US Pat. No. 9,465,850

METRIC GATHERING AND REPORTING SYSTEM FOR IDENTIFYING DATABASE PERFORMANCE AND THROUGHPUT PROBLEMS

SECUREWORKS CORP., Wilmi...

1. A reporting server comprising:
a memory; and
a processor in communication with the memory and operable to:
normalize a variable of a first query running on a first database, wherein the first query is included in a query list in
a second database;

analyze the second database to find a second query in the query list, wherein the second query is found based upon the normalized
first query;

report the second query to a user, wherein the reporting is based upon the analyzing of the second database to find the second
query; and

determine a first loading on a first database based upon a first frequency of occurrence of the second query and upon a first
duration of the second query.

US Pat. No. 9,338,180

SYSTEM AND METHOD FOR IDENTIFICATION AND BLOCKING OF UNWANTED NETWORK TRAFFIC

SecureWorks Corp., Atlan...

1. A method comprising:
receiving at a network protection system a first alert from a first intrusion detection system associated with a first protected
network, wherein the first alert is triggered by first network traffic that is evaluated by the first intrusion detection
system and that is determined to match a first signature that is associated with undesired network behavior;

receiving at the network protection system a second alert from a second intrusion detection system associated with a second
protected network, wherein the second alert is triggered by second network traffic that is evaluated by the second intrusion
detection system and that is determined to match the first signature;

determining a source of the network traffic that triggered the first alert and the second alert;
grouping at the network protection system the first alert and the second alert into an alert group based upon a common characteristic
between the first alert and the second alert;

assigning a determination to the alert group, the determination indicating a threat level associated with the alert group;
generating an entry in an undesired source database based on the alert group, the entry comprising a first Internet Protocol
(IP) address associated with the first alert; and

providing the undesired source database to the first intrusion detection system and to the second intrusion detection system,
such that the first intrusion detection system and the second intrusion detection system are configured to block network traffic
that originates from the first IP address.

US Pat. No. 9,961,107

SYSTEM AND METHOD FOR DETECTING AND MONITORING PERSISTENT EVENTS

SECUREWORKS CORP., Wilmi...

1. A method of monitoring an information handling system, comprising:
inspecting a persistence location to identify a persistent entry of an executable, the persistent entry causing the executable to be launched automatically when the information handling system boots, when a user logs in, or when a trigger event occurs;
identifying a change in or addition of the persistent entry;
determining if the persistent entry changes when or how the executable is triggered; and
when the persistent entry is not a change in when or how a previously logged executable is triggered:
logging the persistent entry of the executable;
evaluating the executable based on a set of rules;
determining the executable is malicious or compromised; and
removing the persistent entry when the executable is determined to be malicious or compromised.

US Pat. No. 9,426,226

SYSTEM AND METHOD FOR AS NEEDED CONNECTION ESCALATION

SecureWorks Corp., Wilmi...

1. A method comprising:
receiving a first command associated with a first privilege level on a managed system;
selecting a first connection between a connection manager and the managed system in response to receiving the first command,
the first connection being associated with the first privilege level;

communicating, by the connection manager, the first command to the managed system via the first connection;
receiving a second command associated with a second privilege level on the managed system, the second privilege level being
a lower privilege level than the first privilege level;

selecting a second connection between the connection manager and the managed system in response to receiving the second command,
the second connection being associated with the second privilege level; and

communicating, by the connection manager, the second command to the managed system via the second connection.

US Pat. No. 9,762,626

SYSTEM AND METHOD FOR AS NEEDED CONNECTION ESCALATION

SECUREWORKS CORP., Wilmi...

1. A method comprising:
receiving, by a connection manager, a first command for a managed system from a command source, the first command associated
with a first privilege level on the managed system;

determining, by the connection manager, that the command source has a first privilege level authorization on the managed system
in response to receiving the first command, the first privilege level authorization being associated with the first privilege
level;

establishing a first connection between the connection manager and the managed system in response to determining that the
command source has the first privilege level authorization on the managed system, the first connection being associated with
the first privilege level;

communicating, by the connection manager, the first command to the managed system via the first connection;
receiving, by the connection manager, a second command for the managed system from the command source, the second command
associated with a second privilege level on the managed system, the second privilege level being a lower privilege level than
the first privilege level;

determining, by the connection manager, that the command source has a second privilege level authorization on the managed system
in response to receiving the second command, the second privilege level authorization being associated with the second privilege
level;

establishing a second connection between the connection manager and the managed system in response to determining that the
command source has the second privilege level authorization on the managed system, the second connection being associated
with the second privilege level; and

communicating, by the connection manager, the second command to the managed system via the second connection.

