Automated forensics of computer systems using behavioral intelligence
Abstract
A method for computer system forensics includes receiving an identification of at least one host computer that has exhibited an anomalous behavior, in a computer network comprising multiple host computers. Respective images of the host computers in the network are assembled using image information collected with regard to the host computers. A comparison is made between at least one positive image of the at least one host computer, assembled using the image information collected following occurrence of the anomalous behavior, and one or more negative images assembled using the image information collected with respect to one or more of the host computers not exhibiting the anomalous behavior. Based on the comparison, a forensic indicator of the anomalous behavior is extracted from the positive and negative images.
26 Claims
1. A method for computer system forensics, comprising:
receiving an identification of a plurality of host computers that exhibited an anomalous behavior, in a computer network comprising multiple host computers;
assembling a plurality of respective positive images of the identified plurality of host computers in the network using image information collected with regard to a configuration of software components running on the host computers;
assembling a plurality of negative images using image information collected with respect to a plurality of host computers not exhibiting the anomalous behavior;
making a comparison between the plurality of positive images and the plurality of negative images; and
based on the comparison, extracting from the positive and negative images a feature of the configuration of the software components that distinguishes between the positive and negative images, to serve as a forensic indicator of the anomalous behavior,
wherein extracting the feature comprises extracting a narrow feature, traversing a generalization path and determining whether generalizations on the path distinguish between the positive and negative images.
Dependent claims: 2 through 22.
23. Apparatus for computer system forensics, comprising:
an interface, configured to receive an identification of a plurality of host computers that exhibited an anomalous behavior, in a computer network comprising multiple host computers; and
a hardware processor, which is configured to assemble a plurality of respective positive images of the identified plurality of host computers using image information collected with regard to a configuration of software components running on the host computers, to assemble a plurality of negative images using image information collected with respect to a plurality of host computers not exhibiting the anomalous behavior, to make a comparison between the plurality of positive images and the plurality of negative images, and based on the comparison, to extract from the positive and negative images a feature of the configuration of the software components that distinguishes between the positive and negative images, to serve as a forensic indicator of the anomalous behavior,
wherein the hardware processor is configured to extract the feature by extracting a narrow feature, traversing a generalization path and determining whether generalizations on the path distinguish between the positive and negative images.
Dependent claims: 24 and 25.
26. A computer software product, comprising a non-transitory computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to receive an identification of a plurality of computers on a network that exhibited an anomalous behavior, to assemble a plurality of respective positive images of the identified plurality of host computers using image information collected with regard to a configuration of software components running on the host computers, to assemble a plurality of negative images using image information collected with respect to a plurality of host computers not exhibiting the anomalous behavior, to make a comparison between the plurality of positive images and the plurality of negative images, and based on the comparison, to extract from the positive and negative images a feature of the configuration of the software components that distinguishes between the positive and negative images, to serve as a forensic indicator of the anomalous behavior,
wherein the instructions cause the computer to extract the feature by extracting a narrow feature, traversing a generalization path and determining whether generalizations on the path distinguish between the positive and negative images.
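The independent claims describe one procedure: build positive images from the anomalous hosts and negative images from the clean ones, pick a narrow distinguishing feature, then walk a generalization path and keep generalizing only while the feature still separates the two sets. The following Python is an added illustration of that procedure and is not code from the patent or its applicant. It assumes a host image is modelled as the set of absolute file paths of software components found on the host, that a feature is a (directory prefix, file name) pair which matches an image holding a file of that name anywhere under the prefix, that the generalization path broadens the prefix one directory at a time while keeping the file name, and that a feature "distinguishes" when it matches no negative image. The sample images are constructed, not real incident data.

```python
"""Extract a forensic indicator by contrasting positive and negative host images.

Illustrative code (not from the patent). Assumptions: each host image is the set
of absolute file paths found on the host; a feature is (directory_prefix,
file_name) and matches an image holding a file of that name anywhere under the
prefix; generalization broadens the prefix one level at a time; a feature
distinguishes when it matches no negative image.
"""
import posixpath

# Constructed sample images (not real incident data).
# Positives: hosts flagged as anomalous. Each carries a differently named
# staging directory, so no single exact path is shared by all of them.
POSITIVE_IMAGES = [
    {"/usr/bin/sshd", "/usr/bin/cron", "/tmp/.cache/updater-a1/run.bin"},
    {"/usr/bin/sshd", "/usr/sbin/nginx", "/tmp/.cache/updater-b7/run.bin"},
    {"/usr/bin/sshd", "/usr/bin/cron", "/tmp/.cache/updater-c3/run.bin"},
]
# Negatives: hosts that did not exhibit the behavior. One has a benign file
# under /tmp/.cache and one has a legitimate run.bin elsewhere; these bound
# how far the generalization may go before it stops distinguishing.
NEGATIVE_IMAGES = [
    {"/usr/bin/sshd", "/usr/bin/cron"},
    {"/usr/bin/sshd", "/usr/sbin/nginx", "/tmp/.cache/fontconfig/cache.bin"},
    {"/usr/bin/sshd", "/usr/bin/cron", "/opt/agent/run.bin"},
]


def matches(image, feature):
    """True if the image holds a file named `name` anywhere under `prefix`."""
    prefix, name = feature
    scope = prefix.rstrip("/") + "/"  # "/" stays "/", "/tmp" becomes "/tmp/"
    for path in image:
        directory, base = posixpath.split(path)
        if base == name and (directory == prefix or directory.startswith(scope)):
            return True
    return False


def generalization_path(path):
    """Yield the narrow feature (exact path), then successively broader ones
    obtained by moving the directory prefix up one level until the root."""
    directory, name = posixpath.split(path)
    yield (directory, name)
    while directory != "/":
        directory = posixpath.dirname(directory)
        yield (directory, name)


def narrow_features(positives, negatives):
    """Exact paths present on some positive host and on no negative host."""
    seen_on_negatives = set().union(*negatives)
    return sorted({p for image in positives for p in image} - seen_on_negatives)


def extract_indicator(positives, negatives):
    """Walk each narrow feature's generalization path; keep the narrowest
    feature that covers the most positive images while matching no negative.
    Returns (positive_coverage, feature), or None if nothing distinguishes."""
    best = None
    for narrow in narrow_features(positives, negatives):
        for feature in generalization_path(narrow):
            # Broadening the prefix only ever enlarges the match set, so once a
            # generalization hits a negative image, everything beyond it fails too.
            if any(matches(image, feature) for image in negatives):
                break
            coverage = sum(matches(image, feature) for image in positives)
            if best is None or coverage > best[0]:
                best = (coverage, feature)
    return best


def describe(result, positives, negatives):
    """Render the extracted indicator as a human-readable forensic statement."""
    if result is None:
        return "no configuration feature distinguishes the positive images"
    coverage, (prefix, name) = result
    return (f"file named {name!r} under {prefix!r} "
            f"(matched {coverage}/{len(positives)} positive, "
            f"0/{len(negatives)} negative images)")


if __name__ == "__main__":
    result = extract_indicator(POSITIVE_IMAGES, NEGATIVE_IMAGES)
    print(describe(result, POSITIVE_IMAGES, NEGATIVE_IMAGES))
```

On the constructed data the exact path on any one anomalous host covers only that host; generalizing to "a file named run.bin under /tmp/.cache" covers all three positives and no negative, and one step further (any run.bin under "/") would match the clean host's /opt/agent/run.bin, so the walk stops there. Because the search keeps the narrowest feature with maximal coverage, the indicator stays as specific as the evidence allows, which is what you want before turning it into a detection rule.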