Interface providing an interactive timeline for evaluating instances of potential network compromise

US 10,193,901 B2
Filed: 10/30/2015
Issued: 01/29/2019
Est. Priority Date: 08/31/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving event data generated by network activities of entities that interact with a computer network, wherein the event data comprises machine data, and the entities include at least one of computer users and devices in communication with the computer network;

identifying instances of potential network compromise from the event data comprising threats based on one or more anomalies automatically triggered by detecting deviations from expected or permitted network activities, wherein each of the instances of potential network compromise is classified by type and associated with a time period of occurrence and an entity or entities that participated in the network activity that triggered the corresponding automated determination;

causing display, in a graphical user interface, of an interactive graphic of data values indicating identified instances of potential network compromise occurring at time periods along a timeline, including graphical representations indicating a level of risk and the number of instances of network compromise occurring during a same time period;

upon receiving a selection by a user, via the graphical user interface, of a time period from the timeline, causing display of a listing of each identified instance of potential network compromise occurring at the selected time period, the listing including the type of instance and each associated entity; and

upon receiving a selection of a threat from the listing of instances of potential network compromise, causing display of a graphical representation of a relationship between the entities participating in the network activities that triggered the threat, wherein the display includes one or more lines that connect the entities whose participation together in a network activity triggered an anomaly, and upon receiving a selection of a line in the display, causing the type of the anomaly to be displayed.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security platform employs a variety techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.

Citations

29 Claims

1. A method comprising:
- receiving event data generated by network activities of entities that interact with a computer network, wherein the event data comprises machine data, and the entities include at least one of computer users and devices in communication with the computer network;
  
  identifying instances of potential network compromise from the event data comprising threats based on one or more anomalies automatically triggered by detecting deviations from expected or permitted network activities, wherein each of the instances of potential network compromise is classified by type and associated with a time period of occurrence and an entity or entities that participated in the network activity that triggered the corresponding automated determination;
  
  causing display, in a graphical user interface, of an interactive graphic of data values indicating identified instances of potential network compromise occurring at time periods along a timeline, including graphical representations indicating a level of risk and the number of instances of network compromise occurring during a same time period;
  
  upon receiving a selection by a user, via the graphical user interface, of a time period from the timeline, causing display of a listing of each identified instance of potential network compromise occurring at the selected time period, the listing including the type of instance and each associated entity; and
  
  upon receiving a selection of a threat from the listing of instances of potential network compromise, causing display of a graphical representation of a relationship between the entities participating in the network activities that triggered the threat, wherein the display includes one or more lines that connect the entities whose participation together in a network activity triggered an anomaly, and upon receiving a selection of a line in the display, causing the type of the anomaly to be displayed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the timeline is a column chart illustrating a number of each type of instance occurring on time periods when there is at least one instance of potential network compromise.
  - 3. The method of claim 1, wherein the identified instances of potential network compromise from the event data comprise anomalies.
  - 4. The method of claim 1, wherein the identified instances of potential network compromise comprise anomalies, the method further comprising:
    - upon receiving a selection of an anomaly from the listing of instances of potential network compromise, causing display of the event data that triggered detection of the anomaly.
  - 5. The method of claim 1, wherein the identified instances of potential network compromise anomalies, the method further comprising:
    - upon receiving a selection of an anomaly from the listing of instances of potential network compromise, causing display of a graphical representation of a relationship between the entities whose network activity triggered detection of the anomaly.
  - 6. The method of claim 1, wherein the identified instances of potential network compromise comprise anomalies, the method further comprising:
    - upon receiving a selection of an anomaly from the listing of instances of potential network compromise, prompting a user to designate whether the anomaly is a false positive.
  - 7. The method of claim 1, wherein the identified instances of potential network compromise comprise anomalies, and each anomaly is classified as a type from a set of anomaly types, the set of anomaly types including at least one type pertaining to an alarm, an excessive data transfer, or an unusual login time.
  - 8. The method of claim 1, wherein the identified instances of potential network compromise comprise threats.
  - 9. The method of claim 1, wherein the identified instances of potential network compromise comprise threats, and each threat has been detected based on automated determinations of one or more anomalies.
  - 10. The method of claim 1, wherein the identified instances of potential network compromise comprise threats, and each threat has been detected based on automated determinations of one or more anomalies, the method further comprising:
    - upon receiving a selection of a threat from the listing of threats, causing display of a graphical representation of a relationship between the entities whose participation in the network activities triggered detection of the threat.
  - 11. The method of claim 1, wherein the identified instances of potential network compromise comprise threats based on automated determinations of one or more anomalies, the method further comprising:
    - upon receiving a selection of a threat from the listing of threats, prompting a user to designate whether the threat has been resolved.
  - 12. The method of claim 1, wherein the identified instances of potential network compromise comprise threats, the method further comprising:
    - upon receiving a selection of a threat from the listing of threats, prompting a user to designate whether the threat is a false positive.
  - 13. The method of claim 1, wherein the identified instances of potential network compromise comprise threats, and each threat is classified as a type from a set of threat types, the set of threat types including at least one type pertaining to external or internal behavior relative to the computer network.
  - 14. The method of claim 1, wherein the identified instances of potential network compromise comprise threats, and each threat is classified as a type from a set of threat types, the set of threat types including at least one type pertaining to malware, data exfiltration, compromise of the organization'"'"'s website, large file transfers, or attack.
  - 15. The method of claim 1, wherein the instances of potential network compromise are identified based on real-time automated detection.
  - 16. The method of claim 1, wherein the instances of potential network compromise are identified based on both real-time detection and batch detection.
  - 17. The method of claim 1, wherein the instances of potential network compromise are threats, the timeline is a column chart illustrating a number of each type of threat occurring on time periods when there is at least one threat, and wherein upon user-selection of any threat illustrated in the chart, a detailed view for the selected threat is generated, identifying the start date and last update for the selected threat.

