Method and system for generating a kill chain for monitoring computer network security

US 10,154,047 B2
Filed: 10/30/2015
Issued: 12/11/2018
Est. Priority Date: 08/31/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving event data associated with network activities, wherein the event data comprises machine data;

evaluating event data based on a machine learning model utilizing historical data pertaining to evaluations of past events;

identifying at least one anomaly automatically determined from machine learning on the event data;

identifying at least one threat automatically determined from machine learning on the event data and the identified at least one anomaly, wherein a threat is associated with each identified anomaly that, individually or in combination, triggered the determination of the threat; and

upon selection by a user, via a graphical user interface, of an identified threat, generating a kill chain view associated with the threat, wherein the kill chain view includes a plurality of stages, and, for each stage, the kill chain view lists each type of identified anomaly associated with each stage of the kill chain and the number of anomalies of each type, wherein the listing of comprises a link for each anomaly type;

upon selection by the user, via a graphical user interface, of the link for a selected anomaly type, generating a listing of all anomalies of the selected type, including a link for each anomaly;

upon selection by the user of the link for a selected anomaly, generating a prompt to tag the anomaly for subsequent tracking; and

upon receiving input from the user regarding the identified threat based upon the anomalies in the generated kill chain view, providing feedback for training the machine learning model.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security platform employs a variety techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.

54 Citations

View as Search Results

29 Claims

1. A method comprising:
- receiving event data associated with network activities, wherein the event data comprises machine data;
  
  evaluating event data based on a machine learning model utilizing historical data pertaining to evaluations of past events;
  
  identifying at least one anomaly automatically determined from machine learning on the event data;
  
  identifying at least one threat automatically determined from machine learning on the event data and the identified at least one anomaly, wherein a threat is associated with each identified anomaly that, individually or in combination, triggered the determination of the threat; and
  
  upon selection by a user, via a graphical user interface, of an identified threat, generating a kill chain view associated with the threat, wherein the kill chain view includes a plurality of stages, and, for each stage, the kill chain view lists each type of identified anomaly associated with each stage of the kill chain and the number of anomalies of each type, wherein the listing of comprises a link for each anomaly type;
  
  upon selection by the user, via a graphical user interface, of the link for a selected anomaly type, generating a listing of all anomalies of the selected type, including a link for each anomaly;
  
  upon selection by the user of the link for a selected anomaly, generating a prompt to tag the anomaly for subsequent tracking; and
  
  upon receiving input from the user regarding the identified threat based upon the anomalies in the generated kill chain view, providing feedback for training the machine learning model.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the kill chain view includes the duration of at least one stage of the kill chain for the selected threat and the dates that the stage began and concluded.
  - 3. The method of claim 1, wherein stages of the kill chain include intrusion and expansion stages, and the kill chain view includes dates that the intrusion and expansion stages each began and concluded.
  - 4. The method of claim 1, wherein the stages of the kill chain include intrusion, expansion, and exfiltration stages, and the kill chain view includes dates that the intrusion and expansion stages each began and concluded and the date that the exfiltration occurred.
  - 5. The method of claim 1, wherein the kill chain view identifies the total duration of each type of anomaly.
  - 6. The method of claim 1, wherein each entry in the listing of the at least one anomaly type in the kill chain view comprises a link for each anomaly type, the method further comprising:
    - upon selection by the user, via a graphical user interface, of the link, generating a listing of all anomalies of the selected type.
  - 7. The method of claim 1, wherein each entry in the listing of the at least one anomaly type in the kill chain view comprises a link for each anomaly type, the method further comprising:
    - upon selection by the user, via a graphical user interface, of the link, generating a listing of all anomalies of the selected type, including the one or more entities associated with the anomaly and date of the anomaly.
  - 8. The method of claim 1, wherein the listing of the at least one anomaly type in the kill chain view comprises a link for each anomaly type, the method further comprising:
    - upon selection by the user, via a graphical user interface, of the link for a selected anomaly type, generating a listing of all anomalies of the selected type, including a link to the one or more entities associated with the anomaly and date of the anomaly; and
      
      upon selection by the user of the link for a selected entity, generating a view providing additional information about the entity.
  - 9. The method of claim 1, wherein the listing of the at least one anomaly type in the kill chain view comprises a link for each anomaly type, the method further comprising:
    - upon selection by the user, via a graphical user interface, of the link for a selected anomaly type, generating a listing of all anomalies of the selected type, including a link to the one or more entities associated with the anomaly and date of the anomaly; and
      
