Analytic-based security with learning adaptability

US 10,104,102 B1
Filed: 05/12/2017
Issued: 10/16/2018
Est. Priority Date: 04/13/2015
Status: Active Grant

First Claim

Patent Images

1. An analytics-based security monitoring system comprising:

a hardware processor;

at least one memory for storing instructions that are executed by at least the hardware processor to;

detect a plurality of behavioral characteristics from behavioral data, each of the plurality of behavioral characteristics representing an action conducted in a computing environment,determine, in accordance with a correlation profile, one or more behavioral fragments each comprising a plurality of the behavioral characteristics,correlate, in accordance with the correlation profile, the one or more determined behavioral fragments against an attack profile comprising a plurality of sets of behavioral fragments where each set of behavioral fragments forms a malicious behavior pattern of a known attack,identify an attack based on the correlated one or more determined behavioral fragments, andupdating the correlation profile after an analysis of the identified attack, the correlation profile being used to determine how the one or more behavioral fragments are determined and whether the one or more behavioral fragments are correlated with any of the plurality of sets of behavioral fragments.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An analytics-based security monitoring system is adapted to receive data, such as in the form of event logs, from one or more network devices transferred through a computing environment, detect a plurality of behavioral characteristics from the received event logs, identify behavioral fragments composed of related behavioral characteristics, and identify an attack by correlating the behavioral fragments against patterns of known malicious attacks. The analytics-based security monitoring system may then perform a learning process to enhance further detection of attacks and perform one or more remedial actions when an attack is identified.

Citations

19 Claims

1. An analytics-based security monitoring system comprising:
- a hardware processor;
  
  at least one memory for storing instructions that are executed by at least the hardware processor to;
  
  detect a plurality of behavioral characteristics from behavioral data, each of the plurality of behavioral characteristics representing an action conducted in a computing environment,determine, in accordance with a correlation profile, one or more behavioral fragments each comprising a plurality of the behavioral characteristics,correlate, in accordance with the correlation profile, the one or more determined behavioral fragments against an attack profile comprising a plurality of sets of behavioral fragments where each set of behavioral fragments forms a malicious behavior pattern of a known attack,identify an attack based on the correlated one or more determined behavioral fragments, andupdating the correlation profile after an analysis of the identified attack, the correlation profile being used to determine how the one or more behavioral fragments are determined and whether the one or more behavioral fragments are correlated with any of the plurality of sets of behavioral fragments.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The analytics-based security monitoring system of claim 1, wherein the instructions are further executed to:
    - identify the attack by generating a score based on the correlated one or more determined behavioral fragments.
  - 3. The analytics-based security monitoring system of claim 1, wherein the instructions are further executed to:
    - correlate a first behavioral characteristic against one or more other behavioral characteristics;
      
      generate a behavioral score indicative of a level of relevance of the first behavioral characteristic to the one or more other behavioral characteristics using at least one correlation weighting factor applied to the first behavioral characteristic and the one or more other behavioral characteristics; and
      
      identify the attack by generating a score based on the correlated one or more determined behavioral fragments.
  - 4. The analytics-based security monitoring system of claim 3, wherein the instructions are further executed to perform a learning process that includes analyzing a previously identified attack, and modifying the at least one correlation weighting factor according to the analyzed attack.
  - 5. The analytics-based security monitoring system of claim 1, wherein the instructions are further executed to detect the plurality of behavioral characteristics using one or more detection weighting factors that are applied to the behavioral data.
  - 6. The analytics-based security monitoring system of claim 1, wherein the instructions are further executed to normalize received data including the behavioral data into a common format prior to detecting the plurality of behavioral characteristics.
  - 7. The analytics-based security monitoring system of claim 1, wherein the remedial action comprises at least one of generating an alert message, tracing an origin of one or more computing nodes associated with the attack, and halting operation of the one or more computing nodes associated with the attack.

