IDENTIFYING MALWARE-SUSPECT END POINTS THROUGH ENTROPY CHANGES IN CONSOLIDATED LOGS
First Claim
1. A method for detecting a malware attack, comprising:
- monitoring an event log of a first device, wherein the event log identifies events indicating that the first device is likely compromised;
- determining an expected rate of log entries during a time window;
- identifying that an actual rate of log entries during the time window satisfies a threshold;
- determining, in response to the identifying, that the first device is a compromised device; and
- performing an action in response to determining that the first device is a compromised device.
Abstract
Detecting a malware attack includes monitoring an event log of a first device, wherein the event log identifies events indicating that the first device is likely compromised, determining an expected rate of log entries during a time window, identifying that an actual rate of log entries during the time window satisfies a threshold, determining, in response to the identifying, that the first device is a compromised device, and performing an action in response to determining that the first device is a compromised device.
25 Claims
1. A method for detecting a malware attack, comprising the steps set out under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7.
8. A computer readable medium for detecting a malware attack, comprising computer readable code executable by one or more processors to:
- monitor an event log of a first device, wherein the event log identifies events indicating that the first device is likely compromised;
- determine an expected rate of log entries over a predetermined time;
- identify that an actual rate of log entries over the predetermined time satisfies a threshold;
- determine, in response to the identifying, that the first device is a compromised device; and
- perform an action in response to determining that the first device is a compromised device.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A system for detecting a malware attack, comprising:
- one or more processors; and
- one or more memories coupled to the one or more processors and computer readable code stored on the one or more memories and executable by the one or more processors to:
  - monitor an event log of a first device, wherein the event log identifies events indicating that the first device is likely compromised;
  - determine an expected rate of log entries during a time window;
  - identify that an actual rate of log entries during the time window satisfies a threshold;
  - determine, in response to the identifying, that the first device is a compromised device; and
  - perform an action in response to determining that the first device is a compromised device.
Dependent claims: 16, 17, 18, 19, 20, 21.
22. A method for configuring a system for detecting a malware attack, comprising:
- obtaining a data set comprising a plurality of historic log entries for a plurality of endpoints, wherein the plurality of historic log entries each comprise an event identification and an event time;
- identifying, for a particular time window, a subset of log entries comprising an event identification associated with a severity value that satisfies a threshold;
- tagging the subset of log entries as originating from a compromised endpoint; and
- training a machine learning algorithm to generate a classifier based on the plurality of historic log entries and the tagged subset of log entries.
Dependent claims: 23, 24, 25.
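The detection method of claim 1 (expected rate per window, actual rate tested against a threshold, a response action) and the labelling-and-training step of claim 22 (windows containing a high-severity event tagged as compromised, a classifier fitted to those tags), run over a constructed event log. This is an added example and not code from the patent or its assignee. Everything beyond the claims' own vocabulary is an assumption made here: the "host timestamp event_id" log format, the 60-second window, the "actual at least 3x expected" rule, the severity table, the "isolate" action, and the event-ID entropy feature, which is included only because the title refers to entropy changes in consolidated logs.

```python
"""Rate-based compromise detection over a consolidated event log.

Added illustration of claims 1 and 22; not code from the patent. The log
format, window size, ratio rule, severity table, action and entropy feature
below are assumptions made for this example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from math import log2

WINDOW = 60             # seconds per time window (assumed)
RATIO_THRESHOLD = 3.0   # actual count must be >= this multiple of expected (assumed)
MIN_HISTORY = 3         # windows of history needed before a baseline is trusted (assumed)
SEVERITY = {1102: 10, 4625: 5, 4688: 3, 4624: 1}   # event_id -> severity (assumed table)
SEVERITY_THRESHOLD = 8  # claim 22: an entry at or above this tags its window as compromised


@dataclass(frozen=True)
class LogEntry:
    host: str
    ts: int        # seconds since epoch
    event_id: int


@dataclass(frozen=True)
class WindowFeatures:
    host: str
    idx: int           # window index = ts // WINDOW
    actual: int        # log entries in this window
    expected: float    # mean entries per window over the preceding windows
    entropy: float     # Shannon entropy (bits) of the event-ID mix in the window
    max_severity: int  # highest severity of any entry in the window


def build_sample_log() -> str:
    """Constructed sample: steady logons on two hosts, then a burst of failed
    logons, process creations and an audit-log-cleared event on ws01."""
    lines = [f"ws01 {w * 60 + 10 + 15 * k} 4624" for w in range(5) for k in range(3)]
    burst = [4625] * 5 + [4688] * 3 + [1102] + [4688] * 2 + [4624]
    lines += [f"ws01 {300 + 5 * k} {eid}" for k, eid in enumerate(burst)]
    for w, n in enumerate([2, 3, 2, 3, 3, 2]):
        lines += [f"ws02 {w * 60 + 5 + 20 * k} 4624" for k in range(n)]
    return "\n".join(lines)


def parse_log(text: str) -> list[LogEntry]:
    entries = []
    for line in text.splitlines():
        if line.strip():
            host, ts, eid = line.split()
            entries.append(LogEntry(host, int(ts), int(eid)))
    return entries


def event_entropy(entries: list[LogEntry]) -> float:
    """A host that normally logs one event type has entropy 0; a burst of
    mixed event types pushes it up."""
    if not entries:
        return 0.0
    n = len(entries)
    return -sum(c / n * log2(c / n) for c in Counter(e.event_id for e in entries).values())


def window_features(entries: list[LogEntry]) -> list[WindowFeatures]:
    """Bucket entries per host into fixed windows; for each window with enough
    history, record the actual count and the expected (baseline) count."""
    by_host = defaultdict(lambda: defaultdict(list))
    for e in entries:
        by_host[e.host][e.ts // WINDOW].append(e)
    rows = []
    for host, wins in by_host.items():
        history: list[int] = []
        for idx in range(min(wins), max(wins) + 1):   # windows with no entries count as 0
            ents = wins.get(idx, [])
            if len(history) >= MIN_HISTORY:
                rows.append(WindowFeatures(
                    host, idx, len(ents), sum(history) / len(history),
                    event_entropy(ents),
                    max((SEVERITY.get(e.event_id, 0) for e in ents), default=0)))
            history.append(len(ents))
    return rows


def is_compromised(actual: int, expected: float, ratio: float = RATIO_THRESHOLD) -> bool:
    """Claim 1's threshold test. The max(..., 1.0) floor stops an idle host with a
    zero baseline from being flagged the moment it logs a single entry."""
    return actual >= ratio * max(expected, 1.0)


def detect(log_text: str, ratio: float = RATIO_THRESHOLD) -> list[tuple[str, int, str]]:
    """Claim 1 end to end: (host, window, action) for each window judged compromised."""
    return [(f.host, f.idx, "isolate")   # "isolate" stands in for the claimed action (assumed)
            for f in window_features(parse_log(log_text))
            if is_compromised(f.actual, f.expected, ratio)]


def tag_by_severity(rows: list[WindowFeatures]) -> list[tuple[WindowFeatures, bool]]:
    """Claim 22 labelling: a window holding an entry at or above the severity
    threshold is tagged as originating from a compromised endpoint."""
    return [(r, r.max_severity >= SEVERITY_THRESHOLD) for r in rows]


def train_ratio_threshold(tagged, candidates=(1.5, 2.0, 3.0, 4.0, 5.0)) -> float:
    """Claim 22 training in its simplest form: pick the rate ratio that best
    reproduces the severity tags, breaking ties toward the larger (quieter) ratio."""
    def accuracy(r):
        return sum(is_compromised(f.actual, f.expected, r) == tag for f, tag in tagged)
    return max(candidates, key=lambda r: (accuracy(r), r))


if __name__ == "__main__":
    log = build_sample_log()
    rows = window_features(parse_log(log))
    for f in rows:
        print(f"{f.host} w{f.idx}: actual={f.actual} expected={f.expected:.2f} "
              f"entropy={f.entropy:.2f} max_sev={f.max_severity}")
    print("flagged:", detect(log))
    print("trained ratio:", train_ratio_threshold(tag_by_severity(rows)))
```

On the constructed log only the burst window on ws01 trips the rate test (12 entries against a baseline of 3), and it is also the only window whose event-ID entropy rises above zero and the only one carrying a severity-10 event, so the severity tags and the rate rule agree. The baseline floor in is_compromised is the caveat a deployment needs: without it, a host that was silent during the history windows is "compromised" on its first log line.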