Patents by Inventor Marc Stoecklin
Marc Stoecklin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11153337Abstract: A method for improving a detection of beaconing activity includes receiving input data into a computer-implemented processing procedure at least one listing of at least one of time series data and candidate periods of potential beaconing activity. The input data is processed, to detect candidates of potential beaconing activity. By further evaluating the time series data using techniques used for evaluating an analog signal, the performance of detecting of potential beaconing activity is improved to eliminate false positive indications of beaconing activity and/or to provide indication of multiple interleaved periodicities of beaconing.Type: GrantFiled: March 28, 2019Date of Patent: October 19, 2021Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Xin Hu, Jiyong Jang, Douglas Schales, Marc Stoecklin, Ting Wang
-
Patent number: 10375101Abstract: A method includes collecting system calls and call parameters invoked by monitored applications for target computer systems. The system calls and call parameters are received from operating system kernels on the plurality of target computer systems. Sequences of systems calls and call parameters of the monitored applications are correlated among different target computer systems to deduce malicious activities. Remedial action(s) are performed in response to malicious activities being deduced as being malicious by the correlating. Another method includes determining that network activity at a specific time is deemed to be suspicious. Using IP addresses involved in the suspicious network activity, computer system(s) are determined that are sources of the suspicious network activity. Based on the specific time and the determined computer system(s), application(s) are determined that are executing on the determined computer system(s) that are causing the suspicious network activity.Type: GrantFiled: March 7, 2016Date of Patent: August 6, 2019Assignee: International Business Machines CorporationInventors: Stefan Berger, Yangyi Chen, Xin Hu, Dimitrious Pendarakis, Josyula Rao, Reiner Sailer, Douglas Lee Schales, Marc Stoecklin
-
Publication number: 20190230109Abstract: A method for improving a detection of beaconing activity includes receiving input data into a computer-implemented processing procedure at least one listing of at least one of time series data and candidate periods of potential beaconing activity. The input data is processed, to detect candidates of potential beaconing activity. By further evaluating the time series data using techniques used for evaluating an analog signal, the performance of detecting of potential beaconing activity is improved to eliminate false positive indications of beaconing activity and/or to provide indication of multiple interleaved periodicities of beaconing.Type: ApplicationFiled: March 28, 2019Publication date: July 25, 2019Inventors: Xin Hu, Jiyong Jang, Douglas Schales, Marc Stoecklin, Ting Wang
-
Patent number: 10284584Abstract: A method (and structure) includes receiving, as input data into a computer-implemented processing procedure, at least one listing of at least one of time series data and potential candidate periods of potential beaconing activity. The input data is processed, using a processor on a computer, to evaluate the input data as if the input data represents data points of an input analog signal subject to principles of communication theory and having determinable statistical characteristics.Type: GrantFiled: May 27, 2016Date of Patent: May 7, 2019Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Xin Hu, Jiyong Jang, Douglas Schales, Marc Stoecklin, Ting Wang
-
Patent number: 10044737Abstract: A method for detecting beaconing behavior includes preprocessing network records to identify candidate source and destination pairs for detecting beaconing behavior, where each source and destination pair is associated with a specific time interval in a plurality of time intervals forming a time range, the time interval and time range having been predefined. The activity time interval information is converted from the time domain into the frequency domain. Candidate frequencies are determined from the source and destination pairs, as likely candidate frequencies/periodicities of beaconing activities.Type: GrantFiled: June 25, 2015Date of Patent: August 7, 2018Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Xin Hu, Jiyong Jang, Douglas Schales, Marc Stoecklin, Ting Wang
-
Patent number: 9832217Abstract: A method includes collecting system calls and call parameters invoked by monitored applications for target computer systems. The system calls and call parameters are received from operating system kernels on the plurality of target computer systems. Sequences of systems calls and call parameters of the monitored applications are correlated among different target computer systems to deduce malicious activities. Remedial action(s) are performed in response to malicious activities being deduced as being malicious by the correlating. Another method includes determining that network activity at a specific time is deemed to be suspicious. Using IP addresses involved in the suspicious network activity, computer system(s) are determined that are sources of the suspicious network activity. Based on the specific time and the determined computer system(s), application(s) are determined that are executing on the determined computer system(s) that are causing the suspicious network activity.Type: GrantFiled: September 30, 2014Date of Patent: November 28, 2017Assignee: International Business Machines CorporationInventors: Stefan Berger, Yangyi Chen, Xin Hu, Dimitrios Pendarakis, Josyula Rao, Reiner Sailer, Douglas Lee Schales, Marc Stoecklin
-
Publication number: 20170244731Abstract: A method (and structure) includes receiving, as input data into a computer-implemented processing procedure, at least one listing of at least one of time series data and potential candidate periods of potential beaconing activity. The input data is processed, using a processor on a computer, to evaluate the input data as if the input data represents data points of an input analog signal subject to principles of communication theory and having determinable statistical characteristics.Type: ApplicationFiled: May 27, 2016Publication date: August 24, 2017Inventors: Xin HU, Jiyong JANG, Douglas SCHALES, Marc STOECKLIN, Ting WANG
