Patents Assigned to CYBEREASON
-
Publication number: 20200099600Abstract: A method of monitoring and reporting of packets including their attribution to their origin processes from a user space application without installing proprietary drivers, rather using only infrastructures and capabilities supplied by the operating system (OS). The method relies on correlation between packets received from a packet capture library and a kernel monitoring mechanism that supplies an event with the process ID which is executed on the same time frame for transmitting or receiving of that traffic. The attribution between the event and the packet is based on the 4-tuple (or other exemplar) that exists on both the event and the packet where the “4-tuple” is a set of: source address, source port, destination address, destination port.Type: ApplicationFiled: September 23, 2019Publication date: March 26, 2020Applicant: Cybereason, Inc.Inventor: Gal Kaplan
-
Publication number: 20200099715Abstract: A method of generating a baseline of expected behavior on a single machine or endpoint to accurately fingerprint the native behavior of the NTLM protocol on that particular endpoint in a network. By limiting the scope of a baseline to a single endpoint, the scope of the baseline can consist of expected behavior (including supported hash functions, version strings and various feature flags). Deviations from these behaviors are considered evidence of a redundant implementation of NTLM utilized by an attacker and thus as evidence of an attempted PTH attack. Using this method it is possible to accurately detect PTH attacks originating from all publicly known non-standard implementations of NTLM existing in tools such as Impacket, Metasploit, and Invoke-TheHash.Type: ApplicationFiled: September 23, 2019Publication date: March 26, 2020Applicant: Cybereason, Inc.Inventor: Phillip Tsukerman
-
Patent number: 10503897Abstract: Techniques of operating a computer involve providing controls to an OS that monitor a rate at which commands in an operating system are performed. Along these lines, ransomware performs the OS commands it needs to control access to data files on a computer by performing those commands rapidly. In many cases, such rapid sequences of commands, e.g., read-copy-encrypt-delete, are performed much more rapidly than would be done by a typical user. Accordingly, the OS is then provided the capacity to monitor, e.g., a number of specified command sequences (e.g., read-copy-encrypt-delete) within some specified period of time (e.g., a minute, 5 minutes, an hour, or greater or less). If the number is greater than some threshold number, then the computer may take a remedial action such as issuing an alert to the user and/or limiting the rate at which the commands may be performed.Type: GrantFiled: July 13, 2017Date of Patent: December 10, 2019Assignee: CYBEREASONInventor: Yonatan Striem-Amit
-
Patent number: 10484422Abstract: A method, computer program product, system and apparatus for the prevention of RGA and DGA malware over an existing internet service is disclosed. The invention exploits the fact that when malware rapidly attempts to access many contact points, a malware is likely to need several attempts to find a current server. Software is installed on the individual endpoints in a network of internet services. The software monitors the websites or services and collects information about access attempts. The invention detects a series of failed attempts by the malware to access the service/website. These attempts can be accrued by being temporally linked (e.g., many attempts in a short time, many attempts consecutively), conceptually linked (e.g., similar addresses, similar attempts across multiple machines or time scales), higher than normal prevalence or other methods. The invention provides an indication of a malware attempt if enough failed attempts have accrued.Type: GrantFiled: October 18, 2016Date of Patent: November 19, 2019Assignee: Cybereason, Inc.Inventors: Uri Sternfeld, Yonatan Striem-Amit
-
Patent number: 10417414Abstract: A method, computer program product, and apparatus for performing baseline calculations for firewalling in a computer network is disclosed. The method involves defining a reference group for an executed software program, measuring signals in the reference group, measuring signals of the program, computing a distance between the signals of the program and the signals of the reference group, and taking an action if the computed distance deviates from a norm mode. The distance can be computed using a similarity matrix or other method. Measuring the program comprises observing behaviors of the program, collecting and analyzing data, comparing the data to baselines of the reference group, and comparing the behaviors of the program across a previous execution of the program. In cases where a program is known to be malicious, a reference group is not needed and a sandbox can be tailored just by copying the environment of the actual system.Type: GrantFiled: December 21, 2016Date of Patent: September 17, 2019Assignee: CYBEREASON, INC.Inventor: Yonatan Striem-Amit
-
Patent number: 10055579Abstract: A method, computer program product, and apparatus for implementing a distributed sandbox is disclosed. The method comprises discovering a machine with sufficient resources to run a virtual machine for a process, starting the process in a virtual machine on the discovered machine, if the virtual machine terminates, discovering another machine with sufficient resources to run a virtual machine for a process, and deciding if the process is benign when the virtual machine is finished. Control of the distributed sandbox is done by utilizing a broadcast network.Type: GrantFiled: December 30, 2016Date of Patent: August 21, 2018Assignee: Cybereason, Inc.Inventor: Yonatan Striem-Amit
-
