Intrusion Detection Patents (Class 726/23)
- Patent number: 11716700
  Abstract: A base station determines a window of time for arrival of uplink signals, wherein the window of time includes a start based on a first expected time of arrival for a first uplink signal from a first UE and an end based on a second expected time of arrival for a second uplink signal from a second UE. The base station detects a false base station, such as a L1 man-in-the-middle false base station, based on an uplink signal being received outside of the determined window of time for the arrival of uplink signals.
  Type: Grant
  Filed: October 27, 2022
  Date of Patent: August 1, 2023
  Assignee: QUALCOMM Incorporated
  Inventors: Ravi Agarwal, Gavin Bernard Horn, Naga Bhushan
- Patent number: 11711386
  Abstract: An electronic device is disclosed, which is connectable with a CAN bus or other broadcast network. The electronic device is programmed to compute expected periods and period variability metrics for historical accumulations of messages for different message headers and to identify periodic message headers based on the period variability metrics, and is further programmed to detect a temporal anomaly as a deviation of a period of a most recent set of two or more messages with a periodic message header from the expected period for the periodic message header, and to generate an alert indicating the detected temporal anomaly. The electronic device may be further programmed to maintain a state machine for a vehicle (or other platform) including the CAN bus and perform state-aware anomaly detection.
  Type: Grant
  Filed: July 22, 2020
  Date of Patent: July 25, 2023
  Assignee: BATTELLE MEMORIAL INSTITUTE
  Inventors: Aaron McCanty, Jason Goodman, Douglas Thornton
- Patent number: 11711391
  Abstract: Described are a system, method, and computer program product for user network activity anomaly detection. The method includes receiving network resource data associated with network resource activity of a plurality of users and generating a plurality of layers of a multilayer graph from the network resource data. Each layer of the plurality of layers may include a plurality of nodes, which are associated with users, connected by a plurality of edges, which are representative of node interdependency. The method also includes generating a plurality of adjacency matrices from the plurality of layers and generating a merged single layer graph based on a weighted sum of the plurality of adjacency matrices. The method further includes generating anomaly scores for each node in the merged single layer graph and determining a set of anomalous users based on the anomaly scores.
  Type: Grant
  Filed: October 18, 2021
  Date of Patent: July 25, 2023
  Assignee: Visa International Service Association
  Inventors: Bo Dong, Yuhang Wu, Yu-San Lin, Michael Yeh, Hao Yang
- Patent number: 11711394
  Abstract: Briefly, systems and methods for managing Internet of Things (IoT) devices provide platforms featuring an architecture for user and device authentication as well as IoT system self-healing.
  Type: Grant
  Filed: May 31, 2021
  Date of Patent: July 25, 2023
  Inventor: Jack Wolosewicz
- Patent number: 11711384
  Abstract: A method and system for detecting illegitimate messages injected into legitimate messages of a bus, such as a Controller Area Network (CAN) bus, are provided. Legitimate messages are broadcasted over the bus with a period whereby the legitimate messages are periodic legitimate messages. A controller connected to the bus receives at a first time instant a first message from the bus and receives at a second time instant a second message from the bus. The controller compares a first difference in time between the second time instant and the first time instant with a limit. The limit is two-thirds of the period. An anomaly is detected when the first difference in time is less than the limit.
  Type: Grant
  Filed: August 27, 2018
  Date of Patent: July 25, 2023
  Assignee: Lear Corporation
  Inventors: William D. Hass, Lars Wolleschensky
- Patent number: 11704431
  Abstract: Cybersecurity and data categorization efficiency are enhanced by providing reliable statistics about the number and location of sensitive data of different categories in a specified environment. These data sensitivity statistics are computed while iteratively sampling a collection of blobs, files, or other stored items that hold data. The items may be divided into groups, e.g., containers or directories. Efficient sampling algorithms are described. Data sensitivity statistic gathering or updating based on the sampling activity ends when a specified threshold has been reached, e.g., a certain number of items have been sampled, a certain amount of data has been sampled, sampling has used a certain amount of computational resources, or the sensitivity statistics have stabilized to a certain extent.
  Type: Grant
  Filed: May 29, 2019
  Date of Patent: July 18, 2023
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Naama Kraus, Tamer Salman, Salam Bashir
- Patent number: 11704408
  Abstract: Techniques for threat scanning transplanted containers are described. A method of threat scanning transplanted containers may include generating a container map of running containers on a block storage volume mounted to a scanning instance of a threat scanning service, scanning the block storage volume by a scanning engine of the scanning instance, identifying at least one threat on the block storage volume, and identifying at least one container associated with the at least one threat using the container map.
  Type: Grant
  Filed: June 30, 2021
  Date of Patent: July 18, 2023
  Assignee: Amazon Technologies, Inc.
