Crabtree et al.

(10) Patent No.: US 10,783,241 B2
(45) Date of Patent: Sep. 22, 2020

(54) SYSTEM AND METHODS FOR SANDBOXED MALWARE ANALYSIS AND AUTOMATED PATCH DEVELOPMENT, DEPLOYMENT AND VALIDATION
(71) Applicant: QOMPLX, Inc., Reston, VA (US)
(72) Inventors: Jason Crabtree, Vienna, VA (US); Andrew Sellers, Monument, CO (US)
(73) Assignee: QOMPLX, INC., Tysons, VA (US)
(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 209 days.
(21) Appl. No.: 15/887,496
(22) Filed: Feb. 2, 2018
(65) Prior Publication Data: US 2018/0276372 A1, Sep. 27, 2018

Related U.S. Application Data
(63) Continuation-in-part of application No. 15/818,733, filed on Nov. 20, 2017, which is a (Continued)

(51) Int. Cl.: G06F 21/53 (2013.01); G06F 21/56 (2013.01); G06F 21/57 (2013.01); G06F 8/65 (2018.01); G06F 9/455 (2018.01); H04L 29/06 (2006.01) (Continued)
(52) U.S. Cl.: CPC G06F 21/53 (2013.01); G06F 8/65 (2013.01); G06F 9/455 (2013.01); G06F 21/566 (2013.01); G06F 21/577 (2013.01); G06Q 40/08 (2013.01); H04L 63/1425 (2013.01); H04L 63/1433 (2013.01); G06F 2221/033 (2013.01); G06F 2221/2149 (2013.01); G06N 20/00 (2019.01); G06Q 50/01 (2013.01)
(58) Field of Classification Search: CPC G06F 21/53; G06F 9/455; G06F 8/65; G06F 21/577; G06F 21/566; G06F 2221/2149; G06F 2221/033; G06F 11/3058; H04L 63/1433; H04L 63/1425; G06Q 40/08; G06Q 50/01; G06N 20/00. See application file for complete search history.

(56) References Cited
U.S. PATENT DOCUMENTS
6,256,544 B1 7/2001 Weissinger
9,141,360 B1 * 9/2015 Chen ... G06F 8/52
(Continued)
FOREIGN PATENT DOCUMENTS
WO 2014159150 A1 10/2014
WO 2017075543 A1 5/2017

Primary Examiner: Cheng-Feng Huang
(74) Attorney, Agent, or Firm: Brian S. Boon; Brian R. Galvin; Galvin Patent Law LLC

(57) ABSTRACT
A system and methods for sandboxed malware analysis and automated patch development, deployment and validation, that uses a business operating system, vulnerability scoring engine, binary translation engine, sandbox simulation engine, at least one network endpoint, at least one database, a network, and a combination of machine learning and vulnerability probing techniques, to analyze software, locate any vulnerabilities or malicious behavior, and attempt to patch and prevent undesired behavior from occurring, autonomously.

2 Claims, 12 Drawing Sheets
`
`5107
`
`520
`
`5301
`
`540
`
`550
`
`560
`
`Translate target
`file into binary
`
`Transfer translated
`file to sandbox
`environment
`
`Execute file in
`sandbox environment
`
`Examine executing
`software for
`irregularities
`
`Probe for known or
`expected
`vulnerabilities
`
`Learn new behaviors
`based on analysis of
`software
`
`WIZ, Inc. EXHIBIT - 1046
`WIZ, Inc. v. Orca Security LTD. - IPR2024-00220
`
`
`
US 10,783,241 B2
Page 2

Related U.S. Application Data
continuation-in-part of application No. 15/725,274, filed on Oct. 4, 2017, now Pat. No. 10,609,079, which is a continuation-in-part of application No. 15/655,113, filed on Jul. 20, 2017, which is a continuation-in-part of application No. 15/616,427, filed on Jun. 7, 2017, and a continuation-in-part of application No. 15/237,625, filed on Aug. 15, 2016, now Pat. No. 10,248,910, which is a continuation-in-part of application No. 15/206,195, filed on Jul. 8, 2016, which is a continuation-in-part of application No. 15/186,453, filed on Jun. 18, 2016, which is a continuation-in-part of application No. 15/166,158, filed on May 26, 2016, which is a continuation-in-part of application No. 15/141,752, filed on Apr. 28, 2016, which is a continuation-in-part of application No. 15/091,563, filed on Apr. 5, 2016, now Pat. No. 10,204,147, and a continuation-in-part of application No. 14/986,536, filed on Dec. 31, 2015, now Pat. No. 10,210,255, and a continuation-in-part of application No. 14/925,974, filed on Oct. 28, 2015, application No. 15/887,496, which is a continuation-in-part of application No. 15/823,285, filed on Nov. 27, 2017, which is a continuation-in-part of application No. 15/788,718, filed on Oct. 19, 2017, which is a continuation-in-part of application No. 15/788,002, filed on Oct. 19, 2017, which is a continuation-in-part of application No. 15/787,601, filed on Oct. 18, 2017, which is a continuation-in-part of application No. 15/616,427, filed on Jun. 7, 2017, which is a continuation-in-part of application No. 14/925,974, filed on Oct. 28, 2015.
(60) Provisional application No. 62/568,307, filed on Oct. 4, 2017, provisional application No. 62/568,305, filed on Oct. 4, 2017, provisional application No. 62/568,312, filed on Oct. 4, 2017.

(51) Int. Cl.: G06Q 40/08 (2012.01); G06N 20/00 (2019.01); G06Q 50/00 (2012.01)

(56) References Cited
U.S. PATENT DOCUMENTS
2005/0289072 A1 12/2005 Sabharwal
2007/0011659 A1 1/2007 Venolia
2013/0097706 A1 * 4/2013 Titonis ... H04W 12/12, 726/24
2016/0004858 A1 * 1/2016 Chen ... G06F 21/57, 726/17
2016/0028758 A1 1/2016 Ellis et al.
2016/0099960 A1 * 4/2016 Gerritz ... H04L 63/1433, 726/23
2016/0275123 A1 9/2016 Lin et al.
2017/0126712 A1 5/2017 Crabtree et al.
2017/0139763 A1 5/2017 Ellwein
2017/0149802 A1 5/2017 Huang et al.
* cited by examiner
`
`
`
[Sheet 1 of 12, Fig. 1: Sensor Devices 110a, 110b, ... 110n; Network; Web server Engine 115; Data Stream Management Engine 120; Multidimensional Time Series Data Store 125; Data Archive Storage 130; Structured Query Interpreter 135; Administration Device 112]
`
`
`
[Sheet 2 of 12, Fig. 2: business operating system: Client access; High volume web crawler module; Multidimensional time series database; Directed computational graph module; Graph stack service; Decomposable transformer service module; General transformer service module; High bandwidth cloud interface; Action outcome simulation module; Automated planning service module; Observation and state estimation service (reference labels 205-260)]
`
`
`
[Sheet 3 of 12, Fig. 3: Device Endpoints 330; Multi-dimensional time-series database 125; Internet; Task engine 310; Scoring engine 320]
`
`
`
[Sheet 4 of 12, Fig. 4: Business OS 410 with Kernel 411, Binary file translation 412 and Sandbox environment 413; Score generation system 440; Network; Database (labels 420, 430); Device endpoints 450: Endpoint 1 451, Endpoint 2 452, Endpoint n 453]
`
`
`
[Sheet 5 of 12, Fig. 5: 510 Translate target file into binary; 520 Transfer translated file to sandbox environment; 530 Execute file in sandbox environment; 540 Examine executing software for irregularities; 550 Probe for known or expected vulnerabilities; 560 Learn new behaviors based on analysis of software]
`
`
`
[Sheet 6 of 12, Fig. 6 (steps 610-640): Endpoint instrumentation is installed on device; Device data is queried remotely; Device-specific data is sent back to OS; Device testing data is used to analyze potential vulnerabilities for device]
`
`
`
[Sheet 7 of 12, Fig. 7 (steps 710-730): Vulnerabilities and exploits located in executed software are relayed to scoring engine; Vulnerabilities and exploits are scored based on perceived criticality; Most critical vulnerabilities and exploits are scheduled to be patched first]
`
`
`
[Sheet 8 of 12, Fig. 8 (steps 810-840): Business OS attempts various patching and security enhancements on vulnerable software; on Success, patch or enhancement is sent to endpoint for deployment; on Failure, other measures OS learns to try first in similar future instances; OS uses reinforcement learning to test similar measures in the future]
`
`
`
[Sheet 9 of 12, Fig. 9: exemplary hardware architecture of a computing device 10: Processor(s), Local Storage, Interfaces, Remote Storage]
`
`
`
[Sheet 10 of 12, Fig. 10: exemplary logical architecture of a client device 20: Processors 21, OSes 22, Services 23, Clients 24, Memory 25, Storage 26, Outputs, Inputs]
`
`
`
[Sheet 11 of 12, Fig. 11: exemplary arrangement 30 of Network(s) 31, Servers 32, Clients 33, Databases 34, Config 35, Sec. 36, Ext Svcs 37]
`
`
`
[Sheet 12 of 12, Fig. 12: exemplary hardware architecture of a computing device 40: CPU 41, Mem, NVM, Display, I/O, NIC, HDD, PSU, AC (reference labels 42-54)]
`
`
`
SYSTEM AND METHODS FOR SANDBOXED MALWARE ANALYSIS AND AUTOMATED PATCH DEVELOPMENT, DEPLOYMENT AND VALIDATION

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation-in-part of Ser. No. 15/818,733, titled "SYSTEM AND METHOD FOR CYBERSECURITY ANALYSIS AND SCORE GENERATION FOR INSURANCE PURPOSES", filed on Nov. 20, 2017, which is a continuation-in-part of Ser. No. 15/725,274, titled "APPLICATION OF ADVANCED CYBERSECURITY THREAT MITIGATION TO ROGUE DEVICES, PRIVILEGE ESCALATION, AND RISK-BASED VULNERABILITY AND PATCH MANAGEMENT", filed on Oct. 4, 2017, which is a continuation-in-part of U.S. patent application Ser. No. 15/655,113, titled "ADVANCED CYBERSECURITY THREAT MITIGATION USING BEHAVIORAL AND DEEP ANALYTICS", filed on Jul. 20, 2017, which is a continuation-in-part of U.S. patent application Ser. No. 15/616,427, titled "RAPID PREDICTIVE ANALYSIS OF VERY LARGE DATA SETS USING AN ACTOR-DRIVEN DISTRIBUTED COMPUTATIONAL GRAPH", filed on Jun. 7, 2017, and is also a continuation-in-part of U.S. patent application Ser. No. 15/237,625, titled "DETECTION MITIGATION AND REMEDIATION OF CYBERATTACKS EMPLOYING AN ADVANCED CYBER-DECISION PLATFORM", filed on Aug. 15, 2016, which is a continuation-in-part of U.S. patent application Ser. No. 15/206,195, titled "SYSTEM FOR AUTOMATED CAPTURE AND ANALYSIS OF BUSINESS INFORMATION FOR RELIABLE BUSINESS VENTURE OUTCOME PREDICTION", filed on Jul. 8, 2016, which is a continuation-in-part of U.S. patent application Ser. No. 15/186,453, titled "SYSTEM FOR AUTOMATED CAPTURE AND ANALYSIS OF BUSINESS INFORMATION FOR RELIABLE BUSINESS VENTURE OUTCOME PREDICTION", filed on Jun. 18, 2016, which is a continuation-in-part of U.S. patent application Ser. No. 15/166,158, titled "SYSTEM FOR AUTOMATED CAPTURE AND ANALYSIS OF BUSINESS INFORMATION FOR SECURITY AND CLIENT-FACING INFRASTRUCTURE RELIABILITY", filed on May 26, 2016, which is a continuation-in-part of U.S. patent application Ser. No. 15/141,752, titled "SYSTEM FOR FULLY INTEGRATED CAPTURE, AND ANALYSIS OF BUSINESS INFORMATION RESULTING IN PREDICTIVE DECISION MAKING AND SIMULATION", filed on Apr. 28, 2016, which is a continuation-in-part of U.S. patent application Ser. No. 15/091,563, titled "SYSTEM FOR CAPTURE, ANALYSIS AND STORAGE OF TIME SERIES DATA FROM SENSORS WITH HETEROGENEOUS REPORT INTERVAL PROFILES", filed on Apr. 5, 2016, which is a continuation-in-part of U.S. patent application Ser. No. 14/986,536, titled "DISTRIBUTED SYSTEM FOR LARGE VOLUME DEEP WEB DATA EXTRACTION", filed on Dec. 31, 2015, which is a continuation-in-part of U.S. patent application Ser. No. 14/925,974, titled "RAPID PREDICTIVE ANALYSIS OF VERY LARGE DATA SETS USING THE DISTRIBUTED COMPUTATIONAL GRAPH", filed on Oct. 28, 2015, the entire specifications of each of which are incorporated herein by reference.

This application is a continuation-in-part of U.S. patent application Ser. No. 15/823,285 titled "META-INDEXING, SEARCH, COMPLIANCE, AND TEST FRAMEWORK FOR SOFTWARE DEVELOPMENT", filed on Nov. 27, 2017, which is a continuation-in-part of U.S. patent application Ser. No. 15/788,718 titled "DATA MONETIZATION AND EXCHANGE PLATFORM", filed on Oct. 19, 2017, which claims benefit of, and priority to, U.S. provisional patent application 62/568,307 titled "DATA MONETIZATION AND EXCHANGE PLATFORM", filed on Oct. 4, 2017, and is also a continuation-in-part of U.S. patent application Ser. No. 15/788,002 titled "ALGORITHM MONETIZATION AND EXCHANGE PLATFORM" filed on Oct. 19, 2017, which claims priority to U.S. provisional patent application 62/568,305 titled "ALGORITHM MONETIZATION AND EXCHANGE PLATFORM", filed on Oct. 4, 2017, and is also a continuation-in-part of U.S. patent application Ser. No. 15/787,601, titled "METHOD AND APPARATUS FOR CROWDSOURCED DATA GATHERING, EXTRACTION, AND COMPENSATION", filed on Oct. 18, 2017, which claims priority to U.S. provisional patent application 62/568,312 titled "METHOD AND APPARATUS FOR CROWDSOURCED DATA GATHERING, EXTRACTION, AND COMPENSATION", filed on Oct. 4, 2017, and is also a continuation-in-part of U.S. patent application Ser. No. 15/616,427 titled "RAPID PREDICTIVE ANALYSIS OF VERY LARGE DATA SETS USING AN ACTOR-DRIVEN DISTRIBUTED COMPUTATIONAL GRAPH", filed on Jun. 7, 2017, which is a continuation-in-part of U.S. patent application Ser. No. 14/925,974, titled "RAPID PREDICTIVE ANALYSIS OF VERY LARGE DATA SETS USING THE DISTRIBUTED COMPUTATIONAL GRAPH", filed on Oct. 28, 2015, the entire specification of each of which is incorporated herein by reference.

BACKGROUND OF THE INVENTION

Field of the Art

The disclosure relates to the field of computer management, and more particularly to the field of cybersecurity and threat analytics.

Discussion of the State of the Art

On Aug. 4, 2016, United States government's DEFENSE ADVANCED RESEARCH PROJECTS AGENCY (DARPA)™ hosted an event in 2016 called the Cyber Grand Challenge, aimed at creating an automatic defense system for network defense and vulnerability detection and patching. During the event numerous teams and individuals competed to develop a system which could automatically detect vulnerabilities and exploits in software systems, develop a patch, and deploy the patch within a finite amount of time, in an effort to produce a highly robust system to defend software systems from a variety of possible exploits and malicious attacks. The competition was partially successful, with the submitted systems from each team competing automatically in a capture-the-flag style competition, and the competition in its entirety demonstrated that fully autonomous network defense and exploitation is possible. No team's submission completed the competition with 100% success in identifying vulnerabilities and exploits, and as of yet no such system is deployed for large scale or commercial applications in automated analysis and defense of networks and network-connected devices. Malware of today is continually being advanced in the area of memory scanning, to evade detection from current anti-virus and antimalware software, and continually advancing and evolv-
`
`
`
ing network and system defense techniques are required in order to keep up with the pace of advancement of malware both today and in the future. Even until this competition, no system existed even for research applications which could reliably identify and patch vulnerabilities and exploits in software systems and networks before malware took advantage of said vulnerabilities in the software. It is commonly the case that vulnerabilities and exploits in software are only found out and then patched some time after they are taken advantage of, falling out of view of the system developers before the issue is made use of by malicious actors, for example the Heartbleed exploit present in many OpenSSL systems until patched in 2014, only shortly after the vulnerability was publicly disclosed.

What is needed is a system and methods for sandboxed malware analysis and automated patch development, deployment and validation, and further, a system which can use state-of-the-art machine learning techniques and artificial intelligence paradigms to evolve its understanding of malware analysis to help keep pace with the advancement of malware in the world.

SUMMARY OF THE INVENTION

Accordingly, the inventor has conceived and reduced to practice, in a preferred embodiment of the invention, a system and methods for sandboxed malware analysis and automated patch development, deployment and validation. The following non-limiting summary of the invention is provided for clarity, and should be construed consistently with embodiments described in the detailed description below.

To solve the problem of malware advancing beyond the capabilities of existing antimalware capabilities, a system and methods have been devised comprising a specialized business operating system, the ability to convert files into binary to be executed in a sandbox environment, machine learning capabilities, a cybersecurity scoring system, pattern matching heuristics, in a system designed to find vulnerabilities present in networks and files on a computer system, analyze the vulnerabilities and exploits present, develop software patches for the vulnerabilities and exploits, and deploy the software patches autonomously, as well as learn from and evolve according to present and emerging malware techniques using machine learning techniques.

BRIEF DESCRIPTION OF THE DRAWING FIGURES

The accompanying drawings illustrate several aspects and, together with the description, serve to explain the principles of the invention according to the aspects. It will be appreciated by one skilled in the art that the particular arrangements illustrated in the drawings are merely exemplary, and are not to be considered as limiting of the scope of the invention or the claims herein in any way.

FIG. 1 is a diagram of an exemplary architecture of a system for the capture and storage of time series data from sensors with heterogeneous reporting profiles according to a preferred aspect of the invention.

FIG. 2 is a diagram of an exemplary architecture of a business operating system according to a preferred aspect of the invention.

FIG. 3 is a diagram of an exemplary architecture of a cybersecurity analysis system according to a preferred aspect of the invention.

FIG. 4 is a system diagram illustrating connections between important components for analyzing software and network-connected endpoints, according to a preferred aspect.

FIG. 5 is a method diagram illustrating important steps in detecting and analyzing software exploits or vulnerabilities, according to a preferred aspect of the invention.

FIG. 6 is a method diagram illustrating the use of advanced endpoint instrumentation to collect data on endpoint devices across a network, according to a preferred aspect.

FIG. 7 is a method diagram illustrating the prioritization of software flaws and exploits according to a preferred aspect.

FIG. 8 is a method diagram illustrating the basic steps for patching exploits and vulnerabilities in analyzed software, according to an aspect.

FIG. 9 is a block diagram illustrating an exemplary hardware architecture of a computing device.

FIG. 10 is a block diagram illustrating an exemplary logical architecture for a client device.

FIG. 11 is a block diagram showing an exemplary architectural arrangement of clients, servers, and external services.

FIG. 12 is another block diagram illustrating an exemplary hardware architecture of a computing device.

DETAILED DESCRIPTION

The inventor has conceived, and reduced to practice, a system and methods for sandboxed malware analysis and automated patch development, deployment and validation.

One or more different aspects may be described in the present application. Further, for one or more of the aspects described herein, numerous alternative arrangements may be described; it should be appreciated that these are presented for illustrative purposes only and are not limiting of the aspects contained herein or the claims presented herein in any way. One or more of the arrangements may be widely applicable to numerous aspects, as may be readily apparent from the disclosure. In general, arrangements are described in sufficient detail to enable those skilled in the art to practice one or more of the aspects, and it should be appreciated that other arrangements may be utilized and that structural, logical, software, electrical and other changes may be made without departing from the scope of the particular aspects. Particular features of one or more of the aspects described herein may be described with reference to one or more particular aspects or figures that form a part of the present disclosure, and in which are shown, by way of illustration, specific arrangements of one or more of the aspects. It should be appreciated, however, that such features are not limited to usage in the one or more particular aspects or figures with reference to which they are described. The present disclosure is neither a literal description of all arrangements of one or more of the aspects nor a listing of features of one or more of the aspects that must be present in all arrangements.

Headings of sections provided in this patent application and the title of this patent application are for convenience only, and are not to be taken as limiting the disclosure in any way.

Devices that are in communication with each other need not be in continuous communication with each other, unless expressly specified otherwise. In addition, devices that are in communication with each other may communicate directly
`
`
`
or indirectly through one or more communication means or intermediaries, logical or physical.

A description of an aspect with several components in communication with each other does not imply that all such components are required. To the contrary, a variety of optional components may be described to illustrate a wide variety of possible aspects and in order to more fully illustrate one or more aspects. Similarly, although process steps, method steps, algorithms or the like may be described in a sequential order, such processes, methods and algorithms may generally be configured to work in alternate orders, unless specifically stated to the contrary. In other words, any sequence or order of steps that may be described in this patent application does not, in and of itself, indicate a requirement that the steps be performed in that order. The steps of described processes may be performed in any order practical. Further, some steps may be performed simultaneously despite being described or implied as occurring non-simultaneously (e.g., because one step is described after the other step). Moreover, the illustration of a process by its depiction in a drawing does not imply that the illustrated process is exclusive of other variations and modifications thereto, does not imply that the illustrated process or any of its steps are necessary to one or more of the aspects, and does not imply that the illustrated process is preferred. Also, steps are generally described once per aspect, but this does not mean they must occur once, or that they may only occur once each time a process, method, or algorithm is carried out or executed. Some steps may be omitted in some aspects or some occurrences, or some steps may be executed more than once in a given aspect or occurrence.

When a single device or article is described herein, it will be readily apparent that more than one device or article may be used in place of a single device or article. Similarly, where more than one device or article is described herein, it will be readily apparent that a single device or article may be used in place of the more than one device or article.

The functionality or the features of a device may be alternatively embodied by one or more other devices that are not explicitly described as having such functionality or features. Thus, other aspects need not include the device itself.

Techniques and mechanisms described or referenced herein will sometimes be described in singular form for clarity. However, it should be appreciated that particular aspects may include multiple iterations of a technique or multiple instantiations of a mechanism unless noted otherwise. Process descriptions or blocks in figures should be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps in the process. Alternate implementations are included within the scope of various aspects in which, for example, functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those having ordinary skill in the art.

Definitions

As used herein, a "swimlane" is a communication channel between a time series sensor data reception and apportioning device and a data store meant to hold the apportioned data time series sensor data. A swimlane is able to move a specific, finite amount of data between the two devices. For example a single swimlane might reliably carry and have incorporated into the data store, the data equivalent of 5 seconds worth of data from 10 sensors in 5 seconds, this being its capacity. Attempts to place 5 seconds worth of data received from 6 sensors using one swimlane would result in data loss.

As used herein, a "meta swimlane" is an as-needed logical combination of transfer capacity of two or more real swimlanes that is transparent to the requesting process. Sensor studies where the amount of data received per unit time is expected to be highly heterogeneous over time may be initiated to use meta swimlanes. Using the example used above that a single real swimlane can transfer and incorporate the 5 seconds worth of data of 10 sensors without data loss, the sudden receipt of incoming sensor data from 13 sensors during a 5 second interval would cause the system to create a two swimlane metaswimlane to accommodate the standard 10 sensors of data in one real swimlane and the 3 sensor data overage in the second, transparently added real swimlane, however no changes to the data receipt logic would be needed as the data reception and apportionment device would add the additional real swimlane transparently.

Conceptual Architecture

FIG. 1 is a diagram of an exemplary architecture of a system for the capture and storage of time series data from sensors with heterogeneous reporting profiles according to a preferred aspect of the invention 100. In this embodiment, a plurality of sensor devices 110a-n stream data to a collection device, in this case a web server acting as a network gateway 115. These sensors 110a-n can be of several forms, some non-exhaustive examples being: physical sensors measuring humidity, pressure, temperature, orientation, and presence of a gas; or virtual such as programming measuring a level of network traffic, memory usage in a controller, and number of times the word "refill" is used in a stream of email messages on a particular network segment, to name a small few of the many diverse forms known to the art. In the embodiment, the sensor data is passed without transformation to the data management engine 120, where it is aggregated and organized for storage in a specific type of data store 125 designed to handle the multidimensional time series data resultant from sensor data. Raw sensor data can exhibit highly different delivery characteristics. Some sensor sets may deliver low to moderate volumes of data continuously. It would be infeasible to attempt to store the data in this continuous fashion to a data store as attempting to assign identifying keys and store real time data from multiple sensors would invariably lead to significant data loss. In this circumstance, the data stream management engine 120 would hold incoming data in memory, keeping only the parameters, or "dimensions" from within the larger sensor stream that are predecided by the administrator of the study as important and instructions to store them transmitted from the administration device 112. The data stream management engine 120 would then aggregate the data from multiple individual sensors and apportion that data at a predetermined interval, for example, every 10 seconds, using the timestamp as the key when storing the data to a multidimensional time series data store over a single swimlane of sufficient size. This highly ordered delivery of a foreseeable amount of data per unit time is particularly amenable to data capture and storage but patterns where delivery of data from sensors occurs irregularly and the amount of data is extremely heterogeneous are quite prevalent. In these situations, the data stream management engine cannot successfully use strictly single time interval over a single swimlane mode of data storage. In addition to the single time interval method the invention also can make use of event based storage triggers where a predetermined number of data receipt events, as set at the administration device 112, triggers transfer of a data block
`
`
`
consisting of the apportioned number of events as one dimension and a number of sensor ids as the other. In the embodiment, the system time at commitment or a time stamp that is part of the sensor data received is used as the key for the data block value of the value-key pair. The invention can also accept a raw data stream with commitment occurring when the accumulated stream data reaches a predesigned size set at the administration device 112.

It is also likely that during times of heavy reporting from a moderate to large array of sensors, the instantaneous load of data to be committed will exceed what can be reliably transferred over a single swimlane. The embodiment of the invention can, if capture parameters pre-set at the administration device 112, combine the data movement capacity of two or more swimlanes, the combined bandwidth dubbed a metaswimlane, transparently t

identifier) FILTER [filter_identifier] FORMAT (sensor [AS identifier] [, sensor [AS identifier] ...] (TEXT | JSON | FUNNEL | KML | GEOJSON | TOPOJSON);

Here "data_spec" might be replaced by a list of individual sensors from a larger array of sensors and each sensor in the list might be given a human readable identifier in the format "sensor AS identifier". "unit" allows the researcher to assign a periodicity for the sensor data such as second (s), minute (m), hour (h). One or more transformational filters, which include but are not limited to: mean, median, variance, standard deviation, standard linear interpolation, or Kalman filtering and smoothing, may be applied and then data formatted in one or more formats, examples of which are text, JSON, KML, GEOJSON and TOPOJSON among others known to the art, depending on the intended use of the data.
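The swimlane arithmetic from the Definitions (10 sensors per real swimlane, a 13-sensor burst needing a two-swimlane metaswimlane) together with the two commit modes the Conceptual Architecture describes (interval apportioning keyed by timestamp, and event-count triggers), as an added Python simulation that is not part of the patent or QOMPLX's code. The engine class, the capacity constant, the per-dimension mean aggregation and the sample readings are constructed assumptions; it also shows the data loss that occurs when the overage is forced through a single real swimlane.

```python
"""Swimlane / meta swimlane apportioning from the patent's Definitions and
Conceptual Architecture.  Added illustration, not QOMPLX's code: the classes,
the capacity constant and the sample readings are constructed assumptions."""
from __future__ import annotations

import math
from dataclasses import dataclass

# Definitions: one real swimlane carries 5 s of data from 10 sensors without
# loss; more sensors per block need a meta swimlane, or data is lost.
SWIMLANE_CAPACITY = 10


@dataclass
class DataBlock:
    key: float                          # timestamp used as the store key
    rows: dict[str, dict[str, float]]   # sensor id -> aggregated kept dimensions
    swimlanes: int                      # real swimlanes combined for the transfer
    lost_sensors: tuple[str, ...] = ()  # dropped when meta swimlanes are disabled


def swimlanes_needed(n_sensors: int, capacity: int = SWIMLANE_CAPACITY) -> int:
    """Real swimlanes a meta swimlane must combine to move n sensors losslessly."""
    return 0 if n_sensors <= 0 else math.ceil(n_sensors / capacity)


class DataStreamManagementEngine:
    """Holds readings in memory, keeps only administrator-chosen dimensions and
    commits a block per time interval (timestamp-keyed) or, when `event_trigger`
    is set, after that many data receipt events."""

    def __init__(self, kept_dimensions, interval_s: float = 10.0,
                 event_trigger: int | None = None, allow_meta: bool = True,
                 capacity: int = SWIMLANE_CAPACITY) -> None:
        self.kept = frozenset(kept_dimensions)
        self.interval, self.event_trigger = interval_s, event_trigger
        self.allow_meta, self.capacity = allow_meta, capacity
        self.committed: list[DataBlock] = []
        self._buffer: dict[str, list[dict[str, float]]] = {}
        self._events, self._last_ts = 0, 0.0
        self._window_start: float | None = None

    def ingest(self, sensor_id: str, timestamp: float, values: dict[str, float]) -> None:
        if self.event_trigger is None:
            # Interval mode: a reading past the current window closes that window.
            start = math.floor(timestamp / self.interval) * self.interval
            if self._window_start is None:
                self._window_start = start
            elif start != self._window_start:
                self._commit(self._window_start)
                self._window_start = start
        # Only the predecided dimensions are retained for storage.
        self._buffer.setdefault(sensor_id, []).append(
            {k: v for k, v in values.items() if k in self.kept})
        self._events, self._last_ts = self._events + 1, timestamp
        if self.event_trigger is not None and self._events >= self.event_trigger:
            self._commit(timestamp)  # event mode: completing reading keys the block

    def flush(self) -> None:
        """Commit whatever is still buffered at the end of the study."""
        if self._buffer:
            self._commit(self._last_ts if self.event_trigger else self._window_start)

    def _commit(self, key: float) -> None:
        sensor_ids = sorted(self._buffer)
        lanes = swimlanes_needed(len(sensor_ids), self.capacity)
        lost: tuple[str, ...] = ()
        if lanes > 1 and not self.allow_meta:
            # One real swimlane only carries `capacity` sensors; the overage is lost.
            lost, sensor_ids = tuple(sensor_ids[self.capacity:]), sensor_ids[:self.capacity]
            lanes = 1
        rows: dict[str, dict[str, float]] = {}
        for sid in sensor_ids:
            rows[sid] = {}
            for dim in self.kept:
                vals = [s[dim] for s in self._buffer[sid] if dim in s]
                if vals:  # aggregate the window as a per-dimension mean
                    rows[sid][dim] = sum(vals) / len(vals)
        self.committed.append(DataBlock(key, rows, lanes, lost))
        self._buffer, self._events = {}, 0


def constructed_study(n_sensors: int, seconds: int):
    """Constructed sample: n sensors each report once per second."""
    for t in range(seconds):
        for i in range(n_sensors):
            yield f"sensor-{i:02d}", float(t), {"temperature": 20.0 + i,
                                                "humidity": 40.0 + t, "diagnostic": 1.0}


def run_demo(n_sensors: int = 13, seconds: int = 5, allow_meta: bool = True,
             event_trigger: int | None = None) -> list[DataBlock]:
    """Feed the constructed study through the engine and return committed blocks."""
    engine = DataStreamManagementEngine({"temperature", "humidity"}, interval_s=10.0,
                                        event_trigger=event_trigger, allow_meta=allow_meta)
    for sid, ts, vals in constructed_study(n_sensors, seconds):
        engine.ingest(sid, ts, vals)
    engine.flush()
    return engine.committed
```

With the defaults, `run_demo()` commits one block keyed 0.0 carrying all 13 sensors over a two-swimlane metaswimlane, while `run_demo(allow_meta=False)` keeps only the first 10 sensors and reports the other three as lost.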