
Context informed abnormal endpoint behavior detection

Patent number
US11888881B2
Publication date
2024-01-30
Applicant
Palo Alto Networks, Inc. (Santa Clara, CA, US)
Inventors
Shai Meir; Dany Cohen; Arkady Miasnikov; Ohad Ohayon
IPC classification
H04L9/40; G06N20/00
Technical field
causality, event, endpoint, adaptive, profile, malicious, security, file, normal, events
Region: Santa Clara, CA

Abstract

Adaptive normal profiles are generated at hierarchical scopes, each scope corresponding to a set of endpoints and a process. Abnormal endpoint activity is detected by checking whether event data tracking activity on the set of endpoints conforms to the adaptive normal profiles. False positives are reduced by verifying whether alarmed activity in fact corresponds to normal endpoint activity. Abnormal event data is forwarded to a causality chain identifier that identifies the abnormal chains of processes behind the abnormal endpoint activity. A trained threat detection model receives the abnormal causality chains from the causality chain identifier and outputs a likelihood that each chain corresponds to a malicious attack, which indicates abnormal endpoint behavior.

Description

BACKGROUND

The disclosure generally relates to the field of information security, and to modeling, design, simulation, or emulation.

In the context of monitoring a device or a network of endpoint devices (hereinafter "endpoints"), malicious entities exploit vulnerabilities in common system processes to deliver one or more stages of an attack. Examples of known attacks that exploit processes running in an operating system (OS) include process hollowing, doppelganger attacks, code injection, and masquerading under known process names. Often the attack exploits a zero-day vulnerability, meaning that the defenders of the endpoint network have no prior knowledge of the vulnerability being exploited while the attack is carried out.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the disclosure may be better understood by referencing the accompanying drawings.

FIG. 1 is a conceptual diagram of a profile generator generating adaptive normal profiles.

FIG. 2 depicts an example adaptive normal profile.

FIG. 3 is a conceptual diagram of deployment of a malicious behavior detection system.

FIG. 4 is a flowchart of example operations for filtering and storing event data using a bucketed event database.

FIG. 5 is a flowchart of example operations for generating an adaptive normal profile.

權(quán)利要求

What is claimed is:

1. A method comprising:
generating a plurality of profiles for a first process for a plurality of hierarchical endpoint scopes, wherein the first process is executing on one or more endpoints indicated in the plurality of hierarchical endpoint scopes, wherein generating the plurality of profiles for the first process comprises, for each endpoint scope in the plurality of hierarchical endpoint scopes,
determining importance qualifiers for event data for the first process at the endpoint scope;
filtering the event data according to the importance qualifiers;
normalizing the filtered event data to generate normalized event data;
determining, for the first process, a plurality of classifiers for process activities of the first process that satisfy a criterion of normal activity for the first process at the endpoint scope, wherein the determination of the plurality of classifiers for process activities that satisfy the criterion of normal activity is based, at least in part, on statistics from the normalized event data for the first process at the endpoint scope; and
generating a profile with the plurality of classifiers and associating the profile with the endpoint scope.

2. The method of claim 1, further comprising indicating the normalized event data in association with the endpoint scope.

3. The method of claim 2, wherein normalizing the filtered event data comprises:
determining common file path elements for processes corresponding to the filtered event data; and
replacing file path elements in the filtered event data with corresponding file path elements in the common file path elements.

4. The method of claim 3, wherein the criterion of normal activity for the first process at the endpoint scope comprises a determination that the plurality of classifiers corresponds to events in the normalized event data that indicate common file path elements that are statistically normal in events corresponding to process activity for the first process at the endpoint scope.

5. The method of claim 3, further comprising bucketizing events in the normalized event data according, at least, to file path elements in the common file path elements.

6. The method of claim 2, wherein generating each of the plurality of profiles comprises adding the normalized event data of the corresponding endpoint scope to the profile.

7. The method of claim 1, wherein generating the profile with the plurality of classifiers comprises adding the plurality of classifiers to the profile in association with respective events in a plurality of events from the event data and corresponding event types.

8. A non-transitory, computer-readable medium having program code stored thereon, the program code comprising instructions to:
determine first importance qualifiers for first event data corresponding to a first process across a plurality of endpoints that have hosted the first process and second importance qualifiers for second event data of the first process on a first endpoint of the plurality of endpoints;
filter the first event data and second event data according to the first importance qualifiers and the second importance qualifiers, respectively;
normalize the first filtered event data and the second filtered event data to generate first normalized event data and second normalized event data, respectively;
determine, for the first process, a first plurality of classifiers for process activities of the first process that satisfy a first criterion of normal activity for the first process, wherein the determination of the first plurality of classifiers for process activities that satisfy the first criterion of normal activity is based, at least in part, on first statistics from the first normalized event data;
determine, for the first process, a second plurality of classifiers for process activities of the first process that satisfy a second criterion of normal activity for the first process, wherein the determination of the second plurality of classifiers for process activities that satisfy the second criterion of normal activity is based, at least in part, on second statistics from the second normalized event data;
generate a first profile with the first plurality of classifiers and associate the first profile with a first hierarchical scope that encompasses the plurality of endpoints; and
generate a second profile with the second plurality of classifiers and associate the second profile with a second hierarchical scope that only encompasses the first endpoint.

9. The computer-readable medium of claim 8, wherein the instructions to determine the first plurality of classifiers comprise instructions to determine common file paths corresponding to event data for the first process based, at least in part, on the first statistics from event data corresponding to the first process across a plurality of endpoints that have hosted the first process.

10. The computer-readable medium of claim 9, wherein the instructions to determine, for the first process, the first plurality of classifiers for process activities of the first process that satisfy the first criterion of normal activity for the first process comprise instructions to determine that file path elements corresponding to the first plurality of classifiers are indicated in the common file paths.

11. The computer-readable medium of claim 9, wherein the instructions to determine the first plurality of classifiers further comprise instructions to determine file types corresponding to common file paths for the first process.

12. The computer-readable medium of claim 9, wherein the first criterion of normal activity comprises a determination that the common file paths are statistically normal in events corresponding to process activity of the first process on the plurality of endpoints.

13. The computer-readable medium of claim 9, wherein the instructions to generate a first profile with the first plurality of classifiers comprise instructions to add the common file paths to the first profile.

14. The computer-readable medium of claim 9, wherein the instructions to normalize the first filtered event data comprise instructions to normalize the first filtered event data according to common file path elements indicated in the first filtered event data, wherein the common file paths comprise the common file path elements, wherein the first statistics from the event data at least comprise statistics of file path elements indicated in the first filtered event data.

15. An apparatus comprising:
a processor; and
a non-transitory machine-readable medium having instructions stored thereon that are executable by the processor to cause the apparatus to:
determine first importance qualifiers for first event data corresponding to a first process across a plurality of endpoints that have hosted the first process and second importance qualifiers for second event data of the first process on a first endpoint of the plurality of endpoints;
filter the first event data and second event data according to the first importance qualifiers and the second importance qualifiers, respectively;
normalize the first filtered event data and the second filtered event data to generate first normalized event data and second normalized event data, respectively;
determine, for the first process, a first plurality of classifiers for process activities of the first process that satisfy a first criterion of normal activity for the first process, wherein the determination of the first plurality of classifiers for process activities that satisfy the first criterion of normal activity is based, at least in part, on first statistics from the first normalized event data corresponding to the first process across a plurality of endpoints that have hosted the first process;
determine, for the first process, a second plurality of classifiers for process activities of the first process that satisfy a second criterion of normal activity for the first process, wherein the determination of the second plurality of classifiers for process activities that satisfy the second criterion of normal activity is based, at least in part, on second statistics from the second normalized event data corresponding to the first process on a first endpoint of the plurality of endpoints;
generate a first profile with the first plurality of classifiers and associate the first profile with a first hierarchical scope that encompasses the plurality of endpoints; and
generate a second profile with the second plurality of classifiers and associate the second profile with a second hierarchical scope that only encompasses the first endpoint.

16. The apparatus of claim 15, wherein the instructions executable by the processor to cause the apparatus to determine the first plurality of classifiers comprise instructions to determine common file paths corresponding to event data for the first process based, at least in part, on the first statistics from event data corresponding to the first process across a plurality of endpoints that have hosted the first process.

17. The apparatus of claim 16, wherein the instructions executable by the processor to cause the apparatus to determine, for the first process, the first plurality of classifiers for process activities of the first process that satisfy the first criterion of normal activity for the first process comprise instructions to determine that file path elements corresponding to the first plurality of classifiers are indicated in the common file paths.

18. The apparatus of claim 16, wherein the instructions executable by the processor to cause the apparatus to determine the first plurality of classifiers further comprise instructions to determine file types corresponding to common file paths for the first process.

19. The apparatus of claim 16, wherein the first criterion of normal activity comprises a determination that the common file paths are statistically normal in events corresponding to process activity of the first process on the plurality of endpoints.

20. The apparatus of claim 16, wherein the instructions to normalize the first filtered event data comprise instructions executable by the processor to cause the apparatus to normalize the first filtered event data according to common file path elements indicated in the first filtered event data, wherein the common file paths comprise the common file path elements, wherein the first statistics from the first filtered event data at least comprise statistics of file path elements indicated in the first filtered event data.
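The profile-building and checking steps the claims describe (importance filtering, replacement of endpoint-specific path elements with common ones, file-type-aware buckets, per-scope classifiers, and the fleet/endpoint hierarchy of claim 8) in a runnable toy form. This is an added example, not code from the patent or from Palo Alto Networks: the event tuple layout, the importance weights, the "seen on N endpoints" thresholds, and the sample telemetry are all assumptions constructed for illustration.

```python
"""Hierarchical adaptive normal profiles for one process's file activity.
Added illustration, not code from US11888881B2 or Palo Alto Networks. Event
layout, importance weights, thresholds and telemetry are constructed."""
from collections import defaultdict

# Hypothetical importance qualifiers per event type (assumption): event types
# below MIN_IMPORTANCE are dropped before any statistics are computed.
IMPORTANCE = {"process_create": 1.0, "file_write": 0.8, "file_read": 0.2}
MIN_IMPORTANCE = 0.5

# Constructed baseline telemetry: (endpoint, process, event_type, file_path).
# ep3 never wrote a Word template during the baseline window.
TRAINING_EVENTS = [
    ("ep1", "winword.exe", "file_write", r"C:\Users\alice\Documents\report.docx"),
    ("ep1", "winword.exe", "file_write", r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"),
    ("ep1", "winword.exe", "file_read", r"C:\Windows\Fonts\arial.ttf"),
    ("ep2", "winword.exe", "file_write", r"C:\Users\bob\Documents\notes.docx"),
    ("ep2", "winword.exe", "file_write", r"C:\Users\bob\AppData\Roaming\Microsoft\Templates\Normal.dotm"),
    ("ep2", "winword.exe", "file_read", r"C:\Windows\Fonts\calibri.ttf"),
    ("ep3", "winword.exe", "file_write", r"C:\Users\carol\Documents\budget.docx"),
    ("ep3", "winword.exe", "file_read", r"C:\Windows\Fonts\arial.ttf"),
]

# Constructed later window on ep3: a routine document save, a first-ever
# template write (normal fleet-wide), and a dropper written to Temp and run.
NEW_EVENTS = [
    ("ep3", "winword.exe", "file_write", r"C:\Users\carol\Documents\q4.docx"),
    ("ep3", "winword.exe", "file_write", r"C:\Users\carol\AppData\Roaming\Microsoft\Templates\Normal.dotm"),
    ("ep3", "winword.exe", "file_write", r"C:\Users\carol\AppData\Local\Temp\x7.exe"),
    ("ep3", "winword.exe", "process_create", r"C:\Users\carol\AppData\Local\Temp\x7.exe"),
    ("ep3", "winword.exe", "file_read", r"C:\Windows\Fonts\arial.ttf"),
]

def filter_by_importance(events):
    return [e for e in events if IMPORTANCE.get(e[2], 0.0) >= MIN_IMPORTANCE]

def common_path_elements(events, min_endpoints):
    """(depth, element) pairs observed on at least min_endpoints distinct endpoints."""
    seen = defaultdict(set)
    for endpoint, _proc, _etype, path in events:
        for depth, elem in enumerate(path.split("\\")):
            seen[(depth, elem)].add(endpoint)
    return {key for key, eps in seen.items() if len(eps) >= min_endpoints}

def normalize_path(path, common):
    """Replace endpoint-specific path elements with '*'; keep the file type of
    the final element so that '*.exe' and '*.docx' land in different buckets."""
    toks = path.split("\\")
    out = []
    for depth, elem in enumerate(toks):
        if (depth, elem) in common:
            out.append(elem)
        elif depth == len(toks) - 1 and "." in elem:
            out.append("*." + elem.rsplit(".", 1)[1].lower())
        else:
            out.append("*")
    return "\\".join(out)

def build_profile(events, endpoints, common, min_endpoints):
    """Classifiers for one scope: (event_type, normalized_path) buckets seen on
    at least min_endpoints endpoints of that scope."""
    buckets = defaultdict(set)
    for endpoint, _proc, etype, path in events:
        if endpoint in endpoints:
            buckets[(etype, normalize_path(path, common))].add(endpoint)
    return {b for b, eps in buckets.items() if len(eps) >= min_endpoints}

def build_hierarchical_profiles(events, process):
    events = [e for e in filter_by_importance(events) if e[1] == process]
    endpoints = sorted({e[0] for e in events})
    # The common-path vocabulary is learned fleet-wide and reused for the
    # narrower endpoint profiles so that both scopes bucket an event identically.
    common = common_path_elements(events, min_endpoints=max(2, len(endpoints) // 2))
    scopes = {"fleet": build_profile(events, set(endpoints), common, min_endpoints=2)}
    for ep in endpoints:
        scopes[ep] = build_profile(events, {ep}, common, min_endpoints=1)
    return {"process": process, "common": common, "scopes": scopes}

def classify(event, model):
    endpoint, proc, etype, path = event
    if proc != model["process"]:
        raise ValueError("model was built for %s, not %s" % (model["process"], proc))
    if IMPORTANCE.get(etype, 0.0) < MIN_IMPORTANCE:
        return "filtered"
    bucket = (etype, normalize_path(path, model["common"]))
    if bucket in model["scopes"].get(endpoint, set()):
        return "normal:endpoint"
    if bucket in model["scopes"]["fleet"]:
        return "normal:fleet"  # endpoint-scope alarm suppressed by the wider scope
    return "abnormal"

def detect_abnormal(events, model):
    return [e for e in events if classify(e, model) == "abnormal"]

MODEL = build_hierarchical_profiles(TRAINING_EVENTS, "winword.exe")

if __name__ == "__main__":
    for ev in NEW_EVENTS:
        print("%-16s %s %s" % (classify(ev, MODEL), ev[2], ev[3]))
```

Running the script labels the two Temp-directory events on ep3 as abnormal, the template write as normal at fleet scope even though ep3's own profile has never seen it (this is the false-positive suppression the abstract describes), and the font read as filtered before profiling. In practice the "seen on N endpoints" rule would be replaced by the statistical criterion of claims 4 and 12, and the abnormal events would feed a causality-chain step rather than being alarmed on their own.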