US 12,189,771 B2
Method and system for detecting malicious activity
Sergei Sergeevich Perfilev, Permskij krai (RU); and Nikolay Nikolaevich Andreev, Khimki (RU)
Assigned to F.A.C.C.T. NETWORK SECURITY LLC, Moscow (RU)
Filed by F.A.C.C.T. NETWORK SECURITY LLC, Moscow (RU)
Filed on Jan. 27, 2022, as Appl. No. 17/585,993.
Application 17/585,993 is a continuation of application No. PCT/RU2020/000319, filed on Jun. 30, 2020.
Claims priority of application No. 2020121186 (RU), filed on Jun. 26, 2020.
Prior Publication US 2022/0147631 A1, May 12, 2022
Int. Cl. H04L 29/06 (2006.01); G06F 21/56 (2013.01); G06N 20/00 (2019.01)
CPC G06F 21/566 (2013.01) [G06N 20/00 (2019.01); G06F 2221/034 (2013.01)] 10 Claims
 
1. A computer-implemented method for detection of a malicious activity by analyzing object behavior in a non-isolated environment, the method comprising:
receiving, from a given host of a plurality of hosts of the non-isolated environment, an event flow including data representative of events that occurred at the given host;
analyzing a given event sequence of the event flow, having been generated for a predetermined period, to generate, for a given event of the given event sequence, a respective internal event, the respective internal event being format-invariant to other events in the event flow;
applying, to the respective internal event, a plurality of signature-based rules to determine at least one internal state marker of the given host associated with the given event of the given event sequence,
the respective internal state marker being indicative of a then current state of the given host during an occurrence of the given event of the given event sequence; and
respective internal state markers associated with the given event sequence being indicative of whether the given event sequence is associated with the malicious activity or not;
feeding the respective internal state markers to a trained machine-learning algorithm (MLA) to determine a prediction outcome thereof of whether the given event sequence is associated with the malicious activity,
the trained MLA having been trained to determine whether the given event sequence is associated with the malicious activity using a training set of data comprising: (i) arrays of training internal state markers associated with training event sequences; and (ii) a respective label assigned to each of the training event sequences, the respective label for a given training event sequence being indicative of whether the given training event sequence is associated with the malicious activity or not;
in response to the prediction outcome exceeding a predetermined threshold value, determining that the given event sequence having occurred at the given host is associated with the malicious activity; and
generating a report including the prediction outcome for presentation thereof to a user.
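The claimed pipeline end to end (host-specific events normalised to format-invariant internal events, signature-based rules producing an array of internal state markers, a model trained on labelled marker arrays, a threshold on its prediction outcome, and a per-host report), as an added Python example that is not part of the patent. The two event formats, the three rules, the sample events and the labelled training set are constructed for illustration, and a small logistic regression stands in for the trained MLA.

```python
import json, math
# Constructed raw events from two hosts in host-specific formats (Sysmon-like JSON, auditd-like key=value).
RAW = [
    r'{"host":"ws-01","utc":1,"EventID":1,"Image":"WINWORD.EXE","Child":"cmd.exe"}',
    r'{"host":"ws-01","utc":2,"EventID":1,"Image":"cmd.exe","Child":"powershell.exe"}',
    r'{"host":"ws-01","utc":3,"EventID":13,"Image":"powershell.exe","Target":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"}',
    "host=srv-02 ts=1 type=EXECVE comm=bash child=ls",
]
OFFICE, SHELLS = {"winword.exe", "excel.exe"}, {"cmd.exe", "powershell.exe", "bash", "sh"}
def to_internal(line):  # host-specific event -> format-invariant internal event (host, t, kind, actor, target)
    if line.startswith("{"):  # Sysmon-like JSON
        e = json.loads(line)
        return {"host": e["host"], "t": e["utc"], "kind": {1: "proc_create", 13: "reg_set"}.get(e["EventID"], "other"),
                "actor": e["Image"].lower(), "target": (e.get("Child") or e.get("Target") or "").lower()}
    kv = dict(p.split("=", 1) for p in line.split())  # auditd-like key=value
    return {"host": kv["host"], "t": int(kv["ts"]), "kind": "proc_create" if kv["type"] == "EXECVE" else "other",
            "actor": kv["comm"], "target": kv.get("child", "")}

# Signature-based rules over internal events; each rule yields one internal state marker (0/1) per sequence.
RULES = {
    "office_spawned_shell": lambda e: e["kind"] == "proc_create" and e["actor"] in OFFICE and e["target"] in SHELLS,
    "shell_chain": lambda e: e["kind"] == "proc_create" and e["actor"] in SHELLS and e["target"] in SHELLS,
    "run_key_persistence": lambda e: e["kind"] == "reg_set" and "\\run\\" in e["target"],
}
def markers(seq):  # array of internal state markers: 1 if any event of the sequence fires the rule
    return [int(any(rule(e) for e in seq)) for rule in RULES.values()]
def predict(model, x):  # logistic-regression score in [0, 1]; stands in for the MLA's prediction outcome
    w, b = model
    return 1 / (1 + math.exp(-(sum(wi * xi for wi, xi in zip(w, x)) + b)))
def train(rows, epochs=800, lr=1.0):  # batch gradient descent on (marker array, label) rows
    w, b = [0.0] * len(RULES), 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * len(w), 0.0
        for x, y in rows:
            g = predict((w, b), x) - y
            gw, gb = [gi + g * xi for gi, xi in zip(gw, x)], gb + g
        w, b = [wi - lr * gi / len(rows) for wi, gi in zip(w, gw)], b - lr * gb / len(rows)
    return w, b
# Constructed labelled training set: a sequence carrying two or more markers is labelled malicious.
TRAIN = [([a, b, c], int(a + b + c >= 2)) for a in (0, 1) for b in (0, 1) for c in (0, 1)]
MODEL = train(TRAIN)

def detect(raw_lines, model=MODEL, threshold=0.5):  # normalise, order, mark, score, threshold, report
    by_host = {}
    for e in map(to_internal, raw_lines): by_host.setdefault(e["host"], []).append(e)
    report = {}
    for host, seq in by_host.items():
        m = markers(sorted(seq, key=lambda e: e["t"])); s = predict(model, m)  # one marker array per host
        report[host] = {"markers": dict(zip(RULES, m)), "score": round(s, 3), "malicious": s > threshold}
    return report
```

Calling `detect(RAW)` flags ws-01 (all three markers set) and clears srv-02 (none set); a single marker on its own stays below the threshold because the training labels only mark combinations as malicious.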