Patents by Inventor Yanhui Jia
Yanhui Jia has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20240039893Abstract: Techniques for beacon and threat intelligence based Advanced Persistent Threat (APT) detection are disclosed. In some embodiments, a system/process/computer program product for beacon and threat intelligence based APT detection includes collecting firewall log data from monitored network traffic; analyzing the firewall log data at a cloud security service to identify beacon traffic based on a plurality of heuristics; performing a risk evaluation of the beacon traffic to detect malicious beacon traffic; and performing an action in response to detecting the malicious beacon traffic.Type: ApplicationFiled: July 29, 2022Publication date: February 1, 2024Inventors: Yanhui Jia, Qi Zhang, Shengming Xu
-
Publication number: 20240039889Abstract: Techniques for Cobalt Strike Beacon HTTP C2 heuristic detection are disclosed. In some embodiments, a system/process/computer program product for Cobalt Strike Beacon HTTP C2 heuristic detection includes monitoring HyperText Transfer Protocol (HTTP) network traffic at a firewall; prefiltering the monitored HTTP network traffic at the firewall to select a subset of the HTTP network traffic to forward to a cloud security service; determining whether the subset of the HTTP network traffic is associated with Cobalt Strike Beacon HTTP C2 traffic activity based on a plurality of heuristics; and performing an action in response to detecting the Cobalt Strike Beacon HTTP C2 traffic activity.Type: ApplicationFiled: August 7, 2023Publication date: February 1, 2024Inventors: Yanhui Jia, Christian Elihu Navarrete Discua, Durgesh Madhavrao Sangvikar, Ajaya Neupane, Yu Fu, Shengming Xu
-
Publication number: 20240039952Abstract: Techniques for Cobalt Strike Beacon HTTPS C2 heuristic detection are disclosed. In some embodiments, a system/process/computer program product for Cobalt Strike Beacon HTTPS C2 heuristic detection includes monitoring HyperText Transfer Protocol Secure (HTTPS) network traffic at a firewall; prefiltering the monitored HTTPS network traffic at the firewall to select a subset of the HTTPS network traffic to forward to a cloud security service; determining whether the subset of the HTTPS network traffic is associated with Cobalt Strike Beacon HTTPS C2 traffic activity based on a plurality of heuristics; and performing an action in response to detecting the Cobalt Strike Beacon HTTPS C2 traffic activity.Type: ApplicationFiled: July 29, 2022Publication date: February 1, 2024Inventors: Yanhui Jia, Shengming Xu
-
Publication number: 20240039951Abstract: Techniques for probing for Cobalt Strike TeamServer detection are disclosed. In some embodiments, a system/process/computer program product for probing for Cobalt Strike TeamServer detection includes monitoring HyperText Transfer Protocol (HTTP), HTTPS, and/or Domain Name System (DNS) network traffic at a firewall; prefiltering the monitored HTTP, HTTPS, and/or DNS network traffic at the firewall to select a subset of the HTTP, HTTPS, and/or DNS network traffic to forward to a cloud security service; performing HTTP, HTTPS, and/or DNS probing of a target to detect whether the target is a Cobalt Strike TeamServer; and performing an action in response to detecting that the target is the Cobalt Strike TeamServer.Type: ApplicationFiled: July 29, 2022Publication date: February 1, 2024Inventors: Yanhui Jia, Shengming Xu
-
Publication number: 20240037231Abstract: Techniques for sample traffic based self-learning malware detection are disclosed. In some embodiments, a system/process/computer program product for sample traffic based self-learning malware detection includes receiving a plurality of samples for malware detection analysis using a sandbox; executing each of the plurality of samples in the sandbox and monitoring network traffic during execution of each of the plurality of samples in the sandbox; detecting that one or more of the plurality of samples is malware based on automated analysis of the monitored network traffic using a command and control (C2) machine learning (ML) model if there is not a prior match with an intrusion prevention system (LPS) signature; and performing an action in response to detecting that the one or more of the plurality of samples is malware based on the automated analysis of the monitored network traffic using the C2 ML model. In some embodiments, the IPS signatures and C2 ML model are automatically generated and trained.Type: ApplicationFiled: June 9, 2023Publication date: February 1, 2024Inventors: Yanhui Jia, Matthew W. Tennis, Stefan Achleitner, Taojie Wang, Hui Gao, Shengming Xu
-
Patent number: 11770361Abstract: Techniques for Cobalt Strike Beacon HTTP C2 heuristic detection are disclosed. In some embodiments, a system/process/computer program product for Cobalt Strike Beacon HTTP C2 heuristic detection includes monitoring HyperText Transfer Protocol (HTTP) network traffic at a firewall; prefiltering the monitored HTTP network traffic at the firewall to select a subset of the HTTP network traffic to forward to a cloud security service; determining whether the subset of the HTTP network traffic is associated with Cobalt Strike Beacon HTTP C2 traffic activity based on a plurality of heuristics; and performing an action in response to detecting the Cobalt Strike Beacon HTTP C2 traffic activity.Type: GrantFiled: July 29, 2022Date of Patent: September 26, 2023Assignee: Palo Alto Networks, Inc.Inventors: Yanhui Jia, Christian Elihu Navarrete Discua, Durgesh Madhavrao Sangvikar, Ajaya Neupane, Yu Fu, Shengming Xu
