Method and system for reviewing identified threats for performing computer security monitoring

US 10,212,174 B2
Filed: 10/30/2015
Issued: 02/19/2019
Est. Priority Date: 08/31/2015
Status: Active Grant

First Claim

Patent Images

1. A computerized method comprising:

receiving event data associated with network activities by devices, applications, and network users that interact with a computer network, wherein the devices, applications, and network users are different types of entities;

identifying instances of potential network compromise automatically determined from the event data, wherein instances include threats and anomalies, the identified instances are associated with each of the respective devices, applications, and network users that participated in the network activities from which the instances were determined, and each threat is an interpretation or a conclusion based on one or more of the anomalies;

automatically determining a score for each entity, wherein the score indicates a risk level based at least in part on the number and/or type of identified instances of potential network compromise associated with the entity; and

causing display, in a graphical user interface, of an indication of the score for each of the entities, wherein;

the graphical user interface selectively provides an entities view for each of the types of entities,each entities view lists at least all entities of that selected type that participated in network activities that triggered determinations of potential network compromise, andeach entity listed in the entities view includes the associated score and a link which, upon selection by a user, causes the graphical user interface to generate a detailed view comprising additional data about the selected entity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security platform employs a variety techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.

68 Citations

View as Search Results

27 Claims

1. A computerized method comprising:
- receiving event data associated with network activities by devices, applications, and network users that interact with a computer network, wherein the devices, applications, and network users are different types of entities;
  
  identifying instances of potential network compromise automatically determined from the event data, wherein instances include threats and anomalies, the identified instances are associated with each of the respective devices, applications, and network users that participated in the network activities from which the instances were determined, and each threat is an interpretation or a conclusion based on one or more of the anomalies;
  
  automatically determining a score for each entity, wherein the score indicates a risk level based at least in part on the number and/or type of identified instances of potential network compromise associated with the entity; and
  
  causing display, in a graphical user interface, of an indication of the score for each of the entities, wherein;
  
