Multiplexed—proactive resiliency system

US 10,430,584 B2
Filed: 09/11/2017
Issued: 10/01/2019
Est. Priority Date: 09/11/2017
Status: Active Grant

First Claim

Patent Images

1. A method for machine-learned detection and removal of malicious software within a network, the method comprising:

recording, within a trace data repository, environment behavior of;

a network application; and

a plurality of network components that communicate with the application;

based on the recorded environment behavior, generating a baseline dataset within the trace data repository,scheduling a plurality of snapshots of the application, each of the snapshots occurring at a predetermined periodic interval;

capturing a first snapshot of the application and the plurality of components, the first snapshot corresponding to one of the plurality of scheduled snapshots;

storing the first snapshot in the trace data repository;

monitoring the application and the plurality of components, using the stored snapshots and the baseline dataset, for any deviation in the environment behavior;

detecting a first deviation in the environment behavior of the application or the plurality of components;

in response to detecting a first deviation, capturing a second snapshot of the application and the plurality of components, the second snapshot being inconsistent with the plurality of scheduled snapshots;

transmitting the second snapshot as an alert to one or more stakeholders associated with the application;

receiving a flag from the one or more stakeholders relating to the first deviation, the flag identifying the first deviation as intended or unwarranted;

detecting a second deviation included in the application or the plurality of components;

identifying a second deviation as intended or unwarranted based on the received flag;

upon determining that the second deviation is unwarranted, and, therefore, is directed to malicious software, reverting the application and the plurality of components back to a previous version of the application and the plurality of components, thereby removing the malicious software; and

upon determining that the second deviation is intended, storing the intended deviation in a log of verified intended deviations.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods for machine-learned detection and removal of malicious software within a network are provided. Methods may record environment behavior of an application and a plurality of components. The plurality of components may touch the application. Methods may generate a baseline dataset based on the recorded environment behavior. Methods may schedule snapshots of the application. Methods may take snapshots of the application and the components based on the scheduling. Methods may store the snapshots in a repository. Methods may monitor the application and the components, using the stored snapshots, for any deviation in the environment behavior. Methods may detect a deviation in the behavior of the application or components. Methods may take a snapshot, outside of the scheduling, of the application and components upon detection of the deviation. Methods may determine that the deviation is unwarranted. Methods may revert the application and components back to a previous version.

Citations

20 Claims

1. A method for machine-learned detection and removal of malicious software within a network, the method comprising:
- recording, within a trace data repository, environment behavior of;
  
  a network application; and
  
  a plurality of network components that communicate with the application;
  
  based on the recorded environment behavior, generating a baseline dataset within the trace data repository,scheduling a plurality of snapshots of the application, each of the snapshots occurring at a predetermined periodic interval;
  
  capturing a first snapshot of the application and the plurality of components, the first snapshot corresponding to one of the plurality of scheduled snapshots;
  
  storing the first snapshot in the trace data repository;
  
  monitoring the application and the plurality of components, using the stored snapshots and the baseline dataset, for any deviation in the environment behavior;
  
  detecting a first deviation in the environment behavior of the application or the plurality of components;
  
  in response to detecting a first deviation, capturing a second snapshot of the application and the plurality of components, the second snapshot being inconsistent with the plurality of scheduled snapshots;
  
  transmitting the second snapshot as an alert to one or more stakeholders associated with the application;
  
  receiving a flag from the one or more stakeholders relating to the first deviation, the flag identifying the first deviation as intended or unwarranted;
  
  detecting a second deviation included in the application or the plurality of components;
  
  identifying a second deviation as intended or unwarranted based on the received flag;
  
  upon determining that the second deviation is unwarranted, and, therefore, is directed to malicious software, reverting the application and the plurality of components back to a previous version of the application and the plurality of components, thereby removing the malicious software; and
  
  upon determining that the second deviation is intended, storing the intended deviation in a log of verified intended deviations.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the scheduling is based on a level of criticality associated with the application.
  - 3. The method of claim 1, wherein the previous version of the application and the plurality of components is the most recent snapshot, prior to the second deviation, of the application and the plurality of components.
  - 4. The method of claim 1, wherein the stored snapshots are used to identify issues and their causes, associated with the application and the plurality of components.
  - 5. The method of claim 1, wherein the stored snapshots are used to enhance the performance of a transmitted new application, such that an engine learns from the recorded environment behavior to simulate at least one new application and determine a suitable set of tools, components, code routines and/or environment for hosting the new application.
  - 6. The method of claim 1, wherein the stored snapshots are used to identify and determine a composite security breach exposure metric of an environment, said environment that includes the application and the plurality of components, said composite security breach exposure metric corresponding to the sum of a plurality of security breach exposure metrics, each security breach exposure metric corresponding to one of the plurality components.
  - 7. The method of claim 1, wherein the stored snapshots are used to appropriately allocate resources within the network.

