WO2020120429A1 - Systems and methods for behavioral threat detection - Google Patents

Systems and methods for behavioral threat detection Download PDF

Info

Publication number
WO2020120429A1
WO2020120429A1 PCT/EP2019/084312 EP2019084312W WO2020120429A1 WO 2020120429 A1 WO2020120429 A1 WO 2020120429A1 EP 2019084312 W EP2019084312 W EP 2019084312W WO 2020120429 A1 WO2020120429 A1 WO 2020120429A1
Authority
WO
WIPO (PCT)
Prior art keywords
event
target
client
events
sequence
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/EP2019/084312
Other languages
English (en)
French (fr)
Inventor
Daniel DICHIU
Stefan Niculae
Elena A. Bosinceanu
Sorina N. ZAMFIR
Andreea Dincu
Andrei A. Apostoae
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Bitdefender IPR Management Ltd
Original Assignee
Bitdefender IPR Management Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Bitdefender IPR Management Ltd filed Critical Bitdefender IPR Management Ltd
Priority to CA3120423A priority Critical patent/CA3120423C/en
Priority to KR1020217017510A priority patent/KR102403629B1/ko
Priority to CN201980081446.2A priority patent/CN113168469B/zh
Priority to IL283698A priority patent/IL283698B2/en
Priority to AU2019400060A priority patent/AU2019400060B2/en
Priority to EP19817694.3A priority patent/EP3895048B1/en
Priority to ES19817694T priority patent/ES2946062T3/es
Priority to SG11202105054UA priority patent/SG11202105054UA/en
Priority to JP2021533157A priority patent/JP7389806B2/ja
Publication of WO2020120429A1 publication Critical patent/WO2020120429A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N5/00Computing arrangements using knowledge-based models
    • G06N5/02Knowledge representation; Symbolic representation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection

Definitions

  • a computer-implemented method comprises, in response to receiving an indication of an occurrence of a target event on a target client system, employing at least one hardware processor of a computer system to assemble an event sequence including the target event, all events of the event sequence having occurred on the target client system, wherein members of the event sequence are arranged according to a time of occurrence of each event of the event sequence.
  • the method further comprises, in response to receiving the indication, employing at least one processor of the computer system to select a parameter value from a plurality of parameter values according to the target client system.
  • FIG. 4 shows exemplary software components executing on a protected client system according to some embodiments of the present invention.
  • Fig. 8-A shows an exemplary training of an event encoder according to some embodiments of the present invention.
  • Fig 17-A shows results of an experiment comprising employing some embodiments of the present invention to detect actual computer security threats.
  • Fig. 17-B shows other experimental results of using some embodiments to detect actual computer security threats.
  • the illustrated client systems are connected by local networks 12a-b, and further to an extended network 14, such as a wide area network (WAN) or the Internet.
  • client systems lOa-d represent a family’s electronic devices, interconnected by a home network 12a.
  • client systems lOe-g may denote individual computers and/or a corporate mainframe inside an office building.
  • Local network 12-b may then represent a section of a corporate network (e.g., a local area network - LAN).
  • Fig.1 further shows a security server 16 connected to extended network 14.
  • Server 16 generically represents a set of communicatively coupled computer systems, which may or may not be in physical proximity to each other.
  • Server 16 protects client systems lOa-h against computer security threats such as malicious software and intrusion.
  • such protection comprises security server 16 detecting suspicious activity occurring at a client system, for instance an action of an attacker controlling the respective client system.
  • Examples of such events include the launch of a process/thread (e.g., a user launches an application, a parent process creates a child process, etc.), an attempt to access an input device of the respective client system (e.g., camera, microphone), an attempt to access a local or remote network resource (e.g., a hypertext transfer protocol - HTTP request to access a particular URL, an attempt to access a document repository over a local network), a request formulated in a particular uniform resource identifier scheme (e.g., a mailto: or a ftp: request), an execution of a particular processor instruction (e.g., system call), an attempt to load a library (e.g., a dynamic linked library - DLL), an attempt to create a new disk file, an attempt to read from or write to a particular location on disk (e.g., an attempt to overwrite an existing file, an attempt to open a specific folder or document), and an attempt to send an electronic message (e.g., email, short
  • 1 may be collectively represented by a single client profile which captures a normal or baseline behavior of the members of a particular family.
  • one client profile is used to represent all computers in the accounting department of a corporation, while another client profile represents all computers used by the respective corporation’s research and development team.
  • a cloud computing embodiment such as a virtual desktop infrastructure (VDI) environment wherein a physical machine may execute a plurality of virtual machines for various distributed users, one client profile may be attached to multiple virtual machines executing on the respective physical machine.
  • VDI virtual desktop infrastructure
  • Fig.3-A shows an exemplary hardware configuration of a client system according to some embodiments of the present invention.
  • Client system 10 may represent any of client systems lOa-h in Fig.1.
  • the illustrated client system is a computer system.
  • Other client systems such as mobile telephones, tablet computers, and wearable devices may have slightly different configurations.
  • Processor 32 comprises a physical device (e.g. microprocessor, multi-core integrated circuit formed on a semiconductor substrate) configured to execute computational and/or logical operations with a set of signals and/or data. Such signals or data may be encoded and delivered to processor 32 in the form of processor instructions, e.g., machine code.
  • Memory unit 34 may comprise volatile computer-readable media (e.g.
  • Event harvester 52 is configured to detect various events occurring during execution of software by client system 10. Some embodiments may timestamp each detected event to record a time of occurrence of the respective event. Monitored events may be machine and/or operating system-specific. Exemplary events include, among others, a process launch, a process termination, the spawning of child processes, an access requests to peripherals (e.g., hard disk, network adapter), a command entered by the user into a command-line interface, etc. Such hardware and/or software events may be detected using any method known in the art of computer security, for instance by hooking certain functions of the operating system, detecting system calls, employing a file system minifilter, changing a memory access permission to detect an attempt to execute code from certain memory addresses, etc.
  • Fig. 5 shows exemplary software executing on security server 16 according to some embodiments of the present invention.
  • the illustrated software includes a profiling engine 60 and an anomaly detector 62 further connected to an alert manager 64.
  • profiling engine 60 may execute on a dedicated cluster of processors, while instances of anomaly detector 62 may run on other machines/processors.
  • profiling engine 60 is configured to analyze events occurring on a set of client systems (e.g., a subset of clients lOa-h in Fig.1) and to construct a plurality of client profiles representing a baseline, normal, and/or legitimate manner of operating the respective client systems.
  • a subset of event indicators 20a-b received from clients may be used to assemble a training event corpus, denoted as corpus 18 in Figs.1, 5, and 6.
  • Profiles are then determined according to event corpus 18. Determining a client profile may include, among others, representing events in an abstract multi-dimensional event space and carrying out data clustering procedures, as shown in more detail below. Constructed profiles may then be stored as entries in profile database 19.
  • An exemplary profile database entry comprises a set of profile parameters such as a set of coordinates of a cluster centroid, a measure of the cluster’s diameter and/or eccentricity, etc.
  • Fig.6 illustrates exemplary components and operation of profiling engine 60.
  • engine 60 comprises an event encoder 70, an event clustering engine 72, and a client clustering engine 74 connected to event encoder 70 and event clustering engine 72.
  • An exemplary sequence of steps performed by profiling engine is illustrated in Fig.7.
  • An exemplary embedding space is spanned by a set of axes, wherein each axis represents a distinct event feature.
  • Exemplary features may include, in the case of a network event, a source IP address, a source port, a destination IP address, a destination port, and an indicator of the transport protocol, among others.
