Abstract: Systems and methods for malware detection using multiple neural networks are provided. According to one embodiment, for each training sample, a supervised learning process is performed, including: (i) generating multiple code blocks of assembly language instructions by disassembling machine language instructions contained within the training sample; (ii) extracting dynamic features corresponding to each of the code blocks by executing each of the code blocks within a virtual environment; (iii) feeding each code block into a first neural network and the corresponding dynamic features into a second neural network; (iv) updating weights and biases of the neural networks based on whether the training sample was malware or benign; and (v) after processing a predetermined or configurable number of the training samples, the neural networks criticize each other and unify their respective weights and biases by exchanging their respective weights and biases and adjusting their respective weights and biases accordingly.
Abstract: Systems and methods for performing multi-feed classification of security events to facilitate automated IR orchestration are provided. According to one embodiment a cloud-based security service protecting a private network provides a plurality of data feeds, wherein each data feed of the plurality of data feeds independently classify a given security event and produce a classification result. In response to an event associated with a process of an endpoint device that is part of the private network an endpoint protection platform running on the endpoint device performs an initial classification of the event and transmits the classification result to the cloud-based security service for final classification.
Abstract: Systems and methods for a machine-learning based approach for dynamically generating incident-specific playbooks for a security orchestration and automated response (SOAR) platform are provided. The SOAR platform captures information regarding execution of a sequence of actions performed by analysts responsive to a first incident of a first type. The captured information is fed into a machine-learning model. When a second incident, observed by the SOAR platform, is similar in nature to the first incident or the first type a recommended sequence of actions is generated based on the machine-learning model for use by an analyst in connection with responding to the second incident. In response to rejection of the recommended sequence by the analyst, revising the recommended sequence based on input provided by the analyst and storing the revised recommendation sequence in a form of a revised playbook for response to subsequent incidents that are similar to the second incident.
Type:
Grant
Filed:
March 24, 2020
Date of Patent:
January 24, 2023
Assignee:
Fortinet, Inc.
Inventors:
Abhishek Narula, Christopher Carsey, Amit Jain, Pooja Singh
Abstract: Systems and methods are described for synergistically combining static file based detection and behavioral analysis to improve both threat detection time and accuracy. An endpoint security solution running on an endpoint device generates a static analysis score by performing a static file analysis on files associated with a process initiated on the endpoint device. When the static analysis score meets or exceeds a static analysis threshold, then a network security platform treats the process as malicious and blocks execution of the process. When the static analysis score is less than the static analysis threshold, then the endpoint security solution obtains a dynamic analysis score for the process. The network security platform treats the process as malicious and causes execution of the process to be blocked based on a function of the static analysis score and the dynamic analysis score.
Abstract: Systems and methods for improving the catch rate of attacks/malware by a cooperating group of network security devices are provided. According to one embodiment, a security management device configured in a protected network, maintains multiple dynamic IP address lists including an NGFW deep detection list, a DDoS deep detection list, a NGFW block list and a DDoS block list. The security management device, continuously updates the lists based on updates provided by a cooperating group of network security devices based on network traffic observed by the network security devices. In response to receipt of a request from a NGFW device or a DDoS mitigation device associated with the protected network, the security management device provides the requestor with the requested dynamic IP address lists for use in connection with processing network traffic by the requestor.
Abstract: One or more MSRP data packets are received from a first MSRP session and creates a first log entry. One or more MSRP data packets are also received from a second MSRP session and create a second log entry. A correlation between the first and second MSRP sessions based on MDNs can be detected, and mapped correlating information to malicious activity. The mapping includes reconstructing MSRP messages sent from a source and encapsulated in a data field of the packets, including MDNs, and matching to at least one threat from a malicious activity database. In response to the threat matching, to conduct a security action on the first and second MSRP sessions.
Abstract: A DNS (Domain Name Server) proxy is configured as a DNS server for clients on the enterprise network to send two or more DNS queries to collect each available IP addresses on a SDWAN member link. IP address collection can be responsive to receiving a DNS request from a client for assigning a FQDN (Fully Qualified Domain Name). Service quality can be evaluated for the service on each member link of the IP addresses. An IP address is assigned to the client based on the service quality evaluation. A notification is transmitted to the client in a DNS response to the IP address request, with the chosen IP address information for configuration.