  Inventors: Mircea Ciubotariu, Muhammad Wasiq, Shane Anil Pereira
- Patent number: 11700268
  Abstract: Disclosed is a device for configuring and implementing network security for a connected network node, and for shifting the network security closer to the attack point of origin. In particular, the device may activate attack protections on different Multi-Access Edge Computing (“MEC”) devices that are physically located near or at the attack point of origin. The device may detect an attack signature based on one or more received data packets, and may provide a response with an extended header field, the attack signature, and/or other attack protection instructions. The responses may be passed to an address of a suspected attacker. MEC devices along the network path may detect and receive the responses, and implement attack protections in response. The responses may also be passed to a multicast or broadcast address that the MEC device may use to receive responses.
  Type: Grant
  Filed: June 3, 2021
  Date of Patent: July 11, 2023
  Assignee: Verizon Patent and Licensing Inc.
  Inventor: Tin Zaw
- Patent number: 11700276
  Abstract: Methods and systems for monitoring activity on a network. The systems may include a host computer executing a non-honeypot service. The host computer may also include a control module configured to enable or disable a honeypot service on the host computer in response to at least one of computational resource availability and configured tolerance for degraded service.
  Type: Grant
  Filed: September 28, 2020
  Date of Patent: July 11, 2023
  Assignee: Rapid7, Inc.
  Inventors: Roy Hodgman, Derek Abdine
- Patent number: 11698964
  Abstract: A system for detecting malware includes a processor to collect processor trace information corresponding to an application being executed by the processor (202). The processor can also detect an invalid indirect branch instruction from the processor trace information (204) and detect at least one malware instruction being executed by the application in response to analyzing modified memory values corresponding to the invalid indirect branch (206). Additionally, the processor can block the application from accessing or modifying memory (208).
  Type: Grant
  Filed: December 13, 2017
  Date of Patent: July 11, 2023
  Assignee: INTEL CORPORATION
  Inventors: Danyu Bi, Salmin Sultana, Yuanyuan Li, Yong Jiang, Pramod Pesara, Selvakumar Panneer, Ravi Sahita
- Patent number: 11700273
  Abstract: A packet-filtering device may receive packet-filtering rules configured to cause the packet-filtering device to identify packets corresponding to network-threat indicators. The packet-filtering device may receive packets and, for each packet, may determine that the packet corresponds to criteria specified by a packet-filtering rule. The criteria may correspond to one or more of the network-threat indicators. The packet-filtering device may apply an operator specified by the packet-filtering rule. The operator may be configured to cause the packet-filtering device to either prevent the packet from continuing toward its destination or allow the packet to continue toward its destination.
  Type: Grant
  Filed: April 16, 2021
  Date of Patent: July 11, 2023
  Assignee: Centripetal Networks, LLC
  Inventors: David K. Ahn, Keith A. George, Peter P. Geremia, Pierre Mallett, III, Sean Moore, Robert T. Perry, Jonathan R. Rogers
- Patent number: 11700233
  Abstract: A system and computer-implemented method to monitor network traffic for a protected network using a block of IP addresses including an IP address for a server. The method includes selecting one or more green addresses, each being a different IP address from the block of IP addresses, associating the green addresses with the IP address of the server, and receiving a packet of the internet traffic from a client directed to an IP address of the block of IP addresses prior to any performance of DPI on the packet. It is determined whether the destination address matches the one or more green addresses or is a yellow address (which belongs to the block of IP addresses, but is not a green address). When it is determined that the destination address matches the one or more green addresses, the packet is sent to the IP address associated with the matching green address, bypassing any DPI.
  Type: Grant
  Filed: June 4, 2019
  Date of Patent: July 11, 2023
  Assignee: Arbor Networks, Inc.
  Inventor: Brian St. Pierre
- Patent number: 11698961
  Abstract: A method, performed by one or more processors, including receiving a plurality of system event records; processing the plurality of system event records using a set of event detectors to determine that a suspicious system event has occurred; sending, to a client device, a plurality of properties associated with the suspicious system event; receiving, from the client device, a selection indicator indicating a selected one or more properties of the plurality of properties; generating one or more new event detectors based on the selected one or more properties; and adding the one or more new event detectors to the set of event detectors.
  Type: Grant
  Filed: August 23, 2019
  Date of Patent: July 11, 2023
  Assignee: Palantir Technologies Inc.
  Inventors: Andrew Eggleton, Elliot Colquhoun, Ranec Highet, Xiao Tang, Tareq Alkhatib, Raj Krishnan, Nik Seetharaman, Brandon Helms, Gautam Punukollu, Morten Kromann
- Patent number: 11695789
  Abstract: Techniques for detection of algorithmically generated domains based on a dictionary are disclosed. In some embodiments, a system, process, and/or computer program product for detection of algorithmically generated domains based on a dictionary includes receiving a DNS data stream, wherein the DNS data stream includes a DNS query and a DNS response for resolution of the DNS query; generating a graph based on the DNS data stream; and identifying a malicious dictionary based on the graph.
