Method and system for detecting and remediating polymorphic attacks across an enterprise
First Claim
1. A method for detecting potential malware comprising:
   a)
      1) obtaining an attack tree representative of an attack on a network, the attack tree formed of objects;
      2) analyzing the objects to determine whether each of the objects is classified as known or unknown, in accordance with predetermined criteria; and
      3) representing the unknown objects in the attack tree as generalized objects, resulting in the creation of a generalized attack tree from the obtained attack tree;
   b) breaking the first generalized attack tree into subtrees including generalized objects;
   c) obtaining at least one subtree including generalized objects associated with a subsequent generalized attack tree including generalized objects;
   d) comparing the subtrees from the first generalized attack tree to the at least one subtree associated with the subsequent generalized attack tree, based on the generalized objects;
   e) creating an updated generalized attack tree from the subtrees from the first generalized attack tree and the at least one subtree associated with the subsequent generalized attack tree;
   f) obtaining the subtrees associated with the updated generalized attack tree;
   g) comparing the subtrees associated with the updated generalized attack tree with the at least one subtree associated with the subsequent generalized attack tree, based on the generalized objects; and
   h) creating an updated generalized attack tree from the subtrees from the previously updated generalized attack tree and the at least one subtree associated with the subsequent generalized attack tree, to detect potential malware.
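The steps of claim 1 (and the identical steps of claim 7), as an added worked example that is not the patent's own code: the "predetermined criteria" are an assumed allowlist, attack trees are dicts of parent-to-child links, and subtrees are compared by Jaccard overlap of their generalized links, a concrete choice the claim itself leaves open.

```python
# A tree maps each parent object (kind, name) to the set of its child objects (the links).
# Assumed "predetermined criteria" (not from the patent): an object is known only if allowlisted.
KNOWN = {("process", "winword.exe"), ("process", "powershell.exe")}

def generalize(tree):
    """Step a): unknown objects keep only their kind, e.g. ("file", "q7x.exe") -> ("file", "*")."""
    def g(v): return v if v in KNOWN else (v[0], "*")
    out = {}
    for parent, kids in tree.items():          # merge parents that collapse to the same object
        out.setdefault(g(parent), set()).update(g(c) for c in kids)
    return out

def subtrees(tree):
    """Step b)/f): one subtree per parent object = the set of links reachable from it."""
    result = set()
    for root in tree:
        reach, frontier = {root}, {root}
        while frontier:                          # frontier walk; generalizing can create cycles
            frontier = {c for v in frontier for c in tree.get(v, ())} - reach
            reach |= frontier
        result.add(frozenset((v, c) for v in reach for c in tree.get(v, ())))
    return result

def best_match(reference, candidate):
    """Step d)/g): best Jaccard overlap of generalized links between any two subtrees."""
    pairs = [(a, b) for a in subtrees(reference) for b in subtrees(candidate) if a | b]
    return max((len(a & b) / len(a | b) for a, b in pairs), default=0.0)

def merge(first, second):
    """Step e)/h): the updated generalized attack tree is the union of both trees' links."""
    return {p: first.get(p, set()) | second.get(p, set()) for p in first.keys() | second.keys()}

def learn(trees, threshold=0.5):
    """Steps c)-h): fold each subsequent tree in, flagging those that match the pattern so far."""
    updated, flags = generalize(trees[0]), []
    for t in trees[1:]:
        gt = generalize(t)
        flags.append(best_match(updated, gt) >= threshold)   # compare (d/g)
        updated = merge(updated, gt)                          # update (e/h)
    return updated, flags

# Constructed samples: two polymorphic variants of a macro-dropper chain, plus one benign tree.
TREE1 = {("process", "winword.exe"): {("process", "powershell.exe")},
         ("process", "powershell.exe"): {("file", "dropper.exe")},
         ("file", "dropper.exe"): {("process", "dropper.exe")}}
TREE2 = {("process", "winword.exe"): {("process", "powershell.exe")},
         ("process", "powershell.exe"): {("file", "q7x.exe"), ("network", "203.0.113.5:443")},
         ("file", "q7x.exe"): {("process", "q7x.exe")}}
BENIGN = {("process", "winword.exe"): {("file", "notes.docx")}}
```

Because both variants generalize to the same "powershell drops a file that is then executed" subtree, the second variant matches the first exactly even though every file name differs, while the benign document-save tree shares no generalized link with the learned pattern.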
Abstract
Disclosed are methods and systems for detecting malware and potential malware based on using generalized attack trees (generalized attack tree graphs). The generalized attack trees are based on attack trees (attack tree graphs), whose objects, such as links and vertices, have been analyzed, and some of these objects have been generalized, resulting in the generalized attack tree of the invention.
10 Claims
1. (Claim 1 as reproduced under First Claim above.) Dependent claims: 2, 3, 4, 5, 6.
7. A computer usable non-transitory storage medium having a computer program embodied thereon for causing a suitably programmed system to detect potential malware, by performing the following steps when such program is executed on the system, the steps comprising:
   a)
      1) obtaining an attack tree representative of an attack on a network, the attack tree formed of objects;
      2) analyzing the objects to determine whether each of the objects is classified as known or unknown, in accordance with predetermined criteria; and
      3) representing the unknown objects in the attack tree as generalized objects, resulting in the creation of a generalized attack tree from the obtained attack tree;
   b) breaking the first generalized attack tree into subtrees including generalized objects;
   c) obtaining at least one subtree including generalized objects associated with a subsequent generalized attack tree including generalized objects;
   d) comparing the subtrees from the first generalized attack tree to the at least one subtree associated with the subsequent generalized attack tree, based on the generalized objects;
   e) creating an updated generalized attack tree from the subtrees from the first generalized attack tree and the at least one subtree associated with the subsequent generalized attack tree;
   f) obtaining the subtrees associated with the updated generalized attack tree;
   g) comparing the subtrees associated with the updated generalized attack tree with the at least one subtree associated with a subsequent generalized attack tree, based on the generalized objects; and
   h) creating an updated generalized attack tree from the subtrees from the previously updated generalized attack tree and the at least one subtree associated with the subsequent generalized attack tree, to detect potential malware.
   Dependent claims: 8, 9, 10.