Abstract: Systems and methods for automatically building up a VPN to facilitate full-mesh communication within an enterprise based on group and role settings of the participating network devices are provided. An SDWAN controller associated with a private network receives configuration information related to group setting and role setting for various network devices of the private network. The group setting indicates a group with which a network device is associated and the role setting specifies a role of the network device within the group as of either a hub or an edge. The SDWAN controller determines IPsec configuration information for generating VPN links between the network devices of the groups to enable full-mesh communication among the groups. The SDWAN controller further directs the network devices to set up IPsec tunnels by pushing the determined IPsec configuration information to the network devices.
Abstract: Systems and methods are described for automatically building up a VPN to facilitate full-mesh communication within a private network of an organization based on group and role settings of participating network devices. According to one embodiment, configuration information, including a group setting, indicating a group with which the particular network device is associated, and a role setting, specifying a role of the particular network device within the group as either a hub or an edge, is received by an SDWAN controller associated with the private network for each network device of the private network. Based on the configuration information, IPsec configuration information is determined for establishment of VPN links between a hub of each group and one or more edges of the group. Full-mesh communication among the groups is enabled by causing the hubs to set up IPsec tunnels between each pair of hubs based on the IPsec configuration information.
Abstract: Systems and methods for a machine learning based approach for identification of malware using static analysis and a machine-learning based automatic clustering of malware are provided. According to various embodiments of the present disclosure, a processing resource of a computer system receives a potential malware sample. A plurality of feature vectors is extracted from the potential malware sample and is converted into an input vector. A byte sequence is generated by walking a plurality of decision trees based on the input vector. Further, a hash value for the byte sequence is calculated and a determination is made regarding whether the hash value matches a malware hash value of a plurality of malware hash values corresponding to a known malware sample. Upon said determination being affirmative, the potential malware sample is classified as malware and is associated with a malware family of the known malware sample.
Abstract: Each of the plurality of stations connected to the access point can be profiled to determine device type, and determine a listen interval for each of the plurality of stations based on the device prioritization model based on DTIM periods of the plurality of stations. Delivery of multicast packets is prioritized from the enterprise network destined for a low power device multicast group on the Wi-Fi network and to prioritize delivery of unicast packets for low power device multicast group. The messages are transmitted to the stations over the Wi-Fi network according to the assigned listen interval.
Abstract: Multi-level machine learning models can be generated from the captured log events. Outcomes are predicted for input events in real-time. The captured log events are received and parsed to expose event outcome data. A first data set is generated by determining whether an outcome associated with the event outcome data was a success or a failure. Responsive to a failed event outcome, a second data set is generated by categorizing the failed event outcome, to train multiple level SVMs for prediction of Wi-Fi input events and automatic remediation of Wi-Fi issues.
Abstract: Muted 6 GHz stations on the Wi-Fi network within the plurality of stations on a first access point within the plurality of access points are assigned to a first access point from the plurality of access points associated with a list of non-overlapping 6 GHz channels, responsive to an RSSI value between the at least one 6 GHz station and the first access point. To do so, a channel switch announcement is unicast to the at least one muted 6 GHz station. The channel switch announcement is associated with a non-overlapping 6 GHz channel of the first access point. The remaining stations connected to the first access point are deauthenticated.
Abstract: Systems and methods for adaptively provisioning a distributed event data store of a multi-tenant architecture are provided. According to one embodiment, a managed security service provider (MSSP) maintains a distributed event data store on behalf of each tenant of the MSSP. For each tenant, the MSSP periodically determines a provisioning status for a current active partition of the distributed event data store of the tenant. Further, when the determining indicates an under-provisioning condition exits, the MSSP dynamically increases number of resource provision units (RPUs) to be used for a new partition to be added to the partitions for the tenant by a first adjustment ratio. While, when the determining indicates an over-provisioning condition exists, the MSSP dynamically decreases the number of RPUs to be used for subsequent partitions added to the partitions for the tenant by a second adjustment ratio.
Abstract: Systems and methods are for securing link aggregation are provided. According to an embodiment, a network device in a secure domain discovers device information associated with a peer network device in an untrusted domain that is connected through a first link directly connecting a first interface of the network device to a first interface of the peer network device, and authenticates the peer while allowing at least some network traffic to continue to be transmitted through the first interface. The network device establishes a secure session between the network device and the peer over the first link when the peer network device is successfully authenticated. The network device then allows the first link to operate as part of a single aggregated logical link, including a second link coupling a second interface of the network device to a second interface of the peer network device.
Type:
Grant
Filed:
September 30, 2020
Date of Patent:
December 20, 2022
Assignee:
Fortinet, Inc.
Inventors:
Joseph R. Mihelich, Xiao Hu, Amit Srivastav, Norman Cheng