Patent Grant
11588834
In general, managed network or system security programs or platforms are designed to try to identify attack patterns and suspicious activity from malicious actors and to allow actions to be taken to investigate or remedy potential compromise events. This has resulted in somewhat of a cat-and-mouse game, with “good guys” on one side trying to counteract “bad guys” on the other side; but unfortunately, the “good guys” typically are fundamentally disadvantaged, since a “bad guy” can take actions that may seem relatively small, for example, using rudimentary, relatively cheap technology, that may have very large impact and require large expensive efforts on behalf of the “good guys.” Many times the attack patterns taken by malicious actors only become recognizable in hindsight, often after a compromise event has occurred. Existing systems and methods furthermore often struggle to correlate malicious behaviour across numerous sources of telemetry, allowing malicious attackers to operate on networks undetected.
As a result of these and other factors, it is becoming more and more difficult to identify attack patterns or suspicious activity from threat or other malicious actors operating in computer networks within the sea of normal, legitimate network telemetry. Put another way, as threat and other malicious actors continue to modify/refine their attack patterns or actions to try to mimic normal message traffic or activity, it is becoming increasingly difficult to separate artifacts of attack patterns and suspicious activities from normal network telemetry. These circumstances further can lead to significant false positives in identifying compromise events, reducing confidence in available systems and methods.
Accordingly, it can be seen that a need exists for systems and methods that not only can identify abnormal, malicious activities, but that can also associate such activities with attack patterns or known suspicious activities to increase confidence in the detection of compromise events that have actually occurred. Further, such systems and methods should efficiently present any compromise events to clients with enough context and information that allows them to investigate and/or attempt to take remedial measures with the appropriate scope.
The present disclosure is directed to the foregoing and other related, and unrelated, problems or issues in the relevant art.
Briefly described, according to various aspects, the present disclosure includes systems and methods for identifying malicious actors or malicious activities, such as systems and methods for identifying threat or other malicious actors operating in one or more computer networks by extracting information related to these actor's attack patterns or suspicious activity from the sea of normal, legitimate activity across the one or more computer networks. Attack patterns can include actions or activities related to various computer network attacks or attempted attacks, such as malware attacks, phishing attacks, automated attacks, backdoor attacks, port attacks, malignant employees, etc., as well as other artifacts or indicators of suspicious or threat actors taking actions or otherwise operating on computer networks.
In one embodiment, a system for identifying attack patterns or suspicious activity can include a normalizer, a profile builder, at least one primitive creator, and a compromise detector. In addition, a client portal also can be utilized or otherwise provided. The normalizer receives raw data from a plurality of clients and structures the raw data into one or more structured data sets. The profile builder builds or populates one or more historical, baseline activity profiles. The baseline activity profiles can be developed for each client, and, in some embodiments, for entities, e.g., employees, users, devices, etc. or other entities, associated with the clients. For example, the profile builder can identify features in the one or more structured data sets and provide information (e.g., frequency information related to the features) to one or more databases for building the one or more historical baseline profiles.
The primitive creator generates primitives from the one or more structured data sets. Primitives generally include items, elements, etc. in the one or more structure data sets that are possibly indicative of attack patterns or suspicious activity. In some embodiments, primitives can be at least partially defined by highly improbable network telemetry. For example, the primitive creator can identify or extract features in the one or more data sets and compare the identified or extracted features to information (e.g., frequency information) in the one or more historical, baseline activity profiles. For each of the identified or extracted features found to occur below a prescribed frequency threshold based on information in one or more of the historical, baseline activity profile(s), the primitive creator creates or otherwise provides corresponding primitives. The features extracted by the primitive creator generally can correspond to the features extracted to build or populate the one or more historical, baseline activity profiles, and in this regard, the one primitive creator can compare these extracted features against their historical frequency or occurrence reflected in in the activity baseline profile(s) to determine whether the relevant extracted features represent improbable network telemetry and should be identified as primitives that potentially represent or suggest attack patterns or other suspicious activities.
The compromise detector receives primitives from the primitive creator (or other additional primitive creators), and organizes the received primitives into groups according to prescribed grouping information, e.g., populates or provides primitives into session windows based on client or entity information. The compromise detector then identifies specific combinations or sequences of primitives in the groups. For each identified combination or sequence of primitives that meets one or more set criterion, the compromise detector generates a corresponding compromise event.
The client portal receives compromise events or other information related thereto from the compromise detector to notify affected clients of the events indicating an identified attack pattern or suspicious activity to facilitate investigation or remediation thereof.
In one example, the profile builder can populate entity profiles for each entity associated with a particular client with information related to the identified or extracted features, and also populate client profiles for each of the clients with information related to the identified or extracted features. The primitive creator can compare the identified or extracted features to the information in a corresponding entity profile, and if the identified or extracted features in comparison to the information in the entity profile meets a selected or determined entity frequency threshold, the at least one primitive creator may establish or elevate a temporary or staged primitive to be investigated further by the primitive creator. Thereafter, the primitive creator further can compare the identified or extracted features corresponding to each staged or temporary primitive to information in a corresponding client profile, and, if the identified or extracted features in comparison to the information in the corresponding client profile meets a selected or determined client frequency threshold, the at least one primitive creator can create a corresponding primitive to be provided to the compromise detector.
In some variations, the profile builder and the primitive creator can be the same, or part of the same, component that can populate one or more historical, baseline activity profile(s) with information (e.g., frequency information) related to identified features from or otherwise present in one or more data sets and can extract or otherwise identify such features in subsequent/new data sets, e.g., as subsequent/new data sets are received, and compare the features to or otherwise look up a historical frequency or occurrence thereof in the one or more historical, baseline activity profile(s). If the frequency or occurrence of certain features is below a prescribed frequency threshold or other selected criterion indicating that the presence or occurrence of the certain features in the subsequent/new data sets represents improbable activity on a network for a particular client and/or entity associated therewith, one or more primitives can be generated corresponding to these features.