  the graphical user interface selectively provides an entities view for each of the types of entities,each entities view lists at least all entities of that selected type that participated in network activities that triggered determinations of potential network compromise, andeach entity listed in the entities view includes the associated score and a link which, upon selection by a user, causes the graphical user interface to generate a detailed view comprising additional data about the selected entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the graphical user interface further provides at least one entities view comprising a listing of entities of at least one type that participated in network activities that triggered determinations of potential network compromise;
    - wherein each entity listed in the entities view includes the associated score and a link which, upon selection by a user, causes the graphical user interface to generate a detailed view comprising additional data about the selected entity.
  - 3. The method of claim 2, wherein the entities view lists, for each entity, the number of anomalies associated with the entity.
  - 4. The method of claim 2, wherein the entities view lists, for each entity, the number of threats and anomalies associated with the entity.
  - 5. The method of claim 2, wherein the graphical user interface provides a prompt for filtering the entities view according to score, andupon selection by a user of a score via the graphical user interface, filtering the entities view to include only the entities associated with scores corresponding to the user'"'"'s selection.
  - 6. The method of claim 2, wherein the entities view comprises a listing of network users in a computer network of an organization,and further includes, for each network user, the date of the most recent automated determination regarding the network user'"'"'s involvement in a potential instance of network compromise.
  - 7. The method of claim 2, wherein the entities view comprises a listing of devices communicating on the network and associated with an instance of network compromise,and further wherein the listing includes, for each device, the date of the most recent automated determination regarding the device'"'"'s involvement in a potential instance of network compromise.
  - 8. The method of claim 2, wherein the entities view includes, for each entity, the date of the most recent update regarding the entity'"'"'s participation in a potential instance of network compromise, andwherein the graphical user interface provides a prompt for filtering the entities view according to date, andupon selection by a user of a temporal range via the graphical user interface, filtering the entities view to include only the entities associated with a date of most recent update falling within the selected temporal range.
  - 9. The method of claim 2, wherein the entities view comprises a listing of applications that have run on the network and are associated with an instance of network compromise, and, upon selection of an entry in the listing, providing a detailed view illustrating the relationship between the application and the at least one identified instance of potential network compromise associated with the application.
  - 10. The method of claim 2, further comprising:
    - upon selection by a user of an entity in the listing via the graphical user interface, generating a detailed view of the entity providing additional information, including a trends graph illustrating any changes in the score associated with the entity over a period of time.
  - 11. The method of claim 2, further comprising:
    - upon selection by a user of an entity in the listing via the graphical user interface, generating a detailed view of the entity providing additional information, including an illustration of the relationship between the entity and the associated at least one instance of potential network compromise.
  - 12. The method of claim 2, further comprising:
    - upon selection by a user of an entity in the listing via the graphical user interface, generating a detailed view of the entity providing additional information including, if relevant event data is available, an illustration of how recent network activities associated with the entity has varied from a baseline of activity.
  - 13. The method of claim 2, wherein, upon selection by a user of an entity in the listing via the graphical user interface, generating a detailed view of the entity providing a prompt for a user to tag the selected entity for future tracking, andupon receiving a selection by a user of a tag, associating the tag with the selected entity such that the tag is included in the additional data provided in response to subsequent requests to generate the detailed view of the selected entity.
  - 14. The method of claim 2, wherein the entities view comprises a listing of network users in a computer network of an organization and upon selection by a user of a network user in the listing, a detailed network user view is generated that identifies other network users determined to be similar.
  - 15. The method of claim 2, wherein, upon selection by a user of an entity in the listing via the graphical user interface, generating a detailed view of the entity that provides additional information concerning the entity,upon receiving a selection by a user, via the graphical user interface, of a link in the detailed view, generating an instances view listing instances of potential network compromise that are associated with the entity.
  - 16. The method of claim 2, wherein, upon selection by a user of an entity in the listing via the graphical user interface, generating a detailed view of the entity that provides additional information concerning the entity,upon receiving a selection by a user, via the graphical user interface, of a link in the detailed view, generating an instances view listing instances of potential network compromise that are associated with the entity,wherein each listed instance includes a link to a detailed view of that instance.
  - 17. The method of claim 1, wherein the entities view comprises a listing of users in a computer network of an organization including the department in which the user is assigned in the organization.

18. A non-transitory, computer-readable storage medium storing instructions, an execution of which in a computer system causes the computer system to perform operations comprising:
- receiving event data associated with network activities by devices, applications, and network users that interact with a computer network, wherein the devices, applications, and network users are different types of entities;
  
  identifying instances of potential network compromise automatically determined from the event data, wherein instances include threats and anomalies, the identified instances are associated with each of the respective devices, applications, and network users that participated in the network activities from which the instances were determined, and each threat is an interpretation or a conclusion based on one or more of the anomalies;
  
  automatically determining a score for each entity, wherein the score indicates a risk level based at least in part on the number and/or type of identified instances of potential network compromise associated with the entity;
  
  causing for display, in a graphical user interface, of an indication of the score for each of the entities, wherein;
  
  the graphical user interface selectively provides an entities view for each of the types of entities,each entities view lists at least all entities of that selected type that participated in network activities that triggered determinations of potential network compromise, andeach entity listed in the entities view includes the associated score and a link which, upon selection by a user, causes the graphical user interface to generate a detailed view comprising additional data about the selected entity.
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. The computer-readable storage medium of claim 18, wherein the graphical user interface provides at least one entities view comprising a listing of entities of at least one type that participated in network activities that triggered determinations of potential network compromise;
    - wherein each entity listed in the entities view includes the associated score and a link which, upon selection by a user, causes the graphical user interface to generate a detailed view comprising additional data about the selected entity.
  - 20. The computer-readable storage medium of claim 19, wherein the entities view lists, for each entity, the number of anomalies associated with the entity.
  - 21. The computer-readable storage medium of claim 19, wherein the entities view lists, for each entity, the number of threats and anomalies associated with the entity.
  - 22. The computer-readable storage medium of claim 19, wherein the graphical user interface provides a prompt for filtering the entities view according to score, andupon selection by a user of a score via the graphical user interface, filtering the entities view to include only the entities associated with scores corresponding to the user'"'"'s selection.
  - 23. The computer-readable storage medium of claim 19, wherein the entities view comprises a listing of users in a computer network of an organization including, if known, the department in which the user is assigned in the organization.
  - 24. The computer-readable storage medium of claim 19, wherein the entities view comprises a listing of network users in a computer network of an organization,and further includes, for each network user, the date of the most recent automated determination regarding the network user'"'"'s participation in a potential instance of network compromise.

