公开(公告)号：US10454790B2

公开(公告)日：2019-10-22

申请号：US15935407

申请日：2018-03-26

Applicant: Verint Systems Ltd.

Inventor： Eithan Goldfarb ,  Yuval Altman ,  Naomi Frid ,  Gur Yaari

IPC: H04L12/26 ,  H04L29/06

Abstract: Methods and systems for analyzing flows of communication packets. A front-end processor associates input packets with flows and forwards each flow to the appropriate unit, typically by querying a flow table that holds a respective classification for each active flow. In general, flows that are not yet classified are forwarded to the classification unit, and the resulting classification is entered in the flow table. Flows that are classified as requested for further analysis are forwarded to an appropriate flow analysis unit. Flows that are classified as not requested for analysis are not subjected to further processing, e.g., discarded or allowed to pass.

公开(公告)号：US20180278636A1

公开(公告)日：2018-09-27

申请号：US15924859

申请日：2018-03-19

Applicant: Verint Systems, Ltd.

Inventor： Yuval Altman ,  Assaf Yosef Keren ,  Ido Krupkin

IPC: H04L29/06 ,  G06N99/00

CPC classification number: H04L63/1425 ,  G06N20/00 ,  H04L63/1441 ,  H04L63/145

Abstract: Malware detection techniques that detect malware by identifying the C&C communication between the malware and the remote host, and distinguish between communication transactions that carry C&C communication and transactions of innocent traffic. The system distinguishes between malware transactions and innocent transactions using malware identification models, which it adapts using machine learning algorithms. However, the number and variety of malicious transactions that can be obtained from the protected network are often too limited for effectively training the machine learning algorithms. Therefore, the system obtains additional malicious transactions from another computer network that is known to be relatively rich in malicious activity. The system is thus able to adapt the malware identification models based on a large number of positive examples—The malicious transactions obtained from both the protected network and the infected network. As a result, the malware identification models are adapted with high speed and accuracy.

公开(公告)号：US20150026809A1

公开(公告)日：2015-01-22

申请号：US14337341

申请日：2014-07-22

Applicant: Verint Systems, Ltd.

Inventor： Yuval Altman ,  Assaf Yosef Keren

IPC: H04L29/06

CPC classification number: H04L63/1483 ,  H04L63/1416 ,  H04L63/145

Abstract: A malware detection system analyzes communication traffic to and/or from a certain host. The malware detection system uses the mismatch between host name and IP address to assign a quantitative score, which is indicative of the probability that the host is malicious. The system may use this score, for example, in combination with other indications, to decide whether the host in question is malicious or innocent. The overall decision may use, for example, a rule engine, machine learning techniques or any other suitable means. The malware detection system may also analyze alerts regarding hosts that are suspected of being malicious. The alerts may originate, for example, from Command & Control (C&C) detection, from an Intrusion Detection System (IDS), or from any other suitable source. A given alert typically reports a name of the suspected host and an IP address that allegedly belongs to that host.

Abstract translation: 恶意软件检测系统分析与/或来自某个主机的通信流量。 恶意软件检测系统使用主机名和IP地址之间的不匹配来分配定量分数，这表示主机是恶意的概率。 该系统可以使用该分数，例如，结合其他指示来确定所讨论的主机是恶意的还是无辜的。 总体决定可以使用例如规则引擎，机器学习技术或任何其他合适的手段。 恶意软件检测系统还可以分析有关怀疑是恶意的主机的警报。 警报可能起源于例如Command＆Control（C＆C）检测，入侵检测系统（IDS）或任何其他合适的来源。 给定的警报通常报告可疑主机的名称和据称属于该主机的IP地址。

公开(公告)号：US20130347114A1

公开(公告)日：2013-12-26

申请号：US13874339

申请日：2013-04-30

Applicant: Verint Systems Ltd.

Inventor： Yuval Altman ,  Assaf Yosef Kere ,  Ido Krupkin ,  Pinhas Rozenblum

IPC: G06F21/56

CPC classification number: G06F21/56 ,  G06F21/52 ,  G06F21/566 ,  H04L63/1425

Abstract: Systems and methods for malware detection techniques, which detect malware by identifying the C&C communication between the malware and the remote host. In particular, the disclosed techniques distinguish between request-response transactions that carry C&C communication and request-response transactions of innocent traffic. Individual request-response transactions may be analyzed rather than entire flows, and fine-granularity features examined within the transactions. As such, these methods and systems are highly effective in distinguishing between malware C&C communication and innocent traffic, i.e., in detecting malware with high detection probability and few false alarms.