The system further can include at least one additional primitive creator that creates primitives independent of historical client or entity information. The at least one additional primitive creator can include an indicator of compromise primitive creator, a business email compromise primitive creator, a cloud account hijacking primitive creator, other additional primitive creators that do or do not rely on historical information, or combinations thereof.
The compromise detector can group the received primitives into session windows, which can be open or otherwise available for a prescribed time period. The compromise detector further can generate compromise events if/when the received primitives in one of the session windows meets at least one selected criterion, such as the primitives in the session window include a number of primitives that exceed a prescribed number, the primitives in the session window match a specific combination or sequence of primitives that relate to known attack patterns or suspicious activities, the primitives in the session window are found to likely correspond to one or more attack patterns or suspicious activities according to a prescribed probability, or combinations thereof.
The system further can include a client value machine learning system that receives information from the clients through the client portal as one or more inputs, and generates one or more outputs that are provided to the compromise detector to suppress events below a certain probability threshold. Thus, the system can be updated and/or passively tuned, with minimal human intervention required, through client feedback on reported compromise events.
In one embodiment, a method for identifying attack patterns or suspicious activity is provided. The method can include receiving data from a plurality of clients, and building one or more baseline activity profiles for each client of the plurality of clients or entities associated therewith based on the received data. The method also can include identifying or extracting features in the one or more data sets, and comparing the identified features to information in the one or more baseline activity profiles for creation of primitives for identified or extracted features that meet, e.g., are below, a prescribed frequency threshold. Thereafter, the method can include organizing the created primitives into groups according to prescribed grouping information, identifying specific sequences or combinations of primitives in the groups, and generating a compromise event for each identified signature, combination, or sequence of primitives that meet a particular threshold criterion. Then, the method can include notifying affected clients of each generated compromise events to indicate an identified attack pattern or suspicious activity and facilitate investigation or remediation thereof.
Various objects, features and advantages of the present disclosure will become apparent to those skilled in the art upon a review of the following detail description, when taken in conjunction with the accompanying drawings.
It will be appreciated that for simplicity and clarity of illustration, elements illustrated in the Figures are not necessarily drawn to scale. For example, the dimensions of some elements may be exaggerated relative to other elements. Embodiments incorporating teachings of the present disclosure are shown and described with respect to the drawings herein, in which:
The use of the same reference symbols in different drawings indicates similar or identical items.
The following description in combination with the figures is provided to assist in understanding the teachings disclosed herein. The description is focused on specific implementations and embodiments of the teachings, and is provided to assist in describing the teachings. This focus should not be interpreted as a limitation on the scope or applicability of the teachings.
As
The system 10A/10B can include a normalizer 16 that receives and normalizes or otherwise structures the raw data 14 into one or more normalized or structured data sets 18 (
The normalizer 20 further can be configured to enrich or otherwise augment the raw data 14 (
As additionally indicated in
According to one example, the profile builder 20 can receive a log related to an authentication event for a specific entity, such as a user of a prescribed client's system, e.g., “entity@example.corp,” from a particular client, e.g., client B, stating that the specific entity, e.g., “entity@example.corp,” authenticated to a particular director for an application (e.g., an Active Directory for the “Microsoft Teams” application, as provided by Microsoft Corp. of Redman, Wash.) using a particular operating system (e.g., “MacOS” as provided by Apple Inc. of Cupertino, Calif.) with an IP address originating from a specific country (e.g., the “UK”). If the profile builder 20 is set up to track and extract specific features related to the application, operating system, and country, then these features will be extracted by the profile builder and the corresponding frequencies for these values will be updated in the corresponding entity profile database 26. In addition, the distinct count of entities associated with these selected extracted features will be updated by the profile builder in the corresponding client profile database 24.
In some variations, when an entity's profile is updated by a new log, the profile builder 20 can update two data entries in the relevant entity database 26 including the entry for the entity's current day and the entry for the entity's current month. For example, if an entity has network activity through Feb. 27, 2020 and Mar. 13, 2020, the entity profile database 26 can have fifteen “day” data entries for the entity and two “month” entries for the entity. The aggregation of the fifteen “day” data entries can be equal to the aggregation of the two “month” data entries. The month data entries can allow the efficient aggregation of an entity's historical profile by the primitive creator 30, discussed further below, while the day data entries allow a time visualization of the entity's profile for exploratory purposes in the client portal 60, discussed further below.
As
The system 10B can include a plurality of primitive creators 30 each consuming received client data, e.g., structured logs 18, to identify or provide various primitives 40, as generally indicated in
The improbable primitive creator 32 compares the extracted or identified features to information in the client 24 and/or entity 26 databases and creates one or more improbable primitives 42 if a set or selected threshold. In some embodiments, the criterion includes one or more probability thresholds that must be met to affect creation of improbable primitives 42. For example, an entity threshold and a client threshold must be met for creation of an improbable primitive 42. An entity threshold can include a probability or frequency threshold that a specific feature must meet as compared to a particular entity's baseline reflected in the relevant entity database 26 to be deemed improbable. A client threshold can include a probability or frequency threshold that the specific feature must meet as compared to the client 12's (e.g., the client associated with the entity) baseline reflected in the relevant client database 24 to be deemed improbable. In some variations, both the client and entity thresholds must be meet by a particular feature(s) in order to initiate the creation of an improbable primitive 42.
