Modeling malicious behavior that occurs in the absence of users

US 10,452,841 B1
Filed: 05/01/2017
Issued: 10/22/2019
Est. Priority Date: 05/01/2017
Status: Active Grant

First Claim

Patent Images

1. A method of identifying malicious events occurring on computer devices in the absence of users, the method comprising:

training an anomaly detection model using attributes associated with a first plurality of events representing system activity that occurs when users are not present on one or more first clean computer devices;

utilizing the anomaly detection model to remove benign events from a second plurality of events captured from infected computer devices when users are not present;

utilizing malicious events from the second plurality of events and benign events from a third plurality of events on one or more second clean computer devices to train a classifier; and

utilizing the classifier to identify a first set of attributes which are able to predict if an event is malicious with a predictive power greater than a threshold.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, apparatuses, methods, and computer readable mediums for modeling malicious behavior that occurs in the absence of users. A system trains an anomaly detection model using attributes associated with a first plurality of events representing system activity on one or more clean machines when users are not present. Next, the system utilizes the trained anomaly detection model to remove benign events from a second plurality of events captured from infected machines when users are not present. Then, the system utilizes malicious events, from the second plurality of events, to train a classifier. Next, the classifier identifies a first set of attributes which are able to predict if an event is caused by malware with a predictive power greater than a threshold.

Citations

20 Claims

1. A method of identifying malicious events occurring on computer devices in the absence of users, the method comprising:
- training an anomaly detection model using attributes associated with a first plurality of events representing system activity that occurs when users are not present on one or more first clean computer devices;
  
  utilizing the anomaly detection model to remove benign events from a second plurality of events captured from infected computer devices when users are not present;
  
  utilizing malicious events from the second plurality of events and benign events from a third plurality of events on one or more second clean computer devices to train a classifier; and
  
  utilizing the classifier to identify a first set of attributes which are able to predict if an event is malicious with a predictive power greater than a threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as recited in claim 1, further comprising:
    - receiving a request to determine whether a given computer device is clean or infected;
      
      detecting a fourth plurality of events on the given computer device; and
      
      utilizing values of the first set of attributes extracted from the fourth plurality of events to determine if the given computer device is clean or infected.
  - 3. The method as recited in claim 2, further comprising generating a prediction on whether the given computer device is infected based on the values of the first set of attributes extracted from the fourth plurality of events.
  - 4. The method as recited in claim 3, further comprising performing a security action with respect to the given computer device responsive to predicting the given computer device is infected.
  - 5. The method as recited in claim 4, wherein the security action comprises one or more of storing an indication that an event is suspect, notifying an administrator, generating a warning, disabling network access, and launching a security application.
  - 6. The method as recited in claim 1, wherein:
    - clean computer devices are computer devices determined to be devoid of malware;
      
      infected computer devices are computer devices determined to be executing malware; and
      
      training the anomaly detection model comprises;
      
      identifying one or more clean computer devices which have not been infected with malware;
      
      detecting a plurality of events that occur on each clean computer device of the one or more clean computer devices;
      
      recording a plurality of attributes for each event of the plurality of events; and
      
      providing the plurality of attributes for the plurality of events to the anomaly detection model.
  - 7. The method as recited in claim 1, further comprising receiving event attribute matrices, comprising the attributes for a plurality of events, from the one or more first clean computer devices, the infected computer devices, and the one or more second clean computer devices, wherein the rows of each matrix correspond to events, and wherein the columns of each matrix correspond to attributes.

8. A system comprising:
- a memory; and
  
  one or more processors coupled to the memory;
  
  wherein the system is configured to;
  
  train an anomaly detection model using attributes associated with a first plurality of events representing system activity that occurs when users are not present on one or more first clean computer devices;
  
  utilize the anomaly detection model to remove benign events from a second plurality of events captured from infected computer devices when users are not present;
  
  utilize malicious events from the second plurality of events and benign events from a third plurality of events on one or more second clean computer devices to train a classifier; and
  
  utilize the classifier to identify a first set of attributes which are able to predict if an event is malicious with a predictive power greater than a threshold.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system as recited in claim 8, wherein the system is further configured to:
    - receive a request to determine whether a given computer device is clean or infected;
      