  Type: Grant
  Filed: March 30, 2021
  Date of Patent: July 4, 2023
  Assignee: Infoblox Inc.
  Inventors: Mayana Pereira, Vadym Tymchenko, Bin Yu
- Patent number: 11693958
  Abstract: A technique for anomaly detection is disclosed. Event data is converted into a normalized common information model. The resulting data may be stored in an event data store database. Additionally, the resulting data may be stored in a knowledge graph representation in a knowledge graph database. The knowledge graph database efficiently stores event data to generate histograms on demand for common anomaly queries.
  Type: Grant
  Filed: September 8, 2022
  Date of Patent: July 4, 2023
  Assignee: RADIANT SECURITY, INC.
  Inventor: Barry Steiman
- Patent number: 11693959
  Abstract: A system and method for generating event-specific handling instructions for accelerating a threat mitigation of a cybersecurity event includes identifying a cybersecurity event; generating a cybersecurity event digest based on the cybersecurity event, computing a cybersecurity hashing-based signature of the cybersecurity event based on the cybersecurity event digest; searching, based on the distinct cybersecurity hashing-based signature of the cybersecurity event, an n-dimensional space comprising a plurality of historical cybersecurity event hashing-based signatures; returning one or more historical cybersecurity events or historical cybersecurity alerts homogeneous to the cybersecurity event based on the search; deriving one or more cybersecurity event-specific handling actions for the cybersecurity event based on identifying a threat handling action corresponding to each of the one or more historical cybersecurity events or historical cybersecurity alerts homogeneous to the cybersecurity event; and executi
  Type: Grant
  Filed: November 23, 2022
  Date of Patent: July 4, 2023
  Assignee: Expel, Inc.
  Inventors: Peter Silberman, Dan Whalen, Matt Berninger, Paul Diebold, Ben Kawecki
- Patent number: 11689558
  Abstract: An attack path detection method, attack path detection system and non-transitory computer-readable medium are provided in this disclosure. The attack path detection method includes the following operations: establishing a connecting relationship among a plurality of hosts according to a host log set to generate a host association graph; labeling at least one host with an abnormal condition on the host association graph; calculating a risk value corresponding to each of the plurality of hosts; in a host without the abnormal condition, determining whether the risk value corresponding to the host without the abnormal condition is greater than a first threshold, and utilizing a host with the risk value greater than the first threshold as a high-risk host; and searching at least one host attack path from the high-risk host and the at least one host with the abnormal condition according to the connecting relationship of the host association graph.
  Type: Grant
  Filed: September 30, 2019
  Date of Patent: June 27, 2023
  Assignee: INSTITUTE FOR INFORMATION INDUSTRY
  Inventors: Meng-Hsuan Chung, Chieh Lee, Hsiao-Hsien Chang
- Patent number: 11689568
  Abstract: In several aspects of the present invention, a processor receives, from a rule-based intrusion detection system, an intercepted request sent by a hacker. A processor analyzes the intercepted request to determine, in part, a type of service and a type of hacker. A processor builds a first layer of a honeypot maze based on the analyzed intercepted request. A processor simulates the first layer of the honeypot maze to the hacker. A processor iteratively builds additional layers of the honeypot maze based on additional intercepted requests from the hacker.
  Type: Grant
  Filed: May 8, 2020
  Date of Patent: June 27, 2023
  Assignee: International Business Machines Corporation
  Inventors: Francesco Maria Carteri, Roberto Ragusa
- Patent number: 11687650
  Abstract: A method and system for a deployment of deceptive decoy elements in a computerized environment to identify data leakage processes invoked by suspicious entities are presented. The method includes generating at least one deceptive decoy element; and deploying the generated at least one deceptive decoy element in a folder in a file system of the computerized environment, wherein the deployment is based on a sensitivity level of the folder, wherein the at least one deceptive decoy element is configured to provide an indication of unauthorized access upon an attempt by an unauthorized entity to access the folder.
  Type: Grant
  Filed: May 4, 2021
  Date of Patent: June 27, 2023
  Assignee: ITSMINE LTD.
  Inventors: Kfir Kimhi, Ran Norman, Guy Ben Mayor
- Patent number: 11689550
  Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to analyze network traffic for malicious activity. An example apparatus includes a graph generator to, in response to obtaining one or more internet protocol addresses included within input data, generate a graph data structure based on one or more features of the one or more internet protocol addresses in the input data, a file generator to generate a first matrix using the graph data structure, the first matrix to represent nodes in the graph data structure and generate a second matrix using the graph data structure, the second matrix to represent edges in the graph data structure, and a classifier to, using the first matrix and the second matrix, classify at least one of the one or more internet protocol addresses to identify a reputation of the at least one of the one or more internet protocol addresses.