18. A non-transitory, computer-readable storage medium storing instructions, an execution of which in a computer system causes the computer system to perform operations comprising:
- receiving event data generated by network activities of entities that interact with a computer network, wherein the event data comprises machine data, and the entities include at least one of computer users and devices in communication with the computer network;
  
  identifying instances of potential network compromise from the event data comprising threats based on one or more anomalies automatically triggered by detecting deviations from expected or permitted network activities, wherein each of the instances of potential network compromise is classified by type and associated with a time period of occurrence and an entity or entities that participated in the network activity that triggered the corresponding automated determination;
  
  causing display, in a graphical user interface, of an interactive graphic of data values indicating identified instances of potential network compromise occurring at time periods along a timeline, including graphical representations indicating a level of risk and the number of instances of network compromise occurring during a same time period;
  
  upon receiving a selection by a user, via the graphical user interface, of a time period from the timeline, causing display of a listing of each identified instance of potential network compromise occurring at the selected time period, the listing including the type of instance and each associated entity; and
  
  upon receiving a selection of a threat from the listing of instances of potential network compromise, causing display of a graphical representation of a relationship between the entities participating in the network activities that triggered the threat, wherein the display includes one or more lines that connect the entities whose participation together in a network activity triggered an anomaly, and upon receiving a selection of a line in the display, causing the type of the anomaly to be displayed.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26)
- - 19. The computer-readable storage medium of claim 18, wherein the identified instances of potential network compromise comprise anomalies.
  - 20. The computer-readable storage medium of claim 18, wherein the identified instances of potential network compromise comprise anomalies, and the instructions further comprise code for:
    - upon receiving a selection of an anomaly from the listing of instances of potential network compromise, further causing display of event data that triggered the anomaly.
  - 21. The computer-readable storage medium of claim 18, wherein the identified instances of potential network compromise comprise anomalies, and the instructions further comprise code for:
    - upon receiving a selection of an anomaly from the listing of instances of potential network compromise, causing display of a graphical representation of a relationship between entities participating in the network activity that triggered the anomaly.
  - 22. The computer-readable storage medium of claim 18, wherein the identified instances of potential network compromise comprise anomalies, and each anomaly is classified as a type from a set of anomaly types, the set of anomaly types including at least one type pertaining to an alarm, an excessive data transfer, or an unusual login time.
  - 23. The computer-readable storage medium of claim 18, wherein the identified instances of potential network compromise comprise threats.
  - 24. The computer-readable storage medium of claim 18, wherein the identified instances of potential network compromise comprise threats based on automated determinations of one or more anomalies, and the instructions further comprise code for:
    - upon receiving a selection of a threat from the listing of threats, causing display of a graphical representation of a relationship between entities whose participation in the network activities triggered the threat.
  - 25. The computer-readable storage medium of claim 18, wherein the identified instances of potential network compromise comprise threats based on automated determinations of one or more anomalies, and the instructions further comprise code for:
    - upon receiving a selection of a threat from the listing of threats, prompting a user to designate whether the threat has been resolved.
  - 26. The computer-readable storage medium of claim 18, wherein the instances of potential network compromise are threats, the timeline is a column chart illustrating a number of each type of threat occurring on time periods when there is at least one threat, and wherein upon user-selection of any threat illustrated in the chart, a detailed view for the selected threat is generated, identifying the start date and last update for the selected threat.

