SYSTEM AND METHODS FOR MALWARE DETECTION USING LOG BASED CROWDSOURCING ANALYSIS

US 20150381637A1
Filed: 06/15/2015
Published: 12/31/2015
Est. Priority Date: 07/21/2010
Status: Active Grant

First Claim

Patent Images

1. A crowdsourcing log analysis system for protecting a plurality of client networks from security threats, each of said plurality of client networks is associated with a set of network entities, said system comprising:

at least one breach detection platform operable to receive a plurality of log files from said plurality of client networks via a communication network;

a plurality of server machines, each of said plurality of server machines operable to execute a third-party security product and log associated third-party assessment attributes of at least one suspect entity into at least one log file; and

said plurality of client networks, each of said plurality of client networks operable to connect with at least one of said plurality of server machines;

wherein said crowdsourcing log analysis system is operable to generate a risk factor for said at least one suspect entity based upon at least a plurality of said third-party assessment attributes.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A crowdsourcing log analysis system and methods for protecting computers and networks from malware attacks by analyzing data log information obtained from a plurality of client network. The client networks are associated with a set of network entities representing a plurality of business units or customers. The system may further comprise a plurality of server machines, each operable to execute a security product associated with a security product vendor and log associated information of at the network entities into at least one log file. The log files may be uploaded onto a breach detection platform for analysis based upon crowdsourcing principles and is operable to generate a risk factor attribute for at least one suspect entity.

79 Citations

View as Search Results

27 Claims

1. A crowdsourcing log analysis system for protecting a plurality of client networks from security threats, each of said plurality of client networks is associated with a set of network entities, said system comprising:
- at least one breach detection platform operable to receive a plurality of log files from said plurality of client networks via a communication network;
  
  a plurality of server machines, each of said plurality of server machines operable to execute a third-party security product and log associated third-party assessment attributes of at least one suspect entity into at least one log file; and
  
  said plurality of client networks, each of said plurality of client networks operable to connect with at least one of said plurality of server machines;
  
  wherein said crowdsourcing log analysis system is operable to generate a risk factor for said at least one suspect entity based upon at least a plurality of said third-party assessment attributes.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The crowdsourcing log analysis system of claim 1, wherein said at least one suspect entity is selected from a group consisting of:
    - an external network entity, an internal network entity, a URL pattern, a destination host, a user agent and combinations thereof.
  - 3. The crowdsourcing log analysis system of claim 1, wherein said at least one breach detection platform is operable to collect data pertaining to said set of network entities, to normalize said data and to store the normalized data into at least one entity record of a data repository.
  - 4. The crowdsourcing log analysis system of claim 1, wherein said risk factor is selected from a group consisting of:
    - malicious, non-malicious, threatening, non-threatening, legitimate and suspicious.
  - 5. The crowdsourcing log analysis system of claim 1, wherein said at least one breach detection platform is further operable to generate an output report comprising data pertaining to the risk factor associated with said at least one suspect entity.
  - 6. The crowdsourcing log analysis system of claim 5, wherein said output report is configured to be transmitted via said communication network to one of said plurality of client networks.
  - 7. The crowdsourcing log analysis system of claim 1, wherein said at least one breach detection platform is further operable to generate an alert associated with a detectable security incident associated with one of said set of network entities, said alert is configured to be transmitted via said communication network.

8. A method for generating a risk factor for protecting a plurality of client networks from security threats, each of said plurality of client networks is associated with a set of network entities, for use in a system comprising at least one breach detection platform and a plurality of server machines associated with said plurality of client networks, each of said plurality of server machines operable to execute at least one third-party security product and log associated information, said at least one breach detection platform and said plurality of server machines being connected via a communication network,said method for operating said at least one breach detection platform in an improved manner, the method comprising:
- retrieving, via said communication network, a plurality of log files from said plurality of client networks, each of said plurality of log files comprising at least one log record structured in a plurality of a third-party formats (TPF);
  
  normalizing each of said plurality of log files by mapping a plurality of assessment attributes pertaining to at least one suspect entity from said plurality of third-party format into a standard format of at least one entity record;
  