More specifically, in some embodiments, the primitive creator 32 compares extracted features from a log 18 with the queried entity profile 26. If the frequency for any of the features extracted from the log 18 is below the pre-configured threshold, then an improbable primitive 42 for the entity and the offending feature is staged for creation. That is, the entity and relevant or offending feature that is below the pre-configured threshold is at least temporarily elevated for further investigation. Each feature may have a different configured threshold, such that the threshold required for staging a one type of primitive, e.g., a country primitive, can be different than the threshold required for staging another, e.g., an application primitive. Furthermore, clients, MSSPs, etc. may configure different thresholds for various primitive types. For each of the staged entity and offending/relevant features, e.g., temporarily elevated for further investigation, the improbable primitive creator 32 queries the client profile database 24 in order to compare the offending feature with the historical frequency across the entire client network. If the percentage of entities tracked in the client's network that have been previously associated with the relevant primitive is below a pre-configured threshold, then an improbable primitive 42 is created.
According to one example, an authentication log can arrive in the improbable primitive creator 32 for a specific entity, e.g., a specific user, user@example.corp, from a particular client, such as client A, stating that the specific user, i.e., user@example.corp, authenticated to a directory for a particular application (e.g., Microsoft's Active Directory for the “Sharepoint” Application, as provided by Microsoft Corp. of Redman, Wash.) using a specific operating system (e.g., “Linux”®) with an IP address originating from a particular location, e.g., “China.” The improbable primitive creator 32 can query the aggregate entity profile for the specific user, bill@example.corp, and calculate or otherwise determine whether the frequency of the specific user, bill@example.corp, using the particular application, “Sharepoint”, meets, e.g., is below or equal to, a pre-configured, entity application threshold; whether the frequency of the specific operative system, “Linux”, meets, e.g., is below or equal to, a pre-configured, entity operation system threshold; and whether the particular location, “China”, meets, e.g., is below or equal to, a pre-configured, entity country threshold.
If the location, “China”, and the operating system, “Linx”, meet the prescribed entity thresholds, but the particular application, “Sharepoint”, does not, the improbable primitive creator 32 will stage or temporarily update a primitive for the operating system and country features and the specific user (and not the application features), and query the client profile database 24 for the frequency of the operating system and country features (i.e., “Linux” and “China”) across the entire client's profile (e.g., client A's entire profile). If the frequency of entities who have been associated with “Linux” is above a pre-configured client operating system threshold (i.e., does not meet the client's operating system threshold), and if the frequency of users who have authenticated from “China” is below a pre-configured client country threshold (i.e., meets the country threshold), a country primitive for bill@example.corp with the relevant context will be created (but an operating system primitive will not). Numerous primitives can be generated from one network activity log, and if the frequencies for the application and operating systems for the foregoing example were below the pre-configured thresholds (i.e., met the prescribed thresholds as well), then three separate primitives would have been created, e.g., application, operating system, and country primitives all would have been created.
Accordingly, with embodiments of the present disclosure, the context for creation of an improbable primitive 42 can consist of numerous attributes, including but not limited to the extracted features, the frequency of the extracted features at the entity and client level, the relevant pre-configured thresholds, and historical frequencies associated with the extracted features.
The additional primitive creators can include an indicator of compromise primitive creator 34 (hereinafter “IOC primitive creator”) that consumes normalized logs 18 and extracts or identifies features, such as values, artifacts, other information, etc., from the logs 180. The IOC primitive creator 34 can be set to extract or identify various different features including but not limited to, IP addresses, domain names, network traffic information, account activity information, log in information, location information, database read volume information, file size information, port-application traffic information, DNS request information, web traffic information, file information, such as file size, file hashes, etc., command and control activity information, or combinations thereof.
The extracted values, features, etc. then are compared or queried against an internal threat intelligence database 34A in order to determine whether any extracted values, features, etc. have been marked or otherwise identified as suspicious. The threat intelligence database 34A can include aggregated information related to known threats, suspicious activities, etc., such as blacklists of known threat actors or groups, internal intelligence databases, etc. and other information collected by MSSPs, security researchers or analysts, etc. In one example, an IP address associated with a known threat group can added to the internal threat intelligence database by a security researcher, and if a log associated with a specific entity, e.g., a user user2@example.corp, and this IP address is consumed by the IOC primitive creator 34, then a suspicious primitive 44 for this user, i.e., user2@example.corp, will be created.
Another suspicious primitive creator can include a business email compromise primitive creator 36 (hereinafter “BEC primitive creator”). The BEC primitive creator 36 consumes normalized logs 18 and inspects for logs indicative of business email compromise, such as logs reflecting an inbox rule to redirect emails to an external address or an inbox rule to delete emails that would alert hat the entity has been compromised. That is, if a log including specific information, e.g., indicative of a business email compromise, the BEC primitive creator 36 generally will create a primitive for the relevant entity. The one or more suspicious primitive creators can include other primitive creators that generate primitive if a log includes certain information indicative of suspicious activity, such as a cloud account hijacking primitive creator 38 that creates a primitive if a log includes information indicating or related to a cloud account hijacking or other account hijacking.
In one embodiment, the compromise detector 50 groups primitives by both the associated entity and the original event time into a session or activity window. The compromise detector generally creates or generates compromise events 52 based on one or more combinations or sequences of primitives occurring during/within a particular, single session window. The session window can be a flexible window of time (e.g., not a fixed length of time) that can start when an event occurs for a particular entity, e.g., a user of a client's network, and end when that entity's, e.g., user's, account stops showing activity. A session window can span minutes or hours depending on the activity event flow.
The specific session window time period, e.g., the time difference between events that will keep a session window open, is generally configurable, such as by clients, MSSPs, other parties, etc. For example, the event time difference can be set to a prescribed time period, e.g., 20 minutes, and the session window will remain open as long as new events keep occurring within the prescribed time period, e.g., less than 20 minutes, of each other, and the session window for that entity closes when the time between events exceeds the prescribed interval, e.g., exceeds 20 minutes in this example. It will be understood that there may be a large time gap as to when a primitive arrives at the compromise detector 50 and the event time on the original network log, and thus, the compromise detector 50 may only be concerned with event time on the original network and uses this timestamp to create sessions windows. The session window time period can be set to any particular time period, including minutes, one or more hours, or more, such as a few days. The session window time period can be set for each client intuitively or otherwise based on specific historical client information, e.g., it can be assumed that activity separated by more than hour or more of inactivity for a specific entity represents separate entity sessions, e.g., groups of interactions one entity takes within a period devoted to a particular activity (or closely related activities).
