Event-based attack detection

US 8,839,435 B1
Filed: 11/04/2011
Issued: 09/16/2014
Est. Priority Date: 11/04/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

accessing, by one or more computers, information about event logs that correspond to the event logs of a particular computing device and one or more computing devices;

identifying a particular event from the accessed information;

determining a hash value of a file or a process associated with the particular event;

comparing the determined hash value with an expected hash value for the file or the process;

comparing, by one or more computers, the accessed information for the particular event from the particular computing device with the accessed information for the particular event from the one or more computing devices;

determining that the particular event is an unusual event based on results of comparing the accessed information for the particular event from the particular computing device with the accessed information for the particular event from the one or more computing devices and of comparing the determined hash value with an expected hash value for the file or the process;

accessing, from a database, one or more risk factors for a malware attack on a computing device;

comparing the unusual event against the accessed risk factors;

determining, based on results of comparing the unusual event against the accessed risk factors, whether the unusual event satisfies at least one of the risk factors; and

verifying whether the unusual event is the malware attack when at least one of the risk factors is satisfied.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Event-based attack detection is described. In some implementations, an attack on a computing device can be detected by identifying unusual events, or unusual sequences of events, that occurred on the computing device. A computing device can log events that occur on the computing device. In some implementations, the unusualness of an event, or sequence of events, on the computing device can be determined based on a comparison of events logged by the computing device and events logged by other computing devices. Other implementations are described.

52 Citations

View as Search Results

30 Claims

1. A method comprising:
- accessing, by one or more computers, information about event logs that correspond to the event logs of a particular computing device and one or more computing devices;
  
  identifying a particular event from the accessed information;
  
  determining a hash value of a file or a process associated with the particular event;
  
  comparing the determined hash value with an expected hash value for the file or the process;
  
  comparing, by one or more computers, the accessed information for the particular event from the particular computing device with the accessed information for the particular event from the one or more computing devices;
  
  determining that the particular event is an unusual event based on results of comparing the accessed information for the particular event from the particular computing device with the accessed information for the particular event from the one or more computing devices and of comparing the determined hash value with an expected hash value for the file or the process;
  
  accessing, from a database, one or more risk factors for a malware attack on a computing device;
  
  comparing the unusual event against the accessed risk factors;
  
  determining, based on results of comparing the unusual event against the accessed risk factors, whether the unusual event satisfies at least one of the risk factors; and
  
  verifying whether the unusual event is the malware attack when at least one of the risk factors is satisfied.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein comparing the accessed information for the particular event from the particular computing device with the accessed information for the particular event from the one or more computing devices comprises comparing a number of times the particular event occurs in the particular computing device with a number of times other events occur in the particular computing device.
  - 3. The method of claim 1, wherein comparing the accessed information for the particular event from the particular computing device with the accessed information for the particular event from the one or more computing devices comprises comparing a number of times the particular event occurs in the particular computing device with a number of times the particular event occurs in the other computing devices.
  - 4. The method of claim 1, wherein verifying whether the unusual event is a malware attack comprises:
    - assigning a risk rating count to account for a number of the risk factors for the unusual event;
      
      determining if the unusual event satisfies at least a threshold amount of the risk rating count for the number of the risk factors;
      
      associating information for the unusual event with a malware attack based on the determination that the risk rating count satisfies at least the threshold amount; and
      
      determining whether the unusual event is not the malware attack based on the associated information.
  - 5. The method of claim 4, further comprising:
    - receiving information for the threshold amount; and
      
      enabling the threshold amount to be a variable threshold amount.
  - 6. The method of claim 4, further comprising:
    - receiving, through a graphical user interface (GUI), a user input for varying the threshold amount for the computing device; and
      
      determining that the threshold amount is to be varied based on the received user input.
  - 7. The method of claim 1, wherein the verifying comprises:
    - assigning a risk rating corresponding to the unusual event;
      
      determining whether the unusual event in the stored event logs satisfies one of the risk factors;
      
      adjusting the risk rating based on whether the risk factor is satisfied;
      
      determining if the unusual event satisfies at least a threshold for the risk rating for the malware attack;
      
      determining that the unusual event is the malware attack based upon satisfying at least the threshold; and
      
      determining that the unusual event is not the malware attack based upon not satisfying the threshold.
  - 8. The method of claim 7, wherein adjusting the risk rating comprises:
    - increasing the risk rating based upon the determination that the risk factor is satisfied; and
      
      decreasing the risk rating based upon the determination that the risk factor is not satisfied.
  - 9. The method of claim 7, further comprising adjusting the risk rating based on whether each of the respective risk factors is satisfied.
  - 10. The method of claim 1, wherein the unusual event comprises an unusual sequence of events.

