Event-based attack detection
First Claim
1. A method comprising:
- accessing, by one or more computers, information about event logs that correspond to the event logs of a particular computing device and one or more computing devices;
- identifying a particular event from the accessed information;
- determining a hash value of a file or a process associated with the particular event;
- comparing the determined hash value with an expected hash value for the file or the process;
- comparing, by one or more computers, the accessed information for the particular event from the particular computing device with the accessed information for the particular event from the one or more computing devices;
- determining that the particular event is an unusual event based on results of comparing the accessed information for the particular event from the particular computing device with the accessed information for the particular event from the one or more computing devices and of comparing the determined hash value with an expected hash value for the file or the process;
- accessing, from a database, one or more risk factors for a malware attack on a computing device;
- comparing the unusual event against the accessed risk factors;
- determining, based on results of comparing the unusual event against the accessed risk factors, whether the unusual event satisfies at least one of the risk factors; and
- verifying whether the unusual event is the malware attack when at least one of the risk factors is satisfied.
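The steps of claim 1 form a pipeline: hash the file or process behind an event, compare the hash to an expected value, compare the event against what other devices in the fleet logged, decide whether it is unusual, and only then test it against a database of risk factors before flagging it for verification. The Python below is an added illustration of that pipeline, not code from the patent or its assignee. The event records, file contents, expected-hash table, fleet-prevalence threshold and the two risk factors (hash mismatch, execution from a user-writable path) are all constructed for the example and are not taken from the patent text.

```python
"""Event-based attack detection: a worked illustration of the claim-1 pipeline.

Everything here (hosts, file bytes, expected hashes, risk factors) is constructed
sample data for the example; it is not the patent's own implementation.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    device: str    # which computing device logged the event
    kind: str      # event type, e.g. "process_start"
    path: str      # path of the file or process image associated with the event
    content: bytes # bytes of that file/process image (embedded so the example runs offline)


def sha256_hex(data: bytes) -> str:
    """Step: determine a hash value of the file or process."""
    return hashlib.sha256(data).hexdigest()


# Constructed fleet log: four hosts run the stock updater from its usual path,
# host-04 additionally runs a modified copy from /tmp, and host-05 runs a
# modified copy that still sits at the expected path.
STOCK_UPDATER = b"stock updater binary v1 (constructed sample)"
MODIFIED_UPDATER = b"stock updater binary v1 (constructed sample) + injected stub"

EVENT_LOGS = [
    Event("host-01", "process_start", "/usr/bin/updater", STOCK_UPDATER),
    Event("host-02", "process_start", "/usr/bin/updater", STOCK_UPDATER),
    Event("host-03", "process_start", "/usr/bin/updater", STOCK_UPDATER),
    Event("host-04", "process_start", "/usr/bin/updater", STOCK_UPDATER),
    Event("host-04", "process_start", "/tmp/updater", MODIFIED_UPDATER),
    Event("host-05", "process_start", "/usr/bin/updater", MODIFIED_UPDATER),
]

# Expected hashes for known binaries (constructed; in practice a software inventory).
EXPECTED_HASHES = {"/usr/bin/updater": sha256_hex(STOCK_UPDATER)}

# The "database" of risk factors: name -> predicate over (event, hash_ok).
# Both factors are constructed examples, not factors named by the patent.
RISK_FACTORS = {
    "hash_mismatch": lambda ev, hash_ok: not hash_ok,
    "writable_location": lambda ev, hash_ok: ev.path.startswith(("/tmp/", "/dev/shm/")),
}


def hash_matches_expected(event: Event) -> bool:
    """Step: compare the determined hash with the expected hash for the path.

    A path with no recorded expected hash is treated as a mismatch: there is
    nothing to vouch for it.
    """
    expected = EXPECTED_HASHES.get(event.path)
    return expected is not None and sha256_hex(event.content) == expected


def fleet_prevalence(event: Event, logs: list[Event]) -> float:
    """Step: compare this device's event with the same event on other devices.

    Returns the fraction of *other* devices that logged the same (kind, path).
    """
    others = {e.device for e in logs if e.device != event.device}
    if not others:
        return 0.0
    seen_on = {
        e.device
        for e in logs
        if e.device != event.device and (e.kind, e.path) == (event.kind, event.path)
    }
    return len(seen_on) / len(others)


def is_unusual(event: Event, logs: list[Event], min_prevalence: float = 0.5) -> bool:
    """Step: unusual if rare across the fleet OR the hash does not match."""
    return fleet_prevalence(event, logs) < min_prevalence or not hash_matches_expected(event)


def satisfied_risk_factors(event: Event) -> list[str]:
    """Step: compare the event against the risk-factor database."""
    hash_ok = hash_matches_expected(event)
    return [name for name, pred in RISK_FACTORS.items() if pred(event, hash_ok)]


def assess(event: Event, logs: list[Event]) -> dict:
    """Run the full pipeline for one event.

    Risk factors are only consulted for unusual events; an unusual event that
    satisfies at least one factor is handed on for verification (the final
    claim step), which here means flagging it rather than deciding it is malware.
    """
    unusual = is_unusual(event, logs)
    factors = satisfied_risk_factors(event) if unusual else []
    return {
        "device": event.device,
        "path": event.path,
        "sha256": sha256_hex(event.content),
        "unusual": unusual,
        "risk_factors": factors,
        "needs_verification": unusual and bool(factors),
    }


if __name__ == "__main__":
    for ev in EVENT_LOGS:
        print(assess(ev, EVENT_LOGS))
```

Two things the example makes concrete that the claim language leaves implicit: an event can be unusual for either reason on its own (host-05's binary is at the expected path and common across the fleet, but its hash is wrong), and the cross-device comparison is relative to the other devices, so a single host can never be "common" by itself.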
1 Assignment
0 Petitions
Abstract
Event-based attack detection is described. In some implementations, an attack on a computing device can be detected by identifying unusual events, or unusual sequences of events, that occurred on the computing device. A computing device can log events that occur on the computing device. In some implementations, the unusualness of an event, or sequence of events, on the computing device can be determined based on a comparison of events logged by the computing device and events logged by other computing devices. Other implementations are described.
52 Citations
30 Claims
1. A method comprising:
- accessing, by one or more computers, information about event logs that correspond to the event logs of a particular computing device and one or more computing devices;
- identifying a particular event from the accessed information;
- determining a hash value of a file or a process associated with the particular event;
- comparing the determined hash value with an expected hash value for the file or the process;
- comparing, by one or more computers, the accessed information for the particular event from the particular computing device with the accessed information for the particular event from the one or more computing devices;
- determining that the particular event is an unusual event based on results of comparing the accessed information for the particular event from the particular computing device with the accessed information for the particular event from the one or more computing devices and of comparing the determined hash value with an expected hash value for the file or the process;
- accessing, from a database, one or more risk factors for a malware attack on a computing device;
- comparing the unusual event against the accessed risk factors;
- determining, based on results of comparing the unusual event against the accessed risk factors, whether the unusual event satisfies at least one of the risk factors; and
- verifying whether the unusual event is the malware attack when at least one of the risk factors is satisfied.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10

11. A non-transitory computer-readable medium including one or more sequences of instructions which, when executed by one or more processors, causes:
- accessing, by one or more computers, information about event logs that correspond to the event logs of a particular computing device and one or more computing devices;
- identifying a particular event from the accessed information;
- determining a hash value of a file or a process associated with the particular event;
- comparing the determined hash value with an expected hash value of the file or the process;
- comparing, by one or more computers, the accessed information for the particular event from the particular computing device with the accessed information for the particular event from the one or more computing devices;
- determining that the particular event is an unusual event based on results of comparing the accessed information for the particular event from the particular computing device with the accessed information for the particular event from the one or more computing devices and of comparing the determined hash value with an expected hash value of the file or the process;
- accessing, from a database, one or more risk factors for a malware attack on a computing device;
- comparing the unusual event against the accessed risk factors;
- determining, based on results of comparing the unusual event against the accessed risk factors, whether the unusual event satisfies at least one of the risk factors; and
- verifying whether the unusual event is the malware attack when at least one of the risk factors is satisfied.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20

21. A system comprising:
- one or more processors; and
- a non-transitory computer-readable medium including one or more sequences of instructions which, when executed by the one or more processors, causes:
- accessing, by one or more computers, information about event logs that correspond to the event logs of a particular computing device and one or more computing devices;
- identifying a particular event from the accessed information;
- determining a hash value of a file or a process associated with the particular event;
- comparing the determined hash value with an expected hash value of the file or the process;
- comparing, by one or more computers, the accessed information for the particular event from the particular computing device with the accessed information for the particular event from the one or more computing devices;
- determining that the particular event is an unusual event based on results of comparing the accessed information for the particular event from the particular computing device with the accessed information for the particular event from the one or more computing devices and of comparing the determined hash value with an expected hash value of the file or the process;
- accessing, from a database, one or more risk factors for a malware attack on a computing device;
- comparing the unusual event against the accessed risk factors;
- determining, based on results of comparing the unusual event against the accessed risk factors, whether the unusual event satisfies at least one of the risk factors; and
- verifying whether the unusual event is the malware attack when at least one of the risk factors is satisfied.
Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29, 30
Specification