  Type: Grant
  Filed: March 13, 2020
  Date of Patent: June 27, 2023
  Assignee: MCAFEE, LLC
  Inventors: Yonghong Huang, Armando Rodriguez, Adam Wosotowsky, John Wagener, Joanna Negrete, Eric Peterson, Celeste Fralick
- Patent number: 11687659
  Abstract: A computer-implemented method, computer program product and computing system for: obtaining hardware performance information concerning hardware deployed within a computing platform; obtaining platform performance information concerning the operation of the computing platform; obtaining application performance information concerning one or more applications deployed within the computing platform; and generating a holistic platform report concerning the computing platform based, at least in part, upon the hardware performance information, the platform performance information and the application performance information.
  Type: Grant
  Filed: June 24, 2022
  Date of Patent: June 27, 2023
  Assignee: ReliaQuest Holdings, LLC
  Inventors: Brian P. Murphy, Joe Partlow, Colin O'Connor, Jason Pfeiffer
- Patent number: 11681800
  Abstract: A system for conducting a security recognition task, the system comprising a memory configured to store a model and training data including auxiliary information that will not be available as input to the model when the model is used as a security recognition task model for the security recognition task. The system further comprises one or more processors communicably linked to the memory and comprising a training unit and a prediction unit. The training unit is configured to receive the training data and the model from the memory and subsequently provide the training data to the model, and train the model, as the security recognition task model, using the training data to predict the auxiliary information as well as perform the security recognition task, thereby improving performance of the security recognition task. The prediction unit is configured to use the security recognition task model output to perform the security recognition task while ignoring the auxiliary attributes in the model output.
  Type: Grant
  Filed: August 13, 2021
  Date of Patent: June 20, 2023
  Assignee: Sophos Limited
  Inventors: Richard Edward Harang, Ethan McAvoy Rudd, Konstantin Berlin, Cody Marie Wild, Felipe Nicolás Ducau
- Patent number: 11681802
  Abstract: This disclosure and the exemplary embodiments described herein provide methods and systems for detecting a ransomware infection in one or more files. According to an exemplary embodiment, a low frequency encryption analysis and a high frequency encryption analysis of a plurality of received files is performed to determine if one or more of the files are encrypted. If a file is encrypted, a watcher is utilized to monitor file events associated with the files for determining if one or more of the files are infected with ransomware.
  Type: Grant
  Filed: April 23, 2021
  Date of Patent: June 20, 2023
  Assignee: DATTO, INC.
  Inventor: Kurt Hansen
- Patent number: 11683326
  Abstract: A method and system for detecting and preventing Internet fraud in online transactions by utilizing and analyzing a number of parameters to uniquely identify a computer user and potential fraudulent transaction through predictive modeling. The method and system uses a delta of time between the clock of the computer used by the actual fraudulent user or the potentially fraudulent user and the clock of the server computer, in conjunction with personal information and/or non-personal information, preferably the Browser ID.
  Type: Grant
  Filed: March 22, 2021
  Date of Patent: June 20, 2023
  Assignee: The 41st Parameter, Inc.
  Inventor: Ori Eisen
- Patent number: 11681549
  Abstract: In an example embodiment, a new solution is provided for an in-memory database provided in a cloud as a service that enables “job cross running” instead of “parallel job running.” Specifically, job scripts are clustered based on a shared service. A primary job script in the cluster is compiled and executed, but secondary job scripts in the cluster are not compiled until after the execution of the primary job script has begun. A mock library is inserted into each of the secondary job scripts to cause service calls for the shared service in the secondary job scripts to be replaced with mock service calls. The secondary job scripts are then scheduled and executed, and upon completion the primary job script is permitted to delete the shared service.
  Type: Grant
  Filed: April 28, 2022
  Date of Patent: June 20, 2023
  Assignee: SAP SE
  Inventors: Long Du, Le Zhang, Yu Wang
- Patent number: 11677777
  Abstract: Situational awareness and perimeter protection orchestration determines when network attacks are occurring, or predicts their occurrence, and provides tools and services to mitigate the attacks. The attacks can be denial of service attacks or distributed denial of service attacks or other types of attacks designed to disable and degrade a network. The dashboard can collect intelligence on what is happening on the network, and also streams of information from third parties that can be used to predict imminent network attacks. The dashboard can also determine what tools and services are available to the network operator in order to counteract the attacks.
  Type: Grant
  Filed: September 13, 2019
  Date of Patent: June 13, 2023
  Assignee: Wells Fargo Bank, N.A.
  Inventors: Peter A. Makohon, Robert I. Kirby, Christopher Houser, Lawrence T. Belton, Jr., Terrence W. Gareau
- Patent number: 11677768
  Abstract: Various embodiments of the present disclosure are directed to automatic improved network architecture generation. In this regard, embodiments may process data representing a network architecture to generate an improved network architecture that resolves one or more vulnerabilities associated with the network architecture.
