In-app behavior-based attack dectection

US 10,182,063 B2
Filed: 03/02/2016
Issued: 01/15/2019
Est. Priority Date: 03/02/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

capturing events within an application running on a hardware computing device, wherein one or more of the events have corresponding inputs received from one or more sources external to the application;

generating, with a behavior detection agent, an event stream from the captured events where each captured event has a corresponding feature vector, wherein the feature vectors are based on binary feature vectors of training data;

analyzing, with the behavior detection agent, the feature vectors of the event stream for feature frequencies and associations corresponding to one or more previously generated attack profiles;

generating, from the analysis of the feature vectors of the event stream, at least one sub-optimal function having feature detection rules ranked according to satisfiability rates; and

initiating, with the behavior detection agent, an attack response in response to finding one or more significant feature frequencies and associations based on the at least one sub-optimal function, wherein the attack response comprises at least changing an operational configuration of the application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Architectures and techniques for in-app behavior detection. A behavior detection agent within an application running on a hardware computing device captures events within the application. The events are inputs received from one or more sources external to the application. The behavior detection agent generates an event stream from the captured events. The behavior detection agent analyzes the event stream for significant feature frequencies and associations corresponding to one or more attack profiles. The behavior detection agent initiates an attack response in response to finding one or more significant feature frequencies and associations. The attack response comprises at least changing an operational configuration of the application.

Citations

24 Claims

1. A method comprising:
- capturing events within an application running on a hardware computing device, wherein one or more of the events have corresponding inputs received from one or more sources external to the application;
  
  generating, with a behavior detection agent, an event stream from the captured events where each captured event has a corresponding feature vector, wherein the feature vectors are based on binary feature vectors of training data;
  
  analyzing, with the behavior detection agent, the feature vectors of the event stream for feature frequencies and associations corresponding to one or more previously generated attack profiles;
  
  generating, from the analysis of the feature vectors of the event stream, at least one sub-optimal function having feature detection rules ranked according to satisfiability rates; and
  
  initiating, with the behavior detection agent, an attack response in response to finding one or more significant feature frequencies and associations based on the at least one sub-optimal function, wherein the attack response comprises at least changing an operational configuration of the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein the application functions to provide access to a database environment.
  - 3. The method of claim 2 wherein the database environment comprises a multitenant database environment.
  - 4. The method of claim 1 wherein capturing the events within the application comprises, for one or more capture points within execution of the application, capturing input conditions provided from sources external to the application.
  - 5. The method of claim 1 wherein the significant feature frequencies and associations is described by a Boolean function based on known positive and negative instances of selected conditions.
  - 6. The method of claim 5 wherein the Boolean function is generated by:
    - analyzing prior results to determine, for each of the significant features, determining an intersection of know positives and detected positives, and an intersection of detected positives and known negatives; and
      
      producing a sub-optimal Boolean function in which detection rules are ranked by satisfiability rates.
  - 7. The method of claim 6 wherein at least a portion of the prior results are acquired from one or more log files.
  - 8. The method of claim 1 wherein the significant feature frequencies and associations comprises at least a timing between a first event and a second event.

9. A non-transitory computer-readable medium having stored thereon instructions that, when executed by one or more processors, are configurable to cause the one or more processors to:
- capture events within an application running on a hardware computing device, wherein one or more of the events have corresponding inputs received from one or more sources external to the application;
  
  generate, with a behavior detection agent, an event stream from the captured events where each captured event has a corresponding feature vector, wherein the feature vectors are based on binary feature vectors of training data;
  
  analyze, with the behavior detection agent, the feature vectors of the event stream for feature frequencies and associations corresponding to one or more previously generated attack profiles;
  
  generate, from the analysis of the feature vectors of the event stream, at least one sub-optimal function having feature detection rules ranked according to satisfiability rates; and
  
  initiate, with the behavior detection agent, an attack response in response to finding one or more significant feature frequencies and associations based on the at least one sub-optimal function, wherein the attack response comprises at least changing an operational configuration of the application.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The non-transitory computer-readable medium of claim 9 wherein the application functions to provide access to a database environment.
  - 11. The non-transitory computer-readable medium of claim 10 wherein the database environment comprises a multitenant database environment.
  - 12. The non-transitory computer-readable medium of claim 9 wherein capturing the events within the application comprises, for one or more capture points within execution of the application, capturing input conditions provided from sources external to the application.
  - 13. The non-transitory computer-readable medium of claim 9 wherein the significant feature frequencies and associations is described by a Boolean function based on known positive and negative instances of selected conditions.
  - 14. The non-transitory computer-readable medium of claim 13 wherein the Boolean function is generated by:
    - analyzing prior results to determine, for each of the significant features, determining an intersection of know positives and detected positives, and an intersection of detected positives and known negatives; and
      
      producing a sub-optimal Boolean function in which detection rules are ranked by satisfiability rates.
  - 15. The non-transitory computer-readable medium of claim 14 wherein at least a portion of the prior results are acquired from one or more log files.
  - 16. The non-transitory computer-readable medium of claim 9 wherein the significant feature frequencies and associations comprises at least a timing between a first event and a second event.

17. A system comprising one or more processors interconnected with one or more memory devices, wherein the one or more processors are configurable to:
- capture events within an application running on a hardware computing device, wherein one or more of the events have corresponding inputs received from one or more sources external to the application;
  
  generate, with a behavior detection agent, an event stream from the captured events where each captured event has a corresponding feature vector, wherein the feature vectors are based on binary feature vectors of training data;
  
  analyze, with the behavior detection agent, the feature vectors of the event stream for feature frequencies and associations corresponding to one or more previously generated attack profiles;
  
  generate, from the analysis of the feature vectors of the event stream, at least one sub-optimal function having feature detection rules ranked according to satisfiability rates; and
  
  initiate, with the behavior detection agent, an attack response in response to finding one or more significant feature frequencies and associations based on the at least one sub-optimal function, wherein the attack response comprises at least changing an operational configuration of the application.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The system of claim 17 wherein the application functions to provide access to a database environment.
  - 19. The system of claim 18 wherein the database environment comprises a multitenant database environment.
  - 20. The system of claim 17 wherein capturing the events within the application comprises, for one or more capture points within execution of the application, capturing input conditions provided from sources external to the application.
  - 21. The system of claim 17 wherein the significant feature frequencies and associations is described by a Boolean function based on known positive and negative instances of selected conditions.
  - 22. The system of claim 21 wherein the Boolean function is generated by:
    - analyzing prior results to determine, for each of the significant features, determining an intersection of know positives and detected positives, and an intersection of detected positives and known negatives; and
      
      producing a sub-optimal Boolean function in which detection rules are ranked by satisfiability rates.
  - 23. The system of claim 22 wherein at least a portion of the prior results are acquired from one or more log files.
  - 24. The system of claim 17 wherein the significant feature frequencies and associations comprises at least a timing between a first event and a second event.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Nadeau, Philip Raymond, Aulakh, Tejinder Singh, Yan, Ping, Hang, Huy Nhut
Primary Examiner(s)
Lagor, Alexander

Application Number

US15/058,954
Publication Number

US 20170257384A1
Time in Patent Office

1,049 Days
Field of Search

726 22- 23
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06N 20/00   Machine learning

G06N 5/01   Dynamic search techniques; ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

In-app behavior-based attack dectection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

In-app behavior-based attack dectection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links