US 12,341,801 B2
System and method of anomaly detection with configuration-related activity profiles
Alexander Tormasov, Bremen (DE); Serg Bell, Singapore (SG); and Stanislav Protasov, Singapore (SG)
Assigned to Acronis International GmbH, Schaffhausen (CH)
Filed by Acronis International GmbH, Schaffhausen (CH)
Filed on Dec. 16, 2022, as Appl. No. 18/067,019.
Prior Publication US 2024/0205256 A1, Jun. 20, 2024
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1433 (2013.01) [H04L 63/1416 (2013.01); H04L 63/1441 (2013.01)] 20 Claims
 
1. A computer implemented method of anomaly detection with configuration-related activity profiles, the method executed on a processor, the method comprising:
a. testing a threat samples collection in a secure testing environment, comprising:
i. analyzing a known threat sample in the secure testing environment;
ii. collecting system events generated in the course of threat-sample operation on a test shared network asset;
iii. collecting system configuration parameters changed in the course of the threat-sample operation on a shared network asset linked to a test endpoint;
b. filling a threat-pattern database with configuration-related activity profiles, further comprising:
i. extracting a feature set of tested threat samples from the collected system events generated and the collected system configuration parameters changed, wherein the feature set characterizes a malicious configuration-related activity profile by a minimum subset of collected system events and collected configuration parameters changed that define a given tested threat sample;
ii. encoding the extracted feature set in a format for threat detector processing, wherein the encoding is based on a type of the threat detector; and
iii. filling the threat-pattern database with encoded feature sets for a threat detector;
c. detecting an anomalous configuration-related activity at the threat detector in a corporate network, comprising:
i. collecting system events of a shared network asset of the corporate network;
ii. collecting system configuration parameters of endpoints of the corporate network from backup archives, each backup archive including a plurality of historical copies of the system configuration parameters for an endpoint, wherein at least one of the collected system configuration parameters is related to a prior system configuration earlier than a current system configuration;
iii. determining a list of linked endpoints and shared network assets; and
iv. detecting anomalous configuration-related activity on the linked endpoints and the shared network assets by analyzing system events and system configuration parameters of the linked endpoints and the shared network assets; and
d. in response to the detected anomalous configuration-related activity, changing a security policy of the endpoint, blocking a network connection, terminating a malicious process, quarantining the endpoint, or deleting a file from the endpoint.
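The four claimed steps, worked through as a small added Python model. This is illustrative code written for this page, not the patent's reference implementation or Acronis product code. Sandbox step (a) is represented by constructed events and configuration snapshots; step (b) keeps only the configuration changes and the event actions absent from a benign baseline run, and encodes them either as a set or as a presence vector depending on the detector type; step (c) recovers configuration changes from an endpoint's ordered backup history, links endpoints to shared assets through the asset events, and scores each stored pattern by the fraction of its terms observed; step (d) maps the score to one of the claimed responses. All endpoint names, event actions, parameter names, the 0.67 threshold and the response mapping are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

Config = Dict[str, str]      # one configuration snapshot: parameter name -> value
Signature = FrozenSet[str]   # encoded feature set as stored in the threat-pattern database


@dataclass(frozen=True)
class Event:
    """One system event: which endpoint performed which action on which shared asset."""
    endpoint: str
    asset: str
    action: str


def config_changes(history: List[Config]) -> FrozenSet[str]:
    """Parameters whose value changed anywhere across an ordered snapshot history
    (a backup archive with several historical copies). Encoded as 'name=new_value'."""
    changed = set()
    for before, after in zip(history, history[1:]):
        changed.update(f"{k}={v}" for k, v in after.items() if before.get(k) != v)
    return frozenset(changed)


def extract_feature_set(sample_events: Iterable[Event], cfg_history: List[Config],
                        benign_events: Iterable[Event]) -> Signature:
    """Step (b)(i): the minimal subset that defines the sample: its configuration changes
    plus the event actions never seen in the benign baseline run."""
    benign_actions = {e.action for e in benign_events}
    actions = frozenset(f"evt:{e.action}" for e in sample_events if e.action not in benign_actions)
    return actions | frozenset(f"cfg:{c}" for c in config_changes(cfg_history))


def encode_for_detector(features: Signature, detector_type: str, vocab: List[str]):
    """Step (b)(ii): encoding depends on the detector. A set-matching detector takes the
    set itself; a vector detector takes a 0/1 presence vector over a fixed vocabulary."""
    if detector_type == "set":
        return features
    if detector_type == "vector":
        return tuple(1 if term in features else 0 for term in vocab)
    raise ValueError(f"unknown detector type {detector_type!r}")


def link_endpoints_to_assets(events: Iterable[Event]) -> Dict[str, FrozenSet[str]]:
    """Step (c)(iii): endpoint -> shared assets it has touched, derived from asset events."""
    links: Dict[str, set] = {}
    for e in events:
        links.setdefault(e.endpoint, set()).add(e.asset)
    return {ep: frozenset(assets) for ep, assets in links.items()}


def detect(threat_db: Dict[str, Signature], asset_events: List[Event],
           backups: Dict[str, List[Config]],
           threshold: float = 0.67) -> List[Tuple[str, str, float, Tuple[str, ...]]]:
    """Step (c)(iv): combine each endpoint's configuration changes (from its backup history)
    with the actions it performed on shared assets, then score every stored signature by the
    fraction of its terms observed. Returns (endpoint, pattern, score, linked assets)."""
    links = link_endpoints_to_assets(asset_events)
    hits = []
    for endpoint, history in backups.items():
        observed = {f"cfg:{c}" for c in config_changes(history)}
        observed |= {f"evt:{e.action}" for e in asset_events if e.endpoint == endpoint}
        for name, sig in threat_db.items():
            score = len(sig & observed) / len(sig) if sig else 0.0
            if score >= threshold:
                hits.append((endpoint, name, round(score, 2), tuple(sorted(links.get(endpoint, ())))))
    return hits


def respond(hit: Tuple[str, str, float, Tuple[str, ...]]) -> str:
    """Step (d): choose one of the claimed responses. Assumed mapping: a full match
    quarantines the endpoint, a partial match changes its security policy."""
    endpoint, _, score, _ = hit
    return f"quarantine {endpoint}" if score >= 1.0 else f"tighten security policy on {endpoint}"


# ---- constructed sample data (not taken from the patent) ----------------------------
SANDBOX_BENIGN = [Event("test-ep", "test-share", "smb_read"),
                  Event("test-ep", "test-share", "smb_write")]
SANDBOX_SAMPLE = [Event("test-ep", "test-share", "smb_write"),
                  Event("test-ep", "test-share", "smb_rename")]
SANDBOX_CFG = [{"shadow_copies": "enabled", "realtime_av": "on"},
               {"shadow_copies": "disabled", "realtime_av": "off"}]
THREAT_DB = {"sample_A": encode_for_detector(
    extract_feature_set(SANDBOX_SAMPLE, SANDBOX_CFG, SANDBOX_BENIGN), "set", [])}

CORP_EVENTS = [Event("ws-01", "fileshare", "smb_write"), Event("ws-01", "fileshare", "smb_rename"),
               Event("ws-02", "fileshare", "smb_read")]
CORP_BACKUPS = {  # ordered oldest -> newest; ws-01's latest copy shows the protective settings flipped
    "ws-01": [{"shadow_copies": "enabled", "realtime_av": "on"},
              {"shadow_copies": "enabled", "realtime_av": "on"},
              {"shadow_copies": "disabled", "realtime_av": "off"}],
    "ws-02": [{"shadow_copies": "enabled", "realtime_av": "on"},
              {"shadow_copies": "enabled", "realtime_av": "on"}],
}


def run_demo():
    hits = detect(THREAT_DB, CORP_EVENTS, CORP_BACKUPS)
    return hits, [respond(h) for h in hits]


if __name__ == "__main__":
    print(run_demo())
```

With this data the stored signature for `sample_A` has three terms (two configuration changes and the `smb_rename` action); ws-01 reproduces all three and is quarantined, while ws-02 shows no configuration drift and only a baseline action, so it scores zero. Scoring by fraction of matched terms rather than exact equality is what lets a detector flag a variant that reproduces most of a profile.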