Discovery of groupings of security alert types and corresponding complex multipart attacks, from analysis of massive security telemetry
First Claim
1. A computer implemented method for discovering groupings of security alerts identifying corresponding complex, multipart attacks, from analysis of security telemetry received from multiple endpoint computing devices, the method comprising:
- receiving collected security telemetry, by a centralized computing system, from a plurality of endpoint computing devices on which attacks occur, the collected security telemetry including a plurality of samples collected on the plurality of endpoint computing devices responsive to detecting by the plurality of endpoint computing devices, one or more attacks from at least one invoking source computing device on which the one or more attacks originate, wherein the plurality of endpoint computing devices and the at least one invoking source computing device are different computing devices;
- identifying alerts in a given sample of the received security telemetry, by the centralized computing system, each specific identified alert having been generated by a triggering signature on a specific one of the plurality of endpoint computing devices, each specific alert containing at least an identifier of the triggering signature, an identifier of a corresponding invoking source computing device, and an identifier of the specific one of the plurality of endpoint computing devices on which the specific identified alert was generated;
- filtering invoking source computing devices of the identified alerts, by the centralized computing system, into a subset of alerts with filtered invoking source computing devices determined to meet at least one condition;
- discovering tuples identifying multipart attacks, by the centralized computing system, by examining the subset of alerts with filtered invoking source computing devices and identifying groupings of multiple alerts generated by at least one common filtered invoking source computing device, wherein a tuple comprises an identified grouping of alert types representative of diverse suspicious operations associated with a specific multipart attack; and
- utilizing the tuples for security analytics comprising one or more of:
  - identifying targeted attacks against organizations associated with the plurality of endpoint computing devices;
  - detecting multiple variations of specific multipart attacks; and
  - identifying one or more attack launching infrastructures associated with the tuples.
Abstract
Alerts generated by triggering signatures on endpoints are identified in samples of security telemetry. The sources of alerts are filtered. Alert tuples identifying multipart attacks are discovered. An iterative multi-pass search of alert types generated by filtered sources can be conducted. During each pass, groups of successively larger numbers of alert types generated by common sources are identified. A list of alert types can be sorted according to the number of filtered sources that generated each alert type, from most to least. Pairs of alert types with multiple common sources can be identified by traversing the sorted list of alerts types. The sorted list can be iteratively traversed, identifying successive additional alert types to add to previously identified groupings, which are used as seed groups for successive identifications. Only the portion of the sorted list appearing after the last added alert type need be examined for successive identifications.
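The multi-pass search the abstract describes, as an added example that is not code from the patent or any assignee: alert types are keyed by the filtered sources that generated them, sorted from most to least sources, seeded with pairs sharing at least a minimum number of common sources, and each seed group is extended only with alert types that appear after its last added member. The filtering condition (a source seen attacking at least two distinct endpoints), the thresholds and the sample telemetry are constructed assumptions.

```python
"""Alert-tuple discovery over sample telemetry (added example, not the patent's code)."""
from collections import defaultdict
from itertools import combinations

# Constructed sample telemetry: (signature_id, invoking_source, endpoint).
ALERTS = [
    ("SIG_A", "src1", "ep1"), ("SIG_B", "src1", "ep1"), ("SIG_C", "src1", "ep2"),
    ("SIG_A", "src2", "ep3"), ("SIG_B", "src2", "ep3"), ("SIG_C", "src2", "ep4"),
    ("SIG_A", "src3", "ep5"), ("SIG_B", "src3", "ep6"), ("SIG_D", "src3", "ep6"),
    ("SIG_A", "src4", "ep7"),  # src4 hit only one endpoint: filtered out below
    ("SIG_E", "src5", "ep8"), ("SIG_E", "src5", "ep9"),
]

def filter_sources(alerts, min_endpoints=2):
    """Assumed filter condition: keep sources seen against >= min_endpoints endpoints."""
    endpoints = defaultdict(set)
    for _sig, src, ep in alerts:
        endpoints[src].add(ep)
    return {src for src, eps in endpoints.items() if len(eps) >= min_endpoints}

def discover_tuples(alerts, min_common=2, min_endpoints=2):
    """Return every alert-type grouping generated by >= min_common filtered sources."""
    keep = filter_sources(alerts, min_endpoints)
    sources = defaultdict(set)  # alert type -> filtered sources that generated it
    for sig, src, _ep in alerts:
        if src in keep:
            sources[sig].add(src)
    # Sorted list of alert types, by number of filtered sources, most to least.
    order = sorted(sources, key=lambda sig: (-len(sources[sig]), sig))
    # First pass: pairs of alert types with enough common sources.
    # Each group carries its common-source set and the index of its last member.
    groups = {}
    for i, j in combinations(range(len(order)), 2):
        common = sources[order[i]] & sources[order[j]]
        if len(common) >= min_common:
            groups[(order[i], order[j])] = (common, j)
    results = set(groups)
    # Later passes: previous groups are seeds; only alert types after the
    # seed's last member need to be examined, so each tuple is built once.
    while groups:
        extended = {}
        for grp, (common, last) in groups.items():
            for k in range(last + 1, len(order)):
                narrowed = common & sources[order[k]]
                if len(narrowed) >= min_common:
                    extended[grp + (order[k],)] = (narrowed, k)
        results |= set(extended)
        groups = extended
    return results
```

Sub-tuples such as ("SIG_A", "SIG_C") survive alongside ("SIG_A", "SIG_B", "SIG_C"); whether to suppress them as redundant is a policy choice the abstract leaves open.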
18 Claims
17. At least one non-transitory computer readable medium for discovering groupings of security alerts identifying corresponding complex, multipart attacks, from analysis of security telemetry received from multiple endpoint computing devices, the at least one non-transitory computer readable medium storing computer executable instructions that, when loaded into computer memory and executed by at least one processor of at least one centralized computing device, cause the at least one centralized computing device to perform the following steps:
- receiving collected security telemetry from a plurality of endpoint computing devices on which attacks occur, the collected security telemetry including a plurality of samples collected on the plurality of endpoint computing devices responsive to detecting by the plurality of endpoint computing devices, one or more attacks from at least one invoking source computing device on which the one or more attacks originate, wherein the plurality of endpoint computing devices and the at least one invoking source computing device are different computing devices;
- identifying alerts in a given sample of the received security telemetry, each specific identified alert having been generated by a triggering signature on a specific one of the plurality of endpoint computing devices, each specific alert containing at least an identifier of the triggering signature, an identifier of a corresponding invoking source computing device, and an identifier of the specific one of the plurality of endpoint computing devices on which the specific identified alert was generated;
- filtering invoking source computing devices of the identified alerts into a subset of alerts with filtered invoking source computing devices determined to meet at least one condition;
- discovering tuples identifying multipart attacks, by examining the subset of alerts with filtered invoking source computing devices and identifying groupings of multiple alerts generated by at least one common filtered invoking source computing device, wherein a tuple comprises an identified grouping of alert types representative of diverse suspicious operations associated with a specific multipart attack; and
- utilizing the tuples for security analytics comprising one or more of:
  - identifying targeted attacks against organizations associated with the plurality of endpoint computing devices;
  - detecting multiple variations of specific multipart attacks; and
  - identifying one or more attack launching infrastructures associated with the tuples.
18. A centralized computing system for discovering groupings of security alerts identifying corresponding complex, multipart attacks, from analysis of security telemetry received from multiple endpoint computing devices, the centralized computing system comprising:
- a processor;
- system memory;
- a receiving module residing in the system memory, the receiving module being programmed to receive collected security telemetry from a plurality of endpoint computing devices on which attacks occur, the collected security telemetry including a plurality of samples collected on the plurality of endpoint computing devices responsive to detecting by the plurality of endpoint computing devices, one or more attacks from at least one invoking source computing device on which the one or more attacks originate, wherein the plurality of endpoint computing devices and the at least one invoking source computing device are different computing devices;
- an alert identifying module residing in the system memory, the alert identifying module being programmed to identify alerts in a given sample of the received security telemetry, each specific identified alert having been generated by a triggering signature on a specific one of the plurality of endpoint computing devices, each specific alert containing at least an identifier of the triggering signature, an identifier of a corresponding invoking source computing device, and an identifier of the specific one of the plurality of endpoint computing devices on which the specific identified alert was generated;
- an invoking source filtering module residing in the system memory, the invoking source filtering module being programmed to filter invoking source computing devices of the identified alerts resulting in a subset of alerts with filtered invoking source computing devices determined to meet at least one condition;
- a tuple discovering module residing in the system memory, the tuple discovering module being programmed to discover tuples identifying multipart attacks, by examining the subset of alerts with filtered invoking source computing devices and identifying groupings of multiple alerts generated by at least one common filtered invoking source computing device, wherein a tuple comprises an identified grouping of alert types representative of diverse suspicious operations associated with a specific multipart attack; and
- utilizing the tuples for security analytics comprising one or more of:
  - identifying targeted attacks against organizations associated with the plurality of endpoint computing devices;
  - detecting multiple variations of specific multipart attacks; and
  - identifying one or more attack launching infrastructures associated with the tuples.