  Type: Grant
  Filed: October 22, 2019
  Date of Patent: June 13, 2023
  Assignee: Honeywell International Inc.
  Inventors: Tarun Gupta, Anusha Challa, Chetan Siddapura Kallappa
- Patent number: 11677765
  Abstract: Provided herein are identification of a distributed denial of service attack and automatic implementation of preventive measures to halt the distributed denial of service attack. At substantially the same time as the attack, valid users/customers (e.g., devices) are provided quality of service and continued access to a website experiencing the distributed denial of service attack. Further, service to temporary or unknown users (e.g., devices) with public access to the website is suspended during the duration of the distributed denial of service attack.
  Type: Grant
  Filed: October 18, 2021
  Date of Patent: June 13, 2023
  Assignee: Wells Fargo Bank, N.A.
  Inventors: Ramanathan Ramanathan, Ajay K. Rentala, Rama Rao Yadlapalli, Vamsi K. Geda, Rameshchandra Bhaskar Ketharaju
- Patent number: 11677763
  Abstract: Methods, computer-readable media, software, and apparatuses may assist in proactively warning a consumer they are a victim or possible target of a cyber-attack or cyber-threat. To discover whether a consumer may be a victim, the methods, computer-readable media, software, and apparatuses will monitor the Surface Web, Deep Web, and Dark Web for potential cyber-threats and cyber-attacks. If one is discovered, the methods, computer-readable media, software, and apparatuses will determine the criteria of victims targeted in the cyber-attack and compare those criteria with consumer profiles. If a consumer profile matches the criteria, the methods, computer-readable media, software, and apparatuses will notify the consumer of the threat.
  Type: Grant
  Filed: January 14, 2021
  Date of Patent: June 13, 2023
  Assignee: ALLSTATE INSURANCE COMPANY
  Inventors: Jason D. Park, John S. Parkinson
- Patent number: 11669779
  Abstract: Systems and methods include receiving a content item between a user device and a location on the Internet or an enterprise network; utilizing a trained machine learning ensemble model to determine whether the content item is malicious; responsive to the trained machine learning ensemble model determining the content item is malicious or determining the content item is benign but such determining is in a blind spot of the trained ensemble model, performing further processing on the content item; and, responsive to the trained machine learning ensemble model determining the content item is benign with such determination not in a blind spot of the trained machine learning ensemble model, allowing the content item. A blind spot is a location where the trained machine learning ensemble model has not seen any examples with a combination of features at the location or has examples with conflicting labels.
  Type: Grant
  Filed: April 5, 2019
  Date of Patent: June 6, 2023
  Assignee: Zscaler, Inc.
  Inventors: Dianhuan Lin, Rex Shang, Changsha Ma, Kevin Guo, Howie Xu
- Patent number: 11671343
  Abstract: Techniques are disclosed relating to data discovery. A control program that is executing on a computer system may receive a request to locate instances of data on a computer network having a plurality of computer systems that are managed by an orchestration program. The control program may perform multiple, limited-time-period deployments of a sniffer program to different portions of the computer network in order to sample network traffic from the different portions to determine whether instances of the data appear in the network traffic. The control program may receive, from the sniffer program, information that identifies one or more of the different portions of the computer network whose network traffic included instances of the data.
  Type: Grant
  Filed: February 25, 2021
  Date of Patent: June 6, 2023
  Assignee: Helios Data Inc.
  Inventors: Yi Sun, Fei Zou
- Patent number: 11663333
  Abstract: An exemplary method includes: obtaining, at one or more cloud servers, endpoint data of an endpoint computing device; based on the endpoint data, determining, by the one or more cloud servers, a plurality of script-language rules, wherein: each of the plurality of script-language rules corresponds to an atomic operation of detecting and/or removing at least one rootkit, the at least one rootkit comprises a target rootkit, and the plurality of script-language rules comprise a set of one or more rootkit rules corresponding to the target rootkit; and transmitting, by the one or more cloud servers to the endpoint computing device, the plurality of script-language rules, wherein the set of rootkit rules is executable at the endpoint computing device to detect and/or remove the target rootkit by, for each of the set of rootkit rules, executing a corresponding atomic operation.
  Type: Grant
  Filed: August 11, 2020
  Date of Patent: May 30, 2023
  Assignee: Beijing DiDi Infinity Technology and Development Co., Ltd.
  Inventor: Yu Wang
- Patent number: 11665179
  Abstract: A threat detection method includes: obtaining packets in a Transmission Control Protocol (TCP) session between a first device and a second device; obtaining a first data flow transmitted from the first device and a second data flow transmitted from the second device in the TCP session; obtaining time information of each of a plurality of first packets in the first data flow and time information of each of a plurality of second packets in the second data flow; calculating an activation rate, a response rate, and a quantity of interactions based on the time information; and if the activation rate is greater than or equal to a first threshold, the response rate is greater than or equal to a second threshold, and the quantity of interactions is greater than or equal to a third threshold, determining that the first device is threatened.
