-
Publication No.: US10721264B1
Publication Date: 2020-07-21
Application No.: US16286774
Filing Date: 2019-02-27
Applicant: Symantec Corporation
Inventors: Matteo Dell'Amico, Chris Gates, Michael Hart, Kevin Roundy
Abstract: The disclosed computer-implemented method for categorizing security incidents may include (i) generating, within a training dataset, a feature vector for each of a group of security incidents, the feature vector including features that describe the security incidents and the features including categories that were previously assigned to the security incidents as labels to describe the security incidents, (ii) training a supervised machine learning function on the training dataset such that the supervised machine learning function learns how to predict an assignment of future categories to future security incidents, (iii) assigning a category to a new security incident by applying the supervised machine learning function to a new feature vector that describes the new security incident, and (iv) notifying a client of the new security incident and the category assigned to the new security incident. Various other methods, systems, and computer-readable media are also disclosed.
-
Publication No.: US10574700B1
Publication Date: 2020-02-25
Application No.: US15281130
Filing Date: 2016-09-30
Applicant: Symantec Corporation
Inventors: Matteo Dell'Amico, Kevin Roundy, Chris Gates, Michael Hart
Abstract: A computer-implemented method for managing computer security of client computing machines may include (i) monitoring a set of client computing devices, (ii) receiving security data on sets of security-related events from each client computing device in the set of client computing devices, (iii) clustering the sets of security-related events by calculating a dissimilarity value, for each set of security-related events, that indicates a uniqueness of the set of security-related events in relation to other sets of security-related events using a dissimilarity function and adjusting the dissimilarity function based on a homogeneity of clusters of sets of security-related events, (iv) determining, based on clustering the sets of security-related events by the dissimilarity value, that a set of security-related events comprises an anomaly, and (v) performing a security action in response to determining that the set of security-related events comprises the anomaly. Various other methods, systems, and computer-readable media are also disclosed.
-
Publication No.: US10530805B1
Publication Date: 2020-01-07
Application No.: US15679131
Filing Date: 2017-08-16
Applicant: Symantec Corporation
Inventors: Acar Tamersoy, Kevin Roundy, Michael Hart, Daniel Kats, Michael Spertus
IPC Classification: H04L29/06
Abstract: The disclosed computer-implemented method for detecting security incidents may include (i) collecting, by a security server, security information describing security events detected on at least one client device, (ii) generating, based on the collected security information, a mathematical graph that includes a set of nodes designating machine-windows of data and a set of nodes designating detected security events, (iii) executing a random-walk-with-restart algorithm on the generated mathematical graph to sort the set of nodes designating machine-windows of data in terms of relevance to a set of ground truth nodes that indicate confirmed security threats, and (iv) performing a remedial security action to protect a user in response to detecting a candidate security threat based on sorting the set of nodes designating machine-windows of data by executing the random-walk-with-restart algorithm. Various other methods, systems, and computer-readable media are also disclosed.
-
Publication No.: US10142357B1
Publication Date: 2018-11-27
Application No.: US15385963
Filing Date: 2016-12-21
Applicant: Symantec Corporation
Inventors: Acar Tamersoy, Kevin Roundy
Abstract: The disclosed computer-implemented method may include (i) monitoring computing activity, (ii) detecting, during a specific time period, at least one malicious network connection that involves a computing device within a network, (iii) determining that no malicious network connections involving the computing device were detected during another time period, (iv) identifying a feature of the computing activity that (a) occurred during the specific time period and (b) did not occur during the other time period, (v) determining that the feature is likely indicative of malicious network activity due at least in part to the feature having occurred during the specific time period and not having occurred during the other time period, and in response to detecting the feature at a subsequent point in time, (vi) performing a security action on a subsequent network connection attempted around the subsequent point in time. Various other methods, systems, and computer-readable media are also disclosed.
-
Publication No.: US09838405B1
Publication Date: 2017-12-05
Application No.: US14947878
Filing Date: 2015-11-20
Applicant: Symantec Corporation
Inventors: Fanglu Guo, Kevin Roundy
CPC Classification: H04L63/1416, G06F21/561, G06F2221/2101, H04L63/1433, H04L63/145
Abstract: The disclosed computer-implemented method for determining types of malware infections on computing devices may include (1) identifying multiple types of security events generated by a group of endpoint devices that describe suspicious activities on the endpoint devices, each of the endpoint devices having one or more types of malware infections, (2) determining correlations between each type of security event generated by the group of endpoint devices and each type of malware infection within the group of endpoint devices, (3) identifying a set of security events generated on a target endpoint device that potentially has a malware infection, and (4) detecting, based on both the set of security events generated on the target endpoint device and the correlations between the types of malware infections and the types of security events, at least one type of malware infection likely present on the target endpoint device.
-
Publication No.: US11032319B1
Publication Date: 2021-06-08
Application No.: US16119168
Filing Date: 2018-08-31
Applicant: Symantec Corporation
Inventors: Kevin Roundy, Sandeep Bhatkar, Michael Rinehart, Xiaolin Wang
IPC Classification: H04L29/06, G06F21/62, G06F21/55, G06N20/00, G06F16/951
Abstract: The disclosed computer-implemented method for preparing honeypot computer files may include (1) identifying, at a computing device, a search term used by a cyber attacker in an electronic search request, (2) identifying, without regard to a search access restriction, a sensitive computer document in search results stemming from the electronic search request, (3) creating, as a security action in response to the electronic search request, a honeypot computer file based on the sensitive computer document and including the identified search term, and (4) placing the honeypot computer file in the search results. Various other methods, systems, and computer-readable media are also disclosed.
-
Publication No.: US10055586B1
Publication Date: 2018-08-21
Application No.: US14753051
Filing Date: 2015-06-29
Applicant: Symantec Corporation
Inventors: Kevin Roundy, Sandeep Bhatkar, Christopher Gates, Anand Kashyap, Yin Liu, Aleatha Parker-Wood, Leylya Yumer
IPC Classification: G06F11/00, G06F12/14, G06F12/16, G08B23/00, G06F21/57, H04L29/06, G06F21/56, G06F21/00, G06F21/55, G06F21/53
CPC Classification: G06F21/56, G06F21/566, H04L63/101, H04L63/1416, H04L63/1433, H04L63/1441, H04L63/145
Abstract: The disclosed computer-implemented method for determining the trustworthiness of files within organizations may include (1) identifying a file on a computing device within multiple computing devices managed by an organization, (2) in response to identifying the file, identifying at least one additional computing device within the multiple computing devices that is potentially associated with the file, (3) distributing at least a portion of the file to a user of the additional computing device with a request to receive an indication of the trustworthiness of the file, and then (4) receiving, from the additional computing device, a response that indicates the trustworthiness of the file. Various other methods, systems, and computer-readable media are also disclosed.
-
Publication No.: US09825986B1
Publication Date: 2017-11-21
Application No.: US14753038
Filing Date: 2015-06-29
Applicant: Symantec Corporation
Inventors: Sandeep Bhatkar, Sharada Sundaram, Kevin Roundy, David Silva
CPC Classification: H04L63/1441, G06F21/552, H04L43/045, H04L63/1416
Abstract: The disclosed computer-implemented method for generating contextually meaningful animated visualizations of computer security events may include (1) detecting a security-related event that involves an actor and a target within a computing environment, (2) identifying certain characteristics of the security-related event that collectively describe a context of the security-related event with respect to the actor and the target within the computing environment, (3) generating, based at least in part on the certain characteristics of the security-related event, a graphical animation of the security-related event that graphically represents the context of the security-related event with respect to the actor and the target within the computing environment, and then (4) providing, for presentation to a user, the graphical animation of the security-related event to facilitate visualizing the context of the security-related event with respect to the actor and the target. Various other methods, systems, and computer-readable media are also disclosed.
-
Publication No.: US09805192B1
Publication Date: 2017-10-31
Application No.: US14751178
Filing Date: 2015-06-26
Applicant: Symantec Corporation
Inventors: Christopher Gates, Kevin Roundy
CPC Classification: G06F21/562, G06F2221/034
Abstract: A computer-implemented method for file classification may include (1) identifying, by a computer security system, a cluster of files that co-occur with each other according to a statistical analysis, (2) identifying ground truth files to which the computer security system has previously assigned a security score, (3) determining that a file in the cluster of files shares an item of file metadata with another file in the ground truth files, (4) assigning a security score to the file in the cluster of files based on a security score of the other file in the ground truth files that shares the item of file metadata, and (5) assigning an overall security score to the entire cluster of files based on the security score assigned to the file in the cluster. Various other methods, systems, and computer-readable media are also disclosed.
-
Publication No.: US09407644B1
Publication Date: 2016-08-02
Application No.: US14089999
Filing Date: 2013-11-26
Applicant: Symantec Corporation
Inventors: Tao Cheng, Kevin Roundy, Jie Fu, Zhi Kai Li, Ying Li
CPC Classification: H04L63/1408, H04L63/0853, H04L63/1441
Abstract: A computer-implemented method for detecting malicious use of digital certificates may include determining that a digital certificate is invalid. The method may further include locating, within the invalid digital certificate, at least one field that was previously identified as being useful in distinguishing malicious use of invalid certificates from benign use of invalid certificates. The method may also include determining, based on analysis of information from the field of the invalid digital certificate, that the invalid digital certificate is potentially being used to facilitate malicious communications. The method may additionally include performing a security action in response to determining that the invalid digital certificate is potentially being used to facilitate malicious communications. Various other methods, systems, and computer-readable media are disclosed.