Automated forensics of computer systems using behavioral intelligence

US 10,645,110 B2
Filed: 04/18/2018
Issued: 05/05/2020
Est. Priority Date: 01/16/2013
Status: Active Grant

First Claim

Patent Images

1. A method for computer system forensics, comprising:

receiving an identification of a plurality of host computers that exhibited an anomalous behavior, in a computer network comprising multiple host computers;

assembling a plurality of respective positive images of the identified plurality of host computers in the network using image information collected with regard to a configuration of software components running on the host computers;

assembling a plurality of negative images using image information collected with respect to a plurality of host computers not exhibiting the anomalous behavior;

making a comparison between the plurality of positive images and the plurality of negative images; and

based on the comparison, extracting from the positive and negative images a feature of the configuration of the software components that distinguishes between the positive and negative images, to serve as a forensic indicator of the anomalous behavior,wherein extracting the feature comprises extracting a narrow feature, traversing a generalization path and determining whether generalizations on the path distinguish between the positive and negative images.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for computer system forensics includes receiving an identification of at least one host computer that has exhibited an anomalous behavior, in a computer network comprising multiple host computers. Respective images of the host computers in the network are assembled using image information collected with regard to the host computers. A comparison is made between at least one positive image of the at least one host computer, assembled using the image information collected following occurrence of the anomalous behavior, and one or more negative images assembled using the image information collected with respect to one or more of the host computers not exhibiting the anomalous behavior. Based on the comparison, a forensic indicator of the anomalous behavior is extracted from the positive and negative images.

Citations

26 Claims

1. A method for computer system forensics, comprising:
- receiving an identification of a plurality of host computers that exhibited an anomalous behavior, in a computer network comprising multiple host computers;
  
  assembling a plurality of respective positive images of the identified plurality of host computers in the network using image information collected with regard to a configuration of software components running on the host computers;
  
  assembling a plurality of negative images using image information collected with respect to a plurality of host computers not exhibiting the anomalous behavior;
  
  making a comparison between the plurality of positive images and the plurality of negative images; and
  
  based on the comparison, extracting from the positive and negative images a feature of the configuration of the software components that distinguishes between the positive and negative images, to serve as a forensic indicator of the anomalous behavior,wherein extracting the feature comprises extracting a narrow feature, traversing a generalization path and determining whether generalizations on the path distinguish between the positive and negative images.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method according to claim 1, wherein identifying the plurality of host computers comprises mapping respective suspiciousness levels of the host computers in the network, and initiating the comparison when the suspiciousness levels meet a predefined trigger condition.
  - 3. The method according to claim 2, wherein the trigger condition comprises a cumulative trigger condition of the plurality of host computers.
  - 4. The method according to claim 2, wherein the trigger condition initiates the comparison responsive to a single one of the plurality of host computers having a suspiciousness level above a threshold.
  - 5. The method according to claim 1, wherein assembling the respective positive images comprises collecting the image information from the host computers periodically.
  - 6. The method according to claim 1, wherein assembling the respective positive images comprises collecting the image information in response to identifying the plurality of host computers that exhibited the anomalous behavior.
  - 7. The method according to claim 1, wherein the plurality of the negative images comprise at least one image of the at least one host computer, wherein the at least one image is assembled using the image information collected with respect to the at least one host computer prior to the anomalous behavior.
  - 8. The method according to claim 1, wherein extracting the feature comprises finding a commonality of the positive images that is absent from the negative images.
  - 9. The method according to claim 8, wherein finding the commonality comprises identifying a property that is matched exactly in all of the positive images.
  - 10. The method according to claim 8, wherein finding the commonality comprises identifying a property of one of the positive images, and generalizing the property so that all of the positive images, but not the negative images, match the generalized property.
  - 11. The method according to claim 1, wherein extracting the feature comprises identifying a property that occurs with a first probability in the positive images and occurs with a second probability, lower than the first probability, in the negative images.
  - 12. The method according to claim 1, wherein extracting the feature comprises finding a commonality of the negative images that is absent from the positive images.
  - 13. The method according to claim 1, wherein extracting the feature comprises providing an identification of at least one of a file and a directory that is associated with the anomalous behavior.
  - 14. The method according to claim 13, wherein the images comprise a respective directory structure of each of the host computers, and wherein providing the identification comprises specifying a file in the directory structure that is manifest in the positive images but not in the negative images.
  - 15. The method according to claim 13, wherein the images comprise a respective directory structure of each of the host computers, and wherein providing the identification comprises specifying a file in the directory structure that is manifest in the negative images but not in the positive images.
  - 16. The method according to claim 13, wherein the images comprise a respective directory structure of each of the host computers, and wherein providing the identification comprises specifying a directory in the directory structure that is manifest in the positive images but not in the negative images.
  - 17. The method according to claim 13, wherein the images comprise a respective directory structure of each of the host computers, and wherein providing the identification comprises specifying a directory in the directory structure that is manifest in the negative images but not in the positive images.
  - 18. The method according to claim 1, and comprising applying the forensic indicator in checking the host computers on the network in order to inhibit further occurrence of the anomalous behavior.
  - 19. The method according to claim 1, wherein assembling a plurality of positive and negative images comprises choosing a number of positive images and a number of negative images according to tolerances of false-positive and false-negative results set by a system operator.
  - 20. The method according to claim 1, wherein extracting from the positive and negative images a feature of the configuration of the software components comprises extracting a plurality of features.
  - 21. The method according to claim 20, wherein assembling a plurality of positive and negative images comprises choosing a number of positive images and a number of negative images according to tolerances set by a system operator and assembling the chosen numbers of positive and negative images.
  - 22. The method according to claim 21, further comprising after extracting the plurality of features changing the number of positive or negative images and repeating the assembling of the positive and negative images for the changed number of images, the making of the comparison and the extracting of the plurality of features.