8. An analytics-based security monitoring method comprising:
- receiving event logs collected from at least one computing node in a computing environment;
  
  detecting a plurality of behavioral characteristics from the received event logs, each of the plurality of behavioral characteristics representing an action conducted in the computing environment;
  
  identifying at least one behavioral fragment comprising one or more of the detected behavioral characteristics that are related by correlating the behavioral characteristics against a correlation profile including information associated with a set of behavioral characteristic that form a behavior pattern, the related behavioral characteristics are determined based, at least in part, on proximity in time or whether the detected behavioral characteristics occurred within a certain computing node or nodes of the at least one computing node;
  
  identifying, using the instructions, an attack comprising the at least one behavioral fragment by correlating the at least one behavioral fragment against an attack profile including information associated with a set of behavioral fragments that form an attack pattern; and
  
  based on an analysis of the identified attack, updating the correlation profile to modify how the at least one behavioral fragment is determined and whether any of behavioral fragments is correlated with the at least one behavioral fragment.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The analytics-based security monitoring method of claim 8, further comprising:
    - identifying the attack by generating an attack score based on the correlated one or more determined behavioral fragments.
  - 10. The analytics-based security monitoring method of claim 9, further comprising identifying an inter-computing environment-based attack by comparing the correlated behavioral fragments against a profile including information associated with one or more other attacks identified in other computing environments.
  - 11. The analytics-based security monitoring method of claim 8, further comprising using the instructions, one or more remedial actions when the attack is identified, the one or more remedial actions including reporting the attack.
  - 12. The analytics-based security monitoring method of claim 8, further comprising:
    - correlating a first behavioral characteristic against one or more other behavioral characteristics;
      
      generating a behavioral characteristic score indicative of a level of relevance of the first behavioral characteristic to the one or more other behavioral characteristics using at least one correlation weighting factor applied to the first behavioral characteristic and the one or more other behavioral characteristics; and
      
      identify the attack by generating an attack score based on the correlated one or more determined behavioral fragments.
  - 13. The analytics-based security monitoring method of claim 12, further comprising performing a learning process that includes analyzing a previously identified attack, and modifying the at least one correlation weighting factor according to the analyzed attack.
  - 14. The analytics-based security monitoring method of claim 13, further comprising:
    - detecting the plurality of behavioral characteristics using one or more detection weighting factors with respect to behavioral data of the received event logs.
  - 15. The analytics-based security monitoring method of claim 13, further comprising performing a learning process that includes analyzing a previously identified attack, and modifying the correlation weighting factors according to the analyzed attack.

16. A security monitoring system including at least one processor for execution of stored software, the security monitoring system comprising:
- a behavioral characteristic detection module that, upon execution by the at least one processor, analyzes data in the event log to detect a plurality of behavioral characteristics from the event logs data collected from at least one computing node in a computing environment, each of the plurality of behavioral characteristics representing an action conducted in the computing environment;
  
  a behavioral fragment determination module that, upon execution by the at least one processor, correlates a first of the detected behavioral characteristics against at least one other of the detected behavioral characteristics, and a second of the detected behavioral characteristics against at least one other of the detected behavioral characteristics, using a correlation profile to identify thereby respective first and second behavioral fragments;
  
  an attack identification module that, upon execution by the at least one processor, identifies an attack by correlating the first and second behavioral fragments against an attack profile including information associated with a plurality of sets of behavioral fragments that each form a malicious behavior pattern of the attack; and
  
  a learning module to update the correlation profile being used to determine how the first and second behavioral fragments are determined and whether the first and second behavioral fragments are correlated with any of the plurality of sets of behavioral fragments.
- View Dependent Claims (17, 18, 19)
- - 17. The security monitoring system of claim 16, wherein the behavioral fragment determination module further provides a control signal to the behavioral characteristic detection module to cause the behavioral characteristic detection module to re-analyze the event log data to detect, based on a fragment profile, a behavioral characteristic that was not detected when the event log data was analyzed previously.
  - 18. The security monitoring system of claim 16, wherein the attack identification module further provides a control signal to the behavioral characteristic detection module to cause the behavioral characteristic detection module to re-analyze the event log data to detect, based on a fragment profile, a behavioral characteristic that was not detected when the event log data was analyzed previously.
  - 19. The security monitoring system of claim 16, wherein the attack identification module further provides a control signal to the behavioral fragment determination module to cause the behavioral fragment determination module to re-correlate the behavioral characteristics based on the attack profile, to determine either a third behavioral fragment constituting part of the attack or an additional behavioral characteristic that was previously omitted from the first and second behavioral fragments.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Neumann, Justin
Primary Examiner(s)
Powers, William S

Application Number

US15/594,049
Time in Patent Office

522 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Analytic-based security with learning adaptability

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Analytic-based security with learning adaptability

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links