  Type: Grant
  Filed: September 3, 2019
  Date of Patent: May 30, 2023
  Assignee: HUAWEI TECHNOLOGIES CO., LTD.
  Inventor: Wenhui Xie
- Patent number: 11663334
  Abstract: Systems and methods for data augmentation used in training an anti-malware (AM) machine learning model are provided herein. In some embodiments, a method for data augmentation may include receiving a first plurality of binary files each having a first binary structure, wherein the first plurality of binary files include one or more known malicious and benign files; modifying the binary structure of each of the first plurality of binary files to produce a second plurality of binary files each having a second binary structure that is different from the first binary structure; using the first and second plurality of binary files to train an AM machine learning model as to which files are malicious and which files are benign; and using the trained AM machine learning model to identify new malicious files.
  Type: Grant
  Filed: April 25, 2022
  Date of Patent: May 30, 2023
  Assignee: UAB 360 IT
  Inventors: Mantas Briliauskas, Aleksandr Ševčenko
- Patent number: 11658995
  Abstract: Methods, non-transitory computer readable media, network traffic management apparatuses, and network traffic management systems that identify when a domain name identifier in a received request matches one of a plurality of domain names stored in a whitelist domain name storage. When the identification indicates the received domain name identifier fails to match one of the plurality of domain names stored in the whitelist domain name storage, then a determination is made on whether the received request is a suspicious request. Another storage is updated when the determination indicates the received request is the suspicious request or otherwise updating the received request as a valid request.
  Type: Grant
  Filed: March 20, 2019
  Date of Patent: May 23, 2023
  Assignee: F5, Inc.
  Inventors: Judge Kennedy Singh Arora, Sandeep Agarwal, Nitesh Soni, Ravneet S. Dhaliwal
- Patent number: 11657149
  Abstract: Examples of the present disclosure describe systems and methods for a behavioral threat detection virtual machine. In examples, the virtual machine executes a rule comprising rule instructions. A rule may comprise one or more wait rule instructions that causes the virtual machine to pause execution. As events are added to an event queue for the rule virtual machine, the behavioral threat detection virtual machine evaluates such events in order to identify a positive or, in some instances, a negative match. When a matching event is identified, rule execution resumes. Eventually, a determination is made as a result of processing events and wait packets, thereby indicating the presence or absence of a malicious or potentially malicious behavior, among other examples. Thus, among other things, the behavioral threat detection virtual machine maintains a state associated with rule execution and processes events to identify behaviors accordingly.
  Type: Grant
  Filed: June 11, 2021
  Date of Patent: May 23, 2023
  Assignee: WEBROOT INC.
  Inventors: Eric Klonowski, Fred Krenson
- Patent number: 11659000
  Abstract: Mechanisms, which can include systems, methods, and media, for protecting network devices from malicious rich text format (RTF) files are provided, the mechanisms comprising: intercepting an RTF file destined for a network device; parsing the RTF file to identify a plurality of objects in the RTF file; checking a first object of the plurality of objects for a first heuristic; based upon an outcome of the checking of the first object for the first heuristic, increasing a cumulative weight by a first weight value; comparing the cumulative weight against at least one threshold to classify the RTF file; and based on the classification of the RTF file, taking a protective action on the RTF file.
  Type: Grant
  Filed: November 20, 2020
  Date of Patent: May 23, 2023
  Assignee: McAfee, LLC
  Inventor: Chintan Shah
-
Patent number: 11657152
Abstract: A security engine may use event-stream processing and behavioral techniques to detect ransomware. The engine may detect process behavior associated with encrypting a file, encrypting a storage device, or disabling a backup file, and may assign a ransomware category to the process based thereon. The engine may initiate protection actions to protect system resources from the process, which may continue to execute. The engine may monitor the process for specific behavior corresponding to its ransomware category. Based on the extent to which such specific behavior is detected, the engine may determine that the process is not ransomware, assign a ransomware subcategory to the process, or adjust the process's threat score. Monitoring of the process may continue, and the threat score may be updated based on the process's behavior. If the threat score exceeds a threshold corresponding to the ransomware category (or subcategory), a corresponding policy action may be initiated.
Type: Grant
Filed: April 16, 2021
Date of Patent: May 23, 2023
Assignee: VMWare, Inc.