25. A computer system comprising:
- computer memory for storing machine data; and
  
  a processor for;
  
  receiving event data associated with network activities by devices, applications, and network users that interact with a computer network, wherein the devices, applications, and network users are different types of entities;
  
  identifying instances of potential network compromise automatically determined from the event data, wherein instances include threats and anomalies, the identified instances are associated with each of the respective devices, applications, and network users that participated in the network activities from which the instances were determined, and each threat is an interpretation or a conclusion based on one or more of the anomalies;
  
  automatically determining a score for each entity, wherein the score indicates a risk level based at least in part on the number and type of identified instances of potential network compromise associated with the entity;
  
  causing display, in a graphical user interface, of an indication of the score for each of the entities wherein;
  
  the graphical user interface selectively provides an entities view for each of the types of entities,each entities view lists at least all entities of that selected type that participated in network activities that triggered determinations of potential network compromise, andeach entity listed in the entities view includes the associated score and a link which, upon selection by a user, causes the graphical user interface to generate a detailed view comprising additional data about the selected entity.
- View Dependent Claims (26, 27)
- - 26. The computer system of claim 25, wherein the graphical user interface provides at least one entities view comprising a listing of entities of at least one type that participated in network activities that triggered determinations of potential network compromise;
    - wherein each entity listed in the entities view includes the associated score and a link which, upon selection by a user, causes the graphical user interface to generate a detailed view comprising additional data about the selected entity.
  - 27. The computer system of claim 26, wherein the entities view lists, for each entity, the number of anomalies associated with the entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Muddu, Sudhakar, Tryfonas, Christos
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Nguy, Chi D

Application Number

US14/928,535
Publication Number

US 20170063901A1
Time in Patent Office

1,208 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/24578   using ranking

G06F 16/254   Extract, transform and load...

G06F 16/285   Clustering or classification

G06F 16/444   Spatial browsing, e.g. 2D m...

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 3/0482   Interaction with lists of s...

G06F 3/0484   for the control of specific...

G06F 3/04842   Selection of displayed obje...

G06F 3/04847   Interaction techniques to c...

G06F 40/134   Hyperlinking

G06N 20/00   Machine learning

G06N 20/20   Ensemble learning

G06N 5/022   Knowledge engineering; Know...

G06N 5/04   Inference or reasoning models

G06N 7/01   Probabilistic graphical mod...

G06V 10/225   based on a marking or ident...

H04L 2463/121   Timestamp cryptographic mec...

H04L 41/0893   Assignment of logical group...

H04L 41/145   involving simulating, desig...

H04L 41/22   comprising specially adapte...

H04L 43/00 : Arrangements for monitoring...

H04L 43/045 : for graphical visualisation...

H04L 43/062 : related to network traffic

H04L 43/08 : Monitoring or testing based...

H04L 63/06 : for supporting key manageme...

H04L 63/1408 : by monitoring network traff...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1425 : Traffic logging, e.g. anoma...

H04L 63/1433 : Vulnerability analysis

H04L 63/1441 : Countermeasures against mal...

H04L 63/20 : for managing network securi...

H05K 999/99 : dummy group

View All

Method and system for reviewing identified threats for performing computer security monitoring

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

68 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for reviewing identified threats for performing computer security monitoring

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links