Event correlation across heterogeneous operations
Abstract
Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining a network security threat response. A data structure that represents communication events between computing devices of two or more network domains is received. The data structure is analyzed and a threat scenario that is based on a chain of communication events indicating a potential attack path is determined. The chain of communication events includes a sequence of communication events between computing devices proceeding from an originating computing device to a destination computing device, wherein the originating computing device and the destination computing device exist on different network domains. Attack pattern data for the threat scenario, associated with communications between computing devices that occurred during one or more prior attacks, is received from a threat intelligence data source. Based on the threat scenario and the attack pattern data, one or more courses of action for responding to the threat scenario are determined, and information associated with the one or more courses of action is provided.
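As an added illustration that is not part of the patent text, the following Python sketches the claimed pipeline on constructed data: communication events between devices in two network domains are chained in time order, chains whose first hop starts in one domain and whose last hop ends in another become candidate threat scenarios, and each candidate is matched against prior attack patterns to yield courses of action. Device names, domain labels, event kinds and the pattern table are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int    # constructed timestamp (seconds)
    src: str   # originating computing device
    dst: str   # destination computing device
    kind: str  # event type, e.g. "auth", "write"

# Constructed mapping of device -> network domain (corp IT vs. OT).
DOMAIN = {"ws-17": "corp", "jump-1": "corp", "db-3": "ot", "plc-9": "ot"}

# Constructed sample communication events (the received "data structure").
EVENTS = [
    Event(100, "ws-17", "jump-1", "auth"),
    Event(160, "jump-1", "db-3", "auth"),
    Event(230, "db-3", "plc-9", "write"),
    Event(300, "ws-17", "jump-1", "file_copy"),  # no onward hop after it
]

# Constructed "prior attack pattern data": ordered event kinds observed in
# earlier attacks, each paired with recommended courses of action.
PATTERNS = {
    "lateral-move-to-ot": (["auth", "auth", "write"],
                           ["isolate originating host",
                            "block cross-domain writes into OT"]),
}

def chains(events, max_hops=4):
    """Time-ordered event chains that start in one domain and end in another."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    out = []
    def walk(chain):
        last = chain[-1]
        if DOMAIN[chain[0].src] != DOMAIN[last.dst]:
            out.append(list(chain))          # crosses a domain boundary
        if len(chain) >= max_hops:
            return
        for nxt in by_src[last.dst]:         # follow hops leaving the last dst
            if nxt.ts > last.ts and nxt not in chain:
                walk(chain + [nxt])
    for e in events:
        walk([e])
    return out

def threat_scenarios(events):
    """Match cross-domain chains to prior patterns -> (chain, pattern, actions)."""
    results = []
    for chain in chains(events):
        kinds = [e.kind for e in chain]
        for name, (pattern, actions) in PATTERNS.items():
            if kinds == pattern:
                results.append((chain, name, actions))
    return results
```

Only the three-hop chain ws-17 -> jump-1 -> db-3 -> plc-9 matches the constructed pattern; the shorter cross-domain chains are surfaced by `chains()` but carry no matching course of action.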
Claims
1. A computer-implemented method for determining a network security threat response, the method being executed by one or more processors and comprising:
- receiving a data structure that represents communication events between computing devices of two or more network domains, including at least an originating computing device and a destination computing device, wherein the originating computing device and the destination computing device exist on different network domains;
- analyzing the data structure and determining a plurality of threat scenarios, each threat scenario being based on a respective chain of communication events that is represented in the data structure and that indicates a potential attack, the chain of communication events including a sequence of communication events between the computing devices of the two or more network domains proceeding from the originating computing device to the destination computing device;
- receiving, for the plurality of threat scenarios and from a threat intelligence data source, prior attack pattern data that is associated with prior computing device communications that occurred during one or more prior attacks; and
- based on the prior attack pattern data, for at least one of the plurality of threat scenarios:
  - determining one or more courses of action for responding to the threat scenario; and
  - providing information associated with the one or more courses of action for responding to the threat scenario, the information being relevant to at least one of the computing devices of the two or more network domains.

Dependent claims 2-10 (not shown).
11. A system, comprising:
- one or more processors; and
- a computer-readable storage device coupled to the one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations for determining a network security threat response, the operations comprising:
  - receiving a data structure that represents communication events between computing devices of two or more network domains, including at least an originating computing device and a destination computing device, wherein the originating computing device and the destination computing device exist on different network domains;
  - analyzing the data structure and determining a plurality of threat scenarios, each threat scenario being based on a respective chain of communication events that is represented in the data structure and that indicates a potential attack, the chain of communication events including a sequence of communication events between the computing devices of the two or more network domains proceeding from the originating computing device to the destination computing device;
  - receiving, for the plurality of threat scenarios and from a threat intelligence data source, prior attack pattern data that is associated with prior computing device communications that occurred during one or more prior attacks; and
  - based on the prior attack pattern data, for each of the plurality of threat scenarios:
    - determining one or more courses of action for responding to the threat scenario;
    - determining an impact of the potential attack on operation of the two or more network domains;
    - ranking the threat scenario among the plurality of threat scenarios based on system priorities; and
    - providing information associated with the one or more courses of action for responding to the threat scenario, the information being relevant to at least one of the computing devices of the two or more network domains.

Dependent claims 12-18 (not shown).
19. A non-transitory computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations for determining a network security threat response, the operations comprising:
- receiving a data structure that represents communication events between computing devices of two or more network domains, including at least an originating computing device and a destination computing device, wherein the originating computing device and the destination computing device exist on different network domains;
- analyzing the data structure and determining a plurality of threat scenarios, each threat scenario being based on a respective chain of communication events that is represented in the data structure and that indicates a potential attack, the chain of communication events including a sequence of communication events between the computing devices of the two or more network domains proceeding from the originating computing device to the destination computing device;
- receiving, for the plurality of threat scenarios and from a threat intelligence data source, prior attack pattern data that is associated with prior computing device communications that occurred during one or more prior attacks; and
- based on the prior attack pattern data, for at least one of the plurality of threat scenarios:
  - determining one or more courses of action for responding to the threat scenario; and
  - providing information associated with the one or more courses of action for responding to the threat scenario, the information being relevant to at least one of the computing devices of the two or more network domains.

Dependent claims 20-22 (not shown).