Lateral movement detection for network security analysis
First Claim
1. A method comprising:
- receiving, by a computer system, first event data indicative of computer network activity of a plurality of users and network devices in a computer network;
- generating, by the computer system, classification metadata for each of the network devices and users, based on the first event data, to indicate relevance in a network security context of each of the users and network devices;
- identifying, by the computer system, usage relationships between one or more of the users and one or more of the network devices, based on first event data;
- assigning, by the computer system, usage similarity scores to the network devices based on the identified usage relationships, the usage similarity scores being indicative of which of the network devices have been used by the same or similar group of users;
- receiving, by the computer system, second event data indicative of computer network activity of a particular user of the plurality of users; and
- detecting, by the computer system and in response to the second event data, an anomaly indicative that the particular user has interacted with a particular network device with which the particular user does not normally interact, based on the usage similarity scores and the classification metadata.
Abstract
A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is "big data" driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat and to take action promptly.
65 Citations
30 Claims
1. A method comprising:

receiving, by a computer system, first event data indicative of computer network activity of a plurality of users and network devices in a computer network; generating, by the computer system, classification metadata for each of the network devices and users, based on the first event data, to indicate relevance in a network security context of each of the users and network devices; identifying, by the computer system, usage relationships between one or more of the users and one or more of the network devices, based on first event data; assigning, by the computer system, usage similarity scores to the network devices based on the identified usage relationships, the usage similarity scores being indicative of which of the network devices have been used by the same or similar group of users; receiving, by the computer system, second event data indicative of computer network activity of a particular user of the plurality of users; and detecting, by the computer system and in response to the second event data, an anomaly indicative that the particular user has interacted with a particular network device with which the particular user does not normally interact, based on the usage similarity scores and the classification metadata.

Dependent claims: 2 through 28.

29. A computing device comprising:

a processor; and a memory storing instructions that, when executed by the processor, cause the computing device to perform a process including: receiving first event data indicative of computer network activity of a plurality of users and network devices in a computer network; generating classification metadata for each of the network devices and users, based on the first event data, to indicate relevance in a network security context of each of the users and network devices; identifying usage relationships between one or more of the users and one or more of the network devices, based on first event data; assigning usage similarity scores to the network devices based on the identified usage relationships, the usage similarity scores being indicative of which of the network devices have been used by the same or similar group of users; receiving second event data indicative of computer network activity of a particular user of the plurality of users; and in response to the second event data, detecting an anomaly indicative that the particular user has interacted with a particular network device with which the particular user does not normally interact, based on the usage similarity scores and the classification metadata.

30. A non-transitory machine readable storage medium storing instructions, execution of which in a machine causes the machine to perform a process including:

receiving, by the machine, first event data indicative of computer network activity of a plurality of users and network devices in a computer network; generating, by the machine, classification metadata for each of the network devices and the users, based on the first event data, to indicate relevance in a network security context of each of the users and the network devices; identifying, by the machine, usage relationships between one or more of the users and one or more of the network devices, based on first event data; assigning, by the machine, usage similarity scores to the network devices based on the identified usage relationships, the usage similarity scores being indicative of which of the network devices have been used by the same or similar group of users; receiving, by the machine, second event data indicative of computer network activity of a particular user of the plurality of users; and detecting, by the machine and in response to the second event data, an anomaly indicative that the particular user has interacted with a particular network device with which the particular user does not normally interact, based on the usage similarity scores and the classification metadata.
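The following Python is an added illustration of the claimed method on constructed event data; it is not code from the patent or its assignee. Usage relationships are built from the first event data, usage similarity between devices is scored as the Jaccard overlap of their user sets, and a second event is flagged when the user touches a device they have not used before that also shares few users with their usual devices; the classification metadata (hypothetical device labels) only sets severity. Device names, the 0.3 threshold and the labels are assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed "first event data": (user, device) access events from the baseline period.
FIRST_EVENTS = [
    ("alice", "ws-01"), ("alice", "file-srv"), ("alice", "ws-01"),
    ("bob", "ws-02"), ("bob", "file-srv"),
    ("carol", "ws-03"), ("carol", "file-srv"),
    ("dave", "dc-01"), ("dave", "file-srv"), ("dave", "ws-04"),
    ("erin", "dc-01"),
]
# Constructed "classification metadata": security relevance of each device (hypothetical labels).
DEVICE_CLASS = {"dc-01": "domain_controller", "file-srv": "server", "ws-01": "workstation",
                "ws-02": "workstation", "ws-03": "workstation", "ws-04": "workstation"}
HIGH_VALUE = {"domain_controller", "server"}

def build_usage(events):
    """Usage relationships: device -> set of users that have used it."""
    usage = defaultdict(set)
    for user, device in events:
        usage[device].add(user)
    return dict(usage)

def jaccard(a, b):
    return len(a & b) / len(a | b) if a or b else 0.0

def similarity_scores(usage):
    """Usage similarity per device pair: high when the same or similar users use both."""
    scores = {}
    for d1, d2 in combinations(sorted(usage), 2):
        scores[(d1, d2)] = scores[(d2, d1)] = jaccard(usage[d1], usage[d2])
    return scores

def detect_anomaly(user, device, usage, scores, device_class, threshold=0.3):
    """Evaluate one 'second event'. Returns (is_anomaly, severity, reason)."""
    if user in usage.get(device, set()):
        return False, "none", "user has used this device before"
    # Compare the new device against the devices this user normally uses.
    own = [d for d, users in usage.items() if user in users]
    best = max((scores.get((device, d), 0.0) for d in own), default=0.0)
    if best >= threshold:
        return False, "none", f"device shares users with the user's usual devices (sim={best:.2f})"
    cls = device_class.get(device, "unknown")
    severity = "high" if cls in HIGH_VALUE else "medium"
    return True, severity, f"first contact with {cls} {device}; max usage similarity {best:.2f}"

if __name__ == "__main__":
    usage = build_usage(FIRST_EVENTS)
    scores = similarity_scores(usage)
    for user, device in [("alice", "ws-02"), ("erin", "ws-04"), ("bob", "dc-01")]:
        print(user, "->", device, detect_anomaly(user, device, usage, scores, DEVICE_CLASS))
```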
Specification