System and method to detect premium attacks on electronic networks and electronic devices

US 10,121,000 B1
Filed: 06/28/2016
Issued: 11/06/2018
Est. Priority Date: 06/28/2016
Status: Active Grant

First Claim

Patent Images

1. A computerized method for detecting premium attacks by an attack classification system including one or more hardware processors and storage medium, the method comprising:

receiving, by the attack classification system, analytic information;

generating, by the attack classification system, logical representations for different portions of the analytic information represented as a nodal graph, the logical representations include objects, properties, and relationships between the objects and the properties;

filtering, by the attack classification system, a first set of one or more relationships from the relationships, each of the first set of relationships provides lesser assistance in clustering the objects and the properties than a remaining plurality of relationships from the relationships;

performing, by the attack classification system, a clustering operation that forms one or more clusters by removing a second set of one or more relationships from the remaining plurality of relationships, the one or more clusters includes a first cluster being a logical representation of a first plurality of objects of the objects, a first plurality of properties of the properties and a plurality of relationships being the remaining plurality of relationships excluding the second set of relationships;

analyzing, by the attack classification system, at least the first cluster of the one or more clusters to determine features of at least the first cluster;

introducing the determined features associated with the first cluster into the nodal graph; and

analyzing the features of the first cluster to determine whether the first plurality of objects, the first plurality of properties and the plurality of relationships forming the first cluster are associated with a premium attack, the analyzing of the features of the first cluster comprises applying rule-based constraints to the features of at least the first cluster to determine that the features correspond to cluster features that are commonly present in premium attacks.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized method for detecting premium attacks by an attack classification system is described. Based on received analytic information, the attack classification system generates logical representations for different portions of the analytic information represented as a nodal graph. The logical representations include objects, properties, and relationships between the objects and the properties. The attack classification system filters at least one relationship from the relationships and forms a first cluster further filtering the relationships. Being a logical representation of objects, properties and the remaining relationships, the first cluster is analyzed to determine features and introduce the features into the nodal graph. An analysis of the features determines whether the objects, properties and relationships forming the first cluster are associated with a premium attack by at least applying rule-based constraints to the features of the first cluster to determine whether they correspond to cluster features commonly present in premium attacks.

179 Citations

47 Claims

1. A computerized method for detecting premium attacks by an attack classification system including one or more hardware processors and storage medium, the method comprising:
- receiving, by the attack classification system, analytic information;
  
  generating, by the attack classification system, logical representations for different portions of the analytic information represented as a nodal graph, the logical representations include objects, properties, and relationships between the objects and the properties;
  
  filtering, by the attack classification system, a first set of one or more relationships from the relationships, each of the first set of relationships provides lesser assistance in clustering the objects and the properties than a remaining plurality of relationships from the relationships;
  
  performing, by the attack classification system, a clustering operation that forms one or more clusters by removing a second set of one or more relationships from the remaining plurality of relationships, the one or more clusters includes a first cluster being a logical representation of a first plurality of objects of the objects, a first plurality of properties of the properties and a plurality of relationships being the remaining plurality of relationships excluding the second set of relationships;
  
  analyzing, by the attack classification system, at least the first cluster of the one or more clusters to determine features of at least the first cluster;
  
  introducing the determined features associated with the first cluster into the nodal graph; and
  
  analyzing the features of the first cluster to determine whether the first plurality of objects, the first plurality of properties and the plurality of relationships forming the first cluster are associated with a premium attack, the analyzing of the features of the first cluster comprises applying rule-based constraints to the features of at least the first cluster to determine that the features correspond to cluster features that are commonly present in premium attacks.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The computerized method of claim 1, wherein the analytic information includes information gathered during an analysis of at least one detected malicious attack and contextual information associated with the at least one detected malicious attack.
  - 3. The computerized method of claim 1, wherein the receiving of the analytic information is responsive to a triggering event that includes the attack classification system determining that a prescribed period of time has elapsed from a prior analysis for a presence of a premium attack.
  - 4. The computerized method of claim 1, wherein the generating of the logical representations for different portions of the analytic information comprisesstructuring a first portion of the analytic information as one of the objects that is logically represented as a first node in accordance with a graph data model;
    - structuring a second portion of the analytic information as one of the properties that is logically represented as a second node in accordance with a graph data model; and
      
