Method for semi-supervised learning approach to add context to malicious events

US 10,148,674 B2
Filed: 12/11/2015
Issued: 12/04/2018
Est. Priority Date: 12/11/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a sequence analyzer, a sequence of events from an information handling system;

detecting a first event within the sequence of events;

determining a first state of a Markov model associated with the first event;

detecting a second event within the sequence of events;

determining a second state of the Markov model associated with the second event;

detecting a state transition from the first state to the second state in the Markov model;

determining a partial match of the sequence of events to a kill sequence of events in response to the state transition from the first state to the second state in the Markov model;

determining a probability of a traversal within the sequence of events to a missing event of the kill sequence of events;

providing the sequence of events to a further enrichment stage in response to the probability of the traversal being a high probability;

logging all events that occurred in the information handling system in between the first event and the second event;

identifying the first sequence of events as a possible kill sequence in response to determining the partial match; and

providing the sequence of events to the further enrichment stage, wherein the logged events that occurred between the first and second events are researched by a human analyst during the further enrichment stage.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An information handling system includes an input and a processor. The processor receives a sequence of events, detects a first event within the sequence of events, determines a first state of a Markov model associated with the first event, detects a second event within the sequence of events, determines a second state of the Markov model associated with the second event, detects a state transition from the first state to the second state in the Markov model, determines a partial match of the sequence of events to a kill sequence of events in response to the state transition from the first state to the second state in the Markov model, and logs all events that occurred in the information handling system in between the first event and the second event.

Citations

17 Claims

1. A method comprising:
- receiving, at a sequence analyzer, a sequence of events from an information handling system;
  
  detecting a first event within the sequence of events;
  
  determining a first state of a Markov model associated with the first event;
  
  detecting a second event within the sequence of events;
  
  determining a second state of the Markov model associated with the second event;
  
  detecting a state transition from the first state to the second state in the Markov model;
  
  determining a partial match of the sequence of events to a kill sequence of events in response to the state transition from the first state to the second state in the Markov model;
  
  determining a probability of a traversal within the sequence of events to a missing event of the kill sequence of events;
  
  providing the sequence of events to a further enrichment stage in response to the probability of the traversal being a high probability;
  
  logging all events that occurred in the information handling system in between the first event and the second event;
  
  identifying the first sequence of events as a possible kill sequence in response to determining the partial match; and
  
  providing the sequence of events to the further enrichment stage, wherein the logged events that occurred between the first and second events are researched by a human analyst during the further enrichment stage.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - receiving an indication that a third event within the logged events is identified as a new malicious event; and
      
      updating a reference event type to include a signature of the new malicious event.
  - 3. The method of claim 2, wherein the reference event type is a group of events previously identified as malicious events.
  - 4. The method of claim 1, further comprising:
    - determining that the second event occurred within a heuristic interval of the first event prior to determining the partial match.
  - 5. The method of claim 1, wherein the reference event type is classified by an existing system.
  - 6. The method of claim 1, wherein the sequence of events is received during an inline process.

7. An information handling system comprising:
- an input to receive events from another information handling system within a network; and
  
  a hardware processor to;
  
  receive a sequence of events;
  
  detect a first event within the sequence of events;
  
  determine a first state of a Markov model associated with the first event;
  
  detect a second event within the sequence of events;
  
  determine a second state of the Markov model associated with the second event;
  
  detect a state transition from the first state to the second state in the Markov model;
  
  determine a partial match of the sequence of events to a kill sequence of events in response to the state transition from the first state to the second state in the Markov model;
  
  determine a probability of a traversal within the sequence of events to a missing event of the kill sequence of events;
  
  provide the sequence of events to a further enrichment stage in response to the probability of the traversal being high;
  
  log all events that occurred in the information handling system in between the first event and the second event;
  
  identify the first sequence of events as a possible kill sequence in response to determining the partial match; and
  
  provide the sequence of events to the further enrichment stage, wherein the logged events that occurred between the first and second events are researched by a human analyst during the further enrichment stage.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The information handling system of claim 7, the hardware processor further to receive an indication that a third event within the logged events is identified as a new malicious event, and to update a reference event type to include a signature of the new malicious event.
  - 9. The information handling system of claim 8, wherein the reference event type is a group of events previously identified as malicious events.
  - 10. The information handling system of claim 7, the hardware processor further to determine that the second event occurred within a heuristic interval of the first event prior to determining the partial match.
  - 11. The information handling system of claim 7, wherein the sequence of events is received during an inline process.

12. A method comprising:
- creating, at a sequence analyzer, a Markov model based on a first sequence of events received during a learning process; and
  
  performing an inline process, during the inline process;
  
  receiving, at a sequence analyzer, a first event;
  
  determining a first state of the Markov model associated with the first event;
  
  receiving a second event;
  
  determining a second state of the Markov model associated with the second event;
  
  detecting a state transition in from the first state to the second state in the Markov model;
  
  determining whether a kill sequence can be identified in response to the second state and the state transition;
  
  determining a probability of a traversal within the sequence of events to a missing event of the kill sequence of events;
  
  providing the sequence of events to a further enrichment stage in response to the probability of the traversal being a high probability;
  
  in response to the kill sequence being identified, logging the first event, the second event, and the state transition;
  
  logging the first and second events in response to the kill sequence being partially identified; and
  
  providing log information pertaining to an entity between a heuristic of a missing partial sequence a memory for review by a human analyst.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method of claim 12, further comprising:
    - enriching the first event in response to the first state being associated with the first state of the Markov model.
  - 14. The method of claim 13, wherein enriching the first event comprises:
    - determining information about the first event with respect to a kill sequence.
  - 15. The method of claim 12, wherein the kill sequence is positively identified in response to the first event being a reference event, and the second event being an event that occurs after the reference event in a sequence of events.
  - 16. The method of claim 12, wherein the reference event is a known malicious event of a kill sequence.
  - 17. The method of claim 12, wherein the kill sequence is partial identified in response to the first event being an event that occurs before a reference event in a sequence of events, and the second event being an event that occurs after the reference event.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecureWorks Corp. (Dell Technologies Inc.)
Original Assignee
Dell Products LP (Dell Technologies Inc.)
Inventors
McLean, Lewis I.
Primary Examiner(s)
Lagor, Alexander
Assistant Examiner(s)
Ahsan, Syed M

Application Number

US14/966,595
Publication Number

US 20170171228A1
Time in Patent Office

1,089 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

Method for semi-supervised learning approach to add context to malicious events

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method for semi-supervised learning approach to add context to malicious events

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links