SYSTEM AND METHOD FOR MALWARE DETECTION LEARNING
    1. Patent application (in force)

    Publication number: US20160255110A1

    Publication date: 2016-09-01

    Application number: US15057164

    Filing date: 2016-03-01

    CPC classification number: H04L63/1425 G06N99/005 H04L63/1441 H04L63/145

    Abstract: Malware detection techniques that detect malware by identifying the C&C communication between the malware and the remote host, and distinguish between communication transactions that carry C&C communication and transactions of innocent traffic. The system distinguishes between malware transactions and innocent transactions using malware identification models, which it adapts using machine learning algorithms. However, the number and variety of malicious transactions that can be obtained from the protected network are often too limited for effectively training the machine learning algorithms. Therefore, the system obtains additional malicious transactions from another computer network that is known to be relatively rich in malicious activity. The system is thus able to adapt the malware identification models based on a large number of positive examples: the malicious transactions obtained from both the protected network and the infected network. As a result, the malware identification models are adapted with high speed and accuracy.

System and method for malware detection learning
    2. Granted patent (in force)

    Publication number: US09306971B2

    Publication date: 2016-04-05

    Application number: US14295758

    Filing date: 2014-06-04

    CPC classification number: H04L63/1425 G06N99/005 H04L63/1441 H04L63/145

    Abstract: Malware detection techniques that detect malware by identifying the C&C communication between the malware and the remote host, and distinguish between communication transactions that carry C&C communication and transactions of innocent traffic. The system distinguishes between malware transactions and innocent transactions using malware identification models, which it adapts using machine learning algorithms. However, the number and variety of malicious transactions that can be obtained from the protected network are often too limited for effectively training the machine learning algorithms. Therefore, the system obtains additional malicious transactions from another computer network that is known to be relatively rich in malicious activity. The system is thus able to adapt the malware identification models based on a large number of positive examples: the malicious transactions obtained from both the protected network and the infected network. As a result, the malware identification models are adapted with high speed and accuracy.

SYSTEM AND METHOD FOR AUTOMATED CONFIGURATION OF INTRUSION DETECTION SYSTEMS
    3. Patent application (in force)

    Publication number: US20140325653A1

    Publication date: 2014-10-30

    Application number: US14263097

    Filing date: 2014-04-28

    CPC classification number: H04L63/1416 H04L63/0227

    Abstract: Methods and systems for automated generation of malicious traffic signatures, for use in Intrusion Detection Systems (IDS). A rule generation system formulates IDS rules based on traffic analysis results obtained from a network investigation system. The rule generation system then automatically configures the IDS to apply the rules. An analysis process in the network investigation system comprises one or more metadata filters that are indicative of malicious traffic. An operator of the rule generation system is provided with a user interface that is capable of displaying the network traffic filtered in accordance with such filters.

System and method for malware detection learning

    Publication number: US09923913B2

    Publication date: 2018-03-20

    Application number: US15057164

    Filing date: 2016-03-01

    CPC classification number: H04L63/1425 G06N99/005 H04L63/1441 H04L63/145

    Abstract: Malware detection techniques that detect malware by identifying the C&C communication between the malware and the remote host, and distinguish between communication transactions that carry C&C communication and transactions of innocent traffic. The system distinguishes between malware transactions and innocent transactions using malware identification models, which it adapts using machine learning algorithms. However, the number and variety of malicious transactions that can be obtained from the protected network are often too limited for effectively training the machine learning algorithms. Therefore, the system obtains additional malicious transactions from another computer network that is known to be relatively rich in malicious activity. The system is thus able to adapt the malware identification models based on a large number of positive examples: the malicious transactions obtained from both the protected network and the infected network. As a result, the malware identification models are adapted with high speed and accuracy.

System and method for automated configuration of intrusion detection systems
    5. Granted patent (in force)

    Publication number: US09479523B2

    Publication date: 2016-10-25

    Application number: US14263097

    Filing date: 2014-04-28

    CPC classification number: H04L63/1416 H04L63/0227

    Abstract: Methods and systems for automated generation of malicious traffic signatures, for use in Intrusion Detection Systems (IDS). A rule generation system formulates IDS rules based on traffic analysis results obtained from a network investigation system. The rule generation system then automatically configures the IDS to apply the rules. An analysis process in the network investigation system comprises one or more metadata filters that are indicative of malicious traffic. An operator of the rule generation system is provided with a user interface that is capable of displaying the network traffic filtered in accordance with such filters.

