Systems and methods for detecting anomalies that are potentially indicative of malicious attacks

US 10,104,100 B1
Filed: 03/03/2016
Issued: 10/16/2018
Est. Priority Date: 03/03/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting anomalies that are potentially indicative of malicious attacks, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

identifying, by the computing device, a sequence of computing activities performed on the computing device;

calculating, by the computing device, a cumulative influence score between pairs of computing activities in the sequence of computing activities through convolution of the sequence of computing activities, wherein an influence score comprises a likelihood of influence of one computing activity on another computing activity;

detecting, by the computing device, an anomaly that is potentially indicative of a malicious attack based on a comparison of the cumulative influence score and an expected threshold for a user of the computing device; and

in response to detecting the anomaly, performing a security action on the computing device to mitigate the malicious attack.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for detecting anomalies that are potentially indicative of malicious attacks may include (1) identifying a sequence of activities performed on a computing device, (2) calculating a cumulative influence score between pairs of activities in the sequence of activities through convolution of the sequence of activities, (3) detecting an anomaly that is potentially indicative of a malicious attack based on a comparison of the cumulative influence score and an expected threshold for a user of the computing device, and (4) in response to detecting the anomaly, performing a security action. Various other methods, systems, and computer-readable media are also disclosed.

85 Citations

View as Search Results

20 Claims

1. A computer-implemented method for detecting anomalies that are potentially indicative of malicious attacks, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying, by the computing device, a sequence of computing activities performed on the computing device;
  
  calculating, by the computing device, a cumulative influence score between pairs of computing activities in the sequence of computing activities through convolution of the sequence of computing activities, wherein an influence score comprises a likelihood of influence of one computing activity on another computing activity;
  
  detecting, by the computing device, an anomaly that is potentially indicative of a malicious attack based on a comparison of the cumulative influence score and an expected threshold for a user of the computing device; and
  
  in response to detecting the anomaly, performing a security action on the computing device to mitigate the malicious attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the sequence of computing activities comprises at least one of:
    - a sequence of single computing events; and
      
      subsequences of computing events.
  - 3. The method of claim 1, wherein calculating the cumulative influence score comprises hashing at least one influence score between a first computing activity and a second computing activity in a pair of computing activities.
  - 4. The method of claim 3, wherein the second computing activity comprises at least one instance of a computing activity following the first computing activity in the sequence of computing activities.
  - 5. The method of claim 4, wherein the influence score between the first computing activity and the second computing activity comprises a sum of values of a monotonically decreasing function of distances between the first computing activity and each instance of the second computing activity.
  - 6. The method of claim 1, wherein convolution of the sequence of computing activities comprises mapping the sequence of computing activities to a matrix of a finite size.
  - 7. The method of claim 1, wherein the expected threshold for the user comprises at least one of:
    - a minimum score for the user;
      
      a maximum score for the user; and
      
      an expected sequence of computing activities for the user.
  - 8. The method of claim 7, wherein detecting the anomaly comprises at least one of:
    - determining that the cumulative influence score is lower than the minimum score for the user;
      
      determining that the cumulative influence score is higher than the maximum score for the user; and
      
      determining that the sequence of computing activities is not the expected sequence of computing activities for the user.
  - 9. The method of claim 1, wherein the security action comprises at least one of:
    - signaling an alert;
      
      sending the anomaly to an administrator for review;
      
      receiving confirmation of the malicious attack;
      
      receiving disconfirmation of the malicious attack; and
      
      preventing execution of the sequence of computing activities.
  - 10. The method of claim 1, further comprising adding the anomaly to at least one of:
    - a whitelist of safe computing activities;
      
      a blacklist of computing activities indicative of an attack; and
      
      a training dataset of computing activities for determining thresholds.

11. A system for detecting anomalies that are potentially indicative of malicious attacks, the system comprising:
- an identification module, stored in memory, that identifies a sequence of computing activities performed on a computing device;
  
  a calculation module, stored in memory, that calculates a cumulative influence score between pairs of computing activities in the sequence of computing activities through convolution of the sequence of computing activities, wherein an influence score comprises a likelihood of influence of one computing activity on another computing activity;
  
  a detection module, stored in memory, that detects an anomaly that is potentially indicative of a malicious attack based on a comparison of the cumulative influence score and an expected threshold for a user of the computing device;
  
  a security module, stored in memory, that, in response to detecting the anomaly, performs a security action on the computing device to mitigate the malicious attack; and
  
  at least one processor that executes the identification module, the calculation module, the detection module, and the security module.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11, wherein the sequence of computing activities comprises at least one of:
    - a sequence of single computing events; and
      
      subsequences of computing events.
  - 13. The system of claim 11, wherein the calculation module calculates the cumulative influence score by hashing at least one influence score between a first computing activity and a second computing activity in a pair of computing activities.
  - 14. The system of claim 13, wherein the second computing activity comprises at least one instance of a computing activity following the first computing activity in the sequence of computing activities.
  - 15. The system of claim 14, wherein the influence score between the first computing activity and the second computing activity comprises a sum of values of a monotonically decreasing function of distances between the first computing activity and each instance of the second computing activity.
  - 16. The system of claim 11, wherein convolution of the sequence of computing activities comprises mapping the sequence of computing activities to a matrix of a finite size.
  - 17. The system of claim 11, wherein the expected threshold for the user comprises at least one of:
    - a minimum score for the user;
      
      a maximum score for the user; and
      
      an expected sequence of computing activities for the user.
  - 18. The system of claim 17, wherein the detection module detects the anomaly by at least one of:
    - determining that the cumulative influence score is lower than the minimum score for the user;
      
      determining that the cumulative influence score is higher than the maximum score for the user; and
      
      determining that the sequence of computing activities is not the expected sequence of computing activities for the user.
  - 19. The system of claim 11, wherein the security action comprises at least one of:
    - signaling an alert;
      
      sending the anomaly to an administrator for review;
      
      receiving confirmation of the malicious attack;
      
      receiving disconfirmation of the malicious attack; and
      
      preventing execution of the sequence of computing activities.

20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify a sequence of computing activities performed on the computing device;
  
  calculate a cumulative influence score between pairs of computing activities in the sequence of computing activities through convolution of the sequence of computing activities, wherein an influence score comprises a likelihood of influence of one computing activity on another computing activity;
  
  detect an anomaly that is potentially indicative of a malicious attack based on a comparison of the cumulative influence score and an expected threshold for a user of the computing device; and
  
  in response to detecting the anomaly, perform a security action on the computing device to mitigate the malicious attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Bogorad, Walter
Primary Examiner(s)
Revak, Christopher

Application Number

US15/059,326
Time in Patent Office

957 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

Systems and methods for detecting anomalies that are potentially indicative of malicious attacks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

85 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for detecting anomalies that are potentially indicative of malicious attacks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

85 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links