-
Publication No.: US11916953B2
Publication date: 2024-02-27
Application No.: US16579215
Filing date: 2019-09-23
Applicant: Cybereason, Inc.
Inventor: Phillip Tsukerman
IPC class: H04L9/40
CPC class: H04L63/1441
Abstract: A method of generating a baseline of expected behavior on a single machine or endpoint to accurately fingerprint the native behavior of the NTLM protocol on that particular endpoint in a network. By limiting the scope of the baseline to a single endpoint, the baseline can consist of expected behavior (including supported hash functions, version strings and various feature flags). Deviations from this behavior are treated as evidence of a second, non-native NTLM implementation used by an attacker, and thus as evidence of an attempted pass-the-hash (PTH) attack. Using this method it is possible to accurately detect PTH attacks originating from all publicly known non-standard implementations of NTLM found in tools such as Impacket, Metasploit, and Invoke-TheHash.
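As an added example (not code from the patent or from Cybereason), the following Python shows the shape of such a per-endpoint baseline: it parses NTLM NEGOTIATE_MESSAGE (type 1) blobs as laid out in MS-NLMP, extracts the negotiate flags and the Version structure, learns the fingerprint of the native client on one endpoint, and alerts when a later message carries a different fingerprint. The flag and version values, the sample messages and the size of the learning window are constructed assumptions, not the real values any particular client or tool sends.

```python
"""Per-endpoint NTLM client fingerprint baseline (added example, not Cybereason's code).

Parses NTLM NEGOTIATE_MESSAGE blobs per MS-NLMP, extracts negotiate flags and
the Version field, learns the native fingerprint of one endpoint, and flags a
deviating fingerprint as a possible non-native NTLM stack (pass-the-hash tool).
All sample messages and constants below are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_MESSAGE = 1
NTLMSSP_NEGOTIATE_VERSION = 0x02000000  # MS-NLMP: Version field is present

Version = Tuple[int, int, int, int]  # (major, minor, build, NTLMRevisionCurrent)


@dataclass(frozen=True)
class NtlmFingerprint:
    flags: int
    version: Optional[Version]


def parse_negotiate(blob: bytes) -> NtlmFingerprint:
    """Pull the fingerprint fields out of a type-1 NEGOTIATE_MESSAGE."""
    if len(blob) < 32 or blob[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", blob, 8)
    if msg_type != NEGOTIATE_MESSAGE:
        raise ValueError(f"expected NEGOTIATE_MESSAGE, got type {msg_type}")
    version = None
    if flags & NTLMSSP_NEGOTIATE_VERSION and len(blob) >= 40:
        # Version at offset 32: major(1) minor(1) build(2) reserved(3) revision(1)
        version = struct.unpack_from("<BBH3xB", blob, 32)
    return NtlmFingerprint(flags, version)


def build_negotiate(flags: int, version: Optional[Version] = None) -> bytes:
    """Construct a minimal NEGOTIATE_MESSAGE with empty domain/workstation fields."""
    has_version = bool(flags & NTLMSSP_NEGOTIATE_VERSION)
    payload_off = 40 if has_version else 32
    msg = NTLMSSP_SIGNATURE + struct.pack("<II", NEGOTIATE_MESSAGE, flags)
    msg += struct.pack("<HHI", 0, 0, payload_off) * 2  # DomainNameFields, WorkstationFields
    if has_version:
        assert version is not None, "NEGOTIATE_VERSION flag set but no version given"
        msg += struct.pack("<BBH3xB", *version)
    return msg


class EndpointNtlmBaseline:
    """Learn the single native fingerprint of one endpoint, then alert on any deviation."""

    def __init__(self, learning_samples: int = 5):
        self.learning_samples = learning_samples
        self.seen: Dict[NtlmFingerprint, int] = {}
        self.native: Optional[NtlmFingerprint] = None

    def observe(self, blob: bytes) -> Optional[str]:
        """Return None while learning or when the message matches, else an alert string."""
        fp = parse_negotiate(blob)
        if self.native is None:
            self.seen[fp] = self.seen.get(fp, 0) + 1
            if sum(self.seen.values()) >= self.learning_samples:
                # the most frequent fingerprint in the learning window is taken as native
                self.native = max(self.seen, key=self.seen.get)
            return None
        if fp == self.native:
            return None
        reasons = []
        if fp.flags != self.native.flags:
            diff = fp.flags ^ self.native.flags
            reasons.append(f"flags 0x{fp.flags:08x} differ from baseline "
                           f"0x{self.native.flags:08x} (xor 0x{diff:08x})")
        if fp.version != self.native.version:
            reasons.append(f"version {fp.version} differs from baseline {self.native.version}")
        return "possible pass-the-hash via non-native NTLM stack: " + "; ".join(reasons)


# Constructed sample values (illustrative; not any specific client's real values)
NATIVE_FLAGS = 0xE2088297
NATIVE_VERSION: Version = (10, 0, 19041, 15)
FOREIGN_FLAGS = 0x60088215  # NEGOTIATE_VERSION bit clear, different feature set


def ntlm_demo(learning_samples: int = 3):
    """Learn from native messages, then feed one foreign message; return the alerts raised."""
    baseline = EndpointNtlmBaseline(learning_samples)
    native = build_negotiate(NATIVE_FLAGS, NATIVE_VERSION)
    alerts = [baseline.observe(native) for _ in range(learning_samples + 1)]
    alerts.append(baseline.observe(build_negotiate(FOREIGN_FLAGS)))
    return [a for a in alerts if a]


if __name__ == "__main__":
    for alert in ntlm_demo():
        print(alert)
```

Two caveats a practitioner would add: the learning window assumes the attacker is not already active while the baseline is built, and on-wire flags and version only cover part of the fingerprint the abstract describes; the hash functions actually used (NTLMv1 versus NTLMv2 responses in the AUTHENTICATE message) would be baselined in the same way. A legitimate non-Windows SMB client on the same endpoint would also show up as a deviation and needs its own baseline rather than an exception.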
-
Publication No.: US20230328095A1
Publication date: 2023-10-12
Application No.: US18194087
Filing date: 2023-03-31
Applicant: Cybereason Inc.
Inventors: Avi Chesla, Elan Pavlov
IPC class: H04L9/40, G06F16/28, G06F16/2453
CPC class: H04L63/1433, H04L63/1416, G06F16/24539, G06F16/285, H04L63/1425
Abstract: A computing system identifies an evidence set associated with a detected cybersecurity attack. The evidence set includes logs representing security alerts associated with the detected attack. The computing system analyzes the evidence set to predict actions taken by a malicious actor, comprising both historical and future actions, and then classifies those predicted actions. Based on the classified historical and future actions, the computing system generates a query for analyzing the evidence set.
-
Publication No.: US20220147622A1
Publication date: 2022-05-12
Application No.: US17454343
Filing date: 2021-11-10
Applicant: Cybereason Inc.
Inventor: Avi Chesla
Abstract: Systems and methods are provided for making predictions relating to the attack sequence of an attacker or other malicious entity.
-
Publication No.: US20220019664A1
Publication date: 2022-01-20
Application No.: US17405608
Filing date: 2021-08-18
Applicant: Cybereason Inc.
Inventors: Yonatan Perry, Assaf Ben-David, Uri Sternfeld
Abstract: Systems and methods are provided to measure the similarity between a first and a second data sample. The method can include creating a plurality of k-mers from the first data sample, each k-mer having a first length; generating a first vector from the k-mers by processing them with a plurality of hash functions; calculating a similarity level between the first and second data samples by comparing the first vector to a second vector that represents the second data sample; and, based on the similarity level, determining a maliciousness level of the first data sample.
-
Publication No.: US10055579B2
Publication date: 2018-08-21
Application No.: US15395299
Filing date: 2016-12-30
Applicant: Cybereason Inc.
Inventor: Yonatan Striem-Amit
CPC class: G06F21/53, G06F9/45533, G06F9/45558, G06F9/4856, G06F21/44, G06F21/566, G06F2009/45562, G06F2009/45587, G06F2221/033, H04L63/10
Abstract: A method, computer program product, and apparatus for implementing a distributed sandbox are disclosed. The method comprises discovering a machine with sufficient resources to run a virtual machine for a process, starting the process in a virtual machine on the discovered machine, discovering another machine with sufficient resources if that virtual machine terminates, and deciding whether the process is benign once the virtual machine has finished. The distributed sandbox is controlled over a broadcast network.
-
Publication No.: US20170193222A1
Publication date: 2017-07-06
Application No.: US15386244
Filing date: 2016-12-21
Applicant: Cybereason Inc.
Inventor: Yonatan Striem-Amit
CPC class: G06F21/53, G06F21/566, H04L63/0263, H04L63/145
Abstract: A method, computer program product, and apparatus for performing baseline calculations for firewalling in a computer network are disclosed. The method involves defining a reference group for an executed software program, measuring signals in the reference group, measuring signals of the program, computing a distance between the program's signals and the reference group's signals, and taking an action if the computed distance deviates from the norm. The distance can be computed using a similarity matrix or another method. Measuring the program comprises observing its behaviors, collecting and analyzing data, comparing the data to the reference group's baselines, and comparing the program's behaviors against a previous execution of the same program. Where a program is already known to be malicious, no reference group is needed and a sandbox can be tailored simply by copying the environment of the actual system.
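As an added example (not the patent's own method), the following Python summarises each execution of a program as a vector of behavioural signals, takes the same program's executions on peer hosts as the reference group, and computes a z-score-normalised Euclidean distance from the group mean; the same distance function compares the current run with the program's own previous run. Signal names, sample values, the block threshold and the treatment of constant signals are assumptions.

```python
"""Distance of a program's behaviour signals from its reference group
(added example, not Cybereason's implementation). All data is constructed."""
import math
from statistics import mean, pstdev
from typing import Dict, List, Optional, Sequence, Tuple

# Assumed per-execution signals, in this fixed order
SIGNALS = ["outbound_conns", "distinct_dst_ports", "bytes_sent_kb", "child_procs", "files_written"]


def group_stats(group: Sequence[Sequence[float]]) -> Tuple[List[float], List[float]]:
    """Per-signal mean and population std-dev of the reference group.
    A signal that never varies in the group gets std-dev 1.0 (assumption) so that
    any change in it still counts in raw units instead of dividing by zero."""
    cols = list(zip(*group))
    return [mean(c) for c in cols], [pstdev(c) or 1.0 for c in cols]


def normalized_distance(x: Sequence[float], ref: Sequence[float], sd: Sequence[float]) -> float:
    """Euclidean distance between x and ref after scaling each signal by the group std-dev."""
    return math.sqrt(sum(((xi - ri) / si) ** 2 for xi, ri, si in zip(x, ref, sd)))


def top_deviating_signals(x: Sequence[float], mu: Sequence[float], sd: Sequence[float], n: int = 2) -> List[str]:
    """Names of the n signals with the largest |z-score|, for the analyst's triage."""
    z = {name: abs((xi - m) / s) for name, xi, m, s in zip(SIGNALS, x, mu, sd)}
    return sorted(z, key=z.get, reverse=True)[:n]


def evaluate(current: Sequence[float], group: Sequence[Sequence[float]],
             previous: Optional[Sequence[float]] = None, threshold: float = 3.0) -> Dict[str, object]:
    """Compare one run against its reference group (and optionally its previous run)
    and pick a firewalling action. The threshold and the allow/block policy are assumed."""
    mu, sd = group_stats(group)
    d_group = normalized_distance(current, mu, sd)
    d_prev = normalized_distance(current, previous, sd) if previous is not None else None
    return {
        "distance_to_group": d_group,
        "distance_to_previous": d_prev,
        "top_signals": top_deviating_signals(current, mu, sd),
        "action": "block" if d_group > threshold else "allow",
    }


# Constructed reference group: six peer hosts running the same updater binary
REFERENCE_GROUP = [
    [3, 2, 120, 0, 5], [4, 2, 140, 0, 6], [2, 1, 100, 0, 4],
    [3, 2, 125, 0, 5], [5, 3, 160, 0, 7], [3, 2, 115, 0, 5],
]
NORMAL_RUN = [4, 2, 130, 0, 6]
SUSPICIOUS_RUN = [40, 25, 9800, 3, 200]  # fan-out, bulk upload, spawned children, many writes


def baseline_demo() -> Dict[str, Dict[str, object]]:
    return {
        "normal": evaluate(NORMAL_RUN, REFERENCE_GROUP),
        "suspicious": evaluate(SUSPICIOUS_RUN, REFERENCE_GROUP, previous=NORMAL_RUN),
    }


if __name__ == "__main__":
    for name, verdict in baseline_demo().items():
        print(name, verdict)
```

The group std-dev is reused to normalise the distance to the previous run, so a jump that is large relative to how much peers vary is what counts, not the raw delta. With real telemetry the reference group needs enough members (and the same binary version) for the std-dev to be meaningful; a group of one or two hosts makes every signal look constant.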
-
Publication No.: US20230319088A1
Publication date: 2023-10-05
Application No.: US18194181
Filing date: 2023-03-31
Applicant: Cybereason Inc.
Inventors: Avi Chesla, Sivan Omer
IPC class: H04L9/40
CPC class: H04L63/1425, H04L63/1416, H04L63/1433
Abstract: A computer-implemented method for correlating user information can include receiving, from a user device, a login log associated with a user; receiving an intrusion detection system (IDS) log; receiving a domain name system (DNS) log; receiving a log from a computing device; enriching at least one of the login log, the IDS log, or the DNS log; and correlating an identity with one or more of the login log, the IDS log, and the DNS log. In some embodiments, correlating the identity with the logs can include generating a graph representation and saving it as a sparse graph representation.
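As an added example (not Cybereason's code), the following Python parses three constructed log sources, enriches the IDS and DNS records (which carry only IP addresses) with the host name learned from the login log, and joins everything into a sparse graph stored as an adjacency list rather than a dense matrix, so that every alert and DNS query reachable from a user identity can be pulled out. The log formats, field names and signature strings are assumptions.

```python
"""Correlating login, IDS and DNS logs to an identity through a sparse graph
(added example, not Cybereason's code). Logs and formats are constructed."""
import shlex
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed logs, one record per line, in an assumed 'ts key=value ...' format
LOGIN_LOG = """\
2024-03-01T08:02:11Z user=alice host=WS-0142 src_ip=10.0.5.23 result=success
2024-03-01T08:05:40Z user=bob host=WS-0199 src_ip=10.0.5.77 result=success
2024-03-01T08:06:02Z user=mallory host=WS-0199 src_ip=10.0.5.77 result=failure
2024-03-01T09:12:03Z user=alice host=WS-0142 src_ip=10.0.5.23 result=success
"""
IDS_LOG = """\
2024-03-01T08:41:19Z src_ip=10.0.5.23 dst_ip=203.0.113.9 sig="ET MALWARE Suspicious HTTP Beacon"
2024-03-01T08:59:02Z src_ip=10.0.5.77 dst_ip=10.0.0.5 sig="ET POLICY SMB Admin Share Access"
"""
DNS_LOG = """\
2024-03-01T08:41:18Z client_ip=10.0.5.23 query=update-cdn.example.net rcode=NOERROR
2024-03-01T08:50:00Z client_ip=10.0.5.77 query=intranet.example.com rcode=NOERROR
"""

Node = Tuple[str, str]  # (kind, value), e.g. ("user", "alice")


def parse_kv_log(text: str) -> List[Dict[str, str]]:
    """Parse lines of 'timestamp key=value key="quoted value"' into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = shlex.split(line)  # shlex keeps quoted values as one token
        rec = {"ts": ts}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        records.append(rec)
    return records


class SparseGraph:
    """Undirected graph as an adjacency list: only edges that exist are stored."""

    def __init__(self) -> None:
        self.adj: Dict[Node, Set[Node]] = defaultdict(set)

    def add_edge(self, a: Node, b: Node) -> None:
        self.adj[a].add(b)
        self.adj[b].add(a)

    def to_edge_list(self) -> Tuple[Dict[Node, int], List[Tuple[int, int]]]:
        """Integer node ids plus a sorted (i, j) edge list, the usual on-disk sparse form."""
        ids = {n: i for i, n in enumerate(sorted(self.adj))}
        edges = sorted((ids[a], ids[b]) for a in self.adj for b in self.adj[a] if ids[a] < ids[b])
        return ids, edges

    def reachable_of_kind(self, start: Node, kind: str, max_depth: int = 3) -> Set[str]:
        """Breadth-first search; values of nodes of `kind` within max_depth hops of start."""
        seen, frontier, found = {start}, [start], set()
        for _ in range(max_depth):
            nxt = []
            for node in frontier:
                for nbr in self.adj[node]:
                    if nbr in seen:
                        continue
                    seen.add(nbr)
                    nxt.append(nbr)
                    if nbr[0] == kind:
                        found.add(nbr[1])
            frontier = nxt
        return found


def build_identity_graph(login, ids, dns) -> SparseGraph:
    """user -> host -> ip -> {alert, domain}; only successful logins bind a user to a host."""
    g = SparseGraph()
    ip_to_host: Dict[str, str] = {}
    for r in login:
        if r.get("result") != "success":
            continue
        g.add_edge(("user", r["user"]), ("host", r["host"]))
        g.add_edge(("host", r["host"]), ("ip", r["src_ip"]))
        ip_to_host[r["src_ip"]] = r["host"]  # enrichment table derived from logins
    for r in ids:
        r["host"] = ip_to_host.get(r["src_ip"], "unknown")  # enrich the IDS record
        g.add_edge(("ip", r["src_ip"]), ("alert", r["sig"]))
    for r in dns:
        r["host"] = ip_to_host.get(r["client_ip"], "unknown")  # enrich the DNS record
        g.add_edge(("ip", r["client_ip"]), ("domain", r["query"]))
    return g


def correlate(user: str) -> Dict[str, Set[str]]:
    """Everything the graph links to one identity: hosts, IDS alerts and DNS queries."""
    g = build_identity_graph(parse_kv_log(LOGIN_LOG), parse_kv_log(IDS_LOG), parse_kv_log(DNS_LOG))
    start: Node = ("user", user)
    return {kind + "s": g.reachable_of_kind(start, kind) for kind in ("host", "alert", "domain")}


if __name__ == "__main__":
    print(correlate("alice"))
```

The search is capped at three hops (user, host, IP, then alert or domain) so that a domain both users resolved does not drag one user's alerts into the other's result. The join through an IP address is only as good as the address lease: in production the login-to-IP binding has to be windowed by timestamp, which this example leaves out.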
-
Publication No.: US11509692B2
Publication date: 2022-11-22
Application No.: US16020287
Filing date: 2018-06-27
Applicant: Cybereason Inc.
Inventors: Rami Cohen, Avi Chesla
IPC class: H04L29/06, H04L9/40, H04L41/0893, H04L41/0823, H04L41/14, H04L41/0816
Abstract: A system and method for optimizing a defense model using available security capabilities are provided. The method includes obtaining a defense model and an optimal security application implementation associated with it; evaluating the security capabilities deployed in an enterprise environment to determine a plurality of variant security applications that implement the defense model; determining a quality score for each variant; selecting the variant with the highest quality score; and executing the selected variant security application.
-
Publication No.: US20220019665A1
Publication date: 2022-01-20
Application No.: US17443077
Filing date: 2021-07-20
Applicant: Cybereason Inc.
Inventors: Yonatan Perry, Assaf Ben-David, Uri Sternfeld
Abstract: Systems and methods are provided to measure the similarity between a first and a second data sample. The method can include creating a plurality of k-mers from the first data sample, each k-mer having a first length; generating a first vector from the k-mers by processing them with a plurality of hash functions; calculating a similarity level between the first and second data samples by comparing the first vector to a second vector that represents the second data sample; and, based on the similarity level, determining a maliciousness level of the first data sample.
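The k-mer-plus-hash-family construction described in this abstract and in US20220019664A1 above is, in the usual reading, MinHash. As an added example (not the patent's implementation) the following Python cuts byte samples into overlapping k-mers, runs each k-mer through a family of keyed BLAKE2b hash functions, keeps the per-function minimum as the sample's vector, and estimates Jaccard similarity as the fraction of positions where two vectors agree; a sample's maliciousness level is then its closest match against known-malicious vectors. The samples, k, the family size and the thresholds are constructed assumptions.

```python
"""k-mer MinHash similarity and a similarity-based maliciousness level
(added example, not the patent's implementation). All samples are constructed."""
import hashlib
from typing import Callable, Dict, List, Sequence, Set, Tuple

HashFn = Callable[[bytes], int]


def kmers(data: bytes, k: int) -> Set[bytes]:
    """All overlapping length-k substrings of the sample."""
    return {data[i:i + k] for i in range(len(data) - k + 1)}


def hash_family(n: int) -> List[HashFn]:
    """n distinct hash functions: 64-bit BLAKE2b keyed with the function index."""
    def make(i: int) -> HashFn:
        key = i.to_bytes(4, "little")
        return lambda x: int.from_bytes(hashlib.blake2b(x, digest_size=8, key=key).digest(), "little")
    return [make(i) for i in range(n)]


def minhash_vector(data: bytes, k: int, hashes: Sequence[HashFn]) -> List[int]:
    """The sample's vector: for each hash function, the minimum over its k-mers."""
    grams = kmers(data, k)
    if not grams:
        raise ValueError(f"sample shorter than k={k}")
    return [min(h(g) for g in grams) for h in hashes]


def estimated_similarity(v1: Sequence[int], v2: Sequence[int]) -> float:
    """MinHash estimate of Jaccard similarity: share of positions whose minima agree."""
    if len(v1) != len(v2):
        raise ValueError("vectors were built with different hash families")
    return sum(a == b for a, b in zip(v1, v2)) / len(v1)


def exact_jaccard(a: bytes, b: bytes, k: int) -> float:
    """Ground truth on the k-mer sets, affordable for small samples only."""
    ka, kb = kmers(a, k), kmers(b, k)
    return len(ka & kb) / len(ka | kb)


def maliciousness_level(vec: Sequence[int], known: Dict[str, Sequence[int]]) -> Tuple[str, str, float]:
    """(level, closest family, similarity); the 0.5 / 0.2 cut-offs are assumed policy."""
    name, sim = max(((n, estimated_similarity(vec, v)) for n, v in known.items()), key=lambda t: t[1])
    level = "high" if sim >= 0.5 else "medium" if sim >= 0.2 else "low"
    return level, name, sim


# Constructed samples: a fake dropper, a lightly re-packed variant of it, and benign text
K = 4
HASHES = hash_family(256)
MALWARE_A = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
             b"This program cannot be run in DOS mode.\r\n"
             b"C:\\Users\\victim\\AppData\\Local\\Temp\\svchost.exe\x00"
             b"http://192.0.2.10/gate.php\x00")
VARIANT_B = MALWARE_A.replace(b"svchost.exe", b"lsass.exe").replace(b"192.0.2.10", b"198.51.100.7")
BENIGN_C = b"The quick brown fox jumps over the lazy dog. " * 3


def similarity_demo() -> Dict[str, Tuple[str, str, float]]:
    known = {"dropper_a": minhash_vector(MALWARE_A, K, HASHES)}
    return {
        "variant_b": maliciousness_level(minhash_vector(VARIANT_B, K, HASHES), known),
        "benign_c": maliciousness_level(minhash_vector(BENIGN_C, K, HASHES), known),
    }


if __name__ == "__main__":
    for name, verdict in similarity_demo().items():
        print(name, verdict)
```

The estimate's standard error is roughly sqrt(J(1 - J) / n) for n hash functions, so 256 functions put it near 0.03; the vector stays 256 integers regardless of sample size, which is the point of comparing vectors rather than k-mer sets. Small k makes unrelated samples share chance k-mers, large k makes a single byte change erase k k-mers, so k is tuned per file type.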
-
Publication No.: US20200099715A1
Publication date: 2020-03-26
Application No.: US16579215
Filing date: 2019-09-23
Applicant: Cybereason, Inc.
Inventor: Phillip Tsukerman
IPC class: H04L29/06
Abstract: A method of generating a baseline of expected behavior on a single machine or endpoint to accurately fingerprint the native behavior of the NTLM protocol on that particular endpoint in a network. By limiting the scope of the baseline to a single endpoint, the baseline can consist of expected behavior (including supported hash functions, version strings and various feature flags). Deviations from this behavior are treated as evidence of a second, non-native NTLM implementation used by an attacker, and thus as evidence of an attempted pass-the-hash (PTH) attack. Using this method it is possible to accurately detect PTH attacks originating from all publicly known non-standard implementations of NTLM found in tools such as Impacket, Metasploit, and Invoke-TheHash.