Extracting forensic indicators from activity logs

US 20170026395A1
Filed: 10/06/2016
Published: 01/26/2017
Est. Priority Date: 01/16/2013
Status: Abandoned Application

First Claim

Patent Images

1. A method for computer system forensics, comprising:

receiving an identification of a time of occurrence of an anomalous event in a computer network comprising multiple host computers;

collecting logs of activity of entities in the computer network;

making a comparison between first entries in at least one of the logs collected within a predefined time interval of the time of the occurrence of the anomalous event, and second entries in the at least one of the logs collected outside the predefined time interval; and

based on the comparison, extracting from the logs a forensic indicator associated with the anomalous event.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for computer system forensics includes receiving an identification of a time of occurrence of an anomalous event in a computer network including multiple host computers. Logs of activity of entities in the computer network are collected. A comparison is made between first entries in at least one of the logs collected within a predefined time interval of the time of the occurrence of the anomalous event, and second entries in the at least one of the logs collected outside the predefined time interval. Based on the comparison, a forensic indicator associated with the anomalous event is extracted from the logs.

28 Citations

View as Search Results

18 Claims

1. A method for computer system forensics, comprising:
- receiving an identification of a time of occurrence of an anomalous event in a computer network comprising multiple host computers;
  
  collecting logs of activity of entities in the computer network;
  
  making a comparison between first entries in at least one of the logs collected within a predefined time interval of the time of the occurrence of the anomalous event, and second entries in the at least one of the logs collected outside the predefined time interval; and
  
  based on the comparison, extracting from the logs a forensic indicator associated with the anomalous event.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method according to claim 1, wherein collecting the logs comprises collecting information from a log selected from a set of logs consisting of host computer logs, system event logs, system-wide application event logs, security logs, audit logs, application-specific logs, file system tables, and browsing histories.
  - 3. The method according to claim 1, wherein the identification specifies at least one of the host computers that is associated with the anomalous event, and wherein making the comparison comprises processing log information with respect to the at least one of the host computers.
  - 4. The method according to claim 1, wherein receiving the identification comprises receiving a timestamp associated with an anomalous message transmitted by one of the host computers.
  - 5. The method according to claim 1, wherein extracting the forensic indicator comprises assigning respective scores to lines of the logs in the first entries, and extracting the forensic indicators from the lines that meet a predefined scoring criterion.
  - 6. The method according to claim 1, wherein extracting the forensic indicator comprises providing at least one identifier selected from a group of identifiers consisting of filenames, paths, registry paths, process names, module names, application names, and e-mail GUIDS that appear in the logs.

7. Apparatus for computer system forensics, comprising:
- an interface, which is configured to receive an identification of a time of occurrence of an anomalous event in a computer network comprising multiple host computers; and
  
  a processor, which is configured to collect logs of activity of entities in the computer network, to make a comparison between first entries in at least one of the logs collected within a predefined time interval of the time of the occurrence of the anomalous event, and second entries in the at least one of the logs collected outside the predefined time interval, and based on the comparison, to extract from the logs a forensic indicator associated with the anomalous event.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus according to claim 7, wherein the collected logs comprise information from a log selected from a set of logs consisting of host computer logs, system event logs, system-wide application event logs, security logs, audit logs, application-specific logs, file system tables, and browsing histories.
  - 9. The apparatus according to claim 7, wherein the identification specifies at least one of the host computers that is associated with the anomalous event, and wherein the processor is configured to make the comparison by processing log information with respect to the at least one of the host computers.
  - 10. The apparatus according to claim 7, wherein the identification comprises a timestamp associated with an anomalous message transmitted by one of the host computers.
  - 11. The apparatus according to claim 7, wherein the processor is configured to extract the forensic indicator by assigning respective scores to lines of the logs in the first entries, and taking the forensic indicators from the lines that meet a predefined scoring criterion.
  - 12. The apparatus according to claim 7, wherein the extracted forensic indicator comprises at least one identifier selected from a group of identifiers consisting of filenames, paths, registry paths, process names, module names, application names, and e-mail GUIDS that appear in the logs.

13. A computer software product, comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to receive an identification of a time of occurrence of an anomalous event in a computer network comprising multiple host computers, to collect logs of activity of entities in the computer network, to make a comparison between first entries in at least one of the logs collected within a predefined time interval of the time of the occurrence of the anomalous event, and second entries in the at least one of the logs collected outside the predefined time interval, and based on the comparison, to extract from the logs a forensic indicator associated with the anomalous event.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The product according to claim 13, wherein the collected logs comprise information from a log selected from a set of logs consisting of host computer logs, system event logs, system-wide application event logs, security logs, audit logs, application-specific logs, file system tables, and browsing histories.
  - 15. The product according to claim 13, wherein the identification specifies at least one of the host computers that is associated with the anomalous event, and wherein the instructions cause the computer to make the comparison by processing log information with respect to the at least one of the host computers.
  - 16. The product according to claim 13, wherein the identification comprises a timestamp associated with an anomalous message transmitted by one of the host computers.
  - 17. The product according to claim 13, wherein the instructions cause the computer to extract the forensic indicator by assigning respective scores to lines of the logs in the first entries, and taking the forensic indicators from the lines that meet a predefined scoring criterion.
  - 18. The product according to claim 13, wherein the extracted forensic indicator comprises at least one identifier selected from a group of identifiers consisting of filenames, paths, registry paths, process names, module names, application names, and e-mail GUIDS that appear in the logs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Light Cyber Ltd.
Original Assignee
Light Cyber Ltd.
Inventors
Mumcuoglu, Michael, Engel, Giora, Firstenberg, Eyal

Application Number

US15/286,674
Publication Number

US 20170026395A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

H04L 2463/121   Timestamp cryptographic mec...

H04L 61/4511   using domain name system [DNS]

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Extracting forensic indicators from activity logs

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

28 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Extracting forensic indicators from activity logs

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links