US Pat. No. 9,628,511

SYSTEM AND METHOD FOR IDENTIFICATION AND BLOCKING OF UNWANTED NETWORK TRAFFIC

SECUREWORKS CORP., Wilmi...

1. A method comprising:
receiving at a network protection system an alert from an intrusion detection system associated with a protected network,
wherein the alert is triggered by network traffic that is evaluated by the intrusion detection system and that is determined
to match a signature that is associated with undesired network behavior;

determining a source of the network traffic that triggered the alert;
grouping at the network protection system the alert into an alert group;
assigning a determination to the alert group, the determination indicating a threat level associated with the alert group;
generating an entry in an undesired source database based on the alert group, the entry including a first Internet Protocol
(IP) address associated with the alert; and

providing the undesired source database to the intrusion detection system, such that the intrusion detection system is configured
to block network traffic that originates from the first IP address.

US Pat. No. 9,560,062

SYSTEM AND METHOD FOR TAMPER RESISTANT RELIABLE LOGGING OF NETWORK TRAFFIC

SECUREWORKS CORP., Wilmi...

1. A network interface device comprising:
a first communication interface coupled to an information handling system;
a second communication interface coupled to a management controller;
a network port coupled to a network;
a memory including first code and second code; and
a processor operable to execute the first code to communicate network data packets between the first communication interface
and the network port, and to execute the second code to:

launch a log module in response to a command from the management controller;
receive, by the log module, a malicious packet marker from the information handling system;
store, by the log module, the malicious packet marker to the memory;
receive, by the log module, a job entry from a management system separate from the management controller, wherein the job
entry is received via the management controller via the second communication interface; and

in response to receiving the job entry, to:
monitor, by the log module, the network data packets flowing between the first communication interface and the network port;
determine, by the log module, that a packet matches the malicious packet marker;
store, by the log module, log information from the packet to the memory in response to determining that the packet matches
the malicious packet marker; and

send, by the log module, the log information to the management controller via the second communication interface.

US Pat. No. 9,973,600

SYSTEM AND METHODS FOR SCALABLE PACKET INSPECTION IN CLOUD COMPUTING

SECUREWORKS CORP., Wilmi...

1. A method for packet inspection in a computer network, comprising:
receiving a plurality of network streams from a plurality of client systems at a first load balancer;
allocating the network streams across a plurality of proxy instances;
inspecting and filtering the network streams by the proxy instances;
forwarding the filtered network streams to a second load balancer;
allocating the filtered network streams to a plurality of application instances; and
processing and responding to the network streams at the application instances;
inspecting and filtering the responses to the network streams by the proxy instances;
forwarding the response to the client systems.

US Pat. No. 10,009,380

SYSTEMS AND METHODS FOR SECURITY CONFIGURATION

SECUREWORKS CORP., Wilmi...

1. A network security device comprising:
a memory configured to:
store a plurality of network events; and
store a set of network filter rules;
a processor configured to:
provide an interface for modifying the set of network rules;
receive a change to a set of network rules;
perform a first simulation of network traffic allowed and denied according to the current set of network rules and a second simulation of network traffic allowed and denied according to the changed set of network rules using at least a portion of the network events;
compare the results of the first and second simulation to identify changes in network traffic allowed and denied between the current set and the changed set of network rules;
calculate an entropy of strings matching a wildcard of a new network rule of the changed set of network rules;
display the changes in allowed and denied traffic for review of the changed set of network rules and the entropy of the new network rule;
receive an instruction to implement the changed set of network rules based on the review; and
filter network traffic according to the changed set of network rules.

US Pat. No. 10,110,589

SYSTEMS AND METHODS FOR TASK ACCESS BEHAVIOR BASED SITE SECURITY

SECUREWORKS CORP., Wilmi...

1. A method for task access behavior based site security, comprising:
characterizing and mapping file accesses by an application and user during operation;
automatically generating a permissions record indicating allowable access to files and directories by the application and user based on the recorded file accesses;
comparing the file access request to a permissions record;
reporting file access requests by an application identified as having an unpatched vulnerability to a master process, wherein the characterizing, the mapping, the generating, the comparing and the reporting are performed by the user space security process; and
intercepting a file access request;
suspending a request process and activating the user space security process;
allowing or denying the file access process request based on the determining by the user space security process, wherein the intercepting, the suspending, the allowing or denying are performed by the hooked OS code;
notifying the user space security processes of an application having an unpatched vulnerability; and
analyzing the file access request to determine if the identified application is compromised, wherein the notifying and the analyzing are performed by the master security process.