According embodiments of the present disclosure, a session window can group primitives with similar event times, and a session window can begin at the earliest event time. A session timeout generally can be configured to determine the maximum time gap between primitives before a new session window is created. If a primitive arrives with an event time within the specified timeout from the previous primitive, then the session window can be extended in order to include this new primitive. If primitives keep arriving with event times within the selected timeout, then the session window can be extended indefinitely until a maximum pre-configured session window duration is reached. Should one or more primitives arrive where the difference between the new primitive's event time and the temporally previous primitive's event time is greater than the session timeout, then a new session window is created containing only the new primitive.
Furthermore, the order in which primitives arrive to the compromise detector 50 generally is not important, and primitives associated with a session window from many days ago can be added and extend that session window as long as the session window is still cached in the memory of the primitive aggregator. The use of a session window can help to provide a data aggregation strategy that models a more accurate entity session than what is possible with traditional data aggregation methods/processes; rather than having a static session size for all entities, the size of the session varies depending on the entity's behavior.
However, if that session window 100 receives an I.O.C. primitive 40C and a country primitive 40A at T31, an operating system primitive 40 at T33, and subsequently a BEC primitive 40D denoting that an email forwarding rule was created at T34, and a I.O.C. primitive 40C, a country primitive 40A, and an operating system 40B primitive all followed by a business email compromise primitive 40D present in the session window 100 is a signature or sequence of primitives matching or likely to represent an attack pattern or suspicious activity, then an event 52 will be created by the compromise detector 50 and sent to a client portal 60. This signature is described by example only and is but one of many possible combinations or sequences that might result in creation of a compromise event 52. Numerous primitives denoting the same activity can often be created, which may lead to duplicate events being generated. The present disclosure can avoid this issue by keeping track of the state for each session window such that duplicate primitives do not trigger duplicate events.
In general, no one single primitive occurring typically may be sufficient to generate an event. Further, a prescribed number or select combination of multiple observed actions, e.g., multiple primitives, typically will be used to provide the requisite proof to generate an event, e.g., increasing the reliability of the system 10A/10B, reducing false detections/events, etc. . . . . With embodiments of the present disclosure, the compromise detector 50 will create events based on one or more threshold criteria. The system 10A/10B can be set to require any one or combination of threshold criteria for creating an event.
For example, the compromise detector 50 can generate an event(s) if a particular entity exceeded a prescribed number “N” of primitives observed. That is, if the session window includes the prescribed number N of primitives or more, the compromise detector 50 will create an event. The number N generally is selectable/configurable by clients, MSSPs, etc. and can be set to any appropriate number, e.g., two, three, four, five, six or more and so on.
The compromise detector 50 also can generate an event(s) when specific combinations or sequences are observed (e.g., any one signature primitive and any one improbable primitive are observed within a session window or other combinations of primitives that are representative of attack patterns or suspicious activity). In this regard, the compromise detector 50 will create an event if/when a session window includes a particular combination and/or sequence of primitives that matches a stored combination and/or sequence of primitives known to represent or related to attack patterns or suspicious activity.
In addition, the compromise detector 50 further can generate an event if a signature or sequence of primitives is likely to represent an attack pattern or suspicious activity according to a prescribed probability threshold or confidence internal, e.g., the compromise detector 50 determines a 90% or more likelihood that a particular combination or sequence of primitives in a session window represents an attack pattern or suspicious activity. The prescribed probability can be selectable and set to any value, e.g., 80%, 85%, 95%, 99%, etc., Further, in some implementations, the compromise detector 50 can generate an event if a signature or sequence of primitives in a session window is not likely to represent safe or benign activity according to a prescribed probability threshold or confidence internal, e.g., the compromise detector 50 determines a 10% or less likelihood that the signature or sequence of signatures is safe or benign. This prescribed probability also can be selectable and set to any value, e.g., 20%, 15%, 5%, 1%, etc.
Returning to
The client portal 60 also can provide one or more displays or visualizations, e.g., a series of dynamic visualizations, relating to the event so that the client can also visually explore the historical behavior of the entity in the client portal. Entity data generally is fetched in real-time during exploration from the entity and client profile databases. The visualization can help the client efficiently determine whether the entity's behavior should be investigated or how it should be remediated by providing a clearer explanation as to why the event was created. Accordingly, the system 10A/10B provides an improvement to and goes beyond the systems and methods employing a traditional “black box” strategy of providing clients with events, without sufficient context as to why the event is abnormal.
As indicated in
At 412, primitive features can be identified from the one or more data sets to facilitate identification or generation of one or more primitives. Thereafter, at 414, the identified primitive features can be compared to information in entity profiles, and a determination whether the identified permanent features meet a threshold or criterion for establishing a primitive in comparison to the entity profile is made at 416. If the threshold or criterion is met, a staged primitive is established for each identified primitive feature meeting the threshold or criterion at 418. If the identified primitive features do not meet the threshold or criterion, no primitives are staged and the process can return to 412.
Subsequently, as indicated in
Optionally, as indicated at 428, additional primitives can be created based on or independent of historical client or entity information. For example, IOC primitives, business email compromise primitives, cloud account hijacking primitives, or other suitable primitives can be created at 428.
