DETECTION OF MALICIOUS ACTIVITY ON ENDPOINT COMPUTERS BY UTILIZING ANOMALY DETECTION IN WEB ACCESS PATTERNS, IN ORGANIZATIONAL ENVIRONMENTS


Bibliographic Details
Main Authors: Mimran, David; Lehman, Heiko; Brodt, Oleg; Shabtai, Asaf; Elovici, Yuval; Vaisman, Yizhak; Cohen, Dvir
Format: Patent
Language: English, French, German
Published: 25.10.2023

Summary: A system for detecting malicious activity on endpoint computers by utilizing anomaly detection in web access patterns in organizational environments, comprising: a data collection and preprocessing module for collecting, aggregating and transforming received log data into temporal website sequences of length n, such that each sequence belongs to a specific user; an LSTM training module for feeding each sequence, including the sequence's machine ID, to a neural network that performs a training phase and predicts the next website in the sequence; an anomaly detection module that, after the LSTM is trained and is able to predict the next token correctly, feeds all the sequences into the LSTM once again, the LSTM providing for every sequence a "probability score" representing how probable the sequence is, such that if the probability score is above a predetermined threshold t, the sequence is decided to be suspicious; a benign-URL remover, being a pre-trained classifier, for classifying each website as malicious or benign, filtering a benign website out if it appears in a malicious sequence, and ignoring the user if most of the suspicious websites of that user are classified as benign; and an alerting module for providing alerts upon detecting malicious activity.
Bibliography: Application Number EP20210218261