Identifying malware-suspect end points through entropy changes in consolidated logs
6 Assignments
0 Petitions
Abstract
Detecting a malware attack includes monitoring an event log of a first device, wherein the event log identifies events indicating that the first device is likely compromised, determining an expected rate of log entries during a time window, identifying that an actual rate of log entries during the time window satisfies a threshold, determining, in response to the identifying, that the first device is a compromised device, and performing an action in response to determining that the first device is a compromised device.
45 Citations
22 Claims
1. A method to detect a malware attack, the method comprising:
- monitoring an event log of a first device, the event log to identify events associated with the first device;
- determining, by executing an instruction with at least one hardware processor, an expected rate of log entries during a time window;
- identifying, by executing an instruction with the at least one hardware processor, that an actual rate of log entries during the time window satisfies a threshold;
- in response to the identifying that the actual rate of log entries during the time window satisfies the threshold, (i) calculating, by executing an instruction with the at least one hardware processor, a confidence value associated with the first device being compromised, the confidence value calculated based on the expected rate of log entries, the actual rate of log entries, and a standard deviation of the actual rate of log entries, and (ii) determining, by executing an instruction with the at least one hardware processor, whether the first device is compromised based on the confidence value; and
- performing an action in response to determining that the first device is compromised.
Dependent claims: 2, 3, 4, 5, 6

7. A computer readable storage device or storage disk comprising computer readable instructions that, when executed by one or more processors, cause the one or more processors to at least:
- monitor an event log of a first device, the event log to identify events associated with the first device;
- determine an expected rate of log entries over a time period;
- identify that an actual rate of log entries over the time period satisfies a threshold;
- in response to satisfaction of the threshold by the actual rate of log entries during the time period, (i) calculate a confidence value associated with the first device being compromised, the confidence value calculated based on the expected rate of log entries, the actual rate of log entries, and a standard deviation of the actual rate of log entries, and (ii) determine whether the first device is compromised based on the confidence value; and
- perform an action in response to a determination that the first device is compromised.
Dependent claims: 8, 9, 10, 11, 12

13. A system to detect a malware attack, the system comprising:
- one or more memories including computer readable instructions; and
- one or more processors in communication with the one or more memories, the one or more processors to execute the computer readable instructions to at least:
  - monitor an event log of a first device, the event log to identify events associated with the first device;
  - determine an expected rate of log entries during a time window;
  - identify that an actual rate of log entries during the time window satisfies a threshold;
  - in response to satisfaction of the threshold by the actual rate of log entries during the time window, (i) calculate a confidence value associated with the first device being compromised, the confidence value calculated based on the expected rate of log entries, the actual rate of log entries, and a standard deviation of the actual rate of log entries, and (ii) determine whether the first device is compromised based on the confidence value; and
  - perform an action in response to a determination that the first device is compromised.
Dependent claims: 14, 15, 16, 17, 18
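The detection steps shared by claims 1, 7 and 13 (expected rate, actual rate, threshold, confidence from expected rate, actual rate and standard deviation, then an action) run over a constructed event log, as an added example that is not code from the patent or its assignee. The patent text fixes only the inputs to the confidence value, so the 60-second window, the ten-window baseline, the "expected + 3 * stdev" threshold rule, the Phi(z) confidence formula, the 0.99 decision cut-off, the host name host-a, the isolate action and the sample lines (Windows-style event IDs 4624, 4634 and 4625) are all this example's assumptions. The event-ID entropy function is added to show the "entropy change" named in the title, which the claims themselves do not spell out.

```python
"""Rate-based compromise scoring for one endpoint's event log.
Added example; window, threshold rule, confidence formula and sample log are assumptions."""
import math
import statistics
from collections import Counter

WINDOW_SECONDS = 60         # assumed window length
BASELINE_WINDOWS = 10       # assumed number of past windows used to learn the expected rate
THRESHOLD_SIGMAS = 3.0      # assumed: the threshold is expected + 3 * stdev
DECISION_CONFIDENCE = 0.99  # assumed confidence needed to call the device compromised


def parse_log(text):
    """Parse constructed lines of the form '<unix_ts> <host> <event_id> <message...>'."""
    entries = []
    for line in text.strip().splitlines():
        ts, host, event_id, message = line.split(" ", 3)
        entries.append((int(ts), host, event_id, message))
    return entries


def counts_per_window(entries, start, n_windows, window=WINDOW_SECONDS):
    """Log entries per consecutive window from `start`; windows with no entries count as 0."""
    counts = [0] * n_windows
    for ts, _host, _event_id, _message in entries:
        idx = (ts - start) // window
        if 0 <= idx < n_windows:
            counts[idx] += 1
    return counts


def event_id_entropy(entries):
    """Shannon entropy (bits) of the event-ID mix; a burst of a single event ID drives it to 0."""
    ids = Counter(event_id for _ts, _host, event_id, _message in entries)
    total = sum(ids.values())
    return -sum(n / total * math.log2(n / total) for n in ids.values()) if total else 0.0


def confidence_compromised(expected, actual, std):
    """Confidence the device is compromised, taken as Phi(z) with z = (actual - expected) / std.
    A constant baseline (std == 0) makes any excess certain and no excess impossible."""
    if std == 0.0:
        return 1.0 if actual > expected else 0.0
    z = (actual - expected) / std
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def assess_device(entries, baseline_start, current_start):
    """Run the claim-1 steps for one device; returns every intermediate value plus the action."""
    baseline = counts_per_window(entries, baseline_start, BASELINE_WINDOWS)
    expected = statistics.mean(baseline)
    std = statistics.pstdev(baseline)
    actual = counts_per_window(entries, current_start, 1)[0]
    result = {"expected": expected, "std": std, "actual": actual,
              "threshold_met": actual > expected + THRESHOLD_SIGMAS * std,
              "confidence": None, "compromised": False, "action": "none"}
    if result["threshold_met"]:          # confidence is only computed once the threshold is met
        confidence = confidence_compromised(expected, actual, std)
        result["confidence"] = confidence
        result["compromised"] = confidence >= DECISION_CONFIDENCE
        if result["compromised"]:
            result["action"] = "isolate host and alert SOC"   # assumed response action
    return result


def constructed_log():
    """Constructed sample: ten quiet minutes of 2 or 4 logon/logoff events (4624/4634), then
    30 failed logons (4625) in the following minute."""
    lines = []
    for w in range(BASELINE_WINDOWS):
        for k in range(2 if w % 2 == 0 else 4):
            event_id = "4624" if k % 2 == 0 else "4634"
            lines.append(f"{w * WINDOW_SECONDS + k * 10} host-a {event_id} logon activity")
    for k in range(30):
        lines.append(f"{BASELINE_WINDOWS * WINDOW_SECONDS + k * 2} host-a 4625 logon failure")
    return "\n".join(lines)


if __name__ == "__main__":
    log = parse_log(constructed_log())
    print(assess_device(log, baseline_start=0, current_start=600))
    print("baseline entropy:", event_id_entropy([e for e in log if e[0] < 600]))
    print("burst entropy:   ", event_id_entropy([e for e in log if e[0] >= 600]))
```

On the constructed log the baseline windows hold 2, 4, 2, 4, ... entries (expected 3.0, population stdev 1.0), so the threshold is 6 entries per minute; the burst minute holds 30, which gives z = 27 and a confidence that rounds to 1.0, while a quiet minute never reaches the confidence step at all. The entropy figures move the other way: the mixed baseline sits at 1.0 bit and the single-ID burst at 0.0, which is the complementary signal a detection engineer would add beside the raw rate.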
19. A method to configure a system to detect a malware attack, the method comprising:
- obtaining a data set including a plurality of historic log entries for a plurality of endpoints, respective ones of the historic log entries including respective event identifications and respective event times;
- for a first time window, identifying, by executing an instruction with at least one hardware processor and based on a semantic analysis of keywords in the historic log entries, a subset of the historic log entries with respective event identifications associated with respective severity values that satisfy a threshold;
- tagging, by executing an instruction with the at least one hardware processor, the subset of the historic log entries as originating from a compromised endpoint; and
- training, by executing an instruction with the at least one hardware processor, a machine learning algorithm to generate a classifier based on the plurality of historic log entries and the tagged subset of log entries.
Dependent claims: 20, 21, 22
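The configuration steps of claim 19 (historic entries with event IDs and times, a keyword-derived severity test over one window, tagging the matching entries' endpoints as compromised, and training a classifier from the whole set plus the tags) carried through on constructed data, as an added example that is not code from the patent or its assignee. The claim does not name a severity scale, a learner or a feature set, so the keyword-to-severity table (a plain keyword match standing in for "semantic analysis"), the threshold of 7, the per-endpoint feature vector of entry count and event-ID entropy, the nearest-centroid learner, and the endpoints ep1 to ep6 with their messages are all this example's assumptions.

```python
"""Labelling historic log entries by keyword severity and training a classifier from them.
Added example; severity table, threshold, features and learner are assumptions."""
import math
from collections import Counter, defaultdict

# Assumed keyword -> severity table standing in for the claim's "semantic analysis of keywords".
SEVERITY_KEYWORDS = {"mimikatz": 9, "ransom": 9, "psexec": 7, "failure": 3, "success": 1}
SEVERITY_THRESHOLD = 7  # assumed: an entry at or above this severity marks its endpoint compromised

# Constructed historic entries for one time window: (endpoint, event_id, unix_time, message).
HISTORIC = [
    ("ep1", "4624", 10, "logon success"), ("ep1", "4634", 40, "logoff success"),
    ("ep1", "4624", 70, "logon success"), ("ep1", "4634", 90, "logoff success"),
    ("ep2", "4624", 15, "logon success"), ("ep2", "4634", 45, "logoff success"),
    ("ep2", "4624", 75, "logon success"), ("ep2", "4634", 95, "logoff success"),
    ("ep3", "4625", 20, "logon failure"), ("ep3", "4625", 22, "logon failure"),
    ("ep3", "4625", 24, "logon failure"), ("ep3", "4625", 26, "logon failure"),
    ("ep3", "4625", 28, "logon failure"), ("ep3", "4625", 30, "logon failure"),
    ("ep3", "4625", 32, "logon failure"), ("ep3", "4625", 34, "logon failure"),
    ("ep3", "4688", 36, "process created mimikatz.exe"),
    ("ep4", "4688", 50, "process created psexec.exe"),
    ("ep4", "4624", 51, "logon success"), ("ep4", "4624", 52, "logon success"),
    ("ep4", "4624", 53, "logon success"), ("ep4", "4624", 54, "logon success"),
    ("ep4", "4624", 55, "logon success"), ("ep4", "4624", 56, "logon success"),
    ("ep4", "4624", 57, "logon success"),
]

# Constructed unlabelled endpoints for prediction; neither contains a high-severity keyword.
HOLDOUT_BURST = [("ep5", "4625", 60 + i, "logon failure") for i in range(7)]
HOLDOUT_QUIET = [("ep6", "4624", 61, "logon success"), ("ep6", "4634", 80, "logoff success"),
                 ("ep6", "4624", 95, "logon success")]


def severity(message):
    """Highest severity of any assumed keyword found in the message (0 if none match)."""
    text = message.lower()
    return max((s for kw, s in SEVERITY_KEYWORDS.items() if kw in text), default=0)


def tag_compromised_endpoints(entries, window_start, window_end):
    """Claim-19 tagging step: entries in the window whose severity satisfies the threshold are
    tagged, and the endpoints they originate from become the positive (compromised) class."""
    tagged = [e for e in entries
              if window_start <= e[2] < window_end and severity(e[3]) >= SEVERITY_THRESHOLD]
    return {e[0] for e in tagged}, tagged


def features(endpoint_entries):
    """Assumed per-endpoint feature vector: [entry count, Shannon entropy (bits) of event IDs]."""
    ids = Counter(e[1] for e in endpoint_entries)
    n = sum(ids.values())
    return [float(n), -sum(c / n * math.log2(c / n) for c in ids.values())]


def train_classifier(entries, window_start, window_end):
    """Train a nearest-centroid classifier (assumed learner) on standardised features, using the
    keyword-tagged endpoints as positives and every other endpoint in the window as negatives."""
    compromised, _ = tag_compromised_endpoints(entries, window_start, window_end)
    per_endpoint = defaultdict(list)
    for e in entries:
        if window_start <= e[2] < window_end:
            per_endpoint[e[0]].append(e)
    rows = [(features(v), 1 if ep in compromised else 0) for ep, v in per_endpoint.items()]
    if not compromised or len(compromised) == len(rows):
        raise ValueError("training data must contain both tagged and untagged endpoints")
    dims = len(rows[0][0])
    mean = [sum(x[i] for x, _ in rows) / len(rows) for i in range(dims)]
    std = [math.sqrt(sum((x[i] - mean[i]) ** 2 for x, _ in rows) / len(rows)) or 1.0
           for i in range(dims)]
    scaled = [([(x[i] - mean[i]) / std[i] for i in range(dims)], y) for x, y in rows]
    centroids = {}
    for label in (0, 1):
        members = [x for x, y in scaled if y == label]
        centroids[label] = [sum(x[i] for x in members) / len(members) for i in range(dims)]
    return {"mean": mean, "std": std, "centroids": centroids}


def predict(model, endpoint_entries):
    """Classify an unlabelled endpoint by the nearest centroid in standardised feature space."""
    x = [(v - m) / s for v, m, s in zip(features(endpoint_entries), model["mean"], model["std"])]
    dist = {label: math.dist(x, c) for label, c in model["centroids"].items()}
    return "compromised" if dist[1] < dist[0] else "benign"


if __name__ == "__main__":
    model = train_classifier(HISTORIC, 0, 100)
    print("tagged endpoints:", sorted(tag_compromised_endpoints(HISTORIC, 0, 100)[0]))
    print("burst endpoint:", predict(model, HOLDOUT_BURST))
    print("quiet endpoint:", predict(model, HOLDOUT_QUIET))
```

The keyword rule touches only the labelling: ep3 is tagged through the mimikatz line and ep4 through the psexec line, while ep1 and ep2 never exceed severity 1. The trained classifier then flags ep5 from its entry count and collapsed event-ID entropy alone, with no high-severity keyword in its lines, which is what training on the tagged set buys over simply running the keyword rule at detection time. The guard in train_classifier is deliberate: a window in which no entry, or every entry, satisfies the severity threshold yields no usable negative or positive class, and the error is better raised while configuring the system than silently turned into a one-class centroid.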
Specification