-
Patent number: 9591007Abstract: A method for detecting beaconing behavior includes preprocessing network records to identify candidate source and destination pairs for detecting beaconing behavior, where each source and destination pair is associated with a specific time interval in a plurality of time intervals forming a time range, the time interval and time range having been predefined. The activity time interval information is converted from the time domain into the frequency domain. Candidate frequencies are determined from the source and destination pairs, as likely candidate frequencies/periodicities of beaconing activities.Type: GrantFiled: March 25, 2015Date of Patent: March 7, 2017Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Xin Hu, Jiyong Jang, Douglas Schales, Marc Stoecklin, Ting Wang
-
Publication number: 20160261624Abstract: A method includes collecting system calls and call parameters invoked by monitored applications for target computer systems. The system calls and call parameters are received from operating system kernels on the plurality of target computer systems. Sequences of systems calls and call parameters of the monitored applications are correlated among different target computer systems to deduce malicious activities. Remedial action(s) are performed in response to malicious activities being deduced as being malicious by the correlating. Another method includes determining that network activity at a specific time is deemed to be suspicious. Using IP addresses involved in the suspicious network activity, computer system(s) are determined that are sources of the suspicious network activity. Based on the specific time and the determined computer system(s), application(s) are determined that are executing on the determined computer system(s) that are causing the suspicious network activity.Type: ApplicationFiled: March 7, 2016Publication date: September 8, 2016Inventors: Stefan Berger, Yangyi Chen, Xin Hu, Dimitrious Pendarakis, Josyula Rao, Reiner Sailer, Douglas Lee Schales, Marc Stoecklin
-
Publication number: 20160134651Abstract: A method for detecting beaconing behavior includes preprocessing network records to identify candidate source and destination pairs for detecting beaconing behavior, where each source and destination pair is associated with a specific time interval in a plurality of time intervals forming a time range, the time interval and time range having been predefined. The activity time interval information is converted from the time domain into the frequency domain. Candidate frequencies are determined from the source and destination pairs, as likely candidate frequencies/periodicities of beaconing activities.Type: ApplicationFiled: June 25, 2015Publication date: May 12, 2016Inventors: Xin HU, Jiyong JANG, Douglas SCHALES, Marc STOECKLIN, Ting WANG
-
Publication number: 20160134641Abstract: A method for detecting beaconing behavior includes preprocessing network records to identify candidate source and destination pairs for detecting beaconing behavior, where each source and destination pair is associated with a specific time interval in a plurality of time intervals forming a time range, the time interval and time range having been predefined. The activity time interval information is converted from the time domain into the frequency domain. Candidate frequencies are determined from the source and destination pairs, as likely candidate frequencies/periodicities of beaconing activities.Type: ApplicationFiled: March 25, 2015Publication date: May 12, 2016Inventors: Xin HU, Jiyong Jang, Douglas Schales, Marc Stoecklin, Ting Wang
-
Patent number: 9251328Abstract: A method for identifying an unknown user according to a plurality of facets of user activity in a plurality of contexts includes receiving a plurality of priors for the facets with respect to the contexts, receiving a plurality of footprints of known users, aggregating the footprints of the users to determine an ensemble prior, receiving a plurality of network traces relevant to an unknown user in a computer environment, matching the network traces against each of the footprints to determine a plurality of matches, aggregating the matches using the ensemble prior according to the facets and the contexts, and outputting a probable user identity for the unknown user.Type: GrantFiled: July 19, 2012Date of Patent: February 2, 2016Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Mihai Christodorescu, Reiner Sailer, Douglas Lee Schales, Marc Stoecklin, Ting Wang
-
Publication number: 20150264077Abstract: A method includes collecting system calls and call parameters invoked by monitored applications for target computer systems. The system calls and call parameters are received from operating system kernels on the plurality of target computer systems. Sequences of systems calls and call parameters of the monitored applications are correlated among different target computer systems to deduce malicious activities. Remedial action(s) are performed in response to malicious activities being deduced as being malicious by the correlating. Another method includes determining that network activity at a specific time is deemed to be suspicious. Using IP addresses involved in the suspicious network activity, computer system(s) are determined that are sources of the suspicious network activity. Based on the specific time and the determined computer system(s), application(s) are determined that are executing on the determined computer system(s) that are causing the suspicious network activity.Type: ApplicationFiled: September 30, 2014Publication date: September 17, 2015Inventors: Stefan Berger, Yangyi Chen, Xin Hu, Dimitrious Pendarakis, Josyula Rao, Douglas Lee Schales, Reiner Sailer, Marc Stoecklin
-
Patent number: 9003025Abstract: A method for identifying an unknown user according to a plurality of facets of user activity in a plurality of contexts includes receiving a plurality of priors for the facets with respect to the contexts, receiving a plurality of footprints of known users, aggregating the footprints of the users to determine an ensemble prior, receiving a plurality of network traces relevant to an unknown user in a computer environment, matching the network traces against each of the footprints to determine a plurality of matches, aggregating the matches using the ensemble prior according to the facets and the contexts, and outputting a probable user identity for the unknown user.Type: GrantFiled: July 5, 2012Date of Patent: April 7, 2015Assignee: International Business Machines CorporationInventors: Mihai Christodorescu, Reiner Sailer, Douglas Lee Schales, Marc Stoecklin, Ting Wang
