Systems and methods for detecting malicious computing events

US 10,320,818 B2
Filed: 02/14/2017
Issued: 06/11/2019
Est. Priority Date: 02/14/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting malicious computing events, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

determining, for each of a plurality of computing events detected within an enterprise, an initial disposition score that indicates a likelihood that the computing event is malicious based on currently-available security information;

determining an initial classification of each computing event as malicious or non-malicious by comparing the initial disposition score of each computing event with a threshold disposition score that represents a minimum disposition score indicative of malicious computing events;

determining, for each computing event after the initial disposition score for the computing event has been determined;

an updated disposition score based on new security information that was not available when the initial disposition score was determined; and

an updated classification by comparing the updated disposition score with the threshold disposition score;

calculating a degree to which the threshold disposition score correctly identifies malicious computing events by;

determining a false positive rate produced by the threshold disposition score based on a percentage of computing events that have an initial classification of malicious and an updated classification of non-malicious; and

determining a false negative rate produced by the threshold disposition score based on a percentage of computing events that have an initial classification of non-malicious and an updated classification of malicious; and

protecting the enterprise from security threats by;

receiving, from the enterprise, a desired ratio of false positives to false negatives detected within the enterprise;

determining, based on a retrospective analysis of the initial disposition scores and the updated disposition scores of the plurality of computing events, an optimal threshold disposition score that produces the desired ratio of false positives to false negatives; and

implementing the optimal threshold disposition score within the enterprise.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for detecting malicious computing events may include (i) determining, for multiple computing events detected within an enterprise, an initial disposition score for each computing event based on currently-available security information, (ii) determining an initial classification of each computing event as malicious or non-malicious by comparing the initial disposition score of each computing event with a threshold disposition score, (iii) for each computing event, determining (a) an updated disposition score based on new security information (b) an updated classification, (iv) calculating a degree to which the threshold disposition score correctly identifies malicious computing events by determining a frequency with which the initial classification of each computing event matches the updated classification of the computing event, and (v) adjusting the threshold disposition score based on the degree to which the threshold disposition score correctly identifies malicious computing events.

21 Citations

18 Claims

1. A computer-implemented method for detecting malicious computing events, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- determining, for each of a plurality of computing events detected within an enterprise, an initial disposition score that indicates a likelihood that the computing event is malicious based on currently-available security information;
  
  determining an initial classification of each computing event as malicious or non-malicious by comparing the initial disposition score of each computing event with a threshold disposition score that represents a minimum disposition score indicative of malicious computing events;
  
  determining, for each computing event after the initial disposition score for the computing event has been determined;
  
  an updated disposition score based on new security information that was not available when the initial disposition score was determined; and
  
  an updated classification by comparing the updated disposition score with the threshold disposition score;
  
  calculating a degree to which the threshold disposition score correctly identifies malicious computing events by;
  
  determining a false positive rate produced by the threshold disposition score based on a percentage of computing events that have an initial classification of malicious and an updated classification of non-malicious; and
  
  determining a false negative rate produced by the threshold disposition score based on a percentage of computing events that have an initial classification of non-malicious and an updated classification of malicious; and
  
  protecting the enterprise from security threats by;
  
  receiving, from the enterprise, a desired ratio of false positives to false negatives detected within the enterprise;
  
  determining, based on a retrospective analysis of the initial disposition scores and the updated disposition scores of the plurality of computing events, an optimal threshold disposition score that produces the desired ratio of false positives to false negatives; and
  
  implementing the optimal threshold disposition score within the enterprise.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 17, 18)
- - 2. The method of claim 1, wherein the plurality of computing events comprises at least one of:
    - an attempt to download a file onto an endpoint device within the enterprise;
      
      an attempt to distribute sensitive information from within the enterprise to an external entity; and
      
      an attempt by the external entity to access the sensitive information within the enterprise.
  - 3. The method of claim 1, further comprising receiving, at a backend security server, the plurality of computing events from a security agent installed on at least one endpoint device within the enterprise.
  - 4. The method of claim 3, wherein:
    - receiving at least one computing event detected on the endpoint device further comprises receiving at least a portion of a configuration of the endpoint device at a point in time at which the computing event was detected; and
      
      determining the updated disposition score of the computing event comprises re-analyzing the configuration of the endpoint device using the new security information.
  - 5. The method of claim 1, wherein the desired ratio of false positives to false negatives corresponds to a desired strictness of security services implemented within the enterprise.
  - 6. The method of claim 1, further comprising:
    - identifying computing events whose initial disposition scores were false positives; and
      
      adding the identified computing events to a whitelist within the enterprise such that similar computing events are classified as non-malicious.
  - 7. The method of claim 6, further comprising decreasing the threshold disposition score after adding the identified computing events to the whitelist.
  - 17. The method of claim 1, wherein determining the optimal threshold disposition score comprises:
    - for each of the plurality of computing events, computing a theoretical initial classification based on one or more test threshold disposition scores and a theoretical updated classification based on the one or more test threshold disposition scores;
      
      determining a rate of false positives produced by the one or more test threshold disposition scores and a rate of false negatives produced by the one or more test threshold disposition scores; and
      
      selecting the optimal threshold disposition score within the one or more test threshold disposition scores.
  - 18. The method of claim 5, wherein a high desired ratio of false positives to false negatives corresponds to a strict security service that favors detecting malicious computing events over inconveniencing users due to false positives.