23. Apparatus for computer system forensics, comprising:
- an interface, configured to receive an identification of a plurality of host computers that exhibited an anomalous behavior, in a computer network comprising multiple host computers; and
  
  a hardware processor, which is configured to assemble a plurality of respective positive images of the identified plurality of host computers using image information collected with regard to a configuration of software components running on the host computers, to assemble a plurality of negative images using image information collected with respect to a plurality of host computers not exhibiting the anomalous behavior, to make a comparison between the plurality of positive images and the plurality of negative images, and based on the comparison, to extract from the positive and negative images a feature of the configuration of the software components that distinguishes between the positive and negative images, to serve as a forensic indicator of the anomalous behavior,wherein the hardware processor is configured to extract the feature by extracting a narrow feature, traversing a generalization path and determining whether generalizations on the path distinguish between the positive and negative images.
- View Dependent Claims (24, 25)
- - 24. The apparatus according to claim 23, wherein the hardware processor is configured to provide an identification of at least one of a file and a directory that is associated with the anomalous behavior.
  - 25. The apparatus according to claim 23, wherein the hardware processor is configured to identify a property that occurs with a first probability in the positive images and occurs with a second probability, lower than the first probability, in the negative images.

26. A computer software product, comprising a non-transitory computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to receive an identification of a plurality of computers on a network that exhibited an anomalous behavior, to assemble a plurality of respective positive images of the identified plurality of host computers using image information collected with regard to a configuration of software components running on the host computers, to assemble a plurality of negative images using image information collected with respect to a plurality of host computers not exhibiting the anomalous behavior, to make a comparison between the plurality of positive images, and the plurality of negative images and based on the comparison, to extract from the positive and negative images a feature of the configuration of the software components that distinguishes between the positive and negative images, to serve as a forensic indicator of the anomalous behavior,wherein the instructions cause the computer to extract the feature by extracting a narrow feature, traversing a generalization path and determining whether generalizations on the path distinguish between the positive and negative images.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks (UK) Ltd. (Palo Alto Networks Incorporated)
Original Assignee
Palo Alto Networks (UK) Ltd. (Palo Alto Networks Incorporated)
Inventors
Mumcuoglu, Michael, Engel, Giora, Firstenberg, Eyal
Primary Examiner(s)
Pyzocha, Michael

Application Number

US15/955,712
Publication Number

US 20180367556A1
Time in Patent Office

748 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

H04L 2463/121   Timestamp

H04L 61/4511   using domain name system [DNS]

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Automated forensics of computer systems using behavioral intelligence

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Automated forensics of computer systems using behavioral intelligence

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links