      determining a logical relationship between nodes associated with the objects and properties, including a first relationship between the first node and the second node.
  - 5. The computerized method of claim 1, wherein the filtering of the first set of relationships from the relationships comprises (i) determining, by iterative analysis of each of the relationships, whether one or more relationships provide lesser assistance in the clustering of the objects and the properties than the remaining plurality of relationships, and (ii) removing the one or more relationships that are operating as the first set of relationships while retaining the remaining plurality of relationships.
  - 6. The computerized method of claim 5, wherein the determining whether the one or more relationships provide lesser assistance in the clustering of the objects and the properties includes determining whether any of the relationships is based on a call to a particular search engine.
  - 7. The computerized method of claim 5, wherein the determining whether the one or more relationships provide lesser assistance in the clustering of the objects and the properties includes determining whether any of the relationships occur outside a desired time period.
  - 8. The computerized method of claim 5, wherein the determining whether the one or more relationships provide lesser assistance in the clustering of the objects and the properties includes determining whether any of the relationships pertains to a known benign domain or Internet Protocol (IP) address.
  - 9. The computerized method of claim 1, wherein the clustering operation removes the second set of relationships by maintaining relationships associated with the one or more objects associated with at least a prescribed number of relationships and the plurality of properties associated with at least the prescribed number of relationships.
  - 10. The computerized method of claim 1, wherein the analyzing of at least the first cluster comprises conducting an analysis of attributes associated with the object, properties and relationships associated with the first cluster to determine the features of the first cluster.
  - 11. The computerized method of claim 10, wherein the features of the first cluster include one or more of (1) a number of objects logically represented within the first cluster;
    - (2) a number of objects that are associated with a particular type of executable;
      
      (3) a number of objects that are associated with a particular type of non-executable;
      
      (4) a number of objects and properties associated with a particular industry;
      
      (5) node connectivity information.
  - 12. The computerized method of claim 1, wherein the rule-based constraints include a first constraint associated with a size of the cluster as represented by a range in an aggregate number of the first plurality of objects and the first plurality of properties.
  - 13. The computerized method of claim 12, wherein the rule-based constraints further include a second constraint associated with lateral proliferation of malware, the second constraint is represented by a range in a number of new client devices detected with malware per a selected time frame.
  - 14. The computerized method of claim 12, wherein the rule-based constraints includes a second constraint associated with a range in number of original sources of the analytic information that infers a concentrated attack.
  - 15. The computerized method of claim 1, wherein the premium attack is a cyberattack directed toward a specific target or a specific set of targets.
  - 16. The computerized method of claim 1, wherein the premium attack is a cyberattack that exhibits signs of manual operator activity during the cyberattack.

17. An attack classification system for detecting premium attacks, comprising:
- one or more hardware processors; and
  
  a storage medium that stores one or more software modules, including;
  
  data collection logic that, when executed by the one or more hardware processors, obtains analytic information from one or more resources remotely located from the attack classification system,mapping logic that, when executed by the one or more hardware processors and in accordance with a selected data model, generates logical representations, operating as objects, properties and relationships, for different portions of the analytic information represented as a nodal graph,filtering logic that, when executed by the one or more hardware processors, filters a first set of one or more relationships from the relationships and each of the first set of relationships providing lesser assistance in clustering the objects and the properties than a remaining plurality of relationships from the relationships,cluster formation logic that, when executed by the one or more hardware processors, performs a clustering operation by forming one or more clusters by removing a second set of one or more relationships from the remaining plurality of relationships, the one or more clusters includes a first cluster being a logical representation of a first plurality of objects of the objects, a first plurality of properties of the properties and a plurality of relationships being the remaining plurality of relationships excluding the second set of relationships,cluster analysis logic to analyze at least the first cluster of the one or more clusters to determine features of at least the first cluster and to introduce the determined features associated with the first cluster into the nodal graph, andclassification logic to analyze the features of the first cluster to determine whether the first plurality of objects, the first plurality of properties and the plurality of relationships forming the first cluster are associated with a premium attack, the analyzing of the features of the first cluster comprises applying rule-based constraints to the features of at least the first cluster to determine that the features correspond to cluster features that are commonly present in premium attacks.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 18. The attack classification system of claim 17, wherein the analytic information includes information gathered during an analysis of at least one detected malicious attack and contextual information associated with the at least one detected malicious attack.
  - 19. The attack classification system of claim 17, wherein the data collection logic obtains the analytic information in response to a triggering event that includes a determination that a prescribed period of time has elapsed from a prior analysis for a presence of a premium attack.
  - 20. The attack classification system of claim 17, wherein the mapping logic generates the logical representations for the different portions of the analytic information by at leaststructuring a first portion of the analytic information as one of the objects that is logically represented as a first node in accordance with a graph data model;
    - structuring a second portion of the analytic information as one of the properties that is logically represented as a second node in accordance with a graph data model; and
      