      upon selection by the user of the link for a selected entity, generating a view providing additional information about the selected entity.
  - 10. The method of claim 1, wherein the listing of the at least one anomaly type in the kill chain view comprises a link, the method further comprising:
    - identifying a score for each identified anomaly, indicating the severity of the network activity to the security of the network; and
      
      upon selection by the user, via a graphical user interface, of the link for a selected anomaly type, generating a listing of all anomalies of the selected type, including a score for each anomaly.
  - 11. The method of claim 1, wherein the listing of the at least one anomaly type in the kill chain view comprises a link, the method further comprising:
    - identifying each entity associated with each identified anomaly, wherein an entity is a device, application and/or network user that participated in the network activity that triggered identification of the anomaly;
      
      identifying a score for each identified entity, indicating the severity of the network activities associated with the entity to the security of the network; and
      
      upon selection by the user, via a graphical user interface, of the link for a selected anomaly type, generating a listing of all anomalies of the selected type, including a link to the one or more entities associated with the anomaly and date of the anomaly; and
      
      upon selection by the user of the link for a selected entity, generating a view providing the score for the selected entity.
  - 12. The method of claim 1, wherein the listing of the at least one anomaly type in the kill chain view comprises a link for each anomaly type, the method further comprising:
    - upon selection by the user, via a graphical user interface, of the link for a selected anomaly type, generating a listing of all anomalies of the selected type, including a link for each anomaly; and
      
      upon selection by the user of the link for a selected anomaly, generating a view providing additional information about the anomaly.
  - 13. The method of claim 1, wherein the listing of the at least one anomaly type in the kill chain view comprises a link for each anomaly type, the method further comprising:
    - identifying each entity associated with each identified anomaly, wherein an entity is a device, application and/or network user that participated in the network activity that triggered identification of the anomaly;
      
      upon selection by the user, via a graphical user interface, of the link for a selected anomaly type, generating a listing of all anomalies of the selected type, including a link for each anomaly; and
      
      upon selection by the user of the link for a selected anomaly, causing display of a view that indicates a relationship between each entity associated with the anomaly.
  - 14. The method of claim 1, wherein the input received from the user indicates whether the identified threat or an anomaly associated with the threat is accurate or false.
  - 15. The method of claim 1, wherein the input received from the user is an action command to respond to the identified threat.

16. A non-transitory, computer-readable storage medium storing instructions, an execution of which in a computer system causes the computer system to perform operations comprising:
- receiving event data associated with network activities, wherein the event data comprises machine data;
  
  evaluating event data based on a machine learning model utilizing historical data pertaining to evaluations of past events;
  
  identifying at least one anomaly automatically determined from machine learning on the event data;
  
  identifying at least one threat automatically determined from machine learning on the event data and the identified at least one anomaly, wherein a threat is associated with each identified anomaly that, individually or in combination, triggered the determination of the threat; and
  
  upon selection by a user, via a graphical user interface, of an identified threat, generating a kill chain view associated with the threat, wherein the kill chain view includes a plurality of stages, and, for each stage, the kill chain view lists each type of identified anomaly associated with each stage of the kill chain and the number of anomalies of each type, wherein the listing of comprises a link for each anomaly type;
  
  upon selection by the user, via a graphical user interface, of the link for a selected anomaly type, generating a listing of all anomalies of the selected type, including a link for each anomaly;
  
  upon selection by the user of the link for a selected anomaly, generating a prompt to tag the anomaly for subsequent tracking; and
  
  upon receiving input from the user regarding the identified threat based upon the anomalies in the generated kill chain view, providing feedback for training the machine learning model.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The computer-readable storage medium of claim 16, wherein the kill chain view includes the duration of at least one stage of the kill chain for the selected threat and the dates that the stage began and concluded.
  - 18. The computer-readable storage medium of claim 16, wherein stages of the kill chain include intrusion and expansion stages, and the kill chain view includes dates that the intrusion and expansion stages each began and concluded.
  - 19. The computer-readable storage medium of claim 16, wherein the stages of the kill chain include intrusion, expansion, and exfiltration stages, and the kill chain view includes dates that the intrusion and expansion stages each began and concluded and the date that the exfiltration occurred.
  - 20. The computer-readable storage medium of claim 16, wherein the kill chain view identifies the total duration of each type of anomaly.
  - 21. The computer-readable storage medium of claim 16, wherein each entry in the listing of the at least one anomaly type in the kill chain view comprises a link for each anomaly type, the method further comprising:
    - upon selection by the user, via a graphical user interface, of the link, generating a listing of all anomalies of the selected type.
  - 22. The computer-readable storage medium of claim 16, wherein the input received from the user indicates whether the identified threat or an anomaly associated with the threat is accurate or false.
  - 23. The computer-readable storage medium of claim 16, wherein the input received from the user is an action command to respond to the identified threat.

