Endpoint detection and response utilizing machine learning

US 10,699,012 B2
Filed: 01/04/2018
Issued: 06/30/2020
Est. Priority Date: 01/11/2017
Status: Active Grant

First Claim

Patent Images

1. A method for implementation by one or more dataprocessors forming part of at least one computing device, the method comprising:

monitoring, by at least one data processor, a plurality of events associated with each of a plurality of computing nodes forming part of a network topology, the network topology comprising antivirus tools to detect malicious software prior to it accessing one of the computing nodes;

determining, by a least one data processor using at least one machine learning model, that at least one of the events is indicative of malicious activity that has circumvented or bypassed the antivirus tools; and

automatically exploring the computing nodes of the network topology;

providing, by a software tool, recommended ML packs based on the automatic exploring;

andselecting the ML based on the provided recommended ML packs providing, by at least one data processor, data characterizing the determination;

wherein;

the at least one machine learning model is embodied in a plurality of machine learning (ML) packs, each pack being separate and distinct and identifying different types of malicious activity;

at least one of the ML packs executing on a first of the plurality of computing nodes automatically and without human intervention changes its parameters and propagates such changes to at least one other computing node when a threat is detected on the first node.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A plurality of events associated with each of a plurality of computing nodes that form part of a network topology are monitored. The network topology includes antivirus tools to detect malicious software prior to it accessing one of the computing nodes. Thereafter, it is determined that, using at least one machine learning model, at least one of the events is indicative of malicious activity that has circumvented or bypassed the antivirus tools. Data is then provided that characterizes the determination. Related apparatus, systems, techniques and articles are also described.

20 Citations

View as Search Results

19 Claims

1. A method for implementation by one or more dataprocessors forming part of at least one computing device, the method comprising:
- monitoring, by at least one data processor, a plurality of events associated with each of a plurality of computing nodes forming part of a network topology, the network topology comprising antivirus tools to detect malicious software prior to it accessing one of the computing nodes;
  
  determining, by a least one data processor using at least one machine learning model, that at least one of the events is indicative of malicious activity that has circumvented or bypassed the antivirus tools; and
  
  automatically exploring the computing nodes of the network topology;
  
  providing, by a software tool, recommended ML packs based on the automatic exploring;
  
  andselecting the ML based on the provided recommended ML packs providing, by at least one data processor, data characterizing the determination;
  
  wherein;
  
  the at least one machine learning model is embodied in a plurality of machine learning (ML) packs, each pack being separate and distinct and identifying different types of malicious activity;
  
  at least one of the ML packs executing on a first of the plurality of computing nodes automatically and without human intervention changes its parameters and propagates such changes to at least one other computing node when a threat is detected on the first node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein providing data characterizing the determination includes at least one of:
    - display the data in an electronic visual display, loading the data into memory, storing the data in physical persistence, or transmitting the data to a remote computing device.
  - 3. The method of claim 1 further comprising:
    - identifying, by at least one data processor, a source of the malicious activity;
      
      wherein the provided data further characterizes the identified source of the malicious activity.
  - 4. The method of claim 3 further comprising:
    - isolating a node corresponding to the identified source of the malicious activity from communication with other nodes.
  - 5. The method of claim 3 further comprising:
    - initiating remediation at the node corresponding to the identified source of the malicious activity to prevent further damage to the node and/or the network topology.
  - 6. The method of claim 5, wherein the remediation utilizes at least one reinforcement learning method selected from a group consisting of:
    - multi-armed bandits, Q-learning, or Bayesian optimization.
  - 7. The method of claim 1, wherein the antivirus tools comprise at least one of:
    - antivirus software or a computer network gateway appliance.
  - 8. The method of claim 1, wherein the at least one machine learning model is selected from a group consisting of:
    - generalized linear models, ordinary least squares, ridge regression, lasso, multi-task lasso, elastic net, multi-task elastic net, least angle regression, LARS lasso, orthogonal matching pursuit (OMP), Bayesian regression, naive Bayesian, logistic regression, stochastic gradient descent (SGD), neural networks, Perceptron, passive aggressive algorithms, robustness regression, Huber regression, polynomial regression, linear and quadratic discriminant analysis, kernel ridge regression, support vector machines, stochastic gradient descent, nearest neighbor, Gaussian processes, cross decomposition, decision trees, or ensemble methods.
  - 9. The method of claim 1, wherein at least one machine learning model uses supervised learning and has labels origination from a source selected from a group consisting of:
    - existing label corpuses associated with executable files, indicators of compromise, or deterministic finite automata tailored to recognize particular tactics, techniques and procedures (TTPs).
  - 10. The method of claim 1, wherein the at least one machine learning model uses unsupervised learning methods that characterize qualitative changes on a node based on corresponding monitored events.
  - 11. The method of claim 10, wherein the unsupervised learning methods are selected from a group consisting of:
    - clustering, anomaly detection or latent variable models.
  - 12. The method of claim 1, wherein different types of malicious activity identified by the machine learning packs are selected from a group consisting of:
    - memory-based attacks, POWERSHELL/macro-based exploits, privilege escalation, lateral movement, data exfiltration, anti-analysis efforts, password stealer, backdoor/tunnel, or insider threat.
  - 13. The method of claim 1, wherein at least one machine learning pack is self-configured dynamically on a corresponding node based on communications with at least one of:
    - another node or a remote computing system.
  - 14. The method of claim 1, wherein at least one machine learning pack on a corresponding node is updated based on communications with at least one of:
    - another node or a remote computing system.
  - 15. The method of claim 1, wherein at least one machine learning model is dynamically updated based on the monitored events.
  - 16. The method of claim 1 further comprising:
    - imputing, using at least one generative model, missing data providing context of at least one event indicative of the malicious activity.
  - 17. The method of claim 1, wherein the changed parameters are one or more of likelihood gradients and posterior parameter samples.
  - 18. The method of claim 1 further comprising:
    - preventing the malicious software from continuing to execute.
  - 19. The method of claim 1, wherein at least a portion of the ML packs are utilized in sequence such that, if a first of the ML packs indicates that a certain situation may be present, corresponding event data or a modification thereof is passed to second of the ML packs that consumes a greater amount of computation resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cylance Inc. (Blackberry Limited)
Original Assignee
Cylance Inc. (Blackberry Limited)
Inventors
Kashyap, Rahul Chander, Kotov, Vadim Dmitriyevich, Oswald, Samuel John, Strong, Homer Valentine
Primary Examiner(s)
Idowu, Olugbenga O

Application Number

US15/862,067
Publication Number

US 20180196942A1
Time in Patent Office

908 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/56   Computer malware detection ...

G06F 21/561   Virus type analysis

G06N 20/00   Machine learning

G06N 3/006   based on simulated virtual ...

H04L 63/1408   by monitoring network traff...

Endpoint detection and response utilizing machine learning

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

20 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Endpoint detection and response utilizing machine learning

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links