Thereafter, at 430, primitives and/or additional primitives can be organized into groups according to prescribed grouping information, e.g., primitives can be grouped in session windows based on entity information, client information, time-based information, etc. And, at 432, one or more signatures, e.g., specific combinations or sequences, of primitives can be identified from/in the groups. Then, at 434, a determination is made as to whether there is a probability or potential that any of the signatures correspond to an attack pattern or suspicious activity (e.g., if one or more combinations or sequences of primitives meet a prescribed criterion, such as the received primitives in one of the session windows includes a number of primitives that exceed a prescribed number, match a specific combination or sequence of primitives that relate to known attack patterns or suspicious activities, are likely to correspond to one or more attack patterns or suspicious activities according to a prescribed probability threshold, or combinations thereof).
If there is there is a probability or potential that any of the signatures correspond to an attack pattern or suspicious activity as determined at 434, a compromise event(s) is generated and each client associated with the event(s) is notified and provided detailed information related to the event at 436. If not, no event is created (as generally indicated at 438).
Furthermore, at 440, information related to the compromise event(s) can be updated or can be provided to the entity profile, the client profile, or other profiles or data stores, etc. of the system, e.g., to provide tuning or update the system to help with the creation of primitives or identification of subsequent compromise events.
For purposes of this disclosure, an information handling system 80 (
As shown in
In one embodiment, the monitoring device(s) 86 may include a server or sequence analyzer or other client suitable computing device that has a processor and a memory or other suitable storage. The memory can include a random access memory (RAM), read only memory (ROM), and/or other non-transitory computer readable medium. The monitoring device(s) 86 further typically will be operable to store and execute computer readable instructions to continuously monitor, in real-time, activity at each networked system, for example, activity of the information handling systems 80 connected to network 84. The monitoring device(s) 86 can ingest or aggregate information or data logs related to activities of the information handling systems 80 and can provide these ingested/aggregate data logs or information or data related thereto to by the system 10A/10B for processing thereby. In addition, or in the alternative, the system 10A/10B can include a data center 88, such as a data center 88 management by an MSSP, with a plurality of networked information handling systems 80, e.g., including one or more servers 90 with at least one memory 92 and one or more processors 94 for receiving information or data logs related to activities of the information handling systems 80 of system 82. These information/data logs can be a part of the raw logs 14 provided to the system 10A/10B.
One or more components of the system 10A/10B can be resident on or accessed by the devices 80, the server(s) 90, or other devices or information handling systems in communication therewith. One or more processors of the device 80 of the one or more processors 94 can process or execute instructions, workflows, etc., stored in at least one memory (e.g., a memory of the devices 90 or memory 92) to facilitate performance of various processes, functions, etc. of the system 10A/10B.
The foregoing description generally illustrates and describes various embodiments of the present disclosure. It will, however, be understood by those skilled in the art that various changes and modifications can be made to the above-discussed construction of the present disclosure without departing from the spirit and scope of the disclosure as disclosed herein, and that it is intended that all matter contained in the above description or shown in the accompanying drawings shall be interpreted as being illustrative, and not to be taken in a limiting sense. Furthermore, the scope of the present disclosure shall be construed to cover various modifications, combinations, additions, alterations, etc., above and to the above-described embodiments, which shall be considered to be within the scope of the present disclosure. Accordingly, various features and characteristics of the present disclosure as discussed herein may be selectively interchanged and applied to other illustrated and non-illustrated embodiments of the disclosure, and numerous variations, modifications, and additions further can be made thereto without departing from the spirit and scope of the present invention as set forth in the appended claims.
