-
Publication No.: US12130909B1
Publication Date: 2024-10-29
Application No.: US17063618
Filing Date: 2020-10-05
Applicant: FireEye, Inc.
Inventor: Steven Antonio Ross , Ai Quoc Duong , Larry Alan King , John Patrick Young
CPC classification number: G06F21/552 , G06F21/561
Abstract: A method performed by an enterprise search system to conduct an automated, computerized search for select operational attributes of a plurality of network devices is shown. The method comprises initiating the search via a user interface based on receipt of input information, which is used to form a query. The method then determines, based on the query, one or more audits, each specifying one or more tasks to be performed by at least a first network device to search for the select operational attributes. Subsequently, the method makes the one or more audits available to the first network device via a network, and receives, from the first network device, one or more responses to the query. The method may include generating one or more filter conditions to apply to results of executing the one or more tasks to yield the select operational attributes when included in the results.
-
Publication No.: US20240354404A1
Publication Date: 2024-10-24
Application No.: US18302354
Filing Date: 2023-04-18
Applicant: Arm Limited
Inventor: Dominic Phillip Mulligan , Brendan James Moran , Michael Bartling , Matthias Lothar Boettcher
CPC classification number: G06F21/554 , G06F21/53 , G06F21/552
Abstract: A method to mitigate an attack initiated by a malicious actor by migration of the attacked process is provided. The method includes monitoring a process being executed from a first computing location on a computing device for a trigger indicating a potential attack and detecting the trigger indicating the potential attack. Responsive to detecting the trigger indicating the potential attack, the method initiates an attack countermeasure by migrating the process to execute in a second computing location isolated from the first computing location, thereby breaking access to information at the first computing location. A computing device is also provided that includes a processor, a memory, and instructions stored on the memory that, when executed by the processor, direct the computing device to monitor a process being executed from a first computing location on the computing device for a trigger indicating a potential attack and detect the trigger indicating the potential attack.
-
Publication No.: US12126636B2
Publication Date: 2024-10-22
Application No.: US17137193
Filing Date: 2020-12-29
Applicant: Darktrace Limited
Inventor: Tom Dean , Jack Stockdale
CPC classification number: H04L63/1425 , G06F21/552 , H04L63/1441
Abstract: Disclosed herein is a method for use in detection of anomalous behavior of a device of a computer system. The method is arranged to be performed by a processing system. The method includes deriving values, m1, . . . , mN, of a metric, M, representative of data associated with the device; modeling a distribution of the values; and determining, in accordance with the distribution of the values, the probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability is used to determine whether the device is behaving anomalously. Also disclosed is an equivalent computer readable medium and anomalous behavior detection system.
-
Publication No.: US12124570B2
Publication Date: 2024-10-22
Application No.: US17392449
Filing Date: 2021-08-03
Applicant: VMWARE, INC.
CPC classification number: G06F21/552 , G06F21/554 , G06F21/565 , G06F21/566
Abstract: Example methods are provided to build a smart file reputation cache at a cloud, and to provide the smart file reputation cache to an antivirus (AV) endpoint such as a virtualized computing instance in a virtualized computing environment. Training techniques can be used to build the smart file reputation cache at the cloud, based on information learned from existing AV endpoints and a management server. The smart file reputation can then be provided to newly installed AV endpoints for local access, instead of the AV endpoints sending file reputation requests to the cloud.
-
Publication No.: US20240338436A1
Publication Date: 2024-10-10
Application No.: US18574401
Filing Date: 2021-07-02
Applicant: NEC Corporation
Inventor: Daichi Hasumi
IPC: G06F21/55
CPC classification number: G06F21/552
Abstract: A log generation apparatus includes an input operation log collection unit that collects input operation logs in which an operation event of an input device is recorded; an information log collection unit that collects information logs in which a process event related to processing performed by an information apparatus connected to the input device is recorded, the information logs being different from the input operation logs; and a generation unit that generates, based on the information logs and the input operation logs, a user operation log including identification information of an application, the application being one which is inferred from the input operation logs and for which the processing is performed, and generates, as a log group for detecting an abnormality, a user operation log group including the user operation logs arranged in an order according to times of occurrences of operation events or process events.