  • each axis of the embedding space corresponds to a linear combination of event features (for instance, in a principal component/singular value decomposition embodiment).
  • events are analyzed in the context of other events, which precede and/or follow the respective event.
  • encoder 70 is configured to represent events as vectors in an embedding space of contexts, wherein two events that occur predominantly in similar contexts are located relatively close together.
  • Some embodiments choose the dimensionality of the embedding space according to a size of the event vocabulary N, i.e., the count of distinct event types that the respective security system is monitoring (for more on the event vocabulary, see below).
  • the dimensionality of the event space may of the order of the quadratic root of N, or of a logarithm of N.
  • a typical embodiment of the present invention uses an embedding context space having several hundred to several thousand dimensions.
  • Event encoder 70 may be constructed using any method known in the art of automated data processing.
  • encoder 70 comprises an artificial intelligence system, for instance a multilayer artificial neural network (e.g., a recurrent and/or feed-forward neural network).
  • parameters of encoder 70 may be tuned until some performance condition is satisfied. Such tuning is herein referred to as training and is represented by step 208 in Fig. 7.
  • exemplary tunable parameters of event encoder 70 include a set of synapse weights, among others.
  • training encoder 70 amounts to constructing the embedding space itself.
  • the embedding space is not pre-determined, but instead depends on the composition of event corpus 18 and on the selected training procedure.
  • Exemplary training procedures are shown in Figs. 8-A-B and comprise versions of the word2vec algorithm, such as a skip-gram algorithm and a continuous bag-of-words algorithm.
  • events are not analyzed in isolation, but as constituents of an event sequence 25 consisting of multiple events ordered according to a time of occurrence or detection.
  • all events of the respective sequence are selected so that they occur on the same client system.
  • Event sequence 25 comprises a central event Eo and an event context consisting of a subset of events E ⁇ .- .E i (k3 0) preceding the central event and/or a subset of events E ...E p (p3 0) following the central event.
  • the encoder-decoder pair may then be trained by adjusting parameters of encoder 70b and/or decoder 76b in an effort to reduce the prediction error, i.e., the mismatch between the“predicted” central event and the actual central event of the respective training sequences.
  • a step 222 retrieves a set of event records from event corpus 18 and identifies an event sequence 25 according to event timestamps and according to a source of the respective events (i.e., client systems where the respective events have occurred).
  • a step 224 then executes event encoder 70a to produce an embedding-space representation of event Eo (event vector 28c in Fig. 8-A).
  • profiling engine 60 executes event decoder 76a to produce a set of predictions or“guesses” for events preceding and/or following central event Eo within sequence 25.
  • some embodiments further transform the generated embedding space to reduce its dimensionality.
  • This operation may comprise any data dimensionality reduction algorithm, for instance a principal component analysis (PCA) or a singular value decomposition (SVD).
  • PCA principal component analysis
  • SVD singular value decomposition
  • profiling engine 60 may employ any data clustering algorithm known in the art, for instance a variant of a k-means algorithm.
  • Another exemplary embodiment may train a set of perceptrons to carve the embedding space into distinct regions and assign event vectors located within each region to a distinct event cluster.
  • the number of clusters and/or regions may be pre-determined (e.g., according to a count of protected client systems and/or monitored event types) or may be dynamically determined by the clustering algorithm itself.
  • An outcome of event clustering comprises a set of event cluster parameters 54 (Fig.
  • client clustering engine 74 assign client systems lOa-h to clusters according to an event profile indicative of a typical distribution of events occurring on the respective client systems.
  • an event profile of a client system comprises a vector of numbers, each determined according to a count of events occurring on the respective client system and belonging to a distinct event cluster previously determined by event clustering engine 72.
  • each component of the event profile is determined according to a cluster allegiance measure indicative of a proportion of events belonging to the respective event cluster Q, determined as a fraction of a total count of events available from the respective client system.
  • Fig. 13 illustrates exemplary components and operation of anomaly detector 62 according to some embodiments of the present invention (see also Fig. 5).
  • Anomaly detector 62 is configured to receive an event stream 24 comprising event indicators indicative of events occurring on various client systems, and in response, to output a security label 88 indicating whether the respective events are indicative of a security threat such as intrusion or execution of malicious software.
  • anomaly detector 62 comprises a profile manager 84 configured, in response to receiving an event notification indicative of an event occurring on a protected client system, to select a client profile according to the respective event.
  • Profile manager 84 is further connected to a behavior model 86 configured to determine whether the respective event fits a pattern of normal/baseline behavior represented by the respective profile. When no, the respective event may be considered an anomaly, thus indicative of a possible attack on the respective client system.
  • Fig. 14 shows an exemplary sequence of steps performed by anomaly detector 62 during a training procedure according to some embodiments of the present invention.
  • a step 242 selects one such client profile from profile database 19.
  • each such client profile comprises a set of client clusters, for instance cluster 82a in Fig. 11.
  • Each client cluster further includes a selected subset of protected client systems.
  • a step 244 may select a training set of events registered as occurring on any client system associated with the respective profile/cluster.
  • step 244 may comprise selected the training set of events from training corpus 18 already used for constructing client profiles as shown above.
  • a further step 246 may use the respective training set of events as training corpus to train behavior model 86.
  • Fig. 17-B shows profile-specific average detection rates achieved for three distinct types of attacks. Event sequences collected from the test machine during each type of attack were analyzed using each of the 11 profile-specific trained behavior models. The detection rate differs among models and types of attack, which further attests to the specificity of some of the systems and methods described herein.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Artificial Intelligence (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Mathematical Physics (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Radar Systems Or Details Thereof (AREA)
  • Ultra Sonic Daignosis Equipment (AREA)
PCT/EP2019/084312 2018-12-10 2019-12-10 Systems and methods for behavioral threat detection Ceased WO2020120429A1 (en)

