Discovery of groupings of security alert types and corresponding complex multipart attacks, from analysis of massive security telemetry

US 10,178,109 B1
Filed: 03/31/2016
Issued: 01/08/2019
Est. Priority Date: 03/31/2016
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for discovering groupings of security alerts identifying corresponding complex, multipart attacks, from analysis of security telemetry received from multiple endpoint computing devices, the method comprising:

receiving collected security telemetry, by a centralized computing system, from a plurality of endpoint computing devices on which attacks occur, the collected security telemetry including a plurality of samples collected on the plurality of endpoint computing devices responsive to detecting by the plurality of endpoint computing devices, one or more attacks from at least one invoking source computing device on which the one or more attacks originate, wherein the plurality of endpoint computing devices and the at least one invoking source computing device are different computing devices;

identifying alerts in a given sample of the received security telemetry, by the centralized computing system, each specific identified alert having been generated by a triggering signature on a specific one of the plurality of endpoint computing devices, each specific alert containing at least an identifier of the triggering signature, an identifier of a corresponding invoking source computing device, and an identifier of the specific one of the plurality of endpoint computing devices on which the specific identified alert was generated;

filtering invoking source computing devices of the identified alerts, by the centralized computing system, into a subset of alerts with filtered invoking source computing devices determined to meet at least one condition;

discovering tuples identifying multipart attacks, by the centralized computing system, by examining the subset of alerts with filtered invoking source computing devices and identifying groupings of multiple alerts generated by at least one common filtered invoking source computing device, wherein a tuple comprises an identified grouping of alert types representative of diverse suspicious operations associated with a specific multipart attack; and

utilizing the tuples for security analytics comprising one or more of;

identifying targeted attacks against organizations associated with the plurality of endpoint computing devices;

detecting multiple variations of specific multipart attacks; and

identifying one or more attack launching infrastructures associated with the tuples.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Alerts generated by triggering signatures on endpoints are identified in samples of security telemetry. The sources of alerts are filtered. Alert tuples identifying multipart attacks are discovered. An iterative multi-pass search of alert types generated by filtered sources can be conducted. During each pass, groups of successively larger numbers of alert types generated by common sources are identified. A list of alert types can be sorted according to the number of filtered sources that generated each alert type, from most to least. Pairs of alert types with multiple common sources can be identified by traversing the sorted list of alerts types. The sorted list can be iteratively traversed, identifying successive additional alert types to add to previously identified groupings, which are used as seed groups for successive identifications. Only the portion of the sorted list appearing after the last added alert type need be examined for successive identifications.

Citations

18 Claims

1. A computer implemented method for discovering groupings of security alerts identifying corresponding complex, multipart attacks, from analysis of security telemetry received from multiple endpoint computing devices, the method comprising:
- receiving collected security telemetry, by a centralized computing system, from a plurality of endpoint computing devices on which attacks occur, the collected security telemetry including a plurality of samples collected on the plurality of endpoint computing devices responsive to detecting by the plurality of endpoint computing devices, one or more attacks from at least one invoking source computing device on which the one or more attacks originate, wherein the plurality of endpoint computing devices and the at least one invoking source computing device are different computing devices;
  
  identifying alerts in a given sample of the received security telemetry, by the centralized computing system, each specific identified alert having been generated by a triggering signature on a specific one of the plurality of endpoint computing devices, each specific alert containing at least an identifier of the triggering signature, an identifier of a corresponding invoking source computing device, and an identifier of the specific one of the plurality of endpoint computing devices on which the specific identified alert was generated;
  
  filtering invoking source computing devices of the identified alerts, by the centralized computing system, into a subset of alerts with filtered invoking source computing devices determined to meet at least one condition;
  
  discovering tuples identifying multipart attacks, by the centralized computing system, by examining the subset of alerts with filtered invoking source computing devices and identifying groupings of multiple alerts generated by at least one common filtered invoking source computing device, wherein a tuple comprises an identified grouping of alert types representative of diverse suspicious operations associated with a specific multipart attack; and
  
  utilizing the tuples for security analytics comprising one or more of;
  
  identifying targeted attacks against organizations associated with the plurality of endpoint computing devices;
  