Inventors: Jeffrey Albin Kraemer, Adam Karol Malinowski
-
Patent number: 11658993
Abstract: Described embodiments provide systems and methods for traffic inspection via embedded browsers. An application inspector module of an embedded browser executable on a client may intercept network traffic for an application. The network traffic may include packets exchanged between the application and the server via a channel. The application inspector module may identify a computing resource usage on the client in providing a user with access to the application via the embedded browser. The application inspector module may generate analytics data based on the intercepted network traffic and the computing resource usage. The application inspector module may maintain a user behavior profile based on the analytics data. The application inspector module may determine that a portion of the network traffic directed to the remote server contains sensitive information. Responsive to the determination, the application inspector module may block or remove the portion of the network traffic.
Type: Grant
Filed: January 10, 2022
Date of Patent: May 23, 2023
Inventors: Alexandr Smelov, Christopher Fleck
-
Patent number: 11658999
Abstract: A cybersecurity system and method for handling a cybersecurity event includes identifying a cybersecurity alert; selectively initializing automated threat intelligence workflows based on computing a cybersecurity alert type, wherein the automated threat intelligence workflows include a plurality of automated investigative tasks that, when executed by one or more computers, derive cybersecurity alert intelligence data; and executing the plurality of automated investigative tasks includes automatically sourcing a corpus of investigative data; deriving the cybersecurity alert intelligence data based on extracting selective pieces of data from the corpus of investigative data, wherein the cybersecurity alert intelligence data informs an inference of a cybersecurity alert severity of the cybersecurity alert; and automatically routing the cybersecurity alert to one of a plurality of distinct threat mitigation or threat disposal routes based on the cybersecurity alert severity of the cybersecurity alert.
Type: Grant
Filed: February 15, 2022
Date of Patent: May 23, 2023
Assignee: Expel, Inc.
Inventors: Matt Peters, Peter Silberman, Dan Whalen, Elisabeth Weber, Jon Hencinski, John Begeman
-
Patent number: 11657317
Abstract: Under one aspect, a computer-implemented method includes receiving a query at a query interface about whether a computer file comprises malicious code. It is determined, using at least one machine learning sub model corresponding to a type of the computer file, whether the computer file comprises malicious code. Data characterizing the determination are provided to the query interface. Generating the sub model includes receiving computer files at a collection interface. Multiple sub populations of the computer files are generated based on respective types of the computer files, and random training and testing sets are generated from each of the sub populations. At least one sub model for each random training set is generated.
Type: Grant
Filed: October 20, 2017
Date of Patent: May 23, 2023
Assignee: Cylance Inc.
Inventors: Ryan Permeh, Stuart McClure, Matthew Wolff, Gary Golomb, Derek A. Soeder, Seagen Levites, Michael O'Dea, Gabriel Acevedo, Glenn Chisholm
-
Patent number: 11659396
Abstract: The disclosed technology includes a method and system for preventing or reducing cyber-attacks in telecommunications networks, such as 5G networks. For example, a first node in a 5G network can detect that a first connected device is at risk of a cyber-attack based on one or more conditions and can broadcast to a plurality of nodes in the RAN that the first connected device is at risk of the cyber-attack. The first node can receive a first message from a second node of the plurality of nodes confirming or acknowledging that the first connected device is at risk of the cyber-attack. In response to receiving the first message from the second node confirming or acknowledging that the first connected device is at risk of the cyber-attack, the system can deauthorize the first connected device.
Type: Grant
Filed: November 18, 2022
Date of Patent: May 23, 2023
Assignee: T-Mobile USA, Inc.
Inventors: Venson Shaw, Sunil Lingayat
-
Patent number: 11651070
Abstract: Provided are a computer program product, system, and method for detecting a security breach in a system managing access to a storage. Process Input/Output (I/O) activity by a process accessing data in a storage is monitored. A determination is made of a characteristic of the data subject to the I/O activity from the process. A determination is made as to whether a characteristic of the process I/O activity as compared to the characteristic of the data satisfies a condition. The process initiating the I/O activity is characterized as a suspicious process in response to determining that the condition is satisfied. A security breach is indicated in response to characterizing the process as the suspicious process.
Type: Grant
Filed: September 17, 2021
Date of Patent: May 16, 2023
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Matthew G. Borlick, Lokesh M. Gupta
-
Patent number: 11652714
Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Two or more network segments coupled by a traffic forwarding device (TFD) may be monitored. External network addresses and internal network addresses may be determined based on encrypted network traffic exchanged between external endpoints and the TFD and internal network traffic exchanged between internal endpoints and the TFD. Metrics associated with the external network addresses or the internal network addresses may be determined based on the monitoring. Correlation scores may be provided for the external network addresses and the internal network addresses based on a correlation model, the metrics, or the other metrics. If a correlation score associated with an external network address and an internal network address exceeds a threshold value, the external network address and the internal network address may be associated with each other based on the correlation score.
Type: Grant
Filed: July 11, 2022
Date of Patent: May 16, 2023
Assignee: ExtraHop Networks, Inc.