Priority Applications (9)

Application Number Priority Date Filing Date Title
CA3120423A CA3120423C (en) 2018-12-10 2019-12-10 Systems and methods for behavioral threat detection
KR1020217017510A KR102403629B1 (ko) 2018-12-10 2019-12-10 행동 위협 탐지를 위한 시스템 및 방법
CN201980081446.2A CN113168469B (zh) 2018-12-10 2019-12-10 用于行为威胁检测的系统及方法
IL283698A IL283698B2 (en) 2018-12-10 2019-12-10 Systems and methods for detecting behavioral threats
AU2019400060A AU2019400060B2 (en) 2018-12-10 2019-12-10 Systems and methods for behavioral threat detection
EP19817694.3A EP3895048B1 (en) 2018-12-10 2019-12-10 Systems and methods for behavioral threat detection
ES19817694T ES2946062T3 (es) 2018-12-10 2019-12-10 Sistemas y métodos para la detección de amenazas de comportamiento
SG11202105054UA SG11202105054UA (en) 2018-12-10 2019-12-10 Systems and methods for behavioral threat detection
JP2021533157A JP7389806B2 (ja) 2018-12-10 2019-12-10 挙動による脅威検出のためのシステムおよび方法

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US16/215,251 2018-12-10
US16/215,251 US11153332B2 (en) 2018-12-10 2018-12-10 Systems and methods for behavioral threat detection

Publications (1)

Publication Number Publication Date
WO2020120429A1 true WO2020120429A1 (en) 2020-06-18

Family

ID=68841136

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2019/084312 Ceased WO2020120429A1 (en) 2018-12-10 2019-12-10 Systems and methods for behavioral threat detection

Country Status (11)

Country Link
US (1) US11153332B2 (https=)
EP (1) EP3895048B1 (https=)
JP (1) JP7389806B2 (https=)
KR (1) KR102403629B1 (https=)
CN (1) CN113168469B (https=)
AU (1) AU2019400060B2 (https=)
CA (1) CA3120423C (https=)
ES (1) ES2946062T3 (https=)
IL (1) IL283698B2 (https=)
SG (1) SG11202105054UA (https=)
WO (1) WO2020120429A1 (https=)