  detecting multiple variations of specific multipart attacks; and
  
  identifying one or more attack launching infrastructures associated with the tuples.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1 wherein receiving collected security telemetry from a plurality of endpoint computing devices further comprises:
    - periodically receiving updated security telemetry from participating endpoint computing devices.
  - 3. The method of claim 1 wherein receiving collected security telemetry from a plurality of endpoint computing devices further comprises:
    - receiving collected security telemetry from more than a thousand separate participating endpoint computing devices.
  - 4. The method of claim 1 wherein identifying alerts in a given sample of the received security telemetry further comprises:
    - identifying alerts of given types in the given sample of the received security telemetry.
  - 5. The method of claim 1 wherein filtering invoking source computing devices of the identified alerts further comprises:
    - filtering out invoking source computing devices with private Internet Protocol addresses, resulting in a subset of only those alerts with invoking source computing devices with public Internet Protocol addresses.
  - 6. The method of claim 1 wherein filtering invoking source computing devices of the identified alerts further comprises:
    - filtering out invoking source computing devices that do not meet a given threshold number of generated alert types, resulting in a subset of only those alerts that have invoking source computing devices that do meet the given threshold number of generated alert types.
  - 7. The method of claim 1 wherein filtering invoking source computing devices of the identified alerts further comprises:
    - filtering out invoking source computing devices that do not generate alerts on a given threshold number of targeted endpoint computing devices, resulting in a subset of only those alerts that have invoking source computing devices that do generate alerts on the given threshold number of targeted endpoint computing devices.
  - 8. The method of claim 1 wherein filtering invoking source computing devices of the identified alerts further comprises:
    - filtering out invoking source computing devices that do not meet a given threshold number of total generated alerts, resulting in a subset of only those alerts that have invoking source computing devices that do meet the given threshold number of total generated alerts.
  - 9. The method of claim 1 wherein discovering tuples identifying multipart attacks further comprises:
    - identifying a grouping of alert types in the subset of alerts with filtered invoking source computing devices, the identified grouping comprising multiple alert types generated by at least one common invoking source computing device;
      
      adjudicating the identified grouping to be a tuple identifying a multipart attack; and
      
      assigning a confidence level to the tuple, the confidence level quantifying an assessed likelihood that the identification of the multipart attack by the tuple is accurate.
  - 10. The method of claim 1 wherein discovering tuples identifying multipart attacks further comprises:
    - assigning confidence levels to the discovered tuples, based on at least one of;
      
      number of alert types, number of common invoking source computing devices and confidence levels in triggering signatures.
  - 11. The method of claim 1 wherein discovering tuples identifying multipart attacks by examining the subset of alerts with filtered invoking source computing devices and identifying groupings of multiple alerts generated by at least one common invoking source computing device further comprises:
    - conducting an iterative multi-pass search of alert types generated by filtered invoking source computing devices;
      
      during each pass of the iterative multi-pass search, identifying groups of successively larger numbers of alert types generated by at least one common invoking source computing device; and
      
      adjudicating at least one identified group of alert types generated by at least one common invoking source computing device as a tuple that identifies a multipart attack.
  - 12. The method of claim 1 wherein discovering tuples identifying multipart attacks by examining the subset of alerts with filtered invoking source computing devices and identifying groupings of multiple alerts generated by at least one common invoking source computing device further comprises:
    - sorting a list of alert types generated by filtered invoking source computing devices, according to a number of filtered invoking source computing devices that generated each alert type from most to least;
      
      identifying groupings of alert types with multiple common invoking source computing devices, by traversing the sorted list of alerts types going from most invoking source computing devices to least;
      
      iteratively traversing the sorted list identifying successive additional alert types to add to previously identified groupings, using previously identified groupings of alert types as seed groups for successive identifications, wherein only a portion of the sorted list appearing after the last added alert type is examined for successive identifications.
  - 13. The method of claim 1 wherein discovering a tuple further comprises:
    - discovering a tuple containing at least one alert type triggered by a verified signature and at least one alert type triggered by an experimental signature.
  - 14. The method of claim 1 further comprising:
    - providing discovered alert tuples to a plurality of endpoint computing devices where tuples are utilized to predict and defend against suspected future occurrence of components of detected multipart attacks.
  - 15. The method of claim 1 further comprising:
    - providing discovered alert tuples to a plurality of endpoint computing devices where tuples are utilized to identify previously executed components of detected multipart attacks and take corresponding corrective action.
  - 16. The method of claim 1 further comprising:
    - adjusting confidence levels in experimental signatures indicative of individual alerts, by performing security analytics on multiple discovered tuples.

