Systems and methods for detecting anomalies that are potentially indicative of malicious attacks
First Claim
1. A computer-implemented method for detecting anomalies that are potentially indicative of malicious attacks, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying, by the computing device, a sequence of computing activities performed on the computing device;
- calculating, by the computing device, a cumulative influence score between pairs of computing activities in the sequence of computing activities through convolution of the sequence of computing activities, wherein an influence score comprises a likelihood of influence of one computing activity on another computing activity;
- detecting, by the computing device, an anomaly that is potentially indicative of a malicious attack based on a comparison of the cumulative influence score and an expected threshold for a user of the computing device; and
- in response to detecting the anomaly, performing a security action on the computing device to mitigate the malicious attack.
Abstract
A computer-implemented method for detecting anomalies that are potentially indicative of malicious attacks may include (1) identifying a sequence of activities performed on a computing device, (2) calculating a cumulative influence score between pairs of activities in the sequence of activities through convolution of the sequence of activities, (3) detecting an anomaly that is potentially indicative of a malicious attack based on a comparison of the cumulative influence score and an expected threshold for a user of the computing device, and (4) in response to detecting the anomaly, performing a security action. Various other methods, systems, and computer-readable media are also disclosed.
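The abstract describes the four steps but not how the influence score or the per-user threshold are actually computed. The following is an added worked example, not code from the patent or its assignee, that fills those gaps with stated assumptions: pairwise influence is looked up in a constructed table keyed on (earlier activity, later activity), the "convolution" is the sequence convolved with a geometric decay kernel (weight 0.5 per position of lag) over a short window, the expected threshold is a fraction of the user's mean per-activity score over known-good history, and a sequence whose activities barely influence one another (score below threshold) is treated as the anomaly. All activity names, scores and sequences are constructed sample data.

```python
"""Added example: cumulative influence score over an activity sequence.

Assumptions (none of these come from the patent text):
  * pairwise influence is a constructed table keyed on (earlier, later) activity;
  * the convolution kernel is geometric decay 0.5**lag over a short window;
  * the expected threshold is a fraction of the user's mean per-activity score
    on known-good history; a score below it is the anomaly.
"""

# Constructed sample table: likelihood that the first activity leads naturally
# to the second one in this user's normal workflow.
INFLUENCE = {
    ("login", "open_doc"): 0.9,
    ("login", "edit_doc"): 0.5,
    ("open_doc", "edit_doc"): 0.8,
    ("open_doc", "save_doc"): 0.6,
    ("edit_doc", "save_doc"): 0.9,
    ("edit_doc", "logout"): 0.3,
    ("save_doc", "logout"): 0.6,
}
DEFAULT_INFLUENCE = 0.05  # pairs never seen together: weak, non-zero influence
WINDOW = 3                # lags 1 .. WINDOW-1 are considered for each activity


def pairwise_influence(earlier, later):
    """Likelihood that `earlier` influenced `later` (table lookup, assumed)."""
    return INFLUENCE.get((earlier, later), DEFAULT_INFLUENCE)


def decay_kernel(window):
    """kernel[k] is the weight of an activity k positions earlier in the sequence."""
    return [0.5 ** k for k in range(window)]


def cumulative_influence(sequence, window=WINDOW):
    """Convolve the activity sequence with the decay kernel.

    For each position j > 0, score_j = sum over lags k of
    kernel[k] * influence(sequence[j-k], sequence[j]).
    Returns (cumulative total, per-activity mean); the mean makes sequences
    of different length comparable against one threshold.
    """
    kernel = decay_kernel(window)
    per_position = []
    for j, later in enumerate(sequence):
        if j == 0:
            continue  # nothing precedes the first activity
        score = sum(
            kernel[k] * pairwise_influence(sequence[j - k], later)
            for k in range(1, window)
            if j - k >= 0
        )
        per_position.append(score)
    total = sum(per_position)
    per_activity = total / len(per_position) if per_position else 0.0
    return total, per_activity


def expected_threshold(history, factor=0.5):
    """Per-user threshold: a fraction of the mean per-activity score on known-good sequences."""
    means = [cumulative_influence(seq)[1] for seq in history]
    return factor * sum(means) / len(means)


def evaluate(sequence, threshold):
    """Return (total, per_activity, anomaly, action).

    The security action here is a defensive response label only; a real
    deployment would route it to the endpoint agent or SIEM.
    """
    total, per_activity = cumulative_influence(sequence)
    anomaly = per_activity < threshold
    action = "alert_and_require_reauth" if anomaly else "none"
    return total, per_activity, anomaly, action


# Constructed sample data: two known-good sessions and one session to evaluate.
HISTORY = [
    ["login", "open_doc", "edit_doc", "save_doc", "logout"],
    ["login", "open_doc", "save_doc", "logout"],
]
SUSPECT = ["login", "run_script", "archive_files", "transfer_out", "logout"]

if __name__ == "__main__":
    thr = expected_threshold(HISTORY)
    for seq in HISTORY + [SUSPECT]:
        total, mean, anomaly, action = evaluate(seq, thr)
        print(f"{seq}: total={total:.4f} per_activity={mean:.4f} "
              f"threshold={thr:.4f} anomaly={anomaly} action={action}")
```

With the constructed table, the two known-good sessions score 1.95 and 1.075 in total, the threshold works out to about 0.21 per activity, and the suspect session (every pair at the default 0.05) scores 0.1375 in total, well under the threshold, so it is flagged. The design choice worth noting is the normalisation by sequence length: without it a long benign session and a short anomalous one would not be comparable against a single per-user threshold.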
20 Claims
1. A computer-implemented method for detecting anomalies that are potentially indicative of malicious attacks, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying, by the computing device, a sequence of computing activities performed on the computing device;
- calculating, by the computing device, a cumulative influence score between pairs of computing activities in the sequence of computing activities through convolution of the sequence of computing activities, wherein an influence score comprises a likelihood of influence of one computing activity on another computing activity;
- detecting, by the computing device, an anomaly that is potentially indicative of a malicious attack based on a comparison of the cumulative influence score and an expected threshold for a user of the computing device; and
- in response to detecting the anomaly, performing a security action on the computing device to mitigate the malicious attack.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. A system for detecting anomalies that are potentially indicative of malicious attacks, the system comprising:
- an identification module, stored in memory, that identifies a sequence of computing activities performed on a computing device;
- a calculation module, stored in memory, that calculates a cumulative influence score between pairs of computing activities in the sequence of computing activities through convolution of the sequence of computing activities, wherein an influence score comprises a likelihood of influence of one computing activity on another computing activity;
- a detection module, stored in memory, that detects an anomaly that is potentially indicative of a malicious attack based on a comparison of the cumulative influence score and an expected threshold for a user of the computing device;
- a security module, stored in memory, that, in response to detecting the anomaly, performs a security action on the computing device to mitigate the malicious attack; and
- at least one processor that executes the identification module, the calculation module, the detection module, and the security module.

Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19.

20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify a sequence of computing activities performed on the computing device;
- calculate a cumulative influence score between pairs of computing activities in the sequence of computing activities through convolution of the sequence of computing activities, wherein an influence score comprises a likelihood of influence of one computing activity on another computing activity;
- detect an anomaly that is potentially indicative of a malicious attack based on a comparison of the cumulative influence score and an expected threshold for a user of the computing device; and
- in response to detecting the anomaly, perform a security action on the computing device to mitigate the malicious attack.
Specification