27. A computer system comprising:
- computer memory for storing machine data; and
  
  a processor for;
  
  receiving event data generated by network activities of entities that interact with a computer network, wherein the event data comprises machine data, and the entities include at least one of computer users and devices in communication with the computer network;
  
  identifying instances of potential network compromise from the event data comprising threats based on one or more anomalies automatically triggered by detecting deviations from expected or permitted network activities, wherein each of the instances of potential network compromise is classified by type and associated with a time period of occurrence and an entity or entities that participated in the network activity that triggered the corresponding automated determination;
  
  causing display, in a graphical user interface, of an interactive graphic of data values indicating identified instances of potential network compromise occurring at time periods along a timeline, including graphical representations indicating a level of risk and the number of instances of network compromise occurring during a same time period;
  
  upon receiving a selection by a user, via the graphical user interface, of a time period from the timeline, causing display of a listing of each identified instance of potential network compromise occurring at the selected time period, the listing including the type of instance and each associated entity; and
  
  upon receiving a selection of a threat from the listing of instances of potential network compromise, causing display of a graphical representation of a relationship between the entities participating in the network activities that triggered the threat, wherein the display includes one or more lines that connect the entities whose participation together in a network activity triggered an anomaly, and upon receiving a selection of a line in the display, causing the type of the anomaly to be displayed.
- View Dependent Claims (28, 29)
- - 28. The computer system of claim 27, wherein the timeline is a column chart illustrating a number of each type of instance occurring on dates when there is at least one instance of potential network compromise.
  - 29. The computer system of claim 27, wherein the instances of potential network compromise are threats, the timeline is a column chart illustrating a number of each type of threat occurring on time periods when there is at least one threat, and wherein upon user-selection of any threat illustrated in the chart, a detailed view for the selected threat is generated, identifying the start date and last update for the selected threat.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc. (Cisco Systems, Inc.)
Original Assignee
Splunk Inc. (Cisco Systems, Inc.)
Inventors
Muddu, Sudhakar, Tryfonas, Christos
Primary Examiner(s)
Naghdali, Khalil

Application Number

US14/928,421
Publication Number

US 20170063897A1
Time in Patent Office

1,187 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 16/24578   using ranking

G06F 16/254   Extract, transform and load...

G06F 16/285   Clustering or classification

G06F 16/444   Spatial browsing, e.g. 2D m...

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 3/0482   Interaction with lists of s...

G06F 3/0484   for the control of specific...

G06F 3/04842   Selection of displayed obje...

G06F 3/04847   Interaction techniques to c...

G06F 40/134   Hyperlinking

G06N 20/00   Machine learning

G06N 20/20   Ensemble learning

G06N 5/022   Knowledge engineering; Know...

G06N 5/04   Inference or reasoning models

G06N 7/01   Probabilistic graphical mod...

G06V 10/225   based on a marking or ident...

H04L 2463/121   Timestamp

H04L 41/0893   Assignment of logical group...

H04L 41/145   involving simulating, desig...

H04L 41/22   comprising specially adapte...

H04L 43/00 : Arrangements for monitoring...

H04L 43/045 : for graphical visualisation...

H04L 43/062 : related to network traffic

H04L 43/08 : Monitoring or testing based...

H04L 63/06 : for supporting key manageme...

H04L 63/1408 : by monitoring network traff...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1425 : Traffic logging, e.g. anoma...

H04L 63/1433 : Vulnerability analysis

H04L 63/1441 : Countermeasures against mal...

H04L 63/20 : for managing network securi...

View All

Interface providing an interactive timeline for evaluating instances of potential network compromise

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Interface providing an interactive timeline for evaluating instances of potential network compromise

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links