-
Patent number: 11714903Abstract: Techniques for sample traffic based self-learning malware detection are disclosed. In some embodiments, a system/process/computer program product for sample traffic based self-learning malware detection includes receiving a plurality of samples for malware detection analysis using a sandbox; executing each of the plurality of samples in the sandbox and monitoring network traffic during execution of each of the plurality of samples in the sandbox; detecting that one or more of the plurality of samples is malware based on automated analysis of the monitored network traffic using a command and control (C2) machine learning (ML) model if there is not a prior match with an intrusion prevention system (IPS) signature; and performing an action in response to detecting that the one or more of the plurality of samples is malware based on the automated analysis of the monitored network traffic using the C2 ML model. In some embodiments, the IPS signatures and C2 ML model are automatically generated and trained.Type: GrantFiled: July 29, 2022Date of Patent: August 1, 2023Assignee: Palo Alto Networks, Inc.Inventors: Yanhui Jia, Matthew W. Tennis, Stefan Achleitner, Taojie Wang, Hui Gao, Shengming Xu
-
Patent number: 11627160Abstract: Techniques for providing an intelligent-interaction honeypot for IoT devices in accordance with some embodiments. In some embodiments, a system/process/computer program product for providing an intelligent-interaction honeypot for IoT devices includes receiving a request from an attacker sent to an IP address that is associated with a honeypot instance for Internet of Things (IoT) devices; determining a response to the request using a data store that stores a plurality of responses and associated IoT device information, wherein the plurality of responses and associated IoT device information is generated based on automated machine learning of active probing of physical IoT devices on the Internet; and sending the response from the honeypot instance for IoT devices to the attacker, wherein the attacker is unable to detect that the response is associated with an emulated IoT device.Type: GrantFiled: February 28, 2021Date of Patent: April 11, 2023Assignee: Palo Alto Networks, Inc.Inventors: Tongbo Luo, Zhaoyan Xu, Xing Jin, Yanhui Jia, Xin Ouyang
-
Publication number: 20210194926Abstract: Techniques for providing an intelligent-interaction honeypot for IoT devices in accordance with some embodiments. In some embodiments, a system/process/computer program product for providing an intelligent-interaction honeypot for IoT devices includes receiving a request from an attacker sent to an IP address that is associated with a honeypot instance for Internet of Things (IoT) devices; determining a response to the request using a data store that stores a plurality of responses and associated IoT device information, wherein the plurality of responses and associated IoT device information is generated based on automated machine learning of active probing of physical IoT devices on the Internet; and sending the response from the honeypot instance for IoT devices to the attacker, wherein the attacker is unable to detect that the response is associated with an emulated IoT device.Type: ApplicationFiled: February 28, 2021Publication date: June 24, 2021Inventors: Tongbo Luo, Zhaoyan Xu, Xing Jin, Yanhui Jia, Xin Ouyang
-
Patent number: 10986126Abstract: Techniques for providing an intelligent-interaction honeypot for IoT devices in accordance with some embodiments. In some embodiments, a system/process/computer program product for providing an intelligent-interaction honeypot for IoT devices includes receiving a request from an attacker sent to an IP address that is associated with a honeypot instance for Internet of Things (IoT) devices; determining a response to the request using a data store that stores a plurality of responses and associated IoT device information, wherein the plurality of responses and associated IoT device information is generated based on automated machine learning of active probing of physical IoT devices on the Internet; and sending the response from the honeypot instance for IoT devices to the attacker, wherein the attacker is unable to detect that the response is associated with an emulated IoT device.Type: GrantFiled: July 24, 2018Date of Patent: April 20, 2021Assignee: Palo Alto Networks, Inc.Inventors: Tongbo Luo, Zhaoyan Xu, Xing Jin, Yanhui Jia, Xin Ouyang
-
Publication number: 20190081980Abstract: Techniques for providing an intelligent-interaction honeypot for IoT devices in accordance with some embodiments. In some embodiments, a system/process/computer program product for providing an intelligent-interaction honeypot for IoT devices includes receiving a request from an attacker sent to an IP address that is associated with a honeypot instance for Internet of Things (IoT) devices; determining a response to the request using a data store that stores a plurality of responses and associated IoT device information, wherein the plurality of responses and associated IoT device information is generated based on automated machine learning of active probing of physical IoT devices on the Internet; and sending the response from the honeypot instance for IoT devices to the attacker, wherein the attacker is unable to detect that the response is associated with an emulated IoT device.Type: ApplicationFiled: July 24, 2018Publication date: March 14, 2019Inventors: Tongbo Luo, Zhaoyan Xu, Xing Jin, Yanhui Jia, Xin Ouyang