System and method for determining a file-access pattern and detecting ransomware attacks in at least one computer network
Abstract
Systems and methods of determining file-access patterns in at least one computer network, the network comprising a file-access server, including training a first machine learning (ML) algorithm with a first training dataset comprising vectors representing network traffic such that the first ML algorithm learns to determine network characteristics associated with file-access traffic, determining, using the first ML algorithm, network characteristics based on highest interaction of traffic with the file-access server compared to other interactions in the at least one computer network, and determining file-access patterns in the at least one computer network based on the network characteristics associated with file-access traffic.
Claims
exact text as granted — not AI-modified1 . A method of determining file-access patterns in at least one computer network, the network comprising a file-access server, the method comprising:
training, by a processor in communication with the computer network, a first machine learning (ML) algorithm with a first training dataset comprising vectors representing network traffic such that the first ML algorithm learns to determine network characteristics associated with file-access traffic; using the first ML algorithm, determining, by the processor, network characteristics based on highest interaction of traffic with the file-access server compared to other interactions in the at least one computer network; and determining, by the processor, file-access patterns in the at least one computer network based on the network characteristics associated with file-access traffic.
2 . The method of claim 1 , further comprising:
training, by the processor, a second ML algorithm with a second training dataset comprising vectors representing network traffic such that the second ML algorithm identifies a file-access anomaly in the sampled network traffic based on the network characteristics learned by the first ML algorithm; determining, by the processor, a normalized difference between a new input vector representing sampled network traffic and the vectors in the second training dataset, wherein the anomaly is identified when a normalized difference that is larger than difference between the new input vector and the vectors in the second training dataset is determined.
3 . The method of claim 1 , further comprising:
training, by the processor, a third ML algorithm with a third training dataset comprising vectors representing network traffic such that the third ML algorithm detects at least one ransom attack property based on at least one communication pattern in the anomaly sampled network traffic, when the third ML algorithm receives a new input vector not in the third training dataset and representing sampled network traffic; and applying the third ML algorithm on the sampled network traffic, wherein the at least one ransom attack property is determined based on highest interaction frequency with the file-access server.
4 . The method of claim 1 , further comprising applying an active learning mechanism to update at least one detection model based on a user feedback loop.
5 . The method of claim 1 , wherein the sampled network traffic is sampled on a network attached storage (NAS).
6 . The method of claim 1 , wherein the sampled network traffic comprises vectors each representing a different time interval.
7 . A method of determining an anomaly in at least one computer network, the network comprising a file-access server, the method comprising:
training, by a processor in communication with the computer network, a second ML algorithm with a second training dataset comprising vectors representing network traffic such that the second ML algorithm identifies a file-access anomaly in the sampled network traffic based on network characteristics associated with file-access traffic; and determining, by the processor, a normalized difference between a new input vector representing sampled network traffic and the vectors in the second training dataset, wherein the anomaly is identified when a normalized difference that is larger than difference between the new input vector and the vectors in the second training dataset is determined.
8 . The method of claim 7 , wherein the second ML algorithm comprises at least one of: an auto-encoder deep-learning network architecture and a generative adversarial network (GAN) architecture.
9 . The method of claim 7 , wherein the second ML algorithm is trained for input reconstruction, and wherein the second ML algorithm outputs a larger normalized loss for anomaly input in file-access traffic than for file-access traffic without anomalies.
10 . The method of claim 7 , further comprising normalizing, by the processor, a loss determined by the second ML algorithm based on the output of the first ML algorithm for the new input vector, wherein the output of the first ML algorithm is different from the output of the second ML algorithm for the second training dataset, and wherein the second ML algorithm is configured to allow a model trained in one installation to serve as a base model in another installation by normalizing the loss vectors of each installation.
11 . The method of claim 7 , further comprising:
training, by a processor in communication with the computer network, a first machine learning (ML) algorithm with a first training dataset comprising vectors representing network traffic such that the first ML algorithm learns to determine network characteristics associated with file-access traffic; using the first ML algorithm, determining, by the processor, network characteristics based on highest interaction of traffic with the file-access server compared to other interactions in the at least one computer network; and determining, by the processor, file-access patterns in the at least one computer network based on the network characteristics associated with file-access traffic.
12 . The method of claim 7 , further comprising:
training, by the processor, a third ML algorithm with a third training dataset comprising vectors representing network traffic such that the third ML algorithm detects at least one ransom attack property based on at least one communication pattern in the anomaly sampled network traffic, when the third ML algorithm receives a new input vector not in the third training dataset and representing sampled network traffic; and applying the third ML algorithm on the sampled network traffic, wherein the at least one ransom attack property is determined based on highest interaction frequency with the file-access server.
13 . The method of claim 7 , further comprising applying an active learning mechanism to update at least one detection model based on a user feedback loop.
14 . The method of claim 7 , wherein the sampled network traffic is sampled on a network attached storage (NAS).
15 . The method of claim 7 , wherein the sampled network traffic comprises vectors each representing a different time interval.
16 . A method of determining at least one ransom attack property in at least one computer network, the network comprising a file-access server, the method comprising:
training, by a processor in communication with the computer network, a third ML algorithm with a third training dataset comprising vectors representing network traffic such that the third ML algorithm detects at least one ransom attack property based on at least one communication pattern in a sampled network traffic, when the third ML algorithm receives a new input vector not in the third training dataset and representing sampled network traffic; and applying the third ML algorithm on the sampled network traffic, wherein the at least one ransom attack property is determined based on highest interaction frequency with the file-access server.
17 . The method of claim 16 , further comprising:
training, by the processor, a first machine learning (ML) algorithm with a first training dataset comprising vectors representing network traffic such that the first ML algorithm learns to determine network characteristics associated with file-access traffic; using the first ML algorithm, determining, by the processor, network characteristics based on highest interaction of traffic with the file-access server compared to other interactions in the at least one computer network; and determining, by the processor, file-access patterns in the at least one computer network based on the network characteristics associated with file-access traffic.
18 . The method of claim 16 , further comprising:
training, by the processor, a second ML algorithm with a second training dataset comprising vectors representing network traffic such that the second ML algorithm identifies a file-access anomaly in the sampled network traffic based on the network characteristics learned by the first ML algorithm; determining, by the processor, a normalized difference between a new input vector representing sampled network traffic and the vectors in the second training dataset, wherein the anomaly is identified when a normalized difference that is larger than difference between the new input vector and the vectors in the second training dataset is determined.
19 . The method of claim 16 , further comprising applying an active learning mechanism to update at least one detection model based on a user feedback loop.
20 . The method of claim 16 , wherein the sampled network traffic comprises vectors each representing a different time interval.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.