Families Citing this family (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10805331B2 (en) 2010-09-24 2020-10-13 BitSight Technologies, Inc. Information technology security assessment system
US9438615B2 (en) 2013-09-09 2016-09-06 BitSight Technologies, Inc. Security risk management
US10257219B1 (en) 2018-03-12 2019-04-09 BitSight Technologies, Inc. Correlated risk in cybersecurity
US10521583B1 (en) 2018-10-25 2019-12-31 BitSight Technologies, Inc. Systems and methods for remote detection of software through browser webinjects
KR102165494B1 (ko) * 2018-12-28 2020-10-14 네이버 주식회사 온라인 서비스에서의 비정상 사용 행위 식별 방법, 장치 및 컴퓨터 프로그램
US10726136B1 (en) * 2019-07-17 2020-07-28 BitSight Technologies, Inc. Systems and methods for generating security improvement plans for entities
US11032244B2 (en) 2019-09-30 2021-06-08 BitSight Technologies, Inc. Systems and methods for determining asset importance in security risk management
US10893067B1 (en) 2020-01-31 2021-01-12 BitSight Technologies, Inc. Systems and methods for rapidly generating security ratings
US11023585B1 (en) 2020-05-27 2021-06-01 BitSight Technologies, Inc. Systems and methods for managing cybersecurity alerts
US20220284433A1 (en) * 2021-03-04 2022-09-08 Capital One Services, Llc Unidimensional embedding using multi-modal deep learning models
US12353563B2 (en) 2021-07-01 2025-07-08 BitSight Technologies, Inc. Systems and methods for accelerating cybersecurity assessments
US12425437B2 (en) 2021-09-17 2025-09-23 BitSight Technologies, Inc. Systems and methods for precomputation of digital asset inventories
US12282564B2 (en) 2022-01-31 2025-04-22 BitSight Technologies, Inc. Systems and methods for assessment of cyber resilience
CN115456789B (zh) * 2022-11-10 2023-04-07 杭州衡泰技术股份有限公司 基于交易模式识别的异常交易检测方法及其系统
US12321450B2 (en) 2023-03-02 2025-06-03 Bitdefender IPR Management Ltd. Antimalware systems and methods using optimal triggering of artificial intelligence modules
US20250094582A1 (en) * 2023-09-15 2025-03-20 International Business Machines Corporation Selectively prioritizing alerts received for an advanced cybersecurity threat prioritization system
US12225026B1 (en) * 2023-09-29 2025-02-11 Citibank, N.A. Detecting malicious activity using user-specific parameters
WO2026009439A1 (ja) * 2024-07-05 2026-01-08 Ntt株式会社 文書処理装置
JP2026014482A (ja) 2024-07-19 2026-01-29 富士通株式会社 データ処理方法、データ処理装置およびプログラム
US20260089179A1 (en) * 2024-09-24 2026-03-26 Oracle International Corporation Detecting stealing of principals in a cloud environment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7818797B1 (en) * 2001-10-11 2010-10-19 The Trustees Of Columbia University In The City Of New York Methods for cost-sensitive modeling for intrusion detection and response
US20140215618A1 (en) * 2013-01-25 2014-07-31 Cybereason Inc Method and apparatus for computer intrusion detection

