Cyber security adaptive analytics threat monitoring system and method
US-9191403-B2 · Nov 17, 2015 · US
Detecting malware attacks using extracted behavioral features
US10530787B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10530787-B2 |
| Application number | US-201715690668-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 30, 2017 |
| Priority date | Aug 30, 2017 |
| Publication date | Jan 7, 2020 |
| Grant date | Jan 7, 2020 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Detecting malware attacks is described herein. A computer-implemented method may include receiving, via a processor, events from a plurality of activity monitors. The method also include extracting, via the processor, a plurality of behavioral features from the received events. The method may further include detecting, via the processor, a malware attack based on the extracted behavioral features using a malware identification model trained on private data and public data. The method may also include executing, via the processor, an ad hoc protection improvement based on the detected malware attack.
First claim
Opening claim text (preview).
What is claimed is: 1. A computer system, comprising: one or more processors, one or more computer-readable memories, one or more computer-readable tangible storage medium, and program instructions stored on at least one of the one or more tangible storage medium for execution by at least one of the one or more processors via at least one of the one or more memories, wherein the computer system is capable of performing a method comprising: receiving events from a plurality of activity monitors; extracting a plurality of behavioral features from the received events, wherein the behavioral features include network behavioral features, database behavioral features, and file behavioral features; detecting a malware attack based on the extracted behavioral features using a malware identification model trained on private data and public data, wherein the malware includes previously unknown form of malware detected based on a combination of the behavioral features; and executing an ad hoc protection improvement based on the detected malware attack, wherein the improvement includes dynamically installing a file access monitor agent on a machine correlated with the detected malware attack, blocking access to tables with sensitive information for suspicious users, installation of security patches on machines, and blocking suspicious command and control domains. 2. The computer system of claim 1 , wherein the ad hoc protection improvement comprises a dynamic installation of a file access monitor agent on a machine correlated with the detected malware attack. 3. The computer system of claim 1 , wherein the processor is to block network traffic associated with the detected malware attack. 4. The computer system of claim 1 , wherein the network behavioral feature comprises a user identification, a proxy agent used by the malware attack, a data characteristic, a protocol error, an access domain metadata, or any combination thereof. 5. The computer system of claim 1 , wherein the database behavioral feature comprises a user account used by the malware attack to access data. 6. The computer system of claim 1 , wherein the file behavioral feature comprises a file metadata, a file permission, a user identification, a content classification, a file action, or any combination thereof. 7. The computer system of claim 1 , wherein the plurality of activity monitors comprise a file activity monitor, a network activity monitors, a database activity monitor, or any combination thereof. 8. A computer-implemented method, comprising: receiving, via a processor, events from a plurality of activity monitors; extracting, via the processor, a plurality of behavioral features from the received events, wherein the behavioral features include network behavioral features, database behavioral features, and file behavioral features; detecting, via the processor, a malware attack based on the extracted behavioral features using a malware identification model trained on private data and public data, wherein the malware includes previously unknown form of malware detected based on a combination of the behavioral features; and executing, via the processor, an ad hoc protection improvement based on the detected malware attack, wherein the improvement includes dynamically installing a file access monitor agent on a machine correlated with the detected malware attack, blocking access to tables with sensitive information for suspicious users, installation of security patches on machines, and blocking suspicious command and control domains. 9. The method of claim 8 , wherein the ad hoc protection improvement comprises dynamically installing a file access monitor agent on a machine correlated with the detected malware attack. 10. The method of claim 8 , comprising blocking, via the processor, network traffic associated with the detected malware attack. 11. The method of claim 8 , comprising generating a report and sending the report to a security information and event management (SIEM) service. 12. The method of claim 8 , comprising updating the malware identification model based on collected findings about the malware attack. 13. The method of claim 8 , comprising updating a knowledge database based on the detected malware attack. 14. The method of claim 8 , further comprising retraining the malware identification model based on collected findings associated with the malware attack. 15. A computer program product for detecting malware attacks, the computer program product comprising: one or more computer-readable tangible storage medium and program instructions stored on at least one of the one or more tangible storage medium, the program instructions executable by a processor capable of performing a method, the method comprising: receiving events from a plurality of activity monitors; extracting a plurality of behavioral features from the received events, wherein the behavioral features include network behavioral features, database behavioral features, and file behavioral features; detecting a malware attack based on the extracted behavioral features using a malware identification model trained on private data and public data, wherein the malware includes previously unknown form of malware detected based on a combination of the behavioral features; and executing an ad hoc protection improvement based on the detected malware attack, wherein the improvement includes dynamically installing a file access monitor agent on a machine correlated with the detected malware attack, blocking access to tables with sensitive information for suspicious users, installation of security patches on machines, and blocking suspicious command and control domains. 16. The computer program product of claim 15 , further comprising program code executable by the processor to dynamically install a file access monitor agent on a machine correlated with the detected malware attack. 17. The computer program product of claim 15 , further comprising program code executable by the processor to block network traffic associated with the detected malware attack. 18. The computer program product of claim 15 , further comprising program code executable by the processor to generate a report and sending the report to a security information and event management (SIEM) service. 19. The computer program product of claim 15 , further comprising program code executable by the processor to update a knowledge database based on the detected malware attack. 20. The computer program product of claim 15 , further comprising program code executable by the processor to retrain the malware identification model based on collected findings associated with the malware attack.
Assignees
Inventors
Classifications
involving event detection and direct action · CPC title
- H04L63/1416Primary
Event detection, e.g. attack signature detection · CPC title
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title
Vulnerability analysis · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US10530787B2 cover?
- Detecting malware attacks is described herein. A computer-implemented method may include receiving, via a processor, events from a plurality of activity monitors. The method also include extracting, via the processor, a plurality of behavioral features from the received events. The method may further include detecting, via the processor, a malware attack based on the extracted behavioral featur…
- Who is the assignee on this patent?
- IBM
- What technology area does this patent fall under?
- Primary CPC classification H04L63/1416. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue Jan 07 2020 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).