Method and system for detecting and remediating polymorphic attacks across an enterprise

US 10,193,906 B2
Filed: 12/09/2016
Issued: 01/29/2019
Est. Priority Date: 12/09/2015
Status: Active Grant

First Claim

Patent Images

1. A method for detecting potential malware comprising:

a)

1) obtaining an attack tree representative of an attack on a network, the attack tree formed of objects;

2) analyzing the objects to determine whether each of the objects is classified as known or unknown, in accordance with predetermined criteria; and

,3) representing the unknown objects in the attack tree as generalized objects, resulting in the creation of a generalized attack tree from the obtained attack tree;

b) breaking the first generalized attack tree into subtrees including generalized objects;

c) obtaining at least one subtree including generalized objects associated with a subsequent generalized attack tree including generalized objects;

d) comparing the subtrees from the first generalized attack tree to the at least one subtree associated with the subsequent generalized attack tree, based on the generalized objects;

e) creating an updated generalized attack tree from the subtrees from the first generalized attack tree and the at least one subtree associated with the subsequent generalized attack tree;

f) obtaining the subtrees associated with updated generalized attack tree;

g) comparing the subtrees associated with the updated generalized attack tree with the at least one subtree associated with the subsequent generalized attack tree, based on the generalized objects; and

,h) creating an updated generalized attack tree from the subtrees from the previously updated generalized attack tree and the at least one subtree associated with the subsequent generalized attack tree, to detect potential malware.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are methods and systems for detecting malware and potential malware based on using generalized attack trees (generalized attack tree graphs). The generalized attack trees are based on attack trees (attack tree graphs), whose objects, such as links and vertices, have been analyzed, and some of these objects have been generalized, resulting in the generalized attack tree of the invention.

Citations

10 Claims

1. A method for detecting potential malware comprising:
- a)
  
  1) obtaining an attack tree representative of an attack on a network, the attack tree formed of objects;
  
  2) analyzing the objects to determine whether each of the objects is classified as known or unknown, in accordance with predetermined criteria; and
  
  ,3) representing the unknown objects in the attack tree as generalized objects, resulting in the creation of a generalized attack tree from the obtained attack tree;
  
  b) breaking the first generalized attack tree into subtrees including generalized objects;
  
  c) obtaining at least one subtree including generalized objects associated with a subsequent generalized attack tree including generalized objects;
  
  d) comparing the subtrees from the first generalized attack tree to the at least one subtree associated with the subsequent generalized attack tree, based on the generalized objects;
  
  e) creating an updated generalized attack tree from the subtrees from the first generalized attack tree and the at least one subtree associated with the subsequent generalized attack tree;
  
  f) obtaining the subtrees associated with updated generalized attack tree;
  
  g) comparing the subtrees associated with the updated generalized attack tree with the at least one subtree associated with the subsequent generalized attack tree, based on the generalized objects; and
  
  ,h) creating an updated generalized attack tree from the subtrees from the previously updated generalized attack tree and the at least one subtree associated with the subsequent generalized attack tree, to detect potential malware.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the objects include links and vertices.
  - 3. The method of claim 2, wherein the links are determined to be known.
  - 4. The method of claim 2, wherein an object is determined as unknown when:
    - a) the object is unknown in accordance with predetermined criteria;
      
      or, b) the object is known and malicious in accordance with predetermined criteria.
  - 5. The method of claim 1, wherein the attack on the network occurs in at least one machine linked to the network.
  - 6. The method of claim 1, wherein the attack on the network occurs at an endpoint of the network.

7. A computer usable non-transitory storage medium having a computer program embodied thereon for causing a suitable programmed system to detect potential malware, by performing the following steps when such program is executed on the system, the steps comprising:
- a)
  
  1) obtaining an attack tree representative of an attack on a network, the attack tree formed of objects;
  
  2) analyzing the objects to determine whether each of the objects is classified as known or unknown, in accordance with predetermined criteria; and
  
  ,3) representing the unknown objects in the attack tree as generalized objects, resulting in the creation of a generalized attack tree from the obtained attack tree;
  
  b) breaking the first generalized attack tree into subtrees including generalized objects;
  
  c) obtaining at least one subtree including generalized objects associated with a subsequent generalized attack tree including generalized objects;
  
  d) comparing the subtrees from the first generalized attack tree to the at least one subtree associated with the subsequent generalized attack tree, based on the generalized objects;
  
  e) creating an updated generalized attack tree from the subtrees from the first generalized attack tree and the at least one subtree associated with the subsequent generalized attack tree;
  
  f) obtaining the subtrees associated with updated generalized attack tree;
  
  g) comparing the subtrees associated with the updated generalized attack tree with the at least one subtree associated with a subsequent generalized attack tree, based on the generalized objects; and
  
  ,h) creating an updated generalized attack tree from the subtrees from the previously updated generalized attack tree and the at least one subtree associated with the subsequent generalized attack tree, to detect potential malware.
- View Dependent Claims (8, 9, 10)
- - 8. The computer usable non-transitory storage medium of claim 7, wherein the objects include links and vertices.
  - 9. The computer usable non-transitory storage medium of claim 8, wherein the links are determined to be known.
  - 10. The computer usable non-transitory storage medium of claim 8, wherein an object is determined as unknown when:
    - a) the object is unknown in accordance with predetermined criteria;
      
      or, b) the object is known and malicious in accordance with predetermined criteria.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Check Point Software Technologies Limited
Original Assignee
Check Point Software Technologies Limited
Inventors
Leiderfarb, Tamara, Arzi, Lior, Pal, Anandabrata
Primary Examiner(s)
Shiferaw, Eleni A
Assistant Examiner(s)
Khan, Sher A

Application Number

US15/373,482
Publication Number

US 20170171230A1
Time in Patent Office

781 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Method and system for detecting and remediating polymorphic attacks across an enterprise

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting and remediating polymorphic attacks across an enterprise

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links