US 12,348,547 B2
Supply chain attack detection
Yuval Zan, Givatayim (IL); Erez Levy, Ganey Tikva (IL); Dor Agron, Ramat Hasharon (IL); Yarom Dadon, Tel Aviv (IL); and Chen Evgi, Lod (IL)
Assigned to Palo Alto Networks Israel Services Ltd, Tel-Aviv (IL)
Filed by Palo Alto Networks (Israel Analytics) Ltd., Tel Aviv (IL)
Filed on Feb. 29, 2024, as Appl. No. 18/591,004.
Application 18/591,004 is a continuation of application No. 17/857,196, filed on Jul. 5, 2022, granted, now 11,968,222.
Prior Publication US 2024/0205254 A1, Jun. 20, 2024
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 29/06 (2006.01); H04L 9/40 (2022.01); H04L 41/0681 (2022.01)
CPC H04L 63/1425 (2013.01) [H04L 41/0681 (2013.01)]
21 Claims
1. A method, comprising:
identifying multiple host computers deployed in respective sources and executing respective instances of a specific software application, each given instance on each given host computer comprising a set of program instructions loaded, by the host computer, from a respective storage device;
collecting, from the host computers, information on actions performed by the executing instances;
computing features based on the information collected from the multiple host computers, the features including one or more global features, which are not specific to any of the sources, and one or more local features, which are specific to respective ones of the sources, wherein at least one of the features combines multiple ones of the local features specific to respective ones of the sources;
comparing, by a processor, the collected information for a given instance to the features so as to classify the given instance as benign or suspicious; and
generating an alert for the given instance only upon classifying the given instance as suspicious.
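
The steps of claim 1 can be walked through on a small data set. The following is an added illustration, not code from the patent or from Palo Alto Networks; the claim does not define concrete features, so the three features used here (global prevalence of an action, per-source prevalence, and the number of sources in which an action is locally common), the thresholds, and all source, host and action names are assumptions.

```python
from collections import defaultdict

# Constructed telemetry for one application: (source, host, action).
# One instance per host; sources, hosts and actions are made up.
def _mk(source, hosts, actions):
    return [(source, h, a) for h in hosts for a in actions]

BASE = ["read_config", "connect:update"]
EVENTS = (
    _mk("acme", ["a1", "a2", "a3", "a4"], BASE)
    + _mk("beta", ["b1", "b2", "b3", "b4"], BASE + ["connect:beta-proxy"])
    + _mk("gamma", ["g1", "g2", "g3", "g4"], BASE)
    + [("gamma", "g3", "spawn:shell")]
)
GLOBAL_COMMON = 0.5  # assumed: share of all instances
LOCAL_COMMON = 0.5   # assumed: share of instances within one source
MIN_SOURCES = 2      # assumed: sources where the action is locally common

def compute_features(events):
    hosts_by_source, doers = defaultdict(set), defaultdict(set)
    for source, host, action in events:
        hosts_by_source[source].add(host)
        doers[action].add((source, host))
    total = sum(len(h) for h in hosts_by_source.values())
    global_prev, local_prev, spread = {}, {}, {}
    for action, who in doers.items():
        global_prev[action] = len(who) / total           # global feature
        for source, hosts in hosts_by_source.items():    # local features
            n = sum(1 for s, _ in who if s == source)
            local_prev[(source, action)] = n / len(hosts)
        # Feature combining the local features of several sources.
        spread[action] = sum(1 for s in hosts_by_source
                             if local_prev[(s, action)] >= LOCAL_COMMON)
    return global_prev, local_prev, spread

def classify(source, actions, feats):
    global_prev, local_prev, spread = feats
    unexplained = sorted(
        a for a in actions
        if global_prev.get(a, 0.0) < GLOBAL_COMMON
        and local_prev.get((source, a), 0.0) < LOCAL_COMMON
        and spread.get(a, 0) < MIN_SOURCES)
    return ("suspicious" if unexplained else "benign"), unexplained

def alerts(events):
    """Return (source, host, unexplained actions) for suspicious instances only."""
    feats, per_instance = compute_features(events), defaultdict(set)
    for source, host, action in events:
        per_instance[(source, host)].add(action)
    verdicts = ((k, classify(k[0], acts, feats)) for k, acts in sorted(per_instance.items()))
    return [(s, h, why) for (s, h), (v, why) in verdicts if v == "suspicious"]
```

The proxy connection is benign on `beta` hosts because it is locally common there, while the same action on an `acme` host, or the lone `spawn:shell` on `g3`, is explained by none of the three features and is classified as suspicious.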