11. A non-transitory computer-readable medium including one or more sequences of instructions which, when executed by one or more processors, causes:
- accessing, by one or more computers, information about event logs that correspond to the event logs of a particular computing device and one or more computing devices;
  
  identifying a particular event from the accessed information;
  
  determining a hash value of a file or a process associated with the particular event;
  
  comparing the determined hash value with an expected hash value of the file or the process;
  
  comparing, by one or more computers, the accessed information for the particular event from the particular computing device with the accessed information for the particular event from the one or more computing devices;
  
  determining that the particular event is an unusual event based on results of comparing the accessed information for the particular event from the particular computing device with the accessed information for the particular event from the one or more computing devices and of comparing the determined hash value with an expected hash value of the file or the process;
  
  accessing, from a database, one or more risk factors for a malware attack on a computing device;
  
  comparing the unusual event against the accessed risk factors;
  
  determining, based on results of comparing the unusual event against the accessed risk factors, whether the unusual event satisfies at least one of the risk factors; and
  
  verifying whether the unusual event is the malware attack when at least one of the risk factors is satisfied.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The non-transitory computer-readable medium of claim 11, wherein the instructions that cause comparing the accessed information for the particular event from the particular computing device with the accessed information for the particular event from the one or more computing devices comprises comparing a number of times the particular event occurs in the particular computing device with a number of times other events occur in the particular computing device.
  - 13. The non-transitory computer-readable medium of claim 11, wherein the instructions that cause comparing the accessed information for the particular event from the particular computing device with the accessed information for the particular event from the one or more computing devices comprises comparing a number of times the particular event occurs in the particular computing device with a number of times the particular event occurs in the other computing devices.
  - 14. The non-transitory computer-readable medium of claim 11, wherein the instructions that cause verifying whether the unusual event is a malware attack comprise instructions that cause:
    - assigning a risk rating count to account for a number of the risk factors for the unusual event;
      
      determining if the unusual event satisfies at least a threshold amount of the risk rating count for the number of the risk factors;
      
      associating information for the unusual event with a malware attack based on the determination that the risk rating count satisfies at least the threshold amount; and
      
      determining whether the unusual event is not the malware attack based on the associated information.
  - 15. The non-transitory computer-readable medium of claim 14, wherein the instructions include instructions that cause:
    - receiving information for the threshold amount; and
      
      enabling the threshold amount to be a variable threshold amount.
  - 16. The non-transitory computer-readable medium of claim 14, wherein the instructions include instructions that cause:
    - receiving, through a graphical user interface (GUI), a user input for varying the threshold amount for the computing device; and
      
      determining that the threshold amount is to be varied based on the received user input.
  - 17. The non-transitory computer-readable medium of claim 11, wherein the instructions that cause verifying comprise instructions that cause:
    - assigning a risk rating corresponding to the unusual event;
      
      determining whether the unusual event in the stored event logs satisfies one of the risk factors;
      
      adjusting the risk rating based on whether the risk factor is satisfied;
      
      determining if the unusual event satisfies at least a threshold for the risk rating for the malware attack;
      
      determining that the unusual event is the malware attack based upon satisfying at least the threshold; and
      
      determining that the unusual event is not the malware attack based upon not satisfying the threshold.
  - 18. The non-transitory computer-readable medium of claim 17, wherein the instructions that cause adjusting the risk rating comprise instructions that cause:
    - increasing the risk rating based upon the determination that the risk factor is satisfied; and
      
      decreasing the risk rating based upon the determination that the risk factor is not satisfied.
  - 19. The non-transitory computer-readable medium of claim 17, wherein the instructions include instructions that cause adjusting the risk rating based on whether each of the respective risk factors is satisfied.
  - 20. The non-transitory computer-readable medium of claim 11, wherein the unusual event comprises an unusual sequence of events.