Inventors: Xue Jun Wu, Arindum Mukerji, Jeff James Costlow, Michael Kerber Krause Montague, Jesse Abraham Rothstein, Matthew Alexander Schurr
-
Patent number: 11652833
Abstract: An indication of a security alert and a context for the security alert is received. The context includes one or more entities related to the context and a timestamp for the security alert. Data sources for the one or more entities are searched during a time window around the timestamp. One or more anomaly detection models are executed to identify anomalies that are related to the security alert based on the context. Identified anomalies for investigation of the security alert are output.
Type: Grant
Filed: July 24, 2020
Date of Patent: May 16, 2023
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Hani Hana Neuvirth, Dawn A. Burns, Andrey Karpovsky, Yotam Livny
-
Patent number: 11651072
Abstract: A system for identifying missing organizational security detection system rules, the system includes at least one processing circuitry configured to: provide a known cyber-attack techniques repository including information of known cyber-attack techniques and required SIEM (or any other organizational security detection system such as EDR, firewall, etc.) rules required for protecting against each of the known cyber-attack techniques, the known rules being in a generic SIEM rules format; obtain existing SIEM rules of a SIEM of an organization, the existing SIEM rules being in a vendor-specific language, other than the generic SIEM rules format; translate the existing SIEM rules to the generic SIEM rules format, using a translation system, giving rise to translated SIEM rules; and compare the translated SIEM rules to the required SIEM rules to identify missing rules, being the required SIEM rules not included in the translated SIEM rules.
Type: Grant
Filed: February 23, 2021
Date of Patent: May 16, 2023
Assignee: CyberProof Israel Ltd.
Inventors: Eran Alshech, Adam Amram
-
Patent number: 11647034
Abstract: Enriched access data supports anomaly detection to enhance network cybersecurity. Network access data is enriched using service nodes representing resource provision and other services, with geolocation nodes representing grouped access origins, and access values representing access legitimacy confidence. Data enrichment provides a trained model by mapping IP addresses to geolocations, building a bipartite access graph whose inter-node links indicate aspects of accesses from geolocations to services, and generating semantic vectors from the graph. Vector generation may include collaborative filtering, autoencoding, neural net embedding, and other machine learning tools and techniques. Anomaly detection systems then calculate service-geolocation or geolocation-geolocation vector distances with anomaly candidate vectors and the model's graph-based vectors, and treat distances past a threshold as anomaly indicators.
Type: Grant
Filed: September 12, 2020
Date of Patent: May 9, 2023
Assignee: Microsoft Technology Licensing, LLC
Inventors: Roy Levin, Andrey Karpovsky
-
Patent number: 11647355
Abstract: Implementations described and claimed herein provide systems and methods for correlating one or more service areas of a network with one or more geolocation coordinates to determine available services for customers to the network. A service polygon may be generated that defines an area in which a particular service offered by a communications network is available. The boundaries of the service polygons may be adjusted based on information corresponding to physical features of the initial area. The service polygons may aid a communications network in providing a list of available services to potential customers or devices connected to the network by determining one or more geolocation coordinate values of a potential connection site and comparing the values to the service polygons. A network management system may determine the available services, current or in the future, to offer such services to a customer to the network.
Type: Grant
Filed: March 18, 2022
Date of Patent: May 9, 2023
Assignee: Level 3 Communications, LLC
Inventors: Shawn Draper, Vamsi Kaza, Jerry Matthews, William Gray
-
Patent number: 11645427
Abstract: A system includes a device including one or more sensors that generate one or more signals used to detect whether an unauthorized activity has occurred at the device. The device is configured to transmit the one or more signals generated by the one or more sensors. A central monitoring device is configured to receive the one or more signals and compare the one or more signals with a baseline signal for the device. The baseline signal includes an expected signal for each of the one or more sensors when the unauthorized activity has not occurred. The monitoring device determines whether the unauthorized activity has occurred based on a result of the comparison.
Type: Grant
Filed: November 29, 2020
Date of Patent: May 9, 2023
Assignee: Bank of America Corporation
Inventors: Michael R. Young, Daniel J August, Tomas M. Castrejon, III, Richard Martin Seymour Scot, Neal Aaron Slensker
-
Patent number: 11647029
Abstract: A method of probing and responding to a security breach in a computer network security system includes defining first and second rules and defining a model to output a probability that a security breach has occurred based on an input and to generate commands. Data is collected at first nodes according to the first rules and a first portion of the collected data is selected and sent from the first nodes to a second node. The selected first portion is input into the model to obtain an output probability that a security breach has occurred and the following steps are performed: determining signs of a security breach, generating a first command with the model to cause a second portion of the collected data to be selected, and generating a second command with the model to cause a change in settings at one or more of the first nodes.
Type: Grant
Filed: December 7, 2018
Date of Patent: May 9, 2023
Assignee: Withsecure Corporation
Inventors: Paolo Palumbo, Dmitry Komashinskiy, Szymon Grzybowski