US20230370481A1 - System and method for determining a file-access pattern and detecting ransomware attacks in at least one computer network - Google Patents
- Publication number
- US20230370481A1
- Authority
- US
- United States
- Prior art keywords
- algorithm
- network
- file
- traffic
- access
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/045—Combinations of networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
- G06N3/088—Non-supervised learning, e.g. competitive learning
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
Definitions
- the present invention relates to traffic in computer networks. More particularly, the present invention relates to systems and methods for determining file-access patterns and using them to detect, for example, ransomware attacks in at least one computer network.
- Ransomware attacks have become common in computer networks. In recent years, there has been a spike in the number of reported incidents, as well as in the funds that cyber attackers attempt to extort from organizations. Ransomware attacks are not only increasing in frequency; they are also becoming more sophisticated and complex, emerging as a popular attack vector that can effectively shut down public sector networks.
- Two major vulnerabilities are being exploited: network-based file-access attacks on Networked Attached Storage (NAS), including endpoint computers, and/or file-less attacks using Windows Operating System process/memory injection.
- the number of ransomware attacks on organizations has increased by several orders of magnitude over the past years, and these attacks are projected to cost businesses dozens of billions of USD, in addition to the cost of lost customer/partner loyalty and trust.
- Some currently available solutions are based on endpoint security agents running on the computer hosts, looking for specific signatures of ransom attacks that are found during extensive low-level research.
- the main limitation of this approach is that defenders are required to cover all of their endpoints with detection tools; with the increasing size of networks and number of endpoints, covering each and every endpoint is becoming increasingly impossible (not to mention the prohibitive cost).
- the defenders are required to continuously update their software with any newly discovered attack signature, in order to vaccinate their network and endpoints against each new attack, while the attackers try to act quickly before the updates take effect.
- With the increasing size of networks and number of endpoints, as well as their increasingly complex architectures, defending against all attackers is becoming increasingly impossible.
- a method of determining file-access patterns in at least one computer network including a file-access server, the method including: training, by a processor in communication with the computer network, a first machine learning (ML) algorithm with a first training dataset including vectors representing network traffic such that the first ML algorithm learns to determine network characteristics associated with file-access traffic, using the first ML algorithm, determining, by the processor, network characteristics based on highest interaction of traffic with the file-access server compared to other interactions in the at least one computer network, and determining, by the processor, file-access patterns in the at least one computer network based on the network characteristics associated with file-access traffic.
- a second ML algorithm is trained (e.g., by the processor) with a second training dataset including vectors representing network traffic such that the second ML algorithm identifies a file-access anomaly in the sampled network traffic based on the network characteristics learned by the first ML algorithm, and a normalized difference is determined (e.g., by the processor) between a new input vector representing sampled network traffic and the vectors in the second training dataset.
- the anomaly is identified when the determined normalized difference between the new input vector and the vectors in the second training dataset is larger than the differences within the second training dataset.
- the second ML algorithm includes at least one of: an auto-encoder deep-learning network architecture and a generative adversarial network (GAN) architecture.
- the second ML algorithm is trained for input reconstruction, and wherein the second ML algorithm outputs a larger normalized loss for anomaly input in file-access traffic than for file-access traffic without anomalies.
- an active learning mechanism is applied to update at least one detection model based on a user feedback loop.
- a loss determined by the second ML algorithm is normalized (e.g., by the processor) based on the output of the first ML algorithm for the new input vector, wherein the output of the first ML algorithm is different from the output of the second ML algorithm for the second training dataset, and wherein the second ML algorithm is configured to allow a model trained in one installation to serve as a base model in another installation by normalizing the loss vectors of each installation.
- a third ML algorithm is trained (e.g., by the processor) with a third training dataset including vectors representing network traffic such that the third ML algorithm detects at least one ransom attack property based on at least one communication pattern in the anomaly sampled network traffic, when the third ML algorithm receives a new input vector not in the third training dataset and representing sampled network traffic, and the third ML algorithm is applied on the sampled network traffic.
- the at least one ransom attack property is determined based on highest interaction frequency with the file-access server.
- the sampled network traffic is sampled on a network attached storage (NAS).
- the sampled network traffic includes vectors each representing a different time interval.
- Embodiments of the invention include a device for determining file-access patterns in at least one computer network including a file-access server, the device including: a memory, to store a first training dataset, and a processor in communication with the computer network, wherein the processor is configured to: train a first machine learning (ML) algorithm with a first training dataset including vectors such that the first ML algorithm learns network characteristics associated with file-access traffic, when the first ML algorithm receives input vectors representing sampled network traffic, determine network characteristics associated with file-access traffic based on highest interaction of traffic with the file-access server compared to other interactions in the at least one computer network, and determine file-access patterns in the at least one computer network based on the network characteristics associated with file-access traffic.
- the processor is configured to train a second ML algorithm with a second training dataset including vectors such that the second ML algorithm identifies an anomaly in the sampled network traffic based on the learned network characteristics, when the second ML algorithm receives a new input vector representing sampled network traffic, apply the second ML algorithm on the sampled network traffic, and determine a normalized difference between the new input vector and the vectors in the second training dataset, wherein a normalized difference that is larger than the differences within the second training dataset corresponds to a file-access anomaly in the sampled network traffic.
- the second ML algorithm includes at least one of: an auto-encoder deep-learning network architecture and a generative adversarial network (GAN) architecture.
- the second ML algorithm is trained for input reconstruction, and wherein the second ML algorithm outputs a larger normalized loss for anomaly input in file-access traffic.
- the processor is further configured to apply an active learning mechanism to update at least one detection model based on a user feedback loop.
- the processor is further configured to normalize a loss determined by the second ML algorithm based on the output of the first ML algorithm for the new input vector being different from the output of the second ML algorithm for the second training dataset, wherein the second ML algorithm is configured to allow a model trained in one installation to serve as a base model in another installation by normalizing the loss vectors of each installation.
- the processor is configured to train a third ML algorithm with a third training dataset including vectors such that the third ML algorithm detects at least one ransom attack property based on at least one communication pattern in the anomaly sampled network traffic, when the third ML algorithm receives a new input vector representing sampled network traffic, and apply a third ML algorithm on the sampled network traffic.
- the at least one ransom attack property is determined based on highest interaction with the file-access server.
- the sampled network traffic is sampled on a network attached storage (NAS).
- the sampled network traffic includes vectors each representing a different time interval.
- a method of identifying an anomaly in at least one computer network including a file-access server, the method including: applying, e.g., by a processor in communication with the computer network, a first machine learning (ML) algorithm trained to learn to determine network characteristics associated with sampled file-access traffic, wherein the network characteristics associated with file-access traffic are determined based on highest interaction with the file-access server, and applying (e.g., by the processor) a second ML algorithm trained to identify an anomaly in the sampled network traffic based on the determined network characteristics.
- the anomaly is identified, using the second ML algorithm, based on a calculated normalized difference between training datasets and new sampled network traffic, and wherein a large normalized difference corresponds to a file-access anomaly in the sampled network traffic.
- a third ML algorithm is applied (e.g., by the processor) to detect at least one ransom attack property based on at least one communication pattern in the anomaly sampled network traffic, where the at least one ransom attack property is determined based on largest interaction frequency with the file-access server.
- FIG. 1 shows a block diagram of an exemplary computing device, according to some embodiments of the invention.
- FIG. 2 shows a block diagram of a device for learning file-access patterns in at least one computer network including a file-access server, according to some embodiments of the invention.
- FIG. 3 shows a block diagram of a device for learning file-access patterns in at least one computer network including a file-access server, according to some embodiments of the invention.
- FIG. 4 shows a block diagram of a device for detection of at least one file-access anomaly or ransom attack property in the at least one computer network including a file-access server, according to some embodiments of the invention.
- FIGS. 5A-5C show flowcharts of a method of determining file-access patterns in at least one computer network, the network including a file-access server, according to some embodiments of the invention.
- the terms “plurality” and “a plurality” as used herein may include, for example, “multiple” or “two or more”.
- the terms “plurality” or “a plurality” may be used throughout the specification to describe two or more components, devices, elements, units, parameters, or the like.
- the term set when used herein may include one or more items.
- the method embodiments described herein are not constrained to a particular order or sequence. Additionally, some of the described method embodiments or elements thereof can occur or be performed simultaneously, at the same point in time, or concurrently.
- FIG. 1 is a schematic block diagram of an example computing device 100 , according to some embodiments of the invention.
- Computing device 100 may include a controller or processor 105 (e.g., a central processing unit processor (CPU), a programmable controller or any suitable computing or computational device), memory 120 , storage 130 , input devices 135 (e.g. a keyboard or touchscreen), and output devices 140 (e.g., a display), a communication unit 145 (e.g., a cellular transmitter or modem, a Wi-Fi communication unit, or the like) for communicating with remote devices via a computer communication network, such as, for example, the Internet.
- the computing device 100 may operate by executing an operating system 115 and/or executable code 125 .
- Controller 105 may be configured to execute program code to perform operations described herein.
- the system described herein may include one or more computing devices 100 , for example, to act as the various devices or the components shown in FIG. 2 .
- system 200 may be, or may include computing device 100 or components thereof.
- Operating system 115 may be or may include any code segment or one or more code sets (e.g., one similar to executable code 125 described herein) designed and/or configured to perform tasks involving coordinating, scheduling, arbitrating, supervising, controlling or otherwise managing operation of computing device 100 , for example, scheduling execution of software programs or enabling software programs or other modules or units to communicate.
- Memory 120 may be or may include, for example, a Random Access Memory (RAM), a read only memory (ROM), a Dynamic RAM (DRAM), a Synchronous DRAM (SD-RAM), a double data rate (DDR) memory chip, a Flash memory, a volatile memory, a non-volatile memory, a cache memory, a buffer, a short term memory unit, a long term memory unit, or other suitable memory units or storage units.
- Memory 120 may be or may include a plurality of, possibly different memory units.
- Memory 120 may be a computer or processor non-transitory readable medium, or a computer non-transitory storage medium, e.g., a RAM.
- Executable code 125 may be any executable code, e.g., an application, a program, a process, task or script. Executable code 125 may be executed by controller 105 possibly under control of operating system 115 .
- executable code 125 may be a software application that performs methods as further described herein.
- As shown in FIG. 1, a system according to some embodiments of the invention may include a plurality of executable code segments similar to executable code 125 that may be stored in memory 120 and cause controller 105 to carry out methods described herein.
- Storage 130 may be or may include, for example, a hard disk drive, a universal serial bus (USB) device or other suitable removable and/or fixed storage unit. In some embodiments, some of the components shown in FIG. 1 may be omitted.
- memory 120 may be a non-volatile memory having the storage capacity of storage 130 . Accordingly, although shown as a separate component, storage 130 may be embedded or included in memory 120 .
- Input devices 135 may be or may include a keyboard, a touch screen or pad, one or more sensors or any other or additional suitable input device. Any suitable number of input devices 135 may be operatively connected to computing device 100 .
- Output devices 140 may include one or more displays or monitors and/or any other suitable output devices. Any suitable number of output devices 140 may be operatively connected to computing device 100 .
- Any applicable input/output (I/O) devices may be connected to computing device 100 as shown by blocks 135 and 140 .
- Some embodiments of the invention may include an article such as a computer or processor non-transitory readable medium, or a computer or processor non-transitory storage medium, such as for example a memory, a disk drive, or a USB flash memory, encoding, including or storing instructions, e.g., computer-executable instructions, which, when executed by a processor or controller, carry out methods disclosed herein.
- an article may include a storage medium such as memory 120 , computer-executable instructions such as executable code 125 and a controller such as controller 105 .
- non-transitory computer readable medium may be, for example, a memory, a disk drive, or a USB flash memory, encoding, including or storing instructions, e.g., computer-executable instructions, which, when executed by a processor or controller, carry out methods disclosed herein.
- the storage medium may include, but is not limited to, any type of disk, semiconductor devices such as read-only memories (ROMs) and/or random-access memories (RAMs), flash memories, electrically erasable programmable read-only memories (EEPROMs), or any type of media suitable for storing electronic instructions, including programmable storage devices.
- memory 120 is a non-transitory machine-readable medium.
- a system may include components such as, but not limited to, a plurality of central processing units (CPU) or any other suitable multi-purpose or specific processors or controllers (e.g., controllers similar to controller 105 ), a plurality of input units, a plurality of output units, a plurality of memory units, and a plurality of storage units.
- a system may additionally include other suitable hardware components and/or software components.
- a system may include or may be, for example, a personal computer, a desktop computer, a laptop computer, a workstation, a server computer, a network device, or any other suitable computing device.
- a system as described herein may include one or more facility computing device 100 and one or more remote server computers in active communication with one or more facility computing device 100 such as computing device 100 , and in active communication with one or more portable or mobile devices such as smartphones, tablets and the like.
- Some embodiments of the invention may use deep-learning technology (e.g., employing neural networks) to infer "file-access" patterns based on network characteristics, and to detect ransomware attacks by discovering suspicious abnormal patterns in the inferred "file-access" patterns over time.
- the file-access traffic may include network communications within a computer network (e.g., of an organization) between users and file-access servers.
- a file-access pattern may be a pattern of data flow to network elements related to the file-access traffic.
- the file-access traffic pattern may include records, such as "ip_src"/"ip_dst"/"port_src"/"port_dst", to be stored in the data-structure of the file-access pattern, where "ip_src" is the user's workstation IP address, "ip_dst" is the file-access server IP address, and "port_src"/"port_dst" are the source port and destination port used for communication.
- a file-access pattern may be a pattern of a particular port, in communication with a file-access server, that is being accessed (or where an interaction with the file-access server is identified) multiple times every hour.
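The kind of per-port hourly access pattern described above could be derived from sampled flow records by a simple aggregation. A minimal sketch follows; the record layout uses the field names given above, while the `hourly_port_pattern` helper and the sample data are hypothetical illustrations, not part of the patent:

```python
from collections import Counter

def hourly_port_pattern(records, file_server_ip):
    """Count, per hour, how often each destination port on the
    file-access server appears in the sampled traffic."""
    counts = Counter()
    for rec in records:
        if rec["ip_dst"] == file_server_ip:
            hour = rec["timestamp"] // 3600  # bucket by hour
            counts[(hour, rec["port_dst"])] += 1
    return counts

# Hypothetical sampled records: two accesses to the file server's
# port 445 in the same hour, plus unrelated traffic.
records = [
    {"ip_src": "10.0.0.5", "ip_dst": "2.2.2.2", "port_src": 50000,
     "port_dst": 445, "timestamp": 7200},
    {"ip_src": "10.0.0.6", "ip_dst": "2.2.2.2", "port_src": 50001,
     "port_dst": 445, "timestamp": 7260},
    {"ip_src": "10.0.0.5", "ip_dst": "3.3.3.3", "port_src": 50002,
     "port_dst": 80, "timestamp": 7300},
]
pattern = hourly_port_pattern(records, "2.2.2.2")
# pattern[(2, 445)] == 2: port 445 was accessed twice in hour 2
```

A pattern of repeated interactions with the same server port every hour, as in this sketch, is one example of the data-flow regularities the ML algorithms can learn from.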
- a network characteristic may be a feature of the network that is related to data flow, for instance network fields such as ports, protocols, IP addresses, etc.
- the “file-access” patterns may be learned based on sampled features that are included, or “built-in”, in the NAS gateways (e.g., sFlow and NetFlow sampling protocols), thus some embodiments do not require any hardware and/or software modifications to the network.
- the respective backup protocol, e.g., the Server Message Block (SMB) protocol, may be used to communicate between the user and backup servers. In one example, the network characteristics are: backup port: 445, file transfer port: 21, backup IP: 1.1.1.1, file server IP: 2.2.2.2.
- a neural network (NN), e.g., a neural network implementing machine learning, may be configured or trained for a specific task, e.g., pattern recognition or classification. Training a NN for the specific task may involve adjusting the weights of the links between its neurons based on examples.
- Each neuron of an intermediate or last layer may receive an input signal, e.g., a weighted sum of output signals from other neurons, and may process the input signal using a linear or nonlinear function (e.g., an activation function).
- the results of the input and intermediate layers may be transferred to other neurons and the results of the output layer may be provided as the output of the NN.
- the neurons and links within a NN are represented by mathematical constructs, such as activation functions and matrices of data elements and weights.
- a processor, e.g., one or more CPUs or graphics processing units (GPUs), or a dedicated hardware device, may perform the relevant calculations.
- the normal file-access pattern (e.g., normal file-access behavior without malicious attacks) may be learned to predict the file-access anomalies and ransom attacks using transfer learning, carried out by normalizing the auto-encoder losses of each device in the network.
- the loss normalization may allow transforming different behaviors into a single framework that feeds a global ransom-detection model, which is thus agnostic to a specific deployment.
- Loss functions may be used to determine the error (or the loss) between the output of ML algorithms and the given target value, such that the loss function expresses how far the computed output is from the target value.
- the learning may keep improving from one NAS network to another, by normalizing calculated loss-vectors which measure the difference between the actual input and the auto-encoder reconstruction, yielding high loss for abnormal file-access behavior (e.g., a ransom attack) while yielding low loss for normal behaviors.
- loss normalization may be carried out by min-max scaling, norm scaling, etc.
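The min-max scaling mentioned above can be sketched as follows; this is a minimal NumPy illustration with hypothetical loss values, not the patent's implementation:

```python
import numpy as np

def min_max_normalize(loss_vector):
    """Rescale a device's loss vector to [0, 1] so that losses from
    different installations become comparable."""
    lo, hi = loss_vector.min(), loss_vector.max()
    if hi == lo:  # constant vector: map to all zeros
        return np.zeros_like(loss_vector)
    return (loss_vector - lo) / (hi - lo)

# Hypothetical auto-encoder losses for one device; the large value
# would correspond to abnormal file-access behavior.
losses = np.array([0.2, 0.5, 3.0])
norm = min_max_normalize(losses)
# norm ≈ [0.0, 0.107, 1.0]
```

After scaling, loss vectors from different NAS deployments share a common [0, 1] range, which is what lets a model trained in one installation serve as a base model in another.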
- FIG. 2 shows a block diagram of a device 200 for learning file-access patterns 211 in at least one computer network 20 including a file-access server 201 , according to some embodiments.
- hardware elements are indicated with a solid line and the direction of arrows may indicate the direction of information flow.
- the device 200 may include a processor 202 (e.g., such as the controller 105 shown in FIG. 1 ) in active communication with at least one network 20 .
- the at least one network 20 may be a computer network with at least partial wireless communication (e.g., via Wi-Fi, Bluetooth, etc.).
- the processor 202 may be actively connected to the at least one network 20 in order to sample the traffic there, though the processor 202 may or may not perform other functions of the at least one network 20 .
- the device 200 including the processor 202 may be a computing device physically connected to the at least one network 20 for network traffic sampling.
- the processor 202 may analyze traffic (e.g., analyze network packets) passing through the at least one network 20 by analyzing a sample 203 of the traffic, such that the file-access patterns 211 may be learned from the retrieved traffic sample 203 , as further described hereinafter.
- the sampled network traffic may be sampled on the network gateways (routers, switches, etc.) of a network including the network attached storage (NAS).
- the traffic sample 203 is converted into a vector, for example (ip_src, ip_dest, port_src, port_dst), as input for machine learning algorithms used by the processor 202 .
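Such a conversion could be sketched as follows; encoding IP addresses as integers is one possible choice made here for illustration, not something prescribed by the text:

```python
import ipaddress

def record_to_vector(rec):
    """Encode one sampled flow record as a numeric vector
    (ip_src, ip_dst, port_src, port_dst) suitable as ML input."""
    return [
        int(ipaddress.ip_address(rec["ip_src"])),  # IPv4 as 32-bit int
        int(ipaddress.ip_address(rec["ip_dst"])),
        rec["port_src"],
        rec["port_dst"],
    ]

vec = record_to_vector({"ip_src": "1.1.1.1", "ip_dst": "2.2.2.2",
                        "port_src": 50000, "port_dst": 445})
# vec == [16843009, 33686018, 50000, 445]
```

In practice such raw encodings would typically be further normalized or embedded before being fed to a neural network, but the tuple structure matches the (ip_src, ip_dest, port_src, port_dst) form given above.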
- the processor 202 may sample traffic in a predefined location of the at least one network 20 .
- the processor 202 may be a router's processor which executes dedicated software to determine the file-access patterns 211 , or the processor 202 may be connected to the router, and sample traffic in one or more predefined nodes of the at least one network 20 .
- the processor 202 may retrieve copies of network samples (e.g., randomly chosen packets) from between at least one network device or node of the at least one network 20 and the processor 202 (or another part of the at least one network 20 ).
- the at least one network device or node may be a communication link, a single communication switch or server, a group of links and/or servers, and/or total traffic in the network.
- the processor 202 may retrieve copies of randomly chosen packets from the servers, network gateways, switches, routers, and/or communication.
- the device 200 includes a memory 204 configured to store a first training dataset 205 including vectors.
- the dataset 205 may include vectors of network fields (e.g., ports, protocols, IP addresses, etc.) that have significant traffic interactions with file-access servers (e.g., the top 90th percentile).
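Selecting the fields in the top decile of interaction counts, per the 90th-percentile example above, might look like the following sketch (the counts and field keys are hypothetical):

```python
import numpy as np

def significant_fields(interaction_counts, percentile=90):
    """Return the network fields whose traffic-interaction count is
    at or above the given percentile of all observed counts."""
    counts = np.array(list(interaction_counts.values()))
    threshold = np.percentile(counts, percentile)
    return [f for f, c in interaction_counts.items() if c >= threshold]

# Hypothetical per-port interaction counts with the file-access server;
# port 445 (SMB) dominates, most other ports are background noise.
counts = {445: 900, 21: 850, 80: 30, 22: 10, 8080: 5, 25: 12,
          53: 20, 3389: 8, 995: 7, 110: 6}
top = significant_fields(counts)
# top == [445]
```

The same selection could be applied per field type (ports, protocols, IP addresses), producing the kind of characteristic list, e.g., [445, 21, '1.1.1.1', '2.2.2.2'], described elsewhere in the text.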
- the processor 202 may train a first machine learning (ML) algorithm 206 with the first training dataset 205 .
- the first ML algorithm 206 may be trained to learn to determine network characteristics 207 that are associated with file-access traffic, when the first ML algorithm 206 receives input vectors representing sampled network traffic 203 .
- the traffic vector may be for example a time-ordered list of tuples, consisting of network fields such as source-IP, destination-IP, source-port, destination-port, etc.
- the first ML algorithm 206 may be trained with the first training dataset 205 to determine network characteristics or fields that have significant traffic interactions with file-access servers (e.g., the top 90th percentile).
- the dataset 205 may include a specific protocol type that is always used for data flow in the file-access server such that the characteristics of that protocol may be learned.
- the first ML algorithm 206 may determine network characteristics 207 (e.g., ports, protocols, IP addresses, etc.) that are associated with file-access traffic.
- the first ML algorithm 206 receives as input network traffic data and returns a list of network fields (or characteristics) that most significantly interact with the file-access servers 201 .
- the traffic may be analyzed in the network attached servers (NAS), where the network file-access servers are deployed.
- the determined network characteristics 207 may be the list [445, 21, ‘1.1.1.1’, ‘2.2.2.2’], where backup port is 445, file transfer port is 21, backup IP is 1.1.1.1, and file server IP is 2.2.2.2.
- the first ML algorithm 206 (e.g., an auto-encoder) may be trained with the training dataset 205 for a particular day ‘i’, and the trained models of the auto-encoder may be used to infer on the following day i+1 and calculate loss vectors between the inference and the actual traffic.
- the first ML algorithm 206 may learn results of inference associated with smaller losses. For each new vector or network field, the norm of the vector may be calculated, and if the calculated norm is above a predefined threshold (e.g., corresponding to interactions with traffic or occurrences), then that field may be returned as the output.
- the first ML algorithm 206 may then converge to a set of network fields with significant traffic and stable patterns.
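The field-selection step above (computing a norm per network field and keeping fields above a predefined threshold) can be sketched as follows; the field identifiers, vectors, and threshold value are illustrative assumptions:

```python
import math

# For each candidate network field, compute the norm of its associated
# vector (e.g., occurrences or loss values) and return the fields whose
# norm exceeds a predefined threshold, i.e., fields with significant traffic.
def significant_fields(field_vectors, threshold):
    selected = []
    for field, vec in field_vectors.items():
        norm = math.sqrt(sum(v * v for v in vec))
        if norm > threshold:
            selected.append(field)
    return selected

vectors = {445: [0.9, 0.8, 0.95], 21: [0.2, 0.1, 0.15], 8080: [0.01, 0.0, 0.02]}
print(significant_fields(vectors, threshold=0.2))  # -> [445, 21]
```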
- the first ML algorithm 206 may be trained with the first training dataset 205 to determine network characteristics or fields that have significant traffic interactions with file-access servers.
- the processor 202 is configured to determine network characteristics 207 associated with file-access traffic, based on, using or by executing the first ML algorithm 206 , and based on highest interaction rate of traffic with the file-access server 201 compared to other interactions in the at least one computer network 20 .
- Each port number may be associated with its proportion of the file-access traffic, meaning, how much of the traffic (e.g., measured in percent) traversing the NAS gateways is associated with each port. Then, the port with highest proportion may be considered having the highest interaction rate.
- for example, 80% of the traffic may be at port 445, 10% at port 21, 5% at ports 50000-60000, and 5% at all other ports. In such a case, port 445 may be considered as having the highest interaction rate.
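A minimal sketch of computing per-port proportions and picking the port with the highest interaction rate, using illustrative traffic counts:

```python
from collections import Counter

# Count sampled packets per destination port and return the port with
# the highest proportion of traffic (the "highest interaction rate"),
# together with the full proportion table.
def highest_interaction_port(sampled_ports):
    counts = Counter(sampled_ports)
    total = sum(counts.values())
    proportions = {port: n / total for port, n in counts.items()}
    return max(proportions, key=proportions.get), proportions

# Illustrative sample: 80% port 445, 10% port 21, 5% high ports, 5% other.
ports = [445] * 80 + [21] * 10 + [55000] * 5 + [80] * 5
top_port, props = highest_interaction_port(ports)
print(top_port, props[445])  # -> 445 0.8
```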
- the highest interaction rate or most significant network fields may be autonomously learned as related to the file-access traffic, for example, learning that a particular port has the highest interaction rate.
- the autonomous learning by the first ML algorithm 206 may allow immediate “time-to-model”, in contrast to other machine learning based solutions that require a long training and fine-tuning period.
- the first ML algorithm 206 may automatically learn to determine network characteristics 207 as a set of features ‘V’ including network parameters related to file-access traffic, such as: ports, protocols, connections, etc. For example, for back-up traffic, the associated server message block (SMB) ports 137-139 and/or 445 may be learnt and used together with their associated IP addresses. Since every computer network 20 is different, with dedicated computing elements, the back-up traffic may be using different ports for different computer networks 20 .
- the processor 202 is configured to determine file-access patterns 211 in the at least one computer network 20 based on the network characteristics 207 associated with file-access traffic.
- FIG. 3 shows a block diagram of a device 300 for identifying anomalies 311 in at least one computer network 20 including a file-access server 201 , according to some embodiments.
- hardware elements are indicated with a solid line and the direction of arrows may indicate the direction of information flow.
- some elements of the device 300 may be similar to corresponding elements of the device 200 (shown in FIG. 2 ) that are indicated with the same numerals, for example the computer network 20 , the file-access server 201 , the processor 202 , the first ML algorithm 206 , etc.
- the output of the first ML algorithm 206 may be used for reconstruction of the file-access patterns 211 , by a second ML algorithm 306 (e.g., a trained auto-encoder model) to identify anomalies and threats and accordingly yield small losses for “normal” file-access traffic and high losses for “ransom” traffic.
- the processor 202 may be configured to train the second ML algorithm 306 with a second training dataset 305 including vectors (e.g., stored at the memory 204 ). After training, when the second ML algorithm 306 receives a new input vector representing sampled network traffic 203 , the second ML algorithm 306 may identify an anomaly 311 in the sampled network traffic 203 based on the learned network characteristics 207 .
- the sampled network traffic may be sampled in the network gateways of a network attached storage (NAS).
- the processor 202 may apply the second ML algorithm on the sampled network traffic 203 to determine a normalized difference 307 between the new input vector and a vector in the second training dataset 305 (for example, determine the average absolute difference of the new vector compared to a vector in the second training dataset 305 ).
- a normalized difference 307 between the new input vector and the vectors in the second training dataset 305 that is larger than the differences within the second training dataset corresponds to a file-access anomaly 311 in the sampled network traffic 203 .
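The comparison above can be sketched as a simple average-absolute-difference check; the training vectors and the threshold value below are illustrative assumptions:

```python
# Compare a new traffic vector against the training vectors using the
# average absolute difference; flag an anomaly when even the closest
# training vector differs by more than a predefined threshold.
def avg_abs_diff(a, b):
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a)

def is_anomalous(new_vec, training_vecs, threshold):
    diffs = [avg_abs_diff(new_vec, t) for t in training_vecs]
    return min(diffs) > threshold

training = [[1.0, 2.0], [1.1, 2.1], [0.9, 1.9]]
print(is_anomalous([1.0, 2.05], training, threshold=0.5))   # -> False
print(is_anomalous([10.0, 20.0], training, threshold=0.5))  # -> True
```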
- the second ML algorithm 306 is trained for input reconstruction, and outputs a larger normalized loss for anomaly 311 input in file-access traffic.
- traffic aggregation metrics may be added to the set of features ‘V’ for anomaly 311 detection.
- the second training dataset 305 may include feature sets ‘F’ from the training data, where ‘F’ may include aggregation of traffic flows that were sampled in a specific window of time.
- a traffic flow, or set of packets with a common property may be defined as several categories in the sample, for example: flows that are represented with sufficient number of packets in the sample to provide reliable estimates of their frequencies in the total traffic; flows that appear in too few packets in the sample to provide a reliable estimate for their frequency in the total traffic; and flows that appear in the traffic but do not appear in any packet in the sample.
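The three flow categories above can be sketched as a simple counting step; the flow identifiers and the minimum-packet threshold are illustrative assumptions:

```python
from collections import Counter

# Categorize flows by how well the sample represents them: flows sampled
# with enough packets for a reliable frequency estimate, flows sampled
# with too few packets, and known flows absent from the sample entirely.
def categorize_flows(sampled_flow_ids, known_flows, min_packets=5):
    counts = Counter(sampled_flow_ids)
    reliable = {f for f, n in counts.items() if n >= min_packets}
    sparse = {f for f, n in counts.items() if 0 < n < min_packets}
    unseen = set(known_flows) - set(counts)
    return reliable, sparse, unseen

sample = ["A"] * 10 + ["B"] * 2
reliable, sparse, unseen = categorize_flows(sample, known_flows={"A", "B", "C"})
print(reliable, sparse, unseen)  # -> {'A'} {'B'} {'C'}
```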
- the feature set ‘F’ may include general features related to the network traffic such as histogram of the number of flows that appear at a given time in the sample, how many of them were new with respect to the previous window of time, etc.
- the feature set ‘F’ may be a vector with values for the number of packets.
- the feature set ‘F’ may also include descriptive features related to file-access traffic such as spread of recorded file-access related traffic over various network fields (e.g., ports, IP addresses, protocols, etc.) as previously learnt. For example, the proportion of samples coming to and/or from port ‘i’ (e.g., port 445 for proportion of SMB traffic) may be estimated. In another example, the proportion of samples broadcasted over protocol ‘j’ may be estimated.
- the second ML algorithm 306 includes at least one of: an auto-encoder deep-learning network architecture and a generative adversarial network (GAN) architecture.
- different number of layers, sizes and architectures may be used, for example a multiplicative factor may be used to increase the hidden state size of each layer while keeping the same ratio between layers.
- Layer regularizations and/or dropouts may also be added to prevent overfitting during training.
- the second ML algorithm 306 may include an auto-encoder network with four hidden layers, where each layer is a long-short-term-memory (LSTM) of sizes 2, 4, 8 and 16, that are compressed into a latent-space representation.
- the decoder may include three symmetrical LSTM hidden layers of sizes 4, 8 and 16 which aim to reconstruct the input from the latent representation.
- the activation of each layer may be with a rectified linear unit (ReLU).
- training losses are calculated using mean-absolute-error (MAE) or its normalized variation, which normalizes the loss to prevent fluctuations due to high input values.
- network optimization may be carried out using a stochastic gradient descent algorithm such as the ‘Adam Optimization Algorithm’ that can handle sparse gradients on noisy problems successfully.
- the loss vectors may be normalized to create a baseline of the training losses. For example, if the loss vectors are [1],[10],[0] then a simple min-max baseline is {MAX: 10, MIN: 0} such that a new value of 20 will be normalized to 2.
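The MAE loss and min-max baseline normalization described above can be sketched as follows, reproducing the worked example (training losses [1],[10],[0], new value 20 normalized to 2):

```python
# Mean-absolute-error reconstruction loss, and a min-max baseline used
# to normalize new loss values against the training losses.
def mae(actual, reconstructed):
    return sum(abs(a - r) for a, r in zip(actual, reconstructed)) / len(actual)

def make_baseline(losses):
    return {"MIN": min(losses), "MAX": max(losses)}

def normalize(loss, baseline):
    return (loss - baseline["MIN"]) / (baseline["MAX"] - baseline["MIN"])

baseline = make_baseline([1, 10, 0])
print(baseline)               # -> {'MIN': 0, 'MAX': 10}
print(normalize(20, baseline))  # -> 2.0
```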
- the processor 202 is configured to apply an active learning mechanism to update at least one detection model based on a user feedback loop. For example, when a threat is detected, the user has an option to give feedback on the detected threat (e.g., indicating this was unusual, but yet a known backup procedure). Then, the normalized loss vectors associated with this detection may be tagged as “normal” and accordingly update the second ML algorithm 306 such that similar patterns may not be raised as alarms in the future. The normalization is carried out to transform the loss vectors of different network devices that belong to different networks with possibly varying characteristics, properties and behaviors to a unified language that is used hereinafter for the global detection models.
- the processor 202 is configured to normalize a loss determined by the second ML algorithm 306 based on the output of the first ML algorithm 206 for the new input vector being different from the output of the second ML algorithm 306 for the second training dataset 305 .
- the second ML algorithm 306 may be configured to allow a model trained in one installation to serve as a base model in another installation by normalizing the loss vectors of each installation.
- the input training data may be received from the second training dataset 305 , and the output is the auto-encoder models and baseline.
- the feature sets ‘F’ are calculated and the auto-encoder models are trained on the calculated features ‘F’.
- the trained models are used to calculate final loss vectors ‘L_F’ and the final loss vectors ‘L_F’ may be normalized to create a baseline.
- the actual inputs for ‘F’ may be {F_1 . . . F_N}, the auto-encoder reconstruction may be {F̂_1 . . . F̂_N}, and the loss vectors ‘L_F’ may be calculated (e.g., as the MAE between each input F_i and its reconstruction F̂_i).
- the loss vectors may be normalized to generate a baseline of the training losses. For example, if the final loss vectors ‘L_F’ are [1],[10],[0] then a simple min-max baseline is {MAX: 10, MIN: 0} such that a new value of 20 may be normalized to 2.
- the input is a datapoint ‘Z’ representing sampled traffic, the trained auto-encoder model, and the normalized baseline model.
- the output is at least one normalized loss vector.
- the feature sets of ‘Z’ are calculated, and the trained auto-encoder models are applied on ‘Z’ to calculate the loss vector ‘L_Z’.
- the final loss vectors ‘L_Z’ may be normalized per baseline to get the normalized features as the output.
- FIG. 4 shows a block diagram of a device 400 for detection of at least one file-access anomaly or ransom attack property 411 in the at least one computer network 20 including a file-access server 201 , according to some embodiments.
- hardware elements are indicated with a solid line and the direction of arrows may indicate the direction of information flow.
- some elements of the device 400 may be similar to corresponding elements of the device 200 (shown in FIG. 2 ) or the device 300 (shown in FIG. 3 ) that are indicated with the same numerals, for example the computer network 20 , the file-access server 201 , the processor 202 , the first ML algorithm 206 , etc.
- the processor 202 is configured to train a third ML algorithm 406 with a third training dataset 405 including vectors.
- the third ML algorithm 406 may detect at least one file-access anomaly or ransom attack property 411 based on at least one communication pattern 407 in the anomaly sampled network traffic 203 , when the third ML algorithm receives a new input vector representing sampled network traffic.
- the sampled network traffic may be sampled on a network attached storage (NAS).
- the at least one file-access anomaly or ransom attack property 411 is determined based on highest interaction with the file-access server 201 .
- the highest interaction or most significant network fields may be autonomously learned as related to the file-access traffic, for example, learning that a particular port has the highest interaction rate.
- the input of the third ML algorithm 406 may be the normalized loss vector from the second ML algorithm 306 , in order to detect and classify threats in a generic way which is agnostic to the specific deployment while continuing to learn and evolve with any new customer.
- the third training dataset 405 may include both normal traffic and also traffic with known threats.
- the auto-encoder model may be created with a baseline by training on normal traffic only.
- the trained models may be applied with the third ML algorithm 406 on the threat traffic to create the normalized loss vectors of each datapoint together with their threat tagging, such that normal traffic and threats (e.g., ransom attacks) can be distinguished.
- the threat vectors may be concatenated to create the final dataset of loss-vectors and threats among the various devices in the computer network 20 , such that the output of the second ML algorithm 306 may be used to train the third ML algorithm 406 to detect whether the loss-vectors are associated with normal file-access traffic or a threat.
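The dataset-assembly step above (concatenating normalized loss vectors with their tags to train the detector) can be sketched as follows; the loss-vector values are illustrative assumptions:

```python
# Assemble the final labeled dataset for the detector by concatenating
# normalized loss vectors from normal traffic and from tagged threat
# traffic, each paired with its label.
def build_detector_dataset(normal_loss_vectors, threat_loss_vectors):
    dataset = [(vec, "normal") for vec in normal_loss_vectors]
    dataset += [(vec, "threat") for vec in threat_loss_vectors]
    return dataset

normal = [[0.1, 0.2], [0.05, 0.1]]
threats = [[2.5, 3.1]]
dataset = build_detector_dataset(normal, threats)
print(len(dataset), dataset[-1][1])  # -> 3 threat
```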
- the global models of the third ML algorithm 406 may be feed-forward neural networks with one hidden-layer, where the output layer of the third ML algorithm 406 may be of size 2 denoting “normal” or “threat”, while the output layer of a classifier may further denote various threat types.
- a classifier may include a classification model used in order to infer the file-access anomaly or ransom attack's properties and root-cause information, i.e., the features that have the largest deviations from their training state.
- the third ML algorithm 406 may include an auto-encoder structure with a hidden layer of size 16 and an output layer of size 2 (where all sizes reflect the number of neurons).
- the classifier may be implemented as a separate fourth ML algorithm, together with the detector ML algorithm.
- the third ML algorithm 406 includes a detector module and a classifier module.
- the third ML algorithm 406 may include one or more feed-forward neural networks with one hidden-layer, for instance where the detector's output layer may be of size 2 denoting “normal” or “threat”, while the classifier's output layer may denote various threat types.
- the detector network structure may include a hidden layer of size 16 and the output layer of size 2 (e.g., where all sizes reflect the number of neurons).
- the model may classify the type of the detected anomaly as “ransomware attack over port 445” by observing significantly higher number of packets entering the network over port 445 which may result in large deviation of the feature associated with port 445 from its training state.
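The root-cause step above (reporting the feature with the largest deviation from its training state) can be sketched as follows; the feature names and values are illustrative assumptions:

```python
# Identify the feature with the largest deviation from its training
# state; if that feature corresponds to a port, it may be reported as
# the likely attack vector (e.g., "ransomware attack over port 445").
def root_cause(feature_names, training_state, observed):
    deviations = [abs(o - t) for t, o in zip(training_state, observed)]
    worst = max(range(len(deviations)), key=deviations.__getitem__)
    return feature_names[worst]

names = ["port_445_packets", "port_21_packets", "new_flows"]
trained = [100.0, 10.0, 5.0]
seen = [5000.0, 12.0, 6.0]  # packets over port 445 spike sharply
print(root_cause(names, trained, seen))  # -> port_445_packets
```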
- the third ML algorithm 406 may employ a feedback loop. For example, when a threat is detected, the user has an option to give feedback on it, for instance indicating that this was indeed an unusual, but known, heavy backup procedure. Then, the normalized loss vectors associated with this detection may be immediately tagged as “normal” and trigger a new run of the third ML algorithm 406 such that similar patterns 407 may not be raised as alarms in the future, also in other customers' networks. In contrast, when the user's feedback acknowledges the threat, the respective normalized vectors may be tagged as “threat” and also trigger a new run of the third ML algorithm 406 to make sure similar patterns 407 (even if not exactly the same) won't go unnoticed.
- FIGS. 5 A- 5 C show flowcharts of a method of determining file-access patterns in at least one computer network, the network including a file-access server, according to some embodiments.
- a first machine learning (ML) algorithm may be trained (e.g., by the processor 202 in communication with the computer network 20 , as shown in FIGS. 2 - 4 ) with a first training dataset including vectors representing network traffic, such that the first ML algorithm learns network characteristics associated with file-access traffic.
- network characteristics may be determined (e.g., by the processor 202 ) based on highest interaction of traffic with the file-access server compared to other interactions in the at least one computer network.
- file-access patterns may be determined (e.g., by the processor 202 ) in the at least one computer network based on the network characteristics associated with file-access traffic.
- a second ML algorithm may be trained (e.g., by the processor 202 ) with a second training dataset including vectors such that the second ML algorithm identifies a file-access anomaly in the sampled network traffic based on the network characteristics learned by the first ML algorithm.
- a normalized difference may be determined (e.g., by the processor 202 ) between a new input vector representing sampled network traffic and the vectors in the second training dataset, wherein an anomaly is identified when a normalized difference that is larger than difference of the second training dataset is determined.
- a third ML algorithm may be trained (e.g., by the processor 202 ) with a third training dataset including vectors such that the third ML algorithm detects at least one ransom attack property based on at least one communication pattern in the anomaly sampled network traffic, when the third ML algorithm receives a new input vector not in the third training dataset and representing sampled network traffic.
- the third ML algorithm may be applied on the sampled network traffic, where the at least one ransom attack property is determined based on highest interaction with the file-access server, for example the at least one ransom attack property may be determined according to highest interaction property (e.g., frequency of interactions with the file-access server) during the attack, such as the port number.
- the applied ML algorithms may be completely agnostic to the malware and/or ransom type and characteristics, as well as be robust from variations and changes to the attack that may cause current rule-based tools to not detect the attack.
Abstract
Systems and methods of determining file-access patterns in at least one computer network, the network comprising a file-access server, including training a first machine learning (ML) algorithm with a first training dataset comprising vectors representing network traffic such that the first ML algorithm learns to determine network characteristics associated with file-access traffic, determining, using the first ML algorithm, network characteristics based on highest interaction of traffic with the file-access server compared to other interactions in the at least one computer network, and determining file-access patterns in the at least one computer network based on the network characteristics associated with file-access traffic.
Description
- This application is a Continuation of patent application Ser. No. 17/104,190, filed Nov. 25, 2020, which claims the benefit of Provisional Application No. 62/940,266, filed Nov. 26, 2019, both of which are incorporated herein by reference.
- The present invention relates to traffic in computer networks. More particularly, the present invention relates to systems and methods for determining file-access patterns and using them to detect, for example, ransomware attacks in at least one computer network.
- Ransomware attacks (or cyber extortion) have become common in computer networks. In recent years, there has been a spike in the number of reported incidents as well as the funds that cyber hackers are attempting to extort from organizations. Ransomware attacks are not only increasing in frequency; they are also becoming more sophisticated and complex. Ransomware attacks are becoming a popular attack vector and are effectively shutting down public sector networks.
- Two major vulnerabilities are being exploited: network-based file-access attacks on Networked Attached Storage (NAS) and endpoint computers, and file-less Windows Operating System process/memory-injection attacks. The number of ransomware attacks on organizations has increased by several orders of magnitude over the past years, and these attacks are projected to cost businesses dozens of billions of USD, in addition to the cost of loss of customer/partner loyalty and trust.
- Some currently available solutions are based on endpoint security agents running on the computer hosts, looking for specific signatures of ransom attacks that are found during extensive low-level research. The main limitation of this approach is that the defenders are required to cover all of their endpoints with detection tools, and with the increasing size of networks and number of endpoints, it is becoming increasingly impossible to cover each and every endpoint (not to mention the prohibitive cost). Furthermore, the defenders are required to continuously update their software with any new attack signature being discovered, in order to vaccinate their network and endpoints from each new attack, while the attackers try to act quickly before the updates. With the increasing size of networks and number of endpoints, as well as their complex architecture, defense against all attackers is becoming increasingly impossible. Furthermore, the strong dependence on tailor-made discovery of threat signatures gives rise to zero-day attacks which go unnoticed. In this constant race between the defenders and attackers, the attackers keep winning. Since un-detected attacks are often discovered only long afterwards, files may already be encrypted and inaccessible.
- There is thus provided, in accordance with some embodiments of the invention, a method of determining file-access patterns in at least one computer network, the network including a file-access server, the method including: training, by a processor in communication with the computer network, a first machine learning (ML) algorithm with a first training dataset including vectors representing network traffic such that the first ML algorithm learns to determine network characteristics associated with file-access traffic, using the first ML algorithm, determining, by the processor, network characteristics based on highest interaction of traffic with the file-access server compared to other interactions in the at least one computer network, and determining, by the processor, file-access patterns in the at least one computer network based on the network characteristics associated with file-access traffic.
- In some embodiments, a second ML algorithm is trained (e.g., by the processor) with a second training dataset including vectors representing network traffic such that the second ML algorithm identifies a file-access anomaly in the sampled network traffic based on the network characteristics learned by the first ML algorithm, and a normalized difference is determined (e.g., by the processor) between a new input vector representing sampled network traffic and the vectors in the second training dataset. In some embodiments, the anomaly is identified when a normalized difference that is larger than difference between the new input vector and the vectors in the second training dataset is determined.
- In some embodiments, the second ML algorithm includes at least one of: an auto-encoder deep-learning network architecture and a generative adversarial network (GAN) architecture. In some embodiments, the second ML algorithm is trained for input reconstruction, and wherein the second ML algorithm outputs a larger normalized loss for anomaly input in file-access traffic than for file-access traffic without anomalies. In some embodiments, an active learning mechanism is applied to update at least one detection model based on a user feedback loop. In some embodiments, a loss determined by the second ML algorithm is normalized (e.g., by the processor) based on the output of the first ML algorithm for the new input vector, wherein the output of the first ML algorithm is different from the output of the second ML algorithm for the second training dataset, and wherein the second ML algorithm is configured to allow a model trained in one installation to serve as a base model in another installation by normalizing the loss vectors of each installation.
- In some embodiments, a third ML algorithm is trained (e.g., by the processor) with a third training dataset including vectors representing network traffic such that the third ML algorithm detects at least one ransom attack property based on at least one communication pattern in the anomaly sampled network traffic, when the third ML algorithm receives a new input vector not in the third training dataset and representing sampled network traffic, and the third ML algorithm is applied on the sampled network traffic. In some embodiments, the at least one ransom attack property is determined based on highest interaction frequency with the file-access server.
- In some embodiments, the sampled network traffic is sampled on a network attached storage (NAS). In some embodiments, the sampled network traffic includes vectors each representing a different time interval.
- Embodiments of the invention include a device for determining file-access patterns in at least one computer network including a file-access server, the device including: a memory, to store a first training dataset, and a processor in communication with the computer network, wherein the processor is configured to: train a first machine learning (ML) algorithm with a first training dataset including vectors such that the first ML algorithm learns network characteristics associated with file-access traffic, when the first ML algorithm receives input vectors representing sampled network traffic, determine network characteristics associated with file-access traffic based on highest interaction of traffic with the file-access server compared to other interactions in the at least one computer network, and determine file-access patterns in the at least one computer network based on the network characteristics associated with file-access traffic.
- In some embodiments, the processor is configured to train a second ML algorithm with a second training dataset including vectors such that the second ML algorithm identifies an anomaly in the sampled network traffic based on the learned network characteristics, when the second ML algorithm receives a new input vector representing sampled network traffic, apply the second ML algorithm on the sampled network traffic, and determine a normalized difference between the new input vector and the vectors in the second training dataset, wherein a normalized difference that is larger than difference of the second training dataset corresponds to a file-access anomaly in the sampled network traffic.
- In some embodiments, the second ML algorithm includes at least one of: an auto-encoder deep-learning network architecture and a generative adversarial network (GAN) architecture. In some embodiments, the second ML algorithm is trained for input reconstruction, and wherein the second ML algorithm outputs a larger normalized loss for anomaly input in file-access traffic. In some embodiments, the processor is further configured to apply an active learning mechanism to update at least one detection model based on a user feedback loop. In some embodiments, the processor is further configured to normalize a loss determined by the second ML algorithm based on the output of the first ML algorithm for the new input vector being different from the output of the second ML algorithm for the second training dataset, wherein the second ML algorithm is configured to allow a model trained in one installation to serve as a base model in another installation by normalizing the loss vectors of each installation.
- In some embodiments, the processor is configured to train a third ML algorithm with a third training dataset including vectors such that the third ML algorithm detects at least one ransom attack property based on at least one communication pattern in the anomaly sampled network traffic, when the third ML algorithm receives a new input vector representing sampled network traffic, and apply a third ML algorithm on the sampled network traffic. In some embodiments, the at least one ransom attack property is determined based on highest interaction with the file-access server.
- In some embodiments, the sampled network traffic is sampled on a network attached storage (NAS). In some embodiments, the sampled network traffic includes vectors each representing a different time interval.
- There is thus provided, in accordance with some embodiments of the invention, a method of identifying an anomaly in at least one computer network including a file-access server, the method including: applying (e.g., by a processor) in communication with the computer network, a first machine learning (ML) algorithm trained to learn to determine network characteristics associated with sampled file-access traffic, wherein the network characteristics associated with file-access traffic are determined based on highest interaction with the file-access server, and applying (e.g., by the processor) a second ML algorithm trained to identify an anomaly in the sampled network traffic based on the determined network characteristics. In some embodiments, the anomaly is identified, using the second ML algorithm, based on a calculated normalized difference between training datasets and new sampled network traffic, and wherein a large normalized difference corresponds to a file-access anomaly in the sampled network traffic.
- In some embodiments, a third ML algorithm is applied (e.g., by the processor) to detect at least one ransom attack property based on at least one communication pattern in the anomaly sampled network traffic, where the at least one ransom attack property is determined based on largest interaction frequency with the file-access server.
- The subject matter regarded as the invention is particularly pointed out and distinctly claimed in the concluding portion of the specification. The invention, however, both as to organization and method of operation, together with objects, features, and advantages thereof, may best be understood by reference to the following detailed description when read with the accompanying drawings in which:
-
FIG. 1 shows a block diagram of an exemplary computing device, according to some embodiments of the invention; -
FIG. 2 shows a block diagram of a device for learning file-access patterns in at least one computer network including a file-access server, according to some embodiments of the invention; -
FIG. 3 shows a block diagram of a device for learning file-access patterns in at least one computer network including a file-access server, according to some embodiments of the invention; -
FIG. 4 shows a block diagram of a device for detection of at least one file-access anomaly of ransom attack property in the at least one computer network including a file-access server, according to some embodiments of the invention; and -
FIGS. 5A-5C show flowcharts of a method of determining file-access patterns in at least one computer network, the network including a file-access server, according to some embodiments of the invention. - It will be appreciated that, for simplicity and clarity of illustration, elements shown in the figures have not necessarily been drawn to scale. For example, the dimensions of some of the elements may be exaggerated relative to other elements for clarity. Further, where considered appropriate, reference numerals may be repeated among the figures to indicate corresponding or analogous elements.
- In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the invention. However, it will be understood by those skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known methods, procedures, and components, modules, units and/or circuits have not been described in detail so as not to obscure the invention. Some features or elements described with respect to one embodiment may be combined with features or elements described with respect to other embodiments. For the sake of clarity, discussion of same or similar features or elements may not be repeated.
- Although embodiments of the invention are not limited in this regard, discussions utilizing terms such as, for example, “processing”, “computing”, “calculating”, “determining”, “establishing”, “analyzing”, “checking”, or the like, may refer to operation(s) and/or process(es) of a computer, a computing platform, a computing system, or other electronic computing device, that manipulates and/or transforms data represented as physical (e.g., electronic) quantities within the computer's registers and/or memories into other data similarly represented as physical quantities within the computer's registers and/or memories or other information non-transitory storage medium that may store instructions to perform operations and/or processes. Although embodiments of the invention are not limited in this regard, the terms “plurality” and “a plurality” as used herein may include, for example, “multiple” or “two or more”. The terms “plurality” or “a plurality” may be used throughout the specification to describe two or more components, devices, elements, units, parameters, or the like. The term set when used herein may include one or more items. Unless explicitly stated, the method embodiments described herein are not constrained to a particular order or sequence. Additionally, some of the described method embodiments or elements thereof can occur or be performed simultaneously, at the same point in time, or concurrently.
- Reference is made to
FIG. 1, which is a schematic block diagram of an example computing device 100, according to some embodiments of the invention. Computing device 100 may include a controller or processor 105 (e.g., a central processing unit (CPU), a programmable controller, or any suitable computing or computational device), memory 120, storage 130, input devices 135 (e.g., a keyboard or touchscreen), output devices 140 (e.g., a display), and a communication unit 145 (e.g., a cellular transmitter or modem, a Wi-Fi communication unit, or the like) for communicating with remote devices via a computer communication network, such as, for example, the Internet. The computing device 100 may operate by executing an operating system 115 and/or executable code 125. Controller 105 may be configured to execute program code to perform operations described herein. The system described herein may include one or more computing devices 100, for example, to act as the various devices or the components shown in FIG. 2. For example, system 200 may be, or may include, computing device 100 or components thereof. -
Operating system 115 may be or may include any code segment or one or more code sets (e.g., one similar to executable code 125 described herein) designed and/or configured to perform tasks involving coordinating, scheduling, arbitrating, supervising, controlling or otherwise managing operation of computing device 100, for example, scheduling execution of software programs or enabling software programs or other modules or units to communicate. -
Memory 120 may be or may include, for example, a Random Access Memory (RAM), a read only memory (ROM), a Dynamic RAM (DRAM), a Synchronous DRAM (SD-RAM), a double data rate (DDR) memory chip, a Flash memory, a volatile memory, a non-volatile memory, a cache memory, a buffer, a short term memory unit, a long term memory unit, or other suitable memory units or storage units. Memory 120 may be or may include a plurality of, possibly different, memory units. Memory 120 may be a computer or processor non-transitory readable medium, or a computer non-transitory storage medium, e.g., a RAM. -
Executable code 125 may be any executable code, e.g., an application, a program, a process, task or script. Executable code 125 may be executed by controller 105, possibly under control of operating system 115. For example, executable code 125 may be a software application that performs methods as further described herein. Although, for the sake of clarity, a single item of executable code 125 is shown in FIG. 1, a system according to some embodiments of the invention may include a plurality of executable code segments similar to executable code 125 that may be stored in memory 120 and cause controller 105 to carry out methods described herein. -
Storage 130 may be or may include, for example, a hard disk drive, a universal serial bus (USB) device or other suitable removable and/or fixed storage unit. In some embodiments, some of the components shown in FIG. 1 may be omitted. For example, memory 120 may be a non-volatile memory having the storage capacity of storage 130. Accordingly, although shown as a separate component, storage 130 may be embedded or included in memory 120. -
Input devices 135 may be or may include a keyboard, a touch screen or pad, one or more sensors or any other or additional suitable input device. Any suitable number of input devices 135 may be operatively connected to computing device 100. Output devices 140 may include one or more displays or monitors and/or any other suitable output devices. Any suitable number of output devices 140 may be operatively connected to computing device 100. Any applicable input/output (I/O) devices may be connected to computing device 100, as shown by the blocks for input devices 135 and/or output devices 140. - Some embodiments of the invention may include an article such as a computer or processor non-transitory readable medium, or a computer or processor non-transitory storage medium, such as for example a memory, a disk drive, or a USB flash memory, encoding, including or storing instructions, e.g., computer-executable instructions, which, when executed by a processor or controller, carry out methods disclosed herein. For example, an article may include a storage medium such as
memory 120, computer-executable instructions such as executable code 125, and a controller such as controller 105. Such a non-transitory computer readable medium may be, for example, a memory, a disk drive, or a USB flash memory, encoding, including or storing instructions, e.g., computer-executable instructions, which, when executed by a processor or controller, carry out methods disclosed herein. The storage medium may include, but is not limited to, any type of disk, semiconductor devices such as read-only memories (ROMs) and/or random-access memories (RAMs), flash memories, electrically erasable programmable read-only memories (EEPROMs) or any type of media suitable for storing electronic instructions, including programmable storage devices. For example, in some embodiments, memory 120 is a non-transitory machine-readable medium. - A system according to some embodiments of the invention may include components such as, but not limited to, a plurality of central processing units (CPU) or any other suitable multi-purpose or specific processors or controllers (e.g., controllers similar to controller 105), a plurality of input units, a plurality of output units, a plurality of memory units, and a plurality of storage units. A system may additionally include other suitable hardware components and/or software components. In some embodiments, a system may include or may be, for example, a personal computer, a desktop computer, a laptop computer, a workstation, a server computer, a network device, or any other suitable computing device. For example, a system as described herein may include one or more
facility computing devices 100 and one or more remote server computers in active communication with the one or more facility computing devices 100, such as computing device 100, and in active communication with one or more portable or mobile devices such as smartphones, tablets and the like. - According to some embodiments, deep-learning technology (e.g., employing neural networks) is applied to infer “file-access” patterns based on network characteristics, and to detect ransomware attacks by discovering suspicious abnormal patterns in the inferred “file-access” patterns over time. The file-access traffic may include network communications within a computer network (e.g., of an organization) between users and file-access servers. A file-access pattern may be a pattern of data flow to network elements related to the file-access traffic. The file-access traffic pattern may include records, such as “ip_src”/“ip_dst”/“port_src”/“port_dst”, to be stored in the data-structure of the file-access pattern, where “ip_src” is the user's workstation IP address, “ip_dst” is the file-access server IP address, and “port_src”/“port_dst” are the source port and destination port used for the communication. For example, a file-access pattern may be a pattern of a particular port, in communication with a file-access server, that is being accessed (or where an interaction with the file-access server is identified) multiple times every hour. A network characteristic may be a feature of the network that is related to data flow, for instance network fields such as ports, protocols, IP addresses, etc. The “file-access” patterns may be learned based on sampled features that are included, or “built-in”, in the NAS gateways (e.g., sFlow and NetFlow sampling protocols); thus some embodiments do not require any hardware and/or software modifications to the network.
- For example, when a user's data is backed up, the respective backup protocol may be used to communicate between the user and backup servers. In many cases, the SMB (Server Message Block) protocol is used, thus the file-access pattern records may be, for example, (ip_src, ip_dst=1.1.1.1, port_src, port_dst=445), where ‘1.1.1.1’ denotes the backup server IP address and ‘445’ denotes the destination port of the communication, which is the SMB port. In another example, when a user is accessing a shared file which is stored in the file-access servers, the File-Transfer-Protocol (FTP) server may be used, such that the file-access pattern records may be (ip_src, ip_dst=2.2.2.2, port_src, port_dst=21), where ‘2.2.2.2’ denotes the file server IP and ‘21’ denotes the destination port of the communication, which is the FTP port. In these examples, the network characteristics are: backup port: 445, file transfer port: 21, backup IP: 1.1.1.1, file server IP: 2.2.2.2.
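These example records can be condensed into the network characteristics with a short sketch; the helper name and record layout below are illustrative assumptions, not part of the described embodiments:

```python
def extract_characteristics(records):
    """Collect destination ports and server IPs seen in file-access
    records of the form (ip_src, ip_dst, port_src, port_dst)."""
    ports, server_ips = set(), set()
    for ip_src, ip_dst, port_src, port_dst in records:
        ports.add(port_dst)       # e.g., 445 (SMB) or 21 (FTP)
        server_ips.add(ip_dst)    # e.g., backup or file server address
    return sorted(ports), sorted(server_ips)

records = [
    ("10.0.0.5", "1.1.1.1", 50000, 445),  # backup over SMB
    ("10.0.0.7", "2.2.2.2", 55000, 21),   # shared file over FTP
]
ports, servers = extract_characteristics(records)
# ports -> [21, 445]; servers -> ['1.1.1.1', '2.2.2.2']
```

The workstation source addresses and ephemeral source ports are deliberately dropped; only the server-side fields recur across sessions and are useful as characteristics.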
- A neural network (NN), e.g., a neural network implementing machine learning, may refer to an information processing paradigm that may include nodes, referred to as neurons, organized into layers, with links between the neurons. The links may transfer signals between neurons and may be associated with weights. A NN may be configured or trained for a specific task, e.g., pattern recognition or classification. Training a NN for the specific task may involve adjusting these weights based on examples. Each neuron of an intermediate or last layer may receive an input signal, e.g., a weighted sum of output signals from other neurons, and may process the input signal using a linear or nonlinear function (e.g., an activation function). The results of the input and intermediate layers may be transferred to other neurons, and the results of the output layer may be provided as the output of the NN. Typically, the neurons and links within a NN are represented by mathematical constructs, such as activation functions and matrices of data elements and weights. A processor, e.g., a CPU or graphics processing unit (GPU), or a dedicated hardware device, may perform the relevant calculations.
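As a minimal illustration of the neuron computation described above (a weighted sum of inputs passed through an activation function), here is a sketch assuming a ReLU activation; the function name is illustrative:

```python
def neuron(inputs, weights, bias):
    """Single neuron: weighted sum of inputs plus a bias, passed
    through a ReLU activation (one common nonlinear function)."""
    z = sum(i * w for i, w in zip(inputs, weights)) + bias
    return max(0.0, z)

# weighted sum: 1.0*0.5 + 2.0*(-0.25) + 0.1 = 0.1 -> ReLU keeps it
out = neuron([1.0, 2.0], [0.5, -0.25], 0.1)
```

Training adjusts the `weights` and `bias` values so that the network's outputs move closer to the target outputs on the training examples.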
- In some embodiments, the normal file-access pattern (e.g., normal file-access behavior without malicious attacks) may be learned to predict the file-access anomalies and ransom attacks using transfer learning carried out by normalizing the auto-encoder losses of each device in the network. The loss normalization may allow transforming different behaviors into a single framework that feeds a global ransom-detection model, thus agnostic to a specific deployment. Loss functions may be used to determine the error (or the loss) between the output of ML algorithms and the given target value, such that the loss function expresses how far the computed output is from the target value. Accordingly, the learning may keep improving from one NAS network to another, by normalizing calculated loss-vectors which measure the difference between the actual input and the auto-encoder reconstruction, yielding a high loss for abnormal file-access behavior (e.g., a ransom attack) while yielding a low loss for normal behavior. For example, loss normalization may be carried out by min-max scaling, norm scaling, etc.
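The loss computation and normalization described above might be sketched as follows, assuming a mean-absolute reconstruction loss and min-max scaling (the function names are illustrative, not from the embodiments):

```python
def reconstruction_loss(x, x_hat):
    """Mean absolute difference between an input vector and its
    auto-encoder reconstruction: small for normal traffic, large
    for traffic the model could not reconstruct."""
    return sum(abs(a - b) for a, b in zip(x, x_hat)) / len(x)

def min_max_normalize(losses):
    """Scale one device's losses to [0, 1] so that losses from
    different devices and networks become comparable."""
    lo, hi = min(losses), max(losses)
    return [(l - lo) / (hi - lo) for l in losses]

normal_loss = reconstruction_loss([1.0, 2.0], [1.1, 2.1])   # small
ransom_loss = reconstruction_loss([1.0, 2.0], [9.0, 8.0])   # large
scaled = min_max_normalize([normal_loss, ransom_loss])
```

After scaling, each device's losses live on a common range, which is what lets a single global detection model consume loss vectors from deployments with very different traffic volumes.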
- Reference is now made to
FIG. 2, which shows a block diagram of a device 200 for learning file-access patterns 211 in at least one computer network 20 including a file-access server 201, according to some embodiments. In FIG. 2, hardware elements are indicated with a solid line and the direction of arrows may indicate the direction of information flow. - The
device 200 may include a processor 202 (e.g., such as the controller 105 shown in FIG. 1) in active communication with at least one network 20. For example, the at least one network 20 may be a computer network with at least partial wireless communication (e.g., via Wi-Fi, Bluetooth, etc.). In some embodiments, the processor 202 may be actively connected to the at least one network 20 in order to sample the traffic there, though the processor 202 may or may not perform other functions of the at least one network 20. For instance, in some embodiments, the device 200 including the processor 202 may be a computing device physically connected to the at least one network 20 for network traffic sampling. - In some embodiments, the
processor 202 may analyze traffic (e.g., analyze network packets) passing through the at least one network 20 by analyzing a sample 203 of the traffic, such that the file-access patterns 211 may be learned from the retrieved traffic sample 203, as further described hereinafter. For example, the sampled network traffic may be sampled on the network gateways (routers, switches, etc.) of a network including the network attached storage (NAS). In some embodiments, the traffic sample 203 is converted into a vector, for example (ip_src, ip_dst, port_src, port_dst), as input for the machine learning algorithms used by the processor 202. - In some embodiments, the
processor 202 may sample traffic in a predefined location of the at least one network 20. For example, the processor 202 may be a router's processor which executes dedicated software to determine the file-access patterns 211, or the processor 202 may be connected to the router, and sample traffic in one or more predefined nodes of the at least one network 20. - In some embodiments, the
processor 202 may retrieve copies of network samples (e.g., randomly chosen packets) from between at least one network device or node of the at least one network 20 and the processor 202 (or another part of the at least one network 20). For example, the at least one network device or node may be a communication link, a single communication switch or server, a group of links and/or servers, and/or the total traffic in the network. In another example, the processor 202 may retrieve copies of randomly chosen packets from the servers, network gateways, switches, routers, and/or communication links. - According to some embodiments, the
device 200 includes a memory 204 configured to store a first training dataset 205 including vectors. For example, the dataset 205 may include vectors of network fields (e.g., ports, protocols, IP addresses, etc.) that have significant traffic interactions with file-access servers (e.g., the top 90th percentile). - The
processor 202 may train a first machine learning (ML) algorithm 206 with the first training dataset 205. The first ML algorithm 206 may be trained to learn to determine network characteristics 207 that are associated with file-access traffic, when the first ML algorithm 206 receives input vectors representing sampled network traffic 203. The traffic vector may be, for example, a time-ordered list of tuples consisting of network fields such as source-IP, destination-IP, source-port, destination-port, etc. Such a traffic vector may be, for instance: [(ip_src=‘1.1.1.1’, ip_dst=‘2.2.2.2’, port_src=50000, port_dst=445, time=‘10:00’), (ip_src=‘3.3.3.3’, ip_dst=‘4.4.4.4’, port_src=55000, port_dst=21, time=‘10:05’)]. - For example, the
first ML algorithm 206 may be trained with the first training dataset 205 to determine network characteristics or fields that have significant traffic interactions with file-access servers (e.g., the top 90th percentile). For example, the dataset 205 may include a specific protocol type that is always used for data flow in the file-access server, such that the characteristics of that protocol may be learned. After training, when the first ML algorithm 206 receives new input of sampled network traffic 203, the first ML algorithm 206 may determine network characteristics 207 (e.g., ports, protocols, IP addresses, etc.) that are associated with file-access traffic. - In some embodiments, to determine
network characteristics 207, the first ML algorithm 206 receives as input network traffic data and returns a list of network fields (or characteristics) that most significantly interact with the file-access servers 201. The traffic may be analyzed in the network attached storage (NAS), where the network file-access servers are deployed. For example, for the traffic vector: [(ip_src=‘1.1.1.1’, ip_dst=‘2.2.2.2’, port_src=50000, port_dst=445, time=‘10:00’), (ip_src=‘3.3.3.3’, ip_dst=‘4.4.4.4’, port_src=55000, port_dst=21, time=‘10:05’)], the determined network characteristics 207 may be the list [445, 21, ‘1.1.1.1’, ‘2.2.2.2’], where the backup port is 445, the file transfer port is 21, the backup IP is 1.1.1.1, and the file server IP is 2.2.2.2. - In some embodiments, the first ML algorithm 206 (e.g., an auto-encoder) may be trained with the
training dataset 205 for a particular day ‘i’, and the trained models of the auto-encoder may be used to infer on the following day ‘i+1’ and calculate loss vectors between the inference and the actual traffic. Thus, the first ML algorithm 206 may learn results of inference associated with smaller losses. For each new vector or network field, the norm of the vector may be calculated, and if the calculated norm is above a predefined threshold (e.g., corresponding to interactions with traffic or occurrences), then that field may be returned as the output. The first ML algorithm 206 may then converge to a set of network fields with significant traffic and stable patterns. - The
first ML algorithm 206 may be trained with the first training dataset 205 to determine network characteristics or fields that have significant traffic interactions with file-access servers. In some embodiments, the processor 202 is configured to determine network characteristics 207 associated with file-access traffic, based on, using, or by executing the first ML algorithm 206, and based on the highest interaction rate of traffic with the file-access server 201 compared to other interactions in the at least one computer network 20. Each port number may be associated with its proportion of the file-access traffic, meaning how much of the traffic (e.g., measured in percent) traversing the NAS gateways is associated with each port. Then, the port with the highest proportion may be considered as having the highest interaction rate. As one example, port 445 carries 80% of the traffic, port 21 carries 10%, ports 50000-60000 carry 5%, and all other ports carry 5%. In such a case, port 445 may be considered as having the highest interaction rate. - The highest interaction rate or most significant network fields may be autonomously learned as related to the file-access traffic, for example, learning that a particular port has the highest interaction rate. The autonomous learning by the
first ML algorithm 206 may allow an immediate “time-to-model”, in contrast to other machine-learning-based solutions that require a long training and fine-tuning period. - The
first ML algorithm 206 may automatically learn to determine network characteristics 207 as a set of features ‘V’ including network parameters related to file-access traffic, such as: ports, protocols, connections, etc. For example, for back-up traffic, the associated server message block (SMB) ports 137-139 and/or 445 may be learnt and used together with their associated IP addresses. Since every computer network 20 is different, with dedicated computing elements, the back-up traffic may be using different ports for different computer networks 20. - In some embodiments, the
processor 202 is configured to determine file-access patterns 211 in the at least one computer network 20 based on the network characteristics 207 associated with file-access traffic. - Reference is now made to
FIG. 3, which shows a block diagram of a device 300 for identifying anomalies 311 in at least one computer network 20 including a file-access server 201, according to some embodiments. In FIG. 3, hardware elements are indicated with a solid line and the direction of arrows may indicate the direction of information flow. In some embodiments, some elements of the device 300 may be similar to corresponding elements of the device 200 (shown in FIG. 2) that are indicated with the same numerals, for example the computer network 20, the file-access server 201, the processor 202, the first ML algorithm 206, etc. - According to some embodiments, the output of the
first ML algorithm 206 may be used for reconstruction of the file-access patterns 211, by a second ML algorithm 306 (e.g., a trained auto-encoder model), to identify anomalies and threats and accordingly yield small losses for “normal” file-access traffic and high losses for “ransom” traffic. The processor 202 may be configured to train the second ML algorithm 306 with a second training dataset 305 including vectors (e.g., stored at the memory 204). After training, when the second ML algorithm 306 receives a new input vector representing sampled network traffic 203, the second ML algorithm 306 may identify an anomaly 311 in the sampled network traffic 203 based on the learned network characteristics 207. For example, the sampled network traffic may be sampled in the network gateways of a network attached storage (NAS). - The
processor 202 may apply the second ML algorithm on the sampled network traffic 203 to determine a normalized difference 307 between the new input vector and a vector in the second training dataset 305 (for example, determine the average absolute difference of the new vector compared to a vector in the second training dataset 305). In some embodiments, a large normalized difference 307 between the new input vector and the vectors in the second training dataset 305 corresponds to a file-access anomaly 311 in the sampled network traffic 203. In some embodiments, the second ML algorithm 306 is trained for input reconstruction, and outputs a larger normalized loss for anomaly 311 input in file-access traffic. - In some embodiments, traffic aggregation metrics may be added to the set of features ‘V’ for
anomaly 311 detection. The second training dataset 305 may include feature sets ‘F’ from the training data, where ‘F’ may include an aggregation of traffic flows that were sampled in a specific window of time. Traffic flows, or sets of packets with a common property, may fall into several categories in the sample, for example: flows that are represented with a sufficient number of packets in the sample to provide reliable estimates of their frequencies in the total traffic; flows that appear in too few packets in the sample to provide a reliable estimate of their frequency in the total traffic; and flows that appear in the traffic but do not appear in any packet in the sample.
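The three sample categories above can be illustrated with a simple count threshold; the threshold value and helper name are assumptions for illustration:

```python
def classify_flows(flow_counts, min_reliable):
    """Split flows by how often they appear in the packet sample:
    reliably estimated, under-sampled, or missing entirely."""
    reliable = sorted(f for f, c in flow_counts.items() if c >= min_reliable)
    sparse = sorted(f for f, c in flow_counts.items() if 0 < c < min_reliable)
    absent = sorted(f for f, c in flow_counts.items() if c == 0)
    return reliable, sparse, absent

# packets observed per flow in one sampling window (illustrative)
counts = {"flowA": 120, "flowB": 3, "flowC": 0}
reliable, sparse, absent = classify_flows(counts, min_reliable=10)
# reliable -> ['flowA'], sparse -> ['flowB'], absent -> ['flowC']
```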
- The feature set ‘F’ may also include descriptive features related to file-access traffic such as spread of recorded file-access related traffic over various network fields (e.g., ports, IP addresses, protocols, etc.) as previously learnt. For example, the proportion of samples coming to and/or from port ‘i’ (e.g., port 445 for proportion of SMB traffic) may be estimated. In another example, the proportion of samples broadcasted over protocol ‘j’ may be estimated.
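Such general per-window features might be sketched as follows (the feature names are assumed for illustration):

```python
def general_features(flows_now, flows_prev):
    """Per-window general features: how many flows appear in the
    sample and how many are new relative to the previous window."""
    now, prev = set(flows_now), set(flows_prev)
    return {"n_flows": len(now), "n_new": len(now - prev)}

feats = general_features(["a", "b", "c"], ["a"])
# feats -> {'n_flows': 3, 'n_new': 2}
```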
- Instead of using only the current time-window as input, the input data may include ‘N’ vectors (time intervals), including ‘N1’ vectors prior to the current time and ‘N2’ vectors after the current time, for instance in a sliding-window. For example, if N1=10 and N2=0 then a sliding-window of the last 10 time intervals may be used as input, where each interval has its corresponding feature sets ‘F’.
- In some embodiments, the
second ML algorithm 306 includes at least one of: an auto-encoder deep-learning network architecture and a generative adversarial network (GAN) architecture. In some embodiments, different number of layers, sizes and architectures may be used, for example a multiplicative factor may be used to increase the hidden state size of each layer while keeping the same ratio between layers. Layer regularizations and/or dropouts may also be added to prevent training' overfitting. - For example, the
second ML algorithm 306 may include an auto-encoder network with four hidden layers, where each layer is a long-short-term-memory (LSTM) of sizes 2, 4, 8 and 16, that are compressed into a latent-space representation. The decoder may include three symmetrical LSTM hidden layers of sizes 4, 8 and 16 which aim to reconstruct the input from the latent representation. The activation of each layer may be with a rectified linear unit (ReLU). - In some embodiments, training losses are calculated using mean-average-error (MAE) or its normalized variation which normalizes the loss to prevent fluctuations due to high input values. Accordingly, network optimization may be carried out using a stochastic gradient descent algorithm such as the ‘Adam Optimization Algorithm’ that can handle sparse gradients on noisy problems successfully. The loss vectors may be normalized to create a baseline of the training losses. For example, if the loss vectors are [1],[10],[0] then a simple min-max baseline is {MAX: 10, MIN: 0} such that a new value of 20 will be normalized to 2.
- In some embodiments, the
processor 202 is configured to apply an active learning mechanism to update at least one detection model based on a user feedback loop. For example, when a threat is detected, the user has an option to give feedback on the detected threat (e.g., indicating this was unusual, but yet a known backup procedure). Then, the normalized loss vectors associated with this detection may be tagged as “normal” and accordingly update thesecond ML algorithm 306 such that similar patterns may not be raised as alarms in the future. The normalization is carried out to transform the loss vectors of different network devices that belong to different networks with possibly varying characteristics, properties and behaviors to a unified language that is used hereinafter for the global detection models. - According to some embodiments,
processor 202 is configured to normalize a loss determined by thesecond ML algorithm 306 based on the output of thefirst ML algorithm 206 for the new input vector being different from the output of thesecond ML algorithm 306 for thesecond training dataset 305. Thesecond ML algorithm 306 may be configured to allow a model trained in one installation to serve as a base model in another installation by normalizing the loss vectors of each installation. - For example, during file-access pattern training, the input training data may be received from the
second training dataset 305, and the output is the auto-encoder models and baseline. The feature sets ‘F’ are calculated and the auto-encoder models are trained on the calculated features ‘F’. The trained models are used to calculate final loss vectors ‘LF’ and the final loss vectors ‘LF’ may be normalized to create a baseline. For example, the actual inputs for ‘F’ may be {F1 . . . FN}, the auto-encoder reconstruction may be {{circumflex over (F)}1 . . . {circumflex over (F)}N}, and the loss vectors may be calculated (e.g., calculate |{circumflex over (F)}i−Fi| for every ‘i’). The loss vectors may be normalized to generate a baseline of the training losses. For example, if the final loss vectors ‘LF’ are [1],[10],[0] then a simple min-max baseline is {MAX: 10, MIN: 0} such that a new value of 20 may be normalized to 2. - In another example, during file-access pattern inferring, the input is a datapoint ‘Z’ representing sampled traffic, the trained auto-encoder model, and the normalized baseline model. The output is at least one normalized loss vector. The feature sets ‘Z’, are calculated and the trained auto-encoder models on ‘Z’ to calculate the loss vector ‘LZ’. The final loss vectors ‘LZ’ may be normalized per baseline to get the normalized features as the output. For example, datapoint ‘Z’ may include a time-ordered list of tuples, consisting of network fields such as source-IP, destination-IP, source-port, destination-port, etc.: [(ip_src=‘1.1.1.1’, ip_dst=‘2.2.2.2’, port_src=50000, port_dst=445, time=‘10:00’), (ip_src=‘3.3.3.3’, ip_dst=‘4.4.4.4’, port_src=55000, port_dst=21, time=‘10:05’)].
- Reference is now made to
FIG. 4, which shows a block diagram of a device 400 for detection of at least one file-access anomaly or ransom attack property 411 in the at least one computer network 20 including a file-access server 201, according to some embodiments. In FIG. 4, hardware elements are indicated with a solid line and the direction of arrows may indicate the direction of information flow. In some embodiments, some elements of the device 400 may be similar to corresponding elements of the device 200 (shown in FIG. 2) or the device 300 (shown in FIG. 3) that are indicated with the same numerals, for example the computer network 20, the file-access server 201, the processor 202, the first ML algorithm 206, etc. - According to some embodiments, the
processor 202 is configured to train a third ML algorithm 406 with a third training dataset 405 including vectors. The third ML algorithm 406 may detect at least one file-access anomaly or ransom attack property 411 based on at least one communication pattern 407 in the anomaly sampled network traffic 203, when the third ML algorithm receives a new input vector representing sampled network traffic. For example, the sampled network traffic may be sampled on a network attached storage (NAS). - In some embodiments, the at least one file-access anomaly or
ransom attack property 411 is determined based on highest interaction with the file-access server 201. The highest interaction or most significant network fields may be autonomously learned as related to the file-access traffic, for example, learning that a particular port has the highest interaction rate. - The input of the
third ML algorithm 406 may be the normalized loss vector from the second ML algorithm 306, in order to detect and classify threats in a generic way which is agnostic to the specific deployment while continuing to learn and evolve with any new customer. - In some embodiments, the
third training dataset 405 may include both normal traffic and traffic with known threats. For each third training dataset 405, the auto-encoder model may be created with a baseline by training on normal traffic only. Then, the trained models may be applied with the third ML algorithm 406 on the threat traffic to create the normalized loss vectors of each datapoint with their threat tagging, such that normal traffic or threats (e.g., ransom attacks) are detected. In some embodiments, the threat vectors may be concatenated to create the final dataset of loss vectors and threats among the various devices in the computer network 20, such that the output of the second ML algorithm 306 may be used to train the third ML algorithm 406 to detect whether the loss vectors are associated with normal file-access traffic or a threat. - In some embodiments, the global models of the
third ML algorithm 406 may be feed-forward neural networks with one hidden layer, where the output layer of the third ML algorithm 406 may be of size 2, denoting “normal” or “threat”, while the output layer of a classifier may further denote various threat types. A classifier may include a classification model used to infer the file-access anomaly or ransom attack properties and root-cause information that have the largest deviations from their training state. For example, the third ML algorithm 406 may include an auto-encoder structure with a hidden layer of size 16 and an output layer of size 2 (where all sizes reflect the number of neurons). In some embodiments, the classifier may be implemented as a separate fourth ML algorithm, together with the detector ML algorithm. - In some embodiments, the
third ML algorithm 406 includes a detector module and a classifier module. The third ML algorithm 406 may include one or more feed-forward neural networks with one hidden layer, for instance where the detector's output layer may be of size 2, denoting “normal” or “threat”, while the classifier's output layer may denote various threat types. For example, the detector network structure may include a hidden layer of size 16 and an output layer of size 2 (e.g., where all sizes reflect the number of neurons). In another example, the model may classify the type of the detected anomaly as “ransomware attack over port 445” by observing a significantly higher number of packets entering the network over port 445, which may result in a large deviation of the feature associated with port 445 from its training state. - In some embodiments, the
third ML algorithm 406 may employ a feedback loop. For example, when a threat is detected, the user has an option to give feedback on it, for instance indicating that this was indeed an unusual, but known, heavy backup procedure. Then, the normalized loss vectors associated with this detection may be immediately tagged as “normal” and trigger a new run of the third ML algorithm 406, such that similar patterns 407 may not be raised as alarms in the future, including in other customers' networks. In contrast, when the user's feedback acknowledges the threat, the respective normalized vectors may be tagged as “threat” and also trigger a new run of the third ML algorithm 406 to make sure similar patterns (even if not the exact same patterns) 407 do not go unnoticed. - Reference is now made to
FIGS. 5A-5C, which show flowcharts of a method of determining file-access patterns in at least one computer network, the network including a file-access server, according to some embodiments. - In
Step 501, a first machine learning (ML) algorithm may be trained (e.g., by the processor 202 in communication with the computer network 20, as shown in FIGS. 2-4) with a first training dataset including vectors representing network traffic, such that the first ML algorithm learns network characteristics associated with file-access traffic. - In
Step 502, network characteristics may be determined (e.g., by the processor 202) based on highest interaction of traffic with the file-access server compared to other interactions in the at least one computer network. - In
Step 503, file-access patterns may be determined (e.g., by the processor 202) in the at least one computer network based on the network characteristics associated with file-access traffic. - In
Step 504, a second ML algorithm may be trained (e.g., by the processor 202) with a second training dataset including vectors, such that the second ML algorithm identifies a file-access anomaly in the sampled network traffic based on the network characteristics learned by the first ML algorithm. In Step 505, a normalized difference may be determined (e.g., by the processor 202) between a new input vector representing sampled network traffic and the vectors in the second training dataset, wherein an anomaly is identified when the normalized difference is larger than the differences observed over the second training dataset.
- In Step 506, a third ML algorithm may be trained (e.g., by the processor 202) with a third training dataset including vectors, such that the third ML algorithm detects at least one ransom attack property based on at least one communication pattern in the anomaly sampled network traffic, when the third ML algorithm receives a new input vector not in the third training dataset and representing sampled network traffic. The third ML algorithm may be applied on the sampled network traffic, where the at least one ransom attack property is determined based on the highest interaction with the file-access server; for example, the at least one ransom attack property may be determined according to the property with the highest interaction (e.g., the frequency of interactions with the file-access server) during the attack, such as the port number.
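Steps 505 and 506 above can be sketched end to end as follows. The thresholding scheme (comparing against the maximum training difference) and the field names are illustrative assumptions, not the claimed implementation.

```python
# Illustrative sketch (assumed details, not the claimed implementation):
# Step 505 flags an anomaly when a new input vector's normalized
# difference exceeds the largest difference observed over the second
# training dataset, and Step 506 attributes the ransom attack property
# to the field value (here, the destination port) with the highest
# interaction frequency with the file-access server during the attack.
from collections import Counter

def is_anomaly(new_difference, training_differences):
    """Step 505: compare against the training-set differences."""
    return new_difference > max(training_differences)

def ransom_attack_property(records):
    """Step 506: pick the destination port with the highest interaction count."""
    counts = Counter(r["port_dst"] for r in records)
    port, _ = counts.most_common(1)[0]
    return f"highest interaction over port {port}"

training_differences = [0.2, 0.5, 0.3]
anomalous = is_anomaly(0.9, training_differences)   # exceeds the training max
traffic = [
    {"ip_src": "1.1.1.1", "ip_dst": "2.2.2.2", "port_dst": 445},
    {"ip_src": "3.3.3.3", "ip_dst": "2.2.2.2", "port_dst": 445},
    {"ip_src": "4.4.4.4", "ip_dst": "2.2.2.2", "port_dst": 21},
]
prop = ransom_attack_property(traffic)
```

Here port 445 (SMB, a common file-access port) dominates the sampled records, so it is reported as the attack property.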
- According to some embodiments, by monitoring NAS device traffic, the applied ML algorithms may be completely agnostic to the malware and/or ransom type and characteristics, as well as robust to variations and changes in the attack that may cause current rule-based tools to fail to detect the attack.
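The detector structure described earlier (a feed-forward network with one hidden layer of 16 neurons and an output layer of 2 neurons denoting “normal” or “threat”) can be sketched as a forward pass. The input size and the random, untrained weights are assumptions for illustration only.

```python
# Sketch of the detector described above (illustrative assumptions: input
# size, random untrained weights): a feed-forward network with one hidden
# layer of 16 neurons and an output layer of 2 neurons denoting "normal"
# or "threat".
import numpy as np

rng = np.random.default_rng(0)
n_features = 8                           # assumed size of a normalized loss vector
W1 = rng.normal(size=(n_features, 16))   # hidden layer of size 16
b1 = np.zeros(16)
W2 = rng.normal(size=(16, 2))            # output layer of size 2
b2 = np.zeros(2)

def detect(loss_vector):
    """Forward pass: returns "normal" or "threat" for one loss vector."""
    hidden = np.tanh(loss_vector @ W1 + b1)
    logits = hidden @ W2 + b2
    probs = np.exp(logits) / np.exp(logits).sum()   # softmax over the 2 classes
    return ["normal", "threat"][int(np.argmax(probs))]

label = detect(np.zeros(n_features))   # zero input gives equal logits, class 0
```

In practice the weights would be learned from the tagged loss-vector dataset; the random weights here only illustrate the layer shapes.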
- While certain features of the invention have been illustrated and described herein, many modifications, substitutions, changes, and equivalents may occur to those skilled in the art. It is, therefore, to be understood that the appended claims are intended to cover all such modifications and changes as fall within the invention.
- Various embodiments have been presented. Each of these embodiments may, of course, include features from other embodiments presented, and embodiments not specifically described may include various features described herein.
Claims (20)
1. A method of determining file-access patterns in at least one computer network, the network comprising a file-access server, the method comprising:
training, by a processor in communication with the computer network, a first machine learning (ML) algorithm with a first training dataset comprising vectors representing network traffic such that the first ML algorithm learns to determine network characteristics associated with file-access traffic;
using the first ML algorithm, determining, by the processor, network characteristics based on highest interaction of traffic with the file-access server compared to other interactions in the at least one computer network; and
determining, by the processor, file-access patterns in the at least one computer network based on the network characteristics associated with file-access traffic.
2. The method of claim 1, further comprising:
training, by the processor, a second ML algorithm with a second training dataset comprising vectors representing network traffic such that the second ML algorithm identifies a file-access anomaly in the sampled network traffic based on the network characteristics learned by the first ML algorithm;
determining, by the processor, a normalized difference between a new input vector representing sampled network traffic and the vectors in the second training dataset, wherein the anomaly is identified when a normalized difference that is larger than difference between the new input vector and the vectors in the second training dataset is determined.
3. The method of claim 1, further comprising:
training, by the processor, a third ML algorithm with a third training dataset comprising vectors representing network traffic such that the third ML algorithm detects at least one ransom attack property based on at least one communication pattern in the anomaly sampled network traffic, when the third ML algorithm receives a new input vector not in the third training dataset and representing sampled network traffic; and
applying the third ML algorithm on the sampled network traffic,
wherein the at least one ransom attack property is determined based on highest interaction frequency with the file-access server.
4. The method of claim 1, further comprising applying an active learning mechanism to update at least one detection model based on a user feedback loop.
5. The method of claim 1, wherein the sampled network traffic is sampled on a network attached storage (NAS).
6. The method of claim 1, wherein the sampled network traffic comprises vectors each representing a different time interval.
7. A method of determining an anomaly in at least one computer network, the network comprising a file-access server, the method comprising:
training, by a processor in communication with the computer network, a second ML algorithm with a second training dataset comprising vectors representing network traffic such that the second ML algorithm identifies a file-access anomaly in the sampled network traffic based on network characteristics associated with file-access traffic; and
determining, by the processor, a normalized difference between a new input vector representing sampled network traffic and the vectors in the second training dataset, wherein the anomaly is identified when a normalized difference that is larger than difference between the new input vector and the vectors in the second training dataset is determined.
8. The method of claim 7, wherein the second ML algorithm comprises at least one of: an auto-encoder deep-learning network architecture and a generative adversarial network (GAN) architecture.
9. The method of claim 7, wherein the second ML algorithm is trained for input reconstruction, and wherein the second ML algorithm outputs a larger normalized loss for anomaly input in file-access traffic than for file-access traffic without anomalies.
10. The method of claim 7, further comprising normalizing, by the processor, a loss determined by the second ML algorithm based on the output of the first ML algorithm for the new input vector, wherein the output of the first ML algorithm is different from the output of the second ML algorithm for the second training dataset, and wherein the second ML algorithm is configured to allow a model trained in one installation to serve as a base model in another installation by normalizing the loss vectors of each installation.
11. The method of claim 7, further comprising:
training, by a processor in communication with the computer network, a first machine learning (ML) algorithm with a first training dataset comprising vectors representing network traffic such that the first ML algorithm learns to determine network characteristics associated with file-access traffic;
using the first ML algorithm, determining, by the processor, network characteristics based on highest interaction of traffic with the file-access server compared to other interactions in the at least one computer network; and
determining, by the processor, file-access patterns in the at least one computer network based on the network characteristics associated with file-access traffic.
12. The method of claim 7, further comprising:
training, by the processor, a third ML algorithm with a third training dataset comprising vectors representing network traffic such that the third ML algorithm detects at least one ransom attack property based on at least one communication pattern in the anomaly sampled network traffic, when the third ML algorithm receives a new input vector not in the third training dataset and representing sampled network traffic; and
applying the third ML algorithm on the sampled network traffic,
wherein the at least one ransom attack property is determined based on highest interaction frequency with the file-access server.
13. The method of claim 7, further comprising applying an active learning mechanism to update at least one detection model based on a user feedback loop.
14. The method of claim 7, wherein the sampled network traffic is sampled on a network attached storage (NAS).
15. The method of claim 7, wherein the sampled network traffic comprises vectors each representing a different time interval.
16. A method of determining at least one ransom attack property in at least one computer network, the network comprising a file-access server, the method comprising:
training, by a processor in communication with the computer network, a third ML algorithm with a third training dataset comprising vectors representing network traffic such that the third ML algorithm detects at least one ransom attack property based on at least one communication pattern in a sampled network traffic, when the third ML algorithm receives a new input vector not in the third training dataset and representing sampled network traffic; and
applying the third ML algorithm on the sampled network traffic,
wherein the at least one ransom attack property is determined based on highest interaction frequency with the file-access server.
17. The method of claim 16, further comprising:
training, by the processor, a first machine learning (ML) algorithm with a first training dataset comprising vectors representing network traffic such that the first ML algorithm learns to determine network characteristics associated with file-access traffic;
using the first ML algorithm, determining, by the processor, network characteristics based on highest interaction of traffic with the file-access server compared to other interactions in the at least one computer network; and
determining, by the processor, file-access patterns in the at least one computer network based on the network characteristics associated with file-access traffic.
18. The method of claim 16, further comprising:
training, by the processor, a second ML algorithm with a second training dataset comprising vectors representing network traffic such that the second ML algorithm identifies a file-access anomaly in the sampled network traffic based on the network characteristics learned by the first ML algorithm;
determining, by the processor, a normalized difference between a new input vector representing sampled network traffic and the vectors in the second training dataset, wherein the anomaly is identified when a normalized difference that is larger than difference between the new input vector and the vectors in the second training dataset is determined.
19. The method of claim 16, further comprising applying an active learning mechanism to update at least one detection model based on a user feedback loop.
20. The method of claim 16, wherein the sampled network traffic comprises vectors each representing a different time interval.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US18/351,795 US20230370481A1 (en) | 2019-11-26 | 2023-07-13 | System and method for determining a file-access pattern and detecting ransomware attacks in at least one computer network |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201962940266P | 2019-11-26 | 2019-11-26 | |
US17/104,190 US11716338B2 (en) | 2019-11-26 | 2020-11-25 | System and method for determining a file-access pattern and detecting ransomware attacks in at least one computer network |
US18/351,795 US20230370481A1 (en) | 2019-11-26 | 2023-07-13 | System and method for determining a file-access pattern and detecting ransomware attacks in at least one computer network |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/104,190 Continuation US11716338B2 (en) | 2019-11-26 | 2020-11-25 | System and method for determining a file-access pattern and detecting ransomware attacks in at least one computer network |
Publications (1)
Publication Number | Publication Date |
---|---|
US20230370481A1 (en) | 2023-11-16 |
Family
ID=75975262
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/104,190 Active 2041-10-16 US11716338B2 (en) | 2019-11-26 | 2020-11-25 | System and method for determining a file-access pattern and detecting ransomware attacks in at least one computer network |
US18/351,795 Pending US20230370481A1 (en) | 2019-11-26 | 2023-07-13 | System and method for determining a file-access pattern and detecting ransomware attacks in at least one computer network |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/104,190 Active 2041-10-16 US11716338B2 (en) | 2019-11-26 | 2020-11-25 | System and method for determining a file-access pattern and detecting ransomware attacks in at least one computer network |
Country Status (1)
Country | Link |
---|---|
US (2) | US11716338B2 (en) |
US20210055907A1 (en) * | 2019-08-21 | 2021-02-25 | Micron Technology, Inc. | Intelligent audio control in vehicles |
US20210053574A1 (en) * | 2019-08-21 | 2021-02-25 | Micron Technology, Inc. | Monitoring controller area network bus for vehicle control |
US20210067548A1 (en) * | 2019-08-26 | 2021-03-04 | The Western Union Company | Detection of malicious activity within a network |
US20210073127A1 (en) * | 2019-09-05 | 2021-03-11 | Micron Technology, Inc. | Intelligent Optimization of Caching Operations in a Data Storage Device |
US20210072911A1 (en) * | 2019-09-05 | 2021-03-11 | Micron Technology, Inc. | Intelligent Write-Amplification Reduction for Data Storage Devices Configured on Autonomous Vehicles |
US20210073063A1 (en) * | 2019-09-05 | 2021-03-11 | Micron Technology, Inc. | Predictive Management of Failing Portions in a Data Storage Device |
US20210072901A1 (en) * | 2019-09-05 | 2021-03-11 | Micron Technology, Inc. | Bandwidth Optimization for Different Types of Operations Scheduled in a Data Storage Device |
US20210072921A1 (en) * | 2019-09-05 | 2021-03-11 | Micron Technology, Inc. | Intelligent Wear Leveling with Reduced Write-Amplification for Data Storage Devices Configured on Autonomous Vehicles |
US20210099474A1 (en) * | 2019-09-30 | 2021-04-01 | Mcafee, Llc | Methods and apparatus to perform malware detection using a generative adversarial network |
US20210103580A1 (en) * | 2018-12-13 | 2021-04-08 | DataRobot, Inc. | Methods for detecting and interpreting data anomalies, and related systems and devices |
US20210126931A1 (en) * | 2019-10-25 | 2021-04-29 | Cognizant Technology Solutions India Pvt. Ltd | System and a method for detecting anomalous patterns in a network |
US20210216627A1 (en) * | 2019-11-22 | 2021-07-15 | Pure Storage, Inc. | Mitigation of Malicious Operations with Respect to Storage Structures |
US20210216630A1 (en) * | 2019-11-22 | 2021-07-15 | Pure Storage, Inc. | Extensible Attack Monitoring by a Storage System |
US11082441B1 (en) * | 2020-03-09 | 2021-08-03 | Flexxon Pte Ltd | Systems and methods for detecting data anomalies by analysing morphologies of known and/or unknown cybersecurity threats |
US20210264028A1 (en) * | 2018-06-25 | 2021-08-26 | Université Du Luxembourg | Method for preventing ransomware attacks on computing systems |
US11159407B2 (en) * | 2019-10-15 | 2021-10-26 | At&T Intellectual Property I, L.P. | Detection of unauthorized cryptomining |
US20210365769A1 (en) * | 2019-03-11 | 2021-11-25 | Lg Electronics Inc. | Artificial intelligence apparatus for controlling auto stop system based on driving information and method for the same |
US11269622B2 (en) * | 2019-06-28 | 2022-03-08 | Intel Corporation | Methods, systems, articles of manufacture, and apparatus for a context and complexity-aware recommendation system for improved software development efficiency |
US11323469B2 (en) * | 2014-06-23 | 2022-05-03 | Hewlett Packard Enterprise Development Lp | Entity group behavior profiling |
US11368432B2 (en) * | 2017-07-06 | 2022-06-21 | Crowd Strike, Inc. | Network containment of compromised machines |
US11374944B2 (en) * | 2018-12-19 | 2022-06-28 | Cisco Technology, Inc. | Instant network threat detection system |
US20220232024A1 (en) * | 2017-11-27 | 2022-07-21 | Lacework, Inc. | Detecting deviations from typical user behavior |
US20220261506A1 (en) * | 2019-07-16 | 2022-08-18 | Ctm Insights Llc | Methods for determining data integrity using overlapping regions |
US11436328B1 (en) * | 2017-02-24 | 2022-09-06 | Acronis International Gmbh | Systems and methods of safeguarding user data |
US11449607B2 (en) * | 2019-08-07 | 2022-09-20 | Rubrik, Inc. | Anomaly and ransomware detection |
US20220311794A1 (en) * | 2017-11-27 | 2022-09-29 | Lacework, Inc. | Monitoring a software development pipeline |
US20230105500A1 (en) * | 2019-08-07 | 2023-04-06 | Rubrik, Inc. | Anomaly and ransomware detection |
US11693963B2 (en) * | 2019-08-13 | 2023-07-04 | International Business Machines Corporation | Automatic ransomware detection with an on-demand file system lock down and automatic repair function |
Family Cites Families (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6208640B1 (en) | 1998-02-27 | 2001-03-27 | David Spell | Predictive bandwidth allocation method and apparatus |
US20110238855A1 (en) | 2000-09-25 | 2011-09-29 | Yevgeny Korsunsky | Processing data flows with a data flow processor |
US7099438B2 (en) | 2002-06-14 | 2006-08-29 | Ixia | Multi-protocol, multi-interface communications device testing system |
AU2003282786A1 (en) | 2002-08-30 | 2004-03-19 | Racom Products | Modular analog wireless data telemetry system adapted for use with web based location information distribution method and method for developing and disseminating information for use therewith |
CN101167079B (en) | 2006-03-29 | 2010-11-17 | 日本三菱东京日联银行股份有限公司 | User affirming device and method |
US8713190B1 (en) | 2006-09-08 | 2014-04-29 | At&T Intellectual Property Ii, L.P. | Method and apparatus for performing real time anomaly detection |
US7924739B2 (en) | 2008-12-22 | 2011-04-12 | At&T Intellectual Property I, L.P. | Method and apparatus for one-way passive loss measurements using sampled flow statistics |
US8335160B2 (en) | 2010-03-30 | 2012-12-18 | Telefonaktiebolaget L M Ericsson (Publ) | Flow sampling with top talkers |
US8509072B2 (en) | 2011-03-07 | 2013-08-13 | Comcast Cable Communications, Llc | Network congestion analysis |
US9288220B2 (en) | 2013-11-07 | 2016-03-15 | Cyberpoint International Llc | Methods and systems for malware detection |
US9674207B2 (en) | 2014-07-23 | 2017-06-06 | Cisco Technology, Inc. | Hierarchical attack detection in a network |
CN104253819A (en) | 2014-10-14 | 2014-12-31 | 活点信息技术有限公司 | Smart city cloud security architecture |
CN107465643A (en) | 2016-06-02 | 2017-12-12 | 国家计算机网络与信息安全管理中心 | A deep learning-based network traffic classification method |
US20180048693A1 (en) | 2016-08-09 | 2018-02-15 | The Joan and Irwin Jacobs Technion-Cornell Institute | Techniques for secure data management |
CA2943131C (en) | 2016-09-26 | 2020-01-14 | The Toronto-Dominion Bank | Automatic provisioning of services to network-connected devices |
WO2018069928A1 (en) | 2016-10-10 | 2018-04-19 | Technion Research & Development Foundation Limited | Mts sketch for accurate estimation of set-expression cardinalities from small samples |
US10212182B2 (en) | 2016-10-14 | 2019-02-19 | Cisco Technology, Inc. | Device profiling for isolation networks |
US10567409B2 (en) | 2017-03-20 | 2020-02-18 | Nec Corporation | Automatic and scalable log pattern learning in security log analysis |
US10785244B2 (en) | 2017-12-15 | 2020-09-22 | Panasonic Intellectual Property Corporation Of America | Anomaly detection method, learning method, anomaly detection device, and learning device |
SG11202007312YA (en) | 2018-02-07 | 2020-08-28 | Hochschule Anhalt | Method of adaptive route selection in a node of a wireless mesh communication network corresponding apparatus for performing the method of adaptive route selection and corresponding computer program |
- 2020-11-25 — US application US 17/104,190 filed; granted as US11716338B2 (status: Active)
- 2023-07-13 — US application US 18/351,795 filed; published as US20230370481A1 (status: Pending)
Patent Citations (133)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040225627A1 (en) * | 1999-10-25 | 2004-11-11 | Visa International Service Association, A Delaware Corporation | Synthesis of anomalous data to create artificial feature sets and use of same in computer network intrusion detection systems |
US20020133586A1 (en) * | 2001-01-16 | 2002-09-19 | Carter Shanklin | Method and device for monitoring data traffic and preventing unauthorized access to a network |
US20020107953A1 (en) * | 2001-01-16 | 2002-08-08 | Mark Ontiveros | Method and device for monitoring data traffic and preventing unauthorized access to a network |
US20090144545A1 (en) * | 2007-11-29 | 2009-06-04 | International Business Machines Corporation | Computer system security using file system access pattern heuristics |
US20100058122A1 (en) * | 2008-09-03 | 2010-03-04 | Matthew Charles Compton | Apparatus, system, and method for automated error priority determination of call home records |
US20100162400A1 (en) * | 2008-12-11 | 2010-06-24 | Scansafe Limited | Malware detection |
US20130263272A1 (en) * | 2009-01-17 | 2013-10-03 | Stopthehacker.com, Jaal LLC | Automated identification of phishing, phony and malicious web sites |
US8401982B1 (en) * | 2010-01-14 | 2013-03-19 | Symantec Corporation | Using sequencing and timing information of behavior events in machine learning to detect malware |
US8479276B1 (en) * | 2010-12-29 | 2013-07-02 | Emc Corporation | Malware detection using risk analysis based on file system and network activity |
US20160234167A1 (en) * | 2011-07-26 | 2016-08-11 | Light Cyber Ltd. | Detecting anomaly action within a computer network |
US20150052606A1 (en) * | 2011-10-14 | 2015-02-19 | Telefonica, S.A. | Method and a system to detect malicious software |
US20140090061A1 (en) * | 2012-09-26 | 2014-03-27 | Northrop Grumman Systems Corporation | System and method for automated machine-learning, zero-day malware detection |
US20160055410A1 (en) * | 2012-10-19 | 2016-02-25 | Pearson Education, Inc. | Neural networking system and methods |
US9317686B1 (en) * | 2013-07-16 | 2016-04-19 | Trend Micro Inc. | File backup to combat ransomware |
US9166993B1 (en) * | 2013-07-25 | 2015-10-20 | Symantec Corporation | Anomaly detection based on profile history and peer history |
US20170126724A1 (en) * | 2014-06-06 | 2017-05-04 | Nippon Telegraph And Telephone Corporation | Log analyzing device, attack detecting device, attack detection method, and program |
US11323469B2 (en) * | 2014-06-23 | 2022-05-03 | Hewlett Packard Enterprise Development Lp | Entity group behavior profiling |
US9942254B1 (en) * | 2014-07-10 | 2018-04-10 | ThetaRay Ltd. | Measure based anomaly detection |
US10027689B1 (en) * | 2014-09-29 | 2018-07-17 | Fireeye, Inc. | Interactive infection visualization for improved exploit detection and signature generation for malware and malware families |
US9773112B1 (en) * | 2014-09-29 | 2017-09-26 | Fireeye, Inc. | Exploit detection of malware and malware families |
US10270790B1 (en) * | 2014-12-09 | 2019-04-23 | Anbeco, LLC | Network activity monitoring method and apparatus |
US20180007074A1 (en) * | 2015-01-14 | 2018-01-04 | Virta Laboratories, Inc. | Anomaly and malware detection using side channel analysis |
US10911318B2 (en) * | 2015-03-24 | 2021-02-02 | Futurewei Technologies, Inc. | Future network condition predictor for network time series data utilizing a hidden Markov model for non-anomalous data and a gaussian mixture model for anomalous data |
US10148680B1 (en) * | 2015-06-15 | 2018-12-04 | ThetaRay Ltd. | System and method for anomaly detection in dynamically evolving data using hybrid decomposition |
US9690938B1 (en) * | 2015-08-05 | 2017-06-27 | Invincea, Inc. | Methods and apparatus for machine learning based malware detection |
US20200137110A1 (en) * | 2015-09-15 | 2020-04-30 | Mimecast Services Ltd. | Systems and methods for threat detection and warning |
US20170126709A1 (en) * | 2015-10-30 | 2017-05-04 | Citrix Systems, Inc. | Feature engineering for web-based anomaly detection |
US10692004B1 (en) * | 2015-11-15 | 2020-06-23 | ThetaRay Ltd. | System and method for anomaly detection in dynamically evolving data using random neural network decomposition |
US20170208079A1 (en) * | 2016-01-19 | 2017-07-20 | Qualcomm Incorporated | Methods for detecting security incidents in home networks |
US20180211038A1 (en) * | 2016-01-24 | 2018-07-26 | Minerva Labs Ltd. | Ransomware attack remediation |
US20190258818A1 (en) * | 2016-02-08 | 2019-08-22 | Consumerinfo.Com, Inc. | Smart access control system for implementing access restrictions of regulated database records based on machine learning of trends |
US20170316342A1 (en) * | 2016-05-02 | 2017-11-02 | Cisco Technology, Inc. | Refined learning data representation for classifiers |
US10122752B1 (en) * | 2016-06-10 | 2018-11-06 | Vmware, Inc. | Detecting and preventing crypto-ransomware attacks against data |
US20180007069A1 (en) * | 2016-07-01 | 2018-01-04 | Mcafee, Inc. | Ransomware Protection For Cloud File Storage |
US20180069893A1 (en) * | 2016-09-05 | 2018-03-08 | Light Cyber Ltd. | Identifying Changes in Use of User Credentials |
US10078459B1 (en) * | 2016-09-26 | 2018-09-18 | EMC IP Holding Company LLC | Ransomware detection using I/O patterns |
US20180107824A1 (en) * | 2016-10-17 | 2018-04-19 | Datto, Inc. | Systems and methods for detecting ransomware infection |
US20180113638A1 (en) * | 2016-10-26 | 2018-04-26 | Lenovo Enterprise Solutions (Singapore) Pte. Ltd. | Securing a media storage device using write restriction mechanisms |
US20190385057A1 (en) * | 2016-12-07 | 2019-12-19 | Arilou Information Security Technologies Ltd. | System and Method for using Signal Waveform Analysis for Detecting a Change in a Wired Network |
US20190087572A1 (en) * | 2016-12-15 | 2019-03-21 | Hewlett-Packard Development Company, L.P. | Ransomware attack monitoring |
US20180198821A1 (en) * | 2017-01-12 | 2018-07-12 | Acalvio Technologies, Inc. | Immunizing network devices using a malware marker |
US20180205750A1 (en) * | 2017-01-19 | 2018-07-19 | Cisco Technology, Inc. | Statistical fingerprinting of network traffic |
US20180212987A1 (en) * | 2017-01-23 | 2018-07-26 | Microsoft Technology Licensing, Llc | Ransomware resilient cloud services |
US10032025B1 (en) * | 2017-01-24 | 2018-07-24 | Malwarebytes Inc. | Behavior-based ransomware detection |
US11436328B1 (en) * | 2017-02-24 | 2022-09-06 | Acronis International Gmbh | Systems and methods of safeguarding user data |
US20180248895A1 (en) * | 2017-02-27 | 2018-08-30 | Amazon Technologies, Inc. | Intelligent security management |
US10248577B2 (en) * | 2017-04-07 | 2019-04-02 | International Business Machines Corporation | Using a characteristic of a process input/output (I/O) activity and data subject to the I/O activity to determine whether the process is a suspicious process |
US20190258920A1 (en) * | 2017-04-17 | 2019-08-22 | Cerebras Systems Inc. | Data structure descriptors for deep learning acceleration |
US20180336439A1 (en) * | 2017-05-18 | 2018-11-22 | Intel Corporation | Novelty detection using discriminator of generative adversarial network |
US10554688B1 (en) * | 2017-05-30 | 2020-02-04 | Ca, Inc. | Ransomware locked data decryption through ransomware key transposition |
US20180373722A1 (en) * | 2017-06-26 | 2018-12-27 | Acronis International Gmbh | System and method for data classification using machine learning during archiving |
US10893068B1 (en) * | 2017-06-30 | 2021-01-12 | Fireeye, Inc. | Ransomware file modification prevention technique |
US11368432B2 (en) * | 2017-07-06 | 2022-06-21 | Crowd Strike, Inc. | Network containment of compromised machines |
US20190020663A1 (en) * | 2017-07-13 | 2019-01-17 | Cisco Technology, Inc. | Using repetitive behavioral patterns to detect malware |
US20190042744A1 (en) * | 2017-08-02 | 2019-02-07 | Code 42 Software, Inc. | Ransomware attack onset detection |
US10505955B2 (en) * | 2017-08-22 | 2019-12-10 | General Electric Company | Using virtual sensors to accommodate industrial asset control systems during cyber attacks |
US20190068618A1 (en) * | 2017-08-22 | 2019-02-28 | General Electric Company | Using virtual sensors to accommodate industrial asset control systems during cyber attacks |
US20200204589A1 (en) * | 2017-09-22 | 2020-06-25 | Acronis International Gmbh | Systems and methods for preventive ransomware detection using file honeypots |
US20190095301A1 (en) * | 2017-09-22 | 2019-03-28 | Penta Security Systems Inc. | Method for detecting abnormal session |
US10931635B2 (en) * | 2017-09-29 | 2021-02-23 | Nec Corporation | Host behavior and network analytics based automotive secure gateway |
US20190171936A1 (en) * | 2017-10-26 | 2019-06-06 | Nvidia Corporation | Progressive Modification of Neural Networks |
US20190130097A1 (en) * | 2017-10-26 | 2019-05-02 | Western Digital Technologies, Inc. | Device-based anti-malware |
US20200387798A1 (en) * | 2017-11-13 | 2020-12-10 | Bios Health Ltd | Time invariant classification |
US20190147343A1 (en) * | 2017-11-15 | 2019-05-16 | International Business Machines Corporation | Unsupervised anomaly detection using generative adversarial networks |
US20190147300A1 (en) * | 2017-11-16 | 2019-05-16 | International Business Machines Corporation | Anomaly detection in multidimensional time series data |
US20220232024A1 (en) * | 2017-11-27 | 2022-07-21 | Lacework, Inc. | Detecting deviations from typical user behavior |
US20220311794A1 (en) * | 2017-11-27 | 2022-09-29 | Lacework, Inc. | Monitoring a software development pipeline |
US10802489B1 (en) * | 2017-12-29 | 2020-10-13 | Apex Artificial Intelligence Industries, Inc. | Apparatus and method for monitoring and controlling of a neural network using another neural network implemented on one or more solid-state chips |
US10242665B1 (en) * | 2017-12-29 | 2019-03-26 | Apex Artificial Intelligence Industries, Inc. | Controller systems and methods of limiting the operation of neural networks to be within one or more conditions |
US20190215329A1 (en) * | 2018-01-08 | 2019-07-11 | Sophos Limited | Malware detection using machine learning |
US20190221311A1 (en) * | 2018-01-18 | 2019-07-18 | Hitachi, Ltd. | Analysis apparatus and analysis method |
US20190228099A1 (en) * | 2018-01-21 | 2019-07-25 | Microsoft Technology Licensing, Llc. | Question and answer pair generation using machine learning |
US20190236273A1 (en) * | 2018-01-26 | 2019-08-01 | Sophos Limited | Methods and apparatus for detection of malicious documents using machine learning |
US20190253452A1 (en) * | 2018-02-14 | 2019-08-15 | Cisco Technology, Inc. | Adaptive union file system based protection of services |
US20190258426A1 (en) * | 2018-02-19 | 2019-08-22 | SK Hynix Inc. | Convergence memory device and operation method thereof |
US20190303573A1 (en) * | 2018-03-30 | 2019-10-03 | Microsoft Technology Licensing, Llc | Service identification of ransomware impact at account level |
US20190317901A1 (en) * | 2018-04-16 | 2019-10-17 | Samsung Electronics Co., Ltd. | System and method for optimizing performance of a solid-state drive using a deep neural network |
US20190332769A1 (en) * | 2018-04-30 | 2019-10-31 | Mcafee, Llc | Model development and application to identify and halt malware |
US11620380B2 (en) * | 2018-06-25 | 2023-04-04 | Université Du Luxembourg | Method for preventing ransomware attacks on computing systems |
US20210264028A1 (en) * | 2018-06-25 | 2021-08-26 | Université Du Luxembourg | Method for preventing ransomware attacks on computing systems |
US20200021620A1 (en) * | 2018-07-16 | 2020-01-16 | Securityadvisor Technologies, Inc. | Contextual security behavior management and change execution |
US10834121B2 (en) * | 2018-07-24 | 2020-11-10 | EMC IP Holding Company LLC | Predictive real-time and scheduled anti-virus scanning |
US20200034537A1 (en) * | 2018-07-30 | 2020-01-30 | Rubrik, Inc. | Ransomware infection detection in filesystems |
US20210029145A1 (en) * | 2018-07-31 | 2021-01-28 | Fortinet, Inc. | Automated feature extraction and artificial intelligence (ai) based detection and classification of malware |
US20200053111A1 (en) * | 2018-08-08 | 2020-02-13 | Rightquestion Llc | Artifact modification and associated abuse detection |
US20200053123A1 (en) * | 2018-08-11 | 2020-02-13 | Microsoft Technology Licensing, Llc | Malicious cloud-based resource allocation detection |
US20200067935A1 (en) * | 2018-08-27 | 2020-02-27 | Ciena Corporation | Network architecture providing device identification and redirection using whitelisting traffic classification |
US20200084087A1 (en) * | 2018-09-07 | 2020-03-12 | Vmware, Inc. | Intelligent anomaly detection and root cause analysis in mobile networks |
US20200089876A1 (en) * | 2018-09-13 | 2020-03-19 | Palo Alto Networks, Inc. | Preventing ransomware from encrypting files on a target machine |
US20200090002A1 (en) * | 2018-09-14 | 2020-03-19 | Cisco Technology, Inc. | Communication efficient machine learning of data across multiple sites |
US20200089884A1 (en) * | 2018-09-17 | 2020-03-19 | Axxana (Israel) Ltd. | Method and apparatus for ransomware detection |
US20200097653A1 (en) * | 2018-09-26 | 2020-03-26 | Mcafee, Llc | Detecting ransomware |
US20210019403A1 (en) * | 2018-09-26 | 2021-01-21 | Mcafee, Llc | Detecting ransomware |
US20200106805A1 (en) * | 2018-09-27 | 2020-04-02 | AVAST Software s.r.o. | Gaussian autoencoder detection of network flow anomalies |
US20200137384A1 (en) * | 2018-10-24 | 2020-04-30 | City University Of Hong Kong | Generative adversarial network based intra prediction for video coding |
US20200133489A1 (en) * | 2018-10-31 | 2020-04-30 | EMC IP Holding Company LLC | I/o behavior prediction based on long-term pattern recognition |
US20210103580A1 (en) * | 2018-12-13 | 2021-04-08 | DataRobot, Inc. | Methods for detecting and interpreting data anomalies, and related systems and devices |
US11374944B2 (en) * | 2018-12-19 | 2022-06-28 | Cisco Technology, Inc. | Instant network threat detection system |
US20200202184A1 (en) * | 2018-12-21 | 2020-06-25 | Ambient AI, Inc. | Systems and methods for machine learning-based site-specific threat modeling and threat detection |
US20200204680A1 (en) * | 2018-12-21 | 2020-06-25 | T-Mobile Usa, Inc. | Framework for predictive customer care support |
US20200244672A1 (en) * | 2019-01-30 | 2020-07-30 | Cisco Technology, Inc. | Ransomware detection using file replication logs |
US20200250522A1 (en) * | 2019-02-01 | 2020-08-06 | EMC IP Holding Company LLC | Issuing alerts for storage volumes using machine learning |
US20200272899A1 (en) * | 2019-02-22 | 2020-08-27 | Ubotica Technologies Limited | Systems and Methods for Deploying and Updating Neural Networks at the Edge of a Network |
US20210365769A1 (en) * | 2019-03-11 | 2021-11-25 | Lg Electronics Inc. | Artificial intelligence apparatus for controlling auto stop system based on driving information and method for the same |
US20200293653A1 (en) * | 2019-03-13 | 2020-09-17 | International Business Machines Corporation | Recurrent Neural Network Based Anomaly Detection |
US20200382536A1 (en) * | 2019-05-31 | 2020-12-03 | Gurucul Solutions, Llc | Anomaly detection in cybersecurity and fraud applications |
US20200387609A1 (en) * | 2019-06-04 | 2020-12-10 | Datto, Inc. | Methods and systems for detecting a ransomware attack using entropy analysis and file update patterns |
US20200412757A1 (en) * | 2019-06-26 | 2020-12-31 | Saudi Arabian Oil Company | Network security system and method for preemptively identifying or remediating security vulnerabilities |
US20200410297A1 (en) * | 2019-06-27 | 2020-12-31 | Robert Bosch Gmbh | Method for determining a confidence value of a detected object |
US20190318244A1 (en) * | 2019-06-27 | 2019-10-17 | Intel Corporation | Methods and apparatus to provide machine programmed creative support to a user |
US11269622B2 (en) * | 2019-06-28 | 2022-03-08 | Intel Corporation | Methods, systems, articles of manufacture, and apparatus for a context and complexity-aware recommendation system for improved software development efficiency |
US20220261506A1 (en) * | 2019-07-16 | 2022-08-18 | Ctm Insights Llc | Methods for determining data integrity using overlapping regions |
US20210026961A1 (en) * | 2019-07-23 | 2021-01-28 | Cyber Crucible Inc. | Systems and methods for ransomware detection and mitigation |
US20210044563A1 (en) * | 2019-08-06 | 2021-02-11 | International Business Machines Corporation | In-line cognitive network security plugin device |
US20230105500A1 (en) * | 2019-08-07 | 2023-04-06 | Rubrik, Inc. | Anomaly and ransomware detection |
US11449607B2 (en) * | 2019-08-07 | 2022-09-20 | Rubrik, Inc. | Anomaly and ransomware detection |
US20210044604A1 (en) * | 2019-08-07 | 2021-02-11 | Rubrik, Inc. | Anomaly and ransomware detection |
US20210049456A1 (en) * | 2019-08-12 | 2021-02-18 | Bank Of America Corporation | System and methods for generation of synthetic data cluster vectors and refinement of machine learning models |
US11693963B2 (en) * | 2019-08-13 | 2023-07-04 | International Business Machines Corporation | Automatic ransomware detection with an on-demand file system lock down and automatic repair function |
US20210055907A1 (en) * | 2019-08-21 | 2021-02-25 | Micron Technology, Inc. | Intelligent audio control in vehicles |
US20210053574A1 (en) * | 2019-08-21 | 2021-02-25 | Micron Technology, Inc. | Monitoring controller area network bus for vehicle control |
US20210067548A1 (en) * | 2019-08-26 | 2021-03-04 | The Western Union Company | Detection of malicious activity within a network |
US20210073127A1 (en) * | 2019-09-05 | 2021-03-11 | Micron Technology, Inc. | Intelligent Optimization of Caching Operations in a Data Storage Device |
US20210072921A1 (en) * | 2019-09-05 | 2021-03-11 | Micron Technology, Inc. | Intelligent Wear Leveling with Reduced Write-Amplification for Data Storage Devices Configured on Autonomous Vehicles |
US20210072911A1 (en) * | 2019-09-05 | 2021-03-11 | Micron Technology, Inc. | Intelligent Write-Amplification Reduction for Data Storage Devices Configured on Autonomous Vehicles |
US20210073063A1 (en) * | 2019-09-05 | 2021-03-11 | Micron Technology, Inc. | Predictive Management of Failing Portions in a Data Storage Device |
US20210072901A1 (en) * | 2019-09-05 | 2021-03-11 | Micron Technology, Inc. | Bandwidth Optimization for Different Types of Operations Scheduled in a Data Storage Device |
US20210099474A1 (en) * | 2019-09-30 | 2021-04-01 | Mcafee, Llc | Methods and apparatus to perform malware detection using a generative adversarial network |
US11159407B2 (en) * | 2019-10-15 | 2021-10-26 | At&T Intellectual Property I, L.P. | Detection of unauthorized cryptomining |
US20210126931A1 (en) * | 2019-10-25 | 2021-04-29 | Cognizant Technology Solutions India Pvt. Ltd | System and a method for detecting anomalous patterns in a network |
US20210216630A1 (en) * | 2019-11-22 | 2021-07-15 | Pure Storage, Inc. | Extensible Attack Monitoring by a Storage System |
US20210216627A1 (en) * | 2019-11-22 | 2021-07-15 | Pure Storage, Inc. | Mitigation of Malicious Operations with Respect to Storage Structures |
US11082441B1 (en) * | 2020-03-09 | 2021-08-03 | Flexxon Pte Ltd | Systems and methods for detecting data anomalies by analysing morphologies of known and/or unknown cybersecurity threats |
Also Published As
Publication number | Publication date |
---|---|
US20210160257A1 (en) | 2021-05-27 |
US11716338B2 (en) | 2023-08-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11716338B2 (en) | System and method for determining a file-access pattern and detecting ransomware attacks in at least one computer network | |
US11847215B2 (en) | Model development and application to identify and halt malware | |
US20210273958A1 (en) | Multi-stage anomaly detection for process chains in multi-host environments | |
Khan et al. | Deep learning for intrusion detection and security of Internet of things (IoT): current analysis, challenges, and possible solutions | |
US11522887B2 (en) | Artificial intelligence controller orchestrating network components for a cyber threat defense | |
US10986121B2 (en) | Multivariate network structure anomaly detector | |
Talukder et al. | A dependable hybrid machine learning model for network intrusion detection | |
EP4111370A2 (en) | Treating data flows differently based on level of interest | |
US20220053010A1 (en) | System and method for determining a communication anomaly in at least one network | |
US20220263860A1 (en) | Advanced cybersecurity threat hunting using behavioral and deep analytics | |
US10630709B2 (en) | Assessing detectability of malware related traffic | |
US20150039543A1 (en) | Feature Based Three Stage Neural Network Intrusion Detection | |
Carrasco et al. | Unsupervised intrusion detection through skip-gram models of network behavior | |
US11032303B1 (en) | Classification using projection of graphs into summarized spaces | |
Regan et al. | Federated IoT attack detection using decentralized edge data | |
US20240121262A1 (en) | Endpoint agents and scalable cloud architecture for low latency classification | |
Sharma et al. | An efficient hybrid deep learning model for denial of service detection in cyber physical systems | |
WO2022046221A1 (en) | Detecting network activity from sampled network metadata | |
Vinolia et al. | Machine learning and deep learning based intrusion detection in cloud environment: A review | |
Yang et al. | Cloud-edge coordinated traffic anomaly detection for industrial cyber-physical systems | |
Sallay et al. | Intrusion detection alert management for high‐speed networks: current researches and applications | |
Mohammed et al. | Performance Analysis of different Machine Learning Models for Intrusion Detection Systems. | |
Sinha | A Study on Supervised Machine Learning Technique to Detect Anomalies in Networks | |
Thanthrige | Hidden markov model based intrusion alert prediction | |
Veena | A survey on network intrusion detection |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |