-
1.
Publication No.: US11770387B1
Publication date: 2023-09-26
Application No.: US16931923
Filing date: 2020-07-17
Applicant: Rapid7, Inc.
CPC classification: H04L63/1416, G06F21/552, H04L63/1425, H04L63/1441
Abstract: Systems and methods are disclosed to implement a cyberattack detection system that monitors a computer network for lateral movement. In embodiments, the system uses network data from a computer network to build a baseline of connection behaviors for the network. Connection graphs are generated from new network data that indicate groups of nodes that made connections with one another during the last time interval. The graphs are analyzed for connection behavior anomalies and ranked to determine a subset of graphs with suspected lateral movement. Graphs with suspected lateral movement may be further analyzed to determine a set of possible attack paths in the lateral movement. The suspected attack paths are reported to network administrators via a notification interface. Advantageously, the disclosed system is able to detect potential lateral movement in localized portions of a network by monitoring for connection behavior anomalies in network data gathered from the network.
-
2.
Publication No.: US12088600B1
Publication date: 2024-09-10
Application No.: US17024481
Filing date: 2020-09-17
Applicant: Rapid7, Inc.
CPC classification: H04L63/1416, G06N20/00, G16B40/30, H04L63/0823
Abstract: An anomaly detection system is disclosed capable of reporting anomalous processes or hosts in a computer network using machine learning models trained using unsupervised training techniques. In embodiments, the system assigns observed processes to a set of process categories based on the file system path of the program executed by the process. The system extracts a feature vector for each process or host from the observation records and applies the machine learning models to the feature vectors to determine an outlier metric for each process or host. The processes or hosts with the highest outlier metrics are reported as detected anomalies to be further examined by security analysts. In embodiments, the machine learning models may be periodically retrained based on new observation records using unsupervised machine learning techniques. Accordingly, the system allows the models to learn from newly observed data without requiring the new data to be manually labeled by humans.
-
3.
Publication No.: US11956260B2
Publication date: 2024-04-09
Application No.: US18144357
Filing date: 2023-05-08
Applicant: Rapid7, Inc.
CPC classification: H04L63/1416, G06F21/552, H04L63/1425, H04L63/1441
Abstract: Systems and methods are disclosed to implement a cyberattack detection system that monitors a computer network for lateral movement. In embodiments, the system uses network data from a computer network to build a baseline of connection behaviors for the network. Connection graphs are generated from new network data that indicate groups of nodes that made connections with one another during the last time interval. The graphs are analyzed for connection behavior anomalies and ranked to determine a subset of graphs with suspected lateral movement. Graphs with suspected lateral movement may be further analyzed to determine a set of possible attack paths in the lateral movement. The suspected attack paths are reported to network administrators via a notification interface. Advantageously, the disclosed system is able to detect potential lateral movement in localized portions of a network by monitoring for connection behavior anomalies in network data gathered from the network.
-
4.
Publication No.: US12069079B1
Publication date: 2024-08-20
Application No.: US17967243
Filing date: 2022-10-17
Applicant: Rapid7, Inc.
CPC classification: H04L63/1425, G06N5/04, G06N20/00
Abstract: An anomaly detection system is disclosed capable of reporting anomalous processes or hosts in a computer network using machine learning models trained using unsupervised training techniques. In embodiments, the system assigns observed processes to a set of process categories based on the file system path of the program executed by the process. The system extracts a feature vector for each process or host from the observation records and applies the machine learning models to the feature vectors to determine an outlier metric for each process or host. The processes or hosts with the highest outlier metrics are reported as detected anomalies to be further examined by security analysts. In embodiments, the machine learning models may be periodically retrained based on new observation records using unsupervised machine learning techniques. Accordingly, the system allows the models to learn from newly observed data without requiring the new data to be manually labeled by humans.
-
5.
Publication No.: US11853853B1
Publication date: 2023-12-26
Application No.: US17139812
Filing date: 2020-12-31
Applicant: Rapid7, Inc.
IPC classification: H04L9/00, G06N20/00, H04L9/40, G06F18/2113, G06F18/2132, G06F18/2433
CPC classification: G06N20/00, G06F18/2113, G06F18/2132, G06F18/2433, H04L63/1433
Abstract: An anomaly detection system is disclosed capable of reporting anomalous processes or hosts in a computer network using machine learning models trained using unsupervised training techniques. In embodiments, the system assigns observed processes to a set of process categories based on the file system path of the program executed by the process. The system extracts a feature vector for each process or host from the observation records and applies the machine learning models to the feature vectors to determine an outlier metric for each process or host. The processes or hosts with the highest outlier metrics are reported as detected anomalies to be further examined by security analysts. In embodiments, the machine learning models may be periodically retrained based on new observation records using unsupervised machine learning techniques. Accordingly, the system allows the models to learn from newly observed data without requiring the new data to be manually labeled by humans.
-
6.
Publication No.: US20230275909A1
Publication date: 2023-08-31
Application No.: US18144357
Filing date: 2023-05-08
Applicant: Rapid7, Inc.
CPC classification: H04L63/1416, H04L63/1425, G06F21/552, H04L63/1441
Abstract: Systems and methods are disclosed to implement a cyberattack detection system that monitors a computer network for lateral movement. In embodiments, the system uses network data from a computer network to build a baseline of connection behaviors for the network. Connection graphs are generated from new network data that indicate groups of nodes that made connections with one another during the last time interval. The graphs are analyzed for connection behavior anomalies and ranked to determine a subset of graphs with suspected lateral movement. Graphs with suspected lateral movement may be further analyzed to determine a set of possible attack paths in the lateral movement. The suspected attack paths are reported to network administrators via a notification interface. Advantageously, the disclosed system is able to detect potential lateral movement in localized portions of a network by monitoring for connection behavior anomalies in network data gathered from the network.
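The abstract shared by entries 1, 3 and 6 describes a pipeline of three steps: learn a baseline of connection behaviour, cut the newest interval's connections into graphs of nodes that talked to one another, then score and rank those graphs for anomalies. The following is an added example written for this page to make that pipeline concrete; it is not Rapid7's code and does not reproduce the claimed implementation. The host names, timestamps, the "share of never-seen connections" scoring rule and the `min_novel` filter are all constructed assumptions, and the attack-path extraction step the abstract mentions is not shown here.

```python
"""Connection-graph triage for suspected lateral movement.

Added example (not Rapid7's code). Input records are (timestamp, src, dst)
connection observations, constructed here for illustration.
"""
from collections import defaultdict

# Constructed sample data: the training window and the newest interval.
BASELINE_RECORDS = [
    (100, "ws-01", "dc-01"), (110, "ws-02", "dc-01"), (120, "ws-03", "file-01"),
    (130, "ws-01", "file-01"), (140, "app-01", "db-01"), (150, "ws-02", "file-01"),
    (160, "ws-04", "dc-01"), (170, "app-01", "dc-01"),
]
INTERVAL_RECORDS = [
    # Routine connections that are already in the baseline
    (200, "ws-01", "dc-01"), (205, "ws-03", "file-01"), (210, "app-01", "db-01"),
    # Chain of workstation-to-workstation hops never seen before
    (220, "ws-04", "ws-02"), (230, "ws-02", "ws-03"), (240, "ws-03", "app-01"),
    (250, "app-01", "db-01"),
]


def build_baseline(records):
    """Baseline of connection behaviour: every (src, dst) pair seen in training."""
    return {(src, dst) for _, src, dst in records}


def connection_graphs(records):
    """Split the interval's connections into groups of nodes that connected with
    one another (connected components of the undirected connection graph).

    Returns a list of {"nodes": set_of_hosts, "edges": [(ts, src, dst), ...]}.
    """
    neighbours = defaultdict(set)
    for _, src, dst in records:
        neighbours[src].add(dst)
        neighbours[dst].add(src)
    assigned, graphs = set(), []
    for start in neighbours:
        if start in assigned:
            continue
        component, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in component:
                continue
            component.add(node)
            stack.extend(neighbours[node] - component)
        assigned |= component
        # src in component implies dst in component, so filtering on src suffices
        edges = [r for r in records if r[1] in component]
        graphs.append({"nodes": component, "edges": edges})
    return graphs


def score_graph(graph, baseline):
    """Anomaly score = share of the graph's connections absent from the baseline.

    Returns (score, list_of_novel_edges).
    """
    novel = [e for e in graph["edges"] if (e[1], e[2]) not in baseline]
    return len(novel) / len(graph["edges"]), novel


def rank_graphs(records, baseline, min_novel=2):
    """Rank the interval's connection graphs by anomaly score, highest first,
    keeping only graphs with at least `min_novel` never-seen connections so a
    single stray connection does not page an analyst on its own."""
    ranked = []
    for g in connection_graphs(records):
        score, novel = score_graph(g, baseline)
        if len(novel) >= min_novel:
            ranked.append({"score": score, "nodes": sorted(g["nodes"]),
                           "novel_edges": sorted(novel)})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for hit in rank_graphs(INTERVAL_RECORDS, build_baseline(BASELINE_RECORDS)):
        print(f"score={hit['score']:.2f} nodes={hit['nodes']}")
        for ts, src, dst in hit["novel_edges"]:
            print(f"  t={ts} {src} -> {dst}  (not in baseline)")
```

On the constructed data the interval splits into two graphs: the `ws-01`/`dc-01` pair, whose single connection is in the baseline, and a six-host group in which three of six connections are new. Only the second survives the `min_novel` filter, which is the localisation effect the abstract claims: the anomaly is judged against the group that actually interacted, not against the whole network's traffic volume. A set-membership baseline is the simplest possible model; in practice the baseline needs an observation window long enough to cover weekly and monthly jobs, or every backup server will rank first on Monday morning.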
-
7.
Publication No.: US11606378B1
Publication date: 2023-03-14
Application No.: US17138504
Filing date: 2020-12-30
Applicant: Rapid7, Inc.
IPC classification: H04L9/40, H04L41/142, H04L43/16, G06N20/00
Abstract: Systems and methods are disclosed to implement a cyberattack detection system that monitors a computer network for suspected lateral movement. In embodiments, the system employs multiple machine learning models to analyze connection data of a network to identify anomalies in the network's connection behavior. The models are updated incrementally using online machine learning methods that can be performed in constant time and memory. In embodiments, the system uses an incremental matrix factorization model and a connection count fitting model to generate anomaly scores for each connection. Connection paths are constructed for acyclic sequences of time-ordered connections observed in the stream. The paths are evaluated based on the anomaly scores of their individual connections. Paths that meet a detection criterion are reported to analysts for further review. Because the detection models are online models, they are continuously updated based on newly observed data, without having to store the new observation data.
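Entry 7 differs from the graph-ranking family above in two ways: connections are scored one at a time by online models that are updated in place, and the unit of detection is a path of time-ordered, acyclic connections rather than a graph. The example below is added for this page and is not Rapid7's code. Its count-based model is a stand-in for the patent's incremental matrix factorization and connection count fitting models (the abstract does not give their formulas); the score-before-update rule, the mean-of-hops path score, the detection threshold and the event stream are constructed assumptions.

```python
"""Online connection scoring and time-ordered attack-path construction.

Added example (not Rapid7's code). The count model below stands in for the
patent's incremental matrix factorization / count-fitting models; the scoring
rule, host names and event stream are constructed assumptions.
"""
from collections import defaultdict

EVENTS = [  # constructed (timestamp, src, dst) stream, already time-ordered
    # Routine traffic that teaches the model what "normal" looks like
    (100, "ws-01", "dc-01"), (101, "ws-02", "dc-01"), (102, "app-01", "db-01"),
    (110, "ws-01", "dc-01"), (111, "ws-02", "dc-01"), (112, "app-01", "db-01"),
    (120, "ws-01", "dc-01"), (121, "ws-02", "dc-01"), (122, "app-01", "db-01"),
    (130, "ws-01", "file-01"), (131, "ws-01", "file-01"),
    # Later: one routine connection interleaved with a chain of unusual hops
    (300, "ws-04", "ws-02"), (305, "ws-01", "dc-01"), (310, "ws-02", "ws-03"),
    (320, "ws-03", "app-01"), (330, "app-01", "db-01"),
]


class OnlineConnectionModel:
    """Incremental count model: O(1) score-then-update per connection.

    State is only a pair of counters, never the observations themselves, so
    the model learns from new data without storing it. (Memory grows with the
    number of distinct pairs; a cap or decay would be needed to bound it.)
    """

    def __init__(self):
        self.pair_counts = defaultdict(int)  # (src, dst) -> times seen
        self.src_counts = defaultdict(int)   # src -> outbound connections seen

    def score_and_update(self, src, dst):
        """Anomaly score in [0, 1] computed from state *before* this event:
        1.0 for a destination src has never contacted, approaching 0.0 for a
        destination that accounts for all of src's history."""
        seen_pair, seen_src = self.pair_counts[(src, dst)], self.src_counts[src]
        familiarity = seen_pair / seen_src if seen_src else 0.0
        self.pair_counts[(src, dst)] += 1
        self.src_counts[src] += 1
        return 1.0 - familiarity


def build_paths(scored, max_len=4):
    """Maximal acyclic, time-ordered connection paths.

    `scored` holds (ts, src, dst, score) tuples. Consecutive connections must
    chain (dst of one == src of the next) with strictly increasing timestamps,
    and no host may be visited twice. Only paths of two or more hops are kept.
    """
    by_src = defaultdict(list)
    for conn in scored:
        by_src[conn[1]].append(conn)
    paths = []

    def extend(path, visited):
        last = path[-1]
        grew = False
        if len(path) < max_len:
            for nxt in by_src[last[2]]:
                if nxt[0] > last[0] and nxt[2] not in visited:
                    grew = True
                    extend(path + [nxt], visited | {nxt[2]})
        if not grew and len(path) >= 2:
            paths.append(path)

    for conn in scored:
        extend([conn], {conn[1], conn[2]})
    return paths


def path_score(path):
    """Path score: mean anomaly score of its connections."""
    return sum(c[3] for c in path) / len(path)


def detect(events, model, threshold=0.7):
    """Score the stream online, then report paths meeting the detection criterion."""
    scored = [(ts, src, dst, model.score_and_update(src, dst)) for ts, src, dst in events]
    hits = [{"score": round(path_score(p), 3), "hops": [(c[1], c[2]) for c in p]}
            for p in build_paths(scored) if path_score(p) >= threshold]
    hits.sort(key=lambda h: h["score"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS, OnlineConnectionModel()):
        print(hit["score"], " -> ".join([hit["hops"][0][0]] + [d for _, d in hit["hops"]]))
```

The single reported path is `ws-04 -> ws-02 -> ws-03 -> app-01 -> db-01`: three never-seen hops followed by `app-01`'s perfectly routine connection to the database, which is exactly the shape of an attacker pivoting through workstations and then riding an application server's legitimate access. Two caveats matter in practice. First, an online model has a cold-start problem: every first connection in the stream scores 1.0, so scoring should only feed detection after a warm-up period (here the hops at t=100..131 would otherwise look anomalous). Second, a path's mean score is diluted by normal hops at its tail, so the threshold and `max_len` trade off sensitivity against the length of chains that can be surfaced.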
-
8.
Publication No.: US11509674B1
Publication date: 2022-11-22
Application No.: US17024506
Filing date: 2020-09-17
Applicant: Rapid7, Inc.
Abstract: An anomaly detection system is disclosed capable of reporting anomalous processes or hosts in a computer network using machine learning models trained using unsupervised training techniques. In embodiments, the system assigns observed processes to a set of process categories based on the file system path of the program executed by the process. The system extracts a feature vector for each process or host from the observation records and applies the machine learning models to the feature vectors to determine an outlier metric for each process or host. The processes or hosts with the highest outlier metrics are reported as detected anomalies to be further examined by security analysts. In embodiments, the machine learning models may be periodically retrained based on new observation records using unsupervised machine learning techniques. Accordingly, the system allows the models to learn from newly observed data without requiring the new data to be manually labeled by humans.
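The abstract shared by entries 2, 4, 5 and 8 names three mechanisms: process categories derived from the executable's file-system path, a per-host (or per-process) feature vector built from those observations, and an outlier metric from a model that can be refit without labels. The example below is added for this page and is not Rapid7's code. The category prefixes, the feature set, the z-score distance used as the outlier metric and the sample process records are constructed assumptions; the abstract does not specify which unsupervised models or features the patent uses.

```python
"""Unsupervised outlier ranking of hosts from process observations.

Added example (not Rapid7's code). Category prefixes, features, the z-score
distance used as the outlier metric and the sample records are constructed
assumptions; the abstract does not specify the patent's own models.
"""
import math
from collections import Counter, defaultdict

# Ordered (lower-cased path prefix, category) rules; first match wins.
CATEGORY_RULES = [
    ("c:\\windows\\system32\\", "windows-system"),
    ("c:\\windows\\", "windows-other"),
    ("c:\\program files\\", "installed-app"),
    ("c:\\users\\", "user-profile"),
    ("/usr/bin/", "unix-system"),
    ("/usr/sbin/", "unix-system"),
    ("/tmp/", "temp"),
    ("/dev/shm/", "temp"),
    ("/home/", "user-profile"),
]
CATEGORIES = sorted({c for _, c in CATEGORY_RULES} | {"other"})
USER_WRITABLE = {"user-profile", "temp"}

# Constructed sample: (host, executable path, parent executable path)
PROCESS_RECORDS = [
    ("ws-01", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    ("ws-01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe"),
    ("ws-01", r"C:\Program Files\Office\winword.exe", r"C:\Windows\explorer.exe"),
    ("ws-02", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    ("ws-02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe"),
    ("ws-02", r"C:\Program Files\Office\excel.exe", r"C:\Windows\explorer.exe"),
    ("ws-03", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    ("ws-03", r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe"),
    ("ws-03", r"C:\Program Files\Office\winword.exe", r"C:\Windows\explorer.exe"),
    ("ws-04", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    ("ws-04", r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe"),
    ("ws-04", r"C:\Users\bob\AppData\Local\Temp\update.exe", r"C:\Windows\explorer.exe"),
    ("ws-04", r"C:\Users\bob\AppData\Local\Temp\update.exe", r"C:\Windows\explorer.exe"),
    ("ws-04", r"C:\Users\bob\Downloads\invoice.exe", r"C:\Program Files\Office\winword.exe"),
    ("ws-04", r"C:\Windows\System32\cmd.exe", r"C:\Users\bob\Downloads\invoice.exe"),
]


def categorize(path):
    """Assign a process to a category from the file-system path of its program."""
    lowered = path.lower()
    for prefix, category in CATEGORY_RULES:
        if lowered.startswith(prefix):
            return category
    return "other"


def host_features(records):
    """Feature vector per host: process count per category, distinct executables,
    and processes spawned by a parent running from a user-writable location."""
    per_host = defaultdict(list)
    for host, exe, parent in records:
        per_host[host].append((exe, parent))
    features = {}
    for host, procs in per_host.items():
        counts = Counter(categorize(exe) for exe, _ in procs)
        vector = [counts.get(c, 0) for c in CATEGORIES]
        vector.append(len({exe.lower() for exe, _ in procs}))
        vector.append(sum(1 for _, parent in procs if categorize(parent) in USER_WRITABLE))
        features[host] = vector
    return features


def outlier_metrics(features):
    """Outlier metric per host: Euclidean norm of the host's per-feature z-scores.

    'Training' is just the population mean and standard deviation, so the model
    can be refit on fresh observation records without any labels.
    """
    hosts = list(features)
    n, dims = len(hosts), len(next(iter(features.values())))
    means = [sum(features[h][i] for h in hosts) / n for i in range(dims)]
    stds = [math.sqrt(sum((features[h][i] - means[i]) ** 2 for h in hosts) / n) or 1.0
            for i in range(dims)]  # constant features get std 1.0 -> z-score 0
    return {h: math.sqrt(sum(((features[h][i] - means[i]) / stds[i]) ** 2 for i in range(dims)))
            for h in hosts}


def top_outliers(records, k=1):
    """Hosts with the highest outlier metrics, for analyst review."""
    metrics = outlier_metrics(host_features(records))
    return sorted(metrics.items(), key=lambda kv: kv[1], reverse=True)[:k]


if __name__ == "__main__":
    for host, metric in top_outliers(PROCESS_RECORDS, k=4):
        print(f"{host}: outlier metric {metric:.2f}")
```

`ws-04` ranks first because its vector is unusual on several features at once: programs launched from the user profile, more distinct executables, and a shell whose parent lives in a user-writable directory. The point of the path-based categories is that the model never sees the literal executable name, so a renamed or freshly compiled binary is still caught by where it runs from. Two caveats for a real deployment: a mean/standard-deviation model is itself pulled toward the outlier on small populations (with four hosts here the outlier moves every mean), so robust statistics or a density-based method such as an isolation forest are the usual choice; and the "retrain periodically on new records" step the abstract describes means an attacker who is present during the retraining window becomes part of normal, so retraining should exclude hosts already under investigation.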
-