Patents by Inventor Alex Lisle
Alex Lisle has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 11693962
  Abstract: Techniques are disclosed relating to malware clustering based on function call graph similarity. In some embodiments, a computer system may access information corresponding to a plurality of malware samples and, based on the information, generate a function call graph for each of the malware samples. In some embodiments, generating the function call graph for a given malware sample includes identifying a plurality of function calls included in the information, assigning a label to each of the function calls, identifying relationships between the function calls, and generating the function call graph based on the relationships and the labels. Based on the function call graphs, the computer system may assign each of the plurality of malware samples into one of a plurality of clusters of related malware samples.
  Type: Grant
  Filed: April 26, 2021
  Date of Patent: July 4, 2023
  Assignee: AlienVault, Inc.
  Inventors: Srivathsan Srinivasagopalan, Alex Lisle, Russell Spitler, Roger Thornton
- Patent number: 11586735
  Abstract: Techniques are disclosed relating to malware clustering based on execution-behavior reports. In some embodiments, a computer system may access malware information that includes a plurality of reports corresponding to a plurality of malware samples. In some embodiments, each of the malware reports specifies a set of features relating to execution behavior of a corresponding malware sample. The computer system may, in various embodiments, process the plurality of reports to generate a plurality of vectors that includes, for each of the malware samples, a corresponding vector indicative of the execution behavior of the corresponding malware sample. Based on the plurality of vectors, the computer system may generate similarity values indicative of a similarity between ones of the plurality of vectors. Further, based on the similarity values, the computer system may assign each of the plurality of malware samples to one of a plurality of clusters of related malware samples.
  Type: Grant
  Filed: April 19, 2021
  Date of Patent: February 21, 2023
  Assignee: AlienVault, Inc.
  Inventors: Srivathsan Srinivasagopalan, Alex Lisle, Russell Spitler, Roger Thornton
- Patent number: 11223519
  Abstract: Techniques are disclosed relating to storage of network event information for multiple tenants. In some embodiments, one or more host computer systems are configured to maintain a plurality of containers operable to isolate network event information of a plurality of tenants from others of the plurality of tenants. The plurality of containers includes a first container that includes a first database executable to store network event information for a first of the plurality of tenants, and a second container that includes a second database executable to store network event information for a second of the plurality of tenants. In some embodiments, a management computer system is configured to receive, from the first tenant, a request to access network event information of the first tenant and route the request to a host computer system maintaining the first container to cause the first database to service the request.
  Type: Grant
  Filed: April 26, 2021
  Date of Patent: January 11, 2022
  Assignee: AlienVault, Inc.
  Inventors: Alex Lisle, Roger Thornton, Russell Spitler, Jaime Blasco, Srivathsan Srinivasagopalan
- Publication number: 20210250223
  Abstract: Techniques are disclosed relating to storage of network event information for multiple tenants. In some embodiments, one or more host computer systems are configured to maintain a plurality of containers operable to isolate network event information of a plurality of tenants from others of the plurality of tenants. The plurality of containers includes a first container that includes a first database executable to store network event information for a first of the plurality of tenants, and a second container that includes a second database executable to store network event information for a second of the plurality of tenants. In some embodiments, a management computer system is configured to receive, from the first tenant, a request to access network event information of the first tenant and route the request to a host computer system maintaining the first container to cause the first database to service the request.
  Type: Application
  Filed: April 26, 2021
  Publication date: August 12, 2021
  Applicant: AlienVault, Inc.
  Inventors: Alex Lisle, Roger Thornton, Russell Spitler, Jaime Blasco, Srivathsan Srinivasagopalan
- Publication number: 20210248234
  Abstract: Techniques are disclosed relating to malware clustering based on function call graph similarity. In some embodiments, a computer system may access information corresponding to a plurality of malware samples and, based on the information, generate a function call graph for each of the malware samples. In some embodiments, generating the function call graph for a given malware sample includes identifying a plurality of function calls included in the information, assigning a label to each of the function calls, identifying relationships between the function calls, and generating the function call graph based on the relationships and the labels. Based on the function call graphs, the computer system may assign each of the plurality of malware samples into one of a plurality of clusters of related malware samples.
  Type: Application
  Filed: April 26, 2021
  Publication date: August 12, 2021
  Applicant: AlienVault, Inc.
