IDENTIFYING MALWARE-SUSPECT END POINTS THROUGH ENTROPY CHANGES IN CONSOLIDATED LOGS

US 20180288074A1
Filed: 03/31/2017
Published: 10/04/2018
Est. Priority Date: 03/31/2017
Status: Active Grant

First Claim

Patent Images

1. A method for detecting a malware attack, comprising:

monitoring an event log of a first device, wherein the event log identifies events indicating that the first device is likely compromised;

determining an expected rate of log entries during a time window;

identifying that an actual rate of log entries during the time window satisfies a threshold;

determining, in response to the identifying, that the first device is a compromised device; and

performing an action in response to determining that the first device is a compromised device.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Detecting a malware attack includes monitoring an event log of a first device, wherein the event log identifies events indicating that the first device is likely compromised, determining an expected rate of log entries during a time window, identifying that an actual rate of log entries during the time window satisfies a threshold, determining, in response to the identifying, that the first device is a compromised device, and performing an action in response to determining that the first device is a compromised device.

54 Citations

View as Search Results

25 Claims

1. A method for detecting a malware attack, comprising:
- monitoring an event log of a first device, wherein the event log identifies events indicating that the first device is likely compromised;
  
  determining an expected rate of log entries during a time window;
  
  identifying that an actual rate of log entries during the time window satisfies a threshold;
  
  determining, in response to the identifying, that the first device is a compromised device; and
  
  performing an action in response to determining that the first device is a compromised device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein determining the expected rate of log entries during the time window comprises:
    - analyzing the event log to determine a ratio of unique log entries to total log entries in the event log during the time window,wherein the actual rate of log entries comprises a change in the ratio of unique log entries to total log entries during the time window.
  - 3. The method of claim 2, wherein unique log entries are identified as unique based on a tag field in each log entry.
  - 4. The method of claim 1, wherein determining the expected rate of log entries over the time window comprises:
    - identifying one or more additional actual rates of log entries for the time window corresponding to one or more additional devices in a network comprising the first device; and
      
      wherein determining that the first device is a compromised device comprises comparing the actual rate of log entries for the first device to the one or more additional actual rates of log entries.
  - 5. The method of claim 4, wherein determining the expected rate of log entries comprisesdetermining a directional rate of change of unique log entries generated by the first device;
    - comparing the directional rate of change of unique log entries to a directional rate of change of log entries for the one or more additional devices in a same time window.
  - 6. The method of claim 1, wherein determining, in response to the identifying, that the first device is a compromised device comprises:
    - calculating a confidence value for the determining based on the expected rate of log entries, the actual rate of log entries, and a standard deviation of the actual rate of log entries.
  - 7. The method of claim 1, wherein the event log comprises log entries generated by a security application.

8. A computer readable medium for detecting a malware attack, comprising computer readable code executable by one or more processors to:
- monitor an event log of a first device, wherein the event log identifies events indicating that the first device is likely compromised;
  
  determine an expected rate of log entries over a predetermined time;
  
  identify that an actual rate of log entries over the predetermined time satisfies a threshold;
  
  determine, in response to the identifying, that the first device is a compromised device; and
  
  perform an action in response to determining that the first device is a compromised device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer readable medium of claim 8, wherein the computer readable code to determine the expected rate of log entries during the time window comprises computer readable code to:
    - analyze the event log to determine a ratio of unique log entries to total log entries in the event log during the time window,wherein the actual rate of log entries comprises a change in the ratio of unique log entries to total log entries during the time window.
  - 10. The computer readable medium of claim 9, wherein unique log entries are identified as unique based on a tag field in each log entry.
  - 11. The computer readable medium of claim 8, wherein the computer readable code to determine the expected rate of log entries during the time window comprises computer readable code to:
    - identify one or more additional actual rates of log entries for the time window corresponding to one or more additional devices in a network comprising the first device; and
      
      wherein determining that the first device is a compromised device comprises comparing the actual rate of log entries for the first device to the one or more additional actual rates of log entries.
  - 12. The computer readable medium of claim 11, wherein the computer readable code to determine the expected rate of log entries comprises computer readable code to:
    - determine a directional rate of change of unique log entries generated by the first device; and
      
      compare the directional rate of change of unique log entries to a directional rate of change of log entries for the one or more additional devices in a same time window.
  - 13. The computer readable medium of claim 8, wherein the computer readable code to determine, in response to the identifying, that the first device is a compromised device comprises computer readable code to:
    - calculate a confidence value for the determining based on the expected rate of log entries, the actual rate of log entries, and a standard deviation of the actual rate of log entries.
  - 14. The computer readable medium of claim 8, wherein the event log comprises log entries generated by a security application.

