Identifying malware-suspect end points through entropy changes in consolidated logs

US 10,440,037 B2
Filed: 03/31/2017
Issued: 10/08/2019
Est. Priority Date: 03/31/2017
Status: Active Grant

First Claim

Patent Images

1. A method to detect a malware attack, the method comprising:

monitoring an event log of a first device, the event log to identify events associated with the first device;

determining, by executing an instruction with at least one hardware processor, an expected rate of log entries during a time window;

identifying, by executing an instruction with the at least one hardware processor, that an actual rate of log entries during the time window satisfies a threshold;

in response to the identifying that the actual rate of log entries during the time window satisfies the threshold, (i) calculating, by executing an instruction with the at least one hardware processor, a confidence value associated with the first device being compromised, the confidence value calculated based on the expected rate of log entries, the actual rate of log entries, and a standard deviation of the actual rate of log entries, and (ii) determining, by executing an instruction with the at least one hardware processor, whether the first device is compromised based on the confidence value; and

performing an action in response to determining that the first device is compromised.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Detecting a malware attack includes monitoring an event log of a first device, wherein the event log identifies events indicating that the first device is likely compromised, determining an expected rate of log entries during a time window, identifying that an actual rate of log entries during the time window satisfies a threshold, determining, in response to the identifying, that the first device is a compromised device, and performing an action in response to determining that the first device is a compromised device.

45 Citations

View as Search Results

22 Claims

1. A method to detect a malware attack, the method comprising:
- monitoring an event log of a first device, the event log to identify events associated with the first device;
  
  determining, by executing an instruction with at least one hardware processor, an expected rate of log entries during a time window;
  
  identifying, by executing an instruction with the at least one hardware processor, that an actual rate of log entries during the time window satisfies a threshold;
  
  in response to the identifying that the actual rate of log entries during the time window satisfies the threshold, (i) calculating, by executing an instruction with the at least one hardware processor, a confidence value associated with the first device being compromised, the confidence value calculated based on the expected rate of log entries, the actual rate of log entries, and a standard deviation of the actual rate of log entries, and (ii) determining, by executing an instruction with the at least one hardware processor, whether the first device is compromised based on the confidence value; and
  
  performing an action in response to determining that the first device is compromised.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the determining of the expected rate of log entries during the time window includes:
    - analyzing the event log to determine a ratio of unique log entries to total log entries in the event log during the time window,wherein the actual rate of log entries is based on a change in the ratio of unique log entries to total log entries during the time window.
  - 3. The method of claim 2, wherein the unique log entries are identified as unique based on a tag field in each log entry.
  - 4. The method of claim 1, wherein the determining of the expected rate of log entries over the time window includes:
    - identifying one or more additional actual rates of log entries for the time window, the one or more additional actual rates corresponding to one or more additional devices in a network including the first device; and
      
      wherein the determining of whether the first device is a compromised device includes comparing the actual rate of log entries for the first device to the one or more additional actual rates of log entries.
  - 5. The method of claim 4, wherein the determining of the expected rate of log entries includes:
    - determining a directional rate of change of unique log entries generated by the first device; and
      
      comparing the directional rate of change of unique log entries to a directional rate of change of log entries for the one or more additional devices in a same time window.
  - 6. The method of claim 1, wherein the event log includes log entries generated by a security application.

7. A computer readable storage device or storage disk comprising computer readable instructions that, when executed by one or more processors, cause the one or more processors to at least:
- monitor an event log of a first device, the event log to identify events associated with the first device;
  
  determine an expected rate of log entries over a time period;
  
  identify that an actual rate of log entries over the time period satisfies a threshold;
  
  in response to satisfaction of the threshold by the actual rate of log entries during the time period, (i) calculate a confidence value associated with the first device being compromised, the confidence value calculated based on the expected rate of log entries, the actual rate of log entries, and a standard deviation of the actual rate of log entries, and (ii) determine whether the first device is compromised based on the confidence value; and
  
  perform an action in response to a determination that the first device is compromised.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer readable storage device or storage disk of claim 7, wherein to determine the expected rate of log entries during the time window, the instructions, when executed, cause the one or more processors to:
    - analyze the event log to determine a ratio of unique log entries to total log entries in the event log during the time window,wherein the actual rate of log entries is based on a change in the ratio of unique log entries to total log entries during the time window.
  - 9. The computer readable storage device or storage disk of claim 8, wherein the unique log entries are identified as unique based on a tag field in each log entry.
  - 10. The computer readable storage device or storage disk of claim 7, wherein the instructions, when executed, cause the one or more processors to:
    - identify one or more additional actual rates of log entries for the time window, the one or more additional actual rates corresponding to one or more additional devices in a network including the first device; and
      