| Number | Name | Date | Kind |
|---|---|---|---|
| 5937066 | Gennaro et al. | Aug 1999 | A |
| 6357010 | Viets et al. | Mar 2002 | B1 |
| 7269578 | Sweeney | Sep 2007 | B2 |
| 7331061 | Ramsey et al. | Feb 2008 | B1 |
| 7492957 | Bonhaus | Feb 2009 | B1 |
| 7548932 | Horvitz et al. | Jun 2009 | B2 |
| 7555482 | Korkus | Jun 2009 | B2 |
| 7571474 | Ross et al. | Aug 2009 | B2 |
| 7594270 | Church et al. | Sep 2009 | B2 |
| 7606801 | Faitelson et al. | Oct 2009 | B2 |
| 7613722 | Horvitz et al. | Nov 2009 | B2 |
| 7770031 | MacKay et al. | Aug 2010 | B2 |
| 7856411 | Darr | Dec 2010 | B2 |
| 7926113 | Gula et al. | Apr 2011 | B1 |
| 8079081 | Lavrik et al. | Dec 2011 | B1 |
| 8122495 | Ramsey et al. | Feb 2012 | B2 |
| 8156553 | Church et al. | Apr 2012 | B1 |
| 8327419 | Korablev et al. | Dec 2012 | B1 |
| 8407335 | Church et al. | Mar 2013 | B1 |
| 8490193 | Sarraute et al. | Jul 2013 | B2 |
| 8490196 | Lucangeli et al. | Jul 2013 | B2 |
| 8522350 | Davenport et al. | Aug 2013 | B2 |
| 8539575 | Schmitlin et al. | Sep 2013 | B2 |
| 8578393 | Fisher | Nov 2013 | B1 |
| 8595170 | Gladstone et al. | Nov 2013 | B2 |
| 8621618 | Ramsey et al. | Dec 2013 | B1 |
| 8701176 | Ramsey et al. | Apr 2014 | B2 |
| 8793786 | Bhesania et al. | Jul 2014 | B2 |
| 8805881 | Hom et al. | Aug 2014 | B2 |
| 8832048 | Lim | Sep 2014 | B2 |
| 8839414 | Mantle et al. | Sep 2014 | B2 |
| 8898777 | Oliver | Nov 2014 | B1 |
| 8909673 | Faitelson et al. | Dec 2014 | B2 |
| 8931095 | Ramsey et al. | Jan 2015 | B2 |
| 8938802 | Davenport et al. | Jan 2015 | B2 |
| 8959115 | Marathe | Feb 2015 | B2 |
| 8984644 | Oliphant et al. | Mar 2015 | B2 |
| 9009828 | Ramsey et al. | Apr 2015 | B1 |
| 9032478 | Ballesteros et al. | May 2015 | B2 |
| 8928476 | Jerhotova et al. | Jun 2015 | B2 |
| 9046886 | Chong et al. | Jun 2015 | B2 |
| 9047336 | Hom et al. | Jun 2015 | B2 |
| 9069599 | Martinez et al. | Jun 2015 | B2 |
| 9098702 | Rubin et al. | Aug 2015 | B2 |
| 9129105 | Donley et al. | Sep 2015 | B2 |
| 9130988 | Seifert et al. | Sep 2015 | B2 |
| 9137262 | Qureshi et al. | Sep 2015 | B2 |
| 9191400 | Ptasinski et al. | Nov 2015 | B1 |
| 9298895 | Lim | Mar 2016 | B2 |
| 9319426 | Webb et al. | Apr 2016 | B2 |
| 9338134 | Yin | May 2016 | B2 |
| 9338180 | Ramsey et al. | May 2016 | B2 |
| 9430534 | Bhattacharya et al. | Aug 2016 | B2 |
| 9438563 | Yin | Sep 2016 | B2 |
| 9519756 | Bitran et al. | Dec 2016 | B2 |
| 9544273 | Fleury et al. | Jan 2017 | B2 |
| 9548994 | Pearcy et al. | Jan 2017 | B2 |
| 9558352 | Dennison et al. | Jan 2017 | B1 |
| 9560062 | Khatri et al. | Jan 2017 | B2 |
| 9560068 | Figlin et al. | Jan 2017 | B2 |
| 9596252 | Coates et al. | Mar 2017 | B2 |
| 9628511 | Ramsey et al. | Apr 2017 | B2 |
| 9667656 | Banerjee et al. | May 2017 | B2 |
| 9667661 | Sharma et al. | May 2017 | B2 |
| 9710672 | Braun | Jul 2017 | B2 |
| 9712549 | Almurayh | Jul 2017 | B2 |
| 9742559 | Christodorescu et al. | Aug 2017 | B2 |
| 9767302 | Lim | Sep 2017 | B2 |
| 9805202 | Medeiros et al. | Oct 2017 | B2 |
| 9910986 | Saxe | Mar 2018 | B1 |
| 9973524 | Boyer et al. | May 2018 | B2 |
| 10050992 | Thyni et al. | Aug 2018 | B2 |
| 10063582 | Feng et al. | Aug 2018 | B1 |
| 10116500 | Long et al. | Oct 2018 | B1 |
| 10311231 | Kayyoor et al. | Jun 2019 | B1 |
| 10356125 | Goutal et al. | Jul 2019 | B2 |
| 10382489 | Das et al. | Aug 2019 | B2 |
| 10419903 | Singh et al. | Sep 2019 | B2 |
| 10425223 | Roth et al. | Sep 2019 | B2 |
| 10474820 | Manadhata | Nov 2019 | B2 |
| 10491632 | Natarajan et al. | Nov 2019 | B1 |
| 10567407 | Tang et al. | Feb 2020 | B2 |
| 10594713 | McLean | Mar 2020 | B2 |
| 10601865 | Mesdaq et al. | Mar 2020 | B1 |
| 10728263 | Neumann | Jul 2020 | B1 |
| 10735470 | Vidas et al. | Aug 2020 | B2 |
| 10762206 | Titonis et al. | Sep 2020 | B2 |
| 10785238 | McLean | Sep 2020 | B2 |
| 10834128 | Rajogopalan et al. | Nov 2020 | B1 |
| 10853431 | Lin et al. | Dec 2020 | B1 |
| 10915828 | Qhi | Feb 2021 | B2 |
| 11044263 | McLean et al. | Jun 2021 | B2 |
| 11165862 | Austin et al. | Nov 2021 | B2 |
| 11275831 | Aouad et al. | Mar 2022 | B1 |
| 20020129135 | Delany et al. | Sep 2002 | A1 |
| 20050060295 | Gould et al. | Mar 2005 | A1 |