21. A system comprising:
- one or more processors; and
  
  a non-transitory computer-readable medium including one or more sequences of instructions which, when executed by the one or more processors, causes;
  
  accessing, by one or more computers, information about event logs that correspond to the event logs of a particular computing device and one or more computing devices;
  
  identifying a particular event from the accessed information;
  
  determining a hash value of a file or a process associated with the particular event;
  
  comparing the determined hash value with an expected hash value of the file or the process;
  
  comparing, by one or more computers, the accessed information for the particular event from the particular computing device with the accessed information for the particular event from the one or more computing devices;
  
  determining that the particular event is an unusual event based on results of comparing the accessed information for the particular event from the particular computing device with the accessed information for the particular event from the one or more computing devices and of comparing the determined hash value with an expected hash value of the file or the process;
  
  accessing, from a database, one or more risk factors for a malware attack on a computing device;
  
  comparing the unusual event against the accessed risk factors;
  
  determining, based on results of comparing the unusual event against the accessed risk factors, whether the unusual event satisfies at least one of the risk factors; and
  
  verifying whether the unusual event is the malware attack when at least one of the risk factors is satisfied.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The system of claim 21, wherein the instructions that cause comparing the accessed information for the particular event from the particular computing device with the accessed information for the particular event from the one or more computing devices comprises comparing a number of times the particular event occurs in the particular computing device with a number of times other events occur in the particular computing device.
  - 23. The system of claim 21, wherein the instructions that cause comparing the accessed information for the particular event from the particular computing device with the accessed information for the particular event from the one or more computing devices comprises comparing a number of times the particular event occurs in the particular computing device with a number of times the particular event occurs in the other computing devices.
  - 24. The system of claim 21, wherein the instructions that cause verifying whether the unusual event is a malware attack comprise instructions that cause:
    - assigning a risk rating count to account for a number of the risk factors for the unusual event;
      
      determining if the unusual event satisfies at least a threshold amount of the risk rating count for the number of the risk factors;
      
      associating information for the unusual event with a malware attack based on the determination that the risk rating count satisfies at least the threshold amount; and
      
      determining whether the unusual event is not the malware attack based on the associated information.
  - 25. The system of claim 24, wherein the instructions include instructions that cause:
    - receiving information for the threshold amount; and
      
      enabling the threshold amount to be a variable threshold amount.
  - 26. The system of claim 24, wherein the instructions include instructions that cause:
    - receiving, through a graphical user interface (GUI), a user input for varying the threshold amount for the computing device; and
      
      determining that the threshold amount is to be varied based on the received user input.
  - 27. The system of claim 21, wherein the instructions that cause verifying comprise instructions that cause:
    - assigning a risk rating corresponding to the unusual event;
      
      determining whether the unusual event in the stored event logs satisfies one of the risk factors;
      
      adjusting the risk rating based on whether the risk factor is satisfied;
      
      determining if the unusual event satisfies at least a threshold for the risk rating for the malware attack;
      
      determining that the unusual event is the malware attack based upon satisfying at least the threshold; and
      
      determining that the unusual event is not the malware attack based upon not satisfying the threshold.
  - 28. The system of claim 27, wherein the instructions that cause adjusting the risk rating comprise instructions that cause:
    - increasing the risk rating based upon the determination that the risk factor is satisfied; and
      
      decreasing the risk rating based upon the determination that the risk factor is not satisfied.
  - 29. The system of claim 27, wherein the instructions include instructions that cause adjusting the risk rating based on whether each of the respective risk factors is satisfied.
  - 30. The system of claim 21, wherein the unusual event comprises an unusual sequence of events.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
King, Paul
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Shayanfar, Ali

Application Number

US13/289,147
Time in Patent Office

1,047 Days
Field of Search

726 22- 24
US Class Current

726/24
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 2221/2115   Third party

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Event-based attack detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

52 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Event-based attack detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links