IL253987B - Cyber threat detection system and method - Google Patents

Cyber threat detection system and method

Info

Publication number
IL253987B
IL253987B
Authority
IL
Israel
Prior art keywords
malicious
suspicious behaviors
suspicious
given set
detection system
Prior art date
Application number
IL253987A
Other languages
Hebrew (he)
Other versions
IL253987A0 (en)
Inventor
Krips Koby
Bokobza Yasmin
Original Assignee
Cyberbit Ltd
Krips Koby
Bokobza Yasmin
Priority date: 2017-08-14
Filing date: 2017-08-14
Publication date: 2019-05-30
Application IL253987A filed by Cyberbit Ltd, Krips Koby, Bokobza Yasmin
Priority to IL253987A
Publication of IL253987A0
Priority to PCT/IL2018/050892 (WO2019035120A1)
Publication of IL253987B

Classifications

Leaf classifications under G06F21 (security arrangements for protecting computers, components thereof, programs or data against unauthorised activity) and H04L (transmission of digital information):

    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/561 Virus type analysis
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • H04L41/046 Network management architectures or arrangements comprising network management agents or mobile agents therefor
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/142 Network analysis or design using statistical or mathematical methods
    • H04L41/147 Network analysis or design for predicting network behaviour
    • H04L41/16 Arrangements for maintenance, administration or management of data switching networks using machine learning or artificial intelligence
    • H04L43/028 Capturing of monitoring data by filtering
    • H04L43/04 Processing captured monitoring data, e.g. for logfile generation
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/20 Network architectures or network communication protocols for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Algebra (AREA)
  • Data Mining & Analysis (AREA)
  • Environmental & Geological Engineering (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Probability & Statistics with Applications (AREA)
  • Pure & Applied Mathematics (AREA)
  • Debugging And Monitoring (AREA)
  • Alarm Systems (AREA)

Abstract

A threat detection system comprising a processing resource configured to: provide a suspicious behaviors classifier configured to classify a set of a plurality of suspicious behaviors as malicious or non-malicious; obtain information of a given set of a plurality of suspicious behaviors, each suspicious behavior of the set comprising information of a corresponding group including one or more grouped events, grouped from a plurality of detected events that occurred on one or more endpoints connected to an organizational network, wherein: (a) at least one of the suspicious behaviors of the given set is identified in accordance with one or more user-defined identification rules, (b) at least one of the suspicious behaviors of the given set is non-anomalous, and (c) at least one of the groups includes multiple events including two or more of the detected events; and classify, utilizing the suspicious behaviors classifier, the given set as malicious or non-malicious.
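The abstract describes a three-stage pipeline: raw events from endpoints are grouped by user-defined rules into suspicious behaviors (each behavior keeping its group of events), and then the whole set of behaviors, not each behavior on its own, is handed to a classifier for a malicious/non-malicious verdict. The example below, added for this page and not Cyberbit's implementation, shows that pipeline in Python on constructed telemetry. The event schema, the three rule names, the choice of a Bernoulli naive Bayes classifier and the training data are all assumptions; the abstract specifies none of them.

```python
"""Added worked example for the flow in the abstract: detected endpoint events are
grouped into suspicious behaviors by user-defined rules, then the whole set of
behaviors is classified as malicious or non-malicious.  Not Cyberbit's code; the
event schema, rule names, Bernoulli naive Bayes classifier and sample data are assumptions."""
import math
from dataclasses import dataclass

@dataclass
class Behavior:
    name: str        # the user-defined rule that identified the behavior
    anomalous: bool  # False = common on this network (condition (b) in the abstract)
    events: list     # the group of detected events behind this behavior

# Constructed telemetry for one endpoint (not real data).
SAMPLE_EVENTS = [
    {"ts": 1, "type": "process_start", "pid": 100, "ppid": 1, "image": "winword.exe"},
    {"ts": 2, "type": "process_start", "pid": 101, "ppid": 100, "image": "powershell.exe"},
    {"ts": 3, "type": "net_connect", "pid": 101, "image": "powershell.exe", "dport": 443},
    {"ts": 4, "type": "process_start", "pid": 102, "ppid": 101, "image": "x.exe"},
    {"ts": 5, "type": "reg_set", "pid": 102, "image": "x.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
]
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}

def rule_office_spawns_shell(events):
    """Office process start plus the shell it spawned: a 2-event group (condition (c))."""
    starts = [e for e in events if e["type"] == "process_start"]
    return [Behavior("office_spawns_shell", True, [p, c])
            for p in starts if p["image"] in OFFICE
            for c in starts if c["ppid"] == p["pid"] and c["image"] in SHELLS]

def rule_script_outbound_https(events):
    """Script host talking HTTPS: suspicious but common, so marked non-anomalous."""
    return [Behavior("script_outbound_https", False, [e]) for e in events
            if e["type"] == "net_connect" and e["image"] in SHELLS and e["dport"] == 443]

def rule_run_key_persistence(events):
    """Write to a Run key: classic persistence, one event per group."""
    return [Behavior("run_key_persistence", True, [e]) for e in events
            if e["type"] == "reg_set" and e["key"].endswith("\\Run")]

RULES = [rule_office_spawns_shell, rule_script_outbound_https, rule_run_key_persistence]

def group_events(events):
    """Apply every user-defined rule; each hit is one suspicious behavior with its event group."""
    return [b for rule in RULES for b in rule(events)]

def meets_abstract_conditions(behaviors):
    """(a) holds by construction; check (b) a non-anomalous behavior and (c) a multi-event group."""
    return (bool(behaviors) and any(not b.anomalous for b in behaviors)
            and any(len(b.events) >= 2 for b in behaviors))

class BernoulliNB:
    """Minimal Bernoulli naive Bayes over 'which behaviors are present' features."""
    def __init__(self, vocab):
        self.vocab, self.prior, self.prob = list(vocab), {}, {}

    def fit(self, sets, labels):
        for label in set(labels):
            rows = [s for s, l in zip(sets, labels) if l == label]
            self.prior[label] = len(rows) / len(sets)
            # Laplace smoothing: an unseen behavior never zeroes out a class
            self.prob[label] = {f: (sum(f in s for s in rows) + 1) / (len(rows) + 2)
                                for f in self.vocab}
        return self

    def predict(self, present):
        def logpost(label):
            lp = math.log(self.prior[label])
            for f in self.vocab:
                p = self.prob[label][f]
                lp += math.log(p if f in present else 1 - p)
            return lp
        return max(self.prior, key=logpost)

# Constructed training data: behavior-name sets with analyst verdicts.
TRAIN = [
    ({"office_spawns_shell", "script_outbound_https", "run_key_persistence"}, "malicious"),
    ({"office_spawns_shell", "script_outbound_https"}, "malicious"),
    ({"office_spawns_shell", "run_key_persistence"}, "malicious"),
    ({"script_outbound_https"}, "non-malicious"),
    ({"run_key_persistence"}, "non-malicious"),
    ({"script_outbound_https", "run_key_persistence"}, "non-malicious"),
]
VOCAB = sorted({f for s, _ in TRAIN for f in s})
CLASSIFIER = BernoulliNB(VOCAB).fit([s for s, _ in TRAIN], [l for _, l in TRAIN])

def classify_events(events):
    """End to end: events -> grouped behaviors -> one verdict for the whole set."""
    behaviors = group_events(events)
    return behaviors, CLASSIFIER.predict({b.name for b in behaviors})

if __name__ == "__main__":
    bs, verdict = classify_events(SAMPLE_EVENTS)
    for b in bs:
        print(f"{b.name:24s} anomalous={b.anomalous} events={len(b.events)}")
    print("conditions met:", meets_abstract_conditions(bs), "| verdict:", verdict)
```

The point the claim turns on is visible in the output: `script_outbound_https` is non-anomalous and on its own is classified non-malicious, so a per-behavior alerting scheme would drop it, yet it still contributes evidence when the set it belongs to also contains the Office-to-shell group and the Run-key write. Classifying the set lets common behaviors count without generating their own alerts, which is the trade-off between false positives and coverage that the set-level design is trying to make.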

Priority Applications (2)

Application Number Priority Date Filing Date Title
IL253987A IL253987B (en) 2017-08-14 2017-08-14 Cyber threat detection system and method
PCT/IL2018/050892 WO2019035120A1 (en) 2017-08-14 2018-08-12 Cyber threat detection system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
IL253987A IL253987B (en) 2017-08-14 2017-08-14 Cyber threat detection system and method

Publications (2)

Publication Number Publication Date
IL253987A0 IL253987A0 (en) 2017-10-01
IL253987B true IL253987B (en) 2019-05-30

Family

ID=61866874

Family Applications (1)

Application Number Title Priority Date Filing Date
IL253987A IL253987B (en) 2017-08-14 2017-08-14 Cyber threat detection system and method

Country Status (2)

Country Link
IL (1) IL253987B (en)
WO (1) WO2019035120A1 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2593509A (en) * 2020-03-25 2021-09-29 British Telecomm Computer vulnerability identification
CN113746781A (en) * 2020-05-28 2021-12-03 深信服科技股份有限公司 Network security detection method, device, equipment and readable storage medium
US11562069B2 (en) 2020-07-10 2023-01-24 Kyndryl, Inc. Block-based anomaly detection
WO2022248906A1 (en) * 2021-05-24 2022-12-01 Nokia Solutions And Networks Oy Detecting manipulative network functions
US20220382860A1 (en) * 2021-05-26 2022-12-01 Microsoft Technology Licensing, Llc Detecting anomalous events through application of anomaly detection models
CN114780810B (en) * 2022-04-22 2024-02-27 中国电信股份有限公司 Data processing method and device, storage medium and electronic equipment
US11647040B1 (en) * 2022-07-14 2023-05-09 Tenable, Inc. Vulnerability scanning of a remote file system
CN117034261B (en) * 2023-10-08 2023-12-08 深圳安天网络安全技术有限公司 Exception detection method and device based on identifier, medium and electronic equipment

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8046835B2 (en) * 2002-10-23 2011-10-25 Frederick S. M. Herz Distributed computer network security activity model SDI-SCAM
WO2013082437A1 (en) * 2011-12-02 2013-06-06 Invincea, Inc. Methods and apparatus for control and detection of malicious content using a sandbox environment
US9699205B2 (en) * 2015-08-31 2017-07-04 Splunk Inc. Network security system

Also Published As

Publication number Publication date
IL253987A0 (en) 2017-10-01
WO2019035120A1 (en) 2019-02-21

Similar Documents

Publication Publication Date Title
IL253987B (en) Cyber threat detection system and method
Soe et al. Ddos attack detection based on simple ann with smote for iot environment
Calderon The benefits of artificial intelligence in cybersecurity
Lee et al. Open source intelligence base cyber threat inspection framework for critical infrastructures
MX2017003826A (en) Distributed traffic management system and techniques.
US20190174452A1 (en) Detection of mobile transmitters in an office environment
IL227598B (en) Systems and methods for identifying malicious hosts
CN108259472A (en) Dynamic joint defence mechanism based on attack analysis realizes system and method
EP2854362B1 (en) Software network behavior analysis and identification system
WO2016073457A3 (en) Identifying a potential ddos attack using statistical analysis
EP2683130A3 (en) Social network protection system
WO2018063544A3 (en) Addressing inside-enterprise hack attempts
CN106973051A (en) Set up method, device, storage medium and the processor of detection Cyberthreat model
Sumanth et al. Raspberry Pi based intrusion detection system using k-means clustering algorithm
Hyun et al. Security operation implementation through big data analysis by using open source ELK stack
Rawat et al. Cyber threat exploitation and growth during COVID-19 times
Awadi et al. Multi-phase IRC botnet and botnet behavior detection model
CN108040075B (en) APT attack detection system
Zhang et al. Visual analytics for intrusion detection in spam emails
Hoffmann et al. Cyberattacks in agribusiness
Judy et al. Detection and Classification of Malware for Cyber Security using Machine Learning Algorithms
Patil et al. JARVIS: An Intelligent Network Intrusion Detection and Prevention System
Huo et al. Smart grid communication network traffic anomaly detection based on entropy analysis
Kharche et al. Internet worm classification and detection using data mining techniques
Maesschalck et al. Honeypots for automatic network-level industrial control system security

Legal Events

Date Code Title Description
FF Patent granted
KB Patent renewed