8. An apparatus for machine-learned detection and removal of malicious software within a network, the apparatus comprising:
- a trace data repository, the trace data repository configured to;
  
  receive recorded environment behavior of;
  
  a network application; and
  
  a plurality of network components that communicate with the application;
  
  a processor configured to;
  
  generate a baseline dataset based on the recorded environment behavior; and
  
  store the baseline dataset in the trace data repository;
  
  a hardware-processor-scheduler configured to generate a schedule for capturing a plurality of substantially simultaneous snapshots of the application and the plurality of components at a plurality of predetermined periodic intervals;
  
  the processor further configured to;
  
  capture a plurality of simultaneous snapshots of the application and the plurality of components according to the schedule;
  
  store the plurality of captured snapshots in the trace data repository;
  
  monitor, using the stored snapshots and the baseline dataset, the application and the plurality of components, for any deviation in the environment behavior of the application or the plurality of components;
  
  detect a deviation in the environment behavior of the application or in at least one of the plurality of components;
  
  in response to detecting the deviation, capture a second simultaneous snapshot of the application and the plurality of components, the second simultaneous snapshot being inconsistent with the schedule;
  
  determine, based on previously recorded snapshots, whether the deviation is intended or unwarranted;
  
  upon determination that the deviation is unwarranted and, therefore, is caused by malicious software, revert the application and the plurality of components to a previous version of the application and the plurality of components, thereby removing the malicious software; and
  
  upon determination that the deviation is intended, storing the intended deviation in a log of verified intended deviations.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, wherein the scheduler generates the schedule based on a level of criticality associated with the application.
  - 10. The apparatus of claim 8, wherein the previous version of the application and the plurality of components is the most recent snapshot, prior to the deviation, of the application and the plurality of components.
  - 11. The apparatus of claim 8, wherein the stored snapshots are used to identify issues and their causes, associated with the application and the plurality of components.
  - 12. The apparatus of claim 8, wherein the stored snapshots are used to enhance the performance of a transmitted new application, such that an engine learns from the recorded environment behavior to simulate at least one new application and determine a suitable set of tools, components, code routines and/or environment for hosting the new application.
  - 13. The apparatus of claim 8, wherein the stored snapshots are used to identify and determine a composite security breach exposure metric of an environment, said environment that includes the application and the plurality of components, said composite security breach exposure metric corresponding to the sum of a plurality of composite security breach exposure metrics, each security breach exposure metric corresponding to one of the plurality of components.
  - 14. The apparatus of claim 8, wherein the stored snapshots are used to appropriately allocate resources within the network.

15. A method for machine-learned detection and removal of malicious software within a network, the method comprising:
- recording, within a trace data repository, environment behavior of;
  
  a network application; and
  
  a plurality of network components that communicate with the application;
  
  based on the recorded environment behavior, generating a baseline dataset within the trace data repository;
  
  scheduling a plurality of snapshots of the application, each of the snapshots occurring at a predetermined periodic interval;
  
  capturing a first snapshot of the application and the plurality of components, the first snapshot corresponding to one of the plurality of scheduled snapshots;
  
  storing the first snapshot and data associated with the first snapshot in the trace data repository, said data comprising;
  
  a trace identification sequence identifying the application;
  
  an infra reference identifier identifying an environment setup of the application at the time of the first snapshot;
  
  an application span reference identifier identifying the plurality of components that communicate with the application at the time of the first snapshot;
  
  a code reference identifying a static reference to a deployed piece of code, said deployed piece of code being the basis for functioning of the application;
  
  performing a simulated restoration of the application and the plurality of components back to the first snapshot;
  
  based on the simulated restoration, determining a confidence level for recovering the application and the plurality of components;
  
  storing, in a restoration reference repository;
  
  an iteration identifier identifying the first snapshot;
  
  a recoverability metric identifying the confidence level;
  
  a validated status identifying whether the recoverability metric has been validated;
  
  monitoring the application and the plurality of components, using the trace data repository, for any deviation in the environment behavior;
  
  detecting a deviation in the environment behavior of the application of the plurality of components;
  
  in response to detecting the deviation, receiving a flag relating to the deviation;
  
  based on the received flag, identifying the deviation as intended or unwarranted;
  
  determining that the deviation is unwarranted and, therefore, is directed to malicious software;
  
  upon determining that the deviation is unwarranted, reverting the application and the plurality of components back to a previous version of the application and the plurality of components, thereby removing the malicious software, said previous version being the most recent snapshot in which the recoverability metric is above a predetermined figure; and
  
  upon determining that the deviation is intended, storing the intended deviation in a log of verified intended deviations.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, wherein the scheduling is based on a level of criticality associated with the application.
  - 17. The method of claim 15, wherein the stored snapshots are used to identify issues and their causes, associated with the application and the plurality of components.
  - 18. The method of claim 15, wherein the stored snapshots are used to enhance the performance of a transmitted new application, such that an engine learns from the recorded environment behavior to simulate at least one new application and determine a suitable set of tools, components, code routines and/or environment for hosting the new application.
  - 19. The method of claim 15, wherein the stored snapshots are used to identify and determine a composite security breach exposure metric of an environment, said environment that includes the application and the plurality of components, said composite security breach exposure metric corresponding to the sum of a plurality of security breach exposure metrics, each security breach exposure metric corresponding to one of the plurality components.
  - 20. The method of claim 15, wherein the stored snapshots are used to appropriately allocate resources within the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Purushothaman, Sasidhar
Primary Examiner(s)
King, John B
Assistant Examiner(s)
Dhruv, Darshan I

Application Number

US15/700,388
Publication Number

US 20190080085A1
Time in Patent Office

750 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 2221/033   Test or assess software

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Multiplexed—proactive resiliency system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Multiplexed—proactive resiliency system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links