-
Publication No.: US12111937B2
Publication Date: 2024-10-08
Application No.: US18187332
Filing Date: 2023-03-21
Applicant: Hewlett Packard Enterprise Development LP
Inventor: Geoffrey Ndu , Nigel John Edwards
CPC classification number: G06F21/577 , G06F21/54 , G06F21/552 , G06F21/566 , G06F21/572 , G06F2221/034
Abstract: A technique includes an operating system agent of a computer system monitoring a process to detect whether an integrity of the process has been compromised. The monitoring includes the operating system agent scanning a data structure. The process executes in a user space, and the data structure is part of an operating system kernel space. The technique includes a hardware controller of the computer system listening for a heartbeat that is generated by the operating system agent. The hardware controller takes a corrective action in response to at least one of the hardware controller detecting an interruption of the heartbeat, or the operating system agent communicating to the hardware controller a security alert for the process.
-
Publication No.: US12111919B2
Publication Date: 2024-10-08
Application No.: US17464413
Filing Date: 2021-09-01
Applicant: Fortinet, Inc.
Inventor: Sameer T. Khanna
IPC: G06F21/55 , G06F18/24 , G06F21/31 , G06F21/62 , G06F40/242 , G06F40/279 , G06F40/284 , G06V10/56 , G06V10/764 , G06V10/776 , G06V40/20 , H04L9/40 , H04L43/045 , G06F40/205
CPC classification number: G06F21/552 , G06F18/24 , G06F21/316 , G06F21/6218 , G06F40/242 , G06F40/279 , G06F40/284 , G06V10/56 , G06V10/764 , G06V10/776 , G06V40/20 , H04L43/045 , H04L63/1416 , H04L63/1425 , G06F40/205
Abstract: Systems, devices, and methods are discussed for identifying possible improper file accesses by an endpoint device. In some cases an agent is placed on each system to be surveilled that records the absolute paths for each file accessed for each user. This information may be accumulated and sent to a central server or computer for analysis of all such file accesses on a user basis. In some cases, a file access tree is created, and in some implementations it may be pruned of branches and leaves if they are deemed to be duplicates of, or very similar to, other branches and leaves via a Levenshtein distance threshold. The resulting tree's edges may be scaled in particular implementations based on the deviation of a user's file accesses from their sphere of permissions. A variance metric may be computed from the final tree's form to capture the user's access patterns.
-
Publication No.: US20240330445A1
Publication Date: 2024-10-03
Application No.: US18332376
Filing Date: 2023-06-09
Applicant: Microsoft Technology Licensing, LLC
Inventor: Shalom Shay SHAVIT , Ram Haim PLISKIN , Daniel DAVRAEV
CPC classification number: G06F21/554 , G06F21/552 , G06F21/562
Abstract: Malicious activity detection is enabled for cloud computing platforms. A first log comprising a record of a first control plane operation executed by a cloud application associated with an entity is obtained. A plurality of second logs, each comprising a record of a respective second control plane operation executed in association with the entity, is obtained. A first property set is generated based on the first log and a second property set is generated based on the plurality of second logs. A malicious activity score indicative of a degree to which the first control plane operation is anomalous with respect to the entity is determined based on the first property set and the second property set. A determination that the first control plane operation potentially corresponds to malicious activity is made based on the malicious activity score and a security alert is generated.
-
Publication No.: US20240330440A1
Publication Date: 2024-10-03
Application No.: US18738285
Filing Date: 2024-06-10
Applicant: Proofpoint, Inc.
Inventor: Alex Kortney , Nir Barak
CPC classification number: G06F21/552 , G06F21/54 , G06F2221/2101
Abstract: A system monitors access to a computer file via a dynamically changeable non-heterogeneous collection load balanced across two hash tables. User activity is monitored on a target device to detect a user entered pattern including a wildcard character, selects one of the two hash tables, and calculates an index for the selected hash table based on the user entered pattern. The index is used to access the selected hash table to receive a stored pattern. The hash tables each have a plurality of entries, and each entry includes a list of one or more patterns that have the same hash index but different pattern values sorted by length in characters from longest to shortest. The first hash table is a direct hash table, and the second hash table is a reverse hash table.
-
Publication No.: US12105851B2
Publication Date: 2024-10-01
Application No.: US17486288
Filing Date: 2021-09-27
Applicant: Hewlett Packard Enterprise Development LP
Inventor: Debdipta Ghosh
CPC classification number: G06F21/64 , G06F8/65 , G06F21/552 , G06F21/566 , G06F21/602
Abstract: A system hash for each production system is generated. Each system hash includes a concatenation of a hardware hash and a software hash of each production system in the datacenter. A datacenter hash tree is created based on a combination of the system hashes. A test copy of the software hash of each of the production systems is created in respective test systems in the datacenter. In response to detecting a change in the datacenter hash tree, a modification in a system hash which resulted in the change is identified. The central copy of the software hash is compared with the test copy of the software hash. In response to a mismatch between the central copy and the test copy, occurrence of an unauthorized attack in a software of the production system is detected.
-