SYSTEM AND METHOD FOR MALWARE DETECTION LEARNING

    Publication number: US20180278636A1

    Publication date: 2018-09-27

    Application number: US15924859

    Filing date: 2018-03-19

    CPC classification number: H04L63/1425 G06N20/00 H04L63/1441 H04L63/145

    Abstract: Malware detection techniques that detect malware by identifying the C&C communication between the malware and the remote host, and distinguish between communication transactions that carry C&C communication and transactions of innocent traffic. The system distinguishes between malware transactions and innocent transactions using malware identification models, which it adapts using machine learning algorithms. However, the number and variety of malicious transactions that can be obtained from the protected network are often too limited for effectively training the machine learning algorithms. Therefore, the system obtains additional malicious transactions from another computer network that is known to be relatively rich in malicious activity. The system is thus able to adapt the malware identification models based on a large number of positive examples: the malicious transactions obtained from both the protected network and the infected network. As a result, the malware identification models are adapted with high speed and accuracy.

SYSTEMS AND METHODS FOR IDENTIFYING MALICIOUS HOSTS
    7. Patent application (pending, published)

    Publication number: US20150026809A1

    Publication date: 2015-01-22

    Application number: US14337341

    Filing date: 2014-07-22

    CPC classification number: H04L63/1483 H04L63/1416 H04L63/145

    Abstract: A malware detection system analyzes communication traffic to and/or from a certain host. The malware detection system uses the mismatch between host name and IP address to assign a quantitative score, which is indicative of the probability that the host is malicious. The system may use this score, for example, in combination with other indications, to decide whether the host in question is malicious or innocent. The overall decision may use, for example, a rule engine, machine learning techniques or any other suitable means. The malware detection system may also analyze alerts regarding hosts that are suspected of being malicious. The alerts may originate, for example, from Command & Control (C&C) detection, from an Intrusion Detection System (IDS), or from any other suitable source. A given alert typically reports a name of the suspected host and an IP address that allegedly belongs to that host.

System and method for malware detection learning

    Publication number: US11038907B2

    Publication date: 2021-06-15

    Application number: US15924859

    Filing date: 2018-03-19

    Abstract: Malware detection techniques that detect malware by identifying the C&C communication between the malware and the remote host, and distinguish between communication transactions that carry C&C communication and transactions of innocent traffic. The system distinguishes between malware transactions and innocent transactions using malware identification models, which it adapts using machine learning algorithms. However, the number and variety of malicious transactions that can be obtained from the protected network are often too limited for effectively training the machine learning algorithms. Therefore, the system obtains additional malicious transactions from another computer network that is known to be relatively rich in malicious activity. The system is thus able to adapt the malware identification models based on a large number of positive examples: the malicious transactions obtained from both the protected network and the infected network. As a result, the malware identification models are adapted with high speed and accuracy.

SYSTEM AND METHOD FOR MALWARE DETECTION LEARNING
    9. Patent application (in force)

    Publication number: US20140359761A1

    Publication date: 2014-12-04

    Application number: US14295758

    Filing date: 2014-06-04

    CPC classification number: H04L63/1425 G06N99/005 H04L63/1441 H04L63/145

    Abstract: Malware detection techniques that detect malware by identifying the C&C communication between the malware and the remote host, and distinguish between communication transactions that carry C&C communication and transactions of innocent traffic. The system distinguishes between malware transactions and innocent transactions using malware identification models, which it adapts using machine learning algorithms. However, the number and variety of malicious transactions that can be obtained from the protected network are often too limited for effectively training the machine learning algorithms. Therefore, the system obtains additional malicious transactions from another computer network that is known to be relatively rich in malicious activity. The system is thus able to adapt the malware identification models based on a large number of positive examples: the malicious transactions obtained from both the protected network and the infected network. As a result, the malware identification models are adapted with high speed and accuracy.
