IL253987B - Cyber threat detection system and method - Google Patents

Cyber threat detection system and method

Info

Publication number
IL253987B
Authority
IL
Israel
Prior art keywords
malicious
suspicious behaviors
suspicious
given set
detection system
Application number
IL253987A
Other languages
Hebrew (he)
Other versions
IL253987A0 (en)
Inventor
Krips Koby
Bokobza Yasmin
Original Assignee
Cyberbit Ltd
Krips Koby
Bokobza Yasmin
Priority date
2017-08-14
Filing date
2017-08-14
Publication date
2019-05-30
Application filed by Cyberbit Ltd, Krips Koby, Bokobza Yasmin
Priority to IL253987A
Publication of IL253987A0
Priority to PCT/IL2018/050892
Publication of IL253987B

Classifications

    • G PHYSICS
      • G06 COMPUTING OR CALCULATING; COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
              • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
                • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
              • G06F21/55 Detecting local intrusion or implementing counter-measures
                • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
                  • G06F21/561 Virus type analysis
                  • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L41/04 Network management architectures or arrangements
              • H04L41/046 Network management architectures or arrangements comprising network management agents or mobile agents therefor
            • H04L41/06 Management of faults, events, alarms or notifications
              • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
            • H04L41/14 Network analysis or design
              • H04L41/142 Network analysis or design using statistical or mathematical methods
              • H04L41/147 Network analysis or design for predicting network behaviour
            • H04L41/16 Arrangements for maintenance, administration or management of data switching networks using machine learning or artificial intelligence
          • H04L43/00 Arrangements for monitoring or testing data switching networks
            • H04L43/02 Capturing of monitoring data
              • H04L43/028 Capturing of monitoring data by filtering
            • H04L43/04 Processing captured monitoring data, e.g. for logfile generation
            • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
                • H04L63/1425 Traffic logging, e.g. anomaly detection
              • H04L63/1433 Vulnerability analysis
              • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
            • H04L63/20 Network architectures or network communication protocols for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Algebra (AREA)
  • Data Mining & Analysis (AREA)
  • Environmental & Geological Engineering (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Probability & Statistics with Applications (AREA)
  • Pure & Applied Mathematics (AREA)
  • Debugging And Monitoring (AREA)
  • Alarm Systems (AREA)

Abstract

A threat detection system comprising a processing resource configured to: provide a suspicious behaviors classifier configured to classify a set of a plurality of suspicious behaviors as malicious or non-malicious; obtain information of a given set of a plurality of suspicious behaviors, each suspicious behavior of the set comprising information of a corresponding group including one or more grouped events, grouped from a plurality of detected events that occurred on one or more endpoints connected to an organizational network, wherein: (a) at least one of the suspicious behaviors of the given set is identified in accordance with one or more user-defined identification rules, (b) at least one of the suspicious behaviors of the given set is non-anomalous, and (c) at least one of the groups includes multiple events including two or more of the detected events; and classify, utilizing the suspicious behaviors classifier, the given set as malicious or non-malicious.

Priority Applications (2)

Application Number Priority Date Filing Date Title
IL253987A IL253987B (en) 2017-08-14 2017-08-14 Cyber threat detection system and method
PCT/IL2018/050892 WO2019035120A1 (en) 2017-08-14 2018-08-12 Cyber threat detection system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
IL253987A IL253987B (en) 2017-08-14 2017-08-14 Cyber threat detection system and method

Publications (2)

Publication Number Publication Date
IL253987A0 (en) 2017-10-01
IL253987B (en) 2019-05-30

Family

ID=61866874

Family Applications (1)

Application Number Title Priority Date Filing Date
IL253987A IL253987B (en) 2017-08-14 2017-08-14 Cyber threat detection system and method

Country Status (2)

Country Link
IL (1) IL253987B (en)
WO (1) WO2019035120A1 (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2593509A (en) * 2020-03-25 2021-09-29 British Telecomm Computer vulnerability identification
CN113746781A (en) * 2020-05-28 2021-12-03 深信服科技股份有限公司 Network security detection method, device, equipment and readable storage medium
US11562069B2 (en) 2020-07-10 2023-01-24 Kyndryl, Inc. Block-based anomaly detection
CN117652131A (en) * 2021-05-24 2024-03-05 诺基亚通信公司 Detection of Manipulated Network Functions
US20220382860A1 (en) * 2021-05-26 2022-12-01 Microsoft Technology Licensing, Llc Detecting anomalous events through application of anomaly detection models
CN114780810B (en) * 2022-04-22 2024-02-27 中国电信股份有限公司 Data processing methods, devices, storage media and electronic equipment
US11647040B1 (en) * 2022-07-14 2023-05-09 Tenable, Inc. Vulnerability scanning of a remote file system
CN116743475A (en) * 2023-06-29 2023-09-12 深圳市深信服信息安全有限公司 Threat handling methods and related equipment
CN117034261B (en) * 2023-10-08 2023-12-08 深圳安天网络安全技术有限公司 Exception detection method and device based on identifier, medium and electronic equipment

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8046835B2 (en) * 2002-10-23 2011-10-25 Frederick S. M. Herz Distributed computer network security activity model SDI-SCAM
WO2013082437A1 (en) * 2011-12-02 2013-06-06 Invincia, Inc. Methods and apparatus for control and detection of malicious content using a sandbox environment
US9699205B2 (en) * 2015-08-31 2017-07-04 Splunk Inc. Network security system

Also Published As

Publication number Publication date
WO2019035120A1 (en) 2019-02-21
IL253987A0 (en) 2017-10-01

Similar Documents

Publication Publication Date Title
IL253987B (en) Cyber threat detection system and method
Soe et al. Ddos attack detection based on simple ann with smote for iot environment
US11194903B2 (en) Cross-machine detection techniques
US10484408B2 (en) Malicious communication pattern extraction apparatus, malicious communication pattern extraction method, and malicious communication pattern extraction program
Lee et al. Open source intelligence base cyber threat inspection framework for critical infrastructures
EP2854362B1 (en) Software network behavior analysis and identification system
WO2019217969A8 (en) Predicting cyber threats in a federated threat intelligence environment
CN108259472A (en) Dynamic joint defence mechanism based on attack analysis realizes system and method
US10819717B2 (en) Malware infected terminal detecting apparatus, malware infected terminal detecting method, and malware infected terminal detecting program
Judy et al. Detection and classification of malware for cyber security using machine learning algorithms
CN103036998A (en) Intrusion detection system based on immune principle in cloud computing
WO2018063544A3 (en) Addressing inside-enterprise hack attempts
Bhandari et al. AINIS: an intelligent network intrusion system
CN106973051A (en) Set up method, device, storage medium and the processor of detection Cyberthreat model
Rawat et al. Cyber threat exploitation and growth during COVID-19 times
Hoffmann et al. Cyberattacks in agribusiness
Desai et al. Mitigating denial based service attacks in heterogeneous sensor networks: Strategies and solutions
Ghaffari et al. DroidMalHunter: A novel entropy-based anomaly detection system to detect malicious Android applications
Maesschalck et al. Honeypots for automatic network-level industrial control system security
Huo et al. Smart grid communication network traffic anomaly detection based on entropy analysis
Refsdal et al. Risk Evaluation
Shendre et al. Learning probe attack patterns with Honeypots
Kharche et al. Internet worm classification and detection using data mining techniques
Yucel et al. An annotated bibliographical survey on cyber intelligence for cyber intelligence officers
Kumar et al. Self tuning ids for changing environment

Legal Events

Date Code Title Description
FF Patent granted
KB Patent renewed