-
Publication number: 20140012973Abstract: A method for identifying an unknown user according to a plurality of facets of user activity in a plurality of contexts includes receiving a plurality of priors for the facets with respect to the contexts, receiving a plurality of footprints of known users, aggregating the footprints of the users to determine an ensemble prior, receiving a plurality of network traces relevant to an unknown user in a computer environment, matching the network traces against each of the footprints to determine a plurality of matches, aggregating the matches using the ensemble prior according to the facets and the contexts, and outputting a probable user identity for the unknown user.Type: ApplicationFiled: July 5, 2012Publication date: January 9, 2014Applicant: International Business Machines CorporationInventors: MIHAI CHRISTODORESCU, REINER SAILER, DOUGLAS LEE SCHALES, MARC STOECKLIN, TING WANG
-
Publication number: 20140012976Abstract: A method for identifying an unknown user according to a plurality of facets of user activity in a plurality of contexts includes receiving a plurality of priors for the facets with respect to the contexts, receiving a plurality of footprints of known users, aggregating the footprints of the users to determine an ensemble prior, receiving a plurality of network traces relevant to an unknown user in a computer environment, matching the network traces against each of the footprints to determine a plurality of matches, aggregating the matches using the ensemble prior according to the facets and the contexts, and outputting a probable user identity for the unknown user.Type: ApplicationFiled: July 19, 2012Publication date: January 9, 2014Applicant: International Business Machines CorporationInventors: MIHAI CHRISTODORESCU, Reiner Sailer, Douglas Lee Schales, Marc Stoecklin, Ting Wang
-
Patent number: 7937388Abstract: A method for probabilistic lossy counting includes: for each element in a current window, determining whether an entry corresponding to a current element is present in a table; in the event an entry corresponding to the current element is present in the table, incrementing a frequency counter associated with the current element; otherwise, inserting an entry into a table, wherein inserting an entry comprises: calculating a probabilistic error bound ? based on an index i of the current window; and inserting the probabilistic error bound ? and a frequency counter into an entry corresponding to the current element in the table; and at the end of the current window, removing all elements from the table wherein the sum of the frequency counter and probabilistic error bound ? associated with the element is less than or equal to the index of the current window.Type: GrantFiled: August 20, 2008Date of Patent: May 3, 2011Assignee: International Business Machines CorporationInventors: Xenofontas Dimitropoulos, Paul T. Hurley, Andreas Kind, Marc Stoecklin
-
Patent number: 7911975Abstract: A system and method for monitoring packetized traffic flow in a network and enabling approximation of the rate information of a network flow. The method for monitoring network traffic flow includes receiving, at a network packet flow collector device, packetized traffic flow signals to be monitored; sampling said received packetized traffic flow signals in time to form an approximation of the packet flow rate in time; generating packet flow activity data comprising data representing the sampled traffic flow signals sampled in time; communicating the packet flow activity data to a network packet flow analyzer device and processing the flow activity data to form signals representing an approximate version of the network traffic flow in the network, the analyzer processing the traffic flow signals for reconstructing the rate of the netflow as a function of time.Type: GrantFiled: August 26, 2008Date of Patent: March 22, 2011Assignee: International Business Machines CorporationInventors: Patrick Droz, Paul Hurley, Andreas Kind, Marc Stoecklin
-
Publication number: 20100054151Abstract: A system and method for monitoring packetized traffic flow in a network and enabling approximation of the rate information of a network flow. The method for monitoring network traffic flow includes receiving, at a network packet flow collector device, packetized traffic flow signals to be monitored; sampling said received packetized traffic flow signals in time to form an approximation of the packet flow rate in time; generating packet flow activity data comprising data representing the sampled traffic flow signals sampled in time; communicating the packet flow activity data to a network packet flow analyzer device and processing the flow activity data to form signals representing an approximate version of the network traffic flow in the network, the analyzer processing the traffic flow signals for reconstructing the rate of the netflow as a function of time.Type: ApplicationFiled: August 26, 2008Publication date: March 4, 2010Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Patrick Droz, Paul Hurley, Andreas Kind, Marc Stoecklin
-
Publication number: 20100049700Abstract: A method for probabilistic lossy counting includes: for each element in a current window, determining whether an entry corresponding to a current element is present in a table; in the event an entry corresponding to the current element is present in the table, incrementing a frequency counter associated with the current element; otherwise, inserting an entry into a table, wherein inserting an entry comprises: calculating a probabilistic error bound ? based on an index i of the current window; and inserting the probabilistic error bound ? and a frequency counter into an entry corresponding to the current element in the table; and at the end of the current window, removing all elements from the table wherein the sum of the frequency counter and probabilistic error bound ? associated with the element is less than or equal to the index of the current window.Type: ApplicationFiled: August 20, 2008Publication date: February 25, 2010Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Xenofontas Dimitropoulos, Paul T. Hurley, Andreas Kind, Marc Stoecklin