US Pat. No. 10,659,498

SYSTEMS AND METHODS FOR SECURITY CONFIGURATION

SecureWorks Corp., Wilmi...

1. A network security device comprising:
a memory configured to:
store a plurality of network events; and
store a set of network filter rules; and
a hardware processor connected to the memory, the hardware processor configured to:
receive a change to a set of network rules;
perform a first simulation of network traffic allowed and denied according to the current set of network rules and a second simulation of network traffic allowed and denied according to the changed set of network rules, the first simulation and second simulation utilizing at least a portion of the network events;
evaluate the use of computational resources during the first and second simulation;
calculate an entropy of strings matching a wildcard of a new network rule of the changed set of network rules to determine if the changed network rule is too broad;
provide an indication of the changes in allowed and denied traffic and the entropy of the new network rule for review of the changed set of network rules;
provide an indication of a performance impact of the changed set of network rules or rejecting the changed set of rules if the performance impact crosses a threshold;
receive an instruction to implement the changed set of network rules based on the review; and
filter network traffic according to the changed set of network rules.

US Pat. No. 10,594,573

SYSTEMS AND METHODS FOR RULE QUALITY ESTIMATION

SecureWorks Corp., Wilmi...

1. A method of assessing the quality of a network filter rule containing a wildcard, comprising:
when the network filter rule is triggered, recording a string matching the wildcard as a wildcard match in a log;
obtaining a plurality of strings from a plurality of wildcard matches for the network filter rule;
determining an instantaneous string entropy for the network filter rule based on the plurality of strings, the instantaneous string entropy being a measure of similarity of the string matches calculated from a histogram of characters in the wildcard matches; and
if the instantaneous entropy for the network filter rule crosses a threshold, flagging the rule as a low quality rule and generating a candidate rule based on a portion of the match having low entropy and a portion of the match having high entropy.

US Pat. No. 10,594,713

SYSTEMS AND METHODS FOR SECURE PROPAGATION OF STATISTICAL MODELS WITHIN THREAT INTELLIGENCE COMMUNITIES

SECUREWORKS CORP., Wilmi...

1. A method of securely propagating analytical models for detection of security threats and/or malicious actions among members of a threat intelligence community, comprising:
determining and encoding attributes of security data common to, accessible by, and/or shared between the members of the threat intelligence community, the attributes including one or more measurements or features selected as indicating, identifying, predicting and/or mitigating potential malicious actions or security threats;
developing or selecting an analytical model for detection of the potential malicious actions or security threats using the encoded attributes of the security data and a derivation data schema;
encrypting the derivation data schema of the model;
translating the model into one or more common exchange formats for sharing the model with at least selected ones of the members of the threat intelligence community;
transmitting the encrypted derivation data schema of the model to the at least selected ones of the members of the threat intelligence community;
after receipt, decoding the derivation data schema at the selected ones of the members of the threat intelligence community and applying the derivation data schema to security data to determine if the encoded attributes are found;
if the encoded attributes are found, applying a remedial or mitigating action.

US Pat. No. 10,587,640

SYSTEM AND METHOD FOR ATTRIBUTION OF ACTORS TO INDICATORS OF THREATS TO A COMPUTER SYSTEM AND PREDICTION OF FUTURE THREAT ACTIONS

SecureWorks Corp., Wilmi...

1. A computer implemented method, the computer having a processor and memory, the method comprising:
detecting by the computer a threat indicator that provides an indication of an attack against a networked system of information handling systems;
representing the threat indicator in part by numerical parameters;
normalizing the numerical parameters;
calculating one or more measures of association between the threat indicator and other threat indicators based upon the normalized numerical parameters;
finding an association of the threat indicator with another threat indicator based upon the one or more measures of association, wherein the other threat indicator provides an indication of another attack, the other attack attributed to a threat actor group;
attributing the attack to the threat actor group based upon the association;
assigning to the threat indicator a probability that the threat actor group caused the attack;
assessing a risk to the networked system based upon the threat actor group and the probability; and
determining a defense posture for the networked system based upon the risk.

