Automatic selection of malicious activity detection rules using crowd-sourcing techniques

US 10,148,673 B1
Filed: 09/30/2015
Issued: 12/04/2018
Est. Priority Date: 09/30/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of providing a rule to detect malicious activity, the computer-implemented method comprising:

receiving, by processing circuitry and from a first malicious activity detection system, an indication of whether a malicious activity detection rule is effective when used in the first malicious activity detection system to detect malicious activity, the received indication including a numerical rating value, a high numerical rating value indicating that the malicious activity detection rule is effective when used in the first malicious activity detection system to detect malicious activity;

performing a numerical rating prediction operation to produce predicted numerical rating values indicating whether the malicious activity detection rule is predicted to be effective in other malicious activity detection systems that have not indicated using the malicious activity detection rule, the predicted numerical rating values including a predicted numerical rating value, the other malicious activity detection systems including a second malicious activity detection system;

based on the indication, locating, by the processing circuitry, the second malicious activity detection system in which the malicious activity detection rule is predicted to be effective in detecting malicious activity, the locating of the second malicious activity detection system including comparing each of the predicted numerical rating values to a threshold rating value, the predicted numerical rating value indicating whether the malicious activity detection rule is predicted to be effective in the second malicious activity detection system exceeding the threshold rating value;

initiating transmitting, by the predicted numerical rating value exceeding the threshold rating value, a message to the second malicious activity detection system recommending the malicious activity detection rule for use in the second malicious activity detection system to detect malicious activity,wherein each of the first malicious activity detection system and the other malicious activity detection systems is described by a respective one of a finite number of system descriptors,wherein the malicious activity detection rule is described by one of a finite number of rule descriptors, andwherein the performing of the numerical rating prediction operation includes;

deriving, from the numerical rating value received from the first malicious activity detection system, (i) the respective system descriptor of each of the first malicious activity detection system and the other malicious activity detection systems and (ii) the rule descriptor of the malicious activity detection rule; and

generating the predicted numerical rating values based on the derived system descriptors and the derived rule descriptor, the generated predicted numerical rating values including a generated predicted numerical rating value; and

initiating detecting, by the generated predicted numerical rating value exceeding the threshold rating value, malicious activity by the second malicious activity detection system using the malicious activity detection rule.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques of operating intrusion detection systems provide a recommendation of an intrusion detection rule to an administrator of an intrusion detection system based on the experience of another administrator that has used the rule in another intrusion detection system. For example, suppose that electronic circuitry receives a numerical rating from a first intrusion detection system that indicates whether an intrusion detection rule was effective in identifying malicious activity when used in the first intrusion detection system. Based on the received rating and attributes of the first intrusion detection system, the electronic circuitry generates a predicted numerical rating that indicates whether the intrusion detection rule is likely to be effective in identifying malicious communications when used in a second intrusion detection system. If the predicted numerical rating is sufficiently high, then the electronic circuitry transmits a message to the second intrusion detection system recommending the intrusion detection rule for use in the second intrusion detection system.

38 Citations

View as Search Results

15 Claims

1. A computer-implemented method of providing a rule to detect malicious activity, the computer-implemented method comprising:
- receiving, by processing circuitry and from a first malicious activity detection system, an indication of whether a malicious activity detection rule is effective when used in the first malicious activity detection system to detect malicious activity, the received indication including a numerical rating value, a high numerical rating value indicating that the malicious activity detection rule is effective when used in the first malicious activity detection system to detect malicious activity;
  
  performing a numerical rating prediction operation to produce predicted numerical rating values indicating whether the malicious activity detection rule is predicted to be effective in other malicious activity detection systems that have not indicated using the malicious activity detection rule, the predicted numerical rating values including a predicted numerical rating value, the other malicious activity detection systems including a second malicious activity detection system;
  
  based on the indication, locating, by the processing circuitry, the second malicious activity detection system in which the malicious activity detection rule is predicted to be effective in detecting malicious activity, the locating of the second malicious activity detection system including comparing each of the predicted numerical rating values to a threshold rating value, the predicted numerical rating value indicating whether the malicious activity detection rule is predicted to be effective in the second malicious activity detection system exceeding the threshold rating value;
  
  initiating transmitting, by the predicted numerical rating value exceeding the threshold rating value, a message to the second malicious activity detection system recommending the malicious activity detection rule for use in the second malicious activity detection system to detect malicious activity,wherein each of the first malicious activity detection system and the other malicious activity detection systems is described by a respective one of a finite number of system descriptors,wherein the malicious activity detection rule is described by one of a finite number of rule descriptors, andwherein the performing of the numerical rating prediction operation includes;
  
  deriving, from the numerical rating value received from the first malicious activity detection system, (i) the respective system descriptor of each of the first malicious activity detection system and the other malicious activity detection systems and (ii) the rule descriptor of the malicious activity detection rule; and
  
