Automatically grouping malware based on artifacts
US-10230749-B1 · Mar 12, 2019 · US
US2020250307A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2020250307-A1 |
| Application number | US-201916263338-A |
| Country | US |
| Kind code | A1 |
| Filing date | Jan 31, 2019 |
| Priority date | Jan 31, 2019 |
| Publication date | Aug 6, 2020 |
| Grant date | — |
Abstract
Some examples relate generally to managing and storing data, and more specifically to the real-time detection of ransomware, system (or insider) threats, or the misappropriation of credentials by using file system audit events.
Claims (preview)
1. A method for the real-time detection of an anomaly in file systems relating to a potential misuse of system credentials, the method comprising: accessing audit events in a file system during a time interval, the audit events including unique and duplicative file operations within the time interval; de-duplicating the audit events to remove selected duplicative file operations and generate time series data comprising unique file operations devoid of duplicative file operations; analyzing the time series data to determine whether a subset of the unique file operations includes file-access instructions to access files corresponding to the subset of unique file operations, the files protected by system credentials; determining that the file-access instructions in the subset of unique file operations are abnormal in the time interval based on determining a pattern or number of the file-access instructions in the time interval and comparing the pattern or number of the file-access instructions to a normal pattern or number of file-access instructions; responsive to determining that the file-access instructions in the subset of unique file operations are abnormal, determining that the file system is vulnerable to a misuse of system credentials; and generating an alert.
2. The method of claim 1, wherein the audit events include information comprising, for each audit event, a user_id, a file name, a type of access, and a timestamp.
3. The method of claim 1, wherein the selection of duplicative file operations for removal in the de-duplication of the audit events is based at least in part on an identification of successive file operations that do not lead to a change in a file state.
4. The method of claim 1, further comprising: generating a finite state machine including one or more file states, the file states including a file open state, a file read state, a file write state, a file read/write state, and a file close state; and storing the file states in the finite state machine in a key value object store.
5. The method of claim 4, wherein de-duplicating the audit events includes maintaining a file system state based on the finite state machine.
6. The method of claim 1, wherein determining whether the file-read instructions in the subset of the file operations files are abnormal comprises applying a set of machine learning models to the audit events, the set of machine learning models trained to determine the pattern or number of the file operations and to compare the pattern or number of the file operations to the normal pattern or number based on features representing a normal or expected behavior of the file system.
7. The method of claim 1, wherein determining that the file-access instructions in the subset of the file operations are abnormal comprises applying Seasonal-Trend Decomposition Procedure Based on Loess (STL) decomposition to file delete audit events to remove seasonal and trend components and using a residue of the decomposition to generate the time series data, and performing an Exploratory Data Analysis (ESD) test on the time series data.
8. A system for the real-time detection of an anomaly in file systems relating to a potential misuse of system credentials, the system comprising: at least one processor for executing machine-readable instructions; and a memory storing instructions configured to cause the at least one processor to perform operations comprising, at least: accessing audit events in a file system during a time interval, the audit events including unique and duplicative file operations within the time interval; de-duplicating the audit events to remove selected duplicative file operations and generate time series data comprising unique file operations devoid of duplicative file operations; analyzing the time series data to determine whether a subset of the unique file operations includes file-access instructions to access files corresponding to the subset of unique file operations, the files protected by system credentials; determining that the file-access instructions in the subset of unique file operations are abnormal in the time interval based on determining a pattern or number of the file-access instructions in the time interval and comparing the pattern or number of the file-access instructions to a normal pattern or number of file-access instructions; responsive to determining that the file-access instructions in the subset of unique file operations are abnormal, determining that the file system is vulnerable to a misuse of system credentials; and generating an alert.
9. The system of claim 8, wherein the audit events include information comprising, for each audit event, a user_id, a file name, a type of access, and a timestamp.
10. The system of claim 8, wherein the selection of duplicative file operations for removal in the de-duplication of the audit events is based at least in part on an identification of successive file operations that do not lead to a change in a file state.
11. The system of claim 8, wherein the operations further comprise: generating a finite state machine including one or more file states, the file states including a file open state, a file read state, a file write state, a file read/write state, and a file close state; and storing the file states in the finite state machine in a key value object store.
12. The system of claim 11, wherein de-duplicating the audit events includes maintaining a file system state based on the finite state machine.
13. The system of claim 8, wherein determining whether the file-read instructions in the subset of the file operations files are abnormal comprises applying a set of machine learning models to the audit events, the set of machine learning models trained to determine the pattern or number of the file operations and to compare the pattern or number of the file operations to the normal pattern or number based on features representing a normal or expected behavior of the file system.
14. The system of claim 8, wherein determining that the file-access instructions in the subset of the file operations are abnormal comprises applying Seasonal-Trend Decomposition Procedure Based on Loess (STL) decomposition to file delete audit events to remove seasonal and trend components and using a residue of the decomposition to generate the time series data, and performing an Exploratory Data Analysis (ESD) test on the time series data.
15. A non-transitory, machine-readable medium storing instructions which, when read by a machine, cause the machine to perform operations comprising, at least: accessing audit events in a file system during a time interval, the audit events including unique and duplicative file operations within the time interval; de-duplicating the audit events to remove selected duplicative file operations and generate time series data comprising unique file operations devoid of duplicative file operations; analyzing the time series data to determine whether a subset of the unique file operations includes file-access instructions to access files corresponding to the subset of unique file operations, the files protected by system credentials; determining that the file-access instructions in the subset of unique file operations are abnormal in the time interval based on determining a pattern or number of the file-access instructions in the time interval and comparing the pattern or number of the file-access instructions to a normal pattern or number of file-access instructions; responsive to determining that the file-access instructions in the subset of unique
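The claims describe the pipeline in words only. The Python below is an added example, not code from the patent or its assignee: it implements the per-file finite state machine of claims 3 to 5 (an event is kept only when it changes the (user, file) state, so a repeated read of an already-read file or a close on a closed file is dropped as a duplicate), buckets the surviving events into fixed intervals to form the time series of claim 1, and compares each user's later intervals with that user's own baseline (median plus scaled MAD, with a minimum margin). The file paths, user names, the 60-second interval, the set of "protected" files and the threshold parameters are assumptions made for the demo, and the audit events are constructed.

```python
# Added example (not the patent's code): FSM de-duplication of audit events,
# per-interval time series of accesses to protected files, baseline comparison.
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import median

CLOSED, OPEN, READ, WRITE, READ_WRITE = "closed", "open", "read", "write", "read_write"

# (current state, access type) -> next state. A pair missing here leaves the
# state unchanged, which is the "duplicate" case of claims 3 and 10.
TRANSITIONS = {
    (CLOSED, "open"): OPEN, (OPEN, "read"): READ, (OPEN, "write"): WRITE,
    (READ, "write"): READ_WRITE, (WRITE, "read"): READ_WRITE,
    (OPEN, "close"): CLOSED, (READ, "close"): CLOSED,
    (WRITE, "close"): CLOSED, (READ_WRITE, "close"): CLOSED,
}
# Constructed set of files "protected by system credentials" (assumption).
PROTECTED = {"/etc/secrets/db.key", "/etc/secrets/api.token",
             "/etc/secrets/ssh_host_key", "/etc/secrets/vault.pem"}

@dataclass(frozen=True)
class AuditEvent:      # the four fields of claims 2 and 9
    user_id: str
    file_name: str
    access: str        # "open" | "read" | "write" | "close"
    timestamp: int     # seconds

def deduplicate(events):
    """Keep only events that move the (user, file) state machine; `state`
    is a dict standing in for the claims' key-value store."""
    state, unique = {}, []
    for ev in sorted(events, key=lambda e: e.timestamp):
        key = (ev.user_id, ev.file_name)
        current = state.get(key, CLOSED)
        nxt = TRANSITIONS.get((current, ev.access), current)
        if nxt != current:          # unchanged state == duplicate, drop it
            state[key] = nxt
            unique.append(ev)
    return unique

def time_series(unique_events, protected, interval=60):
    """Per user: unique open/read/write operations on protected files in
    each `interval`-second bucket (a close is not an access)."""
    counts, last = defaultdict(Counter), 0
    for ev in unique_events:
        bucket = ev.timestamp // interval
        last = max(last, bucket)
        if ev.file_name in protected and ev.access in ("open", "read", "write"):
            counts[ev.user_id][bucket] += 1
    return {u: [c[b] for b in range(last + 1)] for u, c in counts.items()}

def flag_abnormal(series, baseline_intervals, k=3.0, min_margin=2.0):
    """Compare later intervals with the user's own baseline: median plus k
    scaled MADs, but at least `min_margin` above the median, so a flat
    baseline (MAD 0) does not alert on a single extra access."""
    alerts = []
    for user, counts in series.items():
        base = counts[:baseline_intervals]
        med = median(base)
        mad = median(abs(c - med) for c in base)
        threshold = med + max(k * 1.4826 * mad, min_margin)
        for i in range(baseline_intervals, len(counts)):
            if counts[i] > threshold:
                alerts.append((user, i, counts[i], threshold))
    return alerts

def build_sample_events():
    """Constructed sample, six 60-second intervals: alice repeats a small
    legitimate pattern; bob sweeps every protected file in interval 4."""
    alice = [("/etc/secrets/db.key", "open"), ("/etc/secrets/db.key", "read"),
             ("/etc/secrets/db.key", "read"), ("/etc/secrets/db.key", "read"),  # 2 dups
             ("/etc/secrets/db.key", "close"), ("/home/alice/notes.txt", "open"),
             ("/home/alice/notes.txt", "read"), ("/home/alice/notes.txt", "close")]
    events = [AuditEvent("alice", f, a, i * 60 + 1 + n)
              for i in range(6) for n, (f, a) in enumerate(alice)]
    for j, name in enumerate(sorted(PROTECTED)):
        t = 250 + 4 * j
        events += [AuditEvent("bob", name, "open", t), AuditEvent("bob", name, "read", t + 1),
                   AuditEvent("bob", name, "read", t + 2),     # duplicate
                   AuditEvent("bob", name, "close", t + 3)]
    events.append(AuditEvent("bob", "/etc/secrets/db.key", "close", 270))  # already closed
    return events

if __name__ == "__main__":
    evs = build_sample_events()
    uniq = deduplicate(evs)
    ts = time_series(uniq, PROTECTED)
    print(len(evs), "events ->", len(uniq), "unique;", ts)
    print("alerts:", flag_abnormal(ts, baseline_intervals=4))
```

Run stand-alone it reduces 65 events to 48 unique ones and raises a single alert, for bob in interval 4. The minimum margin is the practical detail worth keeping: a user whose baseline is exactly zero has MAD zero, and without a floor any single access to a protected file would alert.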
CPC classification titles:
- Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs
- involving long-term monitoring or reporting
- to a system of files or objects, e.g. local or distributed file system or database
- Finite state machines
- De-duplication implemented within the file system, e.g. based on file segments (de-duplication techniques in storage systems for the management of data blocks G06F3/0641)
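Claims 7 and 14 chain a seasonal-trend decomposition of the file-delete counts with an "ESD" test on the residual. The claim text expands ESD as "Exploratory Data Analysis"; the test that is normally paired with STL this way is Rosner's generalized extreme Studentized deviate test, and that is what the added example below implements. It is illustrative Python, not the patent's or the assignee's code: a centred running median over one period plus per-phase medians stands in for STL (the page gives no STL parameters), the Student-t quantile is approximated with a Cornish-Fisher expansion so nothing outside the standard library is needed, and the five-week daily delete series with two injected bursts is constructed.

```python
# Added example (not the patent's code): seasonal/trend removal on a daily
# file-delete count series, then a generalized ESD test on the residual.
from math import sqrt
from statistics import NormalDist, mean, median, stdev

def robust_decompose(series, period):
    """Return (trend, seasonal, residual) for an additive model.
    Trend: centred running median over one full period (a single spike
    cannot drag it, unlike a moving average); seasonal: per-phase median
    of the detrended values. Edge windows clamp to the nearest full one."""
    n, half = len(series), period // 2
    trend = []
    for t in range(n):
        lo = min(max(t - half, 0), n - period)
        trend.append(median(series[lo:lo + period]))
    detrended = [x - tr for x, tr in zip(series, trend)]
    by_phase = [median(detrended[p::period]) for p in range(period)]
    seasonal = [by_phase[t % period] for t in range(n)]
    residual = [d - s for d, s in zip(detrended, seasonal)]
    return trend, seasonal, residual

def t_quantile(p, df):
    """Student-t quantile from the normal quantile by the Cornish-Fisher
    expansion (approximation; adequate for df of roughly 10 or more)."""
    z = NormalDist().inv_cdf(p)
    g1 = (z**3 + z) / 4
    g2 = (5 * z**5 + 16 * z**3 + 3 * z) / 96
    g3 = (3 * z**7 + 19 * z**5 + 17 * z**3 - 15 * z) / 384
    return z + g1 / df + g2 / df**2 + g3 / df**3

def generalized_esd(values, max_outliers, alpha=0.05):
    """Generalized extreme Studentized deviate test (Rosner 1983).
    Repeatedly remove the point farthest from the mean, computing R_i and
    the critical value lambda_i each time; the number of outliers is the
    largest i with R_i > lambda_i, not the first i where it fails."""
    remaining = list(range(len(values)))
    removed, n_outliers = [], 0
    for i in range(1, max_outliers + 1):
        n = len(remaining)
        if n < 3:
            break
        sample = [values[j] for j in remaining]
        mu, sd = mean(sample), stdev(sample)
        if sd == 0:
            break
        idx = max(remaining, key=lambda j: abs(values[j] - mu))
        r_i = abs(values[idx] - mu) / sd
        t = t_quantile(1 - alpha / (2 * n), n - 2)
        lam_i = (n - 1) * t / sqrt((n - 2 + t * t) * n)
        removed.append(idx)
        if r_i > lam_i:
            n_outliers = i
        remaining.remove(idx)
    return removed[:n_outliers]

def detect_abnormal_deletes(series, period=7, max_outliers=5):
    """Indices of intervals whose delete count is anomalous once the
    seasonal and trend parts are removed (the chain of claims 7 and 14)."""
    _, _, residual = robust_decompose(series, period)
    return sorted(generalized_esd(residual, max_outliers))

def build_sample_series():
    """Constructed: five weeks of daily delete counts with a weekday/weekend
    rhythm and two injected bursts, on day 9 and day 20."""
    weekly = [10, 12, 11, 13, 12, 5, 4]
    series = [weekly[t % 7] for t in range(35)]
    series[9] += 40
    series[20] += 35
    return series

if __name__ == "__main__":
    s = build_sample_series()
    print("abnormal days:", detect_abnormal_deletes(s))
```

On the constructed series the residual is 0 or -1 everywhere except the two injected days, and the test reports exactly days 9 and 20. The decision rule of generalized ESD, the largest i for which R_i exceeds lambda_i, is what lets it report both bursts; a single Grubbs pass would return only the largest, and a plain threshold on the raw counts would have to be set above the weekday peak and would miss a burst that lands on a weekend.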