  Inventors: Srivathsan Srinivasagopalan, Alex Lisle, Russell Spitler, Roger Thornton
- Publication number: 20210240829
  Abstract: Techniques are disclosed relating to malware clustering based on execution-behavior reports. In some embodiments, a computer system may access malware information that includes a plurality of reports corresponding to a plurality of malware samples. In some embodiments, each of the malware reports specifies a set of features relating to execution behavior of a corresponding malware sample. The computer system may, in various embodiments, process the plurality of reports to generate a plurality of vectors that includes, for each of the malware samples, a corresponding vector indicative of the execution behavior of the corresponding malware sample. Based on the plurality of vectors, the computer system may generate similarity values indicative of a similarity between ones of the plurality of vectors. Further, based on the similarity values, the computer system may assign each of the plurality of malware samples to one of a plurality of clusters of related malware samples.
  Type: Application
  Filed: April 19, 2021
  Publication date: August 5, 2021
  Applicant: AlienVault, Inc.
  Inventors: Srivathsan Srinivasagopalan, Alex Lisle, Russell Spitler, Roger Thornton
- Patent number: 10992519
  Abstract: Techniques are disclosed relating to storage of network event information for multiple tenants. In some embodiments, one or more host computer systems are configured to maintain a plurality of containers operable to isolate network event information of a plurality of tenants from others of the plurality of tenants. The plurality of containers includes a first container that includes a first database executable to store network event information for a first of the plurality of tenants, and a second container that includes a second database executable to store network event information for a second of the plurality of tenants. In some embodiments, a management computer system is configured to receive, from the first tenant, a request to access network event information of the first tenant and route the request to a host computer system maintaining the first container to cause the first database to service the request.
  Type: Grant
  Filed: March 26, 2018
  Date of Patent: April 27, 2021
  Assignee: Alien Vault, Inc.
  Inventors: Alex Lisle, Roger Thornton, Russell Spitler, Jaime Blasco, Srivathsan Srinivasagopalan
- Patent number: 10990674
  Abstract: Techniques are disclosed relating to malware clustering based on function call graph similarity. In some embodiments, a computer system may access information corresponding to a plurality of malware samples and, based on the information, generate a function call graph for each of the malware samples. In some embodiments, generating the function call graph for a given malware sample includes identifying a plurality of function calls included in the information, assigning a label to each of the function calls, identifying relationships between the function calls, and generating the function call graph based on the relationships and the labels. Based on the function call graphs, the computer system may assign each of the plurality of malware samples into one of a plurality of clusters of related malware samples.
  Type: Grant
  Filed: August 28, 2018
  Date of Patent: April 27, 2021
  Assignee: AlienVault, Inc.
  Inventors: Srivathsan Srinivasagopalan, Alex Lisle, Russell Spitler, Roger Thornton
- Patent number: 10984104
  Abstract: Techniques are disclosed relating to malware clustering based on execution-behavior reports. In some embodiments, a computer system may access malware information that includes a plurality of reports corresponding to a plurality of malware samples. In some embodiments, each of the malware reports specifies a set of features relating to execution behavior of a corresponding malware sample. The computer system may, in various embodiments, process the plurality of reports to generate a plurality of vectors that includes, for each of the malware samples, a corresponding vector indicative of the execution behavior of the corresponding malware sample. Based on the plurality of vectors, the computer system may generate similarity values indicative of a similarity between ones of the plurality of vectors. Further, based on the similarity values, the computer system may assign each of the plurality of malware samples to one of a plurality of clusters of related malware samples.
  Type: Grant
  Filed: August 28, 2018
  Date of Patent: April 20, 2021
  Assignee: AlienVault, Inc.
  Inventors: Srivathsan Srinivasagopalan, Alex Lisle, Russell Spitler, Roger Thornton
- Patent number: 10904278
  Abstract: Techniques are disclosed relating to detection of network security threats. In some embodiments, a computer system receives network event information from network devices in a network. The computer system stores a set of received network event information in a first data store and performs analysis to identify a subset of the network event information. The computer system uses the subset of network event information to create, in a second data store, a model of a state of the network, and runs stored threat detection routines to query the second data store to detect threats to the network. The computer system provides an indication of threats detected in response to running the plurality of stored threat detection routines and, in response to receiving an indication of a user query regarding the network, provides query results determined based on accessing information in the first data store, but not the second data store.
  Type: Grant
  Filed: May 2, 2018
  Date of Patent: January 26, 2021
  Assignee: Alien Vault, Inc.