      determine whether the first device is compromised based on comparison of the actual rate of log entries for the first device to the one or more additional actual rates of log entries.
  - 11. The computer readable storage device or storage disk of claim 10, wherein to determine the expected rate of log entries, the instructions, when executed, cause the one or more processors to:
    - determine a directional rate of change of unique log entries generated by the first device; and
      
      compare the directional rate of change of unique log entries to a directional rate of change of log entries for the one or more additional devices in a same time window.
  - 12. The computer readable storage device or storage disk of claim 7, wherein the event log includes log entries generated by a security application.

13. A system to detect a malware attack, the system comprising:
- one or more memories including computer readable instructions; and
  
  one or more processors in communication with the one or more memories, the one or more processors to execute the computer readable instructions to at least;
  
  monitor an event log of a first device, the event log to identify events associated with the first device;
  
  determine an expected rate of log entries during a time window;
  
  identify that an actual rate of log entries during the time window satisfies a threshold;
  
  in response to satisfaction of the threshold by the actual rate of log entries during the time window, (i) calculate a confidence value associated with the first device being compromised, the confidence value calculated based on the expected rate of log entries, the actual rate of log entries, and a standard deviation of the actual rate of log entries, and (ii) determine whether the first device is compromised based on the confidence value; and
  
  perform an action in response to a determination that the first device is compromised.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, wherein to determine the expected rate of log entries during the time window, the one or more processors are to:
    - analyze the event log to determine a ratio of unique log entries to total log entries in the event log during the time window,wherein the actual rate of log entries is based on a change in the ratio of unique log entries to total log entries during the time window.
  - 15. The system of claim 14, wherein the unique log entries are identified as unique based on a tag field in each log entry.
  - 16. The system of claim 13, wherein the one or more processors are to:
    - identify one or more additional actual rates of log entries during the time window, the one or more additional actual rates corresponding to one or more additional devices in a network including the first device; and
      
      determine whether the first device is compromised based on comparison of the actual rate of log entries for the first device to the one or more additional actual rates of log entries.
  - 17. The system of claim 16, wherein to determine the expected rate of log entries, the one or more processors are to:
    - determine a directional rate of change of unique log entries generated by the first device; and
      
      compare the directional rate of change of unique log entries to a directional rate of change of log entries for the one or more additional devices in a same time window.
  - 18. The system of claim 13, wherein the event log includes log entries generated by a security application.

19. A method to configure a system to detect a malware attack, the method comprising:
- obtaining a data set including a plurality of historic log entries for a plurality of endpoints, respective ones of the historic log entries including respective event identifications and respective event times;
  
  for a first time window, identifying, by executing an instruction with at least one hardware processor and based on a semantic analysis of keywords in the historic log entries, a subset of the historic log entries with respective event identifications associated with respective severity values that satisfy a threshold;
  
  tagging, by executing an instruction with the at least one hardware processor, the subset of the historic log entries as originating from a compromised endpoint; and
  
  training, by executing an instruction with the at least one hardware processor, a machine learning algorithm to generate a classifier based on the plurality of historic log entries and the tagged subset of log entries.
- View Dependent Claims (20, 21, 22)
- - 20. The method of claim 19, wherein the classifier comprises includes at least one of a decision tree, a tree ensemble, a gradient boosted decision tree, or a Bayesian inference model.
  - 21. The method of claim 19, wherein a set of future log entries can be analyzed using the classifier to identify a potential malware attack.
  - 22. The method of claim 21, wherein the potential malware attack is identified based on identifiers for respective ones of the set of the future log entries, and not based on content of the set of future log entries.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, LLC
Inventors
Thayer, Peter, Infante-Lopez, Gabriel G., Ferrado, Leandro J., Houspanossian, Alejandro
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Ahmed, Mahabub S

Application Number

US15/476,212
Publication Number

US 20180288074A1
Time in Patent Office

921 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

G06N 20/20   Ensemble learning

G06N 7/01   Probabilistic graphical mod...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Identifying malware-suspect end points through entropy changes in consolidated logs

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

45 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

Identifying malware-suspect end points through entropy changes in consolidated logs

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others