8. A system for detecting malicious computing events, the system comprising:
- a physical processor;
  
  a scoring module, executed by the physical processor, that determines, for each of a plurality of computing events detected within an enterprise;
  
  an initial disposition score that indicates a likelihood that the computing event is malicious based on currently-available security information; and
  
  an updated disposition score based on new security information that was not available when the initial disposition score was determined;
  
  a classification module, executed by the physical processor, that determines, for each computing event;
  
  an initial classification as malicious or non-malicious by comparing the initial disposition score of the computing event with a threshold disposition score that represents a minimum disposition score indicative of malicious computing events; and
  
  an updated classification by comparing the updated disposition score of the computing event with the threshold disposition score;
  
  a calculation module, executed by the physical processor, that calculates a degree to which the threshold disposition score correctly identifies malicious computing events by;
  
  determining a false positive rate produced by the threshold disposition score based on a percentage of computing events that have an initial classification of malicious and an updated classification of non-malicious; and
  
  determining a false negative rate produced by the threshold disposition score based on a percentage of computing events that have an initial classification of non-malicious and an updated classification of malicious; and
  
  a security module, executed by the physical processor, that protects the enterprise from security threats by;
  
  receiving, from the enterprise, a desired ratio of false positives to false negatives detected within the enterprise;
  
  determining, based on a retrospective analysis of the initial disposition scores and the updated disposition scores of the plurality of computing events, an optimal threshold disposition score that produces the desired ratio of false positives to false negatives; and
  
  implementing the optimal threshold disposition score within the enterprise.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the plurality of computing events comprises at least one of:
    - an attempt to download a file onto an endpoint device within the enterprise;
      
      an attempt to distribute sensitive information from within the enterprise to an external entity; and
      
      an attempt by the external entity to access the sensitive information within the enterprise.
  - 10. The system of claim 8, wherein the scoring module, implemented within a backend security server, further receives the plurality of computing events from a security agent installed on at least one endpoint device within the enterprise.
  - 11. The system of claim 10, wherein:
    - the scoring module further receives at least a portion of a configuration of the endpoint device at a point in time at which at least one computing event was detected; and
      
      the scoring module determines the updated disposition score of the computing event by re-analyzing the configuration of the endpoint device using the new security information.
  - 12. The system of claim 10, wherein the desired ratio of false positives to false negatives corresponds to a desired strictness of security services implemented within the enterprise.
  - 13. The system of claim 10, wherein the security module further:
    - identifies computing events whose initial disposition scores were false positives; and
      
      adds the identified computing events to a whitelist within the enterprise such that similar computing events are classified as non-malicious.
  - 14. The system of claim 13, wherein the security module further decreases the threshold disposition score after adding the identified computing events to the whitelist.

15. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- determine, for each of a plurality of computing events detected within an enterprise, an initial disposition score that indicates a likelihood that the computing event is malicious based on currently-available security information;
  
  determine an initial classification of each computing event as malicious or non-malicious by comparing the initial disposition score of each computing event with a threshold disposition score that represents a minimum disposition score indicative of malicious computing events;
  
  determine, for each computing event after the initial disposition score for the computing event has been determined;
  
  an updated disposition score based on new security information that was not available when the initial disposition score was determined; and
  
  an updated classification by comparing the updated disposition score with the threshold disposition score;
  
  calculate a degree to which the threshold disposition score correctly identifies malicious computing events by;
  
  determining a false positive rate produced by the threshold disposition score based on a percentage of computing events that have an initial classification of malicious and an updated classification of non-malicious; and
  
  determining a false negative rate produced by the threshold disposition score based on a percentage of computing events that have an initial classification of non-malicious and an updated classification of malicious; and
  
  protect the enterprise from security threats by;
  
  receiving, from the enterprise, a desired ratio of false positives to false negatives detected within the enterprise;
  
  determining, based on a retrospective analysis of the initial disposition scores and the updated disposition scores of the plurality of computing events, an optimal threshold disposition score that produces the desired ratio of false positives to false negatives; and
  
  implementing the optimal threshold disposition score within the enterprise.
- View Dependent Claims (16)
- - 16. The computer-readable medium of claim 15, wherein the plurality of computing events comprises at least one of:
    - an attempt to download a file onto an endpoint device within the enterprise;
      
      an attempt to distribute sensitive information from within the enterprise to an external entity; and
      
      an attempt by the external entity to access the sensitive information within the enterprise.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Viljoen, Pieter
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Salman, Raied A

Application Number

US15/431,795
Publication Number

US 20180234434A1
Time in Patent Office

847 Days
Field of Search

726 23, 726 24, 726 25, 709232
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Systems and methods for detecting malicious computing events

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for detecting malicious computing events

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links