15. A system for detecting a malware attack, comprising:
- one or more processors; and
  
  one or more memories coupled to the one or more processors and computer readable code stored on the one or more memories and executable by the one or more processors to;
  
  monitor an event log of a first device, wherein the event log identifies events indicating that the first device is likely compromised;
  
  determine an expected rate of log entries during a time window;
  
  identify that an actual rate of log entries during the time window satisfies a threshold;
  
  determine, in response to the identifying, that the first device is a compromised device; and
  
  perform an action in response to determining that the first device is a compromised device.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The system of claim 15, wherein the computer readable code to determine the expected rate of log entries during the time window comprises computer readable code to:
    - analyze the event log to determine a ratio of unique log entries to total log entries in the event log during the time window,wherein the actual rate of log entries comprises a change in the ratio of unique log entries to total log entries during the time window.
  - 17. The system of claim 16, wherein unique log entries are identified as unique based on a tag field in each log entry.
  - 18. The system of claim 15, wherein the computer readable code to determine the expected rate of log entries during the time window comprises computer readable code to:
    - identify one or more additional actual rates of log entries during the time window corresponding to one or more additional devices in a network comprising the first device; and
      
      wherein determining that the first device is a compromised device comprises comparing the actual rate of log entries for the first device to the one or more additional actual rates of log entries.
  - 19. The system of claim 18, wherein the computer readable code to determine the expected rate of log entries comprises computer readable code to:
    - determine a directional rate of change of unique log entries generated by the first device; and
      
      compare the directional rate of change of unique log entries to a directional rate of change of log entries for the one or more additional devices in a same time window.
  - 20. The system of claim 15, wherein the computer readable code to determine, in response to the identifying, that the first device is a compromised device comprises computer readable code to:
    - calculate a confidence value for the determining based on the expected rate of log entries, the actual rate of log entries, and a standard deviation of the actual rate of log entries.
  - 21. The system of claim 15, wherein the event log comprises log entries generated by a security application.

22. A method for configuring a system for detecting a malware attack, comprising:
- obtaining a data set comprising a plurality of historic log entries for a plurality of endpoints, wherein the plurality of historic log entries each comprise an event identification and an event time;
  
  identifying, for a particular time window, a subset of log entries comprising an event identification associated with a severity value that satisfies a threshold;
  
  tagging the subset of log entries as originating from a compromised endpoint; and
  
  training a machine learning algorithm to generate a classifier based on the plurality of historic log entries and the tagged subset of log entries.
- View Dependent Claims (23, 24, 25)
- - 23. The method of claim 22, wherein the classifier comprises at least one selected from a group consisting of a decision tree, a tree ensemble, a gradient boosted decision tree, and a Bayesian inference model.
  - 24. The method of claim 22, wherein the set of log entries can be analyzed using the classifier to identify a potential malware attack.
  - 25. The method of claim 24, wherein the potential malware attack is identified based on identifiers for each log in a set of the future log entries, and not based on content of the set of future log entries.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Thayer, Peter, Infante-Lopez, Gabriel G., Ferrado, Leandro J., Houspanossian, Alejandro

Granted Patent

US 10,440,037 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

G06N 20/20   Ensemble learning

G06N 7/01   Probabilistic graphical mod...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

IDENTIFYING MALWARE-SUSPECT END POINTS THROUGH ENTROPY CHANGES IN CONSOLIDATED LOGS

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

54 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

IDENTIFYING MALWARE-SUSPECT END POINTS THROUGH ENTROPY CHANGES IN CONSOLIDATED LOGS

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links