Analytic-based security with learning adaptability
Abstract
An analytics-based security monitoring system is adapted to receive data, such as in the form of event logs, from one or more network devices transferred through a computing environment, detect a plurality of behavioral characteristics from the received event logs, identify behavioral fragments composed of related behavioral characteristics, and identify an attack by correlating the behavioral fragments against patterns of known malicious attacks. The analytics-based security monitoring system may then perform a learning process to enhance further detection of attacks and perform one or more remedial actions when an attack is identified.
19 Claims
1. An analytics-based security monitoring system comprising:
- a hardware processor;
- at least one memory for storing instructions that are executed by at least the hardware processor to:
  - detect a plurality of behavioral characteristics from behavioral data, each of the plurality of behavioral characteristics representing an action conducted in a computing environment;
  - determine, in accordance with a correlation profile, one or more behavioral fragments each comprising a plurality of the behavioral characteristics;
  - correlate, in accordance with the correlation profile, the one or more determined behavioral fragments against an attack profile comprising a plurality of sets of behavioral fragments, where each set of behavioral fragments forms a malicious behavior pattern of a known attack;
  - identify an attack based on the correlated one or more determined behavioral fragments; and
  - update the correlation profile after an analysis of the identified attack, the correlation profile being used to determine how the one or more behavioral fragments are determined and whether the one or more behavioral fragments are correlated with any of the plurality of sets of behavioral fragments.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. An analytics-based security monitoring method comprising:
- receiving event logs collected from at least one computing node in a computing environment;
- detecting a plurality of behavioral characteristics from the received event logs, each of the plurality of behavioral characteristics representing an action conducted in the computing environment;
- identifying at least one behavioral fragment comprising one or more of the detected behavioral characteristics that are related, by correlating the behavioral characteristics against a correlation profile including information associated with a set of behavioral characteristics that form a behavior pattern, where the related behavioral characteristics are determined based, at least in part, on proximity in time or on whether the detected behavioral characteristics occurred within a certain computing node or nodes of the at least one computing node;
- identifying, using the instructions, an attack comprising the at least one behavioral fragment by correlating the at least one behavioral fragment against an attack profile including information associated with a set of behavioral fragments that form an attack pattern; and
- based on an analysis of the identified attack, updating the correlation profile to modify how the at least one behavioral fragment is determined and whether any of the behavioral fragments is correlated with the at least one behavioral fragment.
Dependent claims: 9, 10, 11, 12, 13, 14, 15.
16. A security monitoring system including at least one processor for execution of stored software, the security monitoring system comprising:
- a behavioral characteristic detection module that, upon execution by the at least one processor, analyzes event log data collected from at least one computing node in a computing environment to detect a plurality of behavioral characteristics, each of the plurality of behavioral characteristics representing an action conducted in the computing environment;
- a behavioral fragment determination module that, upon execution by the at least one processor, correlates a first of the detected behavioral characteristics against at least one other of the detected behavioral characteristics, and a second of the detected behavioral characteristics against at least one other of the detected behavioral characteristics, using a correlation profile, to thereby identify respective first and second behavioral fragments;
- an attack identification module that, upon execution by the at least one processor, identifies an attack by correlating the first and second behavioral fragments against an attack profile including information associated with a plurality of sets of behavioral fragments that each form a malicious behavior pattern of the attack; and
- a learning module to update the correlation profile, the correlation profile being used to determine how the first and second behavioral fragments are determined and whether the first and second behavioral fragments are correlated with any of the plurality of sets of behavioral fragments.
Dependent claims: 17, 18, 19.
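The pipeline the abstract and claims describe (behavioral characteristics detected from event logs, fragments formed according to a correlation profile based on time proximity and common node, fragments correlated against an attack profile of known malicious patterns, and the correlation profile updated after an identified attack), as an added Python illustration that is not part of the patent or of any product implementing it. The log lines, action names, the attack pattern and the window-widening learning rule are all constructed assumptions.

```python
from collections import namedtuple

# Constructed sample event log (not from the patent): "epoch_seconds node action" per line.
SAMPLE_LOG = """\
100 host-a login_failed
103 host-a login_failed
106 host-a login_success
110 host-a new_admin_user
400 host-b login_success
"""

Characteristic = namedtuple("Characteristic", "time node action")

# Attack profile: each action set is the malicious behavior pattern of one known attack (constructed).
ATTACK_PROFILE = {"brute_force_then_escalation": {"login_failed", "login_success", "new_admin_user"}}

# Correlation profile: governs how fragments are formed (time proximity, same node); learn() updates it.
INITIAL_PROFILE = {"window": 5, "same_node": True}

def detect_characteristics(log_text):
    """Each log line becomes one behavioral characteristic: an action on a computing node."""
    rows = (line.split() for line in log_text.splitlines() if line.strip())
    return sorted((Characteristic(int(t), n, a) for t, n, a in rows), key=lambda c: c.time)

def determine_fragments(chars, profile):
    """Group characteristics into fragments: a characteristic joins the current fragment when it
    is within `window` seconds of the previous one and, if required, on the same node."""
    fragments = []
    for c in chars:
        prev = fragments[-1][-1] if fragments else None
        related = prev is not None and c.time - prev.time <= profile["window"] \
            and (not profile["same_node"] or c.node == prev.node)
        if related:
            fragments[-1].append(c)
        else:
            fragments.append([c])
    return fragments

def identify_attacks(fragments, attack_profile=ATTACK_PROFILE):
    """A fragment is an attack when it contains every action of a known malicious pattern."""
    return [(name, frag) for frag in fragments
            for name, pattern in attack_profile.items()
            if pattern <= {c.action for c in frag}]

def learn(profile, attacks):
    """Learning step: widen the correlation window to the longest span an identified attack covered,
    so the same pattern spread over that much time is still grouped into one fragment next time."""
    spans = [frag[-1].time - frag[0].time for _, frag in attacks]
    return {**profile, "window": max([profile["window"], *spans])}
```

Running detect, fragment, identify and learn in sequence on the sample log yields one identified attack and a correlation profile whose window has grown from 5 to 10 seconds, which then lets a slower instance of the same pattern be grouped and matched on the next pass.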