Systems and methods for curating file clusters for security analyses
First Claim
1. A computer-implemented method for curating file clusters for security analyses, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying a suspicious file that exists on at least one computing system within a computing community;
- clustering a set of files that includes the suspicious file into a file cluster based at least in part on at least one characteristic shared by the set of files, wherein clustering the set of files comprises:
  - measuring a degree of similarity among the set of files;
  - determining that the degree of similarity among the set of files is above a similarity threshold; and
  - clustering the set of files into the file cluster due at least in part to the degree of similarity among the files being above the similarity threshold;
- prioritizing at least one file included in the file cluster based at least in part on a contextual value of the file relative to the file cluster by ranking the file higher than at least one other file included in the file cluster due at least in part to the contextual value of the file;
- providing, for presentation to a security analyst, a graphical representation of the file cluster that:
  - highlights the prioritized file relative to the file cluster; and
  - is organized as an ordered list that corresponds to the ranking;
- receiving feedback from the security analyst in connection with the graphical representation of the file cluster provided for presentation to the security analyst; and
- performing at least one security action on the suspicious file based at least in part on feedback received from the security analyst in connection with the graphical representation of the file cluster provided for presentation to the security analyst.
Abstract
The disclosed computer-implemented method for curating file clusters for security analyses may include (1) identifying a suspicious file that exists on at least one computing system within a computing community, (2) clustering a set of files that includes the suspicious file into a file cluster based at least in part on at least one characteristic shared by the set of files, (3) prioritizing at least one file included in the file cluster based at least in part on a contextual value of the file relative to the file cluster, (4) providing, for presentation to a security analyst, a graphical representation of the file cluster that highlights the prioritized file relative to the file cluster, and then (5) performing at least one security action on the suspicious file based at least in part on feedback received from the security analyst. Various other methods, systems, and computer-readable media are also disclosed.
12 Claims
1. (Independent claim; the full text is reproduced under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A system for curating file clusters for security analyses, the system comprising:
- a clustering module, stored in memory, that:
  - identifies a suspicious file that exists on at least one computing system within a computing community; and
  - clusters a set of files that includes the suspicious file into a file cluster based at least in part on at least one characteristic shared by the set of files, wherein the clustering module clusters the set of files by:
    - measuring a degree of similarity among the set of files;
    - determining that the degree of similarity among the set of files is above a similarity threshold; and
    - clustering the set of files into the file cluster due at least in part to the degree of similarity among the files being above the similarity threshold;
- a prioritization module, stored in memory, that prioritizes at least one file included in the file cluster based at least in part on a contextual value of the file relative to the file cluster by ranking the file higher than at least one other file included in the file cluster due at least in part to the contextual value of the file;
- a presentation module, stored in memory, that provides, for presentation to a security analyst, a graphical representation of the file cluster that:
  - highlights the prioritized file relative to the file cluster; and
  - is organized as an ordered list that corresponds to the ranking;
- a security module, stored in memory, that:
  - receives feedback from the security analyst in connection with the graphical representation of the file cluster provided for presentation to the security analyst; and
  - performs at least one security action on the suspicious file based at least in part on feedback received from the security analyst in connection with the graphical representation of the file cluster provided for presentation to the security analyst; and
- at least one physical processor configured to execute the clustering module, the prioritization module, the presentation module, and the security module.
Dependent claim: 11.
12. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify a suspicious file that exists on at least one computing system within a computing community;
- cluster a set of files that includes the suspicious file into a file cluster based at least in part on at least one characteristic shared by the set of files, wherein clustering the set of files comprises:
  - measuring a degree of similarity among the set of files;
  - determining that the degree of similarity among the set of files is above a similarity threshold; and
  - clustering the set of files into the file cluster due at least in part to the degree of similarity among the files being above the similarity threshold;
- prioritize at least one file included in the file cluster based at least in part on a contextual value of the file relative to the file cluster by ranking the file higher than at least one other file included in the file cluster due at least in part to the contextual value of the file;
- provide, for presentation to a security analyst, a graphical representation of the file cluster that:
  - highlights the prioritized file relative to the file cluster; and
  - is organized as an ordered list that corresponds to the ranking;
- receive feedback from the security analyst in connection with the graphical representation of the file cluster provided for presentation to the security analyst; and
- perform at least one security action on the suspicious file based at least in part on feedback received from the security analyst in connection with the graphical representation of the file cluster provided for presentation to the security analyst.
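The claims name the steps (measure similarity, compare to a threshold, cluster, rank by contextual value, present an ordered list, act on analyst feedback) but not the measures. The following Python block is an added illustration, not code from the patent or its assignee, that runs the whole pipeline over a constructed four-file community. Jaccard similarity over imported API names stands in for the "characteristic shared by the set of files", host prevalence for the unspecified "contextual value", and a text list for the graphical representation; all three choices, the file records and the host names are assumptions made for the example.

```python
"""Toy realization of the cluster -> prioritize -> present -> act pipeline in the
claims. Added example, not code from the patent or its assignee: the feature
(imported API names), Jaccard similarity and host prevalence as the 'contextual
value' are all assumptions made for illustration."""
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class FileRecord:
    file_id: str              # constructed label standing in for a file hash
    imports: FrozenSet[str]   # shared characteristic used to measure similarity
    hosts: FrozenSet[str]     # community hosts on which the file was observed
    suspicious: bool = False


# Constructed sample community; not real telemetry.
FILES: List[FileRecord] = [
    FileRecord("file-a", frozenset({"CreateRemoteThread", "WriteProcessMemory",
               "VirtualAllocEx", "OpenProcess"}), frozenset({"h1", "h2", "h3", "h4"}), True),
    FileRecord("file-b", frozenset({"CreateRemoteThread", "WriteProcessMemory",
               "VirtualAllocEx", "LoadLibraryA"}), frozenset({"h2"})),
    FileRecord("file-c", frozenset({"CreateRemoteThread", "WriteProcessMemory",
               "OpenProcess", "GetProcAddress"}), frozenset({"h1", "h5", "h6", "h7", "h8", "h9"})),
    FileRecord("file-d", frozenset({"MessageBoxW", "GetWindowTextW"}), frozenset({"h3"})),
]
SIMILARITY_THRESHOLD = 0.4


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Degree of similarity between two import sets, 0.0 .. 1.0."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def cluster_around(seed: FileRecord, files: List[FileRecord],
                   threshold: float) -> Optional[List[FileRecord]]:
    """Grow a candidate set around the suspicious seed, then accept it as a file
    cluster only if the mean pairwise similarity of the whole set exceeds the
    threshold (the measure / compare / cluster sequence in the claims)."""
    members = [seed]
    for f in files:
        if f is not seed and \
           sum(jaccard(f.imports, m.imports) for m in members) / len(members) > threshold:
            members.append(f)
    pairwise = [jaccard(x.imports, y.imports) for x, y in combinations(members, 2)]
    degree = sum(pairwise) / len(pairwise) if pairwise else 0.0
    return members if degree > threshold else None


def contextual_value(f: FileRecord) -> int:
    """Assumed contextual value: prevalence across the community. A widespread
    sibling of a suspicious file is worth the analyst's first look, whether it
    marks a wider infection or a benign look-alike at risk of a false positive."""
    return len(f.hosts)


def rank_cluster(cluster: List[FileRecord]) -> List[FileRecord]:
    """Ordered list, highest contextual value first; ties broken by file_id."""
    return sorted(cluster, key=lambda f: (-contextual_value(f), f.file_id))


def render(ranked: List[FileRecord], seed: FileRecord) -> List[str]:
    """Text stand-in for the graphical representation: an ordered list with the
    prioritized (top-ranked) file highlighted by '>>' and the seed tagged."""
    return [f"{'>>' if pos == 1 else '  '} {pos}. {f.file_id}  hosts={contextual_value(f)}"
            f"  sim_to_seed={jaccard(f.imports, seed.imports):.2f}"
            f"{' [suspicious]' if f is seed else ''}"
            for pos, f in enumerate(ranked, start=1)]


def security_action(seed: FileRecord, verdict: str) -> str:
    """Translate the analyst's feedback on the presented cluster into the action
    taken on the suspicious file; an unknown verdict leaves it on hold."""
    if verdict == "malicious":
        return f"quarantine {seed.file_id} on {len(seed.hosts)} hosts"
    if verdict == "benign":
        return f"allowlist {seed.file_id}"
    return f"hold {seed.file_id} pending review"


def curate(files: List[FileRecord], verdict: str,
           threshold: float = SIMILARITY_THRESHOLD) -> Tuple[List[str], List[str], str]:
    """Whole pipeline for the first suspicious file: ranked ids, rendered list, action.
    If no set clears the threshold the seed is presented on its own."""
    seed = next(f for f in files if f.suspicious)
    ranked = rank_cluster(cluster_around(seed, files, threshold) or [seed])
    return [f.file_id for f in ranked], render(ranked, seed), security_action(seed, verdict)


if __name__ == "__main__":
    ids, view, action = curate(FILES, verdict="malicious")
    print("\n".join(view + [action]))
```

With the constructed data, file-d shares no imports with the seed and stays outside the cluster, while file-c, seen on six hosts, is ranked above the suspicious file itself: the ordered list surfaces the most widespread sibling first, which is exactly the kind of contextual cue an analyst needs before confirming a verdict that triggers an action across the community.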
Specification