  generating the predicted numerical rating values based on the derived system descriptors and the derived rule descriptor, the generated predicted numerical rating values including a generated predicted numerical rating value; and
  
  initiating detecting, by the generated predicted numerical rating value exceeding the threshold rating value, malicious activity by the second malicious activity detection system using the malicious activity detection rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A computer-implemented method as in claim 1, wherein receiving the indication of whether the malicious activity detection rule is effective from the first malicious activity detection system includes obtaining, from the first malicious activity detection system, a ratio of a number of false alerts to a number of total alerts generated by the first malicious activity detection system using the malicious activity detection rule.
  - 3. A computer-implemented method as in claim 2, further comprising:
    - having initiated the transmitting of the message to the second malicious activity detection system, transmitting the message to the second malicious activity detection system including providing a number of actual alerts to the second malicious activity detection system, the number of actual alerts being a difference between the number of total alerts and the number of false alerts generated by the first malicious activity detection system using the malicious activity detection rule.
  - 4. A computer-implemented method as in claim 1, wherein each of the finite number of system descriptors is a system feature vector having a specified number of components,wherein each of finite number of rule descriptors is a rule feature vector having the specified number of components, andwherein deriving includes:
    - forming a cost metric, the cost metric being a function of (i) each of the respective system feature vectors of each of the first malicious activity detection system and the other malicious activity detection systems, (ii) the rule feature vector of the malicious activity detection rule, and (iii) the received numerical rating value; and
      
      finding values of the components of each of the respective system feature vectors and the rule feature vector that minimizes the cost metric.
  - 5. A computer-implemented method as in claim 4, wherein generating the predicted numerical rating values includes computing, as the predicted numerical rating value indicating whether the malicious activity detection rule is predicted to be effective in each of the other malicious activity detection systems, an inner product of the respective system feature vector of that other malicious activity detection system and the rule feature vector.
  - 6. A computer-implemented method as in claim 1, further comprising:
    - receiving another malicious activity detection rule;
      
      deriving another rule descriptor of the other malicious activity detection rule; and
      
      generating other predicted numerical rating values indicating whether the other malicious activity detection rule is predicted to be effective in the other malicious activity detection systems based on the derived system descriptors and the derived other rule descriptor.
  - 7. A computer-implemented method as in claim 1, further comprising:
    - having initiated the transmitting of the message to the second malicious activity detection system, transmitting the message to the second malicious activity detection system including computing an amount of money saved when the malicious activity detection rule is used in the first malicious activity detection system to detect malicious activity; and
      
      providing a notification of the amount of money saved within the message.
  - 8. A computer-implemented method as in claim 1, wherein the initiating transmitting of the message includes initiating transmitting the message containing one or more of (i) a first identifier of the second malicious activity detection system, (ii) a second identifier of the malicious activity detection rule, and (iii) statistics involving actual usage of the malicious activity detection rule in the other malicious activity detection systems.

9. A computer program product having a non-transitory computer readable medium which stores a set of instructions to provide a rule to detect malicious activity, the set of instructions, when carried out by computerized circuitry, causing the computerized circuitry to perform a method of:
- receiving, by processing circuitry and from a first malicious activity detection system, an indication of whether a malicious activity detection rule is effective when used in the first malicious activity detection system to detect malicious activity, the received indication including a numerical rating value, a high numerical rating value indicating that the malicious activity detection rule is effective when used in the first malicious activity detection system to detect malicious activity;
  
  performing a numerical rating prediction operation to produce predicted numerical rating values indicating whether the malicious activity detection rule is predicted to be effective in other malicious activity detection systems that have not indicated using the malicious activity detection rule, the predicted numerical rating values including a predicted numerical rating value, the other malicious activity detection systems including a second malicious activity detection system;
  
  based on the indication, locating, by the processing circuitry, the second malicious activity detection system in which the malicious activity detection rule is predicted to be effective in detecting malicious activity, the locating of the second malicious activity detection system including comparing each of the predicted numerical rating values to a threshold rating value, the predicted numerical rating value indicating whether the malicious activity detection rule is predicted to be effective in the second malicious activity detection system exceeding the threshold rating value;
  
  initiating transmitting, by the predicted numerical rating value exceeding the threshold rating value, a message to the second malicious activity detection system recommending the malicious activity detection rule for use in the second malicious activity detection system to detect malicious activity,wherein each of the first malicious activity detection system and the other malicious activity detection systems is described by a respective one of a finite number of system descriptors,wherein the malicious activity detection rule is described by one of a finite number of rule descriptors, andwherein the performing of the numerical rating prediction operation includes;
  
  deriving, from the numerical rating value received from the first malicious activity detection system, (i) the respective system descriptor of each of the first malicious activity detection system and the other malicious activity detection systems and (ii) the rule descriptor of the malicious activity detection rule; and
  
  generating the predicted numerical rating values based on the derived system descriptors and the derived rule descriptor, the generated predicted numerical rating values including a generated predicted numerical rating value; and
  