24. A computer system comprising:
- computer memory for storing machine data; and
  
  a processor for;
  
  receiving event data associated with network activities, wherein the event data comprises machine data;
  
  evaluating event data based on a machine learning model utilizing historical data pertaining to evaluations of past events;
  
  identifying at least one anomaly automatically determined from machine learning on the event data;
  
  identifying at least one threat automatically determined from machine learning on the event data and the identified at least one anomaly, wherein a threat is associated with each identified anomaly that, individually or in combination, triggered the determination of the threat; and
  
  upon selection by a user, via a graphical user interface, of an identified threat, generating a kill chain view associated with the threat, wherein the kill chain view includes a plurality of stages, and, for each stage, the kill chain view lists each type of identified anomaly associated with each stage of the kill chain and the number of anomalies of each type, wherein the listing of comprises a link for each anomaly type;
  
  upon selection by the user, via a graphical user interface, of the link for a selected anomaly type, generating a listing of all anomalies of the selected type, including a link for each anomaly;
  
  upon selection by the user of the link for a selected anomaly, generating a prompt to tag the anomaly for subsequent tracking; and
  
  upon receiving input from the user regarding the identified threat based upon the anomalies in the generated kill chain view, providing feedback for training the machine learning model.
- View Dependent Claims (25, 26, 27, 28, 29)
- - 25. The computer system of claim 24, wherein the kill chain view includes the duration of at least one stage of the kill chain for the selected threat and the dates that the stage began and concluded.
  - 26. The computer system of claim 24, wherein stages of the kill chain include intrusion and expansion stages, and the kill chain view includes dates that the intrusion and expansion stages each began and concluded.
  - 27. The computer system of claim 24, wherein the listing of the at least one anomaly type in the kill chain view comprises a link, the processor additionally for:
    - identifying each entity associated with each identified anomaly, wherein an entity is a device, application and/or network user that participated in the network activity that triggered identification of the anomaly;
      
      identifying a score for each identified entity, indicating the severity of the network activities associated with the entity to the security of the network; and
      
      upon selection by the user, via a graphical user interface, of the link for a selected anomaly type, generating a listing of all anomalies of the selected type, including a link to the one or more entities associated with the anomaly and date of the anomaly; and
      
      upon selection by the user of the link for a selected entity, generating a view providing the score for the selected entity.
  - 28. The computer system of claim 24, wherein the input received from the user indicates whether the identified threat or an anomaly associated with the threat is accurate or false.
  - 29. The computer system of claim 24, wherein the input received from the user is an action command to respond to the identified threat.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Muddu, Sudhakar, Tryfonas, Christos
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Gyorfi, Thomas

Application Number

US14/928,451
Publication Number

US 20170063898A1
Time in Patent Office

1,138 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/24578   using ranking

G06F 16/254   Extract, transform and load...

G06F 16/285   Clustering or classification

G06F 16/444   Spatial browsing, e.g. 2D m...

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 3/0482   Interaction with lists of s...

G06F 3/0484   for the control of specific...

G06F 3/04842   Selection of displayed obje...

G06F 3/04847   Interaction techniques to c...

G06F 40/134   Hyperlinking

G06N 20/00   Machine learning

G06N 20/20   Ensemble learning

G06N 5/022   Knowledge engineering; Know...

G06N 5/04   Inference or reasoning models

G06N 7/01   Probabilistic graphical mod...

G06V 10/225   based on a marking or ident...

H04L 2463/121   Timestamp cryptographic mec...

H04L 41/0893   Assignment of logical group...

H04L 41/145   involving simulating, desig...

H04L 41/22   comprising specially adapte...

H04L 43/00 : Arrangements for monitoring...

H04L 43/045 : for graphical visualisation...

H04L 43/062 : related to network traffic

H04L 43/08 : Monitoring or testing based...

H04L 63/06 : for supporting key manageme...

H04L 63/1408 : by monitoring network traff...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1425 : Traffic logging, e.g. anoma...

H04L 63/1433 : Vulnerability analysis

H04L 63/1441 : Countermeasures against mal...

H04L 63/20 : for managing network securi...

H05K 999/99 : dummy group

View All

Method and system for generating a kill chain for monitoring computer network security

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

54 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for generating a kill chain for monitoring computer network security

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links