Systems and methods for identifying similar hosts
Abstract
Systems and methods for identifying potentially compromised devices using attributes of a known compromised device may be provided. In one embodiment, an attribute set can be constructed for the compromised hosts from log data. Weights can be assigned to each attribute in the attribute set initially, and further weights can be learned from audits performed by a user. This attribute set can be used in the disclosed systems and methods to identify hosts that are similar to compromised hosts. Hosts identified as similar can be used as hosts for deception mechanisms, taken off the network as likely compromised or likely to become compromised, or quarantined.
30 Claims

1. A computer-implemented method comprising:
- determining a query item, wherein the query item is associated with a compromised host of a plurality of hosts;
- selecting an attribute associated with the query item;
- assigning an attribute weight to the attribute;
- identifying a query attribute value associated with the attribute and the query item;
- weighting the query attribute value using the attribute weight;
- determining a first distance between the weighted query attribute value and a random value;
- identifying a candidate item, wherein the candidate item includes a host of the plurality of hosts;
- identifying a candidate attribute value associated with the attribute and the candidate item;
- weighting the candidate attribute value using the attribute weight;
- determining a second distance between the weighted candidate attribute value and the random value;
- determining a third distance between the first distance and the second distance; and
- characterizing the candidate item as a similar item to the query item when the third distance is within a threshold value, wherein when input corresponding to feedback is received, a similarity value for the similar item is generated using the feedback, and the attribute weight is automatically optimized using the similarity value.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.

12. A network device comprising:
- one or more processors; and
- a non-transitory computer-readable medium containing instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including:
  - determining a query item, wherein the query item is associated with a compromised host of a plurality of hosts;
  - selecting an attribute associated with the query item;
  - assigning an attribute weight to the attribute;
  - identifying a query attribute value associated with the attribute and the query item;
  - weighting the query attribute value using the attribute weight;
  - determining a first distance between the weighted query attribute value and a random value;
  - identifying a candidate item, wherein the candidate item includes a host of the plurality of hosts;
  - identifying a candidate attribute value associated with the attribute and the candidate item;
  - weighting the candidate attribute value using the attribute weight;
  - determining a second distance between the weighted candidate attribute value and the random value;
  - determining a third distance between the first distance and the second distance; and
  - characterizing the candidate item as a similar item to the query item when the third distance is within a threshold value, wherein when input corresponding to feedback is received, a similarity value for the similar item is generated using the feedback, and the attribute weight is automatically optimized using the similarity value.

Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 22.

23. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium of a network device, including instructions that, when executed by the one or more processors, cause the one or more processors to:
- determine a query item, wherein the query item is associated with a compromised host of a plurality of hosts;
- select an attribute associated with the query item;
- assign an attribute weight to the attribute;
- identify a query attribute value associated with the attribute and the query item;
- weight the query attribute value using the attribute weight;
- determine a first distance between the weighted query attribute value and a random value;
- identify a candidate item, wherein the candidate item includes a host of the plurality of hosts;
- identify a candidate attribute value associated with the attribute and the candidate item;
- weight the candidate attribute value using the attribute weight;
- determine a second distance between the weighted candidate attribute value and the random value;
- determine a third distance between the first distance and the second distance; and
- characterize the candidate item as a similar item to the query item when the third distance is within a threshold value, wherein when input corresponding to feedback is received, a similarity value for the similar item is generated using the feedback, and the attribute weight is automatically optimized using the similarity value.

Dependent claims: 24, 25, 26, 27, 28, 29, 30.
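As an added example (not code from the patent or its assignee), the following Python carries the steps of claim 1 through over a few constructed hosts: each weighted attribute value is compared to a random value, the resulting first and second distances are compared, and a candidate is marked similar when the third distance is within the threshold, after which analyst feedback adjusts the attribute weights. Summing per-attribute third distances across several attributes, sharing one random value per attribute across candidates, and the particular feedback-driven weight update rule are assumptions, since the claim does not specify them.

```python
import random

# Constructed sample data (not from the patent): per-host attribute values
# already normalised to [0, 1], e.g. ratio of outbound connections to external
# addresses, share of failed logins, relative uptime.
HOSTS = {
    "compromised-01": {"ext_conn_ratio": 0.9, "failed_logins": 0.8, "uptime": 0.2},
    "host-a": {"ext_conn_ratio": 0.85, "failed_logins": 0.75, "uptime": 0.3},
    "host-b": {"ext_conn_ratio": 0.1, "failed_logins": 0.05, "uptime": 0.9},
}

def attribute_distance(query_val, cand_val, weight, rand_val):
    """Claim 1 for one attribute: first distance (weighted query value to the
    random value), second distance (weighted candidate value to the same random
    value), third distance between the two."""
    first = abs(weight * query_val - rand_val)
    second = abs(weight * cand_val - rand_val)
    return abs(first - second)

def find_similar(hosts, query_id, weights, threshold, rand_vals=None):
    """Return (similar_ids, per_candidate); per_candidate maps a host id to its
    aggregate third distance and the per-attribute third distances. Summing over
    attributes is an assumption: the claim is written for a single attribute."""
    if rand_vals is None:  # assumption: one random value per attribute, shared by all candidates
        rng = random.Random()
        rand_vals = {a: rng.random() for a in weights}
    query = hosts[query_id]
    per_candidate = {}
    for cand_id, cand in hosts.items():
        if cand_id == query_id:
            continue
        d3 = {a: attribute_distance(query[a], cand[a], weights[a], rand_vals[a])
              for a in weights}
        per_candidate[cand_id] = (sum(d3.values()), d3)
    similar = sorted(c for c, (agg, _) in per_candidate.items() if agg <= threshold)
    return similar, per_candidate

def optimize_weights(weights, d3_by_attr, feedback, lr=0.2):
    """Assumed rule for the claim's feedback step: the analyst verdict (1.0 =
    truly similar, 0.0 = not) is taken as the similarity value; attributes that
    reported a small third distance are reinforced on a positive verdict and
    penalised on a negative one. Weights stay non-negative."""
    sign = 2.0 * float(feedback) - 1.0
    new = {}
    for a, w in weights.items():
        agreement = 1.0 - min(d3_by_attr[a], 1.0)  # small distance: attribute "voted" similar
        new[a] = max(0.0, w + lr * sign * agreement)
    return new
```

One caveat the third distance carries: two attribute values equidistant from the random value on opposite sides (for example 0.9 and 0.1 against a random value of 0.5 at weight 1) give a third distance of 0 and look identical, so a production implementation would draw several random values per attribute rather than one.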
Specification