are each an LSH value that is representative of one of a plurality of groups of alerts; and assigning a security risk indicator to the alert associated with the received LSH value based on results of the search and transmitting the security risk indicator to a security analytics platform of the endpoints.
-
Publication No.: US20240152622A1
Publication Date: 2024-05-09
Application No.: US17984047
Filing Date: 2022-11-09
Applicant: VMware, Inc.
Inventor: Shugao XIA, Ritika SINGHAL, Jonathan James OLIVER, Raghav BATTA, Jue MO, Aditya CHOUDHARY
CPC classification number: G06F21/577, G06F21/552, G06F2221/034
Abstract: A method of scoring alerts generated by a plurality of endpoints includes the steps of: in response to a new alert generated by a first endpoint of the plurality of endpoints, generating an anomaly score of the new alert; identifying a rule that triggered the new alert and determining a threat score associated with the rule; and generating a security risk score for the new alert based on the anomaly score and the threat score and transmitting the security risk score to a security analytics platform of the endpoints.
-
Publication No.: US20250133093A1
Publication Date: 2025-04-24
Application No.: US18490643
Filing Date: 2023-10-19
Applicant: VMware, Inc.
Inventor: Jonathan James OLIVER, Raghav BATTA, Ioana Maria ANGHEL
Abstract: A computer system comprises a machine-learning (ML) system at which alerts are received from endpoints, wherein the ML system is configured to: upon receiving a first alert and a second alert, apply an ML model to the first and second alerts; based at least in part on the first alert being determined to belong to a first cluster of the ML system, classify the first alert into one of a plurality of alert groups, wherein alerts classified into a first alert group of the alert groups are assigned a higher priority for security risk evaluation than alerts classified into a second alert group of the alert groups; and based on the second alert being determined to not belong to any cluster of the ML system, analyze a chain of events that triggered the second alert to determine whether there is suspicious activity associated with the second alert.
-
Publication No.: US20240370533A1
Publication Date: 2024-11-07
Application No.: US18313191
Filing Date: 2023-05-05
Applicant: VMware, Inc.
Inventor: Shelly MEHTA, Lalit Prithviraj JAIN, Raghav BATTA, Jonathan James OLIVER
Abstract: A machine-learning (ML) platform at which alerts are received from endpoints and divided into a plurality of clusters, wherein a plurality of alerts in each of the clusters is labeled based on metrics of maliciousness determined at a security analytics platform, the plurality of alerts in each of the clusters representing a population diversity of the alerts, and wherein the ML platform is configured to execute on a processor of a hardware platform to: select an alert from a cluster for evaluation by the security analytics platform; transmit the selected alert to the security analytics platform, and then receive a determined metric of maliciousness for the selected alert from the security analytics platform; and based on the determined metric of maliciousness, label the selected alert and update a rate of selecting alerts from the cluster for evaluation by the security analytics platform.
-
Publication No.: US20240205245A1
Publication Date: 2024-06-20
Application No.: US18068484
Filing Date: 2022-12-19
Applicant: VMware, Inc.
Inventor: Ritika SINGHAL, Jonathan James OLIVER, Shugao XIA, Aditya CHOUDHARY, Raghav BATTA
CPC classification number: H04L63/1425, G06F9/45558, H04L63/1416, G06F2009/45587, G06F2009/45595
Abstract: A method of filtering out new alerts generated by a security agent installed in an endpoint is based on cluster profile data of clusters that were generated by applying a clustering algorithm to locality-sensitive hash (LSH) values of prior alerts. The method includes the steps of: storing cluster profile data of each cluster that is part of a subset of the clusters; generating an LSH value of a new alert generated by the security agent; and determining that the new alert belongs to one of the clusters in the subset based on the LSH value of the new alert and, in response to said determining, filtering out the new alert from a group of alerts that require further investigation.
-