Intrusion Detection and Mitigation in Data Processing
| Content Provider | The Lens |
|---|---|
| Abstract | A security manager configured to generate a plurality of learned security policies and provide at least one learned security policy and a security agent to a client machine for enforcement of the at least one learned security policy by the security agent on the client machine. The security manager is further configured to receive alerts from the security agent indicating anomalous behavior on the client machine. |
| Related Links | https://www.lens.org/lens/patent/010-296-620-098-204/frontpage |
| Language | English |
| Publisher Date | 2019-01-31 |
| Access Restriction | Open |
| Content Type | Text |
| Resource Type | Patent |
| Jurisdiction | United States of America |
| Date Applied | 2017-07-26 |
| Applicant | IBM |
| Application No. | 201715660016 |
| Claim | A computer-implemented method comprising: intercepting, by a security agent of a client machine, a first subset of a plurality of events generated by a first execution environment utilizing the client machine, wherein the first subset of the plurality of events are intercepted according to a first learned security policy, wherein the first learned security policy is learned based on observing operation of the first execution environment, wherein the first subset comprises less than half of the plurality of events, and wherein at least one event of the first subset of events is a type of event associated with a malicious code profile; identifying, by the security agent and based on the first learned security policy for the first execution environment, an anomaly based on comparing at least one intercepted event to at least one rule of the first learned security policy; and executing, by the security agent, a mitigation action responsive to identifying the anomaly. The method according to claim 1, further comprising: retrieving, by a security agent of a client machine, a first learned security policy from a security policy database in response to identifying a first execution environment utilizing the client machine; wherein the security policy database comprises a plurality of learned security policies, wherein each security policy comprises at least one security rule, and wherein each security rule comprises at least one condition. The method according to claim 2, wherein the security policy database comprises a security rules table, a security policies table, and a client machines table, wherein multiple security rules are associated with at least one security policy, wherein multiple security policies are associated with at least one security rule, wherein multiple client machines are associated with at least one security policy, and wherein multiple security policies are associated with at least one client machine. The method according to claim 3, further comprising: retrieving, by the security agent, at least a second learned security policy from the security policy database in response to determining that the client machine is associated with the first learned security policy and the second learned security policy in the security policy database. The method according to claim 1, wherein the first learned security policy is learned by intercepting a subset of simulated events generated by a simulation of the first execution environment and generating a plurality of rules based on the intercepted subset of simulated events. A computer system comprising: a processor; a tangible, computer-readable memory for storing program instructions which, when executed by the processor, perform the steps of: intercepting a first subset of a plurality of events generated by a first execution environment utilizing a client machine, wherein the first subset of the plurality of events are defined by a first learned security policy, wherein the first learned security policy is learned based on observing operation of the first execution environment, wherein the first subset comprises less than half of the plurality of events, and wherein at least one event of the first subset of events is a type of event associated with a malicious code profile; identifying, based on the first learned security policy for the first execution environment, an anomaly based on comparing at least one intercepted event to at least one rule of the first learned security policy; and executing a mitigation action responsive to identifying the anomaly. The computer system according to claim 6, wherein the first learned security policy comprises at least one static rule independent of the first execution environment and at least one dynamic rule dependent on at least one parameter configured in the first execution environment, wherein the processor is further configured to perform the step of: substituting at least one parameter configured in the first execution environment in the at least one dynamic rule of the first learned security policy. The computer system according to claim 6, wherein the processor configured to identify an anomaly is further configured to perform the step of: comparing a plurality of conditions for a first rule of the first learned security policy and the at least one intercepted event, wherein the plurality of conditions are related to a process name, a command line, and a file digest for the at least one intercepted event. The computer system according to claim 6, wherein at least one rule in the first learned security policy is associated with a set of conditions configured to generate a true value or a false value, wherein a true value is configured to execute a mitigation action, wherein a false value is configured to iterate to a next intercepted event. The computer system according to claim 6, wherein at least one rule in the first learned security policy is associated with a set of conditions configured to generate a true value or a false value, wherein a false value is configured to execute a mitigation action, wherein a true value is configured to iterate to a next intercepted event. A computer program product comprising a computer readable storage medium having program instructions embodied therewith, wherein the computer readable storage medium is not a transitory signal per se, the program instructions executable by a processor to cause the processor to perform a method comprising: intercepting a first subset of a plurality of events generated by a first execution environment utilizing a client machine, wherein the first subset of the plurality of events are defined by a first learned security policy, wherein the first learned security policy is learned based on observing operation of the first execution environment, wherein the first subset comprises less than half of the plurality of events, and wherein at least one event of the first subset of events is a type of event associated with a malicious code profile; identifying, based on the first learned security policy for the first execution environment, an anomaly based on comparing at least one intercepted event to at least one rule of the first learned security policy; and executing a mitigation action responsive to identifying the anomaly. The computer program product according to claim 11, wherein the instructions stored in the computer readable storage medium were downloaded over a network from a remote data processing system. The computer program product according to claim 12, the program instructions further configured to cause the processor to perform a method further comprising: identifying a process performing an authorized update on the first execution environment; entering a limited learning phase, wherein, during the limited learning phase, the instructions are further configured to cause the processor to perform a method further comprising: intercepting a new set of events generated by the updated first execution environment; generating an updated first learned security policy by updating at least one rule of the first learned security policy based on the new set of events; and providing the updated first learned security policy to the remote data processing system. The computer program product according to claim 11, wherein the first subset of the plurality of events comprises less than 1% of the plurality of events. The computer program product according to claim 11, wherein a majority of respective events of the first subset of events comprise events associated with more than one malicious code profile. A system comprising: a security manager comprising a processor, a memory storing processor-executable instructions, a security policy database, and an interface, wherein the security manager is communicatively coupled to a plurality of nodes; wherein the security manager is configured to: generate a plurality of security policies including a first learned security policy based on a minority of events associated with a synthetic first execution environment, wherein at least one rule associated with the first learned security policy is based on a type of event that is associated with a malicious code profile; store the plurality of security policies in the security policy database; provide a respective security agent and at least the first learned security policy to a subset of the plurality of nodes, wherein the subset of nodes are configured to host the first execution environment, wherein respective security agents are configured to enforce at least the first learned security policy on respective nodes of the subset of nodes; and receive, from a first security agent provided to a first node, an alert identifying an anomaly based on at least one intercepted event generated by the first execution environment utilizing the first node and intercepted by the first security agent according to the first learned security policy. The system according to claim 16, wherein the security manager is further configured to: send a mitigation action to the first security agent responsive to presenting the alert to the interface and receiving input from the interface, wherein the first security agent is configured to implement the mitigation action. The system according to claim 16, wherein the security manager is configured to generate a plurality of security policies by performing the steps of: intercepting a first subset of events from a synthetic first execution environment for a first time interval; generating a plurality of rules defining normal and abnormal behavior based on the first subset of events, wherein respective rules are associated with one or more conditions; storing the plurality of rules as the first learned security policy for the first execution environment in the security policy database; and associating the first learned security policy to the subset of nodes based on the subset of nodes being configured to host the first execution environment. The system according to claim 16, wherein the security policy database comprises a security rules table, a security policies table, and a nodes table, wherein multiple security rules are associated with at least one security policy, wherein multiple security policies are associated with at least one security rule, wherein multiple nodes are associated with at least one security policy, and wherein multiple security policies are associated with at least one node. The system according to claim 16, wherein the security manager is further configured to perform the steps of: receiving, from the first security agent, an updated first learned security policy, wherein the first security agent is configured to update the first learned security policy responsive to detecting an authorized update associated with the first execution environment; updating the first learned security policy in the security policy database responsive to receiving the updated first learned security policy; and providing, to at least a second security agent provided to a second node of the subset of nodes, the updated first learned security policy. A computer-implemented method comprising: generating a plurality of security policies including a first learned security policy based on a subset of events associated with a synthetic first execution environment, wherein at least one rule associated with the first learned security policy is based on a type of event that is associated with a malicious code profile; storing the plurality of security policies in a security policy database; providing at least the first learned security policy to a plurality of clients, wherein the first learned security policy is relevant to a first execution environment deployed by the plurality of clients, wherein the plurality of clients are configured to enforce the first learned security policy; and receiving, from a first client, an alert identifying an anomaly based on at least one intercepted event generated by the first execution environment deployed on the first client and intercepted by the first client according to the first learned security policy. The method according to claim 21, wherein the plurality of security policies are stored in a directed acyclic graph (DAG) having as nodes security policies comprising rules, and having as edges connections between the security policies indicating relationships between nodes. The method according to claim 22, wherein providing the first learned security policy further comprises: providing a second learned security policy responsive to determining that a second node corresponding to the second learned security policy shares an edge in the DAG with a first node corresponding to the first learned security policy. The method according to claim 21, wherein generating a plurality of security policies further comprises: intercepting a first subset of events from the synthetic first execution environment for a first time interval; generating a plurality of rules defining normal and abnormal behavior based on the first subset of events from the synthetic first execution environment, wherein respective rules are associated with one or more conditions; storing the plurality of rules as the first learned security policy for the first execution environment in the security policy database; and associating the first learned security policy with the plurality of clients. The method according to claim 21, wherein the first learned security policy is configured to be dynamically changed by each client of the plurality of clients based on respective parameters associated with respective first execution environments deployed on each client. |
| CPC Classification | TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; ELECTRIC DIGITAL DATA PROCESSING |
| Extended Family | 160-358-909-448-893 160-746-932-695-811 180-427-748-133-429 104-240-994-037-751 010-296-620-098-204 014-684-120-604-561 133-285-682-945-276 030-115-661-062-240 135-067-772-774-682 132-577-132-364-301 141-591-575-012-257 098-509-852-554-191 150-380-774-937-486 022-952-991-640-347 098-757-727-487-586 |
| Patent ID | 20190036978 |
| Inventor/Author | Shulman-Peleg Alexandra; Regev Shmuel; Peleg Ron; Kohanim Shahar; Basil Zohar |
| IPC | H04L29/06 G06F21/55 |
| Status | Active |
| Owner | International Business Machines Corporation |
| Simple Family | 160-358-909-448-893 160-746-932-695-811 180-427-748-133-429 104-240-994-037-751 010-296-620-098-204 014-684-120-604-561 133-285-682-945-276 030-115-661-062-240 135-067-772-774-682 132-577-132-364-301 141-591-575-012-257 098-509-852-554-191 150-380-774-937-486 022-952-991-640-347 098-757-727-487-586 |
| CPC (with Group) | H04L63/205 G06F21/53 G06F21/554 G06F2221/034 H04L63/1416 H04L63/1441 |
| Issuing Authority | United States Patent and Trademark Office (USPTO) |
| Kind | Patent Application Publication |
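The agent-side check the claims describe (intercept only the learned subset of event types, substitute environment parameters into dynamic rules, test each rule's conditions on process name, command line and file digest, and raise an anomaly with a mitigation action when the true/false outcome the rule specifies occurs) can be sketched as follows. This is an added illustration, not code from the patent or from IBM; the policy, parameter names, digests and event stream are all constructed for the example.

```python
import fnmatch

# Constructed learned policy (not from the patent). `match` selects the events a
# rule applies to, `conditions` are tested on them, and an anomaly is raised when
# the condition result equals `anomaly_when`: False for an allow-list rule
# (deviation from learned behaviour), True for a rule describing a malicious profile.
# "{config_path}" marks a dynamic rule parameter filled from the environment.
POLICY = {
    "intercept": {"process_start", "file_write"},  # minority of all event types
    "rules": [
        {"name": "worker-binary", "match": {"type": "process_start", "process": "worker"},
         "conditions": {"cmdline": "/opt/app/worker --config {config_path}",
                        "digest": "sha256:WORKER_DIGEST_PLACEHOLDER"},
         "anomaly_when": False, "mitigation": "terminate"},
        {"name": "config-tamper", "match": {"type": "file_write"},
         "conditions": {"path": "{config_path}"},
         "anomaly_when": True, "mitigation": "block"},
    ],
}

def substitute(policy, params):
    """Fill {name} placeholders in dynamic rules from the environment's parameters."""
    fill = lambda m: {k: v.format(**params) for k, v in m.items()}
    return {"intercept": policy["intercept"],
            "rules": [{**r, "match": fill(r["match"]), "conditions": fill(r["conditions"])}
                      for r in policy["rules"]]}

def holds(patterns, event):
    """True when every field pattern (glob syntax) matches the event field."""
    return all(fnmatch.fnmatchcase(str(event.get(k, "")), p) for k, p in patterns.items())

def evaluate(policy, events):
    """Return (alerts, intercepted_count); each alert is (rule, mitigation, event)."""
    alerts, intercepted = [], 0
    for ev in events:
        if ev["type"] not in policy["intercept"]:
            continue  # outside the learned subset: never inspected
        intercepted += 1
        for rule in policy["rules"]:
            if holds(rule["match"], ev) and holds(rule["conditions"], ev) == rule["anomaly_when"]:
                alerts.append((rule["name"], rule["mitigation"], ev))
    return alerts, intercepted

EVENTS = [  # constructed sample event stream from one client machine
    {"type": "network_read", "process": "worker"},
    {"type": "process_start", "process": "worker", "digest": "sha256:WORKER_DIGEST_PLACEHOLDER",
     "cmdline": "/opt/app/worker --config /etc/app/app.yaml"},
    {"type": "process_start", "process": "worker", "digest": "sha256:OTHER_DIGEST_PLACEHOLDER",
     "cmdline": "/opt/app/worker --config /tmp/x.yaml"},
    {"type": "file_write", "process": "sh", "path": "/etc/app/app.yaml"},
]

if __name__ == "__main__":
    for name, action, ev in evaluate(substitute(POLICY, {"config_path": "/etc/app/app.yaml"}), EVENTS)[0]:
        print(f"ALERT rule={name} mitigation={action} event={ev}")
```

Only the two process_start events and the file_write are inspected; the first process_start matches the learned profile and passes, the second deviates in both command line and digest, and the write to the configured path trips the malicious-profile rule.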