Family Cites Families (49)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6526405B1 (en) * 1999-12-17 2003-02-25 Microsoft Corporation Determining similarity between event types in sequences
AU2001262958A1 (en) 2000-04-28 2001-11-12 Internet Security Systems, Inc. Method and system for managing computer security information
US6742124B1 (en) 2000-05-08 2004-05-25 Networks Associates Technology, Inc. Sequence-based anomaly detection using a distance matrix
US6973577B1 (en) 2000-05-26 2005-12-06 Mcafee, Inc. System and method for dynamically detecting computer viruses through associative behavioral analysis of runtime state
US7035863B2 (en) 2001-11-13 2006-04-25 Koninklijke Philips Electronics N.V. Method, system and program product for populating a user profile based on existing user profiles
US7234166B2 (en) 2002-11-07 2007-06-19 Stonesoft Corporation Event sequence detection
US7716739B1 (en) 2005-07-20 2010-05-11 Symantec Corporation Subjective and statistical event tracking incident management system
JP2007242002A (ja) * 2006-02-10 2007-09-20 Mitsubishi Electric Corp ネットワーク管理装置及びネットワーク管理方法及びプログラム
WO2008055156A2 (en) 2006-10-30 2008-05-08 The Trustees Of Columbia University In The City Of New York Methods, media, and systems for detecting an anomalous sequence of function calls
US8448249B1 (en) 2007-07-31 2013-05-21 Hewlett-Packard Development Company, L.P. Methods and systems for using lambda transitions for processing regular expressions in intrusion-prevention systems
WO2009097610A1 (en) 2008-02-01 2009-08-06 Northeastern University A vmm-based intrusion detection system
US20090328215A1 (en) 2008-06-30 2009-12-31 Microsoft Corporation Semantic networks for intrusion detection
GB0816556D0 (en) 2008-09-10 2008-10-15 Univ Napier Improvements in or relating to digital forensics
US8370931B1 (en) 2008-09-17 2013-02-05 Trend Micro Incorporated Multi-behavior policy matching for malware detection
US20120137367A1 (en) 2009-11-06 2012-05-31 Cataphora, Inc. Continuous anomaly detection based on behavior modeling and heterogeneous information analysis
US8661034B2 (en) 2010-02-03 2014-02-25 Gartner, Inc. Bimodal recommendation engine for recommending items and peers
US8752171B2 (en) 2010-09-03 2014-06-10 Mcafee, Inc. Behavioral tracking system, method, and computer program product for undoing events based on user input
US8572239B2 (en) 2010-09-20 2013-10-29 Microsoft Corporation Node clustering
US20120278354A1 (en) 2011-04-29 2012-11-01 Microsoft Corporation User analysis through user log feature extraction
EP2754049A4 (en) * 2011-09-09 2015-08-26 Hewlett Packard Development Co SYSTEMS AND METHOD FOR EVALUATING EVENTS BASED ON A REFERENCE BASE LINE AFTER THE TIME POSITION IN A SUCCESS OF EVENTS
US9058486B2 (en) 2011-10-18 2015-06-16 Mcafee, Inc. User behavioral risk assessment
US8839435B1 (en) 2011-11-04 2014-09-16 Cisco Technology, Inc. Event-based attack detection
US9129227B1 (en) 2012-12-31 2015-09-08 Google Inc. Methods, systems, and media for recommending content items based on topics
US20140230062A1 (en) 2013-02-12 2014-08-14 Cisco Technology, Inc. Detecting network intrusion and anomaly incidents
US9225737B2 (en) 2013-03-15 2015-12-29 Shape Security, Inc. Detecting the introduction of alien content
US9166993B1 (en) 2013-07-25 2015-10-20 Symantec Corporation Anomaly detection based on profile history and peer history
GB2519941B (en) 2013-09-13 2021-08-25 Elasticsearch Bv Method and apparatus for detecting irregularities on device
US10346465B2 (en) 2013-12-20 2019-07-09 Qualcomm Incorporated Systems, methods, and apparatus for digital composition and/or retrieval
US20170039198A1 (en) * 2014-05-15 2017-02-09 Sentient Technologies (Barbados) Limited Visual interactive search, scalable bandit-based visual interactive search and ranking for visual interactive search
US9798883B1 (en) * 2014-10-06 2017-10-24 Exabeam, Inc. System, method, and computer program product for detecting and assessing security risks in a network
WO2016081516A2 (en) 2014-11-18 2016-05-26 Vectra Networks, Inc. Method and system for detecting threats using passive cluster mapping
US9652316B2 (en) 2015-03-31 2017-05-16 Ca, Inc. Preventing and servicing system errors with event pattern correlation
US9536072B2 (en) * 2015-04-09 2017-01-03 Qualcomm Incorporated Machine-learning behavioral analysis to detect device theft and unauthorized device usage
US20160335432A1 (en) * 2015-05-17 2016-11-17 Bitdefender IPR Management Ltd. Cascading Classifiers For Computer Security Applications
US20160352759A1 (en) 2015-05-25 2016-12-01 Yan Zhai Utilizing Big Data Analytics to Optimize Information Security Monitoring And Controls
CN105989849B (zh) 2015-06-03 2019-12-03 乐融致新电子科技(天津)有限公司 一种语音增强方法、语音识别方法、聚类方法及装置
US20170140384A1 (en) * 2015-11-12 2017-05-18 Fair Isaac Corporation Event sequence probability enhancement of streaming fraud analytics
EP3387814B1 (en) 2015-12-11 2024-02-14 ServiceNow, Inc. Computer network threat assessment
JP6679943B2 (ja) * 2016-01-15 2020-04-15 富士通株式会社 検知プログラム、検知方法および検知装置
US9762611B2 (en) 2016-02-16 2017-09-12 Cylance Inc. Endpoint-based man in the middle attack detection using machine learning models
US10218726B2 (en) * 2016-03-25 2019-02-26 Cisco Technology, Inc. Dynamic device clustering using device profile information
CN109564575B (zh) 2016-07-14 2023-09-05 谷歌有限责任公司 使用机器学习模型来对图像进行分类
US10832165B2 (en) 2016-12-02 2020-11-10 Facebook, Inc. Systems and methods for online distributed embedding services
US10552501B2 (en) 2017-03-28 2020-02-04 Oath Inc. Multilabel learning via supervised joint embedding of documents and labels
US10726128B2 (en) 2017-07-24 2020-07-28 Crowdstrike, Inc. Malware detection using local computational models
US12061954B2 (en) 2017-10-27 2024-08-13 Intuit Inc. Methods, systems, and computer program product for dynamically modifying a dynamic flow of a software application
US20190296933A1 (en) 2018-03-20 2019-09-26 Microsoft Technology Licensing, Llc Controlling Devices Based on Sequence Prediction
US11636287B2 (en) 2018-03-28 2023-04-25 Intuit Inc. Learning form-based information classification
US20190340615A1 (en) * 2018-05-04 2019-11-07 International Business Machines Corporation Cognitive methodology for sequence of events patterns in fraud detection using event sequence vector clustering

