SYSTEM AND METHOD FOR ANOMALY DETECTION INTERPRETATION

    Publication No.: WO2022101722A1

    Publication Date: 2022-05-19

    Application No.: PCT/IB2021/059726

    Filing Date: 2021-10-21

    Abstract: A system and method for anomaly interpretation and mitigation. A method includes extracting at least one input feature vector from observation data related to an observation; applying an isolation forest to the at least one input feature vector, wherein the isolation forest includes a plurality of estimators, wherein each estimator is a decision tree, wherein the output of each estimator is a split-path of a plurality of split-paths, each split-path having a path-length and including a name and a corresponding value for a respective output feature of a plurality of output features; generating a mapping object based on the application of the isolation forest to the at least one feature vector, wherein the mapping object includes the plurality of split-paths; clipping the mapping object based on the path-length of each split-path; and determining at least one mitigation action based on the clipped mapping object.

    SYSTEM AND METHOD FOR INFERRING DEVICE MODEL BASED ON MEDIA ACCESS CONTROL ADDRESS

    Publication No.: WO2021224744A1

    Publication Date: 2021-11-11

    Application No.: PCT/IB2021/053648

    Filing Date: 2021-04-30

    Abstract: A system and method for inferring device models. The method includes determining block statistics for each block of a plurality of blocks of a plurality of media access control (MAC) addresses, the plurality of blocks having a plurality of respective prefixes, wherein the plurality of blocks are grouped based on commonalities among the plurality of respective prefixes; generating an aggregated statistical model for the plurality of blocks based on the plurality of MAC addresses and the block statistics, wherein each block is a string of digits included in one of the plurality of MAC addresses; and applying the aggregated statistical model to the block statistics of at least one block of the plurality of blocks in order to determine at least one inferred device model, wherein each of the at least one block is grouped into the same group.

    TECHNIQUES FOR SECURING NETWORK ENVIRONMENTS BY IDENTIFYING DEVICE ATTRIBUTES BASED ON STRING FIELD CONVENTIONS

    Publication No.: WO2022259111A1

    Publication Date: 2022-12-15

    Application No.: PCT/IB2022/055209

    Filing Date: 2022-06-03

    Abstract: A system and method for identifying device attributes based on string field conventions. A method includes applying at least one machine learning model to an application data set extracted based on a first string indicated in a field of device data corresponding to a device, wherein each of the at least one machine learning model is trained based on a training data set including a plurality of second strings and a plurality of device attribute labels, wherein each device attribute label corresponds to a respective second string of the plurality of second strings, wherein each of the at least one machine learning model is configured to output a predicted device attribute for the device based on the first string; and identifying, based on the output of the at least one machine learning model, a device attribute of the device.

    SYSTEM AND METHOD FOR DETECTION OF ABNORMAL DEVICE TRAFFIC BEHAVIOR

    Publication No.: WO2022208350A1

    Publication Date: 2022-10-06

    Application No.: PCT/IB2022/052894

    Filing Date: 2022-03-29

    Abstract: A system and method for detecting abnormal device traffic behavior. The method includes creating a baseline clustering model for a device based on a training data set including traffic data for the device, wherein the baseline clustering model includes a plurality of clusters, each cluster representing a discrete state and including a plurality of first data points of the training data set; sampling a plurality of second data points with respect to windows of time in order to create at least one sample, each sample including at least a portion of the plurality of second data points, wherein the plurality of second data points are related to traffic involving the device; and detecting anomalous traffic behavior of the device based on the at least one sample and the baseline clustering model.

    TECHNIQUES FOR VALIDATING MACHINE LEARNING MODELS

    Publication No.: WO2023275755A1

    Publication Date: 2023-01-05

    Application No.: PCT/IB2022/056012

    Filing Date: 2022-06-28

    Abstract: A system and method for machine learning model validation. A method includes: determining a first score distribution for a first run of a machine learning model and a second score distribution for a second run of the machine learning model, wherein the first run includes applying the machine learning model to a first test dataset, wherein the second run includes applying the machine learning model to a second test dataset, wherein the second test dataset is collected after the first test dataset; comparing the first score distribution to the second score distribution; determining, based on the comparison, whether the machine learning model is validated; continuing use of the machine learning model when it is determined that the machine learning model is validated; and performing at least one rehabilitative action with respect to the machine learning model when it is determined that the machine learning model is not validated.