| 20050138204 | Iyer et al. | Jun 2005 | A1 |
| 20050288939 | Peled et al. | Dec 2005 | A1 |
| 20060012815 | Ebner et al. | Jan 2006 | A1 |
| 20060037076 | Roy | Feb 2006 | A1 |
| 20060195575 | Delany et al. | Aug 2006 | A1 |
| 20060253447 | Judge | Nov 2006 | A1 |
| 20070192867 | Miliefsky | Aug 2007 | A1 |
| 20070226248 | Darr | Sep 2007 | A1 |
| 20070226807 | Ginter et al. | Sep 2007 | A1 |
| 20080077593 | Abrams et al. | Mar 2008 | A1 |
| 20080219334 | Brainos et al. | Sep 2008 | A1 |
| 20080255997 | Bluhm et al. | Oct 2008 | A1 |
| 20080262991 | Kapoor | Oct 2008 | A1 |
| 20080320000 | Gaddam | Dec 2008 | A1 |
| 20090198682 | Buehler et al. | Aug 2009 | A1 |
| 20100083374 | Schmitlin et al. | Apr 2010 | A1 |
| 20100125913 | Davenport et al. | May 2010 | A1 |
| 20100251329 | Wei et al. | Sep 2010 | A1 |
| 20110004771 | Matsushima et al. | Jan 2011 | A1 |
| 20110179492 | Markopoulou et al. | Jul 2011 | A1 |
| 20110276604 | Hom et al. | Nov 2011 | A1 |
| 20110276716 | Coulson | Nov 2011 | A1 |
| 20120072983 | McCusker | Mar 2012 | A1 |
| 20120117640 | Ramsey et al. | May 2012 | A1 |
| 20120185275 | Loghmani | Jul 2012 | A1 |
| 20120024673 | Raad | Sep 2012 | A1 |
| 20120254333 | Chandramouli | Oct 2012 | A1 |
| 20120260341 | Chan et al. | Oct 2012 | A1 |
| 20130104191 | Peled et al. | Apr 2013 | A1 |
| 20130138428 | Chandramouli | May 2013 | A1 |
| 20130173620 | Takenouchi | Jul 2013 | A1 |
| 20130226938 | Risher et al. | Aug 2013 | A1 |
| 20130238319 | Minegishi et al. | Sep 2013 | A1 |
| 20130282746 | Balko et al. | Oct 2013 | A1 |
| 20130291103 | Davenport et al. | Oct 2013 | A1 |
| 20130318604 | Coates et al. | Nov 2013 | A1 |
| 20140041028 | Ramsey et al. | Feb 2014 | A1 |
| 20140047544 | Jakobsson | Feb 2014 | A1 |
| 20140051432 | Gupta et al. | Feb 2014 | A1 |
| 20140222712 | Samaha et al. | Aug 2014 | A1 |
| 20140373151 | Webb et al. | Dec 2014 | A1 |
| 20150019323 | Goldberg et al. | Jan 2015 | A1 |
| 20150040225 | Coates et al. | Feb 2015 | A1 |
| 20150074390 | Stoback | Mar 2015 | A1 |
| 20150135287 | Medeiros et al. | May 2015 | A1 |
| 20150135320 | Coskun | May 2015 | A1 |
| 20150156212 | Khatri et al. | Jun 2015 | A1 |
| 20150186618 | Poorvin et al. | Jul 2015 | A1 |
| 20150222652 | Ramsey et al. | Aug 2015 | A1 |
| 20150271047 | McLean | Sep 2015 | A1 |
| 20150324457 | McLean | Nov 2015 | A1 |
| 20160006749 | Cohen | Jan 2016 | A1 |
| 20160014140 | Akireddy et al. | Jan 2016 | A1 |
| 20160014151 | Prakash | Jan 2016 | A1 |
| 20160078365 | Baumard | Mar 2016 | A1 |
| 20160099963 | Mahaffey et al. | Apr 2016 | A1 |
| 20160139886 | Perdriau et al. | May 2016 | A1 |
| 20160156655 | Lotem | Jun 2016 | A1 |
| 20160182546 | Coates et al. | Jun 2016 | A1 |
| 20160241591 | Ramsey et al. | Aug 2016 | A1 |
| 20160277423 | Apostolescu et al. | Sep 2016 | A1 |
| 20160313709 | Biesdorf et al. | Oct 2016 | A1 |
| 20160337400 | Gupta | Nov 2016 | A1 |
| 20160342805 | Lim | Nov 2016 | A1 |
| 20160378978 | Singla et al. | Dec 2016 | A1 |
| 20170026343 | Wardman | Jan 2017 | A1 |
| 20170063893 | Franc et al. | Mar 2017 | A1 |
| 20170063905 | Muddu | Mar 2017 | A1 |
| 20170098087 | Li | Apr 2017 | A1 |
| 20170111379 | Khatri et al. | Apr 2017 | A1 |
| 20170140295 | Bandara | May 2017 | A1 |
| 20170142149 | Coates et al. | May 2017 | A1 |
| 20170169154 | Lin et al. | Jun 2017 | A1 |
| 20170171228 | McLean | Jun 2017 | A1 |
| 20170180418 | Shen | Jun 2017 | A1 |
| 20170201381 | Kinder et al. | Jul 2017 | A1 |
| 20170201431 | Kinder et al. | Jul 2017 | A1 |
| 20170201490 | Kinder et al. | Jul 2017 | A1 |
| 20170201548 | Kinder et al. | Jul 2017 | A1 |
| 20170024475 | Kinder et al. | Aug 2017 | A1 |
| 20170243004 | Kinder et al. | Aug 2017 | A1 |
| 20170243005 | Kinder et al. | Aug 2017 | A1 |
| 20170244734 | Kinder et al. | Aug 2017 | A1 |
| 20170244754 | Kinder et al. | Aug 2017 | A1 |
| 20170244762 | Kinder et al. | Aug 2017 | A1 |
| 20170318033 | Holland et al. | Nov 2017 | A1 |
| 20170318034 | Holland et al. | Nov 2017 | A1 |
| 20170359368 | Hodgman | Dec 2017 | A1 |
| 20180077189 | Doppke et al. | Mar 2018 | A1 |
| 20180089574 | Goto | Mar 2018 | A1 |
| 20180091306 | Antonopoulos et al. | Mar 2018 | A1 |
| 20180103010 | Diaz Cuellar et al. | Apr 2018 | A1 |
| 20180124073 | Scherman et al. | May 2018 | A1 |
| 20180124085 | Frayman et al. | May 2018 | A1 |
| 20180152480 | Kinder et al. | May 2018 | A1 |
| 20180181599 | Crabtree et al. | Jun 2018 | A1 |
| 20180288198 | Pope et al. | Oct 2018 | A1 |
| 20180036755 | Musuvathi et al. | Dec 2018 | A1 |
| 20190014149 | Cleveland et al. | Jan 2019 | A1 |