Abstract translation: 用于恶意软件检测技术的系统和方法，通过识别恶意软件和远程主机之间的C＆C通信来检测恶意软件。 特别地，所公开的技术区分携带C＆C通信和无辜流量的请求 - 响应交易的请求 - 响应事务。 可以分析单独的请求 - 响应事务，而不是整个流程，以及在事务中检查的细粒度特征。 因此，这些方法和系统在区分恶意软件C＆C通信和无害流量（即，以高检测概率和少量虚假警报）检测恶意软件方面是非常有效的。

公开(公告)号：US11038907B2

公开(公告)日：2021-06-15

申请号：US15924859

申请日：2018-03-19

Applicant: Verint Systems, Ltd.

Inventor： Yuval Altman ,  Assaf Yosef Keren ,  Ido Krupkin

IPC: H04L29/06 ,  G06N20/00

Abstract: Malware detection techniques that detect malware by identifying the C&C communication between the malware and the remote host, and distinguish between communication transactions that carry C&C communication and transactions of innocent traffic. The system distinguishes between malware transactions and innocent transactions using malware identification models, which it adapts using machine learning algorithms. However, the number and variety of malicious transactions that can be obtained from the protected network are often too limited for effectively training the machine learning algorithms. Therefore, the system obtains additional malicious transactions from another computer network that is known to be relatively rich in malicious activity. The system is thus able to adapt the malware identification models based on a large number of positive examples—The malicious transactions obtained from both the protected network and the infected network. As a result, the malware identification models are adapted with high speed and accuracy.

公开(公告)号：US20160197796A1

公开(公告)日：2016-07-07

申请号：US14989075

申请日：2016-01-06

Applicant: Verint Systems Ltd.

Inventor： Eithan Goldfarb ,  Yuval Altman ,  Naomi Frid ,  Gur Yaari

IPC: H04L12/26

CPC classification number: H04L43/026 ,  H04L43/04 ,  H04L63/0227 ,  H04L63/1416 ,  H04L63/1441 ,  H04L63/30 ,  H04L63/306

Abstract: Methods and systems for analyzing flows of communication packets. A front-end processor associates input packets with flows and forwards each flow to the appropriate unit, typically by querying a flow table that holds a respective classification for each active flow. In general, flows that are not yet classified are forwarded to the classification unit, and the resulting classification is entered in the flow table. Flows that are classified as requested for further analysis are forwarded to an appropriate flow analysis unit. Flows that are classified as not requested for analysis are not subjected to further processing, e.g., discarded or allowed to pass.

Abstract translation: 用于分析通信包流的方法和系统。 前端处理器将输入分组与流相关联，并将每个流转发到适当的单元，通常通过查询为每个活动流保存相应分类的流表。 一般来说，尚未分类的流量被转发到分类单元，并且所得到的分类被输入到流程表中。 被分类为进一步分析的流量被转发到适当的流量分析单元。 分类为不要求进行分析的流量不经过进一步处理，例如丢弃或允许通过。

公开(公告)号：US09386028B2

公开(公告)日：2016-07-05

申请号：US14060933

申请日：2013-10-23

Applicant: Verint Systems Ltd.

Inventor： Yuval Altman

IPC: G06F11/00 ,  G06F12/14 ,  G06F12/16 ,  G08B23/00 ,  H04L29/06 ,  G06F21/56 ,  G06F21/55

CPC classification number: H04L63/1408 ,  G06F21/554 ,  G06F21/561 ,  G06F21/564 ,  H04L63/1416 ,  H04L63/145 ,  H04L2463/144

Abstract: Methods and systems for malware detection techniques, which detect malware by identifying the Command and Control (C&C) communication between the malware and the remote host, and distinguish between communication transactions that carry C&C communication and transactions of innocent traffic. The fine-granularity features are examined, which are present in the transactions and are indicative of whether the transactions are exchanged with malware. A feature comprises an aggregated statistical property of one or more features of the transactions, such as average, sum median or variance, or of any suitable function or transformation of the features.