  aggregating said plurality of log files into at least one data repository; and
  
  generating a risk factor for said at least one suspect entity, said risk factor characterized by an entity score.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 9. The method of claim 8, wherein said at least one suspect entity is selected from a group consisting of:
    - an external network entity, an internal network entity, a URL pattern, a destination host, a user agent and combinations thereof.
  - 10. The method of claim 8, wherein said entity score is selected from a group consisting of:
    - a Boolean value, a numerical value, a unit interval, a value within a range, a percentage value, a decimal value, a numerical ratio value, a key word, a descriptive text, a tagged label and combinations thereof.
  - 11. The method of claim 8, wherein said risk factor is selected from a group consisting of:
    - malicious, non-malicious, threatening, non-threatening, legitimate and suspicious.
  - 12. The method of claim 8, wherein said data repository comprises at least one database.
  - 13. The method of claim 8, wherein the step of aggregating said plurality of log files comprises:
    - retrieving at least one assessment attribute from said at least one log record;
      
      associating said at least one assessment attribute with a new entity record; and
      
      storing said new entity record.
  - 14. The method of claim 8, wherein the step of aggregating said plurality of log files comprises:
    - retrieving at least one assessment attribute from said at least one log record;
      
      associating said at least one assessment attribute with an existing entity record; and
      
      updating said existing entity record.
  - 15. The method of claim 8, wherein the step of generating said risk factor for at least one suspect entity comprises:
    - performing a voting analysis by assigning to said at least one suspect entity the count of said at least one third-party security product determining that one of said set of network entities is considered as a malicious entity.
  - 16. The method of claim 15, wherein the step of performing voting analysis further comprises:
    - performing rule mapping analysis such that said entity score is mapped to a known entity score.
  - 17. The method of claim 8, wherein the step of generating a risk factor for at least one suspect entity comprises:
    - assigning a weighting factor to said at least one third-party security product, said weighting factor representing risk factor reliability of the at least one third-party security product;
      
      generating a weighted risk value for each of said set of network entities, said weighted risk value being the product of the risk rating assigned by said at least one third-party security product and the associated weighting factor; and
      
      finding the average value of a plurality of said weighted risk values.
  - 18. The method of claim 8, wherein the step of generating a risk factor for at least one suspect entity comprises utilizing a machine learning classifier.
  - 19. The method of claim 8, wherein further comprising the step of:
    - generating an output report comprising data pertaining to the risk factor associated with each of said set of network entities.
  - 20. The method of claim 19, wherein said output report is configured to be transmitted via said communication network to one of said plurality of client networks.
  - 21. The method of claim 8, wherein further comprising the step of:
    - generating an alert associated with a detectable security incident associated with one of said set of network entities, said alert is configured to be transmitted via said communication network.
  - 22. The method of claim 8, wherein said step of generating a risk factor further comprises:
    - classifying said each of said set of network entities according to associated said entity score; and
      
      storing data pertaining to said risk factor into a classification database.
  - 23. The method of claim 8, wherein said step of generating a risk factor further comprises:
    - generating an output list of potentially compromised network entities, if said risk factor indicates that said at least one suspect entity is malicious, said output list comprising each of said set of network entities communicating with said at least one suspect entity.

24. A method for protecting a plurality of client networks from security threats using a crowdsourcing log analysis system, said system comprising at least one breach detection platform, a plurality of server machines associated with at least one of said plurality of client networks, each of said plurality of server machines operable to execute a product associated with a security product vendor and log associated information of at least one of a set of network entities into at least one log file, said system connectable with said plurality of client networks via a communication network,said method for operating each of said plurality of client networks in an improved manner, the method comprising:
- connecting, via said communication network, to said at least one breach detection platform, said platform comprising at least one data repository connectable via a computer network;
  
  uploading, via said communication network, said at least one log file to said at least one breach detection platform; and
  
  receiving, via said communication network, a risk factor attribute associated with a detectable security event associated with said at least one of said set of network entities.
- View Dependent Claims (25, 26, 27)
- - 25. The method of claim 24, wherein said step of receiving a risk factor attribute, comprises:
    - receiving, via said communication network, at least one report comprising data pertaining to said risk factor attribute.
  - 26. The method of claim 24, wherein said step of receiving a risk factor attribute, comprises:
    - receiving, via said communication network, at least one alert comprising data pertaining to said risk factor indicating a malicious activity associated with said at least one of said set of network entities.
  - 27. The method of claim 24, wherein said risk factor is selected from a group consisting of:
    - malicious, non-malicious, threatening, non-threatening, legitimate and suspicious.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CNP Limited
Original Assignee
Seculert Ltd. (Radware Limited)
Inventors
Raff, Aviv, Peri, Doron, Lotem, Amnon

Granted Patent

US 10,397,246 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

SYSTEM AND METHODS FOR MALWARE DETECTION USING LOG BASED CROWDSOURCING ANALYSIS

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

79 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHODS FOR MALWARE DETECTION USING LOG BASED CROWDSOURCING ANALYSIS

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links