      detect a fourth plurality of events on the given computer device; and
      
      utilize values of the first set of attributes extracted from the fourth plurality of events to determine if the given computer device is clean or infected.
  - 10. The system as recited in claim 9, wherein the system is further configured to generate a prediction on whether the given computer device is infected based on the values of the first set of attributes extracted from the fourth plurality of events.
  - 11. The system as recited in claim 10, wherein the system is further configured to perform a security action with respect to the given computer device responsive to predicting the given computer device is infected.
  - 12. The system as recited in claim 11, wherein the security action comprises one or more of storing an indication that an event is suspect, notifying an administrator, generating a warning, disabling network access, and launching a security application.
  - 13. The system as recited in claim 8, wherein:
    - clean computer devices are computer devices determined to be devoid of malware;
      
      infected computer devices are computer devices determined to be executing malware; and
      
      training the anomaly detection model comprises;
      
      identifying one or more clean computer devices which have not been infected with malware;
      
      detecting a plurality of events that occur on each clean computer device of the one or more clean computer devices;
      
      recording a plurality of attributes for each event of the plurality of events; and
      
      providing the plurality of attributes for the plurality of events to the anomaly detection model.
  - 14. The system as recited in claim 8, wherein the system is configured to receive event attribute matrices, comprising the attributes for a plurality of events, from the one or more first clean computer devices, the infected computer devices, and the one or more second clean computer devices, wherein the rows of each matrix correspond to events, and wherein the columns of each matrix correspond to attributes.

15. A non-transitory computer readable storage medium storing program instructions, wherein the program instructions are executable by a processor to:
- train an anomaly detection model using attributes associated with a first plurality of events representing system activity that occurs when users are not present on one or more first clean computer devices;
  
  utilize the anomaly detection model to remove benign events from a second plurality of events captured from infected computer devices when users are not present;
  
  utilize malicious events from the second plurality of events and benign events from a third plurality of events on one or more second clean computer devices to train a classifier; and
  
  utilize the classifier to identify a first set of attributes which are able to predict if an event is malicious with a predictive power greater than a threshold.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer readable storage medium as recited in claim 15, wherein the program instructions are further executable by a processor to:
    - receive a request to determine whether a given computer device is clean or infected;
      
      detect a fourth plurality of events on the given computer device; and
      
      utilize values of the first set of attributes extracted from the fourth plurality of events to determine if the given computer device is clean or infected.
  - 17. The non-transitory computer readable storage medium as recited in claim 16, wherein the program instructions are further executable by a processor to generate a prediction on whether the given computer device is infected based on the values of the first set of attributes extracted from the fourth plurality of events.
  - 18. The non-transitory computer readable storage medium as recited in claim 15, wherein the program instructions are further executable by a processor to perform a security action with respect to the given computer device responsive to predicting the given computer device is infected.
  - 19. The non-transitory computer readable storage medium as recited in claim 18, wherein the security action comprises one or more of storing an indication that an event is suspect, notifying an administrator, generating a warning, disabling network access, and launching a security application.
  - 20. The non-transitory computer readable storage medium as recited in claim 19, wherein:
    - clean computer devices are computer devices determined to be devoid of malware;
      
      infected computer devices are computer devices determined to be executing malware; and
      
      training the anomaly detection model comprises;
      
      identifying one or more clean computer devices which have not been infected with malware;
      
      detecting a plurality of events that occur on each clean computer device of the one or more clean computer devices;
      
      recording a plurality of attributes for each event of the plurality of events; and
      
      providing the plurality of attributes for the plurality of events to the anomaly detection model.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Tamersoy, Acar, Bhatkar, Sandeep, Marino, Daniel, Roundy, Kevin Alejandro
Primary Examiner(s)
Shaw, Brian F

Application Number

US15/583,077
Time in Patent Office

904 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06N 20/00   Machine learning

G06N 20/20   Ensemble learning

G06N 5/01   Dynamic search techniques; ...

G06N 5/04   Inference or reasoning models

Modeling malicious behavior that occurs in the absence of users

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Modeling malicious behavior that occurs in the absence of users

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links