    SYSTEM AND METHOD FOR SECURING NETWORKS BASED ON CATEGORICAL FEATURE DISSIMILARITIES

    Publication No.: WO2022162530A1

    Publication Date: 2022-08-04

    Application No.: PCT/IB2022/050643

    Filing Date: 2022-01-25

    Abstract: A system and method for detecting deviations from baseline behavior patterns for categorical features. A method includes determining a first discrete probability distribution for a categorical variable based on a first set of network activity data; determining a second discrete probability distribution for a unique observation based on a second set of network activity data; comparing the second discrete probability distribution to the first discrete probability distribution by applying a distance function to the first and second discrete probability distributions, wherein an output of the distance function is a scalar value representing a difference between the first and second discrete probability distributions; determining whether the scalar value is above a threshold; detecting an anomaly with respect to the categorical variable when the scalar value is above the threshold; and determining that a behavior with respect to the categorical variable is normal when the scalar value is not above the threshold.

    SYSTEM AND METHOD FOR INFERRING DEVICE TYPE BASED ON PORT USAGE

    Publication No.: WO2023084371A1

    Publication Date: 2023-05-19

    Application No.: PCT/IB2022/060648

    Filing Date: 2022-11-04

    Abstract: A system and method for inferring device types. A method includes selecting a device type inference model from among a plurality of device type inference models based on a manufacturer of a device, wherein each device type inference model corresponds to a respective manufacturer and is trained using training data of devices manufactured by the respective manufacturer, wherein each device type inference model is trained to output a device type prediction; and determining an inferred device type for the device, wherein determining the inferred device type for the device further comprises applying the selected device type inference model to a plurality of features, wherein the plurality of features is extracted from device activity data indicating ports used by the device and at least one volume of traffic communicated via each port used by the device.

    TECHNIQUES FOR ENRICHING DEVICE PROFILES AND MITIGATING CYBERSECURITY THREATS USING ENRICHED DEVICE PROFILES

    Publication No.: WO2023047206A1

    Publication Date: 2023-03-30

    Application No.: PCT/IB2022/057676

    Filing Date: 2022-08-16

    Abstract: Systems and methods for device profile enrichment. A method includes determining a plurality of distributions of device attributes with respect to a plurality of fields of a predefined device profile schema; generating a plurality of inference rules based on the plurality of distributions of device attributes, wherein each inference rule indicates at least one required device attribute and at least one inferred device attribute; creating an ordered set of inference rules including the plurality of inference rules organized with respect to a plurality of scores, each score corresponding to one of the plurality of inference rules, wherein the score for each inference rule is determined based on the at least one required device attribute of the inference rule; and enriching at least one device profile by iterating the ordered set of inference rules, wherein enriching a device profile includes adding at least one device attribute value to the device profile.

    TECHNIQUES FOR VALIDATING FEATURES FOR MACHINE LEARNING MODELS

    Publication No.: WO2023275754A1

    Publication Date: 2023-01-05

    Application No.: PCT/IB2022/056011

    Filing Date: 2022-06-28

    Abstract: A system and method for machine learning feature validation. A method includes: performing statistical testing on a plurality of pairs of features, each pair of features including a test feature of a plurality of test features extracted from a first data set and a corresponding training feature extracted from a second data set during a training phase for a machine learning model, wherein the statistical testing is performed under a null hypothesis that the first data set and the second data set are drawn from a same continuous distribution, wherein performing the statistical testing further comprises determining a degree to which each test feature of the plurality of pairs of features deviates from the corresponding training feature; and determining, based on the degree to which each test feature of the plurality of pairs of features deviates from the corresponding training feature, whether the plurality of test features is validated.