| 20190037406 | Wash | Jan 2019 | A1 |
| 20190050554 | Fiske | Feb 2019 | A1 |
| 20190068630 | Valecha et al. | Feb 2019 | A1 |
| 20190095801 | Saillet et al. | Mar 2019 | A1 |
| 20190102554 | Luo et al. | Apr 2019 | A1 |
| 20190102646 | Redmon | Apr 2019 | A1 |
| 20190104154 | Kumar et al. | Apr 2019 | A1 |
| 20190122258 | Bramberger et al. | Apr 2019 | A1 |
| 20190132344 | Lem et al. | May 2019 | A1 |
| 20190141079 | Vidas et al. | May 2019 | A1 |
| 20190149564 | McLean | May 2019 | A1 |
| 20190173919 | Irimie | Jun 2019 | A1 |
| 20190242718 | Siskind | Aug 2019 | A1 |
| 20190258807 | DiMaggio et al. | Aug 2019 | A1 |
| 20190297096 | Ahmed et al. | Sep 2019 | A1 |
| 20190342296 | Anandam et al. | Nov 2019 | A1 |
| 20190347433 | Chakravorty et al. | Nov 2019 | A1 |
| 20190377832 | McLean et al. | Dec 2019 | A1 |
| 20190379678 | McLean et al. | Dec 2019 | A1 |
| 20200036750 | Bahnsen | Jan 2020 | A1 |
| 20200036751 | Kohavi | Jan 2020 | A1 |
| 20200186544 | Dichiu | Jun 2020 | A1 |
| 20200195683 | Kuppa et al. | Jun 2020 | A1 |
| 20200259791 | Garcia et al. | Aug 2020 | A1 |
| 20200274894 | Argoeti | Aug 2020 | A1 |
| 20200285737 | Kraus et al. | Sep 2020 | A1 |
| 20200285952 | Liu et al. | Sep 2020 | A1 |
| 20200314122 | Jones | Oct 2020 | A1 |
| 20200336497 | Seul | Oct 2020 | A1 |
| 20200351285 | Eisenkot et al. | Nov 2020 | A1 |
| 20200351302 | Kyle | Nov 2020 | A1 |
| 20200351307 | Vidas et al. | Nov 2020 | A1 |
| 20200356665 | Denney | Nov 2020 | A1 |
| 20200358795 | Urbanski et al. | Nov 2020 | A1 |
| 20200358819 | Bowditch et al. | Nov 2020 | A1 |
| 20200364338 | Ducau | Nov 2020 | A1 |
| 20200394309 | Angelo et al. | Dec 2020 | A1 |
| 20210067562 | Kinder et al. | Mar 2021 | A1 |
| 20210109797 | Zhou | Apr 2021 | A1 |
| 20210112087 | Tassoumt | Apr 2021 | A1 |
| 20210112090 | Rivera et al. | Apr 2021 | A1 |
| 20210173930 | Dahal | Jun 2021 | A1 |
| 20210185057 | McLean | Jun 2021 | A1 |
| 20210226970 | Ross et al. | Jul 2021 | A1 |
| 20210258327 | Felke | Aug 2021 | A1 |
| 20220038424 | Liu | Feb 2022 | A1 |
| 20220070182 | Bowditch et al. | Mar 2022 | A1 |
| Number | Date | Country |
|---|---|---|
| 3599753 | Jan 2020 | EP |
| 2738344 | Dec 2020 | RU |
| WO2007002749 | Jan 2007 | WO |
| WO2007090605 | Aug 2007 | WO |
| WO2010059843 | May 2010 | WO |
| WO2021067238 | Apr 2021 | WO |
| Entry |
|---|
| Afroz, S. and Greenstadt, R. “PhishZoo: Detecting Phishing Websites by Looking at Them”; IEEE Fifth International Conference on Semantic Computing, 2011; pp. 368-375; doi: 10.1109/ICSC.2011.52; 2011. |
| Alkhawlani, Mohammed, Elmogy, Mohammed and Elbakry, Hazem; “Content-based image retrieval using local features descriptors and bag-of-visual words”; International Journal of Advanced Computer Science and Applications, vol. 6 No. 9 2015; pp. 212-219; 2015. |
| Buber, E., Demir, O. and Sahingoz, O.K.; “Feature selections for the machine learning based detection of phishing websites”; 2017 International Artificial Intelligence and Data Processing Symposium (IDAP), 2017; pp. 1-5; doi: 10.1109/DAP.2017.8090317; 2017. |
| Lin, Tsung-Yi, et al.; “Microsoft coco: Common objects in context”; European Conference on Computer Vision, Springer, Cham, 2014; 2014. |
| Liu, Y., Wang, Q., Zhuang, M. and Zhu, Y.; Reengineering Legacy Systems with RESTFul Web Service; 2008 32nd Annual IEEE International Computer Software and Applications Conference, 2008; pp. 785-790; doi: 10.1109/COMPSAC.2008.89; 2008. |
| White, Joshua S., Matthews, Jeanna N., and Stacy, John L.; A method for the automated detection phishing websites through both site characteristics and image analysis Cyber Sensing 2012; vol. 8408; International Society for Optics and Photonics, 2012; 2012. |
| URLVoid; URLVoid.com; retrieved from archives.org: https: web.archive.org/web/20180730215132/https.://www.urlvoid.com/); Published Jul. 30, 2018. |
| Buyukkayhan, Ahmet Sali; Oprea, Alina; Li, Zhou; and Robertson, William; “Lens on the endpoint; Hunting for malicious software through endpoint data analysis”; International Symposium on Research in Attacks, Intrusions, and Defenses; RAID 2017: Research in Attacks, Intrusions, and Defenses Proceedings; pp. 73-79; Sep. 18-20, 2017; Atlanta, GA, USA. |
| SECUREWORKS—Log Management—Protect your infrastructure from known and emerging threats; www.secureworks.com/resources/ds-log-management; 2015 (available). |
| Sofya Raskhodnikova & Adam Smith; CSE 598A Algorithmic Challenges in Data Privacy; Lecture 2; Jan. 19, 2010. |
| Number | Date | Country | |
|---|---|---|---|
| 20220070182 A1 | Mar 2022 | US |
