Graph-based network security threat detection across time and entities
First Claim
1. A method comprising:
accessing, from a data store, a relationship graph corresponding to a time range, the time range having a number of time units, the relationship graph having entities as nodes and relationships among the entities as links, the relationship graph reflecting a batch of events that occurred during the time range, wherein each event of the batch of events includes timestamped, raw machine data that reflects one or more of:
(1) activity that occurred in an information technology (IT) or a security technology environment, (2) a time at which the activity occurred, and (3) a number of entities associated with the activity;
assigning the nodes in the relationship graph to groups based on event timestamps, each group corresponding to a time unit and including nodes associated with activities that occurred in the time unit;
constructing links for nodes between different groups, each link representing a relationship between nodes as established by a respective activity recorded in the batch of events, each chain of linked nodes forming a component;
computing a total interest score for each of the formed components, wherein the total interest score reflects a totality of interest generated from all nodes attached to a given link;
adjusting the total interest score for each of the formed components based on comparing events underlying a component with a pattern of interest, wherein the pattern of interest identifies an expected temporal order and/or logical relationship in underlying events for such component to be of interest; and
identifying a component for further security scrutiny based on the adjusted total interest score.
Abstract
The disclosed techniques relate to a graph-based network security analytic framework that combines multiple sources of information and security knowledge in order to detect risky behaviors and potential threats. In some examples, the input can be anomaly events or simply regular events. The entities associated with the activities can be grouped into smaller time units, e.g., per day. The riskiest days of activity can be found by computing a risk score for each day from the features observed in that day. A graph can be built with links between the time units. The links can also receive scores based on a number of factors. The resulting graph can be compared with known security knowledge for adjustments. Threats can be detected based on the adjusted risk score for a component (i.e., a group of linked entities) as well as a number of other factors.
66 Citations
30 Claims
1. A method comprising:

accessing, from a data store, a relationship graph corresponding to a time range, the time range having a number of time units, the relationship graph having entities as nodes and relationships among the entities as links, the relationship graph reflecting a batch of events that occurred during the time range, wherein each event of the batch of events includes timestamped, raw machine data that reflects one or more of:
(1) activity that occurred in an information technology (IT) or a security technology environment, (2) a time at which the activity occurred, and (3) a number of entities associated with the activity;
assigning the nodes in the relationship graph to groups based on event timestamps, each group corresponding to a time unit and including nodes associated with activities that occurred in the time unit;
constructing links for nodes between different groups, each link representing a relationship between nodes as established by a respective activity recorded in the batch of events, each chain of linked nodes forming a component;
computing a total interest score for each of the formed components, wherein the total interest score reflects a totality of interest generated from all nodes attached to a given link;
adjusting the total interest score for each of the formed components based on comparing events underlying a component with a pattern of interest, wherein the pattern of interest identifies an expected temporal order and/or logical relationship in underlying events for such component to be of interest; and
identifying a component for further security scrutiny based on the adjusted total interest score.

Dependent claims 2 through 28 depend from claim 1 (not reproduced on this page).

29. A computer system comprising:

a processor; and
a communication device, operatively coupled to the processor, through which to receive first event data indicative of computer network activity of an entity that is part of or interacts with a computer network and second event data indicative of additional computer network activity associated with the entity;
wherein the processor is configured to perform steps including:
accessing, from a data store, a relationship graph corresponding to a time range, the time range having a number of time units, the relationship graph having entities as nodes and relationships among the entities as links, the relationship graph reflecting a batch of events that occurred during the time range, wherein each event of the batch of events includes timestamped, raw machine data that reflects one or more of:
(1) activity that occurred in an information technology (IT) or a security technology environment, (2) a time at which the activity occurred, and (3) a number of entities associated with the activity;
assigning the nodes in the relationship graph to groups based on event timestamps, each group corresponding to a time unit and including nodes associated with activities that occurred in the time unit;
constructing links for nodes between different groups, each link representing a relationship between nodes as established by a respective activity recorded in the batch of events, each chain of linked nodes forming a component;
computing a total interest score for each of the formed components, wherein the total interest score reflects a totality of interest generated from all nodes attached to a given link;
adjusting the total interest score for each of the formed components based on comparing events underlying a component with a pattern of interest, wherein the pattern of interest identifies an expected temporal order and/or logical relationship in underlying events for such component to be of interest; and
identifying a component for further security scrutiny based on the adjusted total interest score.

30. A non-transitory machine-readable storage medium for use in a processing system, the non-transitory machine-readable storage medium storing instructions, an execution of which in the processing system causes the processing system to perform operations comprising:

accessing, from a data store, a relationship graph corresponding to a time range, the time range having a number of time units, the relationship graph having entities as nodes and relationships among the entities as links, the relationship graph reflecting a batch of events that occurred during the time range, wherein each event of the batch of events includes timestamped, raw machine data that reflects one or more of:
(1) activity that occurred in an information technology (IT) or a security technology environment, (2) a time at which the activity occurred, and (3) a number of entities associated with the activity;
assigning the nodes in the relationship graph to groups based on event timestamps, each group corresponding to a time unit and including nodes associated with activities that occurred in the time unit;
constructing links for nodes between different groups, each link representing a relationship between nodes as established by a respective activity recorded in the batch of events, each chain of linked nodes forming a component;
computing a total interest score for each of the formed components, wherein the total interest score reflects a totality of interest generated from all nodes attached to a given link;
adjusting the total interest score for each of the formed components based on comparing events underlying a component with a pattern of interest, wherein the pattern of interest identifies an expected temporal order and/or logical relationship in underlying events for such component to be of interest; and
identifying a component for further security scrutiny based on the adjusted total interest score.
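A worked implementation of the claimed pipeline (per-day grouping, cross-day links, components, interest score, pattern adjustment, selection), added here as an illustrative example; it is not code from the patent or its assignee. It assumes a time unit of one calendar day, nodes of the form (day, entity), that an event links every pair of entities it names and that the same entity is linked across consecutive active days, that a node's interest is the anomaly score of each event attached to it, and that the pattern of interest is an ordered list of activity types whose matched fraction scales the total score. The events, the pattern and the threshold are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events (not from the patent). Each carries a timestamp, the activity,
# the entities it relates, and a precomputed per-event anomaly score in [0, 1].
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:10:00", "activity": "login",        "entities": ["alice", "host1"],  "anomaly": 0.0},
    {"ts": "2024-03-01T22:30:00", "activity": "login_odd_hr", "entities": ["bob", "host2"],    "anomaly": 0.6},
    {"ts": "2024-03-02T01:05:00", "activity": "priv_esc",     "entities": ["bob", "host2"],    "anomaly": 0.8},
    {"ts": "2024-03-02T10:00:00", "activity": "login",        "entities": ["alice", "host1"],  "anomaly": 0.0},
    {"ts": "2024-03-03T03:40:00", "activity": "exfil",        "entities": ["host2", "ext-ip"], "anomaly": 0.9},
    {"ts": "2024-03-03T11:00:00", "activity": "login",        "entities": ["carol", "host3"],  "anomaly": 0.0},
]

# Hypothetical pattern of interest: activity types a component must contain in this
# temporal order to look like an odd-hour login -> escalation -> exfiltration chain.
PATTERN_OF_INTEREST = ["login_odd_hr", "priv_esc", "exfil"]


def time_unit_of(ts):
    """Time unit is the calendar day of the event (the abstract's per-day grouping)."""
    return datetime.fromisoformat(ts).date().isoformat()


def riskiest_days(events):
    """Per-day risk score (sum of event anomaly scores), riskiest day first."""
    by_day = defaultdict(float)
    for ev in events:
        by_day[time_unit_of(ev["ts"])] += ev["anomaly"]
    return sorted(by_day.items(), key=lambda kv: kv[1], reverse=True)


def build_graph(events):
    """Nodes are (day, entity). Returns (adjacency, event indices per node)."""
    adj = defaultdict(set)
    node_events = defaultdict(list)
    entity_days = defaultdict(set)
    for idx, ev in enumerate(events):
        day = time_unit_of(ev["ts"])
        nodes = [(day, e) for e in ev["entities"]]
        for n in nodes:
            node_events[n].append(idx)
            entity_days[n[1]].add(day)
        # The activity establishes a relationship between every pair of entities it names.
        for i, a in enumerate(nodes):
            for b in nodes[i + 1:]:
                adj[a].add(b)
                adj[b].add(a)
    # Links between groups: the same entity on consecutive active days (assumed rule).
    for entity, days in entity_days.items():
        ordered = sorted(days)
        for d1, d2 in zip(ordered, ordered[1:]):
            adj[(d1, entity)].add((d2, entity))
            adj[(d2, entity)].add((d1, entity))
    return adj, node_events


def connected_components(nodes, adj):
    """Each chain of linked nodes forms a component (BFS over the undirected links)."""
    seen, comps = set(), []
    for start in nodes:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        seen.add(start)
        while queue:
            n = queue.popleft()
            comp.add(n)
            for m in adj.get(n, ()):
                if m not in seen:
                    seen.add(m)
                    queue.append(m)
        comps.append(comp)
    return comps


def total_interest(comp, events, node_events):
    """Totality of interest over all nodes: an event shared by two linked nodes counts at both ends."""
    return sum(events[i]["anomaly"] for n in comp for i in node_events[n])


def pattern_fraction(comp, events, node_events, pattern):
    """Fraction of the pattern matched as an in-order subsequence of the component's events."""
    idxs = sorted({i for n in comp for i in node_events[n]}, key=lambda i: events[i]["ts"])
    matched = 0
    for i in idxs:
        if matched < len(pattern) and events[i]["activity"] == pattern[matched]:
            matched += 1
    return matched / len(pattern)


def score_components(events, pattern, threshold):
    """Score every component, adjust by the pattern match, and flag those worth scrutiny."""
    adj, node_events = build_graph(events)
    results = []
    for comp in connected_components(list(node_events), adj):
        total = total_interest(comp, events, node_events)
        adjusted = total * (1.0 + pattern_fraction(comp, events, node_events, pattern))
        results.append({
            "entities": sorted({e for _, e in comp}),
            "days": sorted({d for d, _ in comp}),
            "total": round(total, 3),
            "adjusted": round(adjusted, 3),
            "flagged": adjusted >= threshold,
        })
    return sorted(results, key=lambda r: r["adjusted"], reverse=True)
```

Running `score_components(SAMPLE_EVENTS, PATTERN_OF_INTEREST, threshold=5.0)` yields three components; only the bob/host2/ext-ip chain, which spans three days and matches the full pattern in order, is flagged, while the benign alice/host1 chain of the same shape scores zero. The pattern adjustment is what separates a component that merely accumulates anomalous nodes from one whose events occur in the expected attack order; a practitioner would tune the threshold and the per-event anomaly source to the environment.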
Specification