Abstract translation: 用于恶意软件检测技术的方法和系统，通过识别恶意软件和远程主机之间的命令和控制（C＆C）通信来检测恶意软件，并区分进行C＆C通信的通信事务和无害流量的交易。 检查细粒度特征，这些功能存在于交易中，并指示交易是否与恶意软件交换。 特征包括交易的一个或多个特征的聚合统计特性，例如平均值，中值或方差，或任何合适的函数或特征的变换。

公开(公告)号：US20140359761A1

公开(公告)日：2014-12-04

申请号：US14295758

申请日：2014-06-04

Applicant: Verint Systems, Ltd.

Inventor： Yuval Altman ,  Assaf Yosef Keren ,  Ido Krupkin

IPC: H04L29/06

CPC classification number: H04L63/1425 ,  G06N99/005 ,  H04L63/1441 ,  H04L63/145

Abstract: Malware detection techniques that detect malware by identifying the C&C communication between the malware and the remote host, and distinguish between communication transactions that carry C&C communication and transactions of innocent traffic. The system distinguishes between malware transactions and innocent transactions using malware identification models, which it adapts using machine learning algorithms. However, the number and variety of malicious transactions that can be obtained from the protected network are often too limited for effectively training the machine learning algorithms. Therefore, the system obtains additional malicious transactions from another computer network that is known to be relatively rich in malicious activity. The system is thus able to adapt the malware identification models based on a large number of positive examples—The malicious transactions obtained from both the protected network and the infected network. As a result, the malware identification models are adapted with high speed and accuracy.

Abstract translation: 通过识别恶意软件和远程主机之间的C＆C通信来检测恶意软件的恶意软件检测技术，并区分进行C＆C通信的通信事务和无害流量的交易。 该系统使用恶意软件识别模型区分恶意软件事务和无害事务，它使用机器学习算法进行调整。 然而，可以从受保护的网络获得的恶意交易的数量和种类往往太有限，以有效地训练机器学习算法。 因此，系统从已知相对较丰富的恶意活动的另一计算机网络获得额外的恶意事务。 因此，该系统能够基于大量正面示例来适应恶意软件识别模型 - 从受保护网络和受感染网络获得的恶意交易。 因此，恶意软件识别模型以高速度和准确度进行了调整。

公开(公告)号：US20220038466A1

公开(公告)日：2022-02-03

申请号：US17221779

申请日：2021-04-03

Applicant: VERINT SYSTEMS LTD.

Inventor： Offri Gil ,  Omer Ziv ,  Yuval Altman ,  Yaron Gvilli ,  Hodaya Shabtay ,  Omri David ,  Yitshak Yishay

IPC: H04L29/06 ,  H04L29/12 ,  H04L9/06 ,  G06F16/951 ,  H04L29/08

Abstract: A traffic-monitoring system that monitors encrypted traffic exchanged between IP addresses used by devices and a network, and further receives the user-action details that are passed over the network. By correlating between the times at which the encrypted traffic is exchanged and the times at which the user-action details are received, the system associates the user-action details with the IP addresses. In particular, for each action specified in the user-action details, the system identifies one or more IP addresses that may be the source of the action. Based on the IP addresses, the system may identify one or more users who may have performed the action. The system may correlate between the respective action-times of the encrypted actions and the respective approximate action-times of the indicated actions. The system may hypothesize that the indicated action may correspond to one of the encrypted actions having these action-times.

公开(公告)号：US10999295B2

公开(公告)日：2021-05-04

申请号：US16823421

申请日：2020-03-19

Applicant: Verint Systems Ltd.

Inventor： Offri Gil ,  Omer Ziv ,  Yuval Altman ,  Yaron Gvili ,  Hodaya Shabtay ,  Omri David ,  Yitshak Yishay

IPC: H04L29/06 ,  H04L29/12 ,  H04L9/06 ,  G06F16/951 ,  H04L29/08

Abstract: A traffic-monitoring system that monitors encrypted traffic exchanged between IP addresses used by devices and a network, and further receives the user-action details that are passed over the network. By correlating between the times at which the encrypted traffic is exchanged and the times at which the user-action details are received, the system associates the user-action details with the IP addresses. In particular, for each action specified in the user-action details, the system identifies one or more IP addresses that may be the source of the action. Based on the IP addresses, the system may identify one or more users who may have performed the action. The system may correlate between the respective action-times of the encrypted actions and the respective approximate action-times of the indicated actions. The system may hypothesize that the indicated action may correspond to one of the encrypted actions having these action-times.