Method and system for detecting and remediating polymorphic attacks across an enterprise
First Claim
Patent Images
1. A method for detecting potential malware comprising:
- a)
1) obtaining an attack tree representative of an attack on a network, the attack tree formed of objects;
2) analyzing the objects to determine whether each of the objects is classified as known or unknown, in accordance with predefined criteria; and
,3) representing the unknown objects in the attack tree as generalized objects, resulting in the creation of a first generalized attack tree from the obtained attack tree;
b) dividing the first generalized attack tree into subtrees including first generalized objects;
c) obtaining at least one subtree including second generalized objects associated with a subsequent generalized attack tree;
d) comparing at least one of the subtrees from the first generalized attack tree to the at least one subtree associated with the subsequent generalized attack tree, based on at least partial matches of the first generalized objects and the second generalized objects, the least partial matches including matching less than all of the first generalized objects with the second generalized objects; and
,e) augmenting the first generalized attack tree by adding the second generalized objects, which do not match the first generalized objects, to the first generalized attack tree, to detect potentially unknown malware.
0 Assignments
0 Petitions
Accused Products
Abstract
Disclosed are methods and systems for detecting malware and potential malware based on using generalized attack trees (generalized attack tree graphs). The generalized attack trees are based on attack trees (attack tree graphs), whose objects, such as links and vertices, have been analyzed, and some of these objects have been generalized, resulting in the generalized attack tree of the invention.
16 Citations
9 Claims
-
1. A method for detecting potential malware comprising:
-
a)
1) obtaining an attack tree representative of an attack on a network, the attack tree formed of objects;2) analyzing the objects to determine whether each of the objects is classified as known or unknown, in accordance with predefined criteria; and
,3) representing the unknown objects in the attack tree as generalized objects, resulting in the creation of a first generalized attack tree from the obtained attack tree; b) dividing the first generalized attack tree into subtrees including first generalized objects; c) obtaining at least one subtree including second generalized objects associated with a subsequent generalized attack tree; d) comparing at least one of the subtrees from the first generalized attack tree to the at least one subtree associated with the subsequent generalized attack tree, based on at least partial matches of the first generalized objects and the second generalized objects, the least partial matches including matching less than all of the first generalized objects with the second generalized objects; and
,e) augmenting the first generalized attack tree by adding the second generalized objects, which do not match the first generalized objects, to the first generalized attack tree, to detect potentially unknown malware. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeCheck Point Software Technologies Limited
-
Original AssigneeCheck Point Software Technologies Limited
-
InventorsLeiderfarb, Tamara, Arzi, Lior, Pal, Anandabrata
-
Primary Examiner(s)Khan, Sher A
-
Application NumberUS16/181,377Publication NumberTime in Patent Office406 DaysField of SearchUS Class CurrentCPC Class CodesH04L 63/1416 Event detection, e.g. attac...H04L 63/1441 Countermeasures against mal...H04L 63/145 the attack involving the pr...
