Privilege inference and monitoring based on network behavior
First Claim
1. A method for monitoring network traffic using one or more network computers, wherein execution of instructions by the one or more network computers perform the method comprising:
instantiating a monitoring engine to perform actions, including;
monitoring network traffic associated with a plurality of entities in one or more networks to provide one or more metrics, wherein the entities include one or more of a source entity and one or more of a target entity; and
providing a device relation model based on the plurality of entities, the network traffic, and the one or more metrics; and
instantiating an inference engine to perform actions, including;
associating the plurality of entities with one or more privilege levels based on the device relation model and the one or more metrics, wherein a value for each of the one or more privilege levels is based on one or more of an amount of access or an amount of control that the one or more source entities exert over the one or more target entities; and
increasing the one or more privilege levels for a source entity based on one or more metric values that are associated with the one or more target entities that are linked to the source entity; and
instantiating an anomaly engine to perform actions, including;
determine one or more interactions between the one or more source entities and the one or more target entities based on the monitored network traffic;
generating one or more escalation events based on the one or more interactions and the one or more privilege levels associated with the one or more source entities and the one or more target entities, wherein the one or more interactions or the one or more target entities are associated with a privilege level that exceeds the one or more privilege levels associated with the one or more source entities; and
providing the one or more escalation events to one or more users.
6 Assignments
0 Petitions
Abstract
Embodiments are directed to monitoring network traffic. A monitoring engine may monitor network traffic associated with entities in one or more networks. A device relation model may be provided based on the entities and the network traffic. An inference engine may associate the entities with privilege levels based on the device relation model, where each level is based on an amount of access or an amount of control that source entities exert over the target entities. An anomaly engine may determine one or more interactions between the source entities and the target entities based on the monitored network traffic. The anomaly engine may generate escalation events based on the interactions associated with the source entities and the target entities where the target entities have a higher privilege level than the source entities. The anomaly engine may provide the escalation events to one or more users.
26 Claims
1. A method for monitoring network traffic using one or more network computers, wherein execution of instructions by the one or more network computers perform the method comprising:
instantiating a monitoring engine to perform actions, including;
monitoring network traffic associated with a plurality of entities in one or more networks to provide one or more metrics, wherein the entities include one or more of a source entity and one or more of a target entity; and
providing a device relation model based on the plurality of entities, the network traffic, and the one or more metrics; and
instantiating an inference engine to perform actions, including;
associating the plurality of entities with one or more privilege levels based on the device relation model and the one or more metrics, wherein a value for each of the one or more privilege levels is based on one or more of an amount of access or an amount of control that the one or more source entities exert over the one or more target entities; and
increasing the one or more privilege levels for a source entity based on one or more metric values that are associated with the one or more target entities that are linked to the source entity; and
instantiating an anomaly engine to perform actions, including;
determine one or more interactions between the one or more source entities and the one or more target entities based on the monitored network traffic;
generating one or more escalation events based on the one or more interactions and the one or more privilege levels associated with the one or more source entities and the one or more target entities, wherein the one or more interactions or the one or more target entities are associated with a privilege level that exceeds the one or more privilege levels associated with the one or more source entities; and
providing the one or more escalation events to one or more users.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A processor readable non-transitory storage media that includes instructions for monitoring network traffic using one or more network monitoring computers, wherein execution of the instructions by the one or more network computers perform the method comprising:
instantiating a monitoring engine to perform actions, including;
monitoring network traffic associated with a plurality of entities in one or more networks to provide one or more metrics, wherein the entities include one or more of a source entity and one or more of a target entity; and
providing a device relation model based on the plurality of entities, the network traffic, and the one or more metrics; and
instantiating an inference engine to perform actions, including;
associating the plurality of entities with one or more privilege levels based on the device relation model and the one or more metrics, wherein a value for each of the one or more privilege levels is based on one or more of an amount of access or an amount of control that the one or more source entities exert over the one or more target entities; and
increasing the one or more privilege levels for a source entity based on one or more metric values that are associated with the one or more target entities that are linked to the source entity; and
instantiating an anomaly engine to perform actions, including;
determine one or more interactions between the one or more source entities and the one or more target entities based on the monitored network traffic;
generating one or more escalation events based on the one or more interactions and the one or more privilege levels associated with the one or more source entities and the one or more target entities, wherein the one or more interactions or the one or more target entities are associated with a privilege level that exceeds the one or more privilege levels associated with the one or more source entities; and
providing the one or more escalation events to one or more users.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A system for monitoring network traffic in a network:
one or more network computers, comprising;
a transceiver that communicates over the network;
a memory that stores at least instructions; and
one or more processors that execute instructions that perform actions, including;
instantiating a monitoring engine to perform actions, including;
monitoring network traffic associated with a plurality of entities in one or more networks to provide one or more metrics, wherein the entities include one or more of a source entity and one or more of a target entity; and
providing a device relation model based on the plurality of entities, the network traffic, and the one or more metrics; and
instantiating an inference engine to perform actions, including;
associating the plurality of entities with one or more privilege levels based on the device relation model and the one or more metrics, wherein a value for each of the one or more privilege levels is based on one or more of an amount of access or an amount of control that the one or more source entities exert over the one or more target entities; and
increasing the one or more privilege levels for a source entity based on one or more metric values that are associated with the one or more target entities that are linked to the source entity; and
instantiating an anomaly engine to perform actions, including;
determine one or more interactions between the one or more source entities and the one or more target entities based on the monitored network traffic;
generating one or more escalation events based on the one or more interactions and the one or more privilege levels associated with the one or more source entities and the one or more target entities, wherein the one or more interactions or the one or more target entities are associated with a privilege level that exceeds the one or more privilege levels associated with the one or more source entities; and
providing the one or more escalation events to one or more users; and
one or more client computers, comprising;
a transceiver that communicates over the network;
a memory that stores at least instructions; and
one or more processors that execute instructions that perform actions, including;
providing one or more portions of the network traffic.
Dependent claims: 16, 17, 18, 19, 20
21. A network computer for monitoring communication over a network between two or more computers, comprising:
a transceiver that communicates over the network;
a memory that stores at least instructions; and
one or more processors that execute instructions that perform actions, including;
instantiating a monitoring engine to perform actions, including;
monitoring network traffic associated with a plurality of entities in one or more networks to provide one or more metrics, wherein the entities include one or more of a source entity and one or more of a target entity; and
providing a device relation model based on the plurality of entities, the network traffic, and the one or more metrics; and
instantiating an inference engine to perform actions, including;
associating the plurality of entities with one or more privilege levels based on the device relation model and the one or more metrics, wherein a value for each of the one or more privilege levels is based on one or more of an amount of access or an amount of control that the one or more source entities exert over the one or more target entities; and
increasing the one or more privilege levels for a source entity based on one or more metric values that are associated with the one or more target entities that are linked to the source entity; and
instantiating an anomaly engine to perform actions, including;
determine one or more interactions between the one or more source entities and the one or more target entities based on the monitored network traffic;
generating one or more escalation events based on the one or more interactions and the one or more privilege levels associated with the one or more source entities and the one or more target entities, wherein the one or more interactions or the one or more target entities are associated with a privilege level that exceeds the one or more privilege levels associated with the one or more source entities; and
providing the one or more escalation events to one or more users.
Dependent claims: 22, 23, 24, 25, 26
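The abstract and the independent claims above describe three cooperating stages: a monitoring engine that turns observed traffic into a device relation model with metrics, an inference engine that assigns privilege levels from the access or control a source exerts over its targets (and raises a source's level according to the targets it is linked to), and an anomaly engine that raises an escalation event when an interaction reaches a target, or uses a kind of control, whose level exceeds the source's. The following Python is an added example written for this page to make that pipeline concrete; it is not the patent's or the assignee's implementation. The service-to-control weights, the level thresholds, the propagation factor, and the flow and interaction records are all constructed assumptions, since the page does not state how the metrics or levels are computed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed weights for the "amount of control" a source exerts over a target
# through a given service (constructed for this example; higher = more control).
CONTROL_WEIGHT = {
    "ssh": 3.0, "rdp": 3.0, "winrm": 3.0,
    "smb": 2.0, "ldap": 2.0,
    "https": 1.0, "mysql": 1.0,
    "dns": 0.2,
}

# Assumed thresholds that quantize a continuous score into privilege levels 0..3.
LEVEL_THRESHOLDS = (1.0, 3.0, 8.0)


@dataclass
class Edge:
    """Metrics kept for one source -> target link in the device relation model."""
    sessions: int = 0
    control: float = 0.0  # strongest kind of control observed on this link


def build_relation_model(flows):
    """Monitoring engine: build a directed graph source -> target -> Edge from
    (source, target, service, session_count) flow summaries."""
    model = defaultdict(lambda: defaultdict(Edge))
    for src, dst, service, sessions in flows:
        edge = model[src][dst]
        edge.sessions += sessions
        edge.control = max(edge.control, CONTROL_WEIGHT.get(service, 0.5))
    return model


def to_level(score):
    """Quantize a score into a discrete privilege level (0 = lowest)."""
    return sum(score >= t for t in LEVEL_THRESHOLDS)


def infer_privilege(model, propagate=0.5):
    """Inference engine: a source's base score is the control it exerts over
    its targets; the score is then raised by a share of the base scores of the
    targets it is linked to. Returns entity -> privilege level."""
    entities = set(model)
    for targets in model.values():
        entities.update(targets)
    base = {entity: 0.0 for entity in entities}
    for src, targets in model.items():
        base[src] = sum(edge.control for edge in targets.values())
    score = dict(base)
    for src, targets in model.items():
        score[src] += propagate * sum(base[dst] for dst in targets)
    return {entity: to_level(s) for entity, s in score.items()}


def detect_escalations(levels, interactions):
    """Anomaly engine: emit an escalation event when the target, or the kind
    of control the interaction itself implies, outranks the source's level."""
    events = []
    for src, dst, service in interactions:
        src_level = levels.get(src, 0)
        dst_level = levels.get(dst, 0)
        interaction_level = to_level(CONTROL_WEIGHT.get(service, 0.5))
        if dst_level > src_level or interaction_level > src_level:
            events.append({
                "source": src, "target": dst, "service": service,
                "source_level": src_level, "target_level": dst_level,
                "interaction_level": interaction_level,
            })
    return events


# Constructed baseline flow summaries: (source, target, service, sessions).
BASELINE_FLOWS = [
    ("ws-01", "web-01", "https", 40), ("ws-01", "dns-01", "dns", 200),
    ("ws-02", "web-01", "https", 30), ("ws-02", "dns-01", "dns", 150),
    ("admin-01", "web-01", "ssh", 6), ("admin-01", "db-01", "ssh", 4),
    ("admin-01", "dc-01", "rdp", 2),
    ("dc-01", "ws-01", "smb", 5), ("dc-01", "ws-02", "smb", 5),
    ("web-01", "db-01", "mysql", 20),
]

# Constructed interactions observed after the baseline: (source, target, service).
OBSERVED_INTERACTIONS = [
    ("web-01", "db-01", "mysql"),   # normal: same level, ordinary access
    ("ws-01", "dc-01", "rdp"),      # workstation reaching a higher-level target
    ("ws-02", "web-01", "ssh"),     # same-level target, but ssh implies more control
    ("admin-01", "ws-01", "ssh"),   # normal: admin host managing a workstation
]

if __name__ == "__main__":
    levels = infer_privilege(build_relation_model(BASELINE_FLOWS))
    for entity, level in sorted(levels.items()):
        print(f"{entity:10s} level {level}")
    for event in detect_escalations(levels, OBSERVED_INTERACTIONS):
        print("escalation:", event)
```

With the constructed data the admin host lands at level 3, the domain controller at 2, the workstations and web server at 1, and the database and DNS servers at 0, so the two interactions that cross upward (a workstation opening RDP to the domain controller, and a workstation opening SSH to the web server) are reported and the two ordinary ones are not. The weights and thresholds are placeholders for whatever metrics a real deployment derives; the useful property to preserve is the one the claims state, namely that a source's level is raised by the levels of the targets it is already linked to, so that an entity newly reaching beyond that set stands out.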
Specification