      determining a logical relationship between nodes associated with the objects and properties, including a first relationship between the first node and the second node.
  - 21. The attack classification system of claim 17, wherein the filtering logic filters the first set of relationships from the relationships by at least (i) determining, by iterative analysis of each of the relationships, whether one or more relationships provide lesser assistance in the clustering of the objects and the properties than the remaining plurality of relationships, and (ii) removing the one or more relationships that are operating as the first set of relationships while retaining the remaining plurality of relationships.
  - 22. The attack classification system of claim 21, wherein the filtering logic determining whether the one or more relationships provide lesser assistance in the clustering of the objects and the properties includes determining whether any of the relationships is based on a call to a particular search engine.
  - 23. The attack classification system of claim 21, wherein the filtering logic determining whether the one or more relationships provide lesser assistance in the clustering of the objects and the properties includes determining whether any of the relationships occur outside a desired time period.
  - 24. The attack classification system of claim 21, wherein the filtering logic determining whether the one or more relationships provide lesser assistance in the clustering of the objects and the properties includes determining whether any of the relationships pertains to a known benign domain or Internet Protocol (IP) address.
  - 25. The attack classification system of claim 17, wherein the cluster formation logic removes the second set of relationships by maintaining relationships associated with the one or more objects associated with at least a prescribed number of relationships and the plurality of properties associated with at least the prescribed number of relationships.
  - 26. The attack classification system of claim 17, wherein the cluster analysis logic to analyze the first cluster by at least conducting an analysis of attributes associated with the object, properties and relationships associated with the first cluster to determine the features of the first cluster.
  - 27. The attack classification system of claim 26, wherein the features of the first cluster include one or more of (1) a number of objects logically represented within the first cluster;
    - (2) a number of objects that are associated with a particular type of executable;
      
      (3) a number of objects that are associated with a particular type of non-executable;
      
      (4) a number of objects and properties associated with a particular industry;
      
      (5) node connectivity information.
  - 28. The attack classification system of claim 17, wherein the rule-based constraints include a first constraint associated with a size of the cluster as represented by a range in an aggregate number of the first plurality of objects and the first plurality of properties.
  - 29. The attack classification system of claim 28, wherein the rule-based constraints further include a second constraint associated with lateral proliferation of malware, the second constraint is represented by a range in a number of new client devices detected with malware per a selected time frame.
  - 30. The attack classification system of claim 28, wherein the rule-based constraints includes a second constraint associated with a range in number of original sources of the analytic information that infers a concentrated attack.
  - 31. The attack classification system of claim 17, wherein the premium attack is a cyberattack directed toward a specific target or a specific set of targets.
  - 32. The attack classification system of claim 17, wherein the premium attack is a cyberattack that exhibits signs of manual operator activity during the cyberattack.

33. An attack classification system for detecting premium attacks, comprising:
- one or more hardware processors; and
  
  a storage medium that stores one or more software modules, including;
  
  data collection logic that, when executed by the one or more hardware processors, obtains analytic information from one or more resources remotely located from the attack classification system,mapping logic that, when executed by the one or more hardware processors and in accordance with a selected data model, generates logical representations, operating as objects, properties and relationships, for different portions of the analytic information represented as a nodal graph,filtering logic that, when executed by the one or more hardware processors, filters a first set of one or more relationships from the relationships and each of the first plurality of relationships providing lesser assistance in clustering the objects and the properties than a remaining plurality of relationships from the relationships,cluster formation logic that, when executed by the one or more hardware processors, performs a clustering operation by forming one or more clusters from removing one or more relationships of a plurality of relationships associated with logical representations of different portions of the analytic information, the logical representations of different portions of the analytic information are represented in accordance with a data model scheme as at least a plurality of objects,cluster analysis logic to analyze at least a first cluster of the one or more clusters to determine features of at least the first cluster and to introduce the determined features associated with the first cluster into the nodal graph, andclassification logic to analyze the features of the first cluster to determine whether the plurality of objects and a remaining relationships of the plurality of relationships forming the first cluster are associated with a premium attack, the analyzing of the features of the first cluster comprises applying rule-based constraints to the features of at least the first cluster to determine that the features correspond to cluster features that are commonly present in premium attacks.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47)
- - 34. The attack classification system of claim 33, wherein the analytic information includes information gathered during an analysis of at least one detected malicious attack and contextual information associated with the at least one detected malicious attack.
  - 35. The attack classification system of claim 33, wherein the mapping logic generates the logical representations for the different portions of the analytic information by at leaststructuring a first portion of the analytic information as one of the objects that is logically represented as a first node in accordance with a graph data model;
    - structuring a second portion of the analytic information as one of the properties that is logically represented as a second node in accordance with a graph data model; and
      
