System and method for determining summary events of an attack
1 Assignment
0 Petitions
Abstract
Computerized methods and systems determine summary events from an attack on an endpoint. The detection and determination of these summary events is performed by a machine, e.g., a computer, node of a network, system or the like.
15 Claims
1. A method of using a particular computer to isolate certain events indicative of an attack on a computerized end point, comprising:

using the particular computer to generate an attack tree corresponding to an attack on a computerized end point, the attack tree comprising events based on processes performed by the computerized end point associated with the attack;

using the particular computer to analyze the events of the attack tree by:

a) isolating primary events, from the events of the attack tree, associated with the attack on the computerized end point, including events of the attack tree: 1) where at least one of data, applications, and credentials, associated with the computerized end point, are at least one of maliciously manipulated, altered or compromised; or, 2) indicative of abnormal process behavior or known behaviors common to malicious activity;

b) wherein each isolated primary event is unique from every other isolated primary event;

c) isolating secondary events, from the remaining events of the attack tree, associated with the attack on the computerized end point, including at least one of: network events, file create/delete/modify/rename/copy events, registry modification events, predefined events associated with potential malicious behaviors of interest, and, hook and code injections; and

d) wherein each isolated secondary event is unique from every other isolated primary event and every other isolated secondary event; and

using the particular computer to provide a description of the attack on the computerized end point by selectively using the unique isolated primary and unique isolated secondary events.

Dependent claims: 2, 3, 4, 5
6. A computer usable non-transitory storage medium having a computer program embodied thereon for causing a suitably programmed system to isolate certain events indicative of an attack on a computerized end point, by performing the following steps when such program is executed on the system, the steps comprising:

obtaining an attack tree corresponding to an attack on a computerized end point, the attack tree comprising events based on processes performed by the computerized end point associated with the attack;

analyzing the events of the attack tree by:

a) isolating primary events, from the events of the attack tree, associated with the attack on the computerized end point, including events of the attack tree: 1) where at least one of data, applications, and credentials, associated with the computerized end point, are at least one of maliciously manipulated, altered or compromised; or, 2) indicative of abnormal process behavior or known behaviors common to malicious activity;

b) wherein each isolated primary event is unique from every other isolated primary event;

c) isolating secondary events, from the remaining events of the attack tree, associated with the attack on the computerized end point, including at least one of: network events, file create/delete/modify/rename/copy events, registry modification events, predefined events associated with potential malicious behaviors of interest, and, hook and code injections; and

d) wherein each isolated secondary event is unique from every other isolated primary event and every other isolated secondary event; and

providing a description of the attack on the computerized end point by selectively using the unique isolated primary and unique isolated secondary events.

Dependent claims: 7, 8, 9, 10
11. A computer system for isolating certain events indicative of an attack on a computerized end point, comprising:

a non-transitory storage medium for storing computer components; and

a computerized processor for executing the computer components comprising:

a module for obtaining an attack tree corresponding to an attack on a computerized end point, the attack tree comprising events based on processes performed by the computerized end point associated with the attack;

a module for analyzing the events of the attack tree by:

a) isolating primary events, from the events of the attack tree, associated with the attack on the computerized end point, including events of the attack tree: 1) where at least one of data, applications, and credentials, associated with the computerized end point, are at least one of maliciously manipulated, altered or compromised; or, 2) indicative of abnormal process behavior or known behaviors common to malicious activity;

b) wherein each isolated primary event is unique from every other isolated primary event;

c) isolating secondary events, from the remaining events of the attack tree, associated with the attack on the computerized end point, including at least one of: network events, file create/delete/modify/rename/copy events, registry modification events, predefined events associated with potential malicious behaviors of interest, and, hook and code injections; and

d) wherein each isolated secondary event is unique from every other isolated primary event and every other isolated secondary event; and

a module for providing a description of the attack on the computerized end point by selectively using the unique isolated primary and unique isolated secondary events.

Dependent claims: 12, 13, 14, 15
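Claims 1, 6 and 11 recite the same procedure in three statutory forms: walk an attack tree of process events, pull out primary events (data, application or credential compromise, abnormal or known-malicious behaviour), deduplicate them, then pull secondary events (network, file, registry, hook and injection events) only from what remains, deduplicated against every event already isolated, and build the attack description from the result. The following is an added worked example of that procedure written for this page; it is not the patentee's code. The Event schema, the tree layout, the event-identity key used for the "unique from every other" requirements, the rule sets KNOWN_MALICIOUS and COMPROMISE_TARGETS, and the sample attack tree are all assumptions constructed for the illustration.

```python
"""Isolate unique primary and secondary events from an attack tree.

Added example for the claims above, not the patentee's code. The Event
schema, the identity key, the rule sets and the sample tree are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterator

# Secondary-event kinds listed in step c) of the claims.
SECONDARY_TYPES = {
    "network", "file_create", "file_delete", "file_modify", "file_rename",
    "file_copy", "registry_modify", "hook", "code_injection",
}
# Constructed stand-ins (assumptions) for "known behaviors common to malicious
# activity" and for the objects that step a)1) says may be compromised.
KNOWN_MALICIOUS = {"lsass_read", "shadow_copy_delete", "ransom_encrypt"}
COMPROMISE_TARGETS = {"credentials", "data", "applications"}


@dataclass(frozen=True)
class Event:
    etype: str              # kind of event, e.g. "network" or "lsass_read"
    target: str             # object acted on: path, host:port, key, process
    process: str            # process in the attack tree that performed it
    abnormal: bool = False  # flagged as abnormal process behaviour, step a)2)
    compromises: str = ""   # "credentials" | "data" | "applications" | ""

    def key(self) -> tuple[str, str, str]:
        # Assumed identity for the "unique from every other" requirement:
        # same kind, same target, same process means the same event.
        return (self.etype, self.target, self.process)


@dataclass
class ProcessNode:
    name: str
    events: list[Event] = field(default_factory=list)
    children: list[ProcessNode] = field(default_factory=list)


def walk(root: ProcessNode) -> Iterator[Event]:
    """Depth-first, parent-before-child traversal of the attack tree."""
    yield from root.events
    for child in root.children:
        yield from walk(child)


def is_primary(ev: Event) -> bool:
    """Step a): compromise of data/applications/credentials, or abnormal or
    known-malicious process behaviour."""
    return (ev.compromises in COMPROMISE_TARGETS or ev.abnormal
            or ev.etype in KNOWN_MALICIOUS)


def summarize(root: ProcessNode) -> dict[str, list[Event]]:
    """Unique primary events first, then unique secondary events drawn only
    from the events left over after the primary pass (steps a) to d))."""
    seen: set[tuple[str, str, str]] = set()
    primary: list[Event] = []
    remaining: list[Event] = []
    for ev in walk(root):
        if not is_primary(ev):
            remaining.append(ev)          # only these feed step c)
        elif ev.key() not in seen:        # step b): unique among primaries
            seen.add(ev.key())
            primary.append(ev)
    secondary: list[Event] = []
    for ev in remaining:
        # step d): unique against every primary and every other secondary
        if ev.etype in SECONDARY_TYPES and ev.key() not in seen:
            seen.add(ev.key())
            secondary.append(ev)
    return {"primary": primary, "secondary": secondary}


def describe(summary: dict[str, list[Event]]) -> str:
    """Attack description built from the isolated events, primaries first."""
    lines = [f"PRIMARY   {e.process}: {e.etype} -> {e.target}" for e in summary["primary"]]
    lines += [f"SECONDARY {e.process}: {e.etype} -> {e.target}" for e in summary["secondary"]]
    return "\n".join(lines)


def sample_tree() -> ProcessNode:
    """Constructed attack tree (sample data, not taken from the patent)."""
    word = ProcessNode("winword.exe", [
        Event("file_create", r"C:\Users\u\AppData\Local\Temp\a.js", "winword.exe")])
    wscript = ProcessNode("wscript.exe", [
        Event("network", "203.0.113.5:443", "wscript.exe"),
        Event("network", "203.0.113.5:443", "wscript.exe"),   # repeated beacon
        Event("file_create", r"C:\ProgramData\svc.exe", "wscript.exe"),
    ])
    svc = ProcessNode("svc.exe", [
        Event("registry_modify", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc", "svc.exe"),
        Event("lsass_read", "lsass.exe", "svc.exe", compromises="credentials"),
        Event("lsass_read", "lsass.exe", "svc.exe", compromises="credentials"),  # repeated dump
        Event("code_injection", "explorer.exe", "svc.exe", abnormal=True),
        Event("file_modify", r"C:\Users\u\Documents\q1.xlsx", "svc.exe", compromises="data"),
    ])
    word.children.append(wscript)
    wscript.children.append(svc)
    return word


if __name__ == "__main__":
    print(describe(summarize(sample_tree())))
```

Two points in the claims drive the structure. The primary pass runs over the whole tree before any secondary event is considered, so step c) really does operate on the "remaining" events: the abnormal code injection in the sample is a primary event and is never counted again as a secondary one, even though code injection appears in the secondary list. A single `seen` set implements both uniqueness requirements, so the repeated beacon and the repeated LSASS read each survive once. What makes two events "the same" is not defined by the claims; the `key()` used here is one reasonable choice, and a real implementation would have to decide whether, for example, the same remote host reached from two processes is one network event or two.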