  Inventors: Alex Lisle, Roger Thornton, Russell Spitler, Jaime Blasco
- Patent number: 10846406
  Abstract: Techniques are disclosed relating to malware clustering based on execution-behavior reports. In some embodiments, a computer system may access malware information that includes a plurality of reports corresponding to a plurality of malware samples. In some embodiments, each of the malware reports specifies a set of features relating to execution behavior of a corresponding malware sample. The computer system may, in various embodiments, process the plurality of reports to generate a plurality of vectors that includes, for each of the malware samples, a corresponding vector indicative of the execution behavior of the corresponding malware sample. Based on the plurality of vectors, the computer system may generate similarity values indicative of a similarity between ones of the plurality of vectors. Further, based on the similarity values, the computer system may assign each of the plurality of malware samples to one of a plurality of clusters of related malware samples.
  Type: Grant
  Filed: August 28, 2018
  Date of Patent: November 24, 2020
  Assignee: AlienVault, Inc.
  Inventors: Srivathsan Srinivasagopalan, Alex Lisle, Russell Spitler, Roger Thornton
- Publication number: 20200074080
  Abstract: Techniques are disclosed relating to malware clustering based on function call graph similarity. In some embodiments, a computer system may access information corresponding to a plurality of malware samples and, based on the information, generate a function call graph for each of the malware samples. In some embodiments, generating the function call graph for a given malware sample includes identifying a plurality of function calls included in the information, assigning a label to each of the function calls, identifying relationships between the function calls, and generating the function call graph based on the relationships and the labels. Based on the function call graphs, the computer system may assign each of the plurality of malware samples into one of a plurality of clusters of related malware samples.
  Type: Application
  Filed: August 28, 2018
  Publication date: March 5, 2020
  Inventors: Srivathsan Srinivasagopalan, Alex Lisle, Russell Spitler, Roger Thornton
- Publication number: 20200074081
  Abstract: Techniques are disclosed relating to malware clustering based on execution-behavior reports. In some embodiments, a computer system may access malware information that includes a plurality of reports corresponding to a plurality of malware samples. In some embodiments, each of the malware reports specifies a set of features relating to execution behavior of a corresponding malware sample. The computer system may, in various embodiments, process the plurality of reports to generate a plurality of vectors that includes, for each of the malware samples, a corresponding vector indicative of the execution behavior of the corresponding malware sample. Based on the plurality of vectors, the computer system may generate similarity values indicative of a similarity between ones of the plurality of vectors. Further, based on the similarity values, the computer system may assign each of the plurality of malware samples to one of a plurality of clusters of related malware samples.
  Type: Application
  Filed: August 28, 2018
  Publication date: March 5, 2020
  Inventors: Srivathsan Srinivasagopalan, Alex Lisle, Russell Spitler, Roger Thornton
- Publication number: 20190296962
  Abstract: Techniques are disclosed relating to storage of network event information for multiple tenants. In some embodiments, one or more host computer systems are configured to maintain a plurality of containers operable to isolate network event information of a plurality of tenants from others of the plurality of tenants. The plurality of containers includes a first container that includes a first database executable to store network event information for a first of the plurality of tenants, and a second container that includes a second database executable to store network event information for a second of the plurality of tenants. In some embodiments, a management computer system is configured to receive, from the first tenant, a request to access network event information of the first tenant and route the request to a host computer system maintaining the first container to cause the first database to service the request.
  Type: Application
  Filed: March 26, 2018
  Publication date: September 26, 2019
  Inventors: Alex Lisle, Roger Thornton, Russell Spitler, Jaime Blasco, Srivathsan Srinivasagopalan
- Publication number: 20180343276
  Abstract: Techniques are disclosed relating to detection of network security threats. In some embodiments, a computer system receives network event information from network devices in a network. The computer system stores a set of received network event information in a first data store and performs analysis to identify a subset of the network event information. The computer system uses the subset of network event information to create, in a second data store, a model of a state of the network, and runs stored threat detection routines to query the second data store to detect threats to the network. The computer system provides an indication of threats detected in response to running the plurality of stored threat detection routines and, in response to receiving an indication of a user query regarding the network, provides query results determined based on accessing information in the first data store, but not the second data store.
  Type: Application
  Filed: May 2, 2018
  Publication date: November 29, 2018
  Inventors: Alex Lisle, Roger Thornton, Russell Spitler, Jaime Blasco