      determining a logical relationship between nodes associated with the objects and properties, including a first relationship between the first node and the second node.
  - 36. The attack classification system of claim 33, wherein the filtering logic filters the first set of relationships from the relationships by at least (i) determining, by iterative analysis of each of the relationships, whether one or more relationships provide lesser assistance in the clustering of the objects and the properties than the remaining plurality of relationships, and (ii) removing the one or more relationships that are operating as the first set of relationships while retaining the remaining plurality of relationships.
  - 37. The attack classification system of claim 36, wherein the filtering logic determining whether the one or more relationships provide lesser assistance in the clustering of the objects and the properties by at least determining whether any of the relationships is based on a call to a particular search engine.
  - 38. The attack classification system of claim 36, wherein the filtering logic determining whether the one or more relationships provide lesser assistance in the clustering of the objects and the properties by at least determining whether any of the relationships occur outside a desired time period.
  - 39. The attack classification system of claim 36, wherein the filtering logic determining whether the one or more relationships provide lesser assistance in the clustering of the objects and the properties by at least determining whether any of the relationships pertains to a known benign domain or Internet Protocol (IP) address.
  - 40. The attack classification system of claim 33, wherein the cluster formation logic removes the second plurality of relationships by maintaining relationships associated with the one or more objects associated with at least a prescribed number of relationships and the plurality of properties associated with at least the prescribed number of relationships.
  - 41. The attack classification system of claim 33, wherein the cluster analysis logic to analyze the first cluster by at least conducting an analysis of attributes associated with the object, properties and relationships associated with the first cluster to determine the features of the first cluster.
  - 42. The attack classification system of claim 33, wherein the features of the first cluster include one or more of (1) a number of objects logically represented within the first cluster;
    - (2) a number of objects that are associated with a particular type of executable;
      
      (3) a number of objects that are associated with a particular type of non-executable;
      
      (4) a number of objects and properties associated with a particular industry;
      
      or (5) node connectivity information.
  - 43. The attack classification system of claim 33, wherein the rule-based constraints include a first rule-based constraint associated with a size of the cluster as represented by a range in an aggregate number of the first plurality of objects and the first plurality of properties.
  - 44. The attack classification system of claim 43, wherein the rule-based constraints further include a second rule-based constraint associated with lateral proliferation of malware, the second rule-based constraint is represented by a range in a number of new client devices detected with malware per a selected time frame.
  - 45. The attack classification system of claim 44, wherein the rule-based constraints further include a second rule-based constraint associated with a range in number of original sources of the analytic information that infers a concentrated attack.
  - 46. The attack classification system of claim 33, wherein the premium attack is a cyberattack directed toward a specific target or a specific set of targets.
  - 47. The attack classification system of claim 33, wherein the premium attack is a cyberattack that exhibits signs of manual operator activity during the cyberattack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Rivlin, Alexandr, Alam, Naveed, Duraisamy, Vinoth
Primary Examiner(s)
Shiferaw, Eleni A
Assistant Examiner(s)
Zarrineh, Shahriar

Application Number

US15/195,909
Time in Patent Office

861 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 2221/034   Test or assess a computer o...

G06N 20/00   Machine learning

G06N 5/022   Knowledge engineering; Know...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

H04L 63/1475   Passive attacks, e.g. eaves...

System and method to detect premium attacks on electronic networks and electronic devices

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

179 Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

System and method to detect premium attacks on electronic networks and electronic devices

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

179 Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links