Patent number: 10043010Abstract: Techniques of protecting computers from malware involve migrating processes running applications from a first sandbox to a second sandbox. Along these lines, when a computer being protected from malware receives application code over a network, the computer generates a set of processes that runs the application code on a first machine acting as a sandbox. After the set of processes produce a first output on the first machine, the computer migrates the set of processes to a second machine acting as another sandbox. After the set of processes produces a second output on the second machine, the computer grants or denies access to the application code based the second output. Because migration can occur over the entire lifecycle of an application and migration is difficult to detect, migrating processes running malware makes it more difficult for the malware to evade detection.Type: GrantFiled: December 30, 2016Date of Patent: August 7, 2018Assignee: CYBEREASONInventor: Yonatan Striem-Amit
-
Patent number: 9832214Abstract: A method and apparatus for classifying and combining computer attack information identifying as malicious events, events in a network that cause organizationally or functionally distant entities to become closer to each other, the method comprising identifying as malicious events, events in a network that cause organizationally or functionally distant entities to become closer to each other.Type: GrantFiled: August 8, 2016Date of Patent: November 28, 2017Assignee: Cybereason Inc.Inventors: Yonatan Striem Amit, Elan Pavlov
-
Patent number: 9679131Abstract: A method and apparatus for intrusion detection, the method comprising: receiving a description of a computerized system, the description comprising two or more entities, one or more attribute for each entity and one or more statistical rule related to relationship between the entities; receiving data related to activity of the computerized system, the data comprising two or more events; grouping the events into two or more groups associated with the entities; comparing the groups in accordance with the statistical rule, to identify a group not complying with any of the statistical rules.Type: GrantFiled: March 14, 2013Date of Patent: June 13, 2017Assignee: Cybereason Inc.Inventor: Yonatan Striem Amit
-
Patent number: 9635040Abstract: A computer-implemented method and apparatus for identifying attacks, comprising: receiving information related to a computerized network, the information comprising description of the network and events occurring within the network; processing the events, comprising determining whether additional data is required; responsive to determining that additional information is required, collecting the additional information and processing the additional information; and providing attack information based on the information and on the additional information, wherein the additional information is more resource consuming to obtain or process than the information.Type: GrantFiled: March 14, 2013Date of Patent: April 25, 2017Assignee: Cybereason Inc.Inventor: Yonatan Striem Amit
-
Patent number: 9413773Abstract: A method and apparatus for classifying and combining computer attack information identifying as malicious events, events in a network that cause organizationally or functionally distant entities to become closer to each other, the method comprising identifying as malicious events, events in a network that cause organizationally or functionally distant entities to become closer to each other.Type: GrantFiled: March 14, 2013Date of Patent: August 9, 2016Assignee: Cybereason Inc.Inventors: Yonatan Striem Amit, Elan Pavlov
-
Publication number: 20140283026Abstract: A method and apparatus for classifying and combining computer attack information identifying as malicious events, events in a network that cause organizationally or functionally distant entities to become closer to each other, the method comprising identifying as malicious events, events in a network that cause organizationally or functionally distant entities to become closer to each other.Type: ApplicationFiled: March 14, 2013Publication date: September 18, 2014Applicant: CYBEREASON INCInventors: Yonatan Striem Amit, Elan Pavlov
-
Publication number: 20140283050Abstract: A computer-implemented method and apparatus for identifying attacks, comprising: receiving information related to a computerized network, the information comprising description of the network and events occurring within the network; processing the events, comprising determining whether additional data is required; responsive to determining that additional information is required, collecting the additional information and processing the additional information; and providing attack information based on the information and on the additional information, wherein the additional information is more resource consuming to obtain or process than the information.Type: ApplicationFiled: March 14, 2013Publication date: September 18, 2014Applicant: CYBEREASON INCInventor: Yonatan Striem Amit
-
Publication number: 20140215618Abstract: A method and apparatus for intrusion detection, the method comprising: receiving a description of a computerized system, the description comprising two or more entities, one or more attribute for each entity and one or more statistical rule related to relationship between the entities; receiving data related to activity of the computerized system, the data comprising two or more events; grouping the events into two or more groups associated with the entities; comparing the groups in accordance with the statistical rule, to identify a group not complying with any of the statistical rules.Type: ApplicationFiled: March 14, 2013Publication date: July 31, 2014Applicant: CYBEREASON INCInventor: Yonatan Striem Amit