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7818797B1 (en) * 2001-10-11 2010-10-19 The Trustees Of Columbia University In The City Of New York Methods for cost-sensitive modeling for intrusion detection and response
US20140215618A1 (en) * 2013-01-25 2014-07-31 Cybereason Inc Method and apparatus for computer intrusion detection

Also Published As

Publication number Publication date
KR102403629B1 (ko) 2022-05-31
US20200186546A1 (en) 2020-06-11
IL283698B1 (en) 2024-01-01
IL283698B2 (en) 2024-05-01
CN113168469B (zh) 2024-04-23
EP3895048A1 (en) 2021-10-20
CN113168469A (zh) 2021-07-23
KR20210102897A (ko) 2021-08-20
CA3120423A1 (en) 2020-06-18
SG11202105054UA (en) 2021-06-29
EP3895048B1 (en) 2023-04-05
AU2019400060B2 (en) 2024-01-11
IL283698A (en) 2021-07-29
AU2019400060A1 (en) 2021-06-03
JP7389806B2 (ja) 2023-11-30
JP2022512195A (ja) 2022-02-02
CA3120423C (en) 2024-05-28
US11153332B2 (en) 2021-10-19
ES2946062T3 (es) 2023-07-12

Similar Documents

Publication Publication Date Title
AU2019398304B2 (en) Systems and methods for behavioral threat detection
AU2019400060B2 (en) Systems and methods for behavioral threat detection
AU2019398651B2 (en) Systems and methods for behavioral threat detection
CA3120156C (en) Systems and methods for behavioral threat detection
RU2772549C1 (ru) Системы и способы детектирования поведенческих угроз
RU2803399C2 (ru) Системы и способы детектирования поведенческих угроз
RU2778630C1 (ru) Системы и способы детектирования поведенческих угроз
HK40048545B (zh) 用於行为威胁检测的系统及方法
HK40049002B (zh) 用於行为威胁检测的系统及方法
HK40048546B (zh) 用於行为威胁检测的系统及方法
HK40048546A (en) Systems and methods for behavioral threat detection
HK40049002A (en) Systems and methods for behavioral threat detection
HK40048545A (en) Systems and methods for behavioral threat detection

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19817694

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 3120423

Country of ref document: CA

ENP Entry into the national phase

Ref document number: 2019400060

Country of ref document: AU

Date of ref document: 20191210

Kind code of ref document: A

ENP Entry into the national phase

Ref document number: 20217017510

Country of ref document: KR

Kind code of ref document: A

ENP Entry into the national phase

Ref document number: 2021533157

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2019817694

Country of ref document: EP

Effective date: 20210712