US2023370481A1PendingUtilityA1

System and method for determining a file-access pattern and detecting ransomware attacks in at least one computer network

66
Assignee: TWEENZNET LTDPriority: Nov 26, 2019Filed: Jul 13, 2023Published: Nov 16, 2023
Est. expiryNov 26, 2039(~13.4 yrs left)· nominal 20-yr term from priority
G06N 3/0475G06N 3/0455G06N 3/091G06N 3/094G06N 3/096G06N 3/0442G06N 3/09H04L 63/1416H04L 63/1425G06N 3/08H04L 67/1097G06N 3/088G06N 3/045
66
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Systems and methods of determining file-access patterns in at least one computer network, the network comprising a file-access server, including training a first machine learning (ML) algorithm with a first training dataset comprising vectors representing network traffic such that the first ML algorithm learns to determine network characteristics associated with file-access traffic, determining, using the first ML algorithm, network characteristics based on highest interaction of traffic with the file-access server compared to other interactions in the at least one computer network, and determining file-access patterns in the at least one computer network based on the network characteristics associated with file-access traffic.

Claims

exact text as granted — not AI-modified
1 . A method of determining file-access patterns in at least one computer network, the network comprising a file-access server, the method comprising:
 training, by a processor in communication with the computer network, a first machine learning (ML) algorithm with a first training dataset comprising vectors representing network traffic such that the first ML algorithm learns to determine network characteristics associated with file-access traffic;   using the first ML algorithm, determining, by the processor, network characteristics based on highest interaction of traffic with the file-access server compared to other interactions in the at least one computer network; and   determining, by the processor, file-access patterns in the at least one computer network based on the network characteristics associated with file-access traffic.   
     
     
         2 . The method of  claim 1 , further comprising:
 training, by the processor, a second ML algorithm with a second training dataset comprising vectors representing network traffic such that the second ML algorithm identifies a file-access anomaly in the sampled network traffic based on the network characteristics learned by the first ML algorithm;   determining, by the processor, a normalized difference between a new input vector representing sampled network traffic and the vectors in the second training dataset, wherein the anomaly is identified when a normalized difference that is larger than difference between the new input vector and the vectors in the second training dataset is determined.   
     
     
         3 . The method of  claim 1 , further comprising:
 training, by the processor, a third ML algorithm with a third training dataset comprising vectors representing network traffic such that the third ML algorithm detects at least one ransom attack property based on at least one communication pattern in the anomaly sampled network traffic, when the third ML algorithm receives a new input vector not in the third training dataset and representing sampled network traffic; and   applying the third ML algorithm on the sampled network traffic,   wherein the at least one ransom attack property is determined based on highest interaction frequency with the file-access server.   
     
     
         4 . The method of  claim 1 , further comprising applying an active learning mechanism to update at least one detection model based on a user feedback loop. 
     
     
         5 . The method of  claim 1 , wherein the sampled network traffic is sampled on a network attached storage (NAS). 
     
     
         6 . The method of  claim 1 , wherein the sampled network traffic comprises vectors each representing a different time interval. 
     
     
         7 . A method of determining an anomaly in at least one computer network, the network comprising a file-access server, the method comprising:
 training, by a processor in communication with the computer network, a second ML algorithm with a second training dataset comprising vectors representing network traffic such that the second ML algorithm identifies a file-access anomaly in the sampled network traffic based on network characteristics associated with file-access traffic; and   determining, by the processor, a normalized difference between a new input vector representing sampled network traffic and the vectors in the second training dataset, wherein the anomaly is identified when a normalized difference that is larger than difference between the new input vector and the vectors in the second training dataset is determined.   
     
     
         8 . The method of  claim 7 , wherein the second ML algorithm comprises at least one of: an auto-encoder deep-learning network architecture and a generative adversarial network (GAN) architecture. 
     
     
         9 . The method of  claim 7 , wherein the second ML algorithm is trained for input reconstruction, and wherein the second ML algorithm outputs a larger normalized loss for anomaly input in file-access traffic than for file-access traffic without anomalies. 
     
     
         10 . The method of  claim 7 , further comprising normalizing, by the processor, a loss determined by the second ML algorithm based on the output of the first ML algorithm for the new input vector, wherein the output of the first ML algorithm is different from the output of the second ML algorithm for the second training dataset, and wherein the second ML algorithm is configured to allow a model trained in one installation to serve as a base model in another installation by normalizing the loss vectors of each installation. 
     
     
         11 . The method of  claim 7 , further comprising:
 training, by a processor in communication with the computer network, a first machine learning (ML) algorithm with a first training dataset comprising vectors representing network traffic such that the first ML algorithm learns to determine network characteristics associated with file-access traffic;   using the first ML algorithm, determining, by the processor, network characteristics based on highest interaction of traffic with the file-access server compared to other interactions in the at least one computer network; and   determining, by the processor, file-access patterns in the at least one computer network based on the network characteristics associated with file-access traffic.   
     
     
         12 . The method of  claim 7 , further comprising:
 training, by the processor, a third ML algorithm with a third training dataset comprising vectors representing network traffic such that the third ML algorithm detects at least one ransom attack property based on at least one communication pattern in the anomaly sampled network traffic, when the third ML algorithm receives a new input vector not in the third training dataset and representing sampled network traffic; and   applying the third ML algorithm on the sampled network traffic,   wherein the at least one ransom attack property is determined based on highest interaction frequency with the file-access server.   
     
     
         13 . The method of  claim 7 , further comprising applying an active learning mechanism to update at least one detection model based on a user feedback loop. 
     
     
         14 . The method of  claim 7 , wherein the sampled network traffic is sampled on a network attached storage (NAS). 
     
     
         15 . The method of  claim 7 , wherein the sampled network traffic comprises vectors each representing a different time interval. 
     
     
         16 . A method of determining at least one ransom attack property in at least one computer network, the network comprising a file-access server, the method comprising:
 training, by a processor in communication with the computer network, a third ML algorithm with a third training dataset comprising vectors representing network traffic such that the third ML algorithm detects at least one ransom attack property based on at least one communication pattern in a sampled network traffic, when the third ML algorithm receives a new input vector not in the third training dataset and representing sampled network traffic; and   applying the third ML algorithm on the sampled network traffic,   wherein the at least one ransom attack property is determined based on highest interaction frequency with the file-access server.   
     
     
         17 . The method of  claim 16 , further comprising:
 training, by the processor, a first machine learning (ML) algorithm with a first training dataset comprising vectors representing network traffic such that the first ML algorithm learns to determine network characteristics associated with file-access traffic;   using the first ML algorithm, determining, by the processor, network characteristics based on highest interaction of traffic with the file-access server compared to other interactions in the at least one computer network; and   determining, by the processor, file-access patterns in the at least one computer network based on the network characteristics associated with file-access traffic.   
     
     
         18 . The method of  claim 16 , further comprising:
 training, by the processor, a second ML algorithm with a second training dataset comprising vectors representing network traffic such that the second ML algorithm identifies a file-access anomaly in the sampled network traffic based on the network characteristics learned by the first ML algorithm;   determining, by the processor, a normalized difference between a new input vector representing sampled network traffic and the vectors in the second training dataset, wherein the anomaly is identified when a normalized difference that is larger than difference between the new input vector and the vectors in the second training dataset is determined.   
     
     
         19 . The method of  claim 16 , further comprising applying an active learning mechanism to update at least one detection model based on a user feedback loop. 
     
     
         20 . The method of  claim 16 , wherein the sampled network traffic comprises vectors each representing a different time interval.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.