US Pat. No. 10,489,720

SYSTEM AND METHOD FOR VENDOR AGNOSTIC AUTOMATIC SUPPLEMENTARY INTELLIGENCE PROPAGATION

SecureWorks Corp., Wilmi...

1. An information handling system comprising:
a storage device configured to store network activity logs from a first set of client systems and a second set of client systems; and
a processor configured to:
receive a security alert from the first set of client systems;
analyze the security alert to obtain a plurality of supplementary indicators;
utilize the supplementary indicators to build a statistical security model; and
analyze activity on the second set of client systems using the statistical security model to identify an additional security event,
wherein the first set of client systems does not include the second set of client systems.

US Pat. No. 10,599,668

ADAPTIVE PARSING AND NORMALIZING OF LOGS AT MSSP

Secureworks Corp., Wilmi...

1. A security system for a network, comprising:
an event management center including at least one processor configured to:
receive security logs including security log data from a plurality of monitored devices;
determine whether one or more parsing scripts or rules are available to parse or normalize the security log data in the received security logs; and
if one or more parsing scripts or rules are available:
apply the one or more parsing scripts or rules to the security log data; and
normalize the security log data and organize the normalized security log data into a structured format; and
if one or more parsing scripts or rules are not available, provide the security data to one or more engines for parsing or normalization thereof, wherein the one or more engines are stored in a memory of or accessible by the at least one processor, and at least one of the engines is configured to:
receive one or more security logs that comprise the security log data in an unrecognized format or include the security log data that is at least partially unparsable by the one or more parsing scripts or rules accessible by the at least one processor;
identify one or more attributes of the security log data;
determine a probability that the one or more identified attributes represent one or more recognized security log entities; and
if the determined probability meets or exceeds a predetermined threshold probability, isolate and/or tag recognized security log entities and organize isolated and/or tagged recognized security log entities into a structured format to generate normalized security logs;
wherein the normalized security logs are reviewable to determine if a security threat has been detected.

US Pat. No. 10,484,423

SYSTEM AND METHOD FOR DETECTING AND MONITORING THREAD CREATION

SecureWorks Corp., Wilmi...

1. A method of monitoring network connections for malicious activity, comprising:
identifying creation of a new thread;
determining the creation of the new thread is a remote thread creation event when a target process and a creating process are different;
logging the remote thread creation event, wherein the logging includes source process information, target process information, and a portion of the data stored at the start address of the thread;
evaluating the new thread based on a set of rules to determine the thread is malicious or compromised, the set of rules including a set of protected processes for which no remote thread injection is allowable;
wherein evaluating the new thread includes comparing the target process to the set of protected processes and determining the thread is malicious or compromised when the target process is in the set of protected processes; and
terminating the new thread when the thread is determined to be malicious.

US Pat. No. 10,645,124

SYSTEM AND METHOD FOR COLLECTION OF FORENSIC AND EVENT DATA

SecureWorks Corp., Wilmi...

1. An endpoint agent for an information handling system, comprising:
a communication engine configured to send forensic and event data, to receive software and configuration updates, and to concatenate forensic and event data from multiple events prior to sending to a cloud service;
a process creation monitor configured to intercept process creation events, record the creation of a process, determine the process is malicious, and terminate the process;
a network monitor configured to collect metadata on traffic flows and results from DNS queries;
a thread injection monitor configured to intercept thread injection events; and
a persistent process monitor configured to identify processes that will launch automatically, to store the identified processes that will launch automatically in a list of persistent events, to detect a change in when or how an executable is triggered to automatically launch, in response to the detection of the change in when or how the executable is triggered to automatically launch, to detect a new persistent event that is not in the list of persistent events, to identify a mechanism by which the new persistent event will be launched, and to report the detected new persistent event to the cloud service.

US Pat. No. 10,635,811

SYSTEM AND METHOD FOR AUTOMATION OF MALWARE UNPACKING AND ANALYSIS

SecureWorks Corp., Wilmi...

1. An information handling system comprising:
a storage configured to store malware samples and malware signatures; and
a processor configured to:
unpack a malware sample;
check for obscurities in the unpacked malware sample, wherein the obscurities include additional packed executable components;
in response to no obscurities being within the unpacked malware sample, compare the malware sample to known malware families, including comparing application program interface usage patterns;
extract a command-and-control domain;
extract encryption keys and communication parameters;
store a malware signature for the malware sample, the malware signature including information required to monitor a network for activity of the malware sample or detect the malware sample on another system; and
provide the command-and-control server addresses, encryption keys, and communication parameters to a botnet tracker.