Graph-based Instrusion Detection Using Process Traces

US 20160330226A1
Filed: 07/19/2016
Published: 11/10/2016
Est. Priority Date: 04/16/2015
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malicious processes, comprising:

modeling system data as a graph comprising vertices that represent system entities and edges that represent events between respective system entities, each edge comprising one or more timestamps corresponding respective events between two system entities;

generating a set of valid path patterns that relate to potential attacks; and

determining one or more event sequences in the system to be suspicious based on the graph and the valid path patterns using a random walk on the graph.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for detecting malicious processes include modeling system data as a graph comprising vertices that represent system entities and edges that represent events between respective system entities. Each edge has one or more timestamps corresponding respective events between two system entities. A set of valid path patterns that relate to potential attacks is generated. One or more event sequences in the system are determined to be suspicious based on the graph and the valid path patterns using a random walk on the graph.

37 Citations

20 Claims

1. A method for detecting malicious processes, comprising:
- modeling system data as a graph comprising vertices that represent system entities and edges that represent events between respective system entities, each edge comprising one or more timestamps corresponding respective events between two system entities;
  
  generating a set of valid path patterns that relate to potential attacks; and
  
  determining one or more event sequences in the system to be suspicious based on the graph and the valid path patterns using a random walk on the graph.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the system entities comprise files in the system, processes in the system, UNIX®
    - sockets in the system, and Internet sockets in the system.
  - 3. The method of claim 1, wherein the valid patterns are determined based on properties of the system entity types.
  - 4. The method of claim 3, wherein the valid path patterns are determined based on definitions provided by security experts according to their experiences based on previous intrusion attacks.
  - 5. The method of claim 1, wherein determining the one or more event sequences to be suspicious comprises performing a breadth first search of candidate paths within the graph.
  - 6. The method of claim 5, wherein the breadth first search comprises a time order constraint based on the edge timestamps.
  - 7. The method of claim 1, wherein determining the one or more event sequences to be suspicious comprises determining that the entities on an edge deviate from the normal roles for those entities.
  - 8. The method of claim 7, wherein determining that entities deviate from the normal role for those entities comprises determining a sender score for a sender entity and a receiver score for a receiver entity.
  - 9. The method of claim 8, wherein determining one or more event sequences to be suspicious comprises calculating an anomaly score based on the sender score and receiver score for each entity in each event sequence.
  - 10. The method of claim 9, wherein determining one or more event sequences to be suspicious comprises normalizing anomaly scores using a Box-Cox power transformation.

11. A system for detecting malicious processes, comprising:
- a modeling module configured to model system data as a graph that comprises vertices that represent system entities and edges that represent events between respective system entities, each edge comprising one or more timestamps corresponding respective events between two system entities; and
  
  a malicious process path discovery module comprising a processor configured to generate a set of valid path patterns that relate to potential attacks and to determine one or more event sequences in the system to be suspicious based on the graph and the valid path patterns using a random walk on the graph.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the system entities comprise files in the system, processes in the system, UNIX®
    - sockets in the system, and Internet sockets in the system.
  - 13. The system of claim 11, wherein the malicious process path discovery module is further configured to determine valid patterns based on properties of the system entity types.
  - 14. The system of claim 13, wherein the malicious process path discovery module is further configured to determine valid path patterns based on definitions provided by security experts according to their experiences based on previous intrusion attacks.
  - 15. The system of claim 11, wherein the malicious process path discovery module is further configured to perform a breadth first search of candidate paths within the graph.
  - 16. The system of claim 15, wherein the breadth first search comprises a time order constraint based on the edge timestamps.
  - 17. The system of claim 11, wherein the malicious process path discovery module is further configured to determine whether the entities on an edge deviate from the normal roles for those entities.
  - 18. The system of claim 17, wherein the malicious process path discovery module is further configured to determine a sender score for a sender entity and a receiver score for a receiver entity.
  - 19. The system of claim 18, wherein the malicious process path discovery module is further configured to calculate an anomaly score based on the sender score and receiver score for each entity in each event sequence.
  - 20. The system of claim 19, wherein the malicious process path discovery module is further configured to normalize anomaly scores using a Box-Cox power transformation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
IP Wave Pte. Ltd.
Original Assignee
NEC Laboratories America Inc (NEC Corporation)
Inventors
Dong, Boxiang, Chen, Zhengzhang, Tang, LuAn, Jiang, Guofei, Chen, Haifeng

Granted Patent

US 10,305,917 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 2463/121   Timestamp cryptographic mec...

H04L 41/12   Discovery or management of ...

H04L 41/142   using statistical or mathem...

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Graph-based Instrusion Detection Using Process Traces

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Graph-based Instrusion Detection Using Process Traces

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links