17. At least one non-transitory computer readable medium for discovering groupings of security alerts identifying corresponding complex, multipart attacks, from analysis of security telemetry received from multiple endpoint computing devices, the at least one non-transitory computer readable medium storing computer executable instructions that, when loaded into computer memory and executed by at least one processor of at least one centralized computing device, cause the at least one centralized computing device to perform the following steps:
- receiving collected security telemetry from a plurality of endpoint computing devices on which attacks occur, the collected security telemetry including a plurality of samples collected on the plurality of endpoint computing devices responsive to detecting by the plurality of endpoint computing devices, one or more attacks from at least one invoking source computing device on which the one or more attacks originate, wherein the plurality of endpoint computing devices and the at least one invoking source computing device computing device are different computing devices;
  
  identifying alerts in a given sample of the received security telemetry, each specific identified alert having been generated by a triggering signature on a specific one of the plurality of endpoint computing devices, each specific alert containing at least an identifier of the triggering signature, an identifier of a corresponding invoking source computing device, and an identifier of the specific one of the plurality of endpoint computing devices on which the specific identified alert was generated;
  
  filtering invoking source computing devices of the identified alerts into a subset of alerts with filtered invoking source computing devices determined to meet at least one condition;
  
  discovering tuples identifying multipart attacks, by examining the subset of alerts with filtered invoking source computing devices and identifying groupings of multiple alerts generated by at least one common filtered invoking source computing device, wherein a tuple comprises an identified grouping of alert types representative of diverse suspicious operations associated with a specific multipart attack; and
  
  utilizing the tuples for security analytics comprising one or more of;
  
  identifying targeted attacks against organizations associated with the plurality of endpoint computing devices;
  
  detecting multiple variations of specific multipart attacks; and
  
  identifying one or more attack launching infrastructures associated with the tuples.

18. A centralized computing system for discovering groupings of security alerts identifying corresponding complex, multipart attacks, from analysis of security telemetry received from multiple endpoint computing devices, the centralized computing system comprising:
- a processor;
  
  system memory;
  
  a receiving module residing in the system memory, the receiving module being programmed to receive collected security telemetry from a plurality of endpoint computing devices on which attacks occur, the collected security telemetry including a plurality of samples collected on the plurality of endpoint computing devices responsive to detecting by the plurality of endpoint computing devices, one or more attacks from at least one invoking source computing device on which the one or more attacks originate, wherein the plurality of endpoint computing devices and the at least one invoking source computing device are different computing devices;
  
  an alert identifying module residing in the system memory, the alert identifying module being programmed to identify alerts in a given sample of the received security telemetry, each specific identified alert having been generated by a triggering signature on a specific one of the plurality of endpoint computing devices, each specific alert containing at least an identifier of the triggering signature, an identifier of a corresponding invoking source computing device, and an identifier of the specific one of the plurality of endpoint computing devices on which the specific identified alert was generated;
  
  an invoking source filtering module residing in the system memory, the invoking source filtering module being programmed to filter invoking source computing devices of the identified alerts resulting in a subset of alerts with filtered invoking source computing devices determined to meet at least one condition;
  
  a tuple discovering module residing in the system memory, the tuple discovering module being programmed to discover tuples identifying multipart attacks, by examining the subset of alerts with filtered invoking source computing devices and identifying groupings of multiple alerts generated by at least one common filtered invoking source computing device, wherein a tuple comprises an identified grouping of alert types representative of diverse suspicious operations associated with a specific multipart attack; and
  
  utilizing the tuples for security analytics comprising one or more of;
  
  identifying targeted attacks against organizations associated with the plurality of endpoint computing devices;
  
  detecting multiple variations of specific multipart attacks; and
  
  identifying one or more attack launching infrastructures associated with the tuples.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Miskovic, Stanislav
Primary Examiner(s)
Jhaveri, Jayesh M

Application Number

US15/088,001
Time in Patent Office

1,013 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/146   Tracing the source of attacks

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Discovery of groupings of security alert types and corresponding complex multipart attacks, from analysis of massive security telemetry

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Discovery of groupings of security alert types and corresponding complex multipart attacks, from analysis of massive security telemetry

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links