  initiating detecting, by the generated predicted numerical rating value exceeding the threshold rating value, malicious activity by the second malicious activity detection system using the malicious activity detection rule.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. A computer program product as in claim 9, wherein receiving the indication of whether the malicious activity detection rule is effective from the first malicious activity detection system includes obtaining, from the first malicious activity detection system, a ratio of a number of false alerts to a number of total alerts generated by the first malicious activity detection system using the malicious activity detection rule.
  - 11. A computer program product as in claim 10, further comprising:
    - having initiated the transmitting of the message to the second malicious activity detection system, transmitting the message to the second malicious activity detection system including providing a number of actual alerts to the second malicious activity detection system, the number of actual alerts being a difference between the number of total alerts and the number of false alerts generated by the first malicious activity detection system using the malicious activity detection rule.
  - 12. A computer program product as in claim 9, wherein each of the finite number of system descriptors is a system feature vector having a specified number of components,wherein each of finite number of rule descriptors is a rule feature vector having the specified number of components, andwherein deriving includes:
    - forming a cost metric, the cost metric being a function of (i) each of the respective system feature vectors of each of the first malicious activity detection system and the other malicious activity detection systems, (ii) the rule feature vector of the malicious activity detection rule, and (iii) the received numerical rating value; and
      
      finding values of the components of each of the respective system feature vectors and the rule feature vector that minimizes the cost metric.
  - 13. A computer program product as in claim 12, wherein generating the predicted numerical rating values includes computing, as the predicted numerical rating value indicating whether the malicious activity detection rule is predicted to be effective in each of the other malicious activity detection systems, an inner product of the respective system feature vector of that other malicious activity detection system and the rule feature vector.
  - 14. A computer program product as in claim 9, further comprising:
    - receiving another malicious activity detection rule;
      
      deriving another rule descriptor of the other malicious activity detection rule; and
      
      generating other predicted numerical rating values indicating whether the other malicious activity detection rule is predicted to be effective in the other malicious activity detection systems based on the derived system descriptors and the derived other rule descriptor.

15. An electronic apparatus, comprising:
- a user interface;
  
  memory; and
  
  control circuitry coupled to the user interface and the memory, the memory storing instructions which, when carried out by the control circuitry, cause the control circuitry to;
  
  receive, from a first malicious activity detection system, an indication of whether a malicious activity detection rule is effective when used in the first malicious activity detection system to detect malicious activity, the received indication including a numerical rating value, a high numerical rating value indicating that the malicious activity detection rule is effective when used in the first malicious activity detection system to detect malicious activity;
  
  perform a numerical rating prediction operation to produce predicted numerical rating values indicating whether the malicious activity detection rule is predicted to be effective in other malicious activity detection systems that have not indicated using the malicious activity detection rule, the predicted numerical rating values including a predicted numerical rating value, the other malicious activity detection systems including a second malicious activity detection system;
  
  based on the indication, locate the second malicious activity detection system in which the malicious activity detection rule is predicted to be effective in detecting malicious activity, locating of the second malicious activity detection system including comparing each of the predicted numerical rating values to a threshold rating value, the predicted numerical rating value indicating whether the malicious activity detection rule is predicted to be effective in the second malicious activity detection system exceeding the threshold rating value;
  
  initiate transmission, by the predicted numerical rating value exceeding the threshold rating value, of a message to the second malicious activity detection system recommending the malicious activity detection rule for use in the second malicious activity detection system to detect malicious activity,wherein each of the first malicious activity detection system and the other malicious activity detection systems is described by a respective one of a finite number of system descriptors,wherein the malicious activity detection rule is described by one of a finite number of rule descriptors, andwherein the memory stores the instructions which, when carried out by the control circuitry, further cause the control circuitry to perform the numerical rating prediction operation, including to;
  
  derive, from the numerical rating value received from the first malicious activity detection system, (i) the respective system descriptor of each of the first malicious activity detection system and the other malicious activity detection systems and (ii) the rule descriptor of the malicious activity detection rule; and
  
  generate the predicted numerical rating values based on the derived system descriptors and the derived rule descriptor, the generated predicted numerical rating values including a generated predicted numerical rating value; and
  
  wherein the memory stores the instructions which, when carried out by the control circuitry, further cause the control circuitry to initiate detecting, by the generated predicted numerical rating value exceeding the threshold rating value, malicious activity by the second malicious activity detection system using the malicious activity detection rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Duchin, Zohar, Kaufman, Alon, Freylafert, Oleg, Asher, Lior, Zaslavsky, Alex
Primary Examiner(s)
Pham, Luu T
Assistant Examiner(s)
Wilcox, James J

Application Number

US14/870,218
Time in Patent Office

1,161 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1441 Countermeasures against mal...

Automatic selection of malicious activity detection rules using crowd-sourcing techniques